Ransomware: Should paying hacker ransoms be illegal?

By Joe Tidy
Cyber reporter


A cyber-crime spree wreaking havoc around the world has reignited calls for governments to ban ransom payments to hackers.

Ransomware criminals are holding computer systems hostage on a daily basis, demanding large payments from victims to restore order.

The CEO of Colonial Pipeline has admitted his company paid hackers nearly $4.5m last week after their attack forced the firm to stop transporting fuel.

But research from Bitcoin analysts Elliptic suggests this is just a drop in the ocean.

Since last August, the hackers responsible, DarkSide, have made at least $90m in ransom payments from about 47 victims, Bitcoin records show.

And DarkSide is just one of at least a dozen prolific ransomware gangs making vast profits from holding companies, schools, governments and hospitals to ransom.

Image caption: Colonial Pipeline paid nearly $4.5m to DarkSide hackers within hours of being hacked

They work anonymously so are hard to track down.

And many operate in countries unwilling to arrest them.

Law-enforcement agencies

Ransomware attacks prevent victims accessing computer systems or data until a ransom is paid.

Law-enforcement agencies around the world are increasingly urging victims not to pay.

But paying ransoms is not illegal.

And many organisations pay in secret.

Now, the Ransomware Task Force (RTF) global coalition of cyber-experts is lobbying governments to take action.

It has made nearly 50 recommendations to curb the crime spree but couldn't agree over whether countries should ban ransom payments.

And we asked two members why.

'Banning payments would result in a pretty horrific game of 'chicken''

Rapid7 community and public affairs vice-president Jen Ellis says: "Most people agree, in an ideal world, the government would prohibit paying ransoms.

"Since ransomware is a profit-motivated crime, this would hopefully discourage the crime altogether.

"And no-one would be faced with funding organised crime.

"The problem is, we don't live in an ideal world.

"In the world we do live in, banning payments would almost certainly result in a pretty horrific game of 'chicken', whereby criminals would shift all their focus towards organisations which are least likely to be able to deal with downtime - for example hospitals, water-treatment plants, energy providers, and schools.

"The hackers may expect the harm to society caused by this downtime to apply the necessary pressure to ensure they get paid.

"They have very little to lose by doing this - and potentially a big payday to gain.

Image caption: Travelex reportedly paid REvil hackers more than $2m in Bitcoin, after a January 2020 ransomware attack

"Let's say the government creates a fund to support these organisations so they don't have to pay.

"If that happens, the attackers could then just switch their focus to small businesses and non-profit organisations which don't have the resources to protect themselves.

"They could face complete ruin if they don't pay.

"Faced with declaring bankruptcy, these organisations may consider making a payment in secret, which would then place them even further at the mercy of the criminals, who could threaten to publicise it.

"Overcoming these problems is not straightforward.

"It will take time, education, and sustained investment.

"Prohibiting payments is a great goal to shoot for.

"But we must be pragmatic in our approach to ensure we do not create significant economic and societal harm."

Video caption: Businesses are being held to ransom by callous cyber-criminals

'A payment ban would take some burden off organisations'

Cyber Threat Alliance president and chief executive Michael Daniel says: "The case for prohibiting ransom payments is clear.

"Ransomware attacks are primarily motivated by profit.

"And without profit, attackers will shift away from this tactic.

"Further, ransom profits are used to fund other, even more dangerous crime, such as human trafficking, child exploitation, and terrorism.

"Finally, payments beget more attacks, reinforcing the tactic's utility.

"No organisation wants to pay a ransom.

"Instead, they feel they have no choice, whether it's due to the threat of insolvency, reputational damage stemming from service interruptions, or the potential for loss of life or wide-scale economic disruption.

"Indeed, from a purely short-term, organisational viewpoint, paying a ransom is often an economically rational decision.

Image caption: Garmin reportedly paid about $10m to Evil Corp ransomware hackers, in August 2020

"We need to break this cycle and deprive the ransomware ecosystem of 'fuel'.

"A payment ban would take some burden off organisations, by removing payment as a legal possibility.

"As a result, well designed prohibitions would provide targeted organisations with leverage to push back against their attackers.

"Such prohibitions should not be implemented immediately.

"In fact, such bans should only be put in place after governments have established effective victim-support mechanisms.

"Payment prohibitions should be part of a broad-based campaign to improve prevention, deterrence, disruption, and response.

"Those arguing against bans make an excellent point about the potential heavy cost organisations attacked during a transition period could face, potentially even going out of business or facing enormous pressure to restore service.

"Therefore, for payment bans to achieve their intended effect, governments will have to provide companies with the resources and support to withstand these attacks."