Should ransomware payments be illegal?

Should insurance indemnify businesses who pay ransom demands?

Should governments take hostile action against known ransomware groups? Are they already doing that, but we just don't know about it?

These are some of the recent questions raised (rightly so) and debated by the insurance and wider business and public-interest communities.

In a previous post, I'd offered my opinion...in short, saying that I didn't think it was fair to make ransom payments illegal in the current environment, nor was it fair to prevent willing insurers from offering coverage for such payments.

As of this morning, REvil, the widely suspected Russian masterminds behind some of the most devasting ransomware attacks on global corporates (most recently via the Kaseya hack...demanding a $70m ransom payment!) - were taken off line. Perhaps this was after intervention from the Russian government, perhaps after intervention and pressure from the American government...

...next up, after a really informative call with our partners at Clyde & Co this morning, we discussed The Ransomware Payments Bill 2021, which requires Australian businesses and government agencies to notify the Australian Cyber Security Committee PRIOR to making a ransom payment. 

There are 2 potential positive steps here:

1.) Political pressure potentially having a positive impact on those governments otherwise taking a back-seat in holding hacking gangs accountable, and

2.) Legal frameworks looking for disclosure of threat-actor behaviour (include cryptocurrency wallet and payment details) which can aid government level action (hostile or clandestine...or both!) against known criminal cyber gangs.

There are some flaws with the latter, namely that for many businesses subject to ransom demand - the involvement of their c-suite, their insurers, their IT vendor partners is enough to slow down their potentially time-critical response - before they have to wait for a government agency to add their 2-pennies worth. Assuming it's a systemic event...then they may be waiting in line for some time before they get the 'go-ahead' to pay - these being business critical hours!

Either way, less of the damning tirade against insurance for fuelling the fire, and more by way of action at the highest levels of government. All positive stuff if you ask me!