Countries pledge to not pay ransoms, but experts question impact

Cyber authorities representing 48 countries, the European Union and Interpol gathered for the third year in Washington to advance efforts to fight ransomware activity. “As long as there’s money flowing to ransomware criminals, this will continue to grow,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said in a pre-summit briefing.
The pledge signifies multilateral intent to combat the payments that fuel ransomware attacks, but it is limited in both scope and impact, according to cybersecurity experts. “Words matter, and ‘should not,’ versus ‘will not’ pay ransoms is unlikely to discourage the private sector from acquiescing to extortion demands,” Rick Holland, VP and CISO in the office of the CISO at Reliaquest, said via email. “Paying a ransom has risks, but at the end of the day, it is a business decision. When comparing a potential material business impact on the company versus paying a ransom to minimize or eliminate that impact, many leadership teams will elect to pay the ransom,” Holland said.
“While currently toothless, the declaration may nonetheless be a small, shuffling step in the direction of more restrictive rules around the payment of ransoms. And that could be a good thing,” Brett Callow, threat analyst at Emsisoft, said via email. “If governments really want to stop organizations paying ransoms, they’ll need to legislate,” Callow said. “Current counter-ransomware strategies are very clearly not working, so new ones are desperately needed.”
Cybersecurity Dive 11/06/2023