When ransomware hits a business, the firm has two options: pay the ransom to unlock its data, or refuse to pay and attempt to unlock the data and recover its systems using its own tools or outside help. In an ideal world, firms recognize the growing threat of ransomware and similar attacks and prepare accordingly with tested, offline backups and threat monitoring. This is not a perfect world, however, and by a widely cited U.S. government estimate there are over 4,000 ransomware attacks every day. Some attackers succeed in locking businesses out of their data, forcing the difficult choice of whether or not to pay.

Fierce debate among cyber professionals

There is a fierce debate among cybersecurity professionals over whether to pay, with both sides making valid points. The "pay the ransom" camp argues that paying is the fastest way for a business to recover its data and systems, get back to work, and limit revenue loss.

The "do not pay" camp counters that paying encourages similar attacks, and that even if you pay there is no guarantee you will get your data back. Colonial Pipeline paid and reportedly received a decryption tool so slow that it still relied largely on its own backups to restore operations. This camp argues that paying should be the absolute last option, even at the cost of some revenue.

The "do not pay" camp puts a large premium on firms being able to resolve a ransomware attack on their own, even as attackers grow more sophisticated in both their intrusions and their ransom demands. Notably, attackers often calibrate their demands so that paying looks slightly cheaper than engaging a managed security services provider (MSSP) to remediate the attack, which is exactly why a firm should settle its decision rule before an incident rather than under pressure during one.

Outlawed ransom payments

Recently, the "do not pay" camp got a major boost: four states moved to partially or completely outlaw ransom payments. In North Carolina, Pennsylvania, and Texas, bills were introduced to bar taxpayer money from being used to pay ransoms. These will mostly affect municipalities hit with ransomware rather than private businesses, which would pay from their own funds. New York went a step further with a proposed bill that would outlaw ransom payments almost entirely in both the private and public sectors. Although these state actions align with official FBI guidance not to pay, many in the technology community feel they constitute government overreach.

Government takes action

The federal government has started taking ransomware more seriously. The Biden administration created a ransomware task force, and law enforcement has moved quickly to recover ransom payments made in cryptocurrency, as it did with part of the Colonial Pipeline payment. State governments are also looking to get involved, given that smaller, less well-resourced cities are becoming higher-profile targets.

Some question the wisdom of completely cutting off a potential avenue back to functionality for companies and government entities. Recently, top FBI officials advised Congress against federal legislation banning ransomware payments. According to a recent article in The Hill, Bryan Vorndran, assistant director of the FBI's Cyber Division, testified: "It would be our opinion that if we ban ransom payments, now you are putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities. It is a really complicated conversation, but it is our position that banning ransom payments is not the road to go down." Based on this, an outright federal ban on ransomware payments seems unlikely anytime soon.

State governments are another matter. When a municipality suffers a ransomware attack, the federal government, in the form of the FBI, often steps in to lead enforcement action against the perpetrator, but the cost of the attack itself is usually borne by the state or local government. That is likely the impetus behind some of the state-level bills now working their way through legislatures. Depending on how these sessions play out and which experts the states bring in to help craft their laws, the legal landscape for ransomware payments could change considerably over the next few years.

Here to stay

Ransomware is not going anywhere. Given how easily it is deployed, its use can only be expected to increase. It is therefore important to follow the changing legal landscape; even where such legislation seems unlikely to pass, it should not be discounted. Many cybersecurity experts hope state and local authorities will follow the federal government's lead and improve their ability to track down attackers, recover ransoms paid, and generally make life difficult for attackers.

Some in the technology community have proposed a dual strategy: the federal government takes an offensive posture against attackers while state and local governments focus on defensive measures for municipalities and businesses, such as software hardening and baseline security requirements. Either way, every public or private entity should take the threat of ransomware seriously.

Cyber experts are ready to help you

At Infoaxis, we understand that the time to prepare is now, before an attack happens. It is a critical time to harden your defenses and take a proactive approach to cybersecurity for you and your staff. Knowing the legal landscape around ransomware response matters, but nothing beats preventing an attack in the first place.

About the Author

Joshua Silberman, CISSP, CCSP, CISA, is a cybersecurity leader responsible for the direction, design, and development of cloud transformation and cybersecurity at Infoaxis.

Reach Joshua at 201.236.3000 or jsilberman@infoaxis.com.