In an era where digital threats are always looming, ransomware casts a particularly long and ominous shadow for organizations. For the criminals behind these attacks, ransomware is a huge and highly lucrative business with many groups using double extortion tactics; exfiltrating data alongside encrypting systems to pile on more pressure.
With the rise of ransomware showing no signs of slowing, there is a drive from authorities, and some businesses, for more radical options to eradicate the problem. Since most attacks are motivated by money, cutting off the flow of payments has often been touted as one of the most direct solutions.
A recent report by Emsisoft highlighted the growing number of attacks on vulnerable sectors like healthcare and called for a ban on meeting ransom demands. On a larger scale, The International Counter Ransomware Initiative (CRI), an alliance of 50 countries working together against the threat, is aiming to implement national bans on ransomware payments.
So, how feasible is a blanket ban on payments, and is it likely to act as a deterrent to ransomware gangs who are prepared to take ever more audacious measures to extort money from victims? And in the meantime, how can organizations stop attacks in their tracks and avoid being put in the position to make a payment in the first place?
Why ransomware is reaching a crisis point
We have spent the last few years carefully tracking reported ransomware incidents and the results paint a grim picture – a range of relentless attacks with a particularly devastating impact on vulnerable sectors like healthcare and education.
Worse still, the volume of attacks is increasing; in nearly every month of 2023, the number of reported attacks was higher than the year before and, in some months, the volume had more than doubled year-over-year. It’s worth noting that this only accounts for publicly disclosed ransomware incidents that can be readily tracked – many companies will quietly pay off their attacker in the hope of reducing the reputational damage, although new SEC disclosure requirements may change this.
Like most criminals, ransomware gangs are motivated by making the most profit with the least effort, and so they naturally gravitate to targets that seem more likely to pay up. Sectors such as healthcare, education and the public sector, which often lack resources for effective security, are increasingly bearing the brunt of this threat.
Healthcare is uniquely at risk because the consequences of cyberattacks can escalate into threats against human life. The risk is highlighted by research from the University of Minnesota School of Public Health, which estimates that roughly one American died every month between 2016 and 2021 due to delays and errors caused by attacks.
These aggressive tactics, and the intentional targeting of critical infrastructure, are paying off for the threat actors. Findings from Sophos indicate that roughly half (46%) of ransomware victims in the last two years met the ransom to restore system access, a sharp increase from 2020 when just 26% of victims met payments. While paying up may seem like a viable option for companies facing an operational meltdown, it also helps sustain the cycle of cyberattacks.
With so many businesses still conceding to criminals’ demands, it's no wonder the gangs continue to see ransomware as one of their most reliable and lucrative ventures. So, can a payment ban help to reverse this trend?
The case for banning ransomware payments
Making ransomware payments are not illegal in the US yet, although the advice from authorities is always that businesses should not engage with criminals. Still, it looks increasingly likely that an official ban may be law in the future. CRI members have met multiple times to discuss and implement steps against ransomware gangs and their cause is growing; their latest meeting in November 2023 saw 11 new member nations, as well as INTERPOL joining the initiative.
These activities have included mentorship between members, a commitment to assisting each other when critical sectors are hit by ransomware, and the creation of a blacklist of illicit digital wallets known to be used by ransomware actors.
But the centerpiece is undoubtedly the joint statement that member governments should not pay ransoms. Notably, the language is suggestive, using "should not" rather than "will not", but it's still an encouraging step towards a united front against ransomware actors.
By cutting off the financial incentive, we can significantly diminish the appeal of these attacks. As soon as ransomware stops acting as a reliable revenue source, the business model will collapse, and the flood of attacks should begin to dry up.
Why organizations are still responsible for fighting ransomware
While an international ban on meeting payment demands would make ransomware a less attractive option for criminals, it's a complex endeavor with multiple practical and legal challenges. Authorities will need to monitor illicit payments and penalize non-compliance. Crucially, this will need to work smoothly across multiple international borders, with no loopholes or safe havens for either criminals or their victims to work around.
With all this in mind, nobody should expect a meaningful ban on payments to come into effect overnight. As such, organizations cannot afford to take their eye off the ball and still very much need to take matters into their own hands. Dealing with ransomware requires the resolve for long-term planning – paying up seems like an easy short-term solution but will only continue the cycle of attacks.
Most ransomware attacks involve tactics designed to deceive employees and security systems alike, so firms must have strong identity and access management capabilities. This includes password management, multifactor authentication (MFA) and pursuing policies like least privilege and Zero Trust.
A solid recovery plan is important so that ransomware victims can restore their encrypted data with backups rather than give in to the demands.
However, the vast majority of ransomware attacks, 90%, now involve data exfiltration, so relying on backups as a means to combat attackers is not enough. Restoring a system from backup will do nothing to stop criminals from leaking or selling stolen data, so the focus here needs to be on preventing theft from occurring with anti-data exfiltration (ADX) solutions.
Collective action against ransomware, from international agreements to individual organizational policies, reflects a commitment to a safer cyber future. It's a journey that demands resilience, adaptability, and unwavering vigilance. A ransomware payment ban would strike a powerful blow against the gangs laying siege to our society, but it must be part of a broader cybersecurity strategy, not a standalone solution.
