The Push to Ban Ransom Payments Is Gaining Momentum

Although ransomware attacks represented just 17 percent of all cyberattacks in 2022, they cost victims an estimated $30 billion in 2023. According to IBM’s Cost of a Data Breach 2023 report, the average cost of these attacks is $5.13 million, and that doesn’t even begin to cover the complete cost of the disruptions, including lost business, reputational damage, and the extensive resources required for recovery and remediation.

It used to be that companies with reliable data backups could recover from these attacks unscathed, but modern ransom tactics layer on additional extortion threats, such as publishing sensitive data, or attacking the victim’s customers or business partners.

Companies that pay ransoms also aren’t guaranteed anything in return. Nowhere has this been more clear than in the recent high profile attack on UnitedHealth Group, with estimated costs to the company expected to reach $1 billion. UnitedHealth confirmed they paid a $22 million ransom, only to be targeted for extortion again by another ransomware group that claimed to have been cheated out of their payment. During a House hearing, UnitedHealth representatives estimated that a third of Americans’ personal health information was stolen in that attack.

Ransomware’s Relentless Grip Continues as Payments Fuel More Attacks#

The healthcare sector, in particular, is increasingly a prime target of these attacks, due to the critical nature of their services, frequently outdated systems, and the high value of sensitive data.

In March 2024, the Lurie Children’s Hospital in Chicago was hit by a ransomware attack and the Rhysida ransomware gang claims to have sold patient data on the dark web for $3.4 million. Lurie serves an estimated 239,000 pediatric patients in the midwest every year, treating cancer and blood disorders. During the cyberattack, the hospital was forced to take its entire computer network offline and cancel a number of appointments and elective surgeries, delaying care for patients who are in critical need of timely treatment.

Ransomware attacks on educational institutions saw a 70% increase in 2023 from the previous year, for similar reasons to healthcare - outdated systems and access to a trove of sensitive data. Approximately 90% of these attacks target schools in the U.S. and the U.K.

Some ransomware gangs have even published stolen data, including mental health records and files from sexual assault investigations. After the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom, the attackers published confidential documents that include sexual assault records, and reports on psychiatric hospitalizations, abusive parents, truancy, and suicide attempts.

Attacks on the financial sector often receive disproportionate media attention, but the severe financial and emotional impact of ransomware on institutions that serve vulnerable populations can be just as devastating. A shift towards a culture that refuses to pay ransoms is on the horizon, fueled in part by the realization that paying only emboldens attackers who cripple children’s hospitals and government agencies without regard to the suffering left in their wake.

UK Moves to Discourage Ransom Payments: New Proposal Would Mandate Incident Reporting and Licensing for Extortion Fees#

The UK’s cybersecurity agency recently made a major move towards extinguishing ransom payments and undermining the profitability of the ransom business model. In new guidance co-sponsored by the National Cyber Security Centre (NCSC) and three major UK insurance providers, the UK is strongly recommending against ransomware victims paying ransom demands.

“The NCSC does not encourage, endorse or condone paying ransoms, and it’s a dangerous misconception that doing so will make an incident go away or free victims of any future headaches,” NCSC CEO Felicity Oswald said. “In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing.”

Although the new guidance ultimately leaves the decision whether to pay the ransom to the victim, it aims to reduce:

• disruption and cost to businesses
• the number of ransoms paid by UK ransomware victims
• the size of ransoms where victims choose to pay

Uniting insurance agencies and the NCSC on this guidance is a major step towards changing the cultural response to ransom demands and may pave the way for an eventual ban on ransom payments.

In another major move this week, the British government is proposing mandatory incident reporting from ransomware victims along with the requirement to obtain a license before making any extortion payments. The policy is in its earliest stages and subject to public consultation for 12 weeks before it has the possibility of being enforced.

UK officials have been under pressure to disrupt ransomware activity, which has increased every year for the past five years. This would be a strong move that may make UK institutions a less lucrative target, if ransomware gangs know that they may be tied up in bureaucracy before getting paid.

Momentum Builds for Banning Ransom Payments#

Ciaran Martin, former head of the National Cyber Security Centre, advocated for banning ransom payments in a March 2024 article in The Times, comparing it to paying terrorist kidnappers. The state doesn’t pay when public entities are hacked, and Martin recognized the challenge for private companies needing a framework for support before a ban could be successful.

The British Library, one of the largest libraries in the world, found out exactly what happens when you don’t pay the ransom demanded by attackers. It was hailed for its exemplary response to a ransomware attack in October 2023, where the Rhysida gang demanded a ransom of 20 bitcoin, at the time around £596,000, to restore services and return the stolen data. The library took approximately six months to resume operations and was forced to use 40 percent of its financial reserves, approximately £6–7 million, to recover from the attack.

The British Library published the details of its recovery process in an 18-page incident review, which identifies a number of lessons that were painfully learned in this attack and might be useful to other organizations that also maintain no option to capitulate to extortion demands.

