Why making ransomware payments illegal could backfire

Zscaler Australia Pty Ltd

By Johnny Yeo, Solutions Architect at Zscaler
Monday, 06 February, 2023


2022 saw an unprecedented number of high-profile cybersecurity breaches in Australia. As the nation implores preventive tactics, the debate of making ransom payments illegal has escalated within the Australian Government.

Minister for Cyber Security Clare O’Neil announced that the government is considering banning ransomware payments, in the wake of notable breaches. However, making ransomware payments illegal could embolden cybercriminals and make them more profitable.

Cybercriminals earned significantly less from ransomware attacks in 2022 than in 2021, as victims are increasingly refusing to pay ransom demands, according to data from Chainalysis. The argument for outlawing payment is straightforward: it signals to criminal actors from the outset that they won’t see a monetary gain from their efforts, acting as a deterrent to the malicious behaviour. Proponents also argue that outlawing payments can “shut down the ecosystem” that empowers and funds the criminals involved. However, outlawing payments can also create a tidal wave of reactive behaviour from cybercriminals, who will target vulnerable organisations to continue getting what they want, potentially creating more harm than good.

The threat to operational stability can be staggering

Making ransomware payments illegal could be a threat to operational stability because it could increase the pressure on organisations to not pay the ransom, even if it means losing access to important data or systems. Depending on exactly what data is encrypted and held for ransom, organisations can be brought to a complete standstill; in some cases, the entire business might be destroyed.

Losing a core database that facilitates everyday operations could have broad economic implications. Time is critical in such a situation due to the ripple effects of supply chain disruption. Losing vital data can lead to longer downtimes and increased costs.

Outlawing ransomware payments can create a precarious situation where employees and customers are held hostage by the potential consequences of a data leak, with no opt-out of making a ransom payment. Additionally, employees looking to save their business can face legal ramifications, creating a purgatory of uncertainty.

Outlawing ransomware payments could shift criminal focus to especially vulnerable organisations

Given the above context, how will criminals respond if payments become illegal? One line of thought is that they will put greater emphasis on more vulnerable organisations, which are presumably more likely to break the law and pay. It’s one thing for criminals to target big corporations that offer hundreds of services and products; such companies are equipped to pick up the pieces and move on in the wake of a cyber incident.

The situation is not the same for organisations like hospitals, where the services are a matter of life and death, and executives who can’t legally pay ransoms are forced to watch helplessly as an incident unfolds. This could also put individuals at risk if they are unable to access critical services such as healthcare, banking or emergency services.

Small and medium-sized businesses, with their lack of financial and technical resources, are also more likely to be negatively impacted by legislation than enterprise companies. Smaller organisations are less likely to have the proper systems to protect themselves and fewer resources to recover from an attack. Criminals may also shift to other forms of cybercrime, such as stealing data or launching distributed denial of service (DDoS) attacks, which can also be profitable.

Paid ransoms can, in some cases, protect sensitive data

Aside from the consequences to organisations if ransomware payments are outlawed, there’s also the question of the data itself. If exceptionally sensitive data, such as personally identifiable information, is held for ransom and an agency can’t pay because payment is illegal, the consequences can be dire. Data could be leaked in secondary extortion or sold to the highest bidder, jeopardising assets or perhaps even families. Instances of ransomware actors blackmailing patients with their healthcare information are no longer speculative.

In some cases, paying a ransom can help protect sensitive data. This is because ransomware attacks often involve the encryption of important files, making them inaccessible to the victim. If the victim is unable to access the decryption key, they may have no choice but to pay the ransom in order to regain access to the encrypted files. If the victim has no backups or data recovery methods, paying the ransom may be the only way to retrieve the sensitive data.

Legal complexities abound

Outlawing ransomware payments is a complicated process. Not only are legal ramifications complicated within a country, but for multinational organisations, entirely different laws can and do apply.

If a company operates globally and Australia outlaws ransom payment, is that company required never to pay ransoms at all — or does that only apply to threats that originate in its Australian-based branches? Cross-border transactions can also make it difficult for law enforcement agencies to track and prosecute the criminals involved.

This area is fraught with legal, ethical and practical concerns. Organisations may also choose to pay a ransom to prevent the release of sensitive data. This could be seen as an act of self-defence and would be difficult to prosecute.

While making ransomware payments illegal could be a step in the right direction in fighting cybercrime, a number of legal complexities would need to be addressed in order to effectively enforce the law and protect the rights of organisations that are the victims of ransomware attacks. Organisations may also be hesitant to report attacks to law enforcement out of fear of being prosecuted for making a payment to the attackers.

Paying ransoms should not be considered a primary solution; however, the option should remain when determining the risks and benefits. The appropriate agency to determine this is the organisation involved, not the government. These situations should be assessed on a case-by-case basis to determine the best and safest outcome for the organisation, its employees and customers.
