The Institute for Security and Technology’s Ransomware Task Force threw cold water on the need for a ransomware payment ban in a recent report.
The nonprofit Institute for Security and Technology rejects the viability of a ransom payment ban for multiple reasons, including:
- Concerns about a ban’s impact on ransom payment reporting by victims.
- The potential to drive more payments underground.
- The unintended consequences and practical difficulties of critical infrastructure exemptions.
The education sector has reported the highest rate of ransomware attacks of any industry polled by Sophos, a U.K.-based cybersecurity firm. Additionally, in 2023, Sophos found that 47% of public and private K-12 institutions worldwide hit by a ransomware attack ended up paying the ransom to get their data back.
Schools are often vulnerable to ransomware attacks because they lack the resources to defend themselves. In recent years, major ransomware attacks have struck Los Angeles Unified School District, Minneapolis Public Schools, and Des Moines Public Schools in Iowa. In December 2022, Arkansas’ Little Rock School District revealed it had approved a $250,000 payment to end a ransomware incident and retrieve stolen data.
Rather than a ban, the RTF detailed 16 milestones it asserts would be “the most reasonable and effective approach to reducing payments.”
“While a ban may be an easier policy lift than activities designed to drive preparedness, it will almost certainly create the wrong kind of impact,” the RTF co-chairs said via email. “The number of organizations making payments is declining, which suggests we’re on the right path.”
Most of the RTF’s recommendations are already in place, under development or at least partially underway. All but one of the proposals were originally shared in a report the group released in September 2021.
“Unfortunately, most organizations still have little in the way of cyber resilience and are woefully underprepared for cyberattacks such as ransomware,” the RTF co-chairs said via email. “Implementing a ransom payments ban will not change that and it is not an instant off switch for attackers. They will continue to launch attacks knowing that organizations lack sufficient defenses or mitigations.”
Two of the primary efforts RTF is calling for were completed or advanced in the last couple of years. Publicly traded companies must now report material cyber incidents and disclose their cyber governance and risk management strategies to the Securities and Exchange Commission.
The Cybersecurity and Infrastructure Security Agency’s proposed rule for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 will compel upwards of 316,000 U.S. critical infrastructure owners, operators and suppliers to divulge covered cyber incidents within 72 hours and ransom payments within 24 hours. The final rule is due within 18 months of the proposal.
Organizations are already prohibited from making ransom payments to individuals or entities sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control, and OFAC applies that prohibition on a strict-liability basis, so a payer can face civil penalties even if it did not know the recipient was sanctioned.
Ban proposals falter under policy debates
Debates and policy discussions aimed at curtailing ransomware activity have shifted over the past 18 months as ample evidence emerges that current efforts to deter ransomware aren't working.
Ransomware victims in the U.S. paid $1.5 billion in ransoms between May 2022 and June 2023, a senior administration official said in November. Almost 5,200 organizations were hit by ransomware attacks in 2023, according to Rapid7.
The Biden administration decided against an outright ban on ransom payments in September 2022, but White House officials revived the potential policy change in mid-2023 through the International Counter Ransomware Initiative.
Disputes over the best path forward continue.
Brett Callow, threat analyst at Emsisoft, who kicked off the year calling for a complete ban on ransom payments, remains a stalwart proponent of the measure.
The RTF contends that ransomware attacks haven’t decreased in states such as Florida and North Carolina that previously introduced such bans, but Callow disagrees with that argument because it is limited in scope.
“State-level bans do not necessarily reduce the number of attacks. Russia-based cybercriminals may well not realize that a state has a ban, or even that an organization is in that state. However, that does not mean the bans are pointless,” Callow said via email.
“While attackers may not be aware of state-level bans — and so do not cease attacks — they absolutely would be aware of a federal-level ban that applied nationally,” Callow said.
Instead of introducing a strict extortion payment ban on organizations hit by ransomware attacks, the RTF is calling for resolve and a commitment to redouble efforts already underway.
The group is helmed by eight co-chairs, including former cyber authorities such as Kemba Walden, who served as acting national cyber director throughout most of 2023 and is now president of Paladin Global Institute.
Anna Merod contributed to this story.