Coming from a military intelligence background, focusing on the financing of terrorist groups, I saw the power of the dollar over bad actors. A dollar removed from their back pocket, or to that end, in the pocket of others, sometimes had more of an effect than a bomb or a bullet. If we can influence the battlefield, by reducing money flows and reducing the chance of our troops ending up in kinetic actions, then it is an obvious course of action to take.
This is the mentality I had when I first started applying my conventional military training to the cyber domain a decade ago. So, when leading voices like Ciaran Martin suggest that it is time to ban ransom payments to threat actors in the cyber domain, it is hard not to agree. There will always be arguments for and against it, but it is clear that the current approach is not working. And where we there have been efforts to stop public sector entities paying ransoms, or preventing payments to groups that are identified as terrorist entities or are on sanctions lists, we have also seen a reduction in these regions, sectors or entities being targeted.
Payments made to these groups are also likely to be used to fund additional nefarious or illicit crimes. There are also likely to help fund the economies that allow them to operate from so freely, and line the pockets of corrupt officials in states that wish to undermine our way of life.
Recent operations from the NCA and their international peers against the LockBit ransomware group were a great coup. Using the group’s own psychological and information operations against them was great to see and I take my hat off to them. With a combination of effective law enforcement actions and the lowering of the likelihood of earning money from being a bad actor, can have a real and tangible affect.
In the military, when we removed money from the back pockets of certain terrorists, we saw a direct reduction in their activities. Others would become more desperate, make mistakes, or make enough noise in their discontent that they made it easier for us to target them. This is the same principle.
Much like in some countries where banks are tasked with identifying and preventing extortion payments, crypto exchanges should also be prevented from handling payments linked to crimes such as ransomware, putting even more pressure on these actors. Although the regulation and supervision of these entities is a whole other discussion.
There are several arguments against banning ransom payments, but I do have one significant concern above all others. It is possible that it will shift threat actors’ attentions away from corporate entities and towards fraud-based activity targeting individuals. This level of capability in an actor being directed towards mass fraud scams of the public will ultimately shift the problem onto those who cannot afford it. This is why governments, telecommunications providers, infrastructure providers, service providers, domain and email providers must all do more to reduce the ability of threat actors to operate as freely as they do.
Banning ransom payments is a good and right step forward, but must be done at the same time as providing additional resources to law enforcement and intelligence agencies. Additional requirements also need to be put on the providers of systems and infrastructures used by these actors. In the UK we have a national cyber security strategy but it is not joined up enough to deal with this threat affectively. A ransomware task force with the remit to push change in multiple government departments, agencies, arm’s length bodies and law enforcement is needed to make the ban both effective and limit unintended consequences.
