Taking the Ransom Out of Ransomware? Debate on Ransomware Payments Picks Up
The price tags of several high-profile ransomware attacks have made headlines over the past couple of months. Colonial Pipeline, which supplies roughly 45% of the fuel for the East Coast, paid a $4.4 million ransom to hackers (though the FBI reportedly recovered some $2.3 million of it). JBS USA, a major meat processing company, paid $11 million. With hackers making millions of dollars from single attacks, a debate has arisen about what to do, if anything, about ransomware payments. Some have proposed banning them outright, taking issue with the incentive structure such payments appear to create, while others warn about the negative and unintended consequences an outright ban could have, especially for the victims of an attack.
In the first camp, a few high-profile government officials have recently signaled their opposition to ransomware payments on the ground that they could spur more attacks. For instance, FBI Director Christopher Wray testified before Congress a few weeks ago about the FBI’s policy that “companies should not pay the ransom for a number of reasons,” including that such payments may “encourage more of this kind of activity” and that victims “can pay the ransom and not get [their] system back, and that’s not unknown to happen.” He ultimately underscored, however, that “whether they pay the ransom or not,” victims of ransomware attacks should be sure to coordinate with law enforcement “right out of the gate.”
Going a step further, in a recent interview on NBC’s “Meet the Press,” U.S. Energy Secretary Jennifer Granholm stated that she would support legislation banning ransomware payments. While noting that she did not know “whether Congress or the president is at that point,” she shared her view that “we need to send this strong message that paying a [ransom] only exacerbates and accelerates the problem. You are encouraging the bad actors.”
Contrary to this perspective, many experts and members of the business community have questioned the wisdom of an outright ban, noting that it could paralyze organizations in responding to such attacks. For example, an article recently published in Forbes catalogues responses to the idea from a series of cybersecurity experts, many of whom warn of the unintended consequences such a ban could have. The experts warn, for example, that if companies were unable to pay the ransom, they could lose their data for good and be left with a gutted computer system or a flood of lawsuits instead. This could be especially devastating for organizations that hold people's lives in their hands or provide critical infrastructure, such as hospitals, police departments, or energy companies. Indeed, in explaining his decision to pay the ransom, Colonial Pipeline CEO Joseph Blount said that he felt he had no choice but to pay given the shutdown's effect on the country. Experts have also warned that such a ban could incentivize hackers to threaten victims even more aggressively, forcing them to consider breaking U.S. law and surreptitiously making the payments anyway.
Notably, the Ransomware Task Force, a group assembled in December from members of the private and public sectors, has stopped short of recommending a ban on ransomware payments. In a comprehensive report released in late April, the Task Force acknowledged the case for a ban, but also underscored that ransomware attacks are easy to launch, so hackers “would likely continue to mount attacks and test the resolve of both victim organizations and their regulatory authorities.” The Task Force opined that hackers would focus on areas “where governments have not implemented the same policy or are unable to provide a safety net for victims,” and to “apply additional pressure,” would take aim at organizations considered “essential to society,” including “healthcare providers, local governments, and other custodians of critical infrastructure.” Rather than recommending a ban, then, the Ransomware Task Force recommended that governments establish greater resources to support ransomware responses, while mandating that organizations both consider other alternatives before making payments and report any payments they actually make.
Given the increasing frequency of ransomware attacks, we are likely to hear more on this debate over the coming months. Indeed, Senator Mark Warner, chairman of the Senate Intelligence Committee, said recently that whether Congress should pass a ban on ransomware payments is a “debate worth having.”
Aside from such preliminary discussion, however, there has been no major movement from the federal government on the issue. Last year, we wrote about an advisory from the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") warning parties who pay or facilitate ransomware payments that they may face substantial legal consequences if a payment is made to a party subject to U.S. sanctions; the advisory notes that OFAC may impose civil penalties on a strict-liability basis, meaning a payer can be liable even without knowing that the recipient was sanctioned. As many hacker groups are not subject to U.S. sanctions, however, this is far from an outright ban. More recently, the Biden administration formed a multi-agency task force led by the Department of Justice that will, among other things, work to freeze ransomware payments made through cryptocurrency platforms, though this too is far from a ban.
There has also been some movement at the state level. Earlier this year, New York legislators introduced two bills that would prohibit municipalities from making ransomware payments. And more recently, the North Carolina House passed a similar bill that would prohibit state and local agencies from making ransomware payments. These legislative efforts are, of course, focused on what governmental entities can and cannot do, and they have no bearing on the actions private ransomware victims may take.
Though it is unclear whether Congress will move to pass legislation prohibiting ransomware payments at this juncture, any ban, to the extent one is implemented, will likely be phased in over time. Chris Painter, a co-chair of the Ransomware Task Force, has opined as much, noting in a recent interview that, in line with the Task Force's report, he would expect legislation to focus first on strengthening the private sector's resilience to such attacks and establishing resources like victim recovery funds.
Consistent with the government's efforts to improve the private sector's preparedness for and defenses against ransomware attacks, the United States Cybersecurity & Infrastructure Security Agency ("CISA") recently launched its new StopRansomware.gov website, which it describes as "a whole-of-government approach that gives one central location for ransomware resources and alerts." Among other resources, CISA has released a new ransomware readiness self-assessment, the Ransomware Readiness Assessment (RRA), as a module of its Cyber Security Evaluation Tool (CSET®), designed "to help organizations better assess how well they are equipped to defend against and recover from a ransomware incident." It remains to be seen how effective these new tools and resources will be at preparing the private sector for future ransomware attacks, and whether they are part of a process to mitigate the downsides of a ban or restriction on the payment of ransoms.
We will continue to monitor these developments.