Banning Ransom Payments Does Not Protect Anyone

Date: January 8, 2024


A proposed ban on ransom demand payments continues to be a heavily debated issue. The simple answer is yes, ban the payment of ransomware demands across the board.

Financial incentives primarily drive ransomware attacks, so reducing or eliminating the financial payoffs for the attacks would certainly stifle this illicit activity, but this is a complex issue that requires a more complex answer.

Takeaway: Really, I’m at a loss for words right now. Just how disconnected from reality does the government need to be to think an outright ban on ransom payments would work?

The potential impact of a ransomware attack can vary greatly depending on the target, the industry, the systems and data involved.

The US government is basically telling private industry that they should, in some cases, bankrupt their business because the government can’t protect them from these attacks or their potential impact on the organization.

Sure, banning all ransom payments would reduce the financial incentives for attackers. This is the crux of the government’s argument, and while it’s an assertive position on its face, it still leaves organizations on the hook regardless of which option they choose.  

Most ransomware attacks today involve data extortion, so even if an organization decides not to pay a ransom to restore systems, it is still subject to extortion because the attackers have already stolen valuable and/or private data that they use as leverage for payment.

Those who advocate for paying the ransom believe that it's the quickest and easiest way to regain access to valuable data and is the best way to reduce the overall impact of an attack.  

They argue that the cost of paying the ransom is often lower than the cost of restoring data from backups or the potential financial losses incurred from delayed recovery.

On the other hand, if you pay a ransom, odds are they are going to attack you again. So, if you can recover without paying the ransom, do it; your chances of them attacking you again are much lower.

Paying a ransom demand creates legal liability issues for the victim organization, especially if the attackers are sanctioned, as is the case with Russian ransomware operators.  

But in some circumstances, paying the ransom may be the logical approach. For example, a hospital that urgently requires access to systems, where any delays could pose a risk to human life.

In these cases, the decision on whether to pay a ransom demand is more complicated. This is why experts are divided on whether organizations should pay ransomware demands.

The Biden administration recently hosted a summit for security leaders from 50 nations, where they pledged to adopt non-payment policies regarding ransomware and data extortion attacks.

While this seems to be a quick fix, in reality this is a very difficult decision that has the potential for serious repercussions no matter which path a victim organization chooses.

There are no easy, one-size-fits-all answers here, and the government’s guidance belies this fact. It oversimplifies the problem and is further evidence that the authorities really do not have a handle on how to address the growing threat from ransomware and data extortion attacks.

Whether or not an organization should pay a ransom demand is not the core issue we need to focus on here.

The US government needs to stop telling American companies that they have to fend for themselves. We need more than proclamations; we need intervention and protection from what are known to be nation-state threat actors freelancing in what is nothing short of cyber terrorism.

Ultimately, whether to pay a ransom or not does not address the root cause of the problem: the vulnerabilities in the victim's systems that leave them exposed to ransomware attacks.  

Instead of preparing to pay a ransom demand, organizations should focus on implementing preventative and resilience measures to protect their organizations from ransomware attacks.

This means a focus on detecting these multi-stage operations earlier in the attack sequence, as well as on resilience should the attack be successful, with an emphasis on preventing data loss and extended system downtime.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.