The push to ban ransomware payments has resurfaced as we enter 2024, sparking debates on the effectiveness of such a policy measure. Proponents of a ransomware payment ban argue that it would minimize ransomware payments and force cybercriminals to cease attacking organizations within the country. However, some experts believe that such a ban would signal capitulation and the government’s inability to defend against cyber extortion.
But could a ban work, and is there a precedent for it? While some US states have enacted ransom payment bans on state agencies or organizations, there has not been a significant decline in ransomware attacks within these states. Additionally, Australia, with favorable characteristics such as a small cybercrime addressable market and strong public support, opted to enact more stringent reporting requirements and made large investments in law enforcement and prevention instead of implementing a ransom payment ban.
When considering the effectiveness of a ransomware payment ban, it is essential to acknowledge that cybercriminals often have more experience with ransom payment decision-making than federal policymakers. They can steer victims toward shady payment service providers, and they may not bother to check whether a victim is located in a state with a ban.
If the US were to enact a national ban on ransom payments, the prediction is that a large illegal market would spring up overnight to service ransomware victims, because the demand for ransom payment services would still exist. Furthermore, companies might stop reporting incidents if ransom payments were banned, fearing that a report would amount to admitting a crime. The Federal Bureau of Investigation (FBI) has expressed concern over the negative impact of a ban, stating that it would expose US companies to further extortion, since victims would no longer report ransom payments or share that information with authorities.
However, mandatory reporting has proven effective in some cases. For example, in 2021 the US Treasury issued guidelines outlining diligence and reporting requirements for ransomware victims, and these led to an increase in reporting to law enforcement. Additionally, in 2023 the New York Department of Financial Services (NYDFS) issued guidelines that require detailed disclosure of ransom payments from covered entities, with fines or loss of operating capabilities for entities that fail to comply.
Overall, the debate on ransomware payment bans remains ongoing, with proponents and opponents presenting various arguments on the potential effectiveness of such a policy measure. While the ban could spawn an illegal market for ransom payment services, and companies might stop reporting, there are examples of successful reporting guidelines that have led to increased cooperation with law enforcement and effective diligence practices. The decision to enact a ransomware payment ban or focus on other preventive measures ultimately rests on the government’s evaluation of its potential impact on cyber extortion.