Time for a Formal Ban on Ransomware Payments?


January 3, 2024

World map

To pay or not to pay a ransom demand has been a heavily debated issue around the ransomware problem since these threat actors initiated more complex, targeted attacks against specific industries and organizations.  

The simple answer is yes, ban payment of ransomware demands across the board. Financial incentives primarily drive ransomware attacks, so reducing or eliminating the financial payoffs for the attacks would certainly stifle this illicit industry.  

However, the answer is not that simple. In some cases, such as when a hospital is attacked or other systems that control critical infrastructure where lives could be at risk, then expediency is of the utmost concern - ostensibly, paying a ransom demand would speed up recovery efforts, but not always.

Paying a ransom and receiving a decryption key from the attackers is likely more efficient. Still, it is not a foolproof plan, as most organizations don't get all of their data back. Offering a waiver to the ban is problematic due to the delay in determining if the incident qualifies, posing risks to the public's health and safety.  

Lastly, with data extortion, even if an organization decides not to pay a ransom to restore systems, they may still be subject to extortion because the attackers already have stolen valuable and/or private data they use as leverage for leverage as payment.

Takeaway: The recommendation from law enforcement and other experts is that organizations should never pay a ransom demand, which would significantly diminish the financial incentives for these attacks.

In most circumstances that would be the logical approach, but it may not be the right approach for every organization. For example, it may be within the risk parameters for an entertainment company like MGM to refuse a ransom demand even though downtime is costing the organization revenue, they can obviously afford it when doing $4 billion in revenue a quarter.

But what about a hospital who urgently requires access to systems where any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is more complicated.

This is why experts are divided on whether organizations should pay ransomware demands. Those who advocate for paying the ransom believe that it's the quickest and easiest way to regain access to valuable data and is the best way to reduce the overall impact of an attack. They argue that the cost of paying the ransom is often lower than the cost of restoring data from backups or the potential financial losses incurred from delayed recovery.

On the other hand, those who oppose paying the ransom argue that doing so only encourages cybercriminals to continue their attacks by reinforcing the financial incentives that drive ransomware attacks.

They point to examples where paying the ransom did not guarantee that the victim's data was restored or cases where the data was corrupted during decryption. They also point out that most victims who paid a ransom demand were attacked again, often by the same threat actor who demands a higher ransom payment knowing the victim is likely to pay.

While paying the ransom may seem like a quick fix, it may not be the best solution for businesses and individuals. Paying the ransom only supports the criminal activities of cybercriminals, leading to an increase in ransomware attacks.

Additionally, paying the ransom does not guarantee that the victim's data will be restored. There have been instances where victims have paid the ransom, but the cybercriminals did not provide the decryption key or provided a faulty one, leaving the victim without their data and their money.

Also, even if the victim's data is restored, paying the ransom may result in further attacks. Cybercriminals may see the victim as an easy target and continue to target them with future attacks.

And paying the ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Instead of paying the ransom, victims should focus on implementing preventative measures to protect their data from future attacks.

Ultimately, we need to get to a place where we are not focused on addressing a ransomware attack after sensitive data has been exfiltrated and the disruptive ransomware payload has been delivered.

This means a focus on detecting these multi-stage operations earlier in the attack sequence, as well as on resilience should the attack be successful, with an emphasis on preventing data loss and extended system downtime.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.