Ransomware Dilemma: To Pay or Not to Pay? Link to heading

“To ban or not to ban, that’s the tough question currently under debate by lawmakers around the world in response to the skyrocketing rate of ransomware attacks on businesses, government agencies, and other organisations.” (Carr, 2022). Ransomware attacks are becoming increasingly frequent in the business world as more organisations are targeted, with their data being held hostage for payment. Before delving into the depths of this debate, it is important to establish a solid understanding of what ransomware payments are. According to the Australian Cyber Security Centre, “Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them. A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files. Cybercriminals might also demand a ransom to prevent data and intellectual property from being leaked or sold online.” (Australian Government).

Ransomware significantly disrupts business operations and has severe economic repercussions. Some major ransomware attacks and their estimated economic losses include WannaCry ($4 billion), TeslaCrypt (unknown), NotPetya ($10 billion), Sodinokibi ($200 million), SamSam ($6 million), and the Colonial Pipeline Ransomware Attack ($4.4 million) (James, 2023). These attacks have had a severe impact on society, highlighting the need for effective guidelines and policies. Unfortunately, “Policies and legislation in place to cover these kinds of things and stop them from happening are severely outdated or non-existent.” (Wheeler & Martin, 2021). The lack of robust legislation stems from the contentious nature of the ransomware debate, leaving the question of “To ban or not to ban” still a very open-ended discussion.

The primary argument in favour of banning ransomware payments is that paying these ransoms perpetuates the ransomware problem. “It’s a simple matter of supply and demand: If hackers know organisations in a state or country are prohibited from making ransom payouts, they’ll focus their attacks elsewhere” (Carr, 2022). When ransomware payments are made, attackers learn that the targeted organisations are willing to pay, thereby encouraging further attacks. This point was discussed during the 54th Hawaii International Conference on System Sciences, which noted, “Ransomware payments produce one clear outcome: they enrich organised crime and rogue states who can then use the funds to develop more harmful technologies, circumventing government and corporate cyber security controls. Studies have shown that payment of ransoms effectively encourage and facilitate future ransomware attacks and increases the intensity and frequency of ransomware attacks” (Dey & Lahiri, 2021). According to this journal, the inevitable result of ransomware payments is the perpetuation and escalation of future attacks. As highlighted, “organisations start paying their attackers, they also end up encouraging these ‘bad’ guys to come back for more, amplifying in the process the risk of future attacks on everyone, including themselves” (Dey & Lahiri, 2021).

Fleming Shi supports this argument, stating, “Ransom payments fuel the efforts of the cyber criminals. Hackers use that money to become more capable, commit more crimes, and expand their operations” (Shi, 2020). Payments directly fund and empower further criminal activities, making the cycle of ransomware attacks more frequent and severe.

Emsisoft further supports this argument by stating, “Organisations are currently providing cybercriminals with a multi-billion-dollar revenue stream – which is entirely funded by the public, albeit indirectly – and it makes absolutely no sense to permit this situation to continue. The best way to protect organisations from ransomware attacks and to protect individuals from the consequences of those attacks is to make it illegal for organisations to pay ransoms. This would stop the attacks, and stop them quickly” (Lab, 2020).

However, an argument against this perspective is the difficulty in halting ransom payments. Even if these payments are made illegal, there is no clear indication that attacks will stop, especially not immediately. Emsisoft acknowledges this challenge, stating, “To be clear, a prohibition would not be pain-free. While the criminals would eventually give up, they would not do so immediately and organisations that were successfully attacked during that interim period would not have the option of paying to recover their data. But it is a case of short-term pain for long-term gain. The alternative is our hospitals and other public and private sector organisations being attacked year after year, resulting in the disruption of critical services and, inevitably, in more lives being lost” (Lab, 2020). In their view, the long-term benefits clearly outweigh the short-term consequences.

One company that has taken a stand against ransomware payments is Latitude. In March 2023, Latitude fell victim to a cyberattack, resulting in the theft of data belonging to 14 million customers. On April 11th, Latitude announced its decision with a statement: they “will not reward criminal behaviour, nor do we believe that paying a ransom will result in the return or destruction of the information that was stolen,”. “In line with advice from cybercrime experts, Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks” (Croft, 2023). Latitude recognised the adverse effects that paying the ransom would have not only on their customers but also on the wider community.

