How many times have the FBI and CISA urged entities NOT to pay ransom because it just encourages the attackers to attack more, while others suggest that a total ban would make things a lot worse? On January 14, the U.K. government opened a consultation, Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting. The proposal has three objectives:
- to reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organizations
- to increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing our intelligence around the ransomware payment landscape; and
- to enhance the government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level
CMS Law provides an overview of how those objectives would be addressed.
Meanwhile, In the U.S…….
In the U.S., the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers and enforces sanctions against targeted foreign jurisdictions and regimes, including ransomware gangs. Victims that pay sanctioned gangs or affiliates without prior approval to pay from the government risk legal consequences, although DataBreaches is not aware of the government ever prosecuting a victim for paying ransom even to sanctioned ransomware gangs.
Apart from OFAC sanctions, some states have begun to prohibit state agencies or public entities from paying ransom demands. Florida, North Carolina, and Tennessee have all enacted legislation in the past few years that prohibit state agencies from paying ransom in the event of a ransomware attack, although their laws are somewhat different and do not apply to private entities. Unfortunately, we don’t seem to have enough data to show whether there has been any reduction in the number of ransomware attacks on state agencies in those states since their laws took effect.
Other states are also considering legislation that would prohibit payments, but can and should the government prohibit all ransomware payments without exception? And can and should such laws also apply to the private sector?
Maybe We Should Prohibit Payments in the U.S.
As a healthcare professional who was also an emergency medical technician in her past, DataBreaches used to take the position that the healthcare sector should not have a flat prohibition against ransom payments. If we are talking about hospitals and medical entities providing urgent services like ambulance services and urgent care centers, lives are on the line and may be lost if the entities have their systems encrypted and do not have backups that can be used to rapidly restore services and functions. Or that was DataBreaches’ position a few years ago. But that approach probably has had the unfortunate effect of making things worse overall.
From the Mouths of Criminals
The following is a fragment of an interaction this week between a threat actor and DataBreaches:
Them: This period i am extremely heat up on breaching healthcare, medical and insurance companies, both in Asia and in the States. Had multiple success being paid for this industry
Me: Any chance I can discourage you from hitting U.S. healthcare/medical/healthinsurance ? I assume you won’t encrypt them, but even so… if entities start pulling servers offline to investigate a breach, it can really interfere with patient care.
Them: i understand you but Asia, UK and Canada ain’t responding. US more often than not, pays
Me: US entities that have paid you — are they hospitals, or clinics, or pharmacies, or insurers, or what?
Them: Pharma and insurers
So What Do We Do?
In 2021, the Ransomware Task Force published RTF Report: Combating Ransomware. In 2024, they followed it with a Roadmap to Potential Prohibition of Ransomware Payments. They write, in part:
We therefore believe that the most reasonable and effective approach to reducing payments, including the potential for eventually implementing a ban on payments if deemed relevant by national authorities, requires a multi-year approach based on milestones. To be clear, even if governments move aggressively to meet these milestones, it will take several years following the start of a process before prohibitions could be considered as one possible effective step.
Below are 16 proposed milestones that should be pursued to make this approach effective, falling into 4 different lines of effort. These milestones can and should be pursued concurrently.
As entities in other countries increasingly refuse to pay ransom or even respond to attackers, even more attackers will likely attack U.S. entities.
HHS has proposed rules to strengthen baseline cybersecurity requirements for entities regulated by HIPAA, but where is the financial support for entities to implement the heightened requirements? This may not be within HHS’s authority, but why doesn’t every state have a “Strike Team” that can help critical entities secure their systems better and that can assist them with rapid response if there is a cyberattack? If rural entities and small and medium businesses had more assistance proactively and reactively, that might help disincentivize ransom payments, couldn’t it?
In 2024, we saw the havoc and risk to patient health and healthcare entities from the ransomware attack on Change Healthcare. Entities were not getting paid for services because insurance claims were not being processed, and without payment, staff could not get paid, and entities needed loans to survive. Patients couldn’t get their prescriptions renewed, either, and patient care was disrupted in other ways as well. Is it any wonder, then, that the threat actor who communicated with DataBreaches noted that “pharmas and insurers” were more likely to pay?
While DataBreaches is more and more tempted to want to see a total prohibition on ransom payments, I stop and remember what it means to have lives on the line.
Pay ransom or ban it? Some days it feels like a Hobson’s choice.