Experts echo calls to ban ransomware as LockBit rallies • The Register


Attempts by global law enforcement to shut down the LockBit ransomware team have sparked renewed calls for a ban on ransomware payments to perpetrators.

Ciaran Martin, founding CEO of the UK’s National Cyber Security Centre (NCSC), reiterated his stance on the issue a week after LockBit began getting back on its feet following Operation Cronos, the law enforcement effort to take its servers offline permanently.

“Ransomware is by far the most damaging cyber threat to most businesses today. We need to find a way to make banning ransom payments work,” he said.

LockBit regained its online presence (albeit in a limited capacity at the time of writing) days after Operation Cronos, which had given the gang a week of embarrassment, and weeks after the FBI lost its tussle with ALPHV for control of that gang’s infrastructure.

Martin’s comments reflect a growing belief within the cybersecurity community that a ban on paying ransoms is the only way to disrupt crime in the long term, despite the challenges this would bring.

One of the most important arguments against a ban is that outlawing ransom payments would leave many companies unable to recover their systems.

Jake Moore, Global Cybersecurity Advisor at ESET, said: “Banning ransomware payments can often have other implications, and this is not the first time this idea has come up. While prevention is better than cure, there are still many cases where it is the only option. Being stuck between a rock and a hard place is not a situation any business wants to find itself in, but if the law does not allow it, then businesses can easily go bankrupt, and the potential for lost livelihoods can make this a roadblock and a forced decision.

“While the long-term effects of banning ransom payments may seem idyllic, the path to guiding all businesses toward this ideal will be difficult, if not impossible, not least for those with no other option.”

It’s an argument that proponents of a ban recognize and appreciate, and one that remains compelling in the absence of a tangible solution at this time.

Martin argues that a ban will only work if governments work together to establish a framework of support for organizations that are under attack and lack the resources to recover.

In an article co-written with Tarah Wheeler, CEO of Red Queen Dynamics, the pair pointed to the unrest in Northern Ireland, during which insurers refused to cover businesses against bomb attacks, meaning the government had to step in to provide the necessary support.

“There could even be reason to provide financial support to the affected companies that do not pay,” they wrote.

“It’s unusual, but an emergency requires unusual measures – and there’s no doubt that ransomware is an emergency.”

The financial support described would need to persist for as long as ransomware persists after it is banned, which could take years, until criminals get bored and move on to something more profitable. It would be a painful battle of attrition between organizations legally unable to pay and criminals draining government support funds.

Any such support program would also have to account for attacks on key services and critical infrastructure, where paying a ransom has in the past often been seen as the only route to rapid recovery.

Other arguments against a ban are increasingly falling apart, Martin said.

“There have been terrible arguments made against a ban. One is that ‘it would drive the problem underground.’ Are business leaders actually knowingly breaking criminal law? Other reasons fall apart,” he wrote in an opinion piece at the time.

Cybersecurity expert Kevin Beaumont agrees, saying: “Many of the arguments against this fall apart with any basic level of scrutiny and are largely made by people and organizations who directly or indirectly benefit from the status quo.

“Nothing should be off the table, and it could well help manage ransomware group targets if this option was indeed on the table.”

It’s a view that others have also subscribed to, such as Lisa Forte, partner at Red Goat Cyber Security, who said that small disruptions of ransomware gangs don’t work, and that ransomware finances must therefore be the next target.

She also discussed the 1991 law passed by the Italian government to restrict ransom payments to kidnappers, kidnapping being a crime endemic in Italy at the time.

Under the law, the government took control of all assets of a kidnapping victim’s family so that they could not be offered as payment, and insurance policies covering kidnap ransoms were banned.

It took a few years for this to work, but it was effective to a decent extent, although it is believed that some families simply stopped reporting kidnappings to avoid having their property seized.

Some have argued that strictly technical measures, such as preventing attacks through adequate security products and controls, should take priority over a ban. Ensuring that robust backups are in place has also long been marketed as a solution, but it is clearly not a complete answer either, not least because backups do nothing to blunt the leverage of stolen data held for extortion.

Five Eyes governments currently have no plans to legislate a ban on ransom payments.

Nearly 50 members of the Counter Ransomware Initiative (CRI), which include the UK, US, Japan, India and Israel, pledged in October 2023 not to pay ransoms, although the pledge is of course not legally binding.

The ongoing debates linger amid rising rates of cyber extortion, according to security shop Emsisoft, which pegged last year’s average extortion payout at $1.5 million.

The New Zealand-based company also supports a ban on ransom payments. Brett Callow, threat analyst at Emsisoft, told The Register at the start of the year that a ban is probably the only solution to this perpetual problem. ®
