Apparantly new legislative Push: Is the USA on the way to ban Ransomware Payments?

Following up on the OFAC & Fincen advisories of last year and strongly worded messages from President Biden towards especially Russia in June, the US Treasury Department is apparently preparing to sanction “financial exchanges that facilitate delivery of illicit digitalpayments to hackers (, ).

While these reports have not yet been officially confirmed, it appears that this is latest step in an escalating. This latest legislative push is comes in the wake

While this is certainly a step in the right direction, the many crypto exchanges in unregulated jurisdictions or possibilities of over the counter (OTC) transactions of crypto currencies for other assets (e.g. private bank wires or cash), are likely to dampen the effect of this measure. Afterall, while the ransom might be paid by US companies or its subsidiaries, there are no real impairments in moving the crypto currency around. It stands to reason that most of the ill-gotten gains of ransomware attacks are (or will be, once legislative measures take effect) transferred quickly outside of the reach of US law enforcement.

While there has been no indication of further steps, if the above measures do not yield the desired effect of a noticeable drop in ransomware attacks and facilitated payments, a complete prohibition of ransomware payments might be in the cards.

In the context of cyber insurance, there has been a long debate if ransomware payments itself should be insurable (see e.g. our article on AXA France refusing Ransomware Cover). From the perspective of insurance carriers, an outright banning of ransomware payments rather than just a prohibition of the insurance coverage, seems to be highly preferable. To illustrate the difficulties that not only ransomware causes cyber insurers, but also the problems with legislative actions combating it, consider the following cases:

1. Status Quo: Ransomware (payment of the ransom, as well as forensic and cyber security services are insurable) payments are insurable and for affected entities legal to pay

There is currently a ransomware epidemic that is likely to some extent fueled by the insurability of ransomware payments, as cyber criminals have the justified expectations that their ransom demands are more likely to be paid by an entity that has insurance coverage.

Worse, this is a classical game theoretical Signaling Game, where entities with insurance cover are actually incentivized not to disclose it to their share- and stakeholders. This clearly showcase the unsatisfactory Status Quo, as this situation is an obvious violation of the Revelation Principle, a necessary condition for a stable allocation in Economics.

2. The US bans insurance coverage for ransomware payments (but not forensic, cyber security services etc. to remedy the situation)

In this scenario, in case of a ransomware attack the insured party will receive help via the insurance company, but the payment itself will not be covered.

This situation would in practice likely introduce a massive perverse incentive for insurers to either:

  1. Make the payment on behalf of its clients still (as long as it is clearly cheaper than the necessary services to remedy the situation and the perceived likelihood of the extorters providing the decryption key is high enough)
  2. Induce the client to make the payment on its own behalf, likely as early as possible to save spending on forensics/cyber security.

Both these cases would in practice put the entire cyber insurance system into a dubious light that will likely turn off future customers, once the first reports surface of insurers either breaking the law (1) or putting pressure on clients in an emergency (2).

A possible solution for this would be to deny all assistance for ransomware attacks from the insurance coverage, i.e. no forensic or cyber security help in case of a ransomware attack. However, as this would basically gut the arguably most important coverage element of current policies, this would in turn put a question mark on the entire business of insuring cyber incidents.

3. The US bans all ransomware payments

In this scenario, the in 2) outlined perverse incentives disappear from the side of the insurance carrier, while for the insured the situation, at least in the immediate aftermath of such a legislative measure taking effect, is not unproblematic. While in the mid- and long term the ransomware activity should be diminished by the reduced possibilities to monetize the crime, many businesses will still be faced with a choice of either taking a hefty loss or breaking the law by making a ransomware payment.

Ransomware, no matter what lawmakers, insurance carriers, or the affected business will do next, is not going away anytime soon. It is of utmost importance that the general public, but especially lawmakers around the world realize the problem, possible solutions to it and the drawbacks that these solutions introduce, and how these drawbacks can be mitigated.

References

Reuters. 2021. “U.S. to Target Ransomware Payments in Cryptocurrency with Sanctions.” https://www.reuters.com/business/finance/us-target-ransomware-payments-cryptocurrency-with-sanctions-wsj-2021-09-17/ (September 20, 2021).
Washington Post. 2021. “U.S. Aims to Thwart Ransomware Attacks by Cracking down on Crypto Payments.” Washington Post. https://www.washingtonpost.com/business/2021/09/17/biden-sanctions-ransomware-crypto/ (September 20, 2021).

Daniel Kasper

Daniel Kasper is the principal of Cyber Economics.