Should ransomware payments be made illegal?

Locking up a victim's IT systems, encrypting their data and demanding cash for a return to normality has become a tidy way for hackers to make a quick buck.

Since 2020, when ransomware became big business, several jurisdictions around the world have flirted with the idea of banning ransom payments. It's a classic problem of moral hazard: paying the ransom provides immediate relief to the victim, but it rewards cyber criminals and reinforces their business model.

Of course even paying a ransom does not stop attackers from hitting the same target again a short while later. And in the worst case, known as 'pseudo-ransomware', the ransom demand could be nothing but a decoy when in fact the victim's data is irreversibly corrupted.

There are already cases where ransom payments fall into a legal grey area or are banned outright. In the US, for example, any payment to a person or group on the Office of Foreign Assets Control's blacklist - which covers countries under sanctions as well as terrorists and drug traffickers - is against the law.

Last year the Australian government announced that it "does not condone" ransom payments, but stopped short of actually making them illegal. The Dutch government reportedly considered banning insurers from covering ransom payments, although so far nothing has come of that idea.

And since it is especially galling to see public funds paid to extortionists, there is pressure to stop public bodies from paying up. This year both North Carolina and Florida have prohibited state agencies and local governments from paying ransoms.

Ransom payments have hit the insurance industry hard. Ransomware claims in the US rose 35% in 2020 as the ransomware epidemic ramped up, according to rating agency AM Best. In some cases ransom demands have even been tailored to the amount of insurance.

Even so, the idea of a ban on ransom payments generally doesn't go down well with the insurance industry. The Geneva Association, a think tank, surveyed cyber insurers and reinsurers and found that most thought a ban on ransom payments would make attacks at least a little less common. But they also considered it a 'blunt instrument' that might have unintended consequences.

"The reality is a lot of organizations who are attacked don't report it, so you have a misbalance in terms of how law enforcement and governments are focusing on the problem because they're not aware of how bad it is," says Roger Francis, Cyber Claims Director at CFC Underwriting. "By making things illegal, in essence, you'd drive things underground."

Another risk is that banning ransom payments discourages customers from taking out cyber insurance - after all, reimbursement of ransom payments is one of the major services that insurers provide. That would be bad news, and not only for underwriters - considering that just about all cyber insurance policies now come with  requirements for the customer to implement stringent security procedures, undermining the industry would be everybody's loss.

A ban on insurers reimbursing ransom costs without criminalizing the payment itself - as mooted in the Netherlands - would perhaps be the worst of both worlds, leaving victims without support at a desperate time but still rewarding attackers if they can round up the cash.

So if a ban on ransom payments is not the answer, what can be done to contain the damage? There is no easy answer, but better security practices and education are surely part of it. The insurance industry is already at the forefront of that work, enforcing tight security standards before they will consider putting their names to a policy. Customers may moan about the hoops they have to jump through, but the end result is that they are better protected.

Vulnerable targets like government agencies and especially hospitals, which can afford next to no downtime, should also think about having old-fashioned manual processes in place in case their IT systems go down. Printing out patient records and putting them in a filing cabinet is the ultimate offline backup.

At the same time, governments and law enforcement need to wake up to the seriousness of the problem. Better regulation and scrutiny of crypto-currencies - the near universal medium of ransom payments - would be a good place to start. If governments keep an eye on crypto exchanges, they can freeze or trace transactions even on a theoretically decentralized and anonymous system.

Many cyber attackers are located in jurisdictions like Russia and North Korea where it is all but impossible for western law enforcement agencies to chase them down. But when elite detectives turn their attention to the problem, they can be surprisingly effective.

When Colonial Pipeline, one of the major arteries transporting oil across the United States, was hacked in 2021, the company paid a ransom of 75 bitcoin (at the time about $4.4 million), but most of it was recovered by the FBI within weeks.

And in July the Netherlands Public Prosecution Service seized about half a million euros' worth of crypto assets that had been paid by Maastricht University as a ransom in 2019. It was only a fifth of the original payment, but thanks to the rising price of bitcoin it amounted to far more than the original €200,000 ransom.

Those examples show that, although it will always be a struggle, tracing and recovering crypto assets is not impossible. Rather than banning ransom payments - effectively punishing the victim - governments would be better off prioritizing cyber crime and building up the expertise to deal with it.