The average ransomware payment in 2023 is $1.5 million, up from $812,000 a year prior. Organizations attacked by a ransomware gang face a stark choice: pay or do not pay. For years there have been discussions of how to stop the payments, but the proposals have been too extreme; now is the time for a reasonable plan to ban ransomware payments. Even without a ban, new technologies and other efforts have already cut the share of victims who pay from 76% in 2019 to near 40% today.

This major drop is encouraging, but the rate is unlikely to get near zero until governments begin the process of banning ransomware payments to dissuade the remaining victims from paying. There are three imperatives for government to take these steps:

  1. The Moral Imperative — The rational decision for many individual victims is to pay the ransom, but that payment gives the criminals the resources to commit additional crimes. This is a classic Kantian moral imperative: we should act only in ways we could will everyone else to act. Organizations, and particularly corporations, cannot always make decisions this way, because their duties run to shareholders, customers and employees rather than to society at large. Therefore government must step in and push for the decision that is better for society, or we create a downward spiral toward a kleptocracy.
  2. The National Security Imperative — Nation states have been using ransomware to attack companies and institutions they wish to punish, and criminal syndicates aligned with nation states have been funding their work through ransomware. Russia, China, Iran and North Korea all use ransomware gangs to exploit organizations and, directly or indirectly, fund their operations.
  3. The Economic Imperative — Even in cases that involve neither national security nor critical infrastructure, ransomware payments are a pure drain on legitimate economies and further fund criminal activity.

How do we ban ransomware?

Criminal penalties are the first thing most people think of when it comes to banning ransomware payments. There is, however, a wide range of options, not mutually exclusive, for making payment illegal or more difficult. To keep this short, I am leaving out any discussion of regulating cryptocurrency to make payment harder; that is a possibility as well, but it adds another level of complexity. Areas in which to build a ban include, but are not limited to:

  • Reporting payments — The U.S. Congress has already done this for critical infrastructure with CIRCIA, which will go into effect in 2024. The U.S. Securities and Exchange Commission is requiring publicly traded companies to disclose material cybersecurity incidents, including ransomware. While helpful in tipping the scale, reporting alone does little to change the payment decision, and we have already started seeing criminals use the push for transparency as leverage, threatening to expose companies that have not yet disclosed an incident.
  • Government oversight of security programs — Governments could require that companies that pay ransoms enter a program under which their security program is overseen in the future. The U.S. Federal Trade Commission has an extensive history of 20-year consent decrees that provide regulatory oversight of companies that fail to protect consumers' data. Governments could build similar programs for companies that make ransomware payments. This is not a trivial cost to add, and it could alter whether payment is still the rational choice.
  • Fines — Governments could levy fines against companies that pay ransoms. This would require an economic analysis of the tipping point at which a fine becomes the deciding factor between paying and not paying. Except in extreme circumstances, fines set above that point would change the decision a company makes about payment.
  • Criminal charges — Generally, I do not like the idea of turning victims into criminals in order to tip the scale toward non-payment. That said, there could be cases where criminal charges are appropriate: if an organization hides a payment to avoid fines or other penalties, or conspires with the criminals in some way, criminal penalties could be warranted.

Should there be exceptions or exemptions?

While it would be preferable to develop a structure that needs no exceptions or exemptions for companies or other entities, there may be national security or other reasons why payment is actually preferable to non-payment in a particular case, and the penalties created might not be appropriate there.

It will likely be necessary for a regulator, law enforcement official, or special panel to review requests for ransomware payment exceptions case by case, until we have created a situation in which non-payment is the rational decision. The more we learn about these cases and what they involve, the better equipped we will be to see where legitimate grounds for exemption emerge.

Ari Schwartz
