What is Old is New Again: Lessons in Anti-Ransom Policy

Posted: 28th February 2024
By: Sofia Lesmes and Allan Liska

Understanding Ransom Policy to Combat Ransomware

While ransomware as an online threat may be relatively new, the criminal incentives behind the use of force and ransoms are not. Kidnapping for ransom as a crime has been traced as far back as ancient Rome, giving researchers and policymakers precedent when investing resources into long-term anti-ransomware efforts, such as ongoing considerations to ban ransomware payments to gangs, purchasing insurance, and mandating victim organizations to report ransomware attacks and payments. Below, we examine two case studies to shed light on lessons learned from two countries with a recent history of widespread kidnapping for ransom: Italy and Colombia.

Human kidnapping and ransomware are different versions of the same criminal concept: financial gain through the use of force and urgency — in other words, “kidnapping explicitly links funding and force”. There are natural differences between holding humans hostage for ransom and holding information for ransom: A company’s assets will never have the same value as a human life. While this is an important distinction to make, it also means that experimenting with different solutions to counter ransomware is less risky than a live rescue operation.

However, kidnapping can also be more complex for criminals than using ransomware. Maintaining a kidnapping operation takes a significant amount of resources and time: Perpetrators need to allot time to plan and execute a kidnapping, then ensure that the hostages are kept alive for the possibility of an exchange and payment (which requires food, shelter, and other resources). All the while, the kidnappers must ensure that they do not leave any trails for law enforcement to follow. If kidnapping is not the central criminal activity for a criminal group (it rarely is), they also need to maintain their other criminal or terrorist activities throughout the kidnapping and negotiation process. These factors all weigh on the cost-benefit analysis of conducting kidnappings. Ransomware, in contrast, is often the central activity for gangs and has a lower barrier to entry than kidnapping, even if operations are still expensive to maintain. The rise of ransomware-as-a-service (RaaS) lowers this barrier even further and ensures a steady stream of profit for gangs.

Given the prevalence of the two crimes, different policy measures have been proposed to counter both kidnapping and ransomware to de-incentivize criminals. We evaluate the viability and success of such measures against precedent in an effort to understand which policy measures could assist in combating ransomware.

Option 1: Ban Ransom Payments

In theory, a lack of payments would effectively reduce ransomware groups’ incentives and, over time, cause attacks to plummet. A majority of ransomware threat actors are financially motivated, meaning that they attack victims with the sole interest of collecting a ransom payment from them. In recent years, such reasoning has led policymakers to propose bans on ransom payments to attackers.

To measure the potential of payment bans in practice, we will consider the effect that similar bans have had in the past in the context of human kidnapping. In 1991, Italy banned families from making payments to Italian organized crime groups (such as the mafia or the ‘Ndrangheta) in an effort to curb endemic kidnapping. The law went so far as to freeze families’ assets to prevent them from paying kidnappers. In practice, the law appeared to work, with legal officials claiming that ransom kidnapping cases fell. A paper written by Cristina Barbieri, Assistant Professor in the Department of Political and Social Sciences at the University of Pavia, and Vittorio Mete, Associate Professor in Political Sociology in the Department of Political and Social Sciences at the University of Florence, also suggests that such bans directly affected crime groups’ decisions to conduct fewer and fewer kidnappings. (That said, these decisions were also influenced by the more “convenient” option of turning to the drug trade instead.) On the other hand, ransom payments continued to be sent through illicit channels to free loved ones, and the government had no way of knowing how many ransoms were being paid. Affected families disparaged the ban, as claimed by a New York Times article, stating that the little they could do to bring their loved ones back was reduced to even less.

While it is often noted, as the New York Times does, that there were 691 reported kidnappings in Italy between 1969 and 1998, the data provided in Barbieri and Mete’s paper shows that reported kidnappings were already well in decline when the ban was implemented. The number of reported kidnappings appears to have peaked at 73 in 1977 and was at fewer than 10 in 1990, the year before the ban went into effect (the number jumped to 12 in 1991). Unfortunately, the data published in Barbieri and Mete’s article does not appear to be available anywhere else for corroboration. But, based on their data, the year after the law went into effect, the number of kidnappings dipped to 1990 levels before increasing again in 1993 and finally tapering off after 1994.

