Survey and analysis of U.S. policies to address ransomware

Jenny Blessing*, Jules Drean*, and Sarah Radway*

Edited by Patrick Whartenby and Kevin McDermott

Article | Aug. 29 2022
DOI: 10.38105/spr.iyuyqypkzm
  • There are few existing regulations and standards governing ransomware at the federal and state levels.
  • Private sector self-regulation is insufficient, as organizations often lack the economic incentive and resources to maintain security standards recommended by federal agencies.
  • The proliferation of ransomware is heavily enabled by cryptocurrencies. Thus, any regulation of cryptocurrency exchanges or payments will have a substantial impact on ransomware spread.

Article Summary

Ransomware poses a critical threat to the U.S. economy and critical infrastructure. The frequency of attacks has increased dramatically in recent years, enabled by the growing prominence of cryptocurrencies, which provide an effective means of ransom payment. In this article, we review existing policies, players, and technologies involved in the ransomware ecosystem, discussing the potential efficacy of these policies and technologies in discouraging ransomware attacks.

First, we survey the economic and technical forces driving ransomware attacks, outlining measures institutions can take to protect themselves, and summarizing the financial and political factors that motivate companies’ decisions when faced with a ransomware attack. In the second half of the article, we systematize existing and pending U.S. regulatory proposals intended to mitigate the impact of ransomware, investigating: (1) blanket bans on ransomware payment, (2) mandatory reporting of ransomware incidents and payments, and (3) regulation of cryptocurrency exchange platforms. We examine the effectiveness of each of these policies as a means of preventing ransomware attacks, evaluating their impact on key players in the ransomware market.

Open Access
This MIT Science Policy Review article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit by/4.0/.

Jenny Blessing

Department of Computer Science and Technology, University of Cambridge

Jules Drean

Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology

Sarah Radway

Department of Computer Science, Fletcher School of Law and Diplomacy, Tufts University