A successful cyberattack on critical infrastructure — such as electricity grids, transportation networks or healthcare systems — could cause severe disruption and put lives at risk. 

Our understanding of the threat is far from complete since organizations have historically not been required to report data breaches, but attacks are on the rise according to the Privacy Rights Clearinghouse. A recent rule from the United States Securities and Exchange Commission should help clarify matters further by now requiring that organizations “disclose material cybersecurity incidents they experience.”

As the digital world continues to expand and integrate into every facet of society, the looming specter of cyber threats becomes increasingly critical. Today, these cyber threats have taken the form of sophisticated ransomware attacks and debilitating data breaches, particularly targeting essential infrastructure.

A major question coming from policymakers, however, is whether businesses faced with crippling ransomware attacks and potentially life-threatening consequences should have the option to pay out large amounts of cryptocurrency to make the problem go away. Some believe ransoms should be banned for fear of encouraging ever more attacks.

Following a major ransomware attack in Australia, its government has been considering a ban on paying ransoms. The United States has also more recently been exploring a ban. But other leading cybersecurity experts argue that a ban does little to solve the root problem.

Ransomware and the ethical dilemma of whether to pay the ransom

At the most basic level, ransomware is simply a form of malware that encrypts the victim’s data and demands a ransom for its release. A recent study by Chainalysis shows that crypto cybercrime is down by 65% over the past year, with the exception of ransomware, which saw an increase. 

“Ransomware is the one form of cryptocurrency-based crime on the rise so far in 2023. In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June,” said Chainalysis.

Even though there has been a decline in the number of crypto transactions, malicious actors have been going after larger organizations more aggressively. Chainalysis continued:

“Big game hunting — that is, the targeting of large, deep-pocketed organizations by ransomware attackers — seems to have bounced back after a lull in 2022. At the same time, the number of successful small attacks has also grown.”

The crippling effect of ransomware is especially pronounced for businesses that heavily rely on data and system availability.

Cumulative yearly ransomware revenue 2022 vs 2023
Ransomware revenue is up. (Chainalysis)

The dilemma of whether to pay the ransom is contentious. On one hand, paying the ransom might be seen as the quickest way to restore operations, especially when lives or livelihoods are at stake. On the other hand, succumbing to the demands of criminals creates a vicious cycle, encouraging and financing future attacks.



Organizations grappling with this decision must weigh several factors, including the potential loss if operations cannot be restored promptly, the likelihood of regaining access after payment, and the broader societal implications of incentivizing cybercrime. For some, the decision is purely pragmatic; for others, it’s deeply ethical.

Breaches by org. type over time
Attacks by organization type. (Chainalysis)

Should paying ransoms be banned?

The increasing incidence of ransomware attacks has ignited a policy debate: Should the payment of ransoms be banned? Following a major ransomware attack on Australian consumer lender Latitude Financial, in which millions of customer records and IDs were stolen, some have begun to advocate for a ban on paying the ransom as a way of deterring attacks and depriving cybercriminals of their financial incentives. 

In the United States, the White House has voiced its qualified support for a ban. “Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision… We have to ask ourselves, would that be helpful more broadly if companies and others didn’t make ransom payments?” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies in the White House.

There are good reasons not to pay a ransom, but good reasons to pay as well. (Pexels)

Proponents argue that it will deter criminals and reorient priorities for C-suite executives. Critics, however, warn that a ban might leave victims in an untenable position, particularly when a data breach could lead to loss of life, as in the case of attacks on healthcare facilities.

“The prevailing advice from the FBI and other law enforcement agencies is to discourage organizations from paying ransoms to attackers,” Jacqueline Burns Koven, head of cyber threat intelligence for Chainalysis, tells Magazine.

“This stance is rooted in the understanding that paying ransoms perpetuates the problem, as it incentivizes attackers to continue their malicious activities, knowing that they can effectively hold organizations hostage for financial gain. However, some situations may be exceptionally dire, where organizations and perhaps even individuals face existential threats due to ransomware attacks. In such cases, the decision to pay the ransom may be an agonizing but necessary choice. Testimony from the FBI recognizes this nuance, allowing room for organizations to make their own decisions in these high-stakes scenarios, and voiced opposition to an all out ban on payments.” 

