Making ransom payments to cybercriminals illegal is a necessary step towards a safer digital world, as Sweden faces increasingly sophisticated and aggressive cybercrime, writes Joakim Öhman, CEO and founder of Elastx.
Ransomware attacks, in which cybercriminals encrypt an organisation's data and demand payment to restore access, have become increasingly common. Today, many organisations choose to pay the ransom to avoid major operational disruptions. But is that a sustainable solution in the long run?
Over the past year, Sweden has been hit by a series of major ransomware attacks that have shaken both the public and private sectors. These attacks have resulted not only in significant financial losses but also in serious disruptions to critical societal functions. Against this backdrop, the question of whether ransom payments should be made illegal has become increasingly relevant.
A Vicious Cycle
By paying ransoms, we help finance a lucrative and rapidly growing criminal industry. Every payment is like pouring fuel on an already raging fire. When organisations demonstrate a willingness to pay, cybercriminals gain even stronger incentives to launch additional attacks. This creates a vicious cycle in which organisations are forced to choose between paying extortionists or risking the loss of critical data and valuable business secrets.
Prevention Is Better Than Cure
By making ransom payments illegal, we can break this cycle. Suddenly, ransomware attacks become far less profitable because the likelihood of organisations paying decreases significantly. If paying one's way out of a crisis is no longer an option, organisations will be compelled to take a more proactive approach to cybersecurity.
Benefits of banning ransom payments:
- Reduced incentives for cybercriminals: Removing the financial reward makes ransomware attacks less attractive.
- Greater focus on preventive measures: Organisations will be forced to invest more in cybersecurity and preventive measures to protect themselves.
- Increased resilience: By preparing for attacks and maintaining robust backup systems, organisations can minimise the damage even if they are compromised.
Tax-Deductible Ransoms – A Contradiction?
It is paradoxical that organisations paying extortion-like fees can deduct these expenses from their taxes. Allowing ransom payments to be tax-deductible undermines the very purpose of banning them. Public funds should not be used to finance criminal activity.
Making ransom payments non-deductible would send a clear signal that this behaviour is unacceptable. Financial transactions also leave an audit trail showing that a ransom has been paid, and auditors should arguably have a responsibility to identify and report such payments.
Security Is No Guarantee, but Recovery Is Essential
Even organisations that invest in the best available security solutions can still fall victim to cyberattacks. Cybercriminals continue to evolve, finding new ways to circumvent even the most advanced protection systems. That is why it is essential for every organisation to have a robust recovery plan capable of restoring systems and data if the worst should happen.
Objections and Solutions
Of course, some argue that a complete ban on ransom payments is unrealistic. It can also be difficult to trace and prove that an organisation has paid a ransom. There may be grounds for legal exceptions in situations where human lives or critical infrastructure are at stake. However, even in such cases, strict rules should govern how these payments are handled, and there should still be legal consequences.
In the long term, implementing such measures only in Sweden would not be enough. Similar regulations would ultimately be needed around the world. But Sweden has an opportunity to lead by example. The advantage of acting earlier and more decisively than others is that Sweden may become a less attractive target for cybercriminals.
Could a "Ransomware Tax" Be an Alternative?
One alternative would be to combine the removal of tax deductibility with the introduction of a ransomware tax. This would further encourage organisations to strengthen their cybersecurity efforts, as the financial consequences of an attack would increase substantially. It would also reduce organisations' ability to pay ransoms, resulting in less money flowing to criminals. Revenue from such a tax could be earmarked to support preventive cybersecurity initiatives and help organisations improve their resilience against attacks. The tax would need to be substantial—for example, five times the ransom amount—to achieve the desired effect and ensure that more resources are directed towards prevention than end up in the hands of cybercriminals.
Conclusion
Making ransom payments to cybercriminals illegal—or subjecting them to punitive taxation—is an important step towards a safer digital world. By reducing the financial incentives that drive cybercrime, we can decrease the number of attacks and encourage organisations to take a more proactive approach to cybersecurity.
It is time to say no to extortion and build a digital future where security and integrity are at the centre.
Joakim Öhman
CEO and Founder, Elastx