
Should State Governments Ban Ransomware Payments?

Given the surge of ransomware attacks and increasing costs of payments to unlock stolen data in 2024, some states have banned public ransomware payments. But experts are divided on whether it's the right move.

In 2021, North Carolina became the first state to prohibit public ransomware payments, even going so far as to ban negotiations with cyber criminals. It was a groundbreaking move. Florida followed suit in 2022, but its legislation took a less stringent approach, covering a narrower range of entities and omitting some of the stricter provisions found in North Carolina’s law.

North Carolina and Florida’s bans are the only ones that exist at the state level, but they have ignited a nationwide conversation about the best way to combat this pervasive cyber threat. Years later, experts still haven’t come to a unified conclusion about whether it’s the right approach.

The heart of the matter lies in a moral and fiscal dilemma: Should governments refuse to fund criminal enterprises, even when the alternative could mean crippling disruptions to essential services like hospitals, schools and public safety? What if the “high road” of refusing to pay ultimately costs taxpayers more in the long run, through service outages, recovery efforts and the potential for further attacks?

Law enforcement agencies like the FBI firmly advocate against paying ransoms, fearing it only emboldens cyber criminals. Yet, some organizations feel they have no choice but to pay.

Meredith Ward, deputy executive director of the National Association of State Chief Information Officers (NASCIO), acknowledges the complexity of the issue: “There is not an opposing view, but a couple of different viewpoints.” She emphasizes that NASCIO, as a national organization, does not take a formal position on whether agencies should ban payments, recognizing the diverse needs and circumstances of individual states. Ultimately, NASCIO believes states should decide whether payment bans are the right approach for them.

Is a nationwide ban or state bans on ransomware payments the answer? The jury is still out.

THE DATA DILEMMA: UNCLEAR IMPACT OF EXISTING BANS

When weighing the pros and cons of ransomware payment bans, a critical question emerges: Do they actually work?

North Carolina Chief Information Officer James Weaver said measuring success is hard to do with the current data available. While the state mandates that local governments report all significant cyber incidents, it’s difficult to isolate the effect of the ban from other factors influencing attack rates.

“The intent really is to take an option off the table,” Weaver said, emphasizing that agencies are now directed to focus immediately on recovery and remediation rather than engaging in negotiations with cyber criminals.

According to data from the North Carolina Attorney General’s Office, after a steady climb the number of ransomware attacks slightly fell from 2022 to 2023. However, attacks still numbered in the hundreds: There were 843 ransomware data breaches to both public- and private-sector entities in North Carolina in 2023.

Weaver said the ban on public ransomware payments “has not eliminated those types of attacks,” and added that there’s also a challenge to establishing a baseline to gauge the legislation’s true impact. “I can’t necessarily say it’s reduced anything.”

However, he is hoping that eventually the tide will shift in a measurable way.

“One would hope down the road, the fact that we will not pay ransomware events — that the funding stream that many of these nefarious actors are counting on is not present for them — might have some kind of outcome,” he said. But he acknowledged that some attacks are motivated by factors beyond financial gain, such as the desire to cause disruption or chase clout in what’s becoming a crowded field of hackers.

He feels the legislation would have a bigger punch if it was universal.

“If we collectively do that, eventually at the end of the day, it’s not going to be profitable for anybody to sit here and do ransomware attacks for money,” Weaver said. “Everybody’s got to contribute their part into this. If we could across the country get something along these lines, that would be fantastic.”

Bar graph showing total ransomware payments reported to the North Carolina Attorney General's office from 2020 to 2023

HIGH STAKES

The stakes of ransomware attacks are not just financial or operational; they can have devastating consequences for residents.

Attacks have crippled 911 call centers, thus delaying emergency response times. They’ve shut down power grids, leaving people without the resources they depend on to survive. The ripple effects of such attacks can be catastrophic, upending the lives of vulnerable residents.

“A ban sounds good, until it happens to you,” said Mark Weatherford, a senior fellow with the Center for Digital Government.* “Now, you’re staring down the barrel of a gun and have to make that decision.”

Weatherford argued that a universal ban might have been effective years ago, but the situation has grown too dire and criminals understand how much is at stake. He said a more impactful fix would be for the world, including countries like China and Russia, to attack crime by holding bad actors accountable.

“As a global community, we need to say, ‘We’re going to hunt you down, we’re going to knock on your door and we’re going to drag you out, kicking and screaming,’” he said. “We need to treat it like a capital offense, not just because people die, but there are serious implications to ransomware depending on the organization.”

