Paying fortifies ransomware gangs but scant support for bans

The dilemma surrounding ransomware payments has left U.S. officials fumbling about how to respond to such demands

BOSTON -- If your business falls victim to ransomware and you want simple advice on whether to pay the criminals, don't expect much help from the U.S. government. The answer is apt to be: It depends. “It is the position of the U.S. government that we strongly discourage the payment of ransoms,” Eric Goldstein, a top cybersecurity official in the Department of Homeland Security, told a congressional hearing last week. But paying carries no penalties and refusing would be almost suicidal for many companies, especially the small and medium-sized. Too many are unprepared. The consequences could also be dire for the nation itself. Recent high-profile extortive attacks led to runs on East Coast gas stations and threatened meat supplies. The dilemma has left public officials fumbling about how to respond. In an initial step, bipartisan legislation in the works would mandate immediate federal reporting of ransomware attacks to assist response, help identify the authors and even recuperate ransoms, as the FBI did with most of the $4.4 million that Colonial Pipeline recently paid.