When Atlanta was hit by a SamSam ransomware attack in 2018, the ransom note requested about $50,000. The city didn't pay the ransom and spent millions of dollars on recovery.
People assume the initial ransom price is not nearly as severe as the recovery costs, but "I think that's a very profoundly short-sighted way of thinking about this," said Josephine Wolff, associate professor of cybersecurity policy at the Fletcher School at Tufts University, speaking during a webcast hosted by The Institute for Security and Technology (IST) Wednesday.
The cost of a ransomware attack can add up: response includes regulatory and legal expenses, software and hardware recovery, and investments in improving the security systems that failed. Those costs often exist whether or not an organization gives in to the extortion demand, further complicating the decision of whether to pay a ransom.
Some ransomware attacks or payments go unreported, making a blanket "no pay" policy for ransomware difficult to enforce. Legislators know this and have been slow to craft a ban of ransom payments.
Ransomware is a fresh take on organized crime, said Michael Daniel, CEO of Cyber Threat Alliance, during the webcast. And because of its ability to take down large companies, it feels like it's just "part of being a capitalist economy."
Policymakers and security advocates are having a hard time accepting how frequently organizations are paying millions to criminal gangs. "These are political decisions" that impact the public at large, he said.
It's easy for legislators and security professionals to become desensitized to what is at risk during a ransomware attack. Legislators and security researchers feel empathy for victim organizations, but they are ultimately detached from the organization's mission, said Jen Ellis, VP of community and public affairs at Rapid7, during the webcast.
Those most impacted by an attack are motivated to pay. In some cases, it's not the victim company but its customers who want service restored.
When the Health Service Executive (HSE) of Ireland was hit by ransomware in May, Ellis was contacted by a parent whose child was under the care of the healthcare organization. The parent told her "I will remortgage my house if it means I can help pay the ransom," she said.
It's not black and white
The argument of "to pay or not to pay" has been oversimplified, said Ari Schwartz, managing director of cybersecurity services and policy at Venable, during the webcast. Two arguments tend to arise:
- Why would anyone pay if it contributes to more criminal activity?
- Why would anyone not pay if it means unlocking their data, and therefore business?
"Neither of those is totally accurate, but there is some truth to both of them as well," said Schwartz. When deciding on how to respond to an extortion, companies are nudged by insurance companies, third-party incident response teams, or regulations prohibiting a payment.
If a company tries to take a rational approach but it is illegal to pay, "it still doesn't solve the problem of when people are really in bad shape," such as the Colonial Pipeline shutdown, said Schwartz. For Schwartz, before the U.S. can explicitly outlaw paying a ransom, it first has to ensure it is capable of recovering from a major cyberattack.
Rather than addressing ransom payments, a good starting point might be to finally enact a federal incident reporting law or an after-action report requirement. "If we start with 'no pay or don't pay,' we're just going to end up in that debate that doesn't get us anywhere for a while," Schwartz said.
Prohibition of ransom payments is the long-term goal but does little to solve today's issues, especially when the target operates critical infrastructure. Companies that opt to pay their attackers "now made themselves indebted in terms of the knowledge the attacker has about them," said Ellis. Ransom payment can also open companies to double extortion, if a breach threat was not part of the original ransom note.
Though the federal government, specifically the FBI and Cybersecurity and Infrastructure Security Agency (CISA), ask private industry to report threats or cyberattacks, these agencies don't have a lot of information, said Wolff.
The government and industry have made little progress on ransomware policy and procedure, though initiatives exist. While the FBI discourages all ransom payments, the uniqueness of individual attacks makes the ease of ransom payments hard to ignore.
The decisions U.S. law enforcement makes in terms of ransomware "so far seems to me to have been, 'We want to stay on the good side of the victim,'" she said. Because the FBI is so desperate to have attacks reported to the agency, it upholds an incentive based on a lack of penalties.
It leaves the U.S. treating victim organizations with a victim mentality, Wolff said.
This treatment was highlighted in June, when the FBI announced it had recovered about half of Colonial Pipeline's $4.4 million ransom. The Justice Department made clear it is unknown what kind of future actions it would be able to take with regard to seizing cryptocurrency funds, because that depends on how early a company involves the agency.
This leaves policymakers in a bind because they are the only people with the foresight to take action for the future, not the short-term present.
"It seems to me that it's now been going on for so long, and has sort of grown to a problem of such magnitude, that it's really astonishing to me how little willingness there is to think about the future in this space," Wolff said.