UK Cyber Ransom Ban Risks Collapse of Essential Services (ft.com)
- Reference: 0180108189
- News link: https://news.slashdot.org/story/25/11/17/1631207/uk-cyber-ransom-ban-risks-collapse-of-essential-services
- Source link: https://www.ft.com/content/3dc82018-2d3a-444e-8400-07d4c27a7665
> The proposal, announced by the Home Office in July, is designed to deter cyber criminals by making it clear any attempt to blackmail regulated companies such as hospitals, airports and telecoms groups will not succeed. If enacted, the UK would be the first country to implement such a ban.
>
> But companies and cyber groups have told government officials that making paying ransoms illegal would remove a valuable tool in negotiations where highly sensitive data or essential services could be compromised, according to two people familiar with the matter. "An outright ban on payments sounds tough on crime, but in reality it could turn a solvable crisis into a catastrophic one," said Greg Palmer, a partner at law firm Linklaters.
[1] https://www.ft.com/content/3dc82018-2d3a-444e-8400-07d4c27a7665
Meh (Score:2)
If you ban it they'll just start hiring "negotiators" around the same value they were being ransomed for.
Re: (Score:3)
> If you ban it they'll just start hiring "negotiators" around the same value they were being ransomed for.
You don't need a negotiator if you're not allowed to pay a ransom. The negotiators are just there to help you get the lowest ransom payment.
Re: Meh (Score:2)
No no, they're paying the negotiators *not* the ransom obviously
Not going to make any actual difference (Score:4, Insightful)
In previous ransomware attacks against government computers, such as NHS England, NHS Scotland, British Library, various school trusts, and some local councils, they have not paid the ransom.
We do need to ban ransom payments from the private sector to make the business model of these gangs not work. There is no other way to do it.
Re: (Score:1)
None of it matters unless the threat actors believe there is no degree of pain too severe they could inflict that would make governments choose to pay.
These are at least in some cases foreign state sponsored actors - there is no reason to think, say, that when attacking hospital / public health administration, some number of people literally dying because care can't be managed is 'a problem' for them.
So all no ransom payment policies do unless they are truly absolute is make the threat actors so their are s
Re: (Score:2)
It's not cost effective or usually plausible to go after them once the data has already been encrypted. Important files are suddenly unreadable, and a popup says that you need to post a certain amount of money to a crypto exchange. There's intentionally nobody to contact, no person with a disguised voice on a telephone giving elaborate cash drop instructions.
Paying criminals off incentivizes more criminals to engage in criminal behavior. The cost of good security is much lower than the cost of having gove
Re: (Score:1)
bitcoins are highly trackable; most activities that can convert large sums of crypto to spendable cash are typically trackable. At least by nation state actors.
The norm right now and the way they get away is people say - "Oh Salt Typhoon, nothing more we can do than have the ambassador send a pointed but respectful letter" - is in China.
If instead we just had some human intelligent asset, kill some of those operators, things might actually change. They could also escalate of course, but then that is really j
The answer is simple (Score:2)
Treat ransomware attacks exactly the same as hardware failures or natural disasters
Have multiple layers of backup available
Re: (Score:2)
> Treat ransomware attacks exactly the same as hardware failures or natural disasters Have multiple layers of backup available
That's the best option for sure. Sometimes the problem isn't getting the data restored, it's that the ransomware group now has sensitive or personal data that would be a major issue if released to the public.
Re: (Score:3)
Game theory. They possess the data. Paying them not to release it doesn't guarantee they delete it but does incentivize them to come after you for more payments NOT to release it, like, rent seeking. Best not to pay and let it leak, financially. Mitigate all actionable intel first of course (account numbers, etc).
Re: (Score:2)
> Game theory. They possess the data. Paying them not to release it doesn't guarantee they delete it but does incentivize them to come after you for more payments NOT to release it, like, rent seeking. Best not to pay and let it leak, financially. Mitigate all actionable intel first of course (account numbers, etc).
Sort of. What's kind of silly is that the ransomware groups have to show some level of "honesty" when it comes to not releasing ransomed data. If a company pays the ransom, then the data is ransomed again by that group (or any other group claiming to have the same data), then future companies will not pay at all based on the reputation of the ransomware group not fulfilling their side.
I spoke to a ransomware negotiator a couple years ago that was former FBI. He said that most "professional" ransomware gr
Just make the penalty a fine (Score:3)
Make the fine for paying ransomware 3x any ransom paid. If a company is really set on paying the ransom, it will come with a much higher price, and use that money to fight cybercrime and protect infrastructure.
Re: (Score:2)
> Make the fine for paying ransomware 3x any ransom paid. If a company is really set on paying the ransom, it will come with a much higher price, and use that money to fight cybercrime and protect infrastructure.
You might want to consider how the incentives for the government work in that situation.
How will they tell ? (Score:1)
Given the UK's appalling NHS and public transport services, I suspect a cyber attack on them will pass unnoticed by the public.
Trivially easy to get around... (Score:3)
This is trivially easy to get around.
Company ABC has a "security is no ROI" stance. They get ransomwared. The CEO of ABC puts out a PR memo that "oh no, hackers can punch through any defenses, we are pretty much helpless, and nobody could have seen that RID 500 could have been the target of credential stuffing. That stuff is too technical for anyone." They hire XYZ company from offshore. They pay XYZ company the ransom + a consulting fee. XYZ pays the ransom, forwards the keys. Company ABC then says that they were able to use a third party that decrypted all their stuff and allowed them to function.
If later it is found that XYZ paid the ransom, perhaps via the fact that they did so via obvious blockchain transactions, as opposed to tumbling or moving to Monero and back to another BTC wallet, company ABC can just shrug, and claim plausible deniability, and how can they know? It isn't like a corporation would ever have execs go to jail or anything like that.
uh (Score:2)
If your essential service can be taken down by ransomware, you need a better backup and recovery strategy. If we get popped with ransomware we can nuke the system and have it rebuilt inside 5 min from either a snapshot, or a completely clean rebuild.
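The two posts above ("have multiple layers of backup available" and "nuke the system and rebuild from a snapshot") both assume you know, before the incident, which backup tier is still intact. Below is an added example, not code from the thread or any product it mentions, of a small restore-drill check: it takes a manifest of SHA-256 hashes captured before an incident, checks each backup tier against it, flags copies whose content changed (using a byte-entropy heuristic to distinguish an encrypted file from ordinary drift), and picks the first tier that can fully restore. The tier names, file contents and the simulated attack are all constructed inside a temporary directory.

```python
"""Restore-drill check for layered backups (added example, not from the thread).
Tier names, sample files and the simulated encryption are constructed here."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed sample data standing in for a service's important files.
FILES = {"ledger.csv": b"id,amount\n1,100\n2,250\n", "notes.txt": b"restore drill\n" * 4}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Hash every file in a directory; run this on a known-good state, before an incident."""
    return {p.name: sha256(p) for p in sorted(root.iterdir()) if p.is_file()}


def check_tier(tier: Path, manifest: dict) -> dict:
    """Per-file status of one backup tier against the pre-incident manifest."""
    status = {}
    for name, digest in manifest.items():
        p = tier / name
        if not p.exists():
            status[name] = "missing"
        elif sha256(p) == digest:
            status[name] = "ok"
        elif entropy(p.read_bytes()) > 7.0:
            status[name] = "tampered-high-entropy"  # looks encrypted, not merely edited
        else:
            status[name] = "tampered"
    return status


def first_restorable_tier(tiers: list, manifest: dict):
    """Tiers ordered fastest-to-slowest; return the first fully intact one, else None."""
    for name, path in tiers:
        if all(s == "ok" for s in check_tier(path, manifest).values()):
            return name
    return None


def run_drill() -> dict:
    """Build a primary plus three tiers, simulate ransomware that reaches the primary
    and a writable online mirror, then report which tier can restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tiers = {}
        for name in ("primary", "online-mirror", "snapshot", "offline"):
            d = root / name
            d.mkdir()
            for fname, content in FILES.items():
                (d / fname).write_bytes(content)
            tiers[name] = d
        manifest = build_manifest(tiers["primary"])  # captured before the incident
        # Simulated encryption: random bytes overwrite one file wherever the attacker could write.
        for name in ("primary", "online-mirror"):
            (tiers[name] / "ledger.csv").write_bytes(os.urandom(4096))
        ordered = [(n, tiers[n]) for n in ("online-mirror", "snapshot", "offline")]
        return {
            "mirror": check_tier(tiers["online-mirror"], manifest),
            "snapshot": check_tier(tiers["snapshot"], manifest),
            "restore_from": first_restorable_tier(ordered, manifest),
        }


if __name__ == "__main__":
    print(run_drill())
```

The point of ordering tiers fastest-to-slowest is that the online mirror is the one you would like to restore from, but it is also the one an attacker with write access can reach; the drill shows it failing while the read-only snapshot passes. In practice the manifest must itself live somewhere the attacker cannot modify, or the comparison proves nothing.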
Just don't computer (Score:2)
If you don't have a fallback to manual processes for your computerized systems you don't have a DR plan for when your systems are wiped out by a fire sharknado tsunami hurricane earthquake or when The Great Oops happens at us-east-1.
Who exactly gave this advice (Score:5, Insightful)
to the UK government? Sounds like the UK government is getting advice from the cybercriminals themselves, because the reality is that, once a cybergang successfully attacks an org, the outlook is really, really grim.
[1]https://www.halcyon.ai/blog/be... [halcyon.ai]
If you pay the ransom, there is an 8% chance that the attackers will a) keep their word and b) actually provide keys to fix the problem.
So, there's a 92% chance that you pay the ransom, your data is still compromised/destroyed and the criminals probably turn right around and attack you again next month, since you've already shown yourself to be a soft target. Oh, and they sell your stolen data to anyone with a checkbook simultaneously. Don't fool yourself that they'll keep any sort of promise.
Don't. Pay. The. Ransom.
[1] https://www.halcyon.ai/blog/beyond-ransoms-the-financial-impact-of-ransomware-attacks
Re: (Score:2)
This needs modding up. When I read the headline I was instantly suspicious of the motives of those giving such bad advice; it has a bad smell to it.
Re: (Score:1)
The 2025 Veeam report (your halcyon link cited the 2024 version) reinforces your point about the risk of being re-attacked: "among those that paid a ransom, 69% were attacked more than once"!
And it looks like that 92% you mentioned (from the 2021 report) is now perhaps more like 17%:
"Did your organization pay a ransom to recover its data?
17% Yes, but we still could not recover our data
47% Yes, and we were able to recover our data
2% No, and we could not recover our data
25% No, but we were able to recover our
Yeah you need to do both sides of an issue (Score:5, Insightful)
The policy is good but it needs to be coupled with efforts to incentivize and enforce these companies to comply with security protocols and proper backups and get them in a position where they won't get ransom-wared in the first place. You need a national IT security policy and you need to enforce it, very similar to restaurants and the health inspector.
That means spending some money and making some effort otherwise you are just shuffling the problem around. If you're serious it should be a no brainer to spend that money otherwise it's just more empty "tough on crime" policies that will go nowhere.
Re:Yeah you need to do both sides of an issue (Score:4)
I like to joke, and it's only partially a joke, that there are two kinds of computer systems. Serious ones and toys.
If it's a toy system then you can upgrade to the latest version, do whatever changes you want etc and if it breaks, well that's OK because it's just a toy.
If it's a serious system then you can upgrade to the latest version, do whatever changes you want etc and if it breaks, then that's also OK because you have a well funded, well designed, fully scrutinised and tested recovery policy and already tested all your changes in a properly representative system. Right. Right?
CNI would count as Serious++.
Of course I love it when people tell me that "No, no, no, this is critical but we have no funding and it's running on some old servers we found in a skip"
At that point I note that delegation can work upwards as well as down, especially when it comes to responsibility and accountability.
Re: (Score:3)
> this is critical but we have no funding
That one is the best, like what a statement to make unironically.
Re: (Score:2)
While an ounce of prevention is worth a pound of cure. There also needs to be a task force prepared to act in order to address incidents promptly, especially when it comes to systems that support government, finance and utilities; instead of waiting for bureaucracy to figure it out each time it happens.
Re: (Score:2)
Exactly, and I am sure someone made this analogy before me, but like the health inspector you as a business may at any time get a visit from the "IT Inspector" to check that you have proper backups and protocols in place. That requires competent people who understand these things and diligence. If it's important enough to make a law like the one being discussed then it's important enough to have enforcement agencies.