There's nothing that can't be made worse
The Treasury has moved to prohibit payment of ransomware ransoms. They've said there will be some exceptions, and it is obvious that this won't be an effective, complete, global ban on payment. The result, a partial ban on payment, is the worst possible ransomware environment for victims. The impact of different legal regimes governing ransom payments is well documented and understood; see RUSI here.
Banning ransomware payments looks like a way of removing the financial reward for the gangs. It makes intuitive sense that if the victims cannot pay, then the gangs will stop using ransomware. Unfortunately the counterintuitive truth is that an incomplete, ineffective, partial ban will objectively make ransomware worse for everyone.
If there is a complete, universal, global ban, then ransomware ceases to be a source of money and the ransomware gangs stop, or at least migrate to something else that makes money. We know this scenario is not going to happen.
What’s the worst that can happen?
A partial ban creates significant unintended consequences. Firstly, the ransomware gangs still make money from ransomware, so they do not cease operations. Then, to encourage payment, they become more drastic and extreme in their actions: they have to create a stronger incentive for people who are dissuaded by the ban but might pay if given sufficient "encouragement". Then, because the prohibition on payment drives it underground, with all the limited transparency and brutal mechanisms for enforcing compliance that implies, the ransom prices rise. This environment of higher prices, more aggressive ransomware gangs, and fewer reputable companies negotiating and handling the ransom payments (and thereby managing the gangs) is the worst possible situation for everyone.
How to control attacker behaviour
The only entity with the power to control the behaviour of ransomware gangs is the one providing their protection. The gangs need a place to operate and somewhere to convert their cryptocurrency into hard currency. They are cashing out hundreds of thousands of dollars in crypto, and there is no way that isn't raising "know your customer" alerts for money laundering.
The only controlling entity is the one that allows the gangs to operate. The gangs are completely at the mercy of whichever entity provides protection (yes, it's Russia). This is the rule everywhere that kidnapping gangs operate, and ransomware gangs share this trait with kidnap-and-ransom (K&R) gangs with regard to their operational requirements.
Private governance. Better than nothing? Hmm
The current situation, where there is no criminalisation of payment, has created a marketplace in which a number of companies working with insurers handle the vast majority of ransomware incidents. There are crisis responders who help the victim companies recover, who negotiate a minimal payment, and who get paid by the insurers. This is market governance, and it keeps the prices down because there is a sort of gentlemen's agreement between the gangs and the payment companies. Also, the lack of prohibition means these companies operate in the open and can share information about pricing etc. internally and with each other. (Transparency.)
The status quo is not the ideal world, but it is far better than the nightmare of ineffective partial prohibition.