Australia's government is considering a ban on ransomware payments — do you think that could be effective? Why or why not?

4k views · 3 Upvotes · 24 Comments

Associate Vice President, Information Technology & CISO in Education, 1,001 - 5,000 employees
Kill the supply, kill the demand. If it's illegal to pay (not sure what the penalties would be), it'll surely make it less attractive for attackers to target any company in Australia.

On the other hand, the penalty may be worth it considering all factors.

C-Suite in Healthcare and Biotech, 10,001+ employees
This is a complicated question. Does the government have the authority to ban such things? Will banning payments create two 'criminals' instead of just one? Will the banning punish the victim...and the many peripheral victims who are impacted when a business is offline (or healthcare organization)?

These questions aside, paying the criminals does continue to bring more criminals to the feeding trough, so to speak. If you cut off the financial win, there is a good possibility it might impact those doing the attacks. However, I don't think that just Australia doing this will be enough of an impact. It would have to be an international stance. 

I do suspect that we are still a long way from where cybercrime will evolve into. If the ransomware payments go away, it will just result in a change in how the cyber criminals find ways to gain from the compromise.

Director of Information Security in Energy and Utilities, 1,001 - 5,000 employees
I agree that this is a complicated question. They have the authority to regulate how their government works, but I doubt that they can issue an executive order to ban ransomware payments without passing a law.

Regardless, I don't know if it is effective. It is a business decision and only the business owner knows the answer. Let's say it got banned. How do they stop international ransomware payment brokers from getting the encryption key on behalf of the business?

CISO in Software, 10,001+ employees
I agree that it is complicated, but I also agree that it is similar to terrorism payments. Do not pay terrorists; make it illegal to pay ransomware, and it will reduce this tactic significantly.

Director, Strategic Security Initiatives in Software, 10,001+ employees
It will be - as more visibility and ownership!

Director of Information Security in Telecommunication, 10,001+ employees
As many have already said, this is a very complicated question, with many - too many - factors involved.

In an ideal world, reducing the flow of money toward ransomware cybercriminals would subsequently reduce ransomware instances.

Unfortunately, the world we live in is not ideal and is much more complicated.

Globalization is one of the aspects that need to be taken into consideration when discussing this topic: global companies and local companies will keep competing in the Australian region, however, they will be regulated by different laws and requirements. Would you consider this to be fair?

Head of Information Security in Finance (non-banking), 1,001 - 5,000 employees
If there is a ban on ransomware payments, there will be a lot of terrorist action from hackers. Healthcare and government data, especially, will be the main targets. But just try.

VP of Information Security in Finance (non-banking), 201 - 500 employees
Not really effective against existing malware, but it could significantly impact the revenue of criminals going forward. The question will remain of how this could be applied in multi-national organizations with a presence in Australia.

CISO in Retail, 51 - 200 employees
Banning ransom payments to companies can certainly help the Australian economy to immunize itself against the rising and growing ransom phenomenon in the world. A problem is that the Australian government must create a financial grant or financial assistance for those companies that were affected by ransom and did not pay. Otherwise, the legislation will collapse private companies whose information was encrypted and were unable to retrieve it due to failure to pay the attacker.

CISO in Healthcare and Biotech, 2 - 10 employees
I do not believe a government ban would be either helpful or effective. While it might deflect some ransomware attacks in-country, it will not prevent all such attacks.

Even should the affected company pay the ransomware demand, half the time there is no decrypter supplied. Some common decrypters are offered by third parties, if the attack is broad enough to catch them or lame enough to uncover them. Damned if you do or damned if you don't pay the bad guys.

It is more effective to lay out strategies and options for companies to avoid getting impacted in the first place, working with cybersecurity companies on training, tools, and read-only data backups.
