The UK Government put forward a consultation to ban public sector organizations from paying ransomware demands. An enacted ban would prohibit central and local government organizations, as well as other bodies considered Critical National Infrastructure (CNI), from making payments to a threat actor in the event of a ransomware attack.
One pro-ban theory is that this kind of restriction would remove an attacker’s justification or desire to attack. Knowing they won’t get paid, an attack is a waste of time, right? But would this actually work? To the credit of pro-ban believers, there’s also no guarantee that payment to an attacker will result in the promised decryption or safe return of stolen information – attackers may just take the money and run.
Ideally, implementing a ban on payments minimizes the number and frequency of attacks by eliminating the reward of a payout. However, there are both ethical and moral dilemmas associated with not paying ransoms.
Where it concerns a CNI victim, there may be lives at risk. The easiest example is a hospital. Imagine your local hospital falls victim of a targeted ransomware attack and all of the internet-connected devices within the facility cannot properly function to sustain the lives of those inside. Or perhaps a water supply or electricity facility that provides service to the hospital is targeted.
These ransomware attacks would also impact the hospital and people’s lives. In the heat of the moment, those ransomware payments can be used to quickly calm the panic and return to normal, recovering bricked systems and getting critical services up and running.
Cybersecurity Strategist at Sysdig.
The potential impact of a ban
To put it bluntly, banning ransomware payments will not solve the problem. A total ban will make it much harder for some public sector organizations when the situation arises – and unfortunately, it will arise. As we covered, healthcare providers, for example, would be hugely affected. In my opinion, the onus should be on the victim organization to decide on whether to make a ransomware payment, especially when lives are on the line. Only those that are directly affected have enough insight and context to weigh this kind of decision based on the risks and impacts of whether or not the payment is made.
If the UK does decide to implement a full ban on payments, there will be even more pressure on public sector organizations to ensure their business continuity plans are sufficient enough to protect and recover their data following a ransomware attack. Inevitably, it will lead to a new regulation, mandating and checking that all organizations from large central bodies to small niche concerns and tertiary partnerships and shared services are all in adherence.
Presumably, each of these organizations already have their own technology investments and continuity plans in place, but to align with a ransomware payment ban and potential regulatory security requirements, they would have to make changes.
The time to plan for ransomware response is, of course, before an incident happens. So adequate continuity and data protection policies can be level-headedly implemented, scaled and – most importantly – tested. This planning phase, on a grander scale, would include making more resources available to help public sector organizations ensure they are resilient and that their backup plans work effectively.
Adopting a “center of excellence” approach would help organizations to be better prepared, protect their users, and recover more effectively. If the government were to be so kind as to implement the ban with a loophole, there would also need to be additional support for CNI organizations that must pay the ransom in order to get back to service delivery. Would there then be specific consideration for public-private partnership or outsourcing providers, and whether those private companies would also be covered by the ban?
Between theory and practice
There’s a fine line between preventing ransomware attacks by turning off the financial incentive and only encouraging attackers to change their tactics. Whereas ransomware attacks are currently often public fanfare, they could be forced into secrecy and we could see less intelligence sharing across the cybersecurity community under a ban.
Ransomware remains lucrative for attackers, so it likely won’t go away any time soon. In response, regardless of the ban, organizations have to adopt real-time threat detection and response capabilities to prevent potential attacks on their cloud deployments as quickly as possible. Ultimately, maintaining effective and tested data backups in the event of something going wrong remains a crucial part of the resiliency equation.
Separating systems across different networks or cloud environments also helps to prevent single points of failure that ransomware actors can exploit, reducing the blast radius and hopefully giving you some flexibility and access during an attack.
In a perfect world, organizations should be able to detect a potential attack and shut it down before the ransomware is deployed. This requires preparation and the right processes and security tools. By continuing to stay one step ahead and preventing attacks, we can hopefully argue against and avoid the ransomware payment ban.
We've featured the best data loss prevention service.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
