The Washington Post

The Cybersecurity 202: Cybersecurity pros are split on banning ransomware payments


with Aaron Schaffer

Some cybersecurity pros want to ban ransomware victims from paying hackers to unlock their computer systems. They argue it’s the only way to halt a wave of debilitating and increasingly brazen cyberattacks for profit.

But such bans could do more harm than good, forcing companies out of business if they can’t get back online, other experts warn. They could also endanger lives and livelihoods if hospitals, schools and other critical services are shut down for days on end.

“It’s very contentious,” James Shank, chief architect of community services at the cybersecurity firm Team Cymru, told me. “Some people adamantly believe you can’t solve the problem without banning. … On the other side, you have victims that are really impacted by ransomware and their viability as businesses is threatened.”

The debate has taken on newfound urgency amid a crush of damaging attacks. 

A ransomware attack on Colonial Pipeline created fuel shortages across the United States and long lines at gas stations. In that case, the company caved and paid a $4.4 million ransom — a move CEO Joseph Blount called “the right thing to do for the country” in a Wall Street Journal interview.

Irish health-care system officials, meanwhile, are refusing to pay up following a ransomware attack that has blocked access to electronic scans and X-rays across the nation.  

Cybercriminals also are getting bolder in their demands. The hackers who locked up the networks of CNA Financial Corp., one of the country's largest insurance firms, demanded and received a mammoth $40 million ransom to unlock those networks in March, Bloomberg News reported yesterday. 

U.S. law enforcement has typically urged companies not to pay ransoms but never moved to ban such payments. 

Congressional action since the Colonial breach has focused on better securing oil and gas infrastructure rather than prohibiting ransomware payments. 

President Biden declined to comment last week on Colonial’s decision to pay a ransom to the hacking group, which U.S. officials say is based in Russia but not affiliated with the Russian government. 

That drew jibes from some Republicans who used it to paint the president as weak on cybercrime. 

Former Trump secretary of state Mike Pompeo (R):

Shank described the issue of payment bans as among the most contentious in cybersecurity. 

He was a member of a ransomware task force composed of more than 60 cybersecurity experts and former top government officials that produced its report in April — and notably deadlocked on the question of prohibiting ransom payments.   

Michael Daniel, White House cybersecurity coordinator during the Obama administration, was a leading proponent of such bans on the task force and made his case to the BBC: “Ransomware attacks are primarily motivated by profit … and without profit, attackers will shift away from this tactic,” he said. 

Ransomware gangs are also likely using ransom payments for far more dangerous crimes “such as human trafficking, child exploitation, and terrorism,” warned Daniel, who now is president of the Cyber Threat Alliance.

He cautioned, however, that bans should be implemented slowly and cautiously to limit the damage to victims.  

Jen Ellis, an executive at the cybersecurity firm Rapid7 and another task force member, made the case against bans. 

“Banning payments would almost certainly result in a pretty horrific game of 'chicken,' whereby criminals would shift all their focus toward organizations which are least likely to be able to deal with down time — for example hospitals, water-treatment plants, energy providers, and schools,” she said. “The hackers may expect the harm to society caused by this down time to apply the necessary pressure to ensure they get paid. They have very little to lose by doing this — and potentially a big payday to gain.”

The group did list off a series of changes governments should make before banning ransomware payments if they choose to do so, including setting up public funds to help victims recover from attacks without draining their own bank accounts and phasing in bans so they apply to the most critical services last. 

For his part, Shank said he can “see both sides of the issue” and believes it’s better for law enforcement to focus on making it harder for ransomware gangs to operate and to spend the payments they typically receive in cryptocurrency than to ban ransom payments outright. 

Here are more expert thoughts:

Chris Krebs argued on “Face the Nation” for requiring a license before companies make ransomware payments so they’re required to help law enforcement track where the money is going. Krebs led the Department of Homeland Security's cybersecurity efforts during the Trump administration but was fired for disputing the former president's false claim that the election was stolen. 

Jason Clark, chief security and strategy officer at the cybersecurity firm Netskope, fretted that a ban would just lead companies to pay ransoms in secret:

Maurice Turner, cybersecurity fellow at the Alliance for Securing Democracy, worried a premature ban might lead to companies taking even more drastic and illegal actions, such as trying to hack the hackers:

Bryson Bort, CEO of the cybersecurity firm Scythe and an adviser at the Army Cyber Institute at West Point, supported the ban, which he compared to bans on terrorist financing. 

Dmitri Alperovitch warned ransomware payments are sometimes the best of bad options. He’s former chief technology officer at the cybersecurity company CrowdStrike and chairman at the Silverado Policy Accelerator, a nonprofit think tank.

Correction: An earlier version of this newsletter incorrectly identified Jason Clark's employer. This version has been corrected.