Emisoft is one of the first cyber security vendors to call for a ban on ransom payments, despite the company potentially benefitting from the prevalence of these attacks. In their 2023 State of Ransomware in the U.S. Report, Emisoft emphasizes the critical need to eliminate the profitability of ransomware attacks:

We believe that the only solution to the ransomware crisis – which is as bad as it has ever been – is to completely ban the payment of ransoms. The only viable mechanism by which governments can quickly reduce ransomware volumes is to ban ransom payments. Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop.

Yes, banning payments may cause problems in the short-term for some victims, but not banning them causes even more problems, and it causes them long-term and for everybody. It ensures that organizations will continue to be attacked, that hospitals, schools and government services will continue to be disrupted, that the U.S. will continue to take a multi-billion dollar economic hit, and, most significantly, that ransomware will continue to be a risk-to-life threat.

Security researcher Kevin Beaumont, who is cited in the report as a proponent of a ban, commented on Mastodon about how unpopular this idea is in the cybersecurity industry.

“I only came off the fence about looking seriously about banning payment late last year and boy is there pushback in private, I keep getting told I’ll kill the golden goose,” Beaumont said.

“In an industry which thinks it is (cyber) punk - about challenging systems etc - the most controversial thing I’ve apparently said or done is raised this one. It is the elephant in the room, it is allowing the industry - including me - to fail upwards. I wish it wasn’t controversial to point this out.”

Beaumont said one of the defining things he has seen at every organization where he has discussed ransomware preparedness, is that “they have spent more time deciding if and how they would pay a ransom - who gets the call, the CEO, the board etc - than actually preparing cyber resilience. Organizations are discussing the wrong thing first because it’s seen as completely normal to pay. That’s all our fault.”

US Ransomware Task Force Outlines a Roadmap to Potential Prohibition of Ransomware Payments#

Last October, the US and a consortium of 48 countries, the European Union, and Interpol, pledged to no longer pay ransoms, a hard-fought agreement that aims to disrupt the ransomware business model and promote international cooperation in combating cybercrime. Making it a criminal offense to pay ransoms is still a controversial idea but the US is slowly moving towards that goal.

The attack on Change/UnitedHealth reignited the movement to ban ransom payments after Americans experienced the sting of disruption and a cash crunch at hospitals, health clinics, and pharmacies.

Kemba Walden, former national cyber director from February-November 2023, said during a House Financial Services subcommittee hearing that the US isn’t in a “place where the American economy is resilient enough to withstand” a prohibition on companies making ransom payments, despite the payments not guaranteeing a satisfactory resolution for the victim.

“The profits are still too high and the costs are still too low,” Walden said. “So we need to shift that balance, and there are a number of policy options that we can take in order to get to the point where profitability is no longer a motivator for ransomware actors.

“If we banned ransomware payments today, we could bankrupt the very small- and medium-sized businesses that the American economy relies upon. Think rural hospitals that serve four or five municipalities; those can go bankrupt. What we need to do is prepare for the worst — prepare those organizations to be more resilient against ransomware attacks, because a ban on payments is not going to stop the attacks from happening, but it will starve those businesses.”

Walden is part of the US Ransomware Task Force, which published a Roadmap to Potential Prohibition of Ransomware Payments in April 2024. The document outlines several downsides to a payment ban, along with recommended milestones before the US would be prepared for such a ban.

We recognize that ransomware actors are inherently profit-motivated, and therefore a ban on payments could eventually result in less criminal activity. However, for several reasons detailed below, we believe a ban on payments under current circumstances will likely worsen the harms both for direct victims and, in turn, for society and the economy. In cases where bans have been introduced in limited ways (e.g., governments prohibiting themselves from paying ransoms), there has not been a clear decrease in ransomware attacks against these entities.

Even in the most proactive jurisdictions, the task force estimates that progress towards a ban is still several years away.

Meanwhile, the states are taking action on their own. North Carolina was the first state to prohibit public entities from paying ransoms in 2022, and the legislation also prohibits communication with ransomware criminals. Similarly, Florida’s Cyber Security Act prohibits a county or a municipality experiencing a ransomware incident from paying or otherwise complying with a ransomware demand. Arizona, Pennsylvania, New York, Tennessee, and Texas have introduced similar legislation that has not yet been enacted.

The bill proposed in New York seeks to extend penalties to private entities as well, with a $10,000 penalty for any governmental, business, or health care organization that makes a ransomware payment. In this instance, such a nominal fine may be less of a deterrent. It essentially ensures the state gets its cut of the incident payouts when a victim decides to pay the ransomware gang.

Prosecuting ransomware victims for trying to pay their way out of these incidents is still a tough pill to swallow in hopes of systemic change across the ransomware landscape. Even though payments create more resources and incentive for ransomware gangs and perpetuate their attacks, law enforcement currently has limited resources to combat this criminal behavior, let alone prosecute the victims.

While organizations still widely lack a successful framework against ransomware, progress towards a ban on payments will require overcoming significant obstacles and making incremental advances. States adopting a more radical approach to deterring ransom payments will lead the way to a more resilient future where the scourge of ransomware can no longer cripple essential services and bleed companies for billions of dollars every year.