Banning Ransomware Payments Brings New Challenges

Bans intended to stop victims from paying cyber criminals and cut off lucrative profit streams bring plenty of practical difficulties and risks that attackers will redouble focus on the most vulnerable entities.

Cyber criminals will keep making ransomware attacks as long as they see profits outweigh the effort and risks. Some states have responded by prohibiting state and local government entities from paying the extortionists — a move North Carolina and Florida took in 2021 and 2022, respectively, and which several others have mulled as well.

State bans like these keep taxpayer money from funding cyber crime, but such small-level, standalone prohibitions are unlikely to have a big impact on the ransomware problem, said Jen Ellis — Institute for Security and Technology (IST) adjunct senior policy adviser and Ransomware Task Force co-chair — in response to a Government Technology question during an IST webinar yesterday.

A nationwide ban applying to both public- and private-sector victims would reach farther, however, and past years have seen cyber researchers debate the pros and cons. Deputy National Security Adviser Anne Neuberger said in May that federal officials had “grappled” with the question of whether to ban most extortion payments while allowing the federal government to grant waivers.

If the U.S. means to do so, there are plenty of risks and challenges to consider, cyber experts said during yesterday’s webinar.

Those challenges begin with introducing and rolling out such a policy.

Silas Cutler is an adjunct senior cyber threat adviser at IST and a principal reverse engineer at cybersecurity company Stairwell. He worried that busy small-business owners may not be keeping up with the latest cybersecurity legislation and could accidentally commit a crime if they pay after a hypothetical ban passes. That would give cyber attackers leverage to keep extorting the businesses in exchange for keeping the fact of the payment quiet.

Another concern is attackers are likely to respond to a payment ban by testing how well it sticks. Attackers may intensify their focus on the victims most likely to feel compelled to pay, such as small- to medium-sized businesses — which may not be able to stay afloat during an interruption to their operations — and essential service and critical infrastructure providers where “disruption isn’t really an option,” Ellis said.

Silas Cutler, Jen Ellis, Jason Kikta and Marc Rogers discuss ransomware trends and concerns during an IST webinar.

In her May comments, Neuberger raised the idea of a federal policy that let entities request permission to pay, so that vital services providers like major hospitals could get back up and running fast.

But offering waivers might just highlight those entities to attackers, said Jason Kikta, adjunct senior technical adviser at IST and CISO for endpoint security company Automox. Threat actors might fixate on those entities, whether with ransomware or other strategies for making money off them.

“All we're doing is teaching them [that] this is the soft underbelly, this is what we really truly care about — go after that,” he said. “They're going to look at who gets to pay and who doesn't get to pay, and they're just going to look for more things that look like that.”

Plus, waiver request management could become an administrative nightmare.

Kikta tried to figure out just how many waiver requests federal officials would need to evaluate. Using data from threat and risk intelligence services company eCrime.ch, he counted the unique organizations in the U.S. known to have been victimized by data extortion or ransomware so far this year. The result works out to an average of slightly more than eight organizations per day of the work week.

Of course, the eCrime.ch data likely underestimates the victim count, because not all incidents are known. But given that not all organizations will seek waivers, the notion that federal officials could face eight waiver requests a day may still be roughly accurate, he said.

Federal officials would likely need to make their waiver determinations quickly — within 24 hours — to prevent a backlog and stay on top of developing situations, Kikta said. But decision-making could be a complicated process to complete rapidly.

“This has to be legal due process to make that decision of ‘you are allowed to pay’, ‘you are not permitted to pay,’” Kikta said. “There’s going to be a lot of factors going into that — companies are going to have to prepare these packages, and if it doesn't go their way, they're going to sue.”

Adding pressure is the fact that officials could see new waiver requests come in unpredictably, at the last moment. That’s because some victims may plan against paying only to discover “at the eleventh hour” that they’re unable to restore their systems from backups and so would need to pay up to maintain their operations.

Kikta, who previously served in U.S. Cyber Command, recalled one company that had tested various backup restoration processes and believed it could rebound from a ransomware attack, only to realize at the last minute that it had never tested restoring the entire company all at once. It discovered that bringing everything back simultaneously at its data rates would take months, far longer than the organization could withstand.

Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.