It’s everywhere – national headlines, talk shows, podcasts, blogs and social media. The latest topic in tech has everyone talking: should paying off ransomware criminals be illegal?
Following the recent increase in ransomware attacks around the globe, governments are debating whether or not making ransom payments to hackers should be illegal. If you’ve been keeping up with recent news (and if you read our recent blog), you know that the attack against Colonial Pipeline was one of the more impactful ransomware attacks in the U.S. The company paid DarkSide $4.4 million in Bitcoin in return for a key to unlock its files, but unfortunately, that tool proved to be ineffective and the company was left to rebuild its network from the ground up.
According to an April report from Sophos, the likelihood of a company retrieving all of its stolen data from a ransomware attack is only 8%. This is one of many reasons why the FBI advises against paying ransomware attackers, as it does not guarantee businesses will retrieve their data. Other cons of paying ransomware criminals include incentivizing illegal activity, no guarantee that further attacks will not occur, and depending on your personal beliefs, the ethical dilemma of funding cybercrime. Paying the ransom increases your chance of unlocking files, recovering data quickly and saving money as paying the ransom is often cheaper than rebuilding an entire IT network. Ultimately, the decision to pay up or give it up has to be assessed on a case-by-case basis – no two businesses are the same.
This begs the question, is it even worth paying the ransom if the majority of companies aren’t getting their data back? Quite honestly, it’s the luck of the draw. From journalists and reporters to industry experts, everyone has an opinion on the matter. On one end of the spectrum individuals like Stephen L. Carter, an opinion columnist at Bloomberg, are very against the idea of criminalizing ransomware payments, calling it a “terrible idea.” He wrote that going after the victim is not the best way to handle this global issue, adding “Would you make it a crime for a mugging victim to give up his wallet?”
On the other hand, some experts believe payments fuel the market for cybercriminals, guaranteeing that their demands will be met. Chris Painter, co-chair of the Ransomware Task Force, believes that a move like this would need to be introduced incrementally and accompanied by supporting roles such as a victim’s recovery fund. In fact, The Cyber Response and Recovery Act was introduced in April and seeks to provide $20 million to help cover the cost of restoring IT functions for local governments, critical national functions and other entities recovering from ransomware attacks.
Hopefully, we will continue to see improvements now that the newly established Department of Justice digital extortion taskforce is up and running. After all, they did seize $2.3 million in Bitcoin from DarkSide following the Colonial Pipeline attack (hats off to them!).
As we look to the future, we can expect to see a greater focus on improving cyber resilience, not just on a national front but internationally. On June 24, President Biden and Vice President Harris announced their support for the Bipartisan Infrastructure Framework, a $1.2 trillion plan to make our economy more sustainable and resilient, preparing our nation’s infrastructure for the impacts of cyber attacks.
If you’re interested in taking a proactive, preventative approach to protecting your enterprise, commercial, government or education institution against cybersecurity attacks, request info from our team today.