Should it be illegal to pay off hackers to regain your data?

Law-enforcement agencies around the world are increasingly urging victims not to pay since ransomware is a profit-motivated crime.
25 May 2021

Why it should be illegal to pay hackers ransom? (Photo by Michael M. Santiago / GETTY IMAGES NORTH AMERICA / Getty Images via AFP)

  • Ransomware criminals are holding computer systems hostage regularly, demanding large payments from victims to restore order
  • Calls for governments to ban ransom payments to hackers were reignited following a cybercrime spree wreaking havoc around the world
  • Organizations across the globe need to develop a ransomware payment policy, anticipating a potential future attack

Colonial Pipeline, the US’ largest pipeline, was hit by a ransomware attack in early May, and the operators recently confirmed that they paid a US$4.4 million ransom to the cybercriminal gang responsible for the intrusion. However, when it comes to ransomware attacks, paying bad actors isn’t the right thing to do – in fact, some observers with experience reckon it should be illegal to pay off hackers.

Law-enforcement agencies around the world are increasingly urging victims not to pay. But paying a ransom is not illegal, and many organizations pay in secret. If there’s one thing any cop show teaches us, though, it is that paying off a blackmailer in no way guarantees you get your assets back. If anything, it proves to the offender that you are willing to shell out funds for your data – and as the one controlling access to said data, cyber opportunists might see the chance to repeatedly tap the same till. Hence, first, there is no guarantee that hackers will return sensitive data. Second, there is no guarantee cybercriminals won’t leverage and monetize the data anyway, returned or otherwise.

While ransomware has been around for about two decades, its popularity among the murky communities of the internet has been growing rapidly as of late, including when it comes to attacks on governments. According to an annual report on global cybersecurity, there were a total of 304 million ransomware attacks worldwide in 2020. This was a 62% increase from a year prior and the second-highest reported number of ransomware attacks since 2014, with the highest on record being 638 million attacks in 2016.

How does ransomware hold data hostage?

According to research firm Ernst & Young, ransomware is a type of malicious software cyber actors use to deny access or availability to systems or data. The cyber actor holds systems or data hostage, sometimes by encrypting them in place on the organization’s own drives so that they are unreadable, until the ransom is paid. After the threat actors gain access to a network, they deploy ransomware to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.

A recent and emerging tactic is for these threat actor groups to exfiltrate sensitive data and threaten to publicly disclose the data if the ransom is not paid, further extorting impacted companies.
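As an added example (not code from the original article), here is how a defender might look for the two behaviours just described in file-server audit records: a burst of files on a shared drive being rewritten under an appended extension, and a large outbound transfer in the hour before that burst, which is the pattern exfiltrate-then-encrypt leaves behind. The record format, field names and thresholds are assumptions for illustration, and the log lines are constructed.

```python
# Heuristic ransomware-activity detector over constructed audit records.
# Assumed record format: "<ISO time> <host> <action> <object> <bytes>".
# RENAME objects are "<old path>-><new name>"; NET_OUT objects are "<dest>".
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-05-07T02:10:05 ws-17 NET_OUT 203.0.113.9:443 900000000
2021-05-07T02:40:00 ws-17 RENAME //fs01/shared/q1.xlsx->q1.xlsx.locked 0
2021-05-07T02:40:01 ws-17 RENAME //fs01/shared/q2.xlsx->q2.xlsx.locked 0
2021-05-07T02:40:01 ws-17 RENAME //fs01/shared/plan.docx->plan.docx.locked 0
2021-05-07T02:40:02 ws-17 RENAME //fs01/shared/hr.pdf->hr.pdf.locked 0
2021-05-07T02:40:03 ws-17 RENAME //fs01/shared/notes.txt->notes.txt.locked 0
2021-05-07T02:40:03 ws-17 RENAME //fs01/shared/README->README.locked 0
2021-05-07T03:00:00 ws-02 RENAME //fs01/shared/draft.docx->final.docx 0
"""

def parse(text):
    """Turn raw records into (time, host, action, object, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, obj, size = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), host, action, obj, int(size)))
    return events

def _appended_ext(obj):
    """True when a rename keeps the old name and appends an extension."""
    old, arrow, new = obj.partition("->")
    return bool(arrow) and new.startswith(old.rsplit("/", 1)[-1] + ".")

def detect(events, window=timedelta(seconds=60), burst=5,
           exfil_bytes=500_000_000, lookback=timedelta(hours=1)):
    """Return {host: [reasons]} for hosts that trip the heuristics."""
    alerts, by_host = {}, defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)
    for host, evs in by_host.items():
        renames = [e[0] for e in evs if e[2] == "RENAME" and _appended_ext(e[3])]
        # Sliding window: `burst` appended-extension renames inside `window`.
        for i in range(len(renames) - burst + 1):
            if renames[i + burst - 1] - renames[i] <= window:
                start = renames[i]
                reasons = [f"{burst}+ files renamed with a new extension within {window.seconds}s"]
                sent = sum(e[4] for e in evs
                           if e[2] == "NET_OUT" and start - lookback <= e[0] < start)
                if sent >= exfil_bytes:  # possible exfiltration before encryption
                    reasons.append(f"{sent} bytes sent outbound in the hour before the burst")
                alerts[host] = reasons
                break
    return alerts

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```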

Should bankrolling hackers be illegal?

The US government, alongside other administrations around the world, has recommended in the past that companies do not pay criminals over ransomware attacks, in case paying invites further attacks in the future. In the most recent case, Colonial Pipeline, the company’s chief authorized the payment two days after the attack because of uncertainty over how long the shutdown would continue.

In return for the Bitcoin payment, the company received a decryption tool so it could unlock the systems compromised by the hackers – although that was not enough to restart systems immediately, according to the newspaper.

According to reports, since last August the hackers responsible, DarkSide, have received at least US$90m in ransom payments from about 47 victims. And DarkSide is just one of at least a dozen prolific ransomware gangs making vast profits by holding companies, schools, governments, and hospitals to ransom. This is causing law-enforcement agencies globally to increasingly urge victims not to pony up. Now the Ransomware Task Force (RTF), a global coalition of cyber experts, is lobbying governments to take legislative action.

It has made nearly 50 recommendations to curb the crime spree, but couldn’t reach a consensus over whether nations should ban ransom payments. One of the sticking points is that after a ransomware payment and the potential reclamation of sensitive data, there is no way to be sure the hackers do not still possess the illegally obtained information, and it stands to reason that they will try to leverage and monetize it, either by trying to extort the organization again, or by selling the information to other interested parties. That’s why organizations handling the personal information of consumers — such as credit card information, Social Security numbers, and addresses — shouldn’t be allowed to pay ransoms.

Furthermore, it could be argued that paying off hackers is tantamount to the sale of personal and sensitive information (albeit an unwilling exchange), another conundrum given the differing data privacy laws and regulations across countries. Instead of paying ransoms, there needs to be an effort to build awareness and empower the workforce to help digitally defend their organizations. Whichever path you choose – to pay or not to pay – it may take time to return to normal operations. Organizations should take steps to maintain their essential functions according to their business continuity plan.