
Ransomware payment ban: Wrong idea at the wrong time

Won't stop the chaos, may lead to attacks with more dire consequences

Opinion A general ban on ransomware payments, as was floated by some this week, sounds like a good idea. Eliminate extortion as a source of criminal income, and the attacks are undoubtedly going to drop. 

But unfortunately, it's not going to work — at least not now, and probably not in the foreseeable future — for a number of reasons. Plus, it would inevitably lead to more attacks on critical infrastructure targets such as hospitals, power grids, water systems, and the like, which isn't exactly great.

This is because a payment ban would inevitably have to include an exception for incidents where not paying the ransom poses a serious risk of death, bodily harm, or terrorist attack. In other words, there's got to be an exception for critical infrastructure.

We've seen this with the US Securities and Exchange Commission's new cybersecurity incident disclosure rules: The SEC allows delayed reporting if disclosing the attack poses "a substantial risk to national security or public safety."

The US and UK governments urge organizations not to pay ransoms, and we can see why. It just encourages more attacks. At the same time, many did not fault the Colonial Pipeline CEO's decision to pay off crooks in 2021 to prevent further fuel supply shortages.

A critical infrastructure exclusion makes sense. No one is going to victim blame a hospital, or argue in favor of allowing patients to die instead of paying a ransom. A similar case can be made for gas and electric companies: They can't ignore the need for residential heating during a winter storm. But this also means that attackers will simply pivot and target these sectors where declining to give in to extortionists' demands could be a matter of life and death.

We are already seeing criminals increasingly focus on hospitals and health-care facilities. In 2023, ransomware gangs breached 46 hospital systems in the US with a total of 141 hospitals between them, and at least 32 of the 46 had patient data, including protected health information, stolen.

These intrusions caused weeks-long outages, diverted ambulances and delayed medical treatment for patients. While all of this should be a security wake-up call for any critical infrastructure organization, preventing future ransomware chaos requires a solution that's more disaster preparedness than just prohibiting payments to criminals.

Then there's also the issue of enforcement. Such a ban would need to be universal or else ransomware crews will simply focus on victims in other geographic regions that don't prohibit payments. That kind of multi-government cooperation is highly unlikely at best, and if by some miracle it did happen, the hurdles of coordinated enforcement and funding would immediately wreck this effort. 

Presumably, any type of international law would be enacted by the United Nations. But this doesn't always guarantee a global mandate with teeth. Or, perhaps even worse, it would run the risk of becoming an attempt to rewrite international law by nations that already provide safe harbor to ransomware crews and use the illicit proceeds to fund state-sponsored terrorism and weapons programs.

Case in point: The UN cybercrime treaty. A global approach to stopping cybercrime is needed, and it's a good idea in theory. But instead, it's looking like an attempt by Russia, with support from China and North Korea, to justify state surveillance and eliminate data privacy rules.

Another roadblock is the lack of security maturity across sectors, which Megan Stifel, chief strategy officer for the Institute for Security and Technology and the executive director of the IST's Ransomware Task Force, pointed out in an earlier interview with The Register.

This is especially concerning considering that two notoriously under-funded and understaffed sectors when it comes to infosec, local governments and schools, are increasingly being targeted by these money-grubbing miscreants. 

Some of the 2023 ransomware victims in these sectors include the city of Oakland, California, and New York's Suffolk County, both of which declared states of emergency, and Dallas, Texas, which also saw its IT systems crippled by cybercrime gangs. 

Meanwhile, the MOVEit security hole affected millions of individuals when a Russia-linked ransomware crew stole data belonging to the Louisiana Office of Motor Vehicles, the Colorado Department of Health Care Policy and Financing, and the Oregon Department of Transportation. 

By security shop Emsisoft's count, at least 108 K-12 districts and 72 post-secondary schools fell victim to ransomware crews in 2023, compared to 45 and 44, respectively, a year earlier. And some 95 government entities experienced ransomware infections last year, compared to 106 in 2022. However, 55 of the 106 were Arkansas agencies that all shared an IT services provider.

State and local government agencies and schools collect a ton of sensitive information that can be financially lucrative to criminals, and these orgs don't have the resources to defend themselves against ransomware. Simply making it illegal for them to pay ransom demands seems especially cruel unless they receive the needed professional and financial support to shore up networks first.

Luckily, on this front, there is nearly $375 million in grant money available for state, local, and territorial (SLT) governments across the US to address cybersecurity risks and threats.

Additionally, a dedicated US Federal Communications Commission program aims to provide up to $200 million for K-12 schools and libraries in rural and low-income communities and would gather information on "cybersecurity and advanced firewall services" to protect these orgs against cyberattacks.

A complete ban won't work. It would be nice if it could provide a magic-bullet response to ransomware. Then again, it would also be nice if countries like Russia, Iran and North Korea decided to prosecute cybercriminals operating inside their borders. None of these are realistic.

Having said that, a ban on ransomware payments is becoming more palatable than it was even a couple years ago, and this year's international Counter Ransomware Initiative summit, held at the White House, is one such indication. 

At the event, the US persuaded all 50 member countries to sign on to a joint policy statement under which they agreed not to pay ransom demands. They also pledged to better track cryptocurrency payments to cybercriminals and increase information-sharing capabilities.

While the no-payment pledge only applies to the national governments themselves, not private companies, it couldn't get the needed support even a year prior.

Our advice? Secure your networks now. Don't be low-hanging fruit. Implement all those basic hygiene measures that public and private infosec specialists have been preaching for years: use strong passwords and data encryption, implement zero-trust access, network segmentation and multi-factor authentication, install software updates and backup regularly. 

"The best defense is to take steps to proactively avoid becoming a victim," Sam Rubin, VP of Unit 42 Consulting at Palo Alto Networks, told The Register.

In lieu of a complete ban on ransom payments, be prepared. ®
