Four states propose laws to ban ransomware payments

Following the epic ransomware attacks on Colonial Pipeline and top meat producer JBS, some government officials have called on Congress and the administration to ban organizations from making ransom payments to threat actors. The goal of such a ban would be to codify the FBI’s current advice: Don’t pay ransomware attackers lest you encourage more of the same.

Despite some support at the federal level, most administration officials don’t seem to embrace the idea of an outright ban fully. “Typically, that is a private-sector decision, and the administration has not offered further advice at this time,” Anne Neuberger, deputy national security adviser for cybersecurity, told reporters at a White House press briefing in May. No member of Congress or the Senate has yet introduced legislation banning ransom payments.

Four states propose to ban ransom payments

But the picture is different at the state level. So far, four states have five pending pieces of legislation that would either ban paying a ransom or substantially restrict paying it. In New York, Senate Bill S6806A “prohibits governmental entities, business entities, and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.”

Another New York Senate bill, Senate Bill S6154, provides money so that local governments can upgrade their networks. But it also “restricts the use of taxpayer money in paying ransoms in response to ransomware attacks.”

New York stands alone in terms of barring private sector businesses from paying a ransom. Legislatures in North Carolina (House Bill 813), Pennsylvania (Senate Bill 726), and Texas (House Bill 3892) are all considering bills that would prohibit the use of state and local taxpayer money or other public money to pay a ransom payment. This public money prohibition would likely hamstring local governments from paying off ransomware attackers.

Pennsylvania Republican State Senator Kristin Phillips-Hill tells CSO she introduced her “Safeguarding the Commonwealth from Ransomware Attacks” bill to discourage at least some ransomware attacks, those aimed at public agencies, by removing the attackers’ financial incentives. If cybercriminals are rewarded for their efforts, they will simply continue to launch ransomware attacks, she says.

Phillips-Hill’s bill also aims to develop guidelines agencies should follow in beefing up their preparedness to respond to ransomware attacks. The bill, however, does not appropriate any funds to help agencies bolster their ransomware response capabilities.

Banning ransom payments could hurt more than help

These bills are understandable reactions to the frightening shut-down of both Colonial Pipeline and JBS in the wake of their high-profile infections. But legislation banning ransom payments would likely cause more harm than good, industry experts say, particularly given the short response windows and complexity of most ransomware attacks.

“In the end, I think you’re going to be hurting just by banning payments,” Tyler Hudak, incident response practice lead at TrustedSec, tells CSO. “You’re gonna be hurting more than helping.”

The harm from banning ransom payments is particularly true given the growing sophistication of ransomware attackers, who often lurk in networks for weeks, mapping out the organization, stealing data to hold hostage in a second ransom demand, and possibly wiping out system backups. “If attackers are successful and they are able to remove backups, then sometimes the only way to get that data back is to pay the ransom,” Hudak says.

“Whether or not to pay a ransom is an extremely hard choice for a business to make,” Adam Kujawa, director of Malwarebytes Lab, tells CSO. “Despite what many may believe, paying the ransom isn’t the most expensive part of an attack and certainly isn’t the end of the experience for businesses under attack. There are many larger issues here that need to be considered, including how to prevent these attacks in the first place and how to crack down on the actors themselves.”

An outright ban on ransom payments “would mean that many businesses tempted to pay the ransom may be less likely to disclose a breach, which would impact both our understanding of the latest ransomware threats and leave customers of impacted businesses in the dark,” Kujawa says.

Bill Siegel, CEO of ransomware first responder firm Coveware, agrees. “I think the idea of an out and out prohibition as an immediate fix to the problem is kind of pedantically academic at best,” Siegel tells CSO. “It would actually lead to the development of a very murky market of service providers that are either offshore or are not law-abiding that cater to companies that have to pay in order to save their businesses.”

Paying ransom could mean survival

The problem is that many, if not most organizations, might collapse if paying a ransom is not an option. “If you need to pay, it’s because you’re in pain,” Siegel says.

Banning ransom payments is akin to deciding that some organizations should live but others should die. “Which business sectors, municipalities, schools, or non-profit organizations are you okay with losing?” asks Chris Ballod, associate managing director, Kroll. “Our official position is we would prefer you don’t pay the ransom, but we understand when it’s between the jobs of a thousand people, the livelihoods of a thousand people, and paying a ransomware actor. We understand you’re going to make that decision.”

Even more concerning for municipalities is the potential shut-down of essential services. “You can imagine, worst-case scenario, let’s say a 9-1-1 system gets compromised and ransomed,” TrustedSec’s Hudak says. If they can’t pay a ransom, “they have to rebuild a 9-1-1 system from the bottom up. That’s not an overnight job. That’s something that’s going to take days or weeks to do.”

Mandatory ransomware attack reporting a better alternative

A better alternative to banning ransom payments is requiring companies to report ransomware attacks to a central authority, as most of the state bills also do. “We’ve clearly seen that a more effective strategy against ransomware is for everyone to share their attack data and use that information to empower our investigative services to go after the criminals, not the victims,” Malwarebytes Kujawa says.

Coveware’s Siegel says that “the United States should do something at the federal level to require reporting and to require some subset of information to be collected. It is a very good idea because there could be a centralized repository for mandatory notification and coordination of what to do with the active attacks, whether it be law enforcement investigation, aggregation of data, to put out notices, whatever.”

On the other hand, mandating ransomware attack reporting requirements at the state level could likely impose unnecessary burdens on organizations, Siegel says. “It becomes very complicated because companies exist across different states. It could actually add to the cost of compliance with any sort of notification requirements associated with these attacks.”

The best solution is to harden infrastructure

The best solution to managing ransom infections is to harden infrastructure to handle these attacks better while also hiring more security personnel. “You still can’t keep going with old legacy servers and firmware and one to two people servicing an organization with several thousand employees and endpoints,” Siegel says. “That’s just the recipe for the attacks continuing.”

Ballod points to the more significant investments in data protection technology fostered by the EU’s General Data Protection Regulation (GDPR) as a critical factor in why ransomware attacks are not as severe in Europe as they are in the U.S. “It’s made [European] targets more hardened. It’s just made them harder to get into, [making them less attractive], particularly when you’ve got wide open targets here in the United States, or more of them, anyway,” he says.