Should Ransomware Payments Be Banned?

Ransomware attacks have become so extensive, and so expensive, that their effects ripple through the entire economy: They have in effect become a kind of universal tax. This is the premise of an article from Lawfare, a blog published in cooperation with the Brookings Institution. Three major recent high profile attacks  – on Colonial Pipeline, meat provider JBS, and IT software provide Kaseya VAS –  “are almost certainly the tip of a very large iceberg,” the authors write. Many victims are resolving these attacks quietly and for a lot of money, in order to avoid adverse publicity that can be “almost as harmful to a business as the attack itself.”

Among the potential solutions to this problem, the most controversial is  an outright prohibition on paying ransoms. Proponents argue it would deprive ransomware groups of “fuel,” but others say it would merely drive them in the direction of entities, like hospitals or utilities, least able to afford downtime, and that it would increase the incentive not to report the incident.

This article looks at current law – including the FCPA, the “material support statute,” The Trading with the Enemy Act and the International Emergency Economic Powers Act – analyzing how each does and does not potentially address ransomware payments, and how Congress might (possibly with certain exceptions) further restrict these payments. “Right now,” the writers conclude, “the U.S. is unable even to quantify the tax. At a minimum, Congress should consider banning ransomware payments made without notice both to authorities and to shareholders.”