Ransomware Ban Risks Bankruptcies, Fuels Dark Markets
2023's Record $1.1 Billion Ransom Payments
Victims paid a record $1.1 billion to cybercriminal groups in 2023. Former acting National Cyber Director Kemba Walden and the Institute for Security and Technology’s Ransomware Task Force argue an immediate ban is premature, citing the current lack of cybersecurity resilience among many critical infrastructure operators. State-level bans in North Carolina and Florida have not clearly indicated a reduction in attack rates, suggesting that localized restrictions alone do not successfully drive proactive defense investments or deter attackers without foundational resilience. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) already mandates reporting cyber incidents within 72 hours and ransomware payments within 24 hours, increasing transparency; a federal ban would further intensify regulatory scrutiny, potentially imposing strict liability under OFAC for unintentional payments to sanctioned entities.
State-Sponsored Disruptive Attacks Rise
Hostile nation-states, such as Russia, China, Iran, and North Korea, often use ransomware gangs to fund operations or exploit organizations. If financially motivated attacks diminish, these state-sponsored attacks, aimed purely at causing disruption and paralysis of critical infrastructure, could become more prominent. Cybercriminal syndicates are highly agile and may adapt by shifting targets to countries without bans or evolving their business models to pure data exfiltration and extortion without encryption.
Reporting Dries Up, Hiding Groups
The Atlantic Council argues that penalizing payments would disincentivize organizations from reporting incidents, "reducing crucial visibility needed for investigations and disruption efforts." This loss of transparency hinders intelligence gathering, making it harder to identify, attribute, and sanction new or rebranded criminal groups aligned with hostile states. Previous payment restrictions and sanctions have demonstrated how illicit transactions are driven to underground channels.
Payment Ban Risks Operational Bankruptcies
U.S. regulators face significant challenges in enforcing a nationwide payment ban without triggering widespread operational bankruptcies, as many critical infrastructure organizations, particularly under-resourced entities, lack mature backup systems and sufficient cybersecurity resilience to recover data without paying a ransom. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) defines critical infrastructure across 16 sectors, including energy, water, healthcare, transportation, finance, and telecommunications. Ohio's law, for instance, prohibits payments unless formally approved by legislative authority, underscoring the complexity of such exemptions; cyber insurance policies are already shifting to exclude reimbursement for payments to sanctioned entities and focus more on recovery costs rather than ransom payouts.
Under-Resourced Entities Face Collapse
Under-resourced entities face operational collapse under a federal ransomware payment ban. While such a ban would compel security investments for well-resourced critical infrastructure operators, it risks creating a two-tiered system. This policy would likely drive illicit payments further underground, reducing law enforcement's intelligence visibility and potentially empowering hostile nation-states to shift towards harder-to-attribute disruptive attacks. The success of such a ban hinges on thorough government support for incident response and data recovery, alongside enhanced international cooperation to track illicit funds and disrupt criminal networks.
Comments ()