We, the RTF Co-Chairs, have developed steps that governments and the private sector could take together to reduce the need for a prohibition on ransomware payments, or alternatively could provide a roadmap to facilitate an eventual imposition of a prohibition of ransomware payments.
We recognize that ransomware actors are inherently profit-motivated, and therefore a ban on payments could eventually result in less criminal activity. However, for several reasons detailed below, we believe a ban on payments under current circumstances will likely worsen the harms both for direct victims and, in turn, for society and the economy. In cases where bans have been introduced in limited ways (e.g., governments prohibiting themselves from paying ransoms), there has not been a clear decrease in ransomware attacks against these entities.
At present, the limited data available indicates that the majority of organizations globally are still underprepared to defend against or recover from a ransomware attack. This preparedness gap remains particularly problematic in resource-constrained critical sectors that are currently being heavily impacted by ransomware attacks, such as healthcare, education, and government. As such, a strong focus on operational engagement and aid that increases the preparedness of organizations in all sectors—most particularly those providing or supporting critical infrastructure—is essential to enable these organizations to better resist ransomware threats. Additionally, governments and the technical community need to strengthen victim support to give organizations that are affected by attacks alternative options for recovery beyond paying the ransom.
Additional downsides to a payment ban include concerns regarding its impact on reporting of ransomware incidents and the practicalities of a proliferation of exceptions. On the one hand, a no-exception ban could drive payments “underground,” putting them outside the view of investigative authorities. On the other hand, if exceptions are allowed, then the pressure to add exceptions will increase over time as governments confront the realities of disrupted services. Further, if the exceptions to the ban are public knowledge, then ransomware actors will preferentially target organizations in the excepted categories. If the exception requires organizations to apply for a waiver, the number of organizations using such a system will be small, as organizations typically want to pay a ransom in order to make the problem go away as quickly and quietly as possible. Having to wait on a time-consuming application process is directly at odds with this. Determining the consequences if an entity were to violate the ban on payments is also a difficult decision, as most entities would like to remain within the law but may consider alternatives if the perceived cost of abiding by the law is too high. Additionally, criminals may test a government’s resolve to enforce a ban by targeting attacks against organizations that provide services governments cannot tolerate being disrupted and that are least likely to have sufficient resilience.
We therefore believe that the most reasonable and effective approach to reducing payments, including the potential for eventually implementing a ban on payments if deemed relevant by national authorities, requires a multi-year approach based on milestones. To be clear, even if governments move aggressively to meet these milestones, it will take several years following the start of a process before prohibitions could be considered as one possible effective step.
Below are 16 proposed milestones that should be pursued to make this approach effective, falling into 4 different lines of effort. These milestones can and should be pursued concurrently. For example, many small businesses cannot tolerate a long-term disruption to their operations, and they will cease to operate if they cannot bring in revenue. Therefore, governments cannot pursue one line of effort to the exclusion of the others if they want to reduce the impact of ransomware.
While some governments have made some progress against these milestones, considerable work remains even in the most proactive jurisdictions. These milestones are primarily based on recommendations made in the Ransomware Task Force report, and include reference numbers and the original proposed timelines for each Action in the RTF report. More details for each milestone can be found in the report.