Government urged to ban ransom payments to cybercriminals

'That is the urgent task to which the British and other governments should apply themselves,' says former head of NCSC

Ciaran Martin, the founding CEO of the UK's National Cyber Security Centre (NCSC), has renewed calls for a ban on ransom payments to hackers, likening the practice to financing terrorist activities.

In an opinion piece for The Times, Martin underscored the urgency of implementing such a ban to curtail the flourishing $20 billion criminal ransomware industry. He argued that rewarding criminality only serves to incentivise further attacks.

"Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way of making a ransom payments ban work," Martin said.

"That is the urgent task to which the British and other governments should apply themselves."

Ransomware attacks have surged in recent months, with reports indicating a record $1 billion in cryptocurrency payments extorted from victims last year alone, according to Chainalysis.

A survey conducted by Proofpoint revealed that approximately 58% of businesses faced with such attacks opt to pay the ransom, with British companies displaying an even higher propensity at 82%.

While some people may oppose the idea of banning ransom payments, citing concerns over victim criminalisation and the practicality of enforcement, Martin remains steadfast in his stance.

He proposes a collaborative effort among governments to establish a support framework for affected organisations, potentially including financial assistance for those unable to recover from attacks.

Jake Moore, global cybersecurity advisor at ESET, cautioned against the unintended consequences of a ban, including potential business closures and the risk of illegal payments leading to further legal repercussions for victims.

"Banning ransomware payments can often have further implications - and this is not the first time this idea has cropped up," Moore said.

He argued that while prevention is preferable, there are scenarios where paying the ransom may be the only viable option for businesses to survive.

"Being stuck between a rock and a hard place is no position any company wants to be in but if the law is directing only one way, then companies can easily fold and the potential of livelihoods lost can make this a damning and forced decision.

"There is also the potential of driving ransom payments underground to retrieve back access to data causing the potential of further demands on their victims after breaking the law in the process.

"Although the long term effects of banning ransom payments may sound idyllic, the path needed to navigate all companies to this ideal is going to be challenging, if not impossible. And then there is the inevitability that companies will still become a target and left with no other option."

Despite these reservations, a growing number of cybersecurity firms endorse the call for a ban on ransom payments.

Threat analyst Brett Callow stresses that as long as payments remain lawful, cybercriminals will continue to exploit them, necessitating a decisive prohibition to disincentivise attacks.

In the US, where ransomware attacks are rampant, state legislatures are exploring similar bans despite the federal government's cautious stance. The FBI, however, has expressed reservations, fearing that companies may opt to pay ransoms secretly, thus exposing themselves to further exploitation.

While the UK government has reiterated its stance against paying ransoms to cybercriminals, it highlights the importance of international collaboration in combating cyber threats.

A Home Office spokesperson reaffirmed the UK's commitment to tackling cybercrime, citing recent joint efforts to disrupt the activities of the Russian ransomware group LockBit.

"We have been clear that we do not pay ransoms to cybercriminals nor do we condone or recommend businesses or victims of cyberattacks doing so," the spokesperson said.

Last year, a coalition of 40 countries, led by the USA, pledged to never pay cybercriminal ransoms and to collectively work toward disrupting their financial systems.