Another complicating factor is that an increasing number of ransomware attacks, according to Chainalysis, may not have financial demands but instead focus on blackmail and other espionage purposes. 

“In such cases, there may be no feasible way to pay the attackers, as their demands may go beyond monetary compensation… In the event that an organization finds itself in a situation where paying the ransom is the only viable option, it is essential to emphasize the importance of reporting the incident to relevant authorities.” 

“Transparency in reporting ransomware attacks is crucial for tracking and understanding the tactics, techniques and procedures employed by malicious actors. By sharing information about attacks and their aftermath, the broader cybersecurity community can collaborate to improve defenses and countermeasures against future threats,” Koven continues.

Could we enforce a ban on paying ransomware attackers?

Even if a ban were implemented, a key challenge is the difficulty in enforcing it. The clandestine nature of these transactions complicates tracing and regulation. Furthermore, international cooperation is necessary to curb these crimes, and achieving a global consensus on a ransom payment ban might be challenging. 

Banning ransomware payments risks criminalizing victims. (Pexels)

While banning ransom payments could encourage some organizations to invest more in robust cybersecurity measures, disaster recovery plans and incident response teams to prevent, detect and mitigate the impact of cyberattacks, it still amounts to penalizing the victim and making the decision for them.

“Unfortunately, bans on extortions have traditionally not been an effective way to reduce crime — it simply criminalizes victims who need to pay or shifts criminals to new tactics,” says Davis Hake, co-founder of Resilience Insurance, who says claims data over the past year shows that while ransomware is still a growing crisis, some clients are already taking steps toward becoming more cyber-resilient and able to withstand an attack.

“By preparing executive teams to deal with an attack, implementing controls that help companies restore from backups, and investing in technologies like EDR and MFA, we’ve found that clients are significantly less likely to pay extortion, with a significant number not needing to pay it at all. The insurance market can be a positive force for incentivizing these changes among enterprises and hit cybercriminals where it hurts: their wallets,” Hake continues.

The growing threat and risk of cyberattacks on critical infrastructure

The costs of ransomware attacks on infrastructure are often ultimately borne by taxpayers and municipalities that are stuck with cleaning up the mess.

To understand the economic effects of cyberattacks on municipalities, I released a research paper with several faculty colleagues, drawing on all publicly reported data breaches and municipal bond market data. In fact, a 1% increase in the county-level cyberattacks covered by the media leads to an increase in offering yields ranging from 3.7 to 5.9 basis points, depending on the level of attack exposure. Evaluating these estimates at the average annual issuance of $235 million per county implies $13 million in additional annual interest costs per county.

One reason for the significant adverse effects of data breaches on municipalities and critical infrastructure stems from all the interdependencies in these systems. Vulnerabilities related to Internet of Things (IoT) and industrial control systems (ICS) increased at an “even faster rate than overall vulnerabilities, with these two categories experiencing a 16% and 50% year over year increase, respectively, compared to a 0.4% growth rate in the number of vulnerabilities overall,” according to the X-Force Threat Intelligence Index 2022 by IBM.

A key factor contributing to this escalating threat is the rapid expansion of the attack surface due to IoT, remote work environments and increased reliance on cloud services. With more endpoints to exploit, threat actors have more opportunities to gain unauthorized access and wreak havoc. 

“Local governments face a significant dilemma… On one hand, they are charged with safeguarding a great deal of digital records that contain their citizens’ private information. On the other hand, their cyber and IT experts must fight to get sufficient financial support needed to properly defend their networks,” says Brian de Vallance, former DHS assistant secretary.

“Public entities face a number of challenges in managing their cyber risk — the top most is budget. IT spending accounted for less than 0.1% of overall municipal budgets, according to M.K. Hamilton & Associates. This traditional underinvestment in security has made it more and more challenging for these entities to obtain insurance from the traditional market.”

Cybersecurity reform should involve rigorous regulatory standards, incentives for improving cybersecurity measures and support for victims of cyberattacks. Public-private partnerships can facilitate sharing of threat intelligence, providing organizations with the information they need to defend against attacks. Furthermore, federal support, in the form of resources or subsidies, can also help smaller organizations – whether small businesses or municipalities – that are clearly resource-constrained, so they have funds to invest more in cybersecurity.

