To pay or not to pay ransom: US Government worried about the implications of ransom payment

2024 is shaping up to be one of the worst years on record for ransomware attacks. The Office of the Director of National Intelligence (ODNI) had recorded over 2,300 ransomware incidents by mid-2024, and projections suggest that the total could surpass the 4,506 global attacks recorded in 2023.

Now, the U.S. government has come out to warn that paying ransom may be fueling the vice. In an opinion piece in the Financial Times, Ann Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, specifically warned against insurance policies reimbursing ransomware payments. Unfortunately, the decision to pay or not to pay ransom is not always as straightforward.

Why not to pay

Neuberger pointed out that by covering ransomware payments, insurance policies contribute to the problem. Criminals profit from ransom payments, making future attacks more likely. Cybersecurity expert Darren Williams of BlackFog echoes this sentiment, warning that “once sensitive data has been exfiltrated, it is gone forever.”

Even if a ransom is paid, there is no guarantee that hackers will uphold their end of the deal or that the data won’t be leaked later. The notorious ALPHV/BlackCat ransomware gang, for example, breached UnitedHealth Group’s subsidiary Change Healthcare in 2023. Despite a $22 million ransom payment, a second group, RansomHub, accessed the stolen data and demanded more money.

Moreover, paying a ransom can have legal implications. In the United States, the Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on ransomware groups, making it illegal for U.S. persons to pay ransom to designated entities. Failure to comply with these sanctions can result in severe penalties.

Why businesses pay anyway

Despite government advice and ethical concerns, paying ransom is sometimes viewed as the least damaging option. Organizations hit by ransomware face overwhelming pressure to restore operations, especially when downtime leads to steep financial losses or critical data is at stake.

One organization that learned this the hard way was Pennsylvania’s Lehigh Valley Health Network (LVHN). The organization refused to meet a $5 million ransom payment following a ransomware attack in 2023 that exposed the sensitive data of 134,000 patients, including nude images of breast cancer patients. The cybercriminals then leaked the data online and LVHN ended up settling a $65 million class action lawsuit from the data breach victims.

Similarly, National Public Data (NPD), a background check provider, was targeted in a massive attack in 2024. The company failed to disclose the breach or protect affected individuals, leading to multiple lawsuits and its parent company’s bankruptcy. Although it remains unclear whether NPD paid the ransom, the reputational and financial fallout from the breach was devastating.

Government response

The US government has put various measures in place that it hopes can help mitigate the ransom problem. For example, under new SEC reporting rules, companies must disclose ransomware payments, making them hesitant to pay due to potential shareholder backlash or reputational damage.

Similarly, the upcoming Cyber Incident Reporting for Critical Infrastructure Act, set to take effect in 2025, will require more businesses, especially in critical sectors, to disclose ransomware attacks and any payments, adding another layer of complexity.

Ultimately, the U.S. government aims to reduce the financial incentive for ransomware attacks by discouraging ransom payments. Whether or not this leads to more regulation of cyber insurance companies as proposed by Neuberger remains to be seen.