The US government is unlikely to make it illegal for organizations to pay ransoms to regain access to data following a ransomware incident or to keep cybercriminals from releasing sensitive data following a breach.
On July 27, Bryan Vorndran, assistant director of the FBI's cyber division, told lawmakers on the US Senate Committee on the Judiciary that the agency does not recommend companies pay ransoms, because paying doesn't guarantee that the business will regain access to its data or that the data won't ultimately be leaked. However, Vorndran also stressed that banning ransomware payments is not the way to go — companies should always have the option, he said.
"[I]f you ban ransom payments, now you are putting US companies in a position of another extortion, which is being blackmailed for paying the ransom and not sharing that [information] with authorities," Vorndran told the Senate Committee. "It is a really complicated conversation, but it is our opinion that banning ransomware payment is not the road to go down."
Ransomware payments have become one facet of the debate over how companies and governments should handle cyberattacks, which have cost US and Western European companies billions of dollars over the past few years. The Biden administration has created a ransomware task force to form a strategy for reducing the threat of cyberattacks, but the number of attacks has grown, with more than half of attacks involving ransomware and the average ransom growing by 171% in 2020.
The problem has become so bad that some insurance firms will no longer pay ransoms to bail out affected companies.
Yet even companies that take security seriously run the risk of being breached by ransomware, says Mark Lance, a ransomware negotiator and head of incident response at GuidePoint Security. Lance agrees that banning ransomware payments would be bad and likely would not prevent ransoms.
"You can have all the organizations all over the world take security seriously, and it only takes one mistake to be hit by this," he says. "Early on there was a tendency to name and shame companies after a breach, and now we are seeing that threat has continued to expand, which is leading to companies worrying if they could be next."
The concerns come as governments search for solutions to the plague of attacks coming from cybercriminals who see US and Western European companies as cash cows to milk with crypto ransomware and cyber extortion. In May, oil and gas transport network Colonial Pipeline paid a $4.4 million ransom to recover its ability to operate its management systems, and meat producer JBS USA paid a whopping $11 million to cybercriminals to recover from its own ransomware attack.
Paying the criminals means that the attacks will continue, says Michael Hamilton, founder and CISO at Critical Insight, a provider of cybersecurity services.
Decisions to pay a ransom "assume that the criminals are good at their word and will return records on payment of the extortion demand," he says. "Empirically, this has been shown to be a poor assumption. The benefit of prohibiting ransom payments — with the federal government as a reinsurer — would mean that the insurance industry wouldn’t tip over paying for restoration, while we demonstrate to ransomware operators that we’re no longer in their ideal customer profile."
Everyone appears frustrated with the situation. At the hearing, US Sen. Benjamin Sasse (R-NE) questioned why the FBI and other agencies believe they are making headway against the problem of ransomware. He noted that ransomware payments have nearly tripled, with cryptocurrency intelligence firm Chainalysis stating that $350 million in ransoms were paid in 2020.
"Why do we think any of our deterrence is working?" Sasse said. "Not a hostile question [directed] at any of you personally, but you all spun this as if there is some success here. It is pretty hard to see that from where we sit."
The FBI and other Department of Justice officials did make a case for mandating the reporting of ransomware attacks and other breaches.
"Because far too many ransomware incidents go unreported, and because silence benefits ransomware actors the most, we wholeheartedly believe a federal standard is needed to mandate the reporting of certain cyber incidents, including most ransomware incidents," Vorndran stated in written testimony. "Unlike other types of cybercrimes, the victim will almost always know when a ransomware incident has occurred. The scope and severity of this threat has reached the point where we can no longer rely on voluntary reports alone to learn about incidents."