And so, crypto became tightly regulated and tightly monitored by the government, losing its two big selling points.
US officials close to persuading allies to not pay off ransomware crooks
Top White House officials are working to secure an agreement between almost 50 countries to not pay ransom demands to cybercriminals as the international Counter Ransomware Initiative (CRI) summit gets underway in Washington DC Tuesday. "This was a really big lift, and we're still in the final throes of getting every last …
COMMENTS
-
Wednesday 1st November 2023 05:52 GMT DS999
Finally doing what I said they should do
Like five years ago when ransomware was starting to become a thing. Better late than never I guess!
It would have been so much easier to crack down on it back before it became so established. Now that it has been ingrained into the business world as a "cost" (you can even buy ransomware insurance!), there will probably be pushback from companies that are hit by it during the interim between the ban and the ransomware people giving up because it no longer pays. No doubt that will be painful for those so afflicted, but if they try to delay it or cheat their way around the ban it will only delay the day before ransomware becomes a thing of the past.
-
Wednesday 1st November 2023 11:00 GMT Lurko
Re: Finally doing what I said they should do
This could be a good thing, but the big question is what the vermin behind ransomware will turn their hand to next. They're clearly not going to go and get an honest job, their skills are in cyber-attacks, and they'll come up with ways to make money from those skills.
Ransomware and blackmail against individuals won't bring in sufficient money; blackmailing fellow criminal groups is likely to result in a very unpleasant death. Perhaps they'll move to short selling a company before making attacks on company operations to specifically take down the company and cause as much damage as possible?
-
Wednesday 1st November 2023 21:11 GMT doublelayer
Re: Finally doing what I said they should do
My guess: ransomware where they tell the victim that they need to avoid telling anyone that they've paid a ransom. While I support making payment of ransoms illegal, I don't think it will eliminate companies that find some way of doing it. After all, companies manage to pay bribes without writing "cost center: general corruption, item: bribe" on their balance sheet. I've been hoping that, since executives seem to be legitimately frightened about the risk from ransomware, it would mean more tested backups. Unfortunately, if it has, it hasn't been enough.
-
Thursday 2nd November 2023 06:08 GMT DS999
Re: Finally doing what I said they should do
If they make payment of ransoms illegal, and they pay ransoms anyway then they've broken the law. And not only broken the law but are part of a conspiracy because there would need to be multiple people involved to make that payment happen - at minimum the CEO to make the call to pay the ransom, the CFO or someone else with authority to transfer money from corporate accounts, plus someone of a techie bent who would know how to exchange the money they transferred into crypto so they can make the payment. Then assuming they even get the password to unlock their files they have to give that to their lower level IT people to decrypt everything (and they are going to wonder how they got the password if paying ransom is illegal...)
So you have multiple people who could squeal on the whole affair, or turn state's evidence if the Feds find out via e.g. watching money flows and seeing money come out of the corporate account and go to a crypto exchange. Obviously corporate leaders knowingly commit crimes all the time, but something that could be charged under RICO laws is a bad place to be since they could do real time if they're caught.
-
Thursday 2nd November 2023 16:54 GMT doublelayer
Re: Finally doing what I said they should do
I get it, and I think banning paying ransoms is a good idea. I'm just speculating on what could happen if they do it, and I can easily imagine a company starting up to consult on recovering from ransomware which ends up taking the money paid to them as "consulting fees" and using part of it to pay a ransom. The attacked company can then claim that they paid consultants to help get them up as quickly as possible and they had no idea what they did to make that happen. Not that it would necessarily work, but I wouldn't be surprised to see someone try it.
-
Thursday 2nd November 2023 18:43 GMT DS999
Re: Finally doing what I said they should do
Yeah I get what you're saying and there will be some cheating here and there. But if the success rate for ransomware payments drops by 98%, the ransomware guys will find something else to do like attacking crypto wallets on smartphones to steal bitcoin.
-
-
-
Thursday 2nd November 2023 16:13 GMT Jimmy2Cows
Re: Finally doing what I said they should do
It's only governments and their departments that have signed up to not paying ransoms. Unclear whether they will expect this from their contracted businesses, or indeed if they will make it illegal for anyone to pay ransomware.
Making it illegal would mostly kill it overnight. I'd fully support that. Sure, some companies would risk it. Plenty already break the law all the time, and usually don't get caught. Robust enforcement seems key, but how do you police it?
-
-
-
-
Wednesday 1st November 2023 15:53 GMT Anonymous Coward
Hold your horses there cowboy!
It's very easy to say 'Don't pay' but there are other legal responsibilities, specifically those due to the shareholders.
Paying a ransom incurs a cost, even if insured, but not paying can result in a total loss*. If that happens then there will be a long list of aggrieved shareholders and staff questioning whether the directors did everything in their power to save the company, which includes paying the ransom, and looking for compensation.
* Not that paying a ransom guarantees that the decryption keys will work as expected.
-
Wednesday 1st November 2023 17:47 GMT doublelayer
Re: Hold your horses there cowboy!
Which is why making it illegal clarifies things. If we agree that it's something people shouldn't do, then doing that removes that particular problem from company directors:
Shareholder: You're recovering from an attack, yes?
Director: Yes.
Shareholder: Why haven't you paid the attacker instead of this expensive recovery?
Director: That's against the law and the company could get fined if I did. What would that do for your shares?
Now I think the director has some pretty good reasons not to pay as it is, but just in case the shareholder is determined not to understand why those are good reasons, this makes it much easier to deal with. Of course, this agreement doesn't make it illegal for a company to pay a ransom, just government.
-
Thursday 2nd November 2023 16:05 GMT Jimmy2Cows
Re: Hold your horses there cowboy!
Shareholders should be far more concerned about the lack of an extensive and (here's the critical bit) regularly tested backup and DR plan. Business-crippling data loss is far more likely to occur through general kit failure, outright incompetence, or malicious internal actors, than via ransomware.
But that's "just IT and they already have a budget, so why do they need more money?"
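The "regularly tested" part of the backup argument above (and doublelayer's earlier point about tested backups) is the one that usually gets skipped. The following is an added example, not code from the thread or from any commenter: a minimal restore test that extracts a backup archive into scratch space and checks every file against a hash manifest recorded at backup time, so a backup that is silently corrupt, incomplete or already encrypted fails the test before it is needed. The archive layout (tar.gz with a `manifest.json` inside) and the sample file tree are assumptions constructed here for the demonstration.

```python
"""Restore-test a backup: extract it to scratch space and verify every file against
the manifest captured at backup time. Added example; archive layout is assumed."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name of the hash list stored inside the archive


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_archive(source: Path, archive: Path, manifest: dict) -> None:
    """Write the files listed in `manifest` plus the manifest itself to a tar.gz."""
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


def make_backup(source: Path, archive: Path) -> dict:
    manifest = build_manifest(source)
    write_archive(source, archive, manifest)
    return manifest


def verify_restore(archive: Path) -> dict:
    """Do a real restore into a throwaway directory and compare hashes.
    'ok' is True only if every manifest entry came back intact."""
    report = {"ok": False, "checked": 0, "missing": [], "mismatched": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(dest, filter="data")  # 'data' filter rejects path traversal (3.12+)
                except TypeError:
                    tar.extractall(dest)  # older Python: no filter argument
        except (tarfile.TarError, OSError) as exc:
            report["error"] = f"extract failed: {exc}"
            return report
        manifest_path = dest / MANIFEST_NAME
        if not manifest_path.is_file():
            report["error"] = "no manifest in archive"
            return report
        manifest = json.loads(manifest_path.read_text())
        for rel, expected in manifest.items():
            target = dest / rel
            if not target.is_file():
                report["missing"].append(rel)
            elif sha256_file(target) != expected:
                report["mismatched"].append(rel)
            report["checked"] += 1
    report["ok"] = "error" not in report and not report["missing"] and not report["mismatched"]
    return report


def demo() -> tuple:
    """Constructed sample data: back up a small tree and verify it, then build a
    backup whose content changed after the manifest was taken (the silent-corruption
    case a restore test exists to catch) and show it failing."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'ok');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        good = work / "good.tar.gz"
        make_backup(src, good)
        clean = verify_restore(good)

        stale_manifest = build_manifest(src)
        (src / "db" / "orders.sql").write_text("GARBAGE\n")  # simulate corruption
        bad = work / "bad.tar.gz"
        write_archive(src, bad, stale_manifest)
        tampered = verify_restore(bad)
    return clean, tampered


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of extracting for real rather than listing archive members is that a listing proves nothing about whether the data restores; running this on a schedule against the most recent backup, from a host that cannot modify the backup store, is the cheap version of the DR testing the comment calls for.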
-