Should organizations be banned from paying ransomware attackers?

It might be tempting to simply pay the ransom to try and resolve an incident – but doing so will encourage more cyber attacks.


Ransomware attacks increased in impact last year. While paying a ransom might be the least costly approach for organizations suffering an incident of this type, the long term impact is not necessarily in the best interest of that organization – or others – as a whole. Below, we present the key insights from a discussion between key F-Secure experts.

Participants:

Callum Roxan

Callum is the Head of Threat Intelligence, with a history of responding to threat actors on the frontline in incident response, threat hunting and SOC analyst roles. Callum is passionate about all things security and has a wide range of experience delivering services and consultancy across a variety of industries.

Matt Lawrence

Matt is the Head of Incident Response and a motivated, accomplished leader in IR and MDR. He carries over a decade of experience managing investigations in the finance, commercial, defense, and higher education sectors across the world. During his career, he has spearheaded the development of global security services and led research and development into several new attack detection techniques.

Alan Melia

Alan is a Principal Incident Response Consultant at F-Secure. He manages investigations and incidents for a wide range of international and domestic clients, from small businesses to government agencies. Previously, Alan was a manager at EY and spent 14 years at Microsoft in positions including Escalation Engineer (Internet Products) and Forensic Investigator.

Should I pay the ransom?

According to Alan Melia, Principal Incident Response Consultant at F-Secure, it should never be acceptable to pay criminals.

“Ransomware gangs charge whatever they think they can get away with. The fact it is cheaper to pay the ransom rather than invest in good security is never a good thing. Forcing organizations to take security seriously is the way forward. There’s a parallel here with health and safety: it’s doubtful businesses would take it as seriously as they do today without legislation that compels them to do so.”

Matt Lawrence, F-Secure’s Head of Incident Response, agreed in principle, but noted the situation was far from straightforward.

“In an ideal world, negotiating with criminals is a red line no one would cross. Even if payment is necessary to save the business, it presents a series of both moral and legal challenges that can often be insurmountable. For example, can you adequately mitigate the risk of indirectly funding a terrorist group and thus committing a criminal act?”

What the law says

US legislation such as the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) already gives authorities the power to penalize those engaging – directly or indirectly – with a range of prohibited individuals, entities and regimes. That applies equally to a victim organization and anyone acting on their behalf, such as cyber-insurers or third-party security companies. And ignorance of the law is no get-out. The US Department of the Treasury’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments [1] states:

“A person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations.”

But is such an approach too harsh to be effective? Lawrence thought policies should instead incentivize organizations to approach the problem pragmatically.

“Rather than penalizing businesses for attempting to save themselves, progressive policy that acknowledges the challenge and focuses on supporting organizations to do the right things up front would have a much broader impact on this problem. Better to remove the taboos associated with being compromised and help organizations improve their responses so we can move to a point where extortion is no longer a viable business model for the criminals.”

This mirrors policies [2] set by governments that make kidnap ransom payments illegal to discourage kidnappings [3].

Could cyber-insurance be one answer?

Roxan didn’t think so. Insurers will typically take the cheapest effective fix, which could well be to pay the ransom.

“Any payment of ransoms encourages future extortion activities. ‘Outsourcing’ the problem to cyber-insurers serves as an incentive for organizations to pay attackers, safe in the knowledge that they can claim the money back. And if more organizations decide to pay the ransom on that basis, more future criminal activity will be funded.”

The economics of ransomware

And even though paying up might be the most financially sound decision for an individual organization, it wouldn’t be best for the wider economy or organizations as a whole, Roxan continued.

“Research on the economics of ransomware [4] shows there is a sizable gap between decentralized decision-making and socially optimal outcomes.”

In simpler terms, while it may be most beneficial for a single organization to pay when considered in isolation, that payment is not the most beneficial outcome for organizations as a whole.

While Roxan acknowledged that no ban on paying attackers could be 100% effective – and was likely to push some activities underground – on balance he thought it may nonetheless be beneficial.

“Along with other actions, a ban would undoubtedly contribute to a reduction in ransom payments, and therefore a net benefit for the economy as a whole.”

In addition, he thought organizations operating in countries with a ban in place could face a lower risk of attack.

“Most high-impact ransomware incidents aren’t random – cybercriminals will assess the potential of success by engaging in some form of victim qualification before they decide to invest time and resources into an attack. If a cybercriminal perceives they are less likely to be able to extract a payment from an organization, they may well decide to choose another victim instead. Therefore, you could argue that more bellicose ransomware payment legislation at a national level could provide a competitive advantage over time for any organizations operating in that jurisdiction.”

In summary

Clearly, there are no easy answers, and the debate will doubtless rage on for some time. Our experts broadly agreed that organizations’ best line of defense today is to put in place effective processes and technologies to detect and respond to any attack as quickly as possible. As Melia noted:

“It would be better if we could turn the question of whether or not to pay attackers into a moral decision rather than the financial one it is now. That’s how I think the law can help.”