To pay or not to pay? Ransomware attacks are the new kidnapping
23 Jun 2023

From our vantage point in the UK, it’s hard not to be envious of the rigorous public debate taking place in Australia on the future legality of ransomware payments.

Over the past several years, ransomware attacks have become a persistent national security threat. The inability to respond effectively to this challenge has normalised what should be intolerable: organised cybercriminals harboured by hostile states regularly disrupting and extorting businesses and essential services, causing misery in the process.

Following last year’s cyberattacks against Optus and Medibank, the Australian government has signalled its willingness to address one of the thorniest and most contentious questions in cyber policy: whether to ban ransomware payments.

The debate over banning ransom payments has a long history. When it comes to terrorist-related kidnapping for ransom, the legislation—led by the United Nations Security Council—is clear. Payments are illegal.

The argument is that kidnapping works because it’s profitable, and so payments fuel the business and perpetuate attacks. The same logic is applied to ransomware. It is also a low-risk, high-reward criminal enterprise, with some experts suggesting that it’s more profitable than cocaine trafficking. As Coveware, a specialist ransomware negotiation firm, notes: ‘The profits ransomware actors generate are too high, and the risks are too low.’ There are almost no barriers to entry and the profit margin can be as high as 98%.

A ban on payments therefore makes logical sense. Stop the payments and the primary motivation for ransomware attacks will evaporate. Those seeking to get rich quick will look elsewhere.

Yet that logic has been applied before, in the kidnapping-for-ransom world, and despite some unilateral national bans against criminal payments and international prohibitions on payments to designated terrorist groups, hostage-taking continues. As Australia considers the possibility of banning ransomware payments, policymakers should consider the historical precedents.

As the so-called Islamic State expanded its self-declared caliphate, it sought to raise significant funds through the ‘sale’ of human life. As well as trading Yazidi slaves, the group kidnapped journalists and civil-society workers, offering their lives in return for tens of millions of dollars. For the hostages, their fate was decided by the nationality of their passports. Whereas the US and UK held fast and remained committed to the international prohibition on making payments to designated terrorist groups, watched their citizens murdered on the internet, and threatened the families with prosecution should they pay, other nations brought their nationals home safely to a presidential welcome in return for eye-watering sums.

Despite the legislative clarity on terrorism-linked kidnapping-for-ransom payments, many countries placed the value of the lives of their citizens above compliance with international law and the potential for the payments to reward and encourage more hostage-taking.

For those who watched their family members murdered, the arguments of their governments in favour of non-payment rang hollow. The logic of political leaders and ‘securocrats’ that payment fuels the ambition and activities of the kidnappers, and thus non-payment will adversely affect their appetite for hostage-taking, has not survived contact with reality—a reality that is far more complex than those making policies and laws seem to recognise.

The reality is that when faced with a difficult decision, whether related to the life or death of a loved one or the survival of a business, pressure tells, and payments are often made. By outlawing ransom payments, authorities inadvertently exacerbate their challenge. Payment bans mean negotiations are conducted in secret, often without the knowledge of the authorities. One unintended consequence of the Italian government’s 1991 national ban on kidnapping-for-ransom payments to criminals, for instance, was that victims’ families simply stopped notifying law enforcement. This limits the willingness and ability of those involved to share information that might assist negotiation strategies, track money and identify perpetrators after ransoms are paid.

As with kidnapping, ransomware is mostly an opportunistic crime based on imperfect information about compromised victims. The Australian government shouldn’t assume that ransomware operators will avoid Australian organisations in the event of a ban, just as kidnappers don’t always know the nationality of their victims when they strike. And given the borderless nature of ransomware attacks, unilateral national action may present only a small inconvenience to cybercriminals. For a global threat, a credible global ban is required—but that’s not currently an attainable goal.

Countries that seek to outlaw ransomware payments may therefore end up disadvantaging their businesses and reducing their ability to respond to the threat. They could also lose valuable opportunities to disrupt criminals and collect information that would strengthen them against future attacks.

Of course, there are many differences between the offline and online worlds, and it would be wrong to suggest that the parallels are absolute. Paying a ransomware operator for data is not the same as paying for a human life. Yet the core criminal incentives, the opportunistic nature of the crimes and the inconsistent responses of the victims are similar, and the kidnap-for-ransom experience can be instructive, particularly when it comes to the challenges and unintended consequences of payment bans.

None of this dismisses the need for a rigorous and open-minded review of the policy options for ransomware and ransom payments in Australia and elsewhere. Regardless of whether payments are banned, a much more activist approach is required to disrupt the ransomware business model. The status quo is not acceptable. Policymakers are right that too many organisations pay, and often pay too much, when there are legitimate alternatives available.

Key to the success of the kidnapping-for-ransom response industry has been governance mechanisms established to ensure information sharing, professionalism and best practice to minimise the size of payments and the profitability of the crime. There’s room for greater regulation of the ransomware negotiation and payment services industries. As the kidnapping-for-ransom response industry has shown, governance is critical to ensuring an orderly market.

And finally, just like in kidnapping-for-ransom responses, responses to ransomware attacks must place the victim at the centre of the recovery strategy. This requires empathy, and governments can promote responsible victim behaviour. Usually this means acknowledging that there are sometimes legitimate reasons to pay, and providing more clarity on what constitutes a reasonable ‘last resort’.