Ransomware ban backers insist thugs must be cut off from payday

Global law enforcement authorities' attempts to shutter the LockBit ransomware crew have sparked a fresh call for a ban on ransomware payments to perpetrators. Ciaran Martin, founding CEO of the UK's National Cyber Security Center (NCSC), reiterated his stance on the matter a week after LockBit started to get back on its feet …

  1. Anonymous Coward
    Facepalm

    The National Cyber Security Centre (NCSC)

    “The National Cyber Security Centre (NCSC) is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats.”

    Like: don't click on a URL or open an email attachment /s

  2. VicMortimer Silver badge
    Facepalm

    Yes, there needs to be a ban. And it needs to not just be a fine for companies that pay, it needs to come with prison time for the CEO.

    No, there does NOT need to be any corporate welfare to go with it. I'm sure the usual suspects would love that, but for-profit companies do not deserve help for being stupid.

    1. usbac

      Yeah, I was about to comment on the corporate welfare part.

      So the idea is that if a company doesn't want to spend the money to do security right, taxpayers will just come along and bail them out? That sounds like a typical government solution. Spend someone else's money...

    2. ChoHag Silver badge

      It will never happen but ...

      If the compensation is inversely proportional to your application of security practices: if you're using telnet and http then you get nothing.

  3. Natalie Gritpants Jr

    Sometimes doing nothing is the correct answer

    An effective ban on paying ransom is about as likely as an effective ban on ransomware, it relies on every country agreeing and implementing an effective ban. It's probably easier for a desperate company to pay a ransom via some shady intermediaries than it is to actually perform the cyberattack in the first place. It's a shame when companies get hit, but they should be prepared for it, and there is no excuse for not having a tested disaster recovery process.

    10 do_backup
    20 test_backup
    30 goto 10

    1. Andy Non Silver badge

      Re: Sometimes doing nothing is the correct answer

      "it relies on every country agreeing and implementing an effective ban."

      No it doesn't. If country X bans paying ransoms then the scammers will quickly get the message and just concentrate on countries Y and Z. They aren't going to waste their time and effort in a country where they won't be paid. Other countries would be likely to follow the example if successful. As someone else mentioned, paying a ransom in country X should mean the CEO of that company goes to jail. It would be very difficult for larger companies especially to hide payments to scammers without also fiddling their accounts too, opening them up to an even bigger can of worms if their accounts are audited.

      1. Michael Wojcik Silver badge

        Re: Sometimes doing nothing is the correct answer

        You clearly don't know how ransomware organizations operate.

        They're franchises. Infections are performed by "affiliates", most of whom are low-skilled skiddies. They'll attack anyone in their sights, even if the probability of a payoff is low. Infecting is cheap; it's profitable even with a very low rate of return. Increasingly the process is automated, making it even cheaper and less subject to the whims of attackers, defenders, or governments.

        Meanwhile, it's entirely plausible that companies would find ways to pay ransoms under the table.

        The idea that forbidding payments would have any significant effect is a pipe dream. And comparing it to kidnapping — a very difficult, expensive, and risky crime — as the article does is nonsense.

    2. DS999 Silver badge

      Re: Sometimes doing nothing is the correct answer

      All you need is basically the NATO countries plus China, India, and Japan. Other countries like Israel or Brazil would be a bonus but even that list would so erode profitability that ransomware would no longer be worth it versus those criminals doing other criminal things. You don't have to eliminate every penny it can earn, just make it earn so little that the guys doing it can make more doing something else.

  4. Headley_Grange Silver badge

    "banning ransom payments would leave many businesses unable to recover their systems." This might be true if there were no way to protect those systems, which is not the case. It might be impossible to guarantee 100% that your systems won't suffer an attack and exfiltration of your data but there's plenty of existing security and recovery tech and procedures out there to reduce the impact of an attack.

  5. Flocke Kroes Silver badge

    Solution to "Cannot recover without paying"

    The solution for handling companies that would not survive a payment ban has been around since life started on this planet and was published decades ago by Darwin. If a company goes out of business because of a ransomware attack it can go bankrupt and be replaced by companies that are either not vulnerable or can recover using backups.

    My response to the idea of a government bailout for ransomware victims is a stream of bad language that would legitimately result in strong action from the moderators.

    The Italian system of confiscating the wealth of victims so they cannot pay up is interesting. For the time being I would leave it as a threat: this is what will happen if companies try to sneak payments around a ban.

