Friday, June 20, 2025

Conflicting Opinions Among Experts on Ransomware Payment Prohibition

Security experts have started the year in a confrontational mood after a leading security vendor urged the US government to prohibit ransomware payments.

Emsisoft, known for its work in ransomware decryption, released new analysis this week revealing that 2207 US hospitals, schools, and government entities were directly affected by ransomware in 2023. It also stated that many more were indirectly impacted through attacks on their supply chains, while thousands of private sector businesses were likely to have suffered. Research estimates suggest that ransomware may have caused the death of around one American per month between 2016 and 2021.

Citing the increasing economic and societal harm and the risk to life posed by ransomware, Emsisoft argued that drastic action is necessary, as law enforcement, government, and industry efforts have had minimal impact.

Emsisoft threat analyst Brett Callow highlighted that current strategies against ransomware are ineffective and that prohibiting ransomware payments is the only solution to financially disincentivize attacks. He emphasized that a ban is the only approach likely to work.

A total ban is neither possible nor essential

The firm dismissed the idea that a ban would force payments underground or encourage threat actors to target critical infrastructure providers like hospitals. It argued that a ban would not necessarily lead to more frequent attacks on these organizations.

Emsisoft claimed that a ban does not have to be watertight, as long as enough payments are stopped to make ransomware unprofitable.

The Wrong Focus

Forescout VP and Europol special advisor, Rik Ferguson, agreed that a ban on ransomware payments could force organizations to focus on improving their security posture. However, he argued that “further punishing the victim of a criminal act” is the wrong approach. He suggested focusing on the financial systems that make the paper trail of cryptocurrency transactions opaque.

Ferguson concluded that where critical services are interrupted, organizations should always have the option to pay if lives are at risk.