Chat room

Some Twitter users were astounded by the CNA ransom's size. Editor and writer Silvia Killingsworth:

Krebs, with a healthy dose of sarcasm:

Newstalk's Jess Kelly:

Josh Corman, a senior adviser at the Cybersecurity and Infrastructure Security Agency:

The keys

Yet another ransomware attack is hampering care at hospitals, this time in New Zealand. 

The Waikato District Health Board’s IT systems are offline amid an investigation into the breach, CyberScoop’s Sean Lyngaas reports. The hospital chain provides health services for about 425,000 people.

Elective surgeries at one hospital had to be postponed, while the number of outpatient clinics had to be “reduced” at others. Some cancer patients may need to be moved to other facilities in the country. 

The board said its IT staff had been working to get the “systems back online and have been making good progress.” The CEO of the board, Kevin Snee, said the process of restoring the systems is “likely to run into and beyond the weekend,” the New Zealand Herald reported.

Maricopa County voting machines can no longer be trusted after partisan audit, a top Arizona election official says. 

The machines could have been tampered with during the audit in a way that would make them more susceptible to hacking, Secretary of State Katie Hobbs (D) told Maricopa County’s Board of Supervisors, the Arizona Republic’s Jen Fifield reports.

Replacing the voting machines would cost the county millions of dollars. The election review was commissioned by Arizona’s GOP-led state Senate. It is being led by Cyber Ninjas, a firm whose founder has promoted baseless claims that the 2020 election was marred by fraud.

“I have grave concerns regarding the security and integrity of these machines, given that the chain of custody, a critical security tenet, has been compromised and election officials do not know what was done to the machines while under Cyber Ninjas’ control,” Hobbs wrote, arguing that “decommissioning and replacing those devices is the safest option as no methods exist to adequately ensure those machines are safe to use in future elections.”

New details are emerging about a blockbuster 2011 hack that paved the way for SolarWinds.

The breach compromised the digital credentials inside key fobs used by customers of the cybersecurity firm RSA, compromising tens of millions of users at government and military agencies and major corporations, and delivering their secrets to Chinese military hackers.

It was “the original massive supply chain attack,” Wired’s Andy Greenberg writes in a deep dive about the breach based on extensive interviews with RSA executives whose 10-year nondisclosure agreements recently expired.

The wild cat-and-mouse game included two groups of hackers linked to the Chinese military within RSA's network. The second attack, RSA’s former chief security officer Sam Curry said, was “much more skilled.”

“After 10 years of rampant state-sponsored hacking and supply chain hijacks, the RSA breach can now be seen as the herald of our current era of digital insecurity — and a lesson about how a determined adversary can undermine the things we trust most,” Greenberg writes. Read the whole story here.

Industry report

Cyber insurance prices are going up, according to a government watchdog.

Demand for cyber insurance policies is increasing, while coverage limits for some industries are decreasing, the Government Accountability Office found. Insurance companies are also offering more tailored cyber policies.

Colonial Pipeline accused of negligence in proposed class action (Bloomberg Law)

Cyber insecurity

Ireland is looking into a decryption tool posted online that could unlock its medical systems.

Health Minister Stephen Donnelly said the government did not pay a ransom for the decryption key, the Financial Times’s Laura Noonan reports. The news came as Ireland prepares for a potentially devastating release of the hacked records within days.

“Specialists from the National Cyber Security Centre were working with private contractors to check the decryption tool to make sure it was not a trick to cause further harm, the government said,” Reuters reports.

Hackers have said they will release the files unless Ireland pays a $20 million ransom by Monday. Dublin’s High Court has issued an injunction banning the sharing, processing and publishing of data taken by the hackers. 
  • Gen. Keith Alexander, the former commander of U.S. Cyber Command and director of the NSA, speaks at a cybersecurity conference hosted by the U.S. Chamber of Commerce at 9:15 a.m. on May 25.
  • Ben Bernstein, senior special counsel at the Securities and Exchange Commission, discusses cyber governance at a Cyber Crossroads event at 11:35 a.m. on May 25.
  • A House Science Committee panel holds a hearing on software supply chain security in the wake of the cyberattack on SolarWinds and other companies on May 25 at 2 p.m.
  • Former Undersecretary of Defense for Policy Michèle Flournoy, the co-founder of WestExec Advisors, speaks at the Institute for Security and Technology’s Strat-Tech conference at 2:10 p.m. on May 25.   
  • Secretary of Homeland Security Alejandro Mayorkas testifies before a Senate Appropriations Committee panel on President Biden’s budget request at 2 p.m. on May 26. 
  • The Senate Homeland Security and Governmental Affairs Committee holds a confirmation hearing for top nominees to the Department of Homeland Security on May 27 at 10:15 a.m.

Secure log off

We have no words.