UK to ban ransomware payments by public sector organizations

The UK government is proposing to "ban" public sector organizations and critical national infrastructure from paying criminal operators behind ransomware attacks, under new measures outlined today. This means the NHS, local councils and schools – all of which have been in the crosshairs of various miscreants in recent years – …

  1. LVPC Bronze badge

    >> Kev Breen, senior director of cyber threat intelligence at Immersive, said of the government’s measures today: “If the option is to recover quickly by paying, versus not being able to recover because you're banned from doing so, the temptation may be to pay and simply not report it.

    Of course he would say that - but he's a fool to think any organisation will be able to avoid anyone leaking info about an illegal ransomware payment.

    Because if it cuts down on ransomware, he has less work for "threat intelligence." Just make paying a ransom illegal and be done with it already. Maybe then people will do proper backups.

    1. Juillen 1

      It's not just about backups. It's about doing forensics, then analysing repeated copies of backups until you're absolutely sure that there are ones that aren't affected, then also getting data selectively restored on top of that, and verifying the entire infrastructure you have is 'clean'.

      That takes time. RTO is generally calculated per-system, and ransoms tend to clear out entire organisations, meaning you need to restore _every_ system.

      That takes time, and in today's climate of capacity being pretty much full with little slack, you'll find businesses will go under if operating on low margins just through cashflow and organisations such as the NHS will definitely suffer patient harm and potentially fatalities by not being able to intervene in time.

      Backups do not help you when you're weeks away from having a clean, working environment, and you need data now or someone will die.

      1. Claptrap314 Silver badge

        So if you pay the ransom, what part of the restore process is accelerated?

        1. doublelayer Silver badge

          I think it is a bad thing, both pragmatically and idealistically, to pay a ransom. However, the idea that it could be faster is correct at least some of the time which convinces people to pay. When it works, which is by no means guaranteed, the decryption software can be run to somewhat quickly bring computers up. You still need to do a lot of work from there, but you're doing it while the rest of the machines are working. The cost of interruption can be high, so that can seem appealing to someone who is either ignorant of or trying not to think about the high chance that it doesn't go as well as they picture. That's why people pay. If they knew how often that key doesn't work or the infection comes back for another payment, maybe they wouldn't.

          Also, those who choose this option tend to be doing their jobs badly, which can be catastrophic in a situation like this. For example, when the computers are functional because the ransomed decryption was run, it can be very hard to convince management that you need to gradually take them down for a complete reimage anyway, but if you don't do it, then at the very least, the same vulnerability exists for someone to exploit and quite likely the original ransomware is still there. Several businesses have gotten a series of infections, either from the same source or from multiple ones, until they did the proper thing and rebuilt securely.

      2. Anonymous Coward

        You'd have to do the same sanity checks if you paid and they gave you the recovery key.

      3. David Hicklin Silver badge

        > and you need data now or someone will die.

        Computers can break all by themselves without any ransomware, so there has to be some manual process available to keep going...

        What was that?

    2. IGotOut Silver badge

      "If the option is to recover quickly by paying, versus not being able to recover because you're banned from doing so, the temptation may be to pay and simply not report it."

      Then make failing to report it a criminal offence resulting in gaol time and being barred from working as a Director for life.

      Nothing like personal punishment to focus the mindset.

      1. Brad Ackerman

        There’s no need to do it explicitly if the government would just use the statutory authorities it already has. Every ransomware operator can be designated under one or more instruments as soon as it’s known to exist. Paying a ransom is then conspiracy to provide material support to a proscribed organization.

        1. doublelayer Silver badge

          That's sort of possible, but it's not as useful as just passing a law making ransoms illegal. Unknown groups or groups someone forgot to put on a list wouldn't be a problem if you're clear that the entire activity is prohibited. Penalties for doing it anyway could be written into the law, rather than relying on discussion of who got what support given the likely but unknown large cut by the unlisted people who broke into the company in the first place, since a lot of ransomware operations use this model. It's also pretty much as difficult to do that as to put ransomware groups on those lists and charge people who pay ransoms, so since one is not much easier than another, the clear one is probably better.

  2. may_i Silver badge

    About time too!

    All businesses, public or private, should be covered by the same law.

    It's very good to see that the idea of fines for those who don't spend the money needed on proper security and patch management is being proposed here as well.

    1. This post has been deleted by its author

      1. katrinab Silver badge

        Re: About time too!

        If nobody pays them, there is no money to be made from ransomware, and therefore it doesn't happen.

        Because while some people will do it just because they can, and some people will do it because they hate what the company is doing and want to put them out of business, ransomware gangs do it for money.

        1. I am the liquor

          Re: About time too!

          Conceivably, they might be able to get money for it from somewhere else. Like being paid by a hostile government, or a competitor of the company being attacked. But for sure, putting M&S offline for a couple of months is worth a lot more money to M&S than to Kim Jong Un or John Lewis.

        2. Anonymous Coward

          Re: About time too!

          "Because while some people will do it just because they can, and some people will do it because they hate what the company is doing and want to put them out of business, ransomware gangs do it for money."

