Should we ban ransomware payments? It’s an attractive but dangerous idea

17 August 2023

Cointelegraph By Christos Makridis

A successful cyberattack on critical infrastructure — such as electricity grids, transportation networks or healthcare systems — could cause severe disruption and put lives at risk.

Our understanding of the threat is far from complete since organizations have historically not been required to report data breaches, but attacks are on the rise according to the Privacy Rights Clearinghouse. A recent rule from the United States Securities and Exchange Commission should help clarify matters further by now requiring that organizations “disclose material cybersecurity incidents they experience.”

As the digital world continues to expand and integrate into every facet of society, the looming specter of cyber threats becomes increasingly critical. Today, these cyber threats have taken the form of sophisticated ransomware attacks and debilitating data breaches, particularly targeting essential infrastructure.

A major question coming from policymakers, however, is whether businesses faced with crippling ransomware attacks and potentially life-threatening consequences should have the option to pay out large amounts of cryptocurrency to make the problem go away. Some believe ransoms should be banned for fear of encouraging ever more attacks.

Following a major ransomware attack in Australia, its government has been considering a ban on paying ransoms. The United States has also more recently been exploring a ban. But other leading cybersecurity experts argue that a ban does little to solve the root problem.

Ransomware and the ethical dilemma of whether to pay the ransom

At the most basic level, ransomware is simply a form of malware that encrypts the victim’s data and demands a ransom for its release. A recent study by Chainalysis shows that crypto cybercrime is down by 65% over the past year, with the exception of ransomware, which saw an increase.

“Ransomware is the one form of cryptocurrency-based crime on the rise so far in 2023. In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June,” said Chainalysis.

Even though there has been a decline in the number of crypto transactions, malicious actors have been going after larger organizations more aggressively. Chainalysis continued:

“Big game hunting — that is, the targeting of large, deep-pocketed organizations by ransomware attackers — seems to have bounced back after a lull in 2022. At the same time, the number of successful small attacks has also grown.”

The crippling effect of ransomware is especially pronounced for businesses that heavily rely on data and system availability.

Ransomware revenue is up. (Chainalysis)

The dilemma of whether to pay the ransom is contentious. On one hand, paying the ransom might be seen as the quickest way to restore operations, especially when lives or livelihoods are at stake. On the other hand, succumbing to the demands of criminals creates a vicious cycle, encouraging and financing future attacks.

Organizations grappling with this decision must weigh several factors, including the potential loss if operations cannot be restored promptly, the likelihood of regaining access after payment, and the broader societal implications of incentivizing cybercrime. For some, the decision is purely pragmatic; for others, it’s deeply ethical.

Attacks by organization type. (Chainalysis)

Should paying ransoms be banned?

The increasing incidence of ransomware attacks has ignited a policy debate: Should the payment of ransoms be banned? Following a major ransomware attack on Australian consumer lender Latitude Financial, in which millions of customer records and IDs were stolen, some have begun to advocate for a ban on paying the ransom as a way of deterring attacks and depriving cybercriminals of their financial incentives.

In the United States, the White House has voiced its qualified support for a ban. “Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision… We have to ask ourselves, would that be helpful more broadly if companies and others didn’t make ransom payments?” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies in the White House.

There are good reasons not to pay a ransom, but good reasons to pay as well. (Pexels)

While proponents argue that it will deter criminals and reorient priorities for C-suite executives, critics warn that a ban might leave victims in an untenable position, particularly when a data breach could lead to loss of life, as in the case of attacks on healthcare facilities.

“The prevailing advice from the FBI and other law enforcement agencies is to discourage organizations from paying ransoms to attackers,” Jacqueline Burns Koven, head of cyber threat intelligence for Chainalysis, tells Magazine.

“This stance is rooted in the understanding that paying ransoms perpetuates the problem, as it incentivizes attackers to continue their malicious activities, knowing that they can effectively hold organizations hostage for financial gain. However, some situations may be exceptionally dire, where organizations and perhaps even individuals face existential threats due to ransomware attacks. In such cases, the decision to pay the ransom may be an agonizing but necessary choice. Testimony from the FBI recognizes this nuance, allowing room for organizations to make their own decisions in these high-stakes scenarios, and voiced opposition to an all out ban on payments.”

