Security experts have started the year in a combative mood after a leading security vendor called on the US government to ban ransomware payments.
Emsisoft, known for its ransomware research, published new analysis this week claiming that 2207 US hospitals, schools and government agencies were directly affected by ransomware in 2023.
It argued that many more were hit indirectly through attacks on their supply chains, and that thousands more private-sector companies had probably also suffered. The research also estimated that ransomware probably killed about one American a month between 2016 and 2021.
Given the growing economic and social damage and the risk to life that ransomware poses, Emsisoft argued that it is time for drastic action, noting that law enforcement, government and industry have so far had minimal impact.
“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we are not going to defend our way out of this situation, and we are not going to police our way out of it either,” argued Emsisoft threat analyst Brett Callow.
“As long as ransomware payments remain legal, cybercriminals will do whatever it takes to collect them. The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”
A total ban is neither possible nor essential
The company rejected the argument that a ban would drive payments underground, especially by critical infrastructure providers such as hospitals that have no other option, and that it would encourage threat actors to focus on those organizations.
“If a ban were introduced, we believe bad actors would quickly pivot and move from high-impact encryption attacks to other, less disruptive forms of cybercrime. It simply would not make sense to spend time and effort attacking organizations that could not pay,” Emsisoft argued.
“In addition, bad actors already attack healthcare providers, local governments and other critical infrastructure operators ruthlessly, day in, day out, and it is far from certain that they would have the incentive or the means to attack them more often.”
The vendor argued that a ban does not have to be watertight: the point is to stop enough payments that ransomware ceases to be profitable.
The wrong focus
Forescout VP and Europol Special Advisor Rik Ferguson agreed that a ransomware payment ban could force organizations to concentrate more on improving their security posture. But he argued that “further punishing the victim of a criminal act” is the wrong approach.
“We must concentrate on the financial systems that make the paper trail so opaque,” he explained in a LinkedIn post.
“We can hope that, as emerging cryptocurrency regulations come into force, the identities of both senders and recipients of cryptocurrency transactions will become transparent, forcing criminals to rethink their cash-out strategies.”
Where critical services are knocked offline or lives are at risk, organizations must always have the option to pay, Ferguson concluded.