
Make ransomware payments illegal, say 79% of cyber pros

Report produced for MSSP Talion claims overwhelming support for the criminalisation of ransomware payments

More than three-quarters of security professionals and consumers alike believe that making ransomware payments to cyber criminals should be made illegal to stem the tide of attacks, according to research produced on behalf of Talion, a managed security services provider (MSSP), and backed by the Research Institute for Sociotechnical Cyber Security (Riscs).

The study, commissioned to support the launch of a cyber campaign collective dubbed #Ransomaware, also claimed that 81% of security pros believe sharing information about ransomware is the key to building better defences.

According to its manifesto, the group now wants to encourage organisations to speak up about ransomware attacks without shame. It said the more companies that are prepared to share details of how they were attacked, by whom, and what the consequences were, the more can be learned about the tactics, techniques and procedures (TTPs) used by ransomware crews, and the better defenders can fight back.

“We believe we need to stop cyber shaming organisations and move away from a culture of blaming individuals to a place where we can be open and transparent about how these attacks are taking place. Cyber criminals collaborate on their attacks, so we must collaborate to make our defences stronger. It is ‘us’ against ‘them’,” said Talion CEO Michael Brown.  

The campaign itself is backed by a coalition of cyber firms, experts and academics, with founding members – besides Talion and Riscs – including BAE Systems, 36 Commercial, Insight Enterprises, KnowBe4, the UK Cyber Security Association, Comparitech, Siemplify, Eskenzi PR, IT Security Guru, Outpost 24, Cydea, Devo Technology, Mishcon de Reya and Decipher Cyber.

Riscs director Madeline Carr, who is also professor of global politics and cyber security at University College London (UCL), said that collaboration and intelligence-sharing is widespread in other industries – such as healthcare – so similar initiatives in security should be supported.

“We need to band together with peers in our industries to look at ways of taking a collective response against ransomware attacks. Imagine if every law firm, university or utilities provider stood together and publicly stated, we will not pay ransoms. Cyber criminals will follow the money; what we need to do is cut them off at the source,” she said.

Former National Cyber Security Centre (NCSC) CEO Ciaran Martin – now a professor at the Blavatnik School of Government and a frequent commentator on ransomware trends – welcomed the #Ransomaware initiative.

“We need to look at all the different reasons why ransomware is causing so much harm. That includes tackling the tough questions like the flows of money, including looking seriously at payment bans. But we need to provide more support for victims too, and help them protect themselves in the first place,” he said.

The launch of the initiative comes hot on the heels of a groundswell of mainstream support for tackling the ransomware problem. High-profile incidents such as the May 2021 attacks on Colonial Pipeline and the Irish health service have propelled ransomware into the national headlines and spurred government action around the world. Earlier this week, the European Union (EU) announced its intent to set up a Joint Cyber Unit to coordinate collaboration and response to cyber crime across Europe.

The Talion report also revealed that when consumers were asked how they would want their employer to respond to a ransomware attack in which their personal data was compromised, 37% said the employer should refuse to pay.

Meanwhile, when UK consumers were asked how the government should respond to a Colonial Pipeline-style attack in this country, 46% said it should try to restore systems manually without paying and that they would cope with a fuel shortage, although 14% said the UK should respond with a physical or nuclear military attack. More worryingly, this figure rose to more than 40% in the 18-24 age group.

Earlier in 2021, poorly worded and widely misinterpreted statements contained in the government’s Integrated Review of Defence, Development and Foreign Policy raised the prospect that the UK would conduct nuclear strikes on cyber attackers. This is highly unlikely.