Clare O’Neil expanded on this perspective, stating, “The idea that we’re going to trust [hackers] people to delete data that they have taken off and may have copied a million times is just frankly silly. They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals. We’re standing strong as a country against this, we don’t want to fuel the ransomware business model” (Croft, 2023). Wayne Tufek, CyberRisk’s Director of Cybersecurity, further supported this stance, telling The Australian that “making ransom payments illegal would act as a deterrent for criminals to continue attacks if they know that they won’t be paid large sums of money” (Croft, 2023).

These views were integral to Latitude’s decision-making process. Banning ransomware payments appears to be the most effective solution: it prevents rewarding criminals, discourages further attacks, and stops the perpetuation of cyberattacks on businesses. So why have governments not yet implemented legislation to support this?

There are several compelling reasons why ransomware payments should not be banned. Implementing a blanket ban is not a straightforward solution. Criminal activities perpetrated by hackers are already illegal, and they will likely find ways to circumvent such a ban. The Senior Security Advisor at Sophos articulated this concern: “I don’t know that [banning ransom payments] is necessarily an answer. I was thinking about this the other day: If we make ransom payments illegal, as a cybercriminal I’ll just charge you a ‘consulting fee.’ It’s not going to be an extortion payment – it’s going to be a consulting fee to help you get your network to its previously operating condition. Or I’ll just use intermediaries or shell companies or whatever. There are ways around that legally, and they’re criminals – they don’t care. They’re already breaking one law; they don’t care if they’re breaking a second law” (SOPHOS, 2020).

There is no guarantee that implementing a ban would effectively stop ransomware attacks. It is unrealistic to assert that banning ransomware payments will prevent all future incidents. The adaptability of cybercriminals means they will continually seek and exploit new methods to achieve their objectives.

Although banning ransomware payments may decrease the number of attacks, the resulting attacks could become more complex and pose higher risks to companies. Electricity giant AGL states, “Banning ransomware payments, while likely to reduce the number of ransomware attacks, could have dire consequences” (Croft, 2023).

There is also the issue of service disruptions for businesses. The data or services held for ransom are often critical to the organisation’s operations. Sometimes, these are essential services that need to be restored immediately. Megan Brown, former counsel to the U.S. Attorney General and current cybersecurity lawyer, argues that in many scenarios, it is better to pay the ransom. She states, “The people who are absolutists—‘It’s immoral to pay the ransom’—should tell that to a medical practice that can’t schedule surgery. Or a company that cannot access its critical files, can’t provide service, and the company’s going to die. So, let’s say your company gets hit with a crippling ransomware attack. You can’t get your backups to work, and all your data is encrypted. If you don’t pay the ransom, are you fulfilling your fiduciary duty? If you can save the company for hundreds of thousands in bitcoin, then what’s the rational action for that fiduciary to take? In many instances, it’s to pay” (Carr, 2022).

AGL also supports this view, as expressed in their 2023-2030 Australian Cyber Security Discussion Paper: “Prohibiting the payment of ransom or extortion demands may reduce the volume of attacks. However, such a prohibition may result in potentially avoidable catastrophic damage, harm to the community, loss of life, disruption of essential services or disclosure of sensitive information. In some circumstances and for some organisations, the payment of a ransom demand may be the only path to achieving acceptable outcomes” (Croft, 2023).

AGL believes that Australia’s cybersecurity infrastructure is not yet up to the standard it should be, making it premature to enforce legislation banning ransom payments. Instead, they suggest that the federal government “should, for now, focus strongly on discouraging organisations from paying ransom demands, but acknowledge that there are situations where payments may be the best option.” Additionally, the “Government can take a more active leadership role to help victim organisations and individuals to make better informed decisions on whether to pay a ransom, with consideration given to all relevant matters, including consequential harms across stakeholder groups” (Croft, 2023).