    1. Anonymous Coward

      Re: Solution to "Cannot recover without paying"

      That's pretty much what I came to say. If the company can't afford to have backups of their IT systems, they can't afford to stay in business. Paying criminals shouldn't even be on the table.

      One "halfway" option would be to require all ransomware payments to be public (with jailtime and 100x payment amount as fine if not publicly disclosed within 10 days of payment), but add a 10x payment amount as a fine. Want to pay because it's the only way you can stay in business? Guess how much it'll really cost you. Now do your backups PROPERLY this time!

  6. Marty McFly Silver badge
    Black Helicopters

    The answer is Psyops

    Go ahead and pay the ransom. Get the key. Decrypt your data.

    However, announce publicly that the key did NOT work. The ransomware attackers failed to hold up their end of the deal. Data was lost. Money was wasted. The decryption tools do not work, don't bother paying for them. Explain the quick return to productivity as recovered backup data the attackers missed. Then keep your mouth shut.

    Heck, they don't even need to be attacked. A few conniving CISOs could put together a secret plan before the 2nd round of drinks hits the table. Stage a few outages to non-mission critical systems and do some press releases over the period of a few weeks. The minute the rest of the world believes the payments don't work, the market will dry up.

    1. Claptrap314 Silver badge

      Re: The answer is Psyops

      Not as horrible an idea as paying ransoms, sure. But it will only be marginally effective.

    2. S4qFBxkFFg

      Re: The answer is Psyops

      Although I think the ban is better, I do like this idea; no-one is going to believe the ransomware gangs after all, if they even do protest.

  7. IGotOut Silver badge

    Stupid advice from an "expert."

    "Martin argues that a ban will only work if governments collaborate on establishing a framework of support for organizations that are attacked and don't have the resources available to recover."

    Absolutely no fucking way.

    Do you think

    A) They will make 100% sure that they are protected as much as possible, with good strong security teams, and a good solid plan for recovery, or

    B) they will go "Who cares, the taxpayer will bail us out. Investing in all that IT stuff cuts into my stock holding payouts"

    As for using the Troubles in Northern Ireland as an example, that's just a piss poor example. If you'd like to explain how a company or person was to take reasonable measures against either Republican or Loyalist terrorists killing you or blowing up your property, other than trying to keep your head nice and low, feel free to explain.

    1. Headley_Grange Silver badge

      Re: Stupid advice from an "expert."

      NI is a very poor example, given that many businesses during the Troubles were also paying protection money to the paramilitaries of both sides.

      I think that national standards on data protection, annual audits and criminal offences for bosses that prioritize profits over good practice would be a start. The government would be better off investing in a pen-testing department than bailing out companies.

  8. Retiredwatcher

    Payment options

    Is the issue not that Bitcoin is a great way to hide where the money goes? Without that, surely the money would be more difficult to launder?

    1. druck Silver badge

      Re: Payment options

      Exactly, you don't need to ban payments, just the method used in 100% of payments.

  9. ChoHag Silver badge

    > "an emergency situation requires unusual measures – and there can be no doubt that ransomware constitutes an emergency."

    It's not an emergency. We've known about it for decades. It's a Disaster, from which you can Recover if you Plan for it.

    It's very usual.

  10. Chris Evans

    Governments paying the criminals?

    "It would be a painful battle of attrition between organizations legally unable to pay and criminals draining their governments of support funds."

    Surely the support funds are to help the organisations who were targeted recover WITHOUT paying the ransom?

  11. Michael Wojcik Silver badge

    Astonishingly naïve

    One is that 'it will drive the problem underground.' Will company directors really knowingly break the criminal law?

    I have to wonder if Mr Martin has ever followed the news.

    Forbidding payments is a useless gesture. It's security theater as legislation.

    It does not significantly alter the motivation to attack, because attacking is extremely cheap and largely conducted by affiliates who are strongly motivated. It does not significantly alter the motivation to pay, because the whole point of ransom payments is that they're difficult to trace.

    And as the entire ransomware industry becomes increasingly automated — which is more or less inevitable because of the economic advantages — it won't matter even if all payments were prevented, because the bot armies are not sensitive to the rate of return.

    As always, this particular line of argument only demonstrates which "security experts" are any good at security thinking.

    1. Anonymous Coward

      Re: Astonishingly naïve

      "Not getting paid" would significantly alter the motivation to attack. Doesn't matter how cheap it is, if your rate of return is 0%.
