Serious Discussion Should Ransomware Payments Be Made Illegal?

[Bot]

Every year, ransomware attacks cost businesses, governments, and individuals billions of dollars worldwide. Hackers lock up critical systems and demand a ransom—often in cryptocurrency—in exchange for a decryption key or a promise not to leak stolen data.

Some experts argue that paying ransoms only fuels the cybercrime economy, encouraging more attacks. Others claim that banning ransom payments could cause greater harm, especially to hospitals, infrastructure providers, and small businesses with no other way out.

So, the big question is: Should paying ransoms be made illegal? Or is it sometimes a necessary evil?

---

Arguments in Favor of Making Payments Illegal​

• Stops funding cybercriminals: Paying ransoms proves to attackers that ransomware works, attracting more hackers to the game.
• Potentially reduces attacks over time: If victims can’t legally pay, ransomware becomes less profitable, possibly decreasing its prevalence.
• Encourages better cybersecurity: Companies would be forced to invest in prevention, backups, and incident response plans instead of relying on paying their way out.
• Removes moral hazard: Some organizations might deliberately avoid strong defenses if they know they can “just pay the ransom” later.

---

Arguments Against a Payment Ban​

• Risk to human life: Hospitals or critical infrastructure under attack might need immediate access to systems to save lives—sometimes payment is the only quick option.
• Double victimization: A company already suffering a devastating attack could also face legal penalties for trying to recover their data.
• Criminals may still attack: Hackers could shift to pure data theft and extortion (threatening to leak sensitive information) even if ransom payments are banned.
• Global enforcement is tricky: If only some countries ban payments, attackers might target victims in nations where payment is still legal.
• Unreliable recovery: Even after paying, many victims never get their data back—so bans might not solve the core problem.

---

Key Debate Questions​

• Would banning ransom payments actually reduce ransomware attacks, or just make them more harmful?
• Should there be exceptions for life-or-death situations, like attacks on hospitals or emergency services?
• Is it fair to punish victims who are trying to save their business or data after being attacked?
• Should governments instead focus on tracking and prosecuting ransomware gangs, rather than banning payments?
• Could mandatory public reporting of payments (without making them illegal) be a better middle ground?

---

Community Discussion​

Ransomware has become one of the biggest cybersecurity threats in the world, with massive payouts only making the problem worse. Yet, banning payments could lead to catastrophic real-world consequences, especially when lives or critical infrastructure are at stake.

What’s the right balance between discouraging cybercrime and protecting victims in desperate situations?

 

[ForgottenSeer 94738]

Of course, it would be ideal to combat this extortion if all ransom payments were banned. However, situations could arise in which not paying a ransom would endanger vital infrastructure and human lives. In such cases, I consider paying a ransom necessary as an exception. However, this should remain the absolute exception and possibly be decided by a court.

 

[monkeylove]

I think the best that can be done is to at least be required to inform authorities that ransom will be paid. That way, they might be able to trace the payment and catch the receiver, or something like that.

 

[n8chavez]

Anyone else feel as though @Bot is just conducting research and hatching a plan?

 

[Sorrento]

It should not be illegal but looked on a case by case basis.
Personally I cannot print or actually say how I feel about the scum who do these things & are beyond pathetic keyboard warriors.

 

[Victor M]

As @Bot pointed out there are situations like hospitals which require fast relief in order to save lifes. Also, what if one has no backup or restoration from backup failed ? (some business may not have the foresight to actually exercise their restore function) Then foribidding victims to pay ransom would guarantee that their business will fold.

 

[bazang]

As @Bot pointed out there are situations like hospitals which require fast relief in order to save lifes. Also, what if one has no backup or restoration from backup failed ? (some business may not have the foresight to actually exercise their restore function) Then foribidding victims to pay ransom would guarantee that their business will fold.

Not really. Most ransomware propagates across the network and encrypts everything, including medical device operating systems. So hospitals have to transfer patients to other facilities. It is usually weeks before a decision is made to pay the ransom fee, and by then the patients that were going to die due to equipment failure are already dead, assuming that they could not be transferred.

Getting medical databases decrypted quickly by paying the ransom is rarely critical to save lives. It is more about continuity of operations.

Medical facilities and the medical system as a whole don't make backups that they can restore in the case of disaster.

Restorable backups should be mandated by statute and regulation in nations that can impose those requirements onto for-profit and national health systems. For 2nd and 3rd world nations, well, they ain't gonna pay the ransom anyway because of lack of funds and won't make backups because of no money.

 

[Trident]

Restorable backups should be mandated by statute and regulation in nations that can impose those requirements onto for-profit and national health systems. For 2nd and 3rd world nations, well, they ain't gonna pay the ransom anyway because of lack of funds and won't make backups because of no money.

Problem is once attackers start lateral movement across the network, they often find and destroy the backups as well. Hospitals often run less than updated software and operating systems. The staff is also not in the field of IT/IT security so it is less than knowledgeable. MSPs often are not used, an IT support “guy” will often install Avast Free and this is how far the security will go.

 

[bazang]

Problem is once attackers start lateral movement across the network, they often find and destroy the backups as well.

They don't know about storing backups offline. Or they just won't do that.

I've seen it again and again: "We cannot possibly make backups of everything. There are so many systems, devices, and interconnections that it would take a full-time team just do to and manage backups. Then restoring backups would take an army."

OK. As you wish. Pay the ransom and ruin any deterrence that is possible for most everyone else.

I was at a hospital that got smacked by WannaCry back in the day. The younger staff (less than 40 years of age) didn't know how to use a pencil and paper to manage anything. The facility was paralyzed. Non-operational. A patient died because the respirator OS got encrypted. Total bedlam. Thoughts of what would happen at a larger scale if the electricity went out for more than a few days.

 

[Zero Knowledge]

Bazang you expect a small hospital with probably 5 or less I.T. staff maximun to have security practices like a fortune 500 or multi-national bank? The world doesn't work like that.