Many organizations have recently been targeted by ransomware hackers, who break into IT systems and encrypt them before demanding payment to restore access. Aside from the well-publicized attack on Colonial Pipeline, recent victims include one of the largest US meatpackers and the Irish health care network. Cyber pirates may have sabotaged my family's annual Martha's Vineyard holiday by attacking the Steamship Authority, which handles ferry transportation to the Island, and limiting access to its reservation systems.
In response to the mounting danger, an increasing number of observers have come to believe that the best approach to combat ransomware assaults would be to make paying the ransom illegal. Officials in the Biden administration have stated that the idea has potential.
Extortion is always, and in all places, wrong. But that doesn't imply it's never sensible to give in. Even the most upright citizen may succumb to a sufficient threat. Attempting to change this through laws amounts to criminalizing human nature.
Consider the following example. Assume a state legislature, fed up with the number of people being mugged on the street, passes legislation making it a crime to hand cash to a mugger. The act may lower the number of muggings, but only by placing the cost of this public benefit, fewer robberies, on the victims. Yet handing my money to a mugger who is pointing a pistol at my head is entirely sensible. Punishing me to reduce crime is an odd way for a free society to act.
However, complying with a ransomware demand may not be as sensible as it appears. Even for those who pay, the odds of recovering all of their data are slim. According to Sophos research from April 2021, the chance of getting all of the data back is 8%. (On average, 65% of the data was recovered.) To take one recent example, after Colonial Pipeline paid the DarkSide hackers $4.4 million in Bitcoin, the decryption tool it received was so slow and inadequate that the firm had to rebuild its network from scratch anyway.
Businesses, though, keep trying. According to the Sophos research, 32% of targeted companies eventually pay up. And the price is growing. According to February research from Palo Alto Networks, the average ransomware payment almost tripled between 2019 and 2020, rising from $115,123 to $312,493. (The average will rise again next year once the $4.4 million paid by Colonial Pipeline is factored in, even though more than half of that has since been recovered.)
Hijacking computer networks has grown into a lucrative business, and the danger is only going to get worse. The growth of cloud computing has created new exposures. Consider cryptocurrencies as well. According to a November 2020 study, the rising use of smart contracts implemented on the blockchain may make ransomware attacks increasingly viable, and extremely difficult to fight.
Given the increasing costs to businesses and consumers, not to mention the threats to national security, it's easy to see why regulators want to tighten the screws. But clamping down by going after the victims is only one of many terrible ways of addressing the problem. (Another awful proposal is to punish corporations that pay hackers who have been sanctioned by the federal government.)
A further foolish idea is to outlaw cryptocurrency, the preferred method of payment for digital extortionists worldwide. Once again, we would be pursuing a crime by penalizing the victim. To continue the earlier comparison, combating ransomware by prohibiting the use of Bitcoin and Ethereum would be like saying, "Okay, we won't make it illegal for you to hand your wallet to a mugger, but you're not permitted to carry cash. There will be even more muggings unless you pay the mugger with something the police can trace."
There are better alternatives. Better training, for example. Unlike in the movies, most ransomware attacks do not happen because a brilliant hacker breached the firewall from somewhere remote. They happen when an employee with legitimate access clicks on a fraudulent email or uses a weak password.