          And some people do it because their governments want to do it, and even if there's no money to be made the practice is important. Imagine you want to go to war with a developed nation: a very good, low-cost way of disrupting its economy is attacking its IT infrastructure, be that retail commerce, banking, payments systems, transport, energy (not just energy systems management, but things like energy trading, balancing, settlement). We've seen a bit of that, but it's all been piecemeal; in a war scenario against either Russia or China it wouldn't be piecemeal, it would be a structured attempt to cause long-lasting damage by as much concurrent data destruction or corruption as possible.

        3. may_i Silver badge

          Re: About time too!

          This is why the idea of penalties for those companies which manage their IT infrastructure in an irresponsible way is an important part of the solution.

          If your company performs a function which can be described as 'critical to society' your IT security, backups and recovery plans must be top notch. Making more profit by neglecting to manage your business properly should be something which results in both criminal and financial liability for those responsible.

    2. I am the liquor

      Re: About time too!

      If someone can prove that you can make yourself less of a target by preemptively committing to not pay ransoms, then laws might be unnecessary. It seems like it could work. The recent attacks all seem to be targeted and bespoke to some degree, not like the old ransomware worms that were completely indiscriminate; there is some effort involved on the part of the attacker. In the absence of any possibility of being paid a ransom, the question will be whether any other revenue streams could justify that effort.

      1. doublelayer Silver badge

        Re: About time too!

        It's a lot harder to prove that you won't pay if no law requires it. Let's say I'm the CEO of a company and I make a preemptive public statement to that effect, ignoring the various problems of doing so. It's not hard for a ransomware operator to conclude that I'll change my mind when looking at the likely loss of the company I run. Even if I don't, the damage might get the board or shareholders to remove me and put in someone who doesn't mind paying so much. Either way, it's a lot easier for them to believe that I'm bluffing than if they know I'll face consequences for paying them and will be considering that.

        1. I am the liquor

          Re: About time too!

          I think there are mechanisms that companies could use, like Articles of Association/corporate charters. There are things that even boards and CEOs can't do, without a public vote of the shareholders at the AGM.

          1. doublelayer Silver badge

            Re: About time too!

            That could happen, but shareholders facing the prospect of their shares becoming a lot less valuable through sustained loss of activity tend to forget why they put that rule in, even if you managed to get them to instate it in the first place, which isn't easy. Some companies can try it, but I think most won't, and those who will, will often cancel it when it gets important, so I still favor a legal ban on paying ransoms.

    3. Anonymous Coward

      Re: About time too!

      Does this include ransom threats, cyber or otherwise, from Agent Orange?

      Like Digital Services Taxes, Tariffs, politically motivated Meritless arguments about anti-semitism/climate change.

      DJT and IDF should be proscribed by Yvette Cooper, not PA.

  3. Anonymous Coward

    "public sector organizations and critical national infrastructure"...

    So any governmental organization can continue paying them then?

    1. katrinab Silver badge

      Re: "public sector organizations and critical national infrastructure"...

      No, they are public sector.

      1. Anonymous Coward

        Re: "public sector organizations and critical national infrastructure"...

        Likely with Crown Exemption from the law in many respects.

        HMRC from Postal Legislation about Signed for Post for example.

  4. Anonymous Coward

    A better option for the gov

    is to hunt the criminals down and remove them from the environment.

    Sure, the government can get their Extortion Payment out of the Victim too, and call it a FINE...

    But why not do the right thing and use the government resources to remove the intentional criminal?

    Use fire, and video it, I want to watch.

    1. Andy Non Silver badge

      Re: A better option for the gov

      What are you suggesting? Sending the SAS on a raid into Moscow?

      As much as I'd like to see the ransomware scum "taken out", it remains nothing but a fantasy.

    2. may_i Silver badge

      Re: A better option for the gov

      I seem to remember the government of a certain country justifying the murder of people in foreign countries as being needed to win "the war on drugs".

      That worked well, didn't it?

      1. IGotOut Silver badge

        Re: A better option for the gov

        Or a certain government currently levelling entire regions, displacing millions and committing war crimes to "get the bad guys".

  5. Tron Silver badge

    Pointless.

    The 'public sector' in the UK doesn't have the cash to pay a ransom. They can't even fund their day to day operations adequately, or pay their staff enough.

  6. Random as if ! Bronze badge

    The 25% that disagreed

    So 3/4 agreed; what if the 1/4 that did not actually run critical infrastructure?

    1. Valeyard

      Re: The 25% that disagreed

      Or that 25% has "pay ransom using taxes" as the focal point of their disaster recovery plan, and coming up with a plan B would mean work.

  7. harrys Bronze badge

    It's an expensive game......

    Having an immutable backup system... The more "realtime" the more the cost escalates!

    Couple this with the sentiment that backups are boring and checking them even more so :) (enhanced in the "I want me gratification now" modern society).

    So when a business gets ransomwared, my thoughts are...

    1. Were they lazy

    2. Were they incompetent

    3. Were they "tight"

    4. Sat down and made the cynical bean counter decision... that ransomware will be "cheaper"

    ... Some combination of the above

    PS: that's why I recommend Synology NAS for small SMEs

  8. Excused Boots Silver badge

    "will no longer be able to negotiate with the scumbags that lock up their systems and extort them......”

    Ah but will they be able to pay large sums to ‘consultancy firms’ who offer to get you back up and running with no questions asked?
