To Pay or Not to Pay? Ransomware Attacks Are the New Kidnapping

Despite the legislative clarity on terrorism-linked kidnapping-for-ransom payments, many countries placed the value of the lives of their citizens above compliance with international law and above the risk that the payments would reward and encourage more hostage-taking.

For those who watched their family members murdered, the arguments of their governments in favour of non-payment rang hollow. The logic of political leaders and ‘securocrats’ that payment fuels the ambition and activities of the kidnappers, and thus non-payment will adversely affect their appetite for hostage-taking, has not survived contact with reality—a reality that is far more complex than those making policies and laws seem to recognize.

The reality is that when faced with a difficult decision, whether related to the life or death of a loved one or the survival of a business, pressure tells, and payments are often made. By outlawing ransom payments, authorities inadvertently exacerbate their challenge. Payment bans mean negotiations are conducted in secret, often without the knowledge of the authorities. One unintended consequence of the Italian government’s 1991 national ban on kidnapping-for-ransom payments to criminals, for instance, was that victims’ families simply stopped notifying law enforcement. This limits the willingness and ability of those involved to share information that might assist negotiation strategies, track money and identify perpetrators after ransoms are paid.

As with kidnapping, ransomware is mostly an opportunistic crime based on imperfect information about compromised victims. The Australian government shouldn’t assume that ransomware operators will avoid Australian organizations in the event of a ban, just as kidnappers don’t always know the nationality of their victims when they strike. And given the borderless nature of ransomware attacks, unilateral national action may present only a small inconvenience to cybercriminals. For a global threat, a credible global ban is required—but that’s not currently an attainable goal.

Countries that seek to outlaw ransomware payments may therefore end up disadvantaging their businesses and reducing their ability to respond to the threat. They could also lose valuable opportunities to disrupt criminals and collect information that would strengthen them against future attacks.

Of course, there are many differences between the offline and online worlds, and it would be wrong to suggest that the parallels are absolute. Paying a ransomware operator for data is not the same as paying for a human life. Yet the core criminal incentives, the opportunistic nature of the crimes and the inconsistent responses of the victims are similar, and the kidnap-for-ransom experience can be instructive, particularly when it comes to the challenges and unintended consequences of payment bans.

None of this dismisses the need for a rigorous and open-minded review of the policy options for ransomware and ransom payments in Australia and elsewhere. Regardless of whether payments are banned, a much more activist approach is required to disrupt the ransomware business model. The status quo is not acceptable. Policymakers are right that too many organizations pay, and often pay too much, when there are legitimate alternatives available.

Key to the success of the kidnapping-for-ransom response industry has been governance mechanisms established to ensure information sharing, professionalism and best practice to minimize the size of payments and the profitability of the crime. There’s room for greater regulation of the ransomware negotiation and payment services industries. As the kidnapping-for-ransom response industry has shown, governance is critical to ensuring an orderly market.

And finally, just like in kidnapping-for-ransom responses, responses to ransomware attacks must place the victim at the center of the recovery strategy. This requires empathy, and governments can promote responsible victim behavior. Usually this means acknowledging that there are sometimes legitimate reasons to pay, and providing more clarity on what constitutes a reasonable ‘last resort’.

Jamie MacColl is a research fellow in the cyber research group and Tom Keatinge is the director of the Centre for Financial Crime and Security Studies at the Royal United Services Institute. This article is published courtesy of the Australian Strategic Policy Institute (ASPI).