One of the strongest arguments against paying ransoms is the lack of assurance that paying will result in the full return of data and services. There is simply no guarantee. The FBI addressed this issue in a public service announcement in 2019, stating, “The FBI does not advocate paying a ransom, in part because it does not guarantee an organisation will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key. Paying ransoms emboldens criminals to target other organisations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers” (FBI, 2019). The FBI acknowledges that banning ransom payments is not a comprehensive solution, though they advise against paying the ransom. It is a case-by-case scenario, making it impractical to enforce a blanket rule for all situations.

“Whichever path you choose – pay or not pay – it may take time to return to normal operations. You should take steps to maintain your organisation’s essential functions according to your business continuity plan” (Ey, 2020). Ultimately, the decision to pay or not to pay a ransom depends on the specific circumstances of each case. There is no universal solution to ransomware attacks; each scenario is unique and requires careful consideration to ensure the best outcome for the organisation, its stakeholders, and the broader community. Thoughtful discernment and strategic planning are essential in navigating the complexities of ransomware incidents to minimise harm and safeguard critical functions.

References Link to heading

Carr DF (2022) Should ransomware payments be illegal?: Endpoint. Tanium. Available from: https://www.tanium.com/blog/should-ransomware-payments-be-illegal/

Croft D (2023a) Prohibition of ransomware payments could have dire consequences, says AGL. Cyber Security Connect. Available from: https://www.cybersecurityconnect.com.au/policy/8974-prohibition-of-ransomware-payments-could-have-dire-consequences-says-agl#:~:text=%E2%80%9CProhibiting%20the%20payment%20of%20ransom,or%20disclosure%20of%20sensitive%20information

Croft D (2023b) Push to outlaw ransomware payments ignites following latitude’s refusal to pay. Cyber Security Connect. Available from: https://www.cybersecurityconnect.com.au/industry/8911-push-to-outlaw-ransomware-payments-ignites-following-latitude-s-refusal-to-pay

Culafi A (2020) Should ransomware payments be banned? experts weigh in: TechTarget. Security, TechTarget. Available from: https://www.techtarget.com/searchsecurity/news/252490335/Should-ransomware-payments-be-banned-Experts-weigh-in

Dey D and Lahiri A (2021) Should we outlaw ransomware payments? - scholarspace.manoa.hawaii.edu. Available from: https://scholarspace.manoa.hawaii.edu/server/api/core/bitstreams/551673d1-1749-446f-b9cb-6516b38b3158/content

Ey (2020) Ransomware: To pay or not to pay? EY Australia, EY. Available from: https://www.ey.com/en_au/consulting/ransomware-to-pay-or-not-to-pay

Government A by the A (n.d.) Ransomware. Ransomware | Cyber.gov.au. Available from: https://www.cyber.gov.au/threats/types-threats/ransomware#:~:text=It%20works%20by%20locking%20up,being%20leaked%20or%20sold%20online

Internet crime complaint center (2019) (IC3): High-impact ransomware attacks threaten U.S. businesses and organizations (n.d.) Internet Crime Complaint Center (IC3) | High-Impact Ransomware Attacks Threaten U.S. Businesses And Organisations. Available from: https://www.ic3.gov/Media/Y2019/PSA191002

James N (2023) 10 of the biggest ransomware attacks in history. Astra Security Blog. Available from: https://www.getastra.com/blog/security-audit/biggest-ransomware-attacks/

Lab EM (2020) Enough is enough: Woman’s death highlights the need for a ban on ransom payments. Emsisoft. Available from: https://www.emsisoft.com/en/blog/36948/enough-is-enough-womans-death-highlights-the-need-for-a-ban-on-ransom-payments/

Ransomware: New legislation should criminalise making ransomware payments (2021) Ashurst. Available from: https://www.ashurst.com/en/news-and-insights/insights/ransomware-new-legislation-should-criminalise-making-ransomware-payments/

Shi F (2020) Ransomware attacks: Why it should be illegal to pay the ransom. Dark Reading. Available from: https://www.darkreading.com/risk/ransomware-attacks-why-it-should-be-illegal-to-pay-the-ransom

SOPHOS (2020) The State of Ransomware 2020. Available from: https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf

Wheeler T and Martin C (2021) Should ransomware payments be banned? Brookings, Brookings. Available from: https://www.brookings.edu/techstream/should-ransomware-payments-be-banned/