The Biden administration is allegedly preparing to sanction financial exchanges that facilitate illicit digital payments to cybercriminals.

The sanctions could take effect as early as next week. According to the Wall Street Journal, the move is part of a broader administration strategy to curb ransomware attacks, which the Biden administration has clearly stated are a national security threat. In these attacks, cybercriminals deploy malware, encrypt the victim’s computers and demand ransoms in return for a key. The ransoms are often paid in cryptocurrency, virtual or digital money that takes the form of tokens or “coins,” secured by cryptography, making it nearly impossible to counterfeit and difficult to track.

With the sanctions, the Biden administration aims to disrupt cryptocurrency’s role in ransomware attacks, thus disrupting the flow of money to ransomware operations. After the ransomware attack on Colonial Pipeline, the administration launched an initiative to create a global coalition to target countries that harbor ransomware criminals. This new effort would build on this initiative, which launched back in May. 

In addition, the sanctions aim to disincentivize businesses from paying the ransoms. Paying does not guarantee the organization will get any of its data back, and it possibly encourages threat actors to continue to target more victims, offering an incentive for others to get involved in this illicit market.

Though the Biden administration has done more for cybersecurity awareness and guidance than we’ve seen to date, says Bill O’Neill, Vice President of Public Sector at ThycoticCentrify, a Washington D.C.-based provider of cloud identity security solutions, the notion of disincentivizing businesses from paying out a ransom to attackers will likely only end up backfiring and having an adverse effect economically.

O’Neill explains, “The average business folds to ransomware demands most often because they lack the proper knowledge, resources, and technology to gain control of the stolen data. Penalizing business owners for complying will only hurt them twofold while doing nothing to ultimately stop attacks from happening.”

If attackers can’t get their ransom, they’ll make their money on the black market with the data they stole, O’Neill notes. “Their victims, however, will be exponentially worse off and possibly open to additional attacks. The better approach would be to continue instituting policies and programs to raise awareness and educate businesses about the best ways to stay safe and deter attacks, as well as providing resources surrounding key technologies to implement to help further minimize risks. Additionally, critical infrastructure should heighten their cybersecurity policies to protect against ransomware, leveraging critical features such as Privileged Access Management (PAM) and Zero Trust and Identity as outlined in the Presidential Executive Order (EO) on Improving the nation’s cybersecurity posture.”

There is debate on both sides of the issue, says Chris Morales, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based digital IT and security operations company.

“On one hand, yes, focusing on the financials will always hurt crime. I like to believe most security experts agree the rise in ransomware is directly correlated to a decentralized and unregulated currency that enables a pseudonymous transaction to occur. So yes, I think limiting the payment hurts,” Morales explains. “On the other hand, if we limit a company’s ability to pay, then who actually suffers? Many companies are facing the risk of massive financial loss or no longer being in business. Paying for extortion is painful, and I do believe it is not the right option. But that is also a very idealistic view. My question is, if we enable this kind of rule, then great. Maybe it will work. But who suffers? What assistance will be offered to companies trapped in a bad situation that will impact all of us? Many of these attacks target the supply chain of goods directly affecting all of us.”

Morales says, “These policies need to include a contingency plan. You cannot just say no without an alternative option.”