Law enforcement authorities always advise against paying ransoms, mainly because it hands the crooks a large amount of money, which in turn encourages more attacks, very often against the same organization. Big payoffs mean that gangs can invest in hiring more hackers, which allows them to go after even bigger targets, and the result is an endless cycle of growing crime. Paying a ransom might save you pain in the short term, but it means problems for everyone else in the longer run.
As of now, many businesses in the UK are unlikely to be prosecuted for paying a ransomware gang, unless there is a reasonable chance of the money being used to fund terrorists. But many in the security industry feel that it should be a lot harder, or at times even illegal, to pay ransoms.
In a talk at RUSI earlier this month, Ciaran Martin, former head of the National Cyber Security Centre (NCSC), explained how big a problem he considers ransomware to be. “For the attacker, the choice of the service would be incidental. They were just after money. But from the point of view of national harm, that incidental choice of the victim could be important. What most kept me awake at night was the prospect of physical harm inadvertently resulting from ransomware.”
Martin said that if he had “one policy card to play in the next year”, he would ask for “a serious examination of whether we should change the law to make it illegal for organizations in the UK to pay ransoms in the case of ransomware”.
“The case for doing so is not – and I stress is not – a slam dunk, and if the answer is no [to making paying ransoms illegal], we should think of something else to counter ransomware, because it’s the single biggest contemporary scourge in cyberspace right now.”
Martin said it was curious that UK extortion laws are mainly based on the experience of kidnapping by terrorist groups. If you are hit by a ransomware group or organization that is a proscribed terrorist group, it is illegal to pay. However, if the attackers are ordinary criminals or even state attackers, then paying is legal.
Many believe that as many as half of organizations pay up when hit with ransomware, which has made data-encrypting malware a major source of money for criminal gangs. Some versions of ransomware have raked in tens of millions, usually in hard-to-trace cryptocurrencies such as Bitcoin.
Most victims feel they have little choice but to pay up if the alternative is rebuilding all their computer systems and databases from scratch while trying not to go out of business as they do it. Critics warn that being able to pay the ransom means ransomware attacks will be viewed as just another cost of doing business, so organizations are less likely to invest in the sometimes-costly security systems that would prevent such attacks.