Another complicating factor is that an increasing number of ransomware attacks, according to Chainalysis, may not have financial demands but instead focus on blackmail and other espionage purposes.

“In such cases, there may be no feasible way to pay the attackers, as their demands may go beyond monetary compensation… In the event that an organization finds itself in a situation where paying the ransom is the only viable option, it is essential to emphasize the importance of reporting the incident to relevant authorities.”

“Transparency in reporting ransomware attacks is crucial for tracking and understanding the tactics, techniques and procedures employed by malicious actors. By sharing information about attacks and their aftermath, the broader cybersecurity community can collaborate to improve defenses and countermeasures against future threats,” Koven continues.

Could we enforce a ban on paying ransomware attackers?

Even if a ban were implemented, a key challenge is the difficulty in enforcing it. The clandestine nature of these transactions complicates tracing and regulation. Furthermore, international cooperation is necessary to curb these crimes, and achieving a global consensus on a ransom payment ban might be challenging.

Banning ransomware payments risks criminalizing victims. (Pexels)

While banning ransom payments could encourage some organizations to invest more in robust cybersecurity measures, disaster recovery plans and incident response teams to prevent, detect and mitigate the impact of cyberattacks, it still amounts to penalizing the victim and making the decision for them.

“Unfortunately, bans on extortions have traditionally not been an effective way to reduce crime — it simply criminalizes victims who need to pay or shifts criminals to new tactics,” says Davis Hake, co-founder of Resilience Insurance, who says claims data over the past year shows that while ransomware is still a growing crisis, some clients are already taking steps toward becoming more cyber-resilient and able to withstand an attack.

“By preparing executive teams to deal with an attack, implementing controls that help companies restore from backups, and investing in technologies like EDR and MFA, we’ve found that clients are significantly less likely to pay extortion, with a significant number not needing to pay it at all. The insurance market can be a positive force for incentivizing these changes among enterprises and hit cybercriminals where it hurts: their wallets,” Hake continues.

The growing threat and risk of cyberattacks on critical infrastructure

The costs of ransomware attacks on infrastructure are often ultimately borne by taxpayers and municipalities that are stuck with cleaning up the mess.

To understand the economic effects of cyberattacks on municipalities, I released a research paper with several faculty colleagues, drawing on all publicly reported data breaches and municipal bond market data. The paper finds that a 1% increase in the county-level cyberattacks covered by the media leads to an increase in offering yields ranging from 3.7 to 5.9 basis points, depending on the level of attack exposure. Evaluating these estimates at the average annual issuance of $235 million per county implies $13 million in additional annual interest costs per county.

One reason for the significant adverse effects of data breaches on municipalities and critical infrastructure stems from all the interdependencies in these systems. Vulnerabilities related to Internet of Things (IoT) and industrial control systems (ICS) increased at an “even faster rate than overall vulnerabilities, with these two categories experiencing a 16% and 50% year over year increase, respectively, compared to a 0.4% growth rate in the number of vulnerabilities overall,” according to the X-Force Threat Intelligence Index 2022 by IBM.

A key factor contributing to this escalating threat is the rapid expansion of the attack surface due to IoT, remote work environments and increased reliance on cloud services. With more endpoints to exploit, threat actors have more opportunities to gain unauthorized access and wreak havoc.

“Local governments face a significant dilemma… On one hand, they are charged with safeguarding a great deal of digital records that contain their citizens’ private information. On the other hand, their cyber and IT experts must fight to get sufficient financial support needed to properly defend their networks,” says Brian de Vallance, former DHS assistant secretary.

“Public entities face a number of challenges in managing their cyber risk — the top most is budget. IT spending accounted for less than 0.1% of overall municipal budgets, according to M.K. Hamilton & Associates. This traditional underinvestment in security has made it more and more challenging for these entities to obtain insurance from the traditional market.”

