Light Dark
June 10, 2024 By Jennifer Gregory 3 min read
News

The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after a ransomware attack.

“At present, the limited data available indicates that the majority of organizations globally are still underprepared to defend against or recover from a ransomware attack. This preparedness gap remains particularly problematic in resource-constrained critical sectors that are currently being heavily impacted by ransomware attacks, such as healthcare, education and government,” wrote the task force in the memo.

Task force sets milestones to achieve before possible payment ban

The memo alluded to a potential ban in the future and stated that the most effective approach to reducing payments is a multiyear approach. As part of the plan, the task force stated that governments and the technical community need to help businesses that are victims of attacks with recovery options other than paying the ransomware.

Additionally, governments and the technical community need to strengthen victim support to give organizations affected by attacks alternative options for recovery beyond paying the ransomware payment. To increase an organization’s ability to recover from an attack without paying the ransomware, the task force proposed the following four lines of effort, each with specific milestones:

  • Line of effort 1: Ecosystem preparedness
  • Line of effort 2: Deterrence
  • Line of effort 3: Disruption
  • Line of effort 4: Response

Current regulations related to paying for ransomware

While the task force declined to set a ban on making ransomware payments at this time, there are currently other regulations and laws that affect companies in their decision to make a ransomware payment. In 2020, the Treasury Department added potential sanctions for cyber insurers, digital forensics and incident response.

Additionally, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), inspired by the SolarWinds, Microsoft Exchange Server and Colonial Pipeline attacks, outlines reporting requirements for ransomware payment requests. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, as directed by CIRCIA, states that cyber incidents must be reported within 72 hours and ransomware payments must be reported within 24 hours.

Read the Definitive Guide to Ransomware

Is a ban a good idea or not?

As the debate about a federal ban continues as the U.S. works toward the milestones, organizations continue to make their own decisions to pay or not to pay ransomware. IBM’s official stance is never to pay ransomware attackers.

Positive effects of a federal ban on ransomware payments

  • A ban could result in less criminal activity. Because cyber criminals commit ransomware attacks to make money, a ban on paying ransomware could lead to fewer attacks. The 2024 IBM Threat Force Intelligence Report found an 11.5% drop in ransomware, likely due to many organizations no longer paying for ransomware.
  • Businesses do not always get their data back even after complying with cyber criminals’ demands. When a company makes a ransomware payment, they trust that the criminals will return their data. However, the Veeam Ransomware Trends Report found that 21% of companies did not receive their data back after paying.

Negative effects of a federal ban on ransomware payments

However, the task force and other experts feel there are many reasons not to put a ban into place at this time:

  • Organizations may go out of business. If an organization cannot recover its data and is prohibited from paying the ransomware, then they are not able to do business. As a result, the business, especially if it is smaller, may cease operations.
  • Victims may not report ransomware attacks and payments. If companies face penalties for paying, then they are likely to not report their payments. When payments are not reported, the government will no longer have accurate records.
  • There is potential for blackmail after the ransomware payment is made. Making payments illegal may produce unintended consequences, such as blackmail. After the attack, the criminals may blackmail the organization for more money to prevent publicity around the ransomware attack and payment.

Moving forward toward a ransomware-ready organization

With the task force providing a detailed roadmap, the goal is for organizations to improve their ability to defend and recover from an attack. Once businesses and government agencies make forward progress, the task force may revisit the feasibility of the ban. When businesses can recover their data relatively easily and get back online quickly, the question of paying ransomware payments becomes less of an issue.

 |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
January 13, 2025

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

December 30, 2024

DHS: Guidance for AI in critical infrastructure

4 min read - At the end of 2024, we've reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology. In the most recent example, the Department of Homeland Security (DHS) has released what it calls a "first-of-its-kind" framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into…

December 26, 2024

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature