I want to start this off by stating that the threat actors who conduct these attacks must be stopped, and I hope one day we will be able to make that happen. Ever since the Colonial Pipeline ransomware attack, federal and state lawmakers have been proposing laws that would ban the payment of ransoms. I have overseen 1300+ cybersecurity incident response cases, most of them ransomware, for everything from Fortune 100 companies to small mom-and-pop businesses, and most of the time the ransoms are paid. There are a few reasons behind those payments that lawmakers are overlooking.

  1. These threat actors do not just encrypt the enterprise; they encrypt or wipe the backups as well (segmented and offsite backups would have prevented this). Without usable backups, quick recovery is impossible and the data is lost for good.
  2. In recent years the threat actors have started to exfiltrate sensitive data from the victim's environment before encrypting it. This data is then used to blackmail the victim: much of what is taken could cause serious reputational damage and expose the victim to legal action. Paying the ransom in most cases prevents this data from being leaked to the public, and at that point the data is returned to the victim along with the threat actor's proof of deletion (which, of course, can only be taken on the threat actor's word).
  3. The cost of a complete rebuild of an environment can be astronomical, and the rebuild itself is time-consuming. Every day spent restoring operations is a day of significant financial losses, and that, compounded by the cost of hiring an outside firm to restore operations from ground zero, can bankrupt most victims.

The economic damage from outlawing the payment of ransoms will be significant: it will cause businesses to close their doors and their employees to lose their jobs, putting a bigger burden on unemployment benefits and other federal aid. Federal and state lawmakers need to consult with cybersecurity professionals to better understand these threat actors and the long-term effects of the proposed laws before passing them.

There are ways to reduce the risk to companies across the globe, and these are what lawmakers should be stressing instead. To name a few: cyber awareness training, zero trust architecture, defense in depth, multi-factor authentication, segmented and offsite backups (which directly address the loss of backups in point 1 above), asset management, and vulnerability management.

Conversant Group can answer any additional questions you may have. We can help you solve large and small problems.