Lots of companies have lately been victimised by ransomware hackers — cybercriminals who infiltrate and encrypt IT systems, then demand money to unlock them. In addition to the much-publicised attack on Colonial Pipeline, recent victims have included one of the biggest US meat packers and the Irish health care system. Cyber pirates might have derailed my family’s annual Martha’s Vineyard vacation by targeting the Steamship Authority — which controls ferry service to the Island — and blocking access to its reservation systems.
In response to the growing threat, more and more observers have become attracted to the theory that the best way to stop ransomware attacks is to make paying the ransom illegal. Biden administration officials have suggested that the notion has merit.
May I suggest, politely, that this is a terrible idea.
Extortion is always and everywhere wrong. But that doesn’t mean it’s never rational to give in. Even the most upstanding citizen might yield to a threat sufficiently severe. To try to alter this by legislation is to outlaw human nature.
Consider a simple example. Suppose a state legislature, sick and tired of the number of people being robbed on the street, decides to make it a crime to give money to a mugger. The legislation might well reduce the supply of muggings, but only by imposing the cost of this public good — fewer robberies — on the victims. Yet handing my wallet to the mugger who is pointing a gun at my head is completely rational. Punishing me to lower the crime rate is a peculiar way for a free nation to behave.
But maybe agreeing to a ransomware demand is less rational than it seems. Even for those who pay, the chances of full data recovery are slim. An April 2021 report from Sophos places the likelihood of getting all the data back at 8%. (On average, the amount of data recovered was 65%.) To take the most prominent current example, after Colonial Pipeline forked over $4.4 million in Bitcoins to the hackers at DarkSide, the decryption tool the company received in return proved so ineffective that the company wound up rebuilding its network from scratch.
Still, businesses keep trying. The Sophos report estimates that 32% of targeted organisations pay up in the end. And the cost is rising. Between 2019 and 2020, the average ransomware payout nearly tripled, from $115,123 to $312,493, according to a February report from Palo Alto Networks. (The average will pop a bit next year once the $4.4 million ponied up by Colonial Pipeline is accounted for, even though more than half has been recovered.)
Hijacking computer networks has become big business. And the threat is going to get worse. The rise of cloud computing has created fresh vulnerabilities. And consider cryptocurrency itself. An analysis published in November 2020 found that the growing appeal of smart contracts run through the blockchain might make ransomware attacks more feasible — and nearly impossible to defeat.
Given the growing cost to business and consumers — to say nothing of the risks to national security — it’s easy to see why regulators want to crack down. But cracking down by going after the victims is one in a long list of bad ideas for dealing with the problem. (Punishing companies that pay hackers who have been sanctioned by the federal government is another bad idea.)
Another bad proposal is banning cryptocurrencies, the form of payment favoured by digital extortionists everywhere. Once more, we’re going after a crime by punishing the victim. To continue the previous metaphor, to fight ransomware by banning Bitcoin and Ethereum would be a bit like saying “Okay, we won’t make it illegal for you to give your wallet to a mugger, but you’re forbidden to carry cash. Unless you pay the mugger with something authorities can trace, there will be more muggings.”
There are better solutions. Improved training, for instance. Unlike the way hacking is portrayed in the movies, most ransomware attacks don’t occur because some clever coder breached the firewall from a remote location. They arise because an employee with sufficiently high-level access clicks on a malicious attachment or uses an unsafe password.