North Carolina Ban Affects State/Local Governments, Public Schools and Universities
As ransomware continues to pummel organizations left, right and center, two states have responded by banning certain types of ransom payments, and more look set to soon follow suit. But in the words of one expert, the bans could have “terrible consequences.”
“The laws prohibiting ransom payments could lead to terrible consequences.”
North Carolina’s law applies to state and local government agencies, as well as public schools, community colleges and universities. All such victims must also rapidly report such attacks to the state’s IT department and “consult with” them. The law prohibits not just paying ransoms but even communicating with attackers, say BakerHostetler attorneys Elise Elam and Benjamin Wanger.
By contrast, Florida’s law doesn’t ban communicating with attackers – for example, to better understand what might have been stolen – and also “appears to exclude public school districts and universities from the list of public entities that are prohibited from paying a ransom,” Elam and Wanger say.
Other states are considering similar strategies, with Pennsylvania’s senate in January passing a bill – which the state House has yet to vote on – banning taxpayer-funded agencies and organizations from paying a ransom. As CPO Magazine recently reported, similar laws are under consideration in Arizona, New Jersey, New York and Texas.
What could possibly go wrong?
“The laws prohibiting ransom payments could lead to terrible consequences,” Alan Brill, senior managing director in the cyber risk practice at the consultancy Kroll, tells me. “Look at the costs to Baltimore when it decided to forego what would now be seen as a small payment and ended up spending millions trying to recreate/restore data.”
In other words, by prohibiting state agencies from potentially paying a ransom, lawmakers may be creating a situation in which more – not less – taxpayer money gets spent to clean up the problem.
“While paying a ransom is never the goal, it is possible that small ransom payments in exchange for a decryptor would be far less expensive – and disruptive – than trying to rebuild or restore encrypted systems,” says attorney Lisa Sotto of Hunton Andrews Kurth LLP.
In the hit on Baltimore in May 2019, for example, attackers wielding RobbinHood ransomware encrypted Baltimore city systems, demanding 13 bitcoins – then worth about $75,000 – for a decryption key. The city refused to pay, instead spending an estimated $18 million or more on cleanup.
One school of thought: At least the city got in place the systems and processes it should have already had.
But the attack disrupted services. Also, responding to an incident is costly, as is trying to rapidly overhaul infrastructure. The city no doubt paid over and above what it would have paid if it had upgraded its infrastructure not in the midst of a crisis.
“While we need to find ways to disincentivize ransomware threat actors, tying the hands of state and local government agencies does not seem like the way to do it,” Sotto tells me.
“Instead, it punishes the agencies that would suffer enough as it is if hit with a ransomware attack,” she adds.
Talking to Attackers Sometimes Helps
Brill, who regularly helps victims recover from ransomware attacks, also says that “prohibiting communications can end up being directly counterproductive.” Victims may not know exactly what all ransomware attackers have encrypted or stolen, and finding out may take substantial time and energy. Likewise, negotiators can sometimes reduce the ransom being demanded by a large factor. In some cases, attackers may also provide a decryptor without a victim having to pay.
Perhaps state legislators are attempting to look tough by essentially telling ransomware gangs to look elsewhere. No doubt they also don’t want the political baggage associated with spending taxpayer money to enrich criminals.
“A ransomware payment to the evil ‘insert one of four known protagonists’-affiliated cybercriminals for multimillion-dollar amounts is bad optics at the political level when infrastructure is crumbling, inflation is climbing and social services such as policing and justice, healthcare, and other government services are under immense strain and financial pressure,” says Ian Thornton-Trump , CISO of Cyjax.
Previously, he says, many victims could pay for cleanup – and sometimes the ransom payment – using their cyber insurance or by making a business-disruption claim. But as such payouts have skyrocketed, insurers have restricted coverage, preferring policyholders that have robust cybersecurity practices.
No Deterrent Effect
No one I spoke to believes state-level moves to ban ransom payments will have any deterrent effect. Bans might sound good in theory. But experts have long warned that they would likely have numerous unintended consequences (see: Ransomware: Would Banning Ransom Payments Mitigate Threat?).
Furthermore, why should attackers care who’s supposedly been banned from paying a ransom? Most have an “attack first, sort it out later” approach. In many cases, it’s not clear they even know what an organization does before they hit its network with ransomware.
When an attack goes wrong, leading to public fallout – as in the case of Conti hitting Ireland’s national health service in March 2021 – as a PR move, criminals will sometimes release a “free” decryptor.
Ireland put that decryptor to work, literally deploying the army to run it on affected systems. That plus $48 million in cleanup costs got the health service up and running again. Now, how much more would the cleanup have cost without the decryptor?
Lawmakers can opt to do things differently, but there’s no sign criminals will care. “Ransomware actors likely will not be deterred by these laws,” Sotto says. “The laws are narrow in their coverage so do not carry much weight in discouraging criminals from plying their wares against ‘low-hanging fruit’ entities – whether government or private sector.”