White House Weighs Ban on Payments to Ransomware Operators

Date: May 9, 2023

The White House is considering implementing a ban on payments to ransomware operators in an effort to reduce the financial incentives that drive disruptive and costly ransomware attacks.  

“Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said Friday during a presentation at the Institute for Security and Technology’s Ransomware Task Force event,” Cybersecurity Dive reports.

“Specific conditions would warrant a waiver to the ban, especially in cases where a ransomware group is preventing the delivery of critical services, pending proper notification and permission from the pertinent government agency, Neuberger said.”

Takeaway: To pay or not to pay a ransom demand has been at the core of the issue since these threat actors began these more complex, targeted attacks against specific industries and organizations.

The simple answer is yes, ban payment of ransomware demands across the board. Ransomware attacks are (mostly) driven by financial incentives, so reducing or eliminating the financial payoffs for the attacks would certainly stifle this illicit industry.

But the answer is not that simple. In some cases, such as an attack on a hospital or on systems that control critical infrastructure where lives could be at risk, expediency is of the utmost concern - ostensibly, but not always. Paying a ransom and receiving a decryption key from the attackers is likely more efficient, save for the fact that most organizations don't get all their data back even with the help of the attackers - so that's not a foolproof plan.

In some instances, offering a waiver to the ban also seems problematic, because if lives are potentially on the line, determining whether the incident qualifies for the waiver would also likely add delay. There is also the data exfiltration issue. Even if an organization decides not to pay a ransom to restore systems, it may still be subject to extortion because the attackers have already stolen valuable and/or private data that they use as leverage for payment.

Ultimately, we need to get to a place where we are not focused on addressing a ransomware attack after sensitive data has been exfiltrated and the disruptive ransomware payload has been delivered. This means a focus on detecting these multi-stage operations earlier in the attack sequence, as well as on resilience should the attack be successful, with an emphasis on preventing data loss and extended system downtime.