Toward solutions

So, is the solution a market for cybersecurity insurance? A competitive market to hedge against cyber risk will likely emerge as organizations are increasingly required to report material incidents. A cyber insurance market would still not solve the root of the problem: Organizations need help becoming resilient. Small and mid-sized businesses, according to my research with professors Annie Boustead and Scott Shackelford, are especially vulnerable.

“Investment in digital transformation is expected to reach $2T in 2023 according to IDC and all of this infrastructure presents an unimaginable target for cybercriminals. While insurance is excellent at transferring financial risk from cybercrime, it does nothing to actually ensure this investment remains available for the business,” says Hake, who says there is a “huge opportunity” for insurance companies to help clients improve “cyber hygiene, reduce incident costs, and support financial incentives for investing in security controls.” 

Encouragingly, Hake has noticed a trend for more companies to “work with clients to provide insights on vulnerabilities and incentivize action on patching critical vulnerabilities.”

“One pure-technology mitigation that could help is SnapShield, a ‘ransomware activated fuse,’ which works through behavioral analysis,” says Doug Milburn, founder of 45Drives. “This is agentless software that runs on your server and listens to traffic from clients. If it detects any ransomware content, SnapShield pops the connection to your server, just like a fuse. Damage is stopped, and it is business as usual for the rest of your network, while your IT personnel clean out the infected workstation. It also keeps a detailed log of the malicious activity and has a restore function that instantly repairs any damage that may have occurred to your data,” he continues.

Ransomware attacks are also present within the crypto market, and there is a growing recognition that new tools are needed to build on-chain resilience. “While preventative measures are important, access controlled data backups are imperative. If a business is using a solution, like Jackal Protocol, to routinely back up its state and files, it could reboot without paying ransoms with minimal losses,” said Eric Waisanen, co-founder of Astrovault.

Ultimately, tackling the growing menace of cyber threats requires a holistic approach that combines policy measures, technological solutions and human vigilance. Whether or not a ban on ransom payments is implemented, the urgency of investing in robust cybersecurity frameworks cannot be overstated. As we navigate an increasingly digital future, our approach to cybersecurity will play a pivotal role in determining how secure that future will be.

Mandatory disclosure and the threat of getting sued may force companies to improve cybersecurity. (Pexels)

Emory Roane, policy counsel at PRCD, says that mandatory disclosure of cyber breaches and offering identity theft protection services are essential, but it “still leaves consumers left to pick up the pieces for, potentially, a business’ poor security practices.”

But the combination of mandatory disclosure and the threat of getting sued may be the most effective. He highlights the California Consumer Privacy Act.

“It provides a private right of action allowing consumers to sue businesses directly in the event that a business suffers a data breach that exposes a consumer’s personal information and that breach was caused by the business’ failure to use reasonable security measures,” Roane explains. That dovetails with a growing recognition that data is an important consumer asset that has long been overlooked and transferred to companies without remuneration.

Greater education around cybersecurity and data sovereignty will not only help consumers stay alert to ongoing threats — e.g., phishing emails — but also empower them to pursue and value more holistic solutions to information security and data sharing so that the incidence of ransomware attacks is lower and less severe when they do happen.

Bans rarely work, if for no other reason than enforcement is either physically impossible or prohibitively expensive. Giving in to ransoms is not ideal, but neither is penalizing the entity that is going through a crisis. What organizations need are better tools and techniques – and that is something that the cybersecurity industry, in collaboration with policymakers, can help with through new technologies and the adoption of best practices.

Christos Makridis

Christos A. Makridis is the Chief Technology Officer and Head of Research at Living Opera. He is also a research affiliate at Stanford University’s Digital Economy Lab and Columbia Business School’s Chazen Institute, and holds dual doctorates in economics and management science and engineering from Stanford University. Follow at @living_opera.

One year of Starmer: Nine charts that tell us whether Labour’s first year has been a success or failure

It might feel like it’s been even longer for the prime minister at the moment, but it’s been a whole year since Sir Keir Starmer’s Labour Party won a historic landslide, emphatically defeating Rishi Sunak’s Conservatives and securing a 174-seat majority.

Over that time, Sir Keir and his party have regularly reset or restated their list of milestones, missions, targets and pledges – things they say they will achieve while in power (so long as they can get all their policies past their own MPs).

We’ve had a look at the ones they have repeated most consistently, and how they are going so far.