Cybersecurity reform should involve rigorous regulatory standards, incentives for improving cybersecurity measures and support for victims of cyberattacks. Public-private partnerships can facilitate sharing of threat intelligence, providing organizations with the information they need to defend against attacks. Furthermore, federal support, in the form of resources or subsidies, can also help smaller organizations – whether small businesses or municipalities – that are clearly resource constrained so they have funds to invest more in cybersecurity.

Toward solutions

So, is the solution a market for cybersecurity insurance? A competitive market to hedge against cyber risk will likely emerge as organizations are increasingly required to report material incidents. A cyber insurance market would still not solve the root of the problem: Organizations need help becoming resilient. Small and mid-sized businesses, according to my research with professors Annie Boustead and Scott Shackelford, are especially vulnerable.

“Investment in digital transformation is expected to reach $2T in 2023 according to IDC and all of this infrastructure presents an unimaginable target for cybercriminals. While insurance is excellent at transferring financial risk from cybercrime, it does nothing to actually ensure this investment remains available for the business,” says Hake, who says there is a “huge opportunity” for insurance companies to help clients improve “cyber hygiene, reduce incident costs, and support financial incentives for investing in security controls.”

Encouragingly, Hake has noticed a trend for more companies to “work with clients to provide insights on vulnerabilities and incentivize action on patching critical vulnerabilities.”

“One pure-technology mitigation that could help is SnapShield, a ‘ransomware activated fuse,’ which works through behavioral analysis,” says Doug Milburn, founder of 45Drives. “This is agentless software that runs on your server and listens to traffic from clients. If it detects any ransomware content, SnapShield pops the connection to your server, just like a fuse. Damage is stopped, and it is business as usual for the rest of your network, while your IT personnel clean out the infected workstation. It also keeps a detailed log of the malicious activity and has a restore function that instantly repairs any damage that may have occurred to your data,” he continues.

Ransomware attacks are also present within the crypto market, and there is a growing recognition that new tools are needed to build on-chain resilience. “While preventative measures are important, access controlled data backups are imperative. If a business is using a solution, like Jackal Protocol, to routinely back up its state and files, it could reboot without paying ransoms with minimal losses,” said Eric Waisanen, co-founder of Astrovault.

Ultimately, tackling the growing menace of cyber threats requires a holistic approach that combines policy measures, technological solutions and human vigilance. Whether a ban on ransom payments is implemented, the urgency of investing in robust cybersecurity frameworks cannot be overstated. As we navigate an increasingly digital future, our approach to cybersecurity will play a pivotal role in determining how secure that future will be.

Mandatory disclosure and the threat of getting sued may force companies to improve cybersecurity. (Pexels)

Emory Roane, policy counsel at PRCD, says that mandatory disclosure of cyber breaches and offering identity theft protection services are essential, but it “still leaves consumers left to pick up the pieces for, potentially, a business’ poor security practices.”

But the combination of mandatory disclosure and the threat of getting sued may be the most effective. He highlights the California Consumer Privacy Act.

“It provides a private right of action allowing consumers to sue businesses directly in the event that a business suffers a data breach that exposes a consumer’s personal information and that breach was caused by the business’ failure to use reasonable security measures,” Roane explains. That dovetails with a growing recognition that data is an important consumer asset that has long been overlooked and transferred to companies without remuneration.

Greater education around cybersecurity and data sovereignty will not only help consumers stay alert to ongoing threats — e.g., phishing emails — but also empower them to pursue and value more holistic solutions to information security and data sharing so that the incidence of ransomware attacks is lower and less severe when they do happen.

Bans rarely work, if for no other reason than enforcement is either physically impossible or prohibitively expensive. Giving in to ransoms is not ideal, but neither is penalizing the entity that is going through a crisis. What organizations need are better tools and techniques – and that is something that the cybersecurity industry, in collaboration with policymakers, can help with through new technologies and the adoption of best practices.
