Making it illegal for companies to pay up when hit with ransomware could finally halt the ‘scourge of the internet’.


Steve Ranger | September 28, 2020 — 11:02 GMT (04:02 PDT) | Topic: Security

Police always advise ransomware victims against paying off the criminal gangs that have encrypted their computer systems – and there are many good reasons for that.

At the most basic level, even after the companies have handed over the money, it’s not always certain they will get their data restored. They are negotiating with crooks after all.

But even if they do get their data back, paying up is still a bad idea. It gives the crooks a big payday, which encourages further attacks – perhaps even on the same organisation again. And that big payoff means that gangs can invest in hiring more software developers and hackers to go after even bigger targets.

Paying the ransom might save you pain in the short term but means a bigger problem for everyone else in the longer run.

Currently businesses in the UK are unlikely to be prosecuted for paying up to a ransomware gang – unless there is a reasonable chance of the payment being used to fund terrorism. But at least one senior figure in the security industry thinks that it should be a lot harder or even illegal to pay ransoms.

In a speech earlier this month at security think tank RUSI, former head of the National Cyber Security Centre (NCSC) Ciaran Martin explained just how big a problem the agency considers ransomware to be.

“Right up until my final hours at NCSC last month, I remained of the view that the most likely cause of a major incident was a ransomware attack on an important service,” he said.

“For the attacker, the choice of the service would be incidental. They were just after money. But from the point of view of national harm, that incidental choice of victim could be important. What most kept me awake at night was the prospect of physical harm inadvertently resulting from ransomware.”

He added: “Criminal ransomware used recklessly by amoral criminals is one of the biggest but least discussed scourges of the modern internet.”

Martin said if he had “one policy card to play in the next year”, he would ask for “a serious examination of whether we should change the law to make it illegal for organisations in the UK to pay ransoms in the case of ransomware”.

“The case for doing so is not – and I stress is not – a slam dunk, and if the answer is no [to making paying ransoms illegal], we should think of something else to counter ransomware, because it’s the single biggest contemporary scourge in cyberspace right now.”

Martin said it was a curious anomaly that UK extortion laws are largely based on the experience of kidnapping by terrorist groups. That is, if you are ransomwared by a proscribed terrorist group, it is illegal to pay, but if the attackers are ordinary criminals, or even state attackers, then it’s fine. “Surely that needs a look,” he said.

It’s thought that as many as half of organisations pay up when hit with ransomware, which has made data-encrypting malware a major source of revenue for sophisticated criminal gangs. Some versions of ransomware have raked in tens of millions in ransom, usually in the form of hard-to-trace cryptocurrencies like bitcoin.

Many victims feel they have little choice but to pay up if the alternative is rebuilding all their computer systems and databases effectively from scratch – and trying not to go out of business as they do it. 

But critics have warned that being able to pay the ransom means that ransomware attacks are viewed by some as just another cost of doing business, which means they are less likely to invest in the sometimes-costly security systems that would prevent such attacks.

If paying the ransom were no longer a legal option, companies would have to make sure their systems were robust enough to stop the attackers in the first place. But it would also put much more pressure on police to track down gangs.



World news – US – Ransomware is your biggest problem on the web. This huge change could be the answer | ZDNet
