A major cybersecurity company is urging governments to forbid all organizations in their countries from paying ransomware gangs, arguing it would at least make crooks shift from hitting critical infrastructure providers such as hospitals, utilities and schools.
Emsisoft made the plea Monday in releasing final — and record — ransomware numbers for 2023 for the number of organizations hit.
Just over 2,200 U.S. hospitals, schools, and governments were directly impacted by ransomware, the company said, with many more being indirectly impacted via attacks on their supply chains. Additionally, thousands of private sector companies were either directly or indirectly impacted. The number of victim organizations is likely much higher; the numbers gleaned by Emsisoft are ones that can be confirmed. Many organizations — in every country around the world — don’t report successful cyber attacks.
“The only viable mechanism by which governments can quickly reduce ransomware volumes is to ban ransom payments,” Emsisoft argues. “Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop.”
“Were there to be a ban, we believe that bad actors would quickly pivot and move from high-impact encryption-based attacks to other less disruptive forms of cybercrime. It would really make no sense for them to expend time and effort attacking organizations which could not pay. Additionally, bad actors already do attack healthcare providers, local governments, and other custodians of critical infrastructure – relentlessly, day in, day out – and it’s far from certain that they would have either the incentive or the resources to attack them any more frequently.”
A ban would not need to stop all payments, Emsisoft argues. It would simply need to stop enough to ensure that ransomware ceased to be profitable and, as most companies would abide by the law, this would likely be achieved.
In 2022, Emisisoft notes, both North Carolina and Florida banned public sector entities from paying demands. “As far as we are aware, no entity in either state has experienced catastrophic data loss as a result of the ban, and nor have any experienced unusually excessive downtime.”
We reached out to Canadian-based Emsisoft threat researcher Brett Callow with two questions about banning ransomware payments:
First, why would a ban on ransomware payments would stop a gang from attacking organizations? Wouldn’t gangs continue stealing and encrypting data, and then threatening to embarrass the organization into capitulating? “The aim wouldn’t be to stop all cybercrime,” Callow replied, “it’d be to stop disruptive encryption-based attacks. And, yes, a decrease in ransomware could well mean an increase in business email compromise and other forms of cybercrime. But those other forms don’t put people’s lives at risk.”
Second, if paying crooks is banned, isn’t there a risk organizations will ease off on cybersecurity. They would think, ‘Crooks know I won’t pay to get data back, so I won’t be a target any more.’ Callow replied that governments have many legal and regulatory tools to make organizations invest in cybersecurity. For example, he noted that recently New York’s Attorney General secured US$450,000 from U.S. Radiology Specialists, Inc. (US Radiology) for failing to protect its patients’ personal and healthcare data.
Last year, 48 countries, including Canada and the U.S., agreed their national governments shouldn’t give in to ransomware demands. The promise came at the end of the third annual meeting in Washington of the International Counter Ransomware Initiative (CRI).
“CRI members affirmed the importance of strong and aligned messaging discouraging paying ransomware demands and leading by example,” the group said in a statement.