The recent UK Home Office proposal, designed to hinder and disrupt ransomware operations through several measures including a targeted ban on ransomware payments, has again brought the question of whether to pay a ransom demand into the public square. That question is a decades-long argument with ardent opinions on both sides.
Trustwave's subject matter experts took some time to discuss the proposal, its practicality, possible impact, and any unexpected consequences that may arise if the proposal is adopted.
But first…
Background on the UK Proposal
The proposal includes three main components:
- Targeted ban on ransom payments for critical national infrastructure (CNI) and the public sector: This would prohibit public sector organizations and CNI operators from paying ransoms, aiming to protect essential services and deter attacks on critical infrastructure.
- Ransomware payment prevention regime: Victims would be required to report their intention to pay a ransom to the government before making any payment. These reports would allow authorities to gather intelligence, support investigations, and potentially block payments that violate sanctions or terrorism financing laws.
- Mandatory incident reporting: Organizations would be required to report ransomware attacks to the government, regardless of whether they intend to pay a ransom, providing valuable data on the scope and nature of ransomware attacks and helping to inform future interventions and strategies.
The proposal is under public consultation until April 8, with the government seeking input from various stakeholders, including businesses, cybersecurity experts, and the public. The consultation will help refine the proposals and ensure they are effective and proportionate. Here's what our Trustwave SpiderLabs experts had to say:
- Shawn Kanady, Global Director of SpiderLabs Threat Hunt Team at Trustwave: This is an interesting move from the UK government and definitely one to watch closely. If they raise the barriers to ransomware payments and it proves effective, we could see ransomware operators shift their focus to countries without similar restrictions, making places like the US or others more appealing to attack.
- Damian Archer, VP, Consulting & Professional Services Americas at Trustwave: I don't think payment of ransomware is the right move in many situations (and I think ransomware brokerage services are a HUGE red flag when I see them in a portfolio), but there are always going to be exceptions.
However, like all cyber legislation, the devil tends to be in the details. How are they going to police this? What happens in a non-recoverable situation that is causing a threat to life in CNI? This regulation is probably designed to force organizations to make improvements in their ability to recover from attacks using more of a stick than a carrot.
- Karl Sigler, Senior Manager Security Research, Trustwave SpiderLabs: If companies are not motivated by the 'carrot' of improving their business through solid security practices, then there's always the 'stick' of legal fines and fees. This could influence the ecosystem, but ultimately, unless the C-suite truly understands the risks of paying ransoms, they won't take action until after they've been hit by an attack. And that's the cycle we've always been stuck in—getting the C-suite to grasp the real risks.
- Darren Van Booven, Lead Principal Security Consultant - Americas at Trustwave: Generally speaking, ransomware operators continue because people (or insurance companies) keep paying the ransom. In theory, I think the net effect of any prohibition like this will probably make ransomware operators target somebody else for an easier payday. It won't always work, but it's a net effect.
And to Damian's point, there should be provisions to make exceptions if there are life/safety implications at stake.
- Shawn: Damian and Darren make a great point. Another key question is how the UK will handle a major incident if a threat actor decides to test this policy, particularly in something as critical as the NHS. Will the government allow the hospital to fail, or will they permit the payment to be made? And how long will bureaucratic processes take to act?
- Karl: A few high-profile prosecutions under this law could certainly help shift the mindset, but without consistent enforcement, it risks becoming a toothless measure.
- Darren: When it comes to the proposed ransomware payment prevention regime, this is one of those concepts that sounds nice on paper, but it will never work in practice. Having seen many of these situations play out for real, the government is inherently too slow to make this a feasible idea. Usually, there is a tight deadline to pay the ransom, and I can't imagine any government organization able to take these requests and do the investigative work they're talking about before the clock countdown runs out.
Mandatory ransomware incident reporting is not an issue from my perspective provided there is a clear definition of an incident and requirements around the who/what/when/where/why/how of reporting in a secure manner. We've had mandatory incident reporting for years now for all parts of the US Federal government, Defense Industrial Base contractors, and some parts of CNI. I'm sure some organizations get breached and don't report it, but they jeopardize their ability to contract with USG if they ever get found out.
The US just started requiring it for publicly traded companies through the new SEC regulations that went into effect.
- Shawn: We'll have to wait and see if the overall policy is fully written into law and what impact it has. If it succeeds, we (the US) may eventually consider similar (anti-ransomware) measures. Ultimately, we need to hold certain institutions to higher security standards. The entry points for attackers are still too wide open, and there are many ways to reduce the ROI for cybercriminals.
While many governments have regulations regarding ransomware payments, and the general consensus from law enforcement is not to pay such demands, the Home Office proposal, if accepted, would be the broadest ban on payments. Trustwave will keep an eye on this proposal's progress and its potential impact.