Major ransomware attacks that have disrupted businesses and caused supply chain ripples in the US economy have led to renewed calls for making it illegal to pay a ransom to cybercriminals.
In June, a month after oil and gas transport network Colonial Pipeline and meat producer JBS USA paid massive ransoms of $4.4 million and $11 million, respectively, to recover from attacks, FBI Director Christopher Wray told public companies that they should not pay cybercriminals for the digital keys to decrypt their data. “In general, we would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back,” Wray said during a US Senate Committee on Appropriations hearing on June 23.
Some security experts are urging the government to go further and, despite the difficulties in enforcing such a law, make it illegal to pay ransoms to ransomware groups. Mike Hamilton, founder and chief information security officer at Critical Insight, a cybersecurity service provider, says that recent events have hardened his opinion and increased his support for such an option.
“I think that without public policy to (a) create a financial backstop as a reinsurer and (b) prohibit extortion payments for ransomware, we will continue to have our behinds handed to us,” he says. “We have to create a situation where the gangs cannot monetize victims in the United States. They are a business, and we have to let them know that we’re no longer their ideal victim profile.”
The idea is not new. In 2019, following ransomware attacks on town administration and local services in Texas, the US Conference of Mayors — which represents the top elected officials of every US town of more than 30,000 citizens — pledged to not pay ransoms to cybercriminals. In early 2020, the US Treasury Department weighed in, underscoring that companies that pay ransoms to sanctioned groups or organizations are violating the law.
And some security firms have pointed out that companies that pay ransoms are funding the next round of attacks.