Overall, it amounts to what appears to be some success on economic metrics, but limited progress at best towards many of their key policy objectives.

From healthcare to housebuilding, from crime to clean power, and from small boats to squeezed budgets, here are nine charts that show the country’s performance before and after Labour came to power, and how close the government are to achieving their goals.

Sir Keir Starmer has been in office for a year. Pic: Reuters

Cost of living

On paper, the target that Labour have set themselves on improving living standards is by quite a distance the easiest to achieve of anything they have spoken about.

They have not set a specific number to aim for, and every previous parliament on record has overseen an increase in real terms disposable income.

The closest it got to not happening was the last parliament, though. From December 2019 to June 2024, disposable income per quarter rose by just £24, thanks in part to the energy crisis that followed Russia’s invasion of Ukraine.

By way of comparison, there was a rise of almost £600 per quarter during the five years following Thatcher’s final election victory in 1987, and over £500 between Blair’s 1997 victory and his 2001 re-election.

After the first six months of the latest government, it had risen by £144, the fastest start of any government going back to at least 1954. As of March, it had fallen to £81, but that still leaves them second at this stage, behind only Thatcher’s third term.

VERDICT: Going well, but should have been more ambitious with their target

Get inflation back to 2%

So, we have got more money to play with. But it might not always feel like that, as average prices are still rising at a historically high rate.

Inflation fell consistently during the last year and a half of Rishi Sunak’s premiership, dropping from a peak of 11.1% in October 2022 to exactly 2% – the Bank of England target – in June 2024.

It continued to fall in Labour’s first couple of months, but has steadily climbed back up since then and reached 3.4% in May.

When we include housing costs as well, prices are up by 4% in the last year. Average wages are currently rising by just over 5%, so that explains the overall improvement in living standards that we mentioned earlier.

But there are signs that the labour market is beginning to slow following the introduction of higher national insurance rates for employers in April.

If inflation remains high and wages begin to stagnate, we will see a quick reversal to the good start the government have made on disposable income.

VERDICT: Something to keep an eye on – there could be a bigger price to pay in years to come

‘Smash the gangs’

One of Starmer’s most memorable promises during the election campaign was that he would “smash the gangs”, and drastically reduce the number of people crossing the Channel to illegally enter the country.

More than 40,000 people have arrived in the UK in small boats in the 12 months since Labour came to power, a rise of over 12,000 (40%) compared with the previous year.

Labour have said that better weather in the first half of this year has contributed to more favourable conditions for smugglers, but our research shows crossings have also risen on days when the weather is not so good.

VERDICT: As it stands, it looks like “the gangs” are smashing the government

Reduce NHS waits

One of Labour’s more ambitious targets, and one in which they will be relying on big improvements in years to come to achieve.

Starmer says that no more than 8% of people will wait longer than 18 weeks for NHS treatment by the time of the next election.

When they took over, it was more than five times higher than that. And it still is now, falling very slightly from 41.1% to 40.3% over the 10 months that we have data for.

So not much movement yet. Independent modelling by the Health Foundation suggests that reaching the target is “still feasible”, though they say it will demand “focus, resource, productivity improvements and a bit of luck”.

VERDICT: Early days, but current treatment isn’t curing the ailment fast enough

Halve violent crime

It’s a similar story with policing. Labour aim to achieve their goal of halving serious violent crime within 10 years by recruiting an extra 13,000 officers, PCSOs and special constables.

Recruitment is still very much ongoing, but workforce numbers have only been published up until the end of September, so we can’t tell what progress has been made on that as yet.

We do have numbers, however, on the number of violent crimes recorded by the police in the first six months of Labour’s premiership. There were a total of 1.1m, down by 14,665 on the same period last year, a decrease of just over 1%.

That’s not nearly enough to reach a halving within the decade, but Labour will hope that the reduction will accelerate once their new officers are in place.

VERDICT: Not time for flashing lights just yet, but progress is more “foot patrol” than “high-speed chase” so far

Build 1.5m new homes

One of Labour’s most ambitious policies was the pledge that they would build a total of 1.5m new homes in England during this parliament.

There has not yet been any new official data published on new houses since Labour came to power, but we can use alternative figures to give us a sense of how it’s going so far.

