Survey and analysis of U.S. policies to address ransomware

Ransomware poses a critical threat to the U.S. economy
and critical infrastructure. The frequency of attacks has
increased dramatically in recent years, enabled by the
growing prominence of cryptocurrencies, which provide an
effective means of ransom payment. In this article, we review
existing policies, players, and technologies involved in the
ransomware ecosystem, discussing the potential efficacy of
these policies and technologies in discouraging ransomware
attacks.
First, we survey the economic and technical forces
driving ransomware attacks, outlining measures institutions
can take to protect themselves, and summarizing the
financial and political factors that motivate companies’
decisions when faced with a ransomware attack. In the
second half of the article, we systematize existing and
pending U.S. regulatory proposals intended to mitigate
the impact of ransomware, investigating: (1) blanket bans
on ransomware payment, (2) mandatory reporting of
ransomware incidents and payments, and (3) regulation
of cryptocurrency exchange platforms. We examine the
effectiveness of each of these policies as a means of
preventing ransomware attacks, evaluating their impact on
key players in the ransomware market.

Ransomware attacks are on the rise and show no signs of abating. Referred to as the "digital pandemic" of 2021 [1], ransomware has evolved into a thriving industry capable of threatening even the most sophisticated organizations [2]. In 2021 alone, 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Food and Agriculture, and Emergency Services sectors, were targeted by ransomware attacks [3]. Qualitatively, ransomware incidents have had widespread impact on critical services and infrastructure in the United States and abroad. Hospitals, schools, local governments, transportation, and energy companies have all been targeted, often with disastrous effects [4,5].
Ransomware's growing popularity is primarily due to how lucrative these attacks can be for cybercriminals. The collective value of ransomware payments totaled at least $400 million globally in 2020, an increase of over 300% from the amount paid in 2019 [4,6]. This number is estimated to be over $600 million for 2021, and will likely only continue to increase absent any regulatory changes [7].
However, for victims of attacks, direct financial loss is only one of several potential consequences. For businesses, loss of consumer confidence, compromised data, and general disruption to operations are possible in the aftermath of an attack, all of which directly or indirectly impact ordinary civilians. For example, in May 2021 the Colonial Pipeline Company was forced to shut down operations in response to a ransomware attack, disrupting the energy supply of much of the East Coast and leading to panic buying and widespread fuel shortages [8].
Both the public and private sectors have taken action in response to the increased frequency and severity of ransomware attacks. In this article, we summarize the technical and economic factors contributing to the rise of ransomware, and argue that even if institutions do everything 'by the book', technical solutions alone cannot prevent all ransomware attacks. We first discuss the emergence of modern ransomware, focusing on the role of cryptocurrencies and cyber-insurance. We then discuss the technical means for mitigating ransomware and their weaknesses, followed by a discussion on current policy proposals concerning ransomware, detailing the pros and cons for each policy. We then conclude with a number of key takeaways and considerations for policymakers.

The modern ransomware ecosystem
As defined by the U.S. Federal Bureau of Investigation (FBI), ransomware is a "type of malicious software, or malware, that prevents a victim from accessing their computer files, systems, or network infrastructure" [9]. Once a victim has been locked out, attackers demand financial payment in exchange for recovery of systems or data.
Ransomware has evolved dramatically since it was first distributed via floppy disk in 1989 [10]. Early versions embedded the secret key, the random string used for both encryption and decryption, in the malware itself, so victims could extract the key and recover their files. The late 2000s saw the emergence of modern ransomware as attackers began to use more sophisticated cryptographic techniques [11], typically hybrid encryption: files are encrypted under a randomly generated symmetric key, and that key is in turn encrypted under a public key whose private half only the attacker holds. In the 2017 