Opinion: A general ban on ransomware payments, as was floated by some this week, sounds like a good idea.
This is because a payment ban would inevitably have to include an exception for incidents where not paying the ransom poses a serious risk of death, bodily harm, or terrorist attack.
No one is going to victim blame a hospital, or argue in favor of allowing patients to die instead of paying a ransom.
We are already seeing criminals increasingly focus on hospitals and health-care facilities.
In 2023, ransomware gangs breached 46 hospital systems in the US, with a total of 141 hospitals between them, and at least 32 of the 46 had patient data, including protected health information, stolen.
While all of this should be a security wake-up call for any critical infrastructure organization, preventing future ransomware chaos requires a solution that's more disaster preparedness than just prohibiting payments to criminals.
Such a ban would need to be universal or else ransomware crews will simply focus on victims in other geographic regions that don't prohibit payments.
Or, perhaps even worse, it would run the risk of becoming an attempt to rewrite international law by nations that already provide safe harbor to ransomware crews and use the illicit proceeds to fund state-sponsored terrorism and weapons programs.
A global approach to stopping cybercrime is needed, and it's a good idea in theory.
Another roadblock is the lack of security maturity across sectors, which Megan Stifel, chief strategy officer for the Institute for Security and Technology and the executive director of the IST's Ransomware Task Force, pointed out in an earlier interview with The Register.
Some of the 2023 ransomware victims in these sectors include the city of Oakland, California, and New York's Suffolk County, both of which declared states of emergency, and Dallas, Texas, which also saw its IT systems crippled by cybercrime gangs.
The MOVEit breaches affected millions of individuals when a Russia-linked ransomware crew stole data belonging to the Louisiana Office of Motor Vehicles, the Colorado Department of Health Care Policy and Financing, and the Oregon Department of Transportation.
According to security shop Emsisoft's count, at least 108 K-12 districts and 72 post-secondary schools fell victim to ransomware crews in 2023, compared to 45 and 44, respectively, a year earlier.
Some 95 government entities experienced ransomware infections last year, compared to 106 in 2022.
State and local government agencies and schools collect a ton of sensitive information that can be financially lucrative to criminals, and these orgs don't have the resources to defend themselves against ransomware.
It would be nice if a payment ban could provide a magic-bullet response to ransomware.
Having said that, a ban on ransomware payments is becoming more palatable than it was even a couple years ago, and this year's international Counter Ransomware Initiative summit, held at the White House, is one such indication.
At the event, the US persuaded all 50 member countries to sign on to a joint policy statement under which they agreed not to pay ransom demands.
While the no-payment pledge applies only to the national governments themselves, not to private companies, it couldn't have gotten the needed support even a year earlier.
In lieu of a complete ban on ransom payments, be prepared.
This Cyber News was published on go.theregister.com. Publication date: Sat, 06 Jan 2024 13:43:03 +0000