The point is not to discount the number of kidnapping victims — one kidnapping victim is too many — but the law was implemented at a time when kidnappings in Italy were already in steep decline. Is it possible that the law helped accelerate that decline? Maybe, but it is hard to determine based on the numbers available.

Colombia first banned payment of kidnapping ransoms in 1993, at the start of the peak of kidnappings by the FARC-EP, a Marxist guerilla group. The measure was struck down soon after by a high court, which argued that any ban impinged on victim families’ right to privacy. But this was not just a problem for Colombian families; the problem extended to multinational corporations with expat employees in Colombia. In 2011, the Colombian government threatened to restrict any multinational company found to pay ransom demands for kidnapped employees from conducting business. This followed the kidnapping of 23 employees of the Canadian energy company Talisman Energy after reports that the company had struck a deal with the rebels of around $2.6 million to release the employees.

Naturally, governments trying to avoid more kidnappings want to avoid “feeding” the incentive for groups to continue kidnapping people. Over time, a forceful ban on payment may decrease the amount of paid ransoms in some cases, but it has also meant that some of those who still pay ransoms simply refrain from reporting it. Instead, victims turn to private negotiators or security firms to get their loved ones back, seeing as they have less support from governments to recover their loved ones. Not only can this increase the problem’s severity for governments, but it can also reduce the visibility that they have into the problem.

In practice, some payments are already banned at the federal level when they concern the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions. However, these sanctions are more concerned with financial controls at the national level than with cybersecurity-based policy surrounding ransomware payments; as such, they are outside the scope of this evaluation.

Option 2: Ransom Insurance

Another proposed tool against both ransomware and kidnapping ransoms is purchasing insurance plans through private means. Clients purchase kidnapping insurance so that they can file a claim if they are kidnapped, and policies typically cover ransom payments, medical insurance, and loss of income related to the kidnapping. Ransomware insurance typically covers ransom payments, attack restoration costs, and lost income.

Kidnapping insurance is a protection that is consistently popular with individuals and organizations traveling to regions where "governments are weak and territory is disputed". These individuals and organizations are particularly keen on getting insurance, especially considering that kidnapping is, unfortunately, on the rise once again in Colombia.

Similarly, the inability of law enforcement to stem the tide of ransomware attacks, in part due to the recalcitrance of the Russian government in arresting ransomware groups, has driven the adoption of cyber insurance.

Experts from King’s College London and the Royal United Services Institute (RUSI) found that over time, the kidnapping insurance industry has shaped norms that decrease filed claims by protecting targets as well as de-incentivizing the use of physical violence. This approach has also been aided by crisis negotiation firms that handle ransom negotiations. On the other hand, these same experts found fewer positive effects from the ransomware insurance market, mostly given that this insurance market is still maturing. However, there is enough concern about cyber insurance interfering with reporting that a new proposed cybersecurity law in Massachusetts specifically mentions cybersecurity companies, stating: “This provision requires that cybersecurity insurers cannot place limits on the ability of the insured to notify the government of a cybersecurity incident or data breach.”

Some perceive that ransomware insurance will only worsen the problem of ransomware, as threat actors may target insured victims knowing that they have the funds to pay a ransom. Some ransomware groups have even claimed that they specifically look for victims who have cyber insurance (though one should always be skeptical of any claims from ransomware groups). An article by Kyle Logue and Adam Shniderman at the University of Michigan argues that this is not always true, however, especially when insurers also harden their clients’ defenses to reduce their cyber risk, a process that is also used in the kidnapping insurance market. They also posit that governments could regulate the ransomware insurance market to reduce criminal incentives (by banning ransom payment payouts but covering all other costs, for instance). Additionally, insurance companies can use data to gain insight into the security posture of their prospective clients and help assess their risk level.

On the whole, the ransomware insurance market is still developing when compared to the established kidnapping ransom market. It is principally an option for companies who are willing to implement an insurance company’s security standards to transfer, rather than solely accepting or mitigating, the risk of a ransomware attack.

