May 13, 2021

Make paying a ransom illegal?

After watching the Colonial ransom attack, I wonder if passing a law making it illegal for a business to pay a ransom would stop such attacks in the US. If the profit motive is removed, such attacks would end (or switch countries). Your views?



It shouldn’t be illegal, but there should be a hefty fine for the compromise depending on the situation and severity.

Making it illegal could destroy a business or risk lives. Look at what happened when some hospitals were hit with this. Also, governments are not immune to this either; look at the cities that have been hit with ransomware.


It would just make victims not disclose.


This would not work. Imagine a hospital gets hit with ransomware and now they have to wait for the FBI and Homeland to come in and investigate. Their system could be down for days. This is the most direct example of how lives could be at risk, but it also applies to electric grids or nuclear plants.

The best thing the government can do is basically force companies and quasi-government companies to hire more security personnel through regulation and standard enforcement. Right now companies are looking at the average salary of an entire SOC and are saying “damn, this is more overhead than the accounting department. F that.” And then they just pray nothing happens to them.

The difference between the accounting department and the security department, though, is that if the accounting department messes up (under current regulations) the company gets hit with hefty fines and is open to liability. Right now in the security sector all we really have are standards people are SUPPOSED to follow in the US. All the regulation now only applies to the privacy of consumer data; nothing about crypto malware safeguards or how many times you need to have your network audited by a third party. Nothing.


It is already illegal to pay certain individuals and groups. I don’t think broadening the scope to include ransom sources not already listed would be a positive direction. It could actually hurt in that businesses may delay or fail to report attacks.


I think they would just search for a way around it -> like hitting you with ransomware, and then there would be the cyber security company/person that you have to pay because they already “cracked” the software and can decrypt your data, of course only if you hire and pay them… And in reality it’s the same person…


Imposing fines on a company for not having security in place makes as much sense as fining someone for not having health insurance. Unless the government is going to offer a standard security service to help these businesses, big and small, get up to par, I think that’s a very unfair solution.
