JACKSONVILLE, Fla. – A Jacksonville cybersecurity expert said a federal ban on paying ransoms with taxpayer money might deter some cyberattacks, but it could come with its own set of consequences.
RELATED: Leader of ransomware group that attacked Jacksonville Beach threatens more cybercrimes
The primary motive of cybercriminals is money, sometimes extorting millions of dollars. It’s something that ransomware thieves say is a powerful business model.
“The business works and always will work,” Lock Supp, leader of LockBit, said in a podcast.
It’s the reason why 40 countries in a United States-led alliance signed a pledge in 2023 never to pay ransom to cybercriminals to eliminate the hackers’ funding mechanism.
The international policy endorsement never transformed into actual law with the United States deciding against an outright ban on ransom payments.
States took action of their own.
In New York, a Senate bill establishes that no local or state taxpayer funds can be used to pay ransoms for ransomware attacks.
Pennsylvania and Texas are also introducing similar laws.
Another New York bill seeks to penalize any government, business, or healthcare entity $10,000 if it makes a ransomware payment.
Tyler Chancey of Scarlett Cybersecurity said an outright ban on extortion payment could have its own set of consequences and it wouldn’t stop the crime.
“What you could see happen is cyber criminals shift their tactics. The biggest attacks we’re seeing next to a ransomware attack would be what’s called a business email compromise...and this happened recently to a local county clerk,” Chancey said.
He referred to a cyberattack on the St. Johns County Clerk of Court in 2023. The cybercriminals changed a construction company’s banking within the clerk’s website.
Officials didn’t realize county funds were being paid directly to cybercriminals until over $1 million was transferred.
“These attacks compromise your email account and they sit there for weeks on end,” Chancey said. “They learn all your transactions, your business and they intercept payment information coming in and they change the information to someone to something else. So you think you paid your vendor, you paid your contractor, but in reality, you’ve just paid a threat actor, and it sometimes takes weeks to discover that money’s gone.”
The Biden administration only strongly encourages public and private entities not to pay the ransom. A spokesperson for the Department of Health and Human Services has said it has not officially taken a position on banning cyberpayments but instead is deferring to the National Security Council and FBI.