Federal Mandate Banning Payments Would Backfire
Having a federal mandate that prohibits businesses from paying ransoms would be a dogmatic and binary action that doesn’t consider the lack of good options for victims, according to Sophos CEO Kris Hagerman. A narrow U.S. government directive doesn’t reflect the dozens of different data points businesses should take into account when determining whether to pay a ransom, Hagerman said.
For instance, Hagerman said a hospital that’s had 10 life-supporting systems knocked offline during a ransomware attack might decide it’s worth paying the ransom. Organizations must consider how well-positioned they are to get their systems back online without a decryption key, as well as the likelihood of re-infection, and the private sector must get better at detecting and defending against ransomware.
Organizations hit with ransomware should report as many details of the incident as possible to law enforcement and government officials to prevent the hackers from compromising other companies in a similar manner, Hagerman said. Sharing more information quickly through proper channels will reduce fragmentation in the victim landscape and improve the quality and timeliness of the victim’s response.