Statewide Bans on Ransomware Payments Bring New Challenges

Cyber criminals will keep launching ransomware attacks as long as they see the profits outweighing the effort and risks. Some states have responded by prohibiting state and local government entities from paying the extortionists — a move North Carolina and Florida took in 2021 and 2022, respectively, and which several others have mulled as well.

State bans like these keep taxpayer money from funding cyber crime, but such small-level, standalone prohibitions are unlikely to have a big impact on the ransomware problem, said Jen Ellis — Institute for Security and Technology (IST) adjunct senior policy adviser and Ransomware Task Force co-chair — in response to a Government Technology question during an IST webinar.

A nationwide ban applying to both public- and private-sector victims would reach farther, however, and past years have seen cyber researchers debate the pros and cons. Deputy National Security Adviser Anne Neuberger said in May that federal officials had “grappled” with the question of whether to ban most extortion payments while allowing the federal government to grant waivers.

If the U.S. means to do so, there are plenty of risks and challenges to consider, cyber experts said during yesterday’s webinar.

That includes introducing and launching such a policy.

Silas Cutler is an adjunct senior cyber threat adviser at IST and a principal reverse engineer at cybersecurity company Stairwell. He worried that busy small-business owners may not be keeping up with the latest cybersecurity legislation and could accidentally commit a crime if they pay after a hypothetical ban passes. That would give cyber attackers leverage to keep extorting the businesses in exchange for keeping the fact of the payment quiet.

Another concern is that attackers are likely to respond to a payment ban by testing how well it sticks. Attackers may intensify their focus on the victims most likely to feel compelled to pay, such as small- to medium-sized businesses — which may not be able to stay afloat during an interruption to their operations — and essential service and critical infrastructure providers where “disruption isn’t really…