The cybercrime wave wreaking havoc around the world is again prompting calls for governments to ban ransom payments to hackers.
Every day, hackers take computer systems hostage and demand large payments from victims to restore order.
The CEO of Colonial Pipeline admits that his company paid hackers nearly $4.5 million last week after their attack forced the company to stop transporting fuel.
But research by bitcoin analyst Elliptic suggests it’s just a drop in the ocean.
Since last August, DarkSide hackers have received at least $90 million in ransom from an estimated 47 victims, according to Bitcoin data.
DarkSide is just one of twelve ransomware gangs that make huge profits by holding companies, schools, governments and hospitals to ransom.
They work anonymously, so it’s hard to track them down.
And many operate in countries that do not want to stop them.
Ransomware attacks prevent victims from gaining access to computer systems or data until the ransom is paid.
Law enforcement agencies around the world are increasingly urging victims not to pay.
But paying the ransom is not illegal.
And many organizations pay in secret.
Today, a global coalition of cyber experts, the Ransomware Task Force (RTF), is lobbying for government action.
It made about 50 recommendations to stop the crime wave, but could not agree on a ban on ransom payments.
We asked two of its members why.
“Banning payments will result in a pretty awful ‘puzzle’”
Jen Ellis, Rapid7’s vice president of public affairs and communications, says, “Most people agree that in an ideal world, the government should prohibit ransom payments.”
“Since ransomware is a profit-motivated crime, hopefully it will generally discourage this type of crime.”
“And no one will help fund organized crime.”
“The problem is that we don’t live in a perfect world.”
“In the world we live in, banning payments will almost certainly lead to a terrifying headache as criminals focus on organizations that are least likely to experience downtime, such as hospitals, water treatment plants, energy providers, and schools.”
“Hackers can expect the damage to society caused by this downtime to exert the necessary pressure to get the money.”
“They have nothing to lose by doing this – and they can potentially make a big salary.”
“Let’s say the government creates a fund to support these organizations so they don’t have to pay.”
“If this happens, attackers can focus on small businesses and non-profit organizations that do not have the resources to defend themselves.”
“They could be completely ruined if they don’t pay.”
“In the face of bankruptcy, these organizations may consider secret payment, which will further put them at the mercy of criminals who may threaten to make it public.”
“These problems are not easy to overcome.”
“It will take time, awareness and a sustainable investment.”
“Banning payments is a big goal.”
“But we must be pragmatic in our approach so as not to cause significant economic and social damage.”
“Banning payments would make life easier for organizations”
Cyber Threat Alliance President and Chief Executive Officer Michael Daniel says: “The case for no ransom is clear.”
“Ransomware attacks are primarily about profit.”
“And without profit, the pirates will abandon this tactic.”
“In addition, the profits from ransomware are used to finance other, even more dangerous crimes such as human trafficking, child exploitation and terrorism.”
“Finally, payments lead to other attacks, which further enhances the usefulness of this tactic.”
“No organization wants to pay the ransom.”
“On the contrary, they believe they have no choice, whether it be the threat of insolvency, damage to reputation due to disruptions in service or the risk to human lives or large-scale economic disruption.”
“Indeed, from a purely organizational and short-term perspective, paying a ransom is often an economically viable solution.”
“We need to break this cycle and deprive the ransomware ecosystem of fuel.”
“A ban on payment would make it easier for the organization by eliminating the legal possibility of payment.”
“Consequently, well-designed bans will provide targeted organizations with leverage against their attackers.”
“Such bans should not be imposed immediately.”
“In fact, these bans should only be introduced after governments have established effective victim support mechanisms.”
“Bans on payments should be part of a broader campaign to improve prevention, deterrence, dysfunction and response.”
“Those who oppose the ban on payments are raising a great question about potentially high-value organizations that could be attacked during the transition period, which could even lead them to bankruptcy or leave them under tremendous pressure to restore service.”
“Therefore, for payment bans to have the desired effect, governments will need to provide businesses with the resources and support they need to counter these attacks.”