The Ministry of Justice and Security in the Netherlands is planning to develop a new legal context that will basically outlaw ransom payments, prohibiting both cybercrime insurers and victims from meeting the demands of crooks. This was reported by a news outlet that claims to have internal sources, so it’s not official yet, but a high-ranking official has confirmed that they’re investigating ways to reduce ransom payments. The problem lies in the fact that victims give hackers the incentive to continue to target crucial entities in the country by paying ransoms, thus feeding the same vicious cycle.
As expected, companies that experience regular cyberattack troubles and the insurers who are paid to support them have been critical of these plans. As they said, the political sentiment is understandable, but the government shouldn’t act on this overnight. Instead, every stakeholder should be called for discussions, and expert and public consultation rounds should be held. The insurers warn that companies could be put into greater danger by outlawing ransom payments or forced to experience catastrophic consequences.
For Chief Public Prosecutor Michael Zwinkels, the case is simple. If no Dutch company pays any ransom, criminals will simply stop attacking them. The payments keep the ecosystem going, says Zwinkels, and every payment is used for scaling up the infrastructure and resources used for the next attack, and so on. Giving victims a “cheaper way out of their troubles” is not sustainable, and everyone should instead focus on building up their security stance and also a better backup and restoration strategy.
In the Netherlands, roughly 50% of all ransomware victims end up paying the demanded ransom, either to get back to normal operational status quicker or to avoid negative publicity. However, paying the ransom doesn’t guarantee that the actor won’t eventually leak the stolen files, causing the same reputation damage that the victim paid to avoid in the first place. This makes a case for the credibility of these actors, who have earned a reputation for themselves.
On the matter of encryption, we see that in most cases, the keys provided by the actors to those who paid the ransom are working relatively well. Restoring from backups can take several weeks or even months, so half of all victimized firms prefer to just pay the amount and take the risk. It’s a complicated matter, and it remains to be seen if the government’s plans will remove any of the complications or if they will make the problem even more acute.