Security Experts Call for Ransomware Payment Ban
A former cyber security chief says governments should ban organizations from paying money to ransomware gangs. Ciaran Martin likened such payment to bans on paying terrorist kidnappers.
The call has had a mixed response, with critics calling it an unfair constraint on business freedoms.
Martin was the first head of the United Kingdom's National Cyber Security Centre. That's an organization overseen by the country's intelligence services that advises businesses and the public on cyber security threats.
Ransomware has become a business worth an estimated $20 billion a year to criminals who gain access to computer networks and then encrypt files. The growth is partly through an expansion in tactics: as well as demanding payment to restore access to the files, some gangs also threaten to publicly expose any sensitive data on the networks.
A United States-led program has already seen 40 governments around the world agree not to pay ransoms in such cases. Many governments also advise businesses to never pay ransoms, with the logic being that it increases the incentive for future attacks. (Source: itpro.com)
Comparisons To Terrorism
Now Martin has told The Times that governments should make it illegal for businesses to pay money to ransomware gangs. He likened it to existing bans in some countries on businesses paying money to terrorist groups who have kidnapped staff members.
There's something of a chicken-and-egg situation as Martin noted such a ban would be more effective if governments offered more support to help businesses improve cyber security to prevent ransomware attacks.
Australia has considered such a ban but put it on hold for two years to give businesses time to improve their defenses.
Cultural Attitudes Vary
The Times suggests the idea of a legal ban on ransomware payments would be particularly unpopular in the US, which in turn influences attitudes in other countries. That's partly because the US is particularly wary of constraints on how businesses operate. (Source: thetimes.co.uk)
Another issue is that private healthcare companies in the country are prime targets for ransomware. Public health concerns may make lawmakers wary about removing even the slim possibility that ransomware gangs might live up to their promises to restore data after payment.
What's Your Opinion?
Do you support a ban on businesses paying ransoms? Is it more important to create a united front against cyber crime or to let organizations make their own decisions about payments? Are their more effective ways that governments could combat ransomware?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 20 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
randsomware
Any ban would not work because companies would still pay to get data back under the table using
offshore accounts paying ransom offshore so it could not be traced and them found out.
The way around this would be that all companies have duplicated multi-layer automatic isolated backups that even if data on the whole system was destroyed all they had to do would be to restore the data. The governments could have an assistance program with people ready to come and help instantly. These backup systems would have to be to a certain standard which was government and insurance company-approved and compulsory! Would all end overnight once implemented.
I have no data of any use to anyone but have a backup storage drive mirroring it on the computer.
also, TWO Portable plug-in hard drives both mirror the information which are spaced on backups and kept in a fire safe. Both are NEVER removed from the safe at the same time. To me, any loss of data would be at the most short term and inconvenient. That is of course encrypted stuff on my website server and in the cloud as well. If I can do it so can companies with unlimited funds and insurance back up!
Outlawing ransomware payments
Why don't they just outlaw illegal activity?
That went over well /sarc off
Dennis has been preaching the value of backups using Acronis since I've been reading him beginning the last millennium.
Yeah, ransomware sucks, but even if your data is that valuable, the risk/reward scenario still holds true. Remember, the higher the value, the higher the cost to either protect or retrieve.
Macrium Reflect
I'm more of a Macrium Reflect fan now ever since Acronis started pushing cloud backups and their UI became increasingly buggy and confusing. Macrium Reflect version 8 is still free but it's the last free version.