Should governments make it illegal to pay ransomware demands? That’s the question being asked on a global scale, following a series of high-profile hacks that have impacted businesses, governments and organisations alike.
There are thought to be over a dozen highly prolific ransomware groups, hitting big businesses with incredibly lucrative demands. One of them, DarkSide, has made around $90 million in ransom payments – across 47 different victims – in just a matter of months. Among the worst-hit was Colonial Pipeline, which stumped up $4.5 million after hackers stopped it transporting fuel. What’s more, it was just a few hours between the hackers getting access and the ransom being paid.
All this has prompted renewed calls for governments to make it illegal for private companies to pay these demands. The theory is that, if faced with a potentially larger penalty from the authorities than the ransom itself, private companies will have no choice but to spurn the advances of their hackers. This leaves the hackers impotent and therefore, the theory goes, less likely to target these businesses in the first place.
However, some analysts have claimed that such a ban would only work in an ideal world – and would be much less effective in reality than some think. For example, a huge number of businesses already pay the ransoms in secret. If they’re able to continue doing so, they may consider trying to go under the radar to get their data back and not have to involve the authorities (as well as all the negative press this would involve).
It could also have much more grisly outcomes, as Jen Ellis, vice-president of community and public affairs at Rapid7, told the BBC.
“Banning payments would almost certainly result in a pretty horrific game of ‘chicken’, whereby criminals would shift all their focus towards organisations which are least likely to be able to deal with downtime – for example hospitals, water-treatment plants, energy providers, and schools.”
Ellis added that hackers would use the harm to society caused by such downtime to “apply the necessary pressure to ensure they get paid.” The hackers themselves have very little to lose, but potentially much to gain.
Supporters of such a ban say that one way to help make it effective would be for governments to justify their measures by providing organisations with the resources and support to withstand such attacks in the first place.