Debates around how to curtail ransomware activity are getting louder and shifting.
There's little agreement from cybersecurity experts and officials on the best way to impede ransomware, but federal policy is often viewed as an important, albeit slow-moving mechanism to ebb the flow of attacks.
As debates and policy discussions gain momentum, there is ample evidence that the status quo isn’t working. Ransomware victims in the U.S. paid $1.5 billion in ransoms between May 2022 and June 2023, a senior administration official said in November.
Some policy changes are already underway as part of the Biden administration’s national cybersecurity strategy, including a public-private collaborative effort to develop and adopt technology that’s secure by design and default. Policies directly targeting ransomware, such as a more strict ban against ransom payments, remain theoretical but are gaining more support.
“From a purely ethical perspective, they should be banned. That would have a positive impact, because if the crime doesn’t pay, the criminal would stay away,” said Tim Morris, chief security advisor at the cybersecurity vendor Tanium.
“For an ill-prepared organization where ransomware has disrupted operations, then payment may be the only viable option, or in many cases a much cheaper option,” Morris said.
Ransom payment ban gains limited support
The Biden administration decided against an outright ban on ransom payments in September 2022, but White House officials revived the potential policy change in mid-2023 through the International Counter Ransomware Initiative.
The problem isn’t going away, and ransom payments are a well-established norm across businesses of all types. More than 4 in 5 CISOs working at a business hit by ransomware said their organization paid the ransom, according to an October report from Splunk.
Organizations are already prohibited from making ransom payments to individuals or entities sanctioned by the U.S. Department of Treasury’s Office of Foreign Assets Control. Yet, more researchers, threat analysts and federal cyber authorities are coming around to the notion of a more universal ban.
“Far too much happens in the shadows,” Brett Callow, threat analyst at Emsisoft, told Cybersecurity Dive. He and his colleagues at the cybersecurity software company kicked off the year calling for a complete ban on ransom payments.
“I’ve become increasingly convinced that ransomware isn’t a cybersecurity problem as much as it is a policy problem. That’s where the real solutions lie,” Callow said. “We’re never going to defend our way out of this. We need better policy.”
A ransom payment ban could force victim organizations to balance conflicting responsibilities such as business continuity or critical operations support with legal restrictions against funding cybercrime.
The proposal and its presumed outcomes are overly simplistic, Frank Dickson, group VP at IDC’s Security and Trust research practice, told Cybersecurity Dive. “We know what’s right — it’s right not to pay the ransom. The question is, is it best?”
Ban proposal, business considerations in conflict
While a ban could take years, if it happens at all, international support remains mixed and limited in scope and capacity.
The International Counter Ransomware Initiative, a collection of 48 countries, the European Union and Interpol, has yet to fully embrace the proposal. The group endorsed a joint policy statement in November, emphasizing that institutions under their governments’ control should not pay ransomware extortion demands.
Many businesses, even those with backups, pay ransoms to potentially speed up the recovery process or avoid the release of stolen data, according to Dickson.
Business considerations such as operational disruptions and lost revenue are critical factors organizations weigh when they’re confronted with a ransom demand.
“There are certain circumstances where businesses just can’t recover without a particular decryption key and things of that nature,” said Drew Schmitt, practice lead at GuidePoint Security’s research and intelligence team.
Schmitt deals with the technical ramifications of ransomware and sometimes helps clients negotiate ransom payments because alternatives are limited or potentially more damaging for the victim organization.
This hedging response to a ransom payment ban underscores a common view among incident responders and other cybersecurity experts.
Policy a slow conduit for change
Policies and regulations around ransomware are widely expected to change in 2024 and beyond, but how and to what effect remains unclear.
“One of the biggest challenges is going to be designing policy in a way that does allow for certain types of organizations to have flexibility to make sure that they can recover, while also simultaneously impacting the ransomware groups to where it doesn't make financial sense anymore,” Schmitt said.
There’s also concern that the speed of any action tackling ransomware from a policy perspective will be too slow and no match for the rapid and dramatic changes in ransomware threat actors’ activities.
“The idea that we can address ransomware with policy doesn't work all that well,” Dickson said. “Essentially what you’re doing is applying a formalized policy and legal framework to something that’s appropriate to a paradigm that was a three-year-ago reality.”