Why Making Ransomware Payments Illegal Could Backfire

Originally published by CXO REvolutionaries.

Written by Ben Corll, CISO - Americas, Zscaler.

A debate swirling since at least last summer – about the wisdom of banning compromised companies from making payments to ransomware actors – was sparked again recently when Australia broached the possibility of doing just that.

The argument for outlawing payment is pretty straightforward. Superficially, at least, it resembles the argument against negotiating with terrorists: if you make it clear to criminal actors in advance that they won’t get anything, you create a deterrent to malicious behavior. Or, sometimes, the premise is phrased in economic terms — you can, by outlawing payment, “shut down the ecosystem” that empowers and funds the criminals involved.

While stalled at the federal level in the U.S., these ideas are gaining traction elsewhere. Countries like Australia are considering codifying payment bans into law, and both Florida and North Carolina have made it illegal for state agencies to pay ransoms. Still, more states now require state agencies to report ransomware cases when they occur. The FBI doesn’t recommend ransomware victims in the U.S. pay ransoms.

Too complex for a tidy, policy-based solution

But after giving these developments due consideration, I’ve come to the position that it probably wouldn’t be wise to outlaw payment on a mass scale. I think outlawing payment might actually make things worse, not better.

Why? There are several good reasons:

The threat to operational stability can be staggering

Reported instances of ransomware in the media sometimes seem to portray it as a relative nuisance, swatted away with the equivalent of a rounding-error paid ransom… but that’s not always the case.

Depending on exactly what data is encrypted and held for ransom, organizations can be brought to a complete standstill; in some cases, the entire business might be destroyed.

If we picture a shipping company losing a core database it uses to run its operations for an extended period, that could have broad economic implications. Every minute that ticks by in such a situation is precious because of the ripple effects of supply chain disruption.

Is it wise to tell the owners of such companies in such situations that regardless of the consequences to them, their employees, and their customers, no ransom can ever be paid?

Furthermore, if that idea does become federal law, will it always be honored? Or will those in a position to make the decision simply opt, in many cases, to break the law and pay the ransom to save their businesses?

Outlawing ransomware payments could shift criminal focus to especially vulnerable organizations

Given the above context, how will criminals respond if payments become illegal? One line of thought is that they will put greater emphasis on more vulnerable organizations, and, therefore, presumably be more likely to break the law.

It’s one thing for criminals to target huge, diverse Fortune 500 corporations that offer dozens or hundreds of services and products. Such companies have, as a result, the capacity to pick up the pieces and move on in the wake of a cyber incident.

It’s quite another thing for criminals to target organizations like hospitals, where the services are a matter of life and death, and executives who can’t legally pay ransoms are forced to watch from the sidelines as an incident unfolds. Small and medium-sized businesses, with their lack of financial and technical resources, are also more likely to be negatively impacted by legislation than enterprise companies.

Would governments provide these organizations with the necessary resources to resolve the incident, like negotiators and digital forensics experts?

Paid ransoms can, in some cases, protect sensitive data

Aside from the consequences to organizations if ransomware is outlawed, there’s also the question of the data itself.

Imagine that a government agency has exceptionally sensitive data, like the real names of international assets, that continually provide difficult-to-obtain intel required for national security. Imagine that this data is held for ransom, and the government agency doesn’t pay because payment is illegal. Data could be leaked in secondary extortion or sold to the highest bidder, jeopardizing those assets or perhaps even their families. Instances of ransomware actors blackmailing patients with their healthcare information are no longer speculative.

Should we hand over that decision to criminals, who aren’t a moral group and are on the lookout for a quick buck?

Legal complexities abound

It’s one thing to talk abstractly about outlawing ransoms, but as a practical matter, it’s not so simple. Not only are legal ramifications complicated within a country, but for multinational organizations, entirely different laws can and do apply.

If a company operates in the U.S., and the U.S. outlaws ransom payment, is that company required never to pay ransoms at all – or does that only apply to threats that originate in its U.S.-based branches?

Suppose a company’s U.S. headquarters is attacked, and some of its U.S.-hosted data is encrypted. Suppose also that this U.S.-based organization has offices overseas. Is it legal for one of those overseas offices, using money held in banks in those countries, to pay a ransom? If not, why? How can U.S. law be enforced outside U.S. borders?

This area is fraught with legal, ethical, and practical concerns, as an anecdote from one of my colleagues illustrates, and a sweeping law outlawing all ransoms in all contexts is probably too blunt a tool to reflect that complexity. What’s needed is a scalpel, not a sledgehammer.

So while I’d certainly like to see an end to the ransomware scourge, it seems to me that for now, at least, it’s probably best to leave the question of paying ransoms up to the organizations involved — not their country’s governments.