Emsisoft: Ban Ransom Payments to Stop Ransomware Attacks

A new Emsisoft ransomware report shows the continuing escalation of attacks in 2023 and calls for a ransom payment ban as the only solution.

More than 2,200 U.S. hospitals, schools and governments were directly impacted by ransomware over the course of the past year, with many more indirectly impacted via attacks on their supply chains, according to the Emsisoft report. Additionally, ransomware either directly or indirectly impacted thousands of private sector companies.

Attacks on hospital systems, K-12 school districts, post-secondary schools and governments totaled 321 in 2023, up from 220 in 2022 and 192 in 2021.

Emsisoft estimates that ransomware is responsible for some American deaths. Take, for example, a delay in patient treatment at hospitals that results from a ransomware attack. The longer the ransomware problem remains unfixed, the more people will die, the report says. And the economic harm and myriad of societal harms that ransomware causes will also continue for as long as the problem continues.

Ransom Payment Ban Would Work as Other Efforts Fail

Brett Callow, ransomware expert and threat analyst at Emsisoft, said there's nothing surprising about the state of ransomware in 2023.

Emsisoft's Brett Callow

“Unfortunately, it was entirely predictable,” he said. “Unless drastic action is taken, 2024 is likely to be a repeat of 2023, which was a repeat of 2022, which was a repeat of 2021, etc. What we’re currently doing is not working.”

Governments have formed task forces, international coalitions and pledged not to pay ransoms, while law enforcement has disrupted operations across the ransomware ecosystem, dismantled botnets, seized crypto assets and made arrests, according to Emsisoft's report. But despite all of this, ransomware stubbornly remains as much of a problem as ever.

“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles,” Callow said. “The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them. The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”

Attackers Would Pivot to Less Disruptive Cyber Crime

Emsisoft believes a ransom ban would force bad actors to pivot quickly and move from high-impact, encryption-based attacks to other less disruptive forms of cyber crime. It would make no sense for them to expend time and effort attacking organizations that could not pay.

“Business email compromise (BEC) is extremely profitable, but far less disruptive than encryption-based ransomware attacks, Callow said.

A ransom payment ban would work the same way as existing restrictions, Callow said. That includes Office of Foreign Assets Control (OFAC) sanctions, for example, and the bans in North Carolina and Florida.

Craig Jones, vice president of security operations at Ontinue, said banning ransom payments to combat ransomware is a complex proposition. While it could discourage attackers by cutting off their financial incentives, enforcing such a ban is challenging, especially with the anonymity provided by cryptocurrencies.

“Additionally, in critical situations, organizations may still choose to pay ransoms covertly to recover vital data or restore operations, undermining the ban's effectiveness,” he said. “A more holistic approach might be more effective: enhancing cybersecurity defenses, promoting international cooperation to track and prosecute cybercriminals, and regulating the cyber insurance industry. This multifaceted strategy addresses the root causes and repercussions of ransomware without the significant enforcement challenges and potential negative consequences of a ban. Such an approach acknowledges the complexities and the global nature of cyber threats, offering a balanced solution to mitigate ransomware risks.”

Ransom Payment Ban Doesn't Address Gray Areas

Ken Dunham, cyber threat director in Qualys’ threat research unit, said regulatory, insurance coverage and industry standards must strike a balance to counter adversarial tactics and challenges seen in the real world. It’s easy to take any given solution and, in a black-and-white approach, consider it best without understanding the gray areas the real-world introduces when breaches happen.

Qualys' Ken Dunham

“Take for example a hospital that may have disruption of facilities due to a breach, with lives at stake if restoration and payout doesn’t occur,” he said. “Do you then say due to regulations, they cannot pay a ransom, which may lead to loss of life? In the real world, the implication of a breach gets messy, with interdependencies, impact to third parties, and reliance upon critical infrastructure and life support in some extreme cases. The best approach is to find the right balance between applying pressure through proactive SecOps, cybersecurity frameworks and maturity, changes in the insurance industry and regulatory requirements, coupled with law enforcement tactics and breach support services tied to incident response.”

Kicking a Victim When They're Down

John Bambenek, president of Bambenek Consulting, said the only analogy is research into banning ransom payments for kidnapping by the nation of Colombia, and in that case, the ban didn’t prevent people from paying, and it didn't stem the problem of kidnapping.

“More importantly, it’s a policy born of kicking a victim when they are down,” he said. “Is it better that a business close down due to ransomware to achieve a purely theoretical marginal benefit of less ransomware? Even more poignant, we know that when hospital systems get ransomware, the mortality rate goes up. How many preventable deaths are we willing to accept for this purely theoretical benefit of less ransomware?”