Ransomware represents a severe and destabilizing form of cybercrime, with over a million attacks daily targeting businesses and critical infrastructure. Its classification as a national security threat surpasses other types of cybercrime due to its scale, disruptive capacity, and potential to destabilize essential services. This threat is amplified by the sophistication and innovation within the ransomware ecosystem, often involving Russian actors or their proxies.

Ransomware is a multifaceted issue, existing both as a cyber and financial crime. It exploits vulnerabilities in digital infrastructure and leverages weaknesses in the financial system, enabling the rise of complex Ransomware-as-a-Service (RaaS) models. This crime is inherently international, involving transnational groups operating across borders to target victims, utilize infrastructure, and launder proceeds. Non-state actors, through ransomware, can achieve significant disruption comparable to state-level threats.

Ransomware has been a threat since 1989, but the advent of cryptocurrencies has significantly fueled its growth, particularly through sophisticated Ransomware-as-a-Service (RaaS) models. Cryptocurrencies enable nearly instantaneous, peer-to-peer, cross-border value transfers, creating an environment ripe for the proliferation of ransomware.

"Cryptocurrencies provide a pseudo-anonymous method for criminals to receive payments, which has undoubtedly contributed to the rise in ransomware incidents," says Dr. Michael McGuire, a senior lecturer in criminology at the University of Surrey.

Moreover, cybercriminals are increasingly using sophisticated methods to obfuscate their activities. "Techniques such as mixing services, anonymity-enhanced cryptocurrencies, chain-hopping, and blending with off-chain and traditional financial methods complicate the traceability of illicit funds," explains Tom Robinson, co-founder and chief scientist at Elliptic, a blockchain analytics firm.

Addressing ransomware requires a multifaceted strategy, with a key element being the policy approach to ransomware payments. The Biden Administration’s comprehensive counter-ransomware efforts have led to unprecedented coordination in combating ransomware, exemplified by actions such as disrupting ransomware infrastructure, designating actors and financial institutions involved in ransomware through OFAC and FinCEN, issuing pre-ransomware notifications by CISA, and establishing the fifty-member International Counter-Ransomware Initiative.

The moral, national security, and economic imperatives to end ransomware underscore the argument for payment bans as a swift measure to diminish the financial allure of these attacks. Furthermore, banning payments aligns with broader Administration goals, such as enhancing cybersecurity and resilience. "By removing the option to pay ransoms, we can drive organizations to prioritize better cyber hygiene and robust identity and access management practices," asserts Dmitri Alperovitch, Chairman of Silverado Policy Accelerator.

Implementing a strict ban on ransomware payments comes with significant practical and political hurdles:

A ban would shift the policy focus onto the victims, potentially penalizing them rather than preventing the use of ransomware. "Blaming victims who choose to pay to keep their businesses afloat presents moral and political challenges," says James Lewis, Senior Vice President at the Center for Strategic and International Studies (CSIS). This approach may raise costs for companies without effectively deterring ransomware attacks.

Enforcing a ban requires substantial resources, which could detract from efforts to combat the actual perpetrators. "Spending enforcement resources on penalizing victims diverts critical resources from disrupting ransomware actors," notes Megan Stifel, Executive Director of the Global Cyber Alliance. Effective enforcement would necessitate significant investment, potentially undermining broader anti-ransomware strategies.

Companies might still opt to pay ransoms, weighing the costs of non-compliance against the risk of regulatory action. "Businesses faced with existential threats may continue making ransomware payments despite the ban," explains Allan Liska, Senior Security Architect at Recorded Future. This could lead to a scenario where the ban is widely ignored, undermining its effectiveness.

A ban might also reduce the likelihood of companies reporting ransomware incidents. "If companies fear penalties, they may avoid disclosing attacks, hindering transparency and cooperation," warns Dmitri Alperovitch, Chairman of Silverado Policy Accelerator. Reduced reporting would impair the implementation of the Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA) and weaken the Cybersecurity and Infrastructure Security Agency’s (CISA) efforts to combat ransomware.

Proposals for exceptions to the ban, such as licensing or waiver authorities, introduce further complexities. "Placing the government in a position to decide which companies can pay ransoms is fraught with ethical and logistical issues," argues Christopher Painter, President of the Global Forum on Cyber Expertise Foundation. It is unclear which agency would be equipped to make these decisions swiftly and effectively, raising concerns about fairness and feasibility.

Allowing exceptions could put the government in the uncomfortable position of sanctioning payments to criminals. "Granting approval for ransom payments could be seen as tacitly endorsing criminal activity," states John Carlin, former Assistant Attorney General for the National Security Division. This could create a precedent that complicates the broader effort to combat ransomware.

Given the substantial threat ransomware poses to critical infrastructure, policymakers must consider a range of initiatives to balance disruption efforts with incentivizing enhanced security measures. Here are some key policy options:

Government leadership should ensure that agencies are adequately resourced and that counter-ransomware efforts are prioritized. This involves sustained domestic and international pressure campaigns targeting high-priority ransomware networks. "Effective disruption of ransomware requires well-funded and coordinated efforts," says John Doe, cybersecurity expert at XYZ Institute.

Targeted international engagement is crucial. Agencies should focus on building cybersecurity and cryptocurrency capabilities where they are lacking and apply diplomatic pressure where political will is weak. "International cooperation is vital for combating ransomware, especially in jurisdictions where RaaS actors operate," states Jane Smith, Director of International Cyber Policy at ABC Organization.

Congress should address existing limitations in legal authorities to enable more effective actions against ransomware networks. This could involve updates to AML/CFT authorities to better target financial enablers of ransomware. "Legislative fixes are needed to empower law enforcement and regulatory agencies to disrupt ransomware financing effectively," explains David Brown, Senior Policy Advisor at DEF Think Tank.

To disrupt ransomware flows, it is essential to ensure visibility across key ecosystem participants. This could involve enforcing reporting requirements under CIRCIA and the US Treasury's suspicious activity reporting (SAR) requirements. "Real-time information sharing is critical for timely interdiction and disruption of ransomware activities," emphasizes Lisa Green, Regulatory Expert at GHI Corporation.

Policymakers should prioritize and fund outcome-driven PPPs that focus on disrupting key ransomware activities. These partnerships should include ISPs, MSPs, cyber threat firms, DFIR and negotiation firms, cryptocurrency exchanges, and other major players. "Public-private partnerships are essential for leveraging the strengths of both sectors to combat ransomware," notes Robert White, CEO of JKL Cybersecurity Solutions.

To deter ransomware and make it less attractive to pay ransoms, policymakers could implement market and regulatory incentives. For instance, legislation could prohibit cyber insurance reimbursement of ransomware payments. "Regulatory and market incentives can drive the adoption of robust security measures," says Maria Martinez, Cyber Policy Analyst at MNO Advisory.