The White House and international partners in the fight against ransomware are considering a ban on ransom payments, eyeing a new and complicated means to counter financially motivated threat actors.
It’s a potential move cyber authorities have grappled with in the U.S. government, bilaterally and multilaterally, as part of the International Counter Ransomware Initiative, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said Friday during a presentation at the Institute for Security and Technology’s Ransomware Task Force event.
Specific conditions would warrant a waiver to the ban, especially in cases where a ransomware group is preventing the delivery of critical services, pending proper notification and permission from the pertinent government agency, Neuberger said.
“Do we ban ransomware with a waiver?” Neuberger said. “Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision.”
Inserting the government further into individual ransom-payment decisions, through a specific policy on what victims may pay and when, is an effort fraught with complications that could cause unintended consequences.
“We have to ask ourselves, would that be helpful more broadly if companies and others didn’t make ransom payments?” Neuberger said.
It’s a measure the U.S. government is weighing through its policy process and the International Counter Ransomware Initiative. If implemented, a ban would represent a major shift in strategy.
Neuberger’s office did not respond to a request for comment.
The Biden administration, as recently as last fall, decided against an outright ban on ransom payments. Instead, cyber authorities strongly encourage organizations not to pay.
“It is so hard and so much more work needs to be done to improve the security of tech, to improve the cybersecurity of systems, that we’d essentially be pressing victims to make their payments go undercover,” Neuberger said in September at the Code Conference.
Unraveling the waiver
A waiver, no matter the form or stipulations it includes, could create another wrinkle in the maze of cyberattack reporting.
“We already have a reporting problem,” Allan Liska, threat intelligence analyst and solutions architect at Recorded Future, told Cybersecurity Dive.
A ban could cause organizations to keep even more ransomware activity under wraps because they’ll want to hide evidence of any payments made. “You’re just pushing it further underground,” Liska said.
“We may, two years from now, say ‘oh look, there’s no more ransomware,’ because everybody’s doing everything they can to cover up every ransomware attack,” Liska said.
Bans are a bad idea, Liska said, and a recent ban in North Carolina illustrates why.
North Carolina in April 2022 banned the public sector from making ransom payments and communicating with ransomware actors. But the number of publicly reported ransomware attacks against public sector organizations in the state hasn’t slowed down, according to Liska.
A ban may slow ransom payments in the long term, but the short-term impact could be significant, particularly for organizations that can’t figure out how to obtain a waiver, or that must otherwise wait for the proper government agency to issue one.
Developing a roadmap for businesses and agencies to follow, and allowing a waiver in certain cases, will be a difficult undertaking.
High ransomware activity warrants potential ban
Cyber authorities are reconsidering their official policy on ransom payments, in part, due to the persistent threat and high level of ransomware activity.
The San Bernardino County Sheriff’s Department in California, the recent victim of a ransomware attack, announced Friday it paid a $1.1 million ransom, just over half of which was covered by insurance, the Southern California News Group reported.
Ransomware is “a financially motivated crime type, and the more you pay the more you generate the interest in further criminal activity of that kind,” Patrick Hallinan, Australian minister counsellor for home affairs, said at IST’s Ransomware Task Force event.
“It could be good, I think, if you were to outlaw ransomware payments, but it’s not always that simple,” Hallinan said.
The potential change in policy reflects cyber authorities’ willingness, however cautious, to pivot on strategy and policy to take a bigger bite out of ransomware activity.
“I see no option but to limit the circumstances in which ransoms can be paid,” Brett Callow, threat analyst at Emsisoft, said via email. “Less payments equals less ransomware. It’s that simple.”
The threat intelligence community, much like cyber authorities, has not reached a consensus on outlawing ransom payments.
“In general, the problem with bans is that the bad guys don't actually care,” Liska said. “They assume everybody is as shifty as they are, and they’ll find a way to pay.”
And even if bans against ransom payments eventually lead to a reduction in ransomware attacks, threat actors will find other ways to commit cybercrime, according to Liska.
“If they can’t extort the money out of you,” Liska said, “they’ll just figure out how to trick you into giving it to them.”