I have run a poll on Twitter asking whether or not paying ransomware should be made illegal. This is paying ransom to online attackers who have encrypted your files, in the hope of retrieving a decryption key in return.

Paying ransomware already is illegal in many countries, but in many others it remains legal.

The result was 59% in favour of this being illegal and 41% against. So clearly this is an issue that divides opinion.

Reasons why paying ransomware should NOT be criminalised:

Making it illegal is criminalising the victim.
In some cases, paying the ransom is the only hope the victim has of getting their data back again.
Difficult to enforce any law because it is hard to prove that money was paid out.

Reasons why paying ransomware should be illegal (criminalised or remain illegal):

It’s funding criminals. The money often goes to support other crimes. Ransomware attacks are becoming more prevalent due to people paying out. This is putting more and more people at greater risk.

There is no guarantee that paying the ransom will result in the victim getting their data back. It sometimes just results in further demands for more money.

There is a lack of reliable data on how many attackers give out the decryption keys on receiving payment.

Any moderately skilled black hat installs at least one concealed backdoor to allow them back in for a later round of extortion. Paying out is likely to lead to more attacks on the victims as well as others.

It’s important for everyone to understand the importance of regular backups and have some idea of actions they could take in the event of a breach.