
Is banning ransomware payments key to fighting cybercrime?


Presented by Zscaler


By Rob Sloan, VP Cybersecurity Advocacy, Zscaler

Ransomware is a relentless threat that jeopardizes organizations worldwide. Criminals calibrate their demands to maximize the likelihood of payment, and they target organizations that can least afford prolonged disruption. New UK government proposals could significantly reduce the threat to its public services.

In 2023 alone, according to blockchain data platform Chainalysis, ransomware payments exceeded $1 billion globally. The indications are that 2024 met or exceeded that total. Researchers at Zscaler’s ThreatLabz identified a single $75 million ransom payment last year and assessed that the UK received almost 6% of all ransomware attacks.

Paying a ransom is rarely a silver bullet. UnitedHealth Group disclosed a $3.09 billion loss from the February 2024 attack on its Change Healthcare business, including $867 million in business disruption costs. That loss came after the business reportedly paid a $22 million ransom.

By removing the option of payment for the public sector and parts of the critical national infrastructure, the UK’s proposal aims to erode the profitability of ransomware attacks.

A proactive approach

The proposal has three parts, though the first carries most weight: a targeted ban on ransomware payments for all public sector bodies, including local government, and for specific owners and operators of critical national infrastructure. If the proposal becomes law, the UK sends a clear message: Its public sector will not fund cybercrime.

The second part covers a ransomware payment prevention regime, which would require any victim of ransomware to “report their intention to make a ransomware payment before paying over any money to the criminals responsible.” This gives the authorities an opportunity to support the victim and advise on alternative options, and to check that a payment would not violate sanctions or other legislation.

The third part proposes mandatory reporting of ransomware incidents, regardless of whether any payment is planned, though it is not yet clear whether that will apply to all victims or only to those above a certain financial threshold.

The bellwether effect

Most counter-ransomware initiatives focus on driving better protections for organizations, but the UK is trying to do something different: reduce the threat. I wholeheartedly support it. This proposal represents a bold and commendable step forward, and could signal a strategic pivot in the fight against ransomware.

The UK’s stance will be a bellwether. If it succeeds, my hope is that other nations will quickly adopt similar measures, creating a united front against ransomware. Private sector organizations, which may soon face an increased threat as criminals shift their focus to those still able to pay, may also find inspiration in the public sector’s resilience and voluntarily align themselves with the effort.

This ripple effect is crucial because ransomware knows no borders. Coordinated international efforts, supported by policies like the UK’s, are essential for dismantling global ransomware networks. As seen in the takedown of the LockBit network, collaborative law enforcement efforts can cripple ransomware operators when supported by robust intelligence and unified policies.

Addressing the challenges

Implementing a payment ban is not without challenges. In the short term, retaliatory attacks are a real possibility as cybercriminals attempt to undermine the policy. However, given the prevalence of targets worldwide, I believe most criminal gangs will simply focus their efforts elsewhere.

The government’s resolve would certainly be tested if paying a ransom were seen as the only way to avoid public health data being leaked, energy networks being crippled, or a critical national infrastructure (CNI) organization going out of business. In such cases, clear guidelines, together with technical and financial support mechanisms for affected organizations, are essential. Policy makers must develop playbooks for such scenarios and run education campaigns that raise awareness of the policy’s goals, emphasizing the long-term benefits of standing firm against ransom demands.

That said, increased resilience, both technological and organizational, is integral to any strategy. Enhanced cybersecurity measures are critical, in particular a zero-trust strategy that reduces an organization’s attack surface and prevents attackers who gain an initial foothold from moving laterally across the network. The U.S. federal government has already committed to moving to zero-trust architectures.

Robust incident response plans, regular tabletop exercises, and a commitment from leadership to invest in resilience are also important in helping organizations withstand such attacks. Concerns about how compliance with a ban would be monitored and enforced must also be addressed.

A vision for the future

By seeking to undermine the ransomware economy, the UK is taking a stand against cybercrime, reducing its attractiveness as a target and undermining the profitability of attacks. The proposal also aligns with ethical considerations: Paying ransoms perpetuates harm and funds criminal enterprises that often engage in other illicit activities. A refusal to pay is a refusal to contribute to this cycle.

The consultation seeks input from individuals and organizations by April 8, 2025. The proposal will then be formalized, drafted into a bill, and presented to Parliament where it must be approved by both the House of Commons and House of Lords before becoming law.

Banning ransomware payments would be groundbreaking, but with clear vision and steadfast commitment, this approach can herald a new era in the fight against ransomware. Bold action can lead to meaningful change, and that has the potential to influence other nations and sectors, fostering a collective shift toward resilience and deterrence. I for one hope it succeeds.

Rob Sloan is VP Cybersecurity Advocacy at Zscaler.


Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact sales@venturebeat.com.