Security Experts Call for Ransomware Payment Ban

John Lister's picture

A former cyber security chief says governments should ban organizations from paying money to ransomware gangs. Ciaran Martin likened such a ban to bans on paying terrorist kidnappers.

The call has had a mixed response, with critics calling it an unfair constraint on business freedoms.

Martin was the first head of the United Kingdom's National Cyber Security Centre. That's an organization overseen by the country's intelligence services that advises businesses and the public on cyber security threats.

Ransomware has become a business worth an estimated $20 billion a year to criminals who gain access to computer networks and then encrypt files. The growth is partly through an expansion in tactics: as well as demanding payment to restore access to the files, some gangs also threaten to publicly expose any sensitive data on the networks.

A United States-led program has already seen 40 governments around the world agree not to pay ransoms in such cases. Many governments also advise businesses to never pay ransoms, with the logic being that it increases the incentive for future attacks. (Source:

Comparisons To Terrorism

Now Martin has told The Times that governments should make it illegal for businesses to pay money to ransomware gangs. He likened it to existing bans in some countries on businesses paying money to terrorist groups who have kidnapped staff members.

There's something of a chicken-and-egg situation, as Martin noted that such a ban would be more effective if governments offered more support to help businesses improve cyber security to prevent ransomware attacks.

Australia has considered such a ban but put it on hold for two years to give businesses time to improve their defenses.

Cultural Attitudes Vary

The Times suggests the idea of a legal ban on ransomware payments would be particularly unpopular in the US, which in turn influences attitudes in other countries. That's partly because the US is particularly wary of constraints on how businesses operate. (Source:

Another issue is that private healthcare companies in the country are prime targets for ransomware. Public health concerns may make lawmakers wary about removing even the slim possibility that ransomware gangs might live up to their promises to restore data after payment.

What's Your Opinion?

Do you support a ban on businesses paying ransoms? Is it more important to create a united front against cyber crime or to let organizations make their own decisions about payments? Are there more effective ways that governments could combat ransomware?



ronangel1's picture

Any ban would not work because companies would still pay to get data back under the table using offshore accounts, paying ransom offshore so it could not be traced and they would not be found out.

The way around this would be that all companies have duplicated multi-layer automatic isolated backups that even if data on the whole system was destroyed all they had to do would be to restore the data. The governments could have an assistance program with people ready to come and help instantly. These backup systems would have to be to a certain standard which was government and insurance company-approved and compulsory! Would all end overnight once implemented.
I have no data of any use to anyone but have a backup storage drive mirroring it on the computer. Also, TWO portable plug-in hard drives both mirror the information which are spaced on backups and kept in a fire safe. Both are NEVER removed from the safe at the same time. To me, any loss of data would be at the most short term and inconvenient. That is of course encrypted stuff on my website server and in the cloud as well. If I can do it so can companies with unlimited funds and insurance back up!

Chief's picture

Why don't they just outlaw illegal activity?

That went over well /sarc off

Dennis has been preaching the value of backups using Acronis since I've been reading him beginning the last millennium.

Yeah, ransomware sucks, but even if your data is that valuable, the risk/reward scenario still holds true. Remember, the higher the value, the higher the cost to either protect or retrieve.

Dennis Faas's picture

I'm more of a Macrium Reflect fan now ever since Acronis started pushing cloud backups and their UI became increasingly buggy and confusing. Macrium Reflect version 8 is still free but it's the last free version.