U.S. government unlikely to ban ransomware payments

The US government is unlikely to make it illegal for organizations to pay ransoms to regain access to data following a ransomware incident or to keep cybercriminals from releasing sensitive data following a breach.

On July 27, Bryan Vorndran, assistant director of the FBI’s cyber division, told lawmakers on the US Senate Committee on the Judiciary that the agency does not recommend companies pay ransoms because it doesn’t guarantee the business will regain access to their data or prevent data from ultimately being leaked. However, Vorndran also stressed that banning ransomware payments is not the way to go — companies should always have the option, he said.

“[I]f you ban ransom payments, now you are putting US companies in a position of another extortion, which is being blackmailed for paying the ransom and not sharing that [information] with authorities,” Vorndran told the Senate Committee. “It is a really complicated conversation, but it is our opinion that banning ransomware payment is not the road to go down.”

Ransomware payments have become one facet of the debate over how companies and governments should handle cyberattacks, which have cost US and Western European companies billions of dollars over the past few years. The Biden administration has created a ransomware task force to form a strategy for reducing the threat of cyberattacks, but the number of attacks have grown, with more than half of attacks related to ransomware and the average ransom growing by 171% in 2020.

The problem has become so bad that some insurance firms will no longer pay ransoms to bail out affected companies.

Yet even companies that take security seriously run the risk of being breached by ransomware, says Mark Lance, a ransomware negotiator and head of incident response at GuidePoint Security. Lance agrees that banning ransomware payments would be bad and likely would not prevent ransoms.

“You can have all the organizations all over the world take security seriously, and it only takes one mistake to be hit by this,” he says. “Early on there was a tendency to name and shame companies after a breach, and now we are seeing that threat has continued to expand, which is leading to companies worrying if they could be next.”

To read the complete article, visit Dark Reading.