Digital Transactions Authoritative, insightful and timely information for payments professionals
Online attacks in which criminals seize control of victims’ data are rising, and government agencies are far from immune. That’s now leading states to consider laws prohibiting state agencies from paying ransoms to get the decryption key that would unlock what are often vital files.
North Carolina in May and Florida in July put into effect laws that ban payment of ransoms in such cases, and more states are expected to follow suit with their own versions of such bans, Bankinfosecurity reports.
In the case of North Carolina, the new law requires immediate reports of any ransomware attacks to state authorities. In addition to banning payments, it bars victimized state agencies from talking to the attackers. Florida’ law doesn’t bar such communication, according to the report. Pennsylvania’s senate in January passed a ban on state agencies paying ransom, and like bans are being debated in Arizona, New Jersey, New York, and Texas, the Bankinfosecurity report says, citing reporting by CPO Magazine.
States are starting to consider such laws in response to a rising tide of ransomware attacks, many of which victimize private organizations but also target government agencies, including school districts.
And such attacks have multiplied rapidly in recent years as online thieves shift tactics to exploit weaknesses in victims’ defenses, allowing the attackers to realize payoffs not from the outright sale of stolen data but from demanding ransom payments from the victims. The problem is global. Some 79% of cybersecurity professionals around the world reported in April that their organizations had been hit by a ransomware attack in the past 12 months.
Meanwhile, the fraction of all data breaches that involve a ransom demand has ballooned from less than 1% of all breach incidents in 2016 to 21% last year, according to data from Risk Based Security Inc.
With such attacks, online criminals encrypt data stored by victim companies or agencies and then demand payment to supply the decryption key. Once obtained, the key may or may not unlock the data. The average ransom payment across all businesses globally is about $170,000, according to the security firm Sophos.
