Ransomware ban backers insist thugs must be cut off from payday

Global law enforcement authorities’ attempts to shutter the LockBit ransomware crew have sparked a fresh call for a ban on ransomware payments to perpetrators.

Ciaran Martin, founding CEO of the UK’s National Cyber Security Center (NCSC), reiterated his stance on the matter a week after LockBit started to get back on its feet again following the efforts of Operation Cronos to bring its servers offline for good.

“Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way of making a ransom payments ban work,” he said.

LockBit recovered its online presence (albeit in a limited capacity at the time of writing) within days of Operation Cronos’ week-long embarrassment of the gang and weeks after the FBI flopped in its wrestling match for control over ALPHV’s infrastructure.

Martin’s comments reflect a growing belief in the cybersecurity community that a ban on ransom payments is the only way to disrupt the crime in the long term, despite the challenges that would come with such a move.

One of the foremost arguments against a ban is that prohibiting ransom payments would leave many businesses unable to recover their systems.

Jake Moore, global cybersecurity advisor at ESET, said: “Banning ransomware payments can often have further implications – and this is not the first time this idea has cropped up. Although prevention is better than cure, there are still multiple cases where the only option has been to pay. Being stuck between a rock and a hard place is no position any company wants to be in, but if the law is directing only one way, then companies can easily fold and the potential of livelihoods lost can make this a damning and forced decision.

“Although the long-term effects of banning ransom payments may sound idyllic, the path needed to navigate all companies to this ideal is going to be challenging, if not impossible. And then there is the inevitability that companies will still become a target and left with no other option.”

It’s an argument that those in favor of a ban acknowledge and appreciate: a compelling one, and one without a tangible answer right now.

Martin argues that a ban will only work if governments collaborate on establishing a framework of support for organizations that are attacked and don’t have the resources available to recover.

In a piece co-authored with Tarah Wheeler, CEO at Red Queen Dynamics, the pair pointed to the Troubles in Northern Ireland, a conflict that saw insurers refusing to cover businesses against bombings, meaning the government had to step in to offer the support that was needed.

“There may even be a case for financial support to affected businesses who don’t pay,” they wrote.

“That’s unusual, but an emergency situation requires unusual measures – and there can be no doubt that ransomware constitutes an emergency.”

The financial support described would have to persist for as long as ransomware does post-ban, which could be for years before the criminals get bored and move on to something more profitable. It would be a painful battle of attrition between organizations legally unable to pay and criminals draining their governments of support funds.

Establishing this support package would need to account for attacks on key services and critical infrastructure, where we’ve seen in the past that paying a ransom is often deemed the only solution for a fast recovery.

Other arguments against a ban are increasingly falling apart, Martin said.

“Terrible arguments have been made against a ban. One is that ‘it will drive the problem underground.’ Will company directors really knowingly break the criminal law? Other reasons are falling apart,” he opined in The Times.

Cybersecurity expert Kevin Beaumont agreed, saying: “A lot of the arguments against this fall apart with any basic level of scrutiny and are largely being made by people and orgs who directly or indirectly benefit from the status quo.

“Nothing should be off the table, and it may well help manage ransomware group’s targets if this option was very much on the table, in fact.”

It’s a take with which others have also concurred, such as Lisa Forte, partner at Red Goat Cyber Security, who said that small disruptions of ransomware gangs aren’t working, so the finances of ransomware must be the next target.

She also pointed to the 1991 law enacted by the Italian government to curb ransom payments to high-profile kidnappers – an endemic crime at the time.

The law saw the government seize control of all assets of a kidnapping victim’s family so they couldn’t be offered as payment, and it prohibited kidnapping ransom insurance policies.

It took a few years to work, but it did to a decent degree, although it’s believed some families simply stopped reporting kidnappings to avoid having their assets seized.

Strictly technical measures, such as trying to prevent attacks through adequate security products and controls, have been argued as ones that should be prioritized over a ban. Ensuring robust backups are in place is also a long-peddled solution, but neither is foolproof, clearly.

There are currently no plans to develop a legal ban on ransom payments from the governments of the Five Eyes nations.

Nearly 50 members of the Counter Ransomware Initiative (CRI), which includes the UK, US, Japan, India, and Israel, all vowed to not pay ransoms in October 2023, although this of course isn’t legally binding.

The ongoing debates linger against a background of growing cyber extortion rates, according to security shop Emsisoft, which pegged last year’s average extortion payment at $1.5 million.

The New Zealand-based company is another proponent of a ransom payment ban. Brett Callow, threat analyst at Emsisoft, told The Register at the start of the year that it’s probably the only solution to the perpetual issue. ®