July 8, 2024 By Jonathan Reed 3 min read

The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands?

The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the issue of ransomware is top of mind for all cyber professionals, especially the director of CISA. For now, it looks like making ransomware payments a punishable offense is not going to happen.

Even more telling is that Easterly’s answer was made during an interview with Ciaran Martin, the former head of the U.K.’s National Cyber Security Centre. Earlier this year, Martin had called for a ban on all ransomware payments in an article she wrote for The Times newspaper.

So, should paying ransomware be banned or not?

Banning ransomware payments: More harm than good?

The Ransomware Task Force for the Institute for Security and Technology has also chimed in on the topic. The task force stated that placing a ban on ransomware payments in the U.S. at the current time will make it worse for victims, society and the economy. Small businesses typically cannot withstand a lengthy business disruption and might go out of business after a ransomware attack.

Additionally, if a ban was enforced, it could hamper the wider response to ransomware threats. If companies faced penalties for paying, they might be tempted to make ransomware payments secretly. This means accurate data about ransomware variants and threat intelligence would suffer.

Explore ransomware protection solutions

Fake ransomware rescue services

Other obstacles to a ransomware payment ban include fake “data recovery” firms. These scammers claim to be able to recover stolen data or crack encryption. But in reality, the alleged rescuers negotiate with ransomware gangs on the side, essentially paying the ransom and then charging the victims a fee. If ransomware payments were banned, these shady operations would likely increase.

Fight the good fight

Some say banning ransomware payments outright could be thought of as capitulation. It sends the message that the security community has no other means to thwart ransomware attacks. Instead, the federal government is mandating the reporting of cyber incidents, such as with the recent Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). By improving ransomware reporting rates, security teams can learn more about how attackers operate and share threat intelligence. This type of digital solidarity is believed to be more effective than trying to face these threats alone.

Law enforcement efforts should also be supported and ramped up in response to the ongoing ransomware threats. The LockBit ransomware-as-a-service gang is one example of a big win that brought intruders to justice.

Plus, there are efforts such as CISA’s pre-ransomware notification initiative, which aims to reduce risk by alerting organizations of early-stage ransomware activity. The initiative generated more than 1,200 pre-ransomware notifications in 2023.

The U.S. government also champions secure-by-design. At Oxford Cyber, Easterly said, “I do think we’ve made a difference, but I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a Secure-by-Design campaign,” said Easterly. “We cannot expect businesses that don’t have huge security teams to be able to secure that infrastructure unless that technology comes to them with dramatically reduced numbers of vulnerabilities.”

Setting priorities against ransomware

It’s no secret what the U.S. government feels is the best course for fighting ransomware—the plans are being laid out explicitly. They include stricter incident reporting standards, continued law enforcement efforts, shared intelligence, collaborative efforts and secure-by-design. For now, penalties for paying ransom aren’t part of the official game plan.

However, many entities, including IBM, strongly discourage paying ransomware. Instead, follow best practices and check out IBM’s Definitive Guide to Ransomware.

More from News

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Hackers are increasingly targeting auto dealers

3 min read - Update as of July 11, 2024 In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace. Car buyers who recently bought a car from…

A proactive cybersecurity policy is not just smart — it’s essential

3 min read - It’s easy to focus on the “after” when it comes to cybersecurity: How to stop an attack after it begins and how to recover when it's over. But while a reactive response sort of worked in the past, it simply is not good enough in today’s world. Not only are attacks more intense and more damaging than ever before, but cyber criminals also use so many different attack methods. Zscaler ThreatLabz 2024 Phishing Report found that phishing attacks increased by…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today