States Prohibit Ransomware Payments

When you are hit with a ransomware attack, you typically have a few options. You can restore from backups (if you have backups). You can rebuild your network and all the devices on it. Or you can pay the ransom. Which of these tactics you decide to take is frequently dependent upon the cost of each one, including the potential reputational cost and legal costs associated with picking one option over another. It makes little sense to pay $2 million to rebuild your network in the face of a demand for a $5,000 ransom.

However, municipalities—including state and local governments, towns and villages, which are often victims of ransomware attacks—may no longer have the option of paying the ransom even where that makes logical and economic sense. Increasingly, state legislatures have made it illegal to use public funds to pay ransom in ransomware cases. This reflects an ideological view that, if everyone agrees not to pay ransom, ransomware attacks will subside because they are unlikely to be profitable for the ransomware threat actor. It reflects a form of the tragedy of the commons: If just one person agrees to pay a ransom, then everyone is at risk. But if nobody is permitted to pay a ransom, everyone is protected.

It’s not clear that there is any empirical evidence to support this theory, though. While ransomware threat actors tend to be logical and select their targets based on their likelihood of paying, ransomware threat actors are not a homogeneous group. Some intentionally target particular victims with specific types of ransomware in hopes of getting payment. Others engage in spray-and-pray, selecting targets of opportunity in the hopes that any of them might be willing to pay the ransom. Still others unleash ransomware on a network where it spreads from computer to computer and from system to system. In those cases, they may attack both state actors and commercial entities.

In addition, legislation is not only targeted at municipalities and states. Some proposed legislation and regulation also targets commercial entities, including banks, hospitals and other institutions, and prohibits them from paying the ransom as well. In addition, those states that prohibit paying a ransom directly also prohibit the paying of ransom indirectly. This means that insurance companies, forensics firms, accounting firms and others are similarly prohibited from paying a ransom. Indeed, the wording of some of these regulations is so broad that it might be interpreted as prohibiting commercial entities with government contracts from using funds they have received under those contracts to pay after a ransomware attack on their own infrastructure.

This is in addition to guidance by both the U.S. Department of the Treasury’s Office of Foreign Asset Control and the Financial Crimes Enforcement Network (FinCEN) advising companies that decide to pay a ransom that they may violate U.S. anti-money laundering and domestic and international sanctions by making such payments.

All in all, it makes the ransomware situation significantly more complicated. For example, if a municipality has commercial insurance against ransomware attacks and there is a ransomware incident in which the threat actor demands a small payment, the insurance company is now prohibited from making that payment to mitigate the harm or damage. Instead of paying the $5,000 ransom, the insurance company is now required by law to pay the $25 million cost of rebuilding the entire network. What we can expect to see is that insurance companies will cap their damages and losses at either the cost of the ransom demand or the cost of rebuilding—whichever is lower.

This also reflects the continued ideology among regulators and legislatures that punishing the victims of cybercrime is an effective deterrent. While the goal of increasing the security of all players is laudable, the end result is that companies that suffer data breaches, attacks, ransomware incidents or other forms of cybercrime run the risk of themselves being investigated and prosecuted. This is true whether the company had a reasonable information security program or did absolutely nothing to protect itself or defend against an attack. From a civil perspective, companies will be expected to have reasonable information security programs designed to prevent ransomware attacks, or, at a minimum, to be resilient and able to cheaply and effectively rebuild after a ransomware attack, since there may not be the option to pay the ransom.

On June 28, 2022, Florida Governor Ron DeSantis signed HB 7055, which, among other things, requires, effective July 1, 2022, that all state agencies report cybersecurity and ransomware incidents, and that every state employee receive substantive training in cybersecurity. All good things. However, Florida also joined the increasing number of states, beginning with North Carolina in April of this year, then Pennsylvania, Texas, Arizona (HB 2145) and New York, which have either banned—or which seek to ban—the paying of ransom in ransomware cases. The New York proposal not only prohibits government agencies from paying ransom but also prohibits businesses and health care entities in the Empire State from paying ransom. A proposed federal law, the Ransomware and Financial Stability Act of 2021, 117 H.R. 5936, would also prohibit any U.S. financial institution from making a ransomware payment in excess of $100,000 without authorization from the Treasury Department. Federal law also requires entities in the critical infrastructure sector to notify the government within 24 hours if they have made a ransomware payment.

In the short run, what this means—initially for municipalities and, ultimately, for everyone—is that they will be unable to perform genuine risk analysis: is it more cost-effective to pay the ransom, or to rebuild or restore data? Like the cities of Baltimore and Atlanta, they will be forced to pay millions or tens of millions of dollars in lost time and rebuilding costs even when the ransom demands are relatively small. It also means that, just as with data breaches, data theft and other cyberattacks, the government will dedicate resources not to catching criminals and preventing crimes, but to punishing the victims of those crimes for failing to take adequate steps to prevent the crimes from happening.

Paying ransom is always controversial. In a way, it provides an economic incentive for threat actors to continue to do what they are doing. It also provides economic support to the threat actors that they use to further other criminal activity. Finally, because of the nature of cryptocurrencies, we cannot know where the money is going after it is paid. Is it being used to finance additional cyberthreats? Is it being used to finance wars in Ukraine? Is it being used by terrorist organizations?

Most of these laws also prohibit not only the payment of funds for ransom, but also prohibit the indirect payment by insurance companies, forensics companies and others. Thus, these entities have to ensure that no state or municipal funds are being used in the payment of ransom.

The statutory language may also be broad enough to make it an offense for a covered entity to pay gray hat hackers, even as part of a bug bounty program. For example, the Florida statute’s definition of a “ransomware incident” is:

“… a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable a state agency’s, county’s, or municipality’s data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.”

So, if a gray hat hacker accesses a state agency’s data and demands a payment to provide information about how they were able to do this so that they can remediate the impact, the payment of this “fee” may now be prohibited under Florida law.

Insurance companies offering ransomware insurance may now include clauses indicating that they will reimburse the costs of the ransom demand or the costs of remediation or rebuilding—whichever is lower. For an entity that refuses to pay (or is prohibited from paying) ransom, the risk of loss falls on the state, not the insurer. Or, more accurately, on the taxpayers.

Nobody wants to pay ransom. If nobody paid ransom, the threat actors might—might—move on to a new form of attack. But foreclosing the option means that these victims of attacks have fewer options to respond to ransomware and extortionware attacks and run the risk of themselves being prosecuted for trying to fix a broken system.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.