State Could Ban Gov't Ransomware Payments

John Lister's picture

New York state senators want a legal ban on local governments paying ransomware demands. The bipartisanship move is based on the idea that paying up simply incentivises the attacks.

Ransomware is malicious software that encrypts files on a hard drive so that they become unusable. Cyber criminals then demand a hefty ransom to unlock the files.

Two state senators, one Democrat and one Republican, have each proposed broadly similar bills. They are currently in the committee stage and its likely that one will go ahead to a full vote of the New York State Senate.

Both bills are based on similar principles: that paying attackers to regain access costs taxpayer money and also encourages further attacks, raising the public costs in the long run.

In both cases, the proposed law would outright ban municipal corporations and other government entities in the state from paying a ransom after a cyber-attack.

Cities Could Get Funding Boost

The main difference is the timing and the associated measures. One bill would simply ban ransom payments, effective immediately.

The other bill would bring in the rule from the start of 2022. In the meantime, the state would allocate $5 million to a special fund to help local governments from cities down to villages to boost their cyber defenses.

Officials Split Over Tactics

If either bill passed it would be the first such law in the US. TechRader notes that the US Conference of Mayors, which represents leaders of cities with populations of at least 30,000, passed a resolution last year agreeing not to pay ransom demands. However, that's not legally enforceable. (Source:

Several major cities including Baltimore, Atlanta and New Orleans have been attacked by ransomware in recent years, though they didn't pay up. At least two small cities in Florida have paid ransoms, largely by claiming on specialist insurance policies. In other cases, rumors suggest officials have paid the scammers but kept the payment a secret to avoid encouraging similar attacks. (Source:

What's Your Opinion?

Do you agree it should be illegal for public bodies to pay ransomware demands? If so, is it right to accompany the new law with extra money for cyber defenses? Does it make more financial sense for local government to take out insurance against ransomware rather than make their systems as attack-proof as possible?

Rate this article: 
Average: 5 (8 votes)


Dennis Faas's picture

The only thing that will save you from a ransomware infection is having properly secured offline backups. Even so, once files are restored, the system(s) on the network will need to be looked at to ensure they are clean and no remote access is allowed and/or severely restricted with the correct infrastructure in place.

Under no circumstances should anyone be running Remote Desktop (RDP), TeamViewer and similar services openly on their machine (as a service and/or with open ports on router), or you are asking to get hacked.

DavidInMississippi's picture

I agree with Dennis 100%.

With huge hard drives now being not just affordable, but downright CHEAP (I just looked up a Seagate 5TB external HDD on everyone's favorite online store - it was $109!), there is no excuse for not backing up your data. Even in the cloud, you can get 2TB of cloud storage from DropBox, iCloud, Google, and more for about $100 a year, and many of them keep daily backups for 30 days, so if you get corrupted or ransomware encrypted, you just roll back to a day when your files weren't corrupted and restore from there.

The more critical your data is, the more critical your backup.

It causes me intense chagrin to encounter people (including especially government agency people) who never have the time or the budget to do backups, but always seem to find the money for the ransom. How do you spell DUH??

Not backing up your computers is like driving without a seat belt or owning a home or car without insurance. Just not worth the risk.

Listen to Dennis, people. BACK UP YOUR SYSTEM and DATA REGULARLY!

kitekrazy's picture

I often wonder that the least competent people in the tech industry often work for governments. No extra funding should be necessary. Just back up your stuff.