PAYING THE PRICE, ONE WAY OR ANOTHER

In 2024, data is no longer just ones and zeros — it’s the lifeblood of modern government.

The financial fallout of a ransomware attack both now and for years to come can be astronomical if the data is never retrieved.

“We can say, ‘We didn’t pay,’ and then the public pays a different price,” said Alan Shark, executive director and CEO of Public Technology Institute (PTI). “To freeze the local government from serving citizens is really huge. You can see why there’s a pushback.”

The cost of rebuilding compromised systems isn’t the only consideration for agencies. They might also end up footing the bill for failing to protect stolen data.

“There’s an obligation, not written but implied, that the government has to do something,” Shark said. “That might mean credit monitoring for a year or two, [but] when you start thinking about thousands of citizens, if not millions, in some places that could be really expensive.”

Meanwhile, the sums criminals demand are also going up. The first ransomware attack, in 1989, was distributed on floppy disks and came with a demand of a couple hundred dollars to release the encrypted files. In today’s climate, data is king, so it’s not unheard of for a ransomware gang to ask for millions of dollars.

Adding to the complexity, there’s no guarantee that paying the ransom will result in the release of encrypted data. The rise of “ransomware as a service” has democratized cyber crime, allowing even novice hackers to launch sophisticated attacks.

Shark noted that while established ransomware gangs once adhered to a code of conduct, the influx of new players who can pay to play has eroded that trust.

A report from the intelligence unit at cybersecurity firm Sophos found more than a dozen ransomware varieties were advertised for purchase on online forums by potential hackers, with prices ranging from a modest $50 to $1,000 a month for a subscription.

Shark said that while in the past there was no evidence ransomware actors weren’t holding up their end of the bargain, aspiring lone wolf newbies — the market for those black market subscriptions — don’t always follow the same code of conduct.

“Anybody could be an overnight criminal,” Shark said. “What’s happening now in some cases is people are getting careless, the code is gone. There have been cases where somebody has paid and they have not gotten their files released.”

This new “blanket of uncertainty” makes the decision of whether to pay a ransom even more challenging, particularly for public agencies of all sizes. Shark concludes that a blanket ban on payments may be too simplistic an approach for the complex reality of ransomware.

“Having a law banning payment is well intentioned, but it’s too flawed to be taken seriously,” Shark said.

Line graph showing the national costs of ransomware attacks from 2019 to 2023

CYBER INSURANCE: A COMPLICATING FACTOR

Cybersecurity insurance, often kept under wraps by agencies for fear of attracting cyber criminals, adds another layer to the ransomware payment ban debate.

Obtaining cyber insurance coverage has gotten increasingly difficult, with many firms requiring robust security measures before issuing policies. Furthermore, insurance contracts often mandate immediate notification in the event of an attack, potentially influencing how agencies respond to ransomware demands.

According to North Carolina’s Weaver, the implementation of the payment ban has shifted interactions with insurance companies.

“There’s times when cyber insurance companies may want to have the ability to negotiate, and we’ll have to remind them that for the state of North Carolina, that is not an option,” Weaver said. “We tell them the focus has got to be on fixing.”

While controversial, cybersecurity insurance can play a role in mitigating the financial impact of ransomware attacks. Weatherford pointed out that insurance companies have been known to successfully negotiate lower ransom payments.

“Sometimes the bad guys feel better about negotiating with an insurance company because it’s business to business,” Weatherford said.

However, Shark questions the ethics of insurance companies paying ransoms on behalf of public agencies.

“It’s one thing for a local government to take money out of its own coffers,” he said, suggesting that using private insurance funds blurs the lines between public and private responsibility. “It’s no longer public money, it’s coming from the insurance — like car insurance.”

Shark feels that if insurance companies knew paying ransomware was off the table, it could have crippling effects to the cyber insurance market.

Despite the ongoing debate, NASCIO’s Ward notes she doesn’t anticipate any additional states enacting similar legislation this year, particularly with election season underway. However, she acknowledges the unpredictable nature of cybersecurity threats means that anything is possible.

“It only takes one high-profile incident,” Ward said. “You never know what’s going to motivate a state to introduce something and really go after it.”

The question of whether to ban ransomware payments continues to evolve — it’s not simply a matter of right or wrong. It’s a balancing act between competing priorities, a search for the least harmful path in a high-stakes game.

This story originally appeared in the September/October 2024 issue of Government Technology magazine.
Nikki Davidson is a data reporter for Government Technology. She’s covered government and technology news as a video, newspaper, magazine and digital journalist for media outlets across the country. She’s based in Monterey, Calif.