Countries pledge to not pay ransoms, but experts question impact

All 50 members of the International Counter Ransomware Initiative endorsed a joint policy statement last week asserting “relevant institutions under our national government authority should not pay ransomware extortion demands.”

Cyber authorities representing the collection of 48 countries, the European Union and Interpol, gathered for the third year in Washington, to advance efforts to fight ransomware activity. “As long as there’s money flowing to ransomware criminals, this will continue to grow,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said in a pre-summit briefing.

The international policy endorsement follows a period of consistently disruptive ransomware activity. U.S. officials decided against pursuing an outright ban on ransom payments last year, but reconsidered their stance in mid-2023.

The pledge signifies multilateral intent to combat the payments that fuel ransomware attacks, but it is limited in both scope and impact, according to cybersecurity experts.

“Words matter, and ‘should not,’ versus ‘will not’ pay ransoms is unlikely to discourage the private sector from acquiescing to extortion demands,” Rick Holland, VP and CISO in the office of the CISO at Reliaquest, said via email.

“Paying a ransom has risks, but at the end of the day, it is a business decision. When comparing a potential material business impact on the company versus paying a ransom to minimize or eliminate that impact, many leadership teams will elect to pay the ransom,” Holland said.

The pledge is also limited to CRI member countries and institutions under their respective authority. “In the U.S., that excludes private industry, as well as state and local jurisdictions,” Katell Thielemann, VP distinguished analyst at Gartner, said via email.

“For most organizations, these joint statements aren’t very meaningful when they must make decisions while under attack,” Thielemann said. “A good recent tale of two ransomware events is Caesars versus MGM. Different payment decisions with different outcomes.”

There is no mandate to ban governments or businesses from paying ransom demands, but the CRI pledge could be a step toward that.

“While currently toothless, the declaration may nonetheless be a small, shuffling step in the direction of more restrictive rules around the payment of ransoms. And that could be a good thing,” Brett Callow, threat analyst at Emsisoft, said via email.

“If governments really want to stop organizations paying ransoms, they’ll need to legislate,” Callow said. “Current counter-ransomware strategies are very clearly not working, so new ones are desperately needed.”

Ransomware victims in the U.S. paid $1.5 billion in ransoms between May 2022 and June 2023, according to a senior administration official.

“Fundamentally if we want to impact the disruptive impact of ransomware we have got to discourage and press for not paying ransoms,” the senior administration official said.

CRI members are developing information-sharing platforms to quickly share threats, a forum and mechanism for countries to request incident response assistance from members, and a shared blacklist of crypto wallets ransomware actors use.

“We know that cryptocurrency payment demands underpin most ransomware attacks, and crypto funds end up fueling nefarious goals around the world,” Thielemann said.

While CRI members’ endeavor to curtail ransomware activity is global, U.S. organizations remain the No. 1 target. Americans are hit by 46% of global cyberattacks, Neuberger said.