A new Energy Performance Certificate is granted each time a new home is built – so tends to closely match the official house-building figures – and we have data up to March for those.

Those numbers suggest that there have actually been fewer new properties added recently than in any year since 2015-16.

Labour still have four years to deliver on this pledge, but each year they are behind means they need to up the rate more in future years.

If the 200,000 new EPCs in the year to March 2025 matches the number of new homes they have delivered in their first year, Labour will need to add an average of 325,000 per year for the rest of their time in power to achieve their goal.

VERDICT: Struggling to lay solid foundations

Clean power by 2030

Another of the more ambitious pledges, Labour’s aim is for the UK to produce 95% of its energy from renewable sources by 2030.

They started strong. The ban on new onshore wind turbines was lifted within their first few days of government, and they delivered support for 131 new renewable energy projects in the most recent funding round in September.

But – understandably – it takes time for those new wind farms, solar farms and tidal plants to be built and start contributing to the grid.

In the year leading up to Starmer’s election as leader, 54% of the energy on the UK grid had been produced by renewable sources in the UK.

That has risen very slightly in the year since then, to 55%, with a rise in solar and biomass offsetting a slight fall in wind generation.

The start of this year has been unusually lacking in wind, and this analysis does not take variations in weather into account. The government target will adjust for that, but they are yet to define exactly how.

VERDICT: Not all up in smoke, but consistent effort is required before it’s all sunshine and windmills

Fastest economic growth in the G7

Labour’s plan to pay for the improvements they want to make in all the public services we have talked about above can be summarised in one word: “growth”.

The aim is for the UK’s GDP – the financial value of all the goods and services produced in the country – to grow faster than any other in the G7 group of advanced economies.

Since Labour have been in power, the economy has grown faster than European rivals Italy, France and Germany, as well as Japan, but has lagged behind the US and Canada.

The UK did grow fastest in the most recent quarter we have data for, however, from the start of the year to the end of March.

VERDICT: Good to be ahead of other similar European economies, but still a way to go to overtake the North Americans

No tax rises

Without economic growth, it will be difficult to keep to one of Chancellor Rachel Reeves’ biggest promises – that there will be no more tax rises or borrowing for the duration of her government’s term.

Paul Johnson, director of the Institute for Fiscal Studies, said last month that she is a “gnat’s whisker” away from being forced to do that at the autumn budget, looking at the state of the economy at the moment.

That whisker will have been shaved even closer by the cost implications of the government’s failure to get its full welfare reform bill through parliament earlier this week.

And income tax thresholds are currently frozen until April 2028, meaning there is already a “stealth” hike scheduled for all of us every year.

But the news from the last financial year was slightly better than expected. Total tax receipts for the year ending March 2025 were 35% of GDP.

That’s lower than the previous four years, and what was projected after Jeremy Hunt’s final Conservative budget, but higher than any of the 50 years before that.

The Office for Budget Responsibility (OBR) still projects it to rise in future years though, to a higher level than the post-WWII peak of 37.2%.

The OBR – a non-departmental public body that provides independent analysis of the public finances – has also said in the past few days that it is re-examining its methodology, because it has been too optimistic with its forecasts in the past.

If the OBR’s review leads to a more negative view of where the economy is going, Rachel Reeves could be forced to break her promise to keep the budget deficit from spiralling out of control.

VERDICT: It’s going to be difficult for the Chancellor to keep to her promise

OVERALL VERDICT: Investment and attention towards things like violent crime, the NHS and clean energy are yet to start bearing fruit, with only minuscule shifts in the right direction for each, but the government is confident that what’s happened so far is part of its plans.

Labour always said that the house-building target would be achieved with a big surge towards the back end of their term, but they won’t be encouraged by the numbers actually dropping in their first few months.

Where they are failing most dramatically, however, appears to be in reducing the number of migrants making the dangerous Channel crossing on small boats.

The economic news, particularly that rise in disposable income, looks more healthy at the moment. But with inflation still high and growth lagging behind some of our G7 rivals, that could soon start to turn.


The Data and Forensics team is a multi-skilled unit dedicated to providing transparent journalism from Sky News. We gather, analyse and visualise data to tell data-driven stories. We combine traditional reporting skills with advanced analysis of satellite images, social media and other open source information. Through multimedia storytelling we aim to better explain the world while also showing how our journalism is done.