Option 3: Mandate Reporting of Ransom Payments

In what is perhaps a middle ground between freezing the bank accounts of victims to prevent them from paying ransom and using private insurance solutions, a third option lies in requiring attacked entities to report attacks, regardless of whether or not they paid ransom amounts. Currently, we rely on a slew of different sources to cross-check the state of the ransomware environment. These sources include state-based filings (like New York), regulatory filings (like the new rule from the US Securities and Exchange Commission [SEC] mandating cyberattack reports), and ransomware groups’ dark web extortion sites, among others. Put together, these ultimately produce a clear picture of the true state of ransomware. In the United Kingdom (UK), companies report incidents at the national level through a dedicated portal (whose information is not available to the public). There is no single data source to assess who is being attacked, which group is attacking, and whether or not the victim paid ransom amounts.

One option to remediate this is mandating the reporting of ransomware attacks and submitted payments. For example, the US Department of Health and Human Services (HHS) mandates that healthcare companies report breaches in certain circumstances and makes a redacted version of that data available to anyone. Because of this policy, there is more insight into healthcare breaches in the United States than in any other sector. It is far from perfect, but it could serve as a good model to build upon. While mandating reports of ransomware attacks and ransom payments would not be enough to stop the issue, it could create a higher degree of visibility into the problem. Such was the case during Colombia’s peace process following negotiations with guerilla groups. A key job of the council assembled to see the process through (abbreviated as the JEP) has been to investigate kidnappings. Using several streams of reporting, the JEP was able to identify a total of 21,000 kidnapping victims between 1993 and 2012 in an effort to reunite families. This detailed reporting also helped the council pick out motivating trends and patterns behind the kidnappings, including “to finance the guerilla organization, to exchange kidnapped victims for captured FARC-EP combatants, and to acquire territorial control”.

Outlook: What Would Really Stop Ransomware Attacks?

How to stop ransomware attacks is a question that stakeholders in and out of the cybersecurity realm alike ask themselves when faced with daily reports of ransomware and data extortion victims. We have examined some of the major policy proposals to curb the activity of ransomware and identified that these are predominantly focused on curbing one factor: ransom payments themselves. While there is currently no single solution to prevent all ransomware attacks simultaneously, the incentive to conduct the crime is based on a cost-benefit analysis that, if disrupted, could translate to fewer attacks from ransomware groups over time.

In short, if ransomware stops being financially lucrative when compared to the costs of maintaining ransomware operations, threat actors (those who run ransomware operations for profit) would very likely begin to lose interest in launching attacks and turn to other options. Because ransomware groups tend to be financially motivated, they normally target victims opportunistically to extort ransom payments from them. If their cost-benefit analysis were to fail, they would be less likely to continue maintaining the complex setup needed to extort payments from victims.

Part of this cost-benefit analysis is attention from law enforcement, a factor that is also true for human kidnappers. In Italy in the early 1970s, the Sicilian mafia decided to ban its members from conducting kidnappings. A leading mafia boss, Tommaso Buscetta, stated that this prohibition stemmed from wanting to avoid attracting the attention of law enforcement to Sicily as a result of kidnapping, even if it meant that it would give the mafia less territorial control (in nearby regions, other groups had used kidnapping to strengthen their criminal networks and increasingly challenge state authority).

In April 2023, US Deputy Attorney General Monaco described a “pivot” in US law enforcement’s strategy against cybercrime. Rather than relying on lengthy investigations to allow for the arrest of criminals (even though these investigations are still conducted), law enforcement is opting to disrupt big-name criminal operations directly to prevent illicit payments. This activity is part of the US government’s broader strategy to make ransomware "no longer profitable" — a strategy no better embodied than by the recent takedown of LockBit’s public extortion and backend infrastructure by an international law enforcement coalition led by the UK’s National Crime Agency. Attention from law enforcement is thus another factor that increasingly imposes costs on ransomware groups, even if less directly than banning their payments.

At its core, ransomware is a criminal justice issue rather than a uniquely technical or cybersecurity one. This means that ransomware will continue to be a constant in the cyber threat ecosystem. On the other hand, "stopping" ransomware means increasing the costs in the cost-benefit calculation of ransomware threat actors.