The former chief executive of the UK's National Cyber Security Centre (NCSC) has called on the government to ban organizations from making ransomware payments.
Writing in The Times, Ciaran Martin, who served as the NCSC's inaugural chief executive, suggested a ban could help stop the growing proliferation of ransomware, referring to the “seemingly optimistic attitude” of British policymakers towards cybercriminal groups.
“Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way to make banning ransom payments work,” he wrote.
Martin suggested any ban would need a better support network for affected businesses. However, the lack of such a policy is partly due to the United States' reluctance to introduce a ban amid concerns that it would unjustifiably limit companies.
Similar concerns have been raised that this could be a particular problem for the country's hospitals, many of which are in the private sector.
Currently, many governments, including the UK, have a policy of not paying ransoms themselves. In October 2023, 40 countries pledged their support to the International Counter Ransomware Initiative (CRI) as part of an effort to create a more aligned global approach against cybercrime.
Participating nations agreed not to make payments and committed to sharing information and creating a blacklist of digital wallets used to deposit and move ransomware payments.
The official advice for UK-based companies is that they should not pay ransoms under any circumstances. The NCSC points out that even when companies do pay, there is no guarantee that they will regain access to their data or systems, that their computers may remain infected, and that those who pay are more likely to be attacked again in the future.
Across the cybersecurity community, there are mixed feelings about whether or not a ban should be introduced.
Oliver Norman, vice president for the UK and Ireland at data management firm Veritas, said that regardless of a ban, the outcome of incidents will remain the same: organizations that pay are more likely to be attacked in the future and receive no assurance that their data will be returned safely.
“Whether prohibited or not, paying not only places the organization as a target for future attacks,” he said. “There is also no guarantee that all data will be returned even if a payment is made; we estimate that 32% of companies that paid ransoms lost more than half of their data.”
Others, however, believe that a ban is impractical.
“Banning ransomware payments can often have additional implications, and this is not the first time this idea has arisen. Although prevention is better than cure, there are still multiple cases where the only option has been to pay,” said Jake Moore, global cybersecurity advisor at the security firm ESET.
“Being caught between a rock and a hard place is not a position any business wants to be in, but if the law is directed in only one direction, then businesses can easily close down and the potential for loss of livelihood can turn this into a forced and repressive decision.”
Moore warned there is also a danger that driving ransom payments underground could lead to more lawsuits, as well as criminalizing victims.
“While the long-term effects of banning ransom payments may seem idyllic, the path necessary for all businesses to move toward this ideal will be challenging, if not impossible,” he said.
Moore's comments follow strong criticism of cybersecurity company Emsisoft in January after it called for a complete ban on ransomware payments.
Emsisoft urged lawmakers to introduce legislation aimed at stopping companies from engaging with cybercriminals, but critics argued it would “shift the focus of crime” from perpetrators to victims.
Currently, according to a recent report by data management and security company Cohesity, more than nine in ten UK companies have a no-payment policy, but virtually all those who have been victims of a ransomware attack have paid up.