Should the payment of a ransom be criminalized?
As with most questions of such importance, the answer is heavily nuanced. Right now, organizations hit by ransomware must weigh many factors when deciding how to respond, and criminalizing ransomware payments would at least remove any confusion about the legal position of those who opt to pay. Directors of affected organizations currently need to consider sanctions regulations, anti-money-laundering (AML) regulations, and terrorist-financing legislation. These are complex areas, and clear-cut legal guidance on how they apply to a ransom payment is hard to come by.
And in the few instances where the law is clear-cut on this topic, it tends to tilt toward criminalization—at least in individual US states. North Carolina became the first US state to ban public agencies from paying ransomware demands. Florida has since adopted similar legislation. Other state legislatures, too, have considered laws restricting ransomware payments.
The single most significant outcome of paying a ransomware demand is the enrichment and encouragement of the existing cybercriminal ecosystem. We have seen this in the growth and professionalization of ransomware operations. Every payment further incentivizes investment in new ransomware tooling and new threat actors (including state-sponsored activity). Criminalizing ransomware payments removes that option from the disaster-response toolbox, in the hope of starving this ecosystem of funds.
One could make the case that criminalization would also force organizations to give closer attention and greater funding to the identification, management, and protection of their most critical assets, and to their overall security posture. Consider that a victim organization's most effective response to a successful ransomware attack is to restore from backups. Over the past decade of rampant ransomware, organizations of every size have learned that an effective, regularly tested backup strategy, with copies kept isolated from the production network, is non-negotiable in today's threat landscape.
The problem is that criminals are also aware of this relatively effective "Get out of jail free" card. They now seek access to backups as well, so that those can be encrypted or destroyed before the main attack is launched. And they continue to adapt their tactics rapidly, increasingly moving to a "hack and leak" strategy, where the threat is no longer loss of access to data but its exposure and distribution.
Whereas the "hack and leak" aspect of ransomware originated as secondary leverage alongside the encryption attack, those roles are now switching. In some cases, encryption is being abandoned altogether because it carries a high development and maintenance overhead and offers diminishing returns. After all, when an organization faces the threat of a simple leak of stolen data, restoring from backups does not help: nothing has been encrypted, and there is nothing to restore.
Organizations should now be looking at wide-scale deployment of dynamic network segmentation, together with liberal use of encryption of data at rest, in transit, and in use. These technologies, still woefully under-deployed, are highly effective at making data difficult to reach and exfiltrate (let alone leak). One caveat a practitioner should keep in mind: encryption at rest protects against theft of the underlying storage, not against an attacker who has compromised an account that is entitled to read the data, since the system will decrypt it transparently for that account. That is why segmentation and least-privilege access controls matter as much as the encryption itself.
Still, best practices aren't always practiced. The criminalization of ransomware payments could well force the payment of ransoms underground, creating regulatory and legal problems for businesses at the moment they are least equipped to deal with them. Further punishing the victim of a criminal act attacks the issue from the wrong direction.
Instead, we should be focusing on the financial systems that make the paper trail so opaque. As emerging cryptocurrency regulations come into effect, the identities of both senders and receivers of cryptocurrency transactions should become clearer, forcing criminals to think again about their cashing-out strategies.
In situations where data cannot otherwise be recovered, and where its continued absence could force a company out of business, a critical service offline, or even have life-and-death consequences, the option to pay should remain on the table as a very last resort.