A former British security chief has reignited the perennial ransomware question: to pay or not to pay?
Ciaran Martin, who was the first-ever CEO of the UK’s National Cyber Security Centre (NCSC), answered emphatically in the negative. Yet Martin doesn’t only advise victims to hold onto their cash. He also wants to ban them from handing over the ransom.
Writing in today’s London Times, Martin called the intervention an “urgent task.”
“Ransomware is by far the most damaging cyber threat to most businesses right now,” he said. “We have to find a way of making a ransom payment ban work.”
It’s a proposal that’s regularly made, but rarely in such pressing circumstances.
In recent months, ransomware attacks have again surged in scope and complexity. A record sum of $1bn (€922mn) in cryptocurrency payments was extorted from victims last year, according to a report by Chainalysis. The NCSC also fears that AI will exacerbate the damage.
But is a ban the best solution? Opinions are divided.
The case against a ban on ransomware payments
To mitigate the threat, governments advise victims not to pay the ransom. They also recognise, however, that it can be the only viable option to keep businesses afloat and prevent devastating data leaks. As a result, politicians remain reluctant to prohibit the payments.
Industry insiders have raised similar concerns. Jake Moore, Global Cybersecurity Advisor at Slovakian firm ESET, warns a ban will create more problems than it solves.
“If the law is directing only one way, then companies can easily fold and the potential of livelihoods lost can make this a damning and forced decision,” he said.
A ban could also lead victims to pay ransoms illegally. They would then face problems not only with the hackers but also with the government, and the fact that they had broken the law would give criminals a new lever for blackmail.
“Although prevention is better than cure, there are still multiple cases where the only option has been to pay,” Moore said.
Moore’s view is common in the sector. But not everyone shares his perspective.
The case for a ban
A small but growing number of cybersecurity firms endorse the call for a ban.
Among the supporters is the anti-virus firm Emsisoft. In a recent blogpost, the company said government task forces, international coalitions, and law enforcement interventions have failed to tackle the problem. A blanket ban, Emsisoft argues, is the only way to quickly reduce ransomware volumes.
Brett Callow, a threat analyst at the firm, calls the alternatives “little more than building speed bumps and whacking moles.”
“For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them,” he said. “The only solution is to financially disincentivise attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”
Kevin Beaumont, a security researcher based in the UK, echoes the sentiment.
“This one needs firm leadership from the very top, as the lobbying against will be real,” Beaumont wrote in a December blogpost. “Civil society needs protection via firm leadership, not leadership by a small number of firms profiting from the status quo. This is a chance for world leaders to lead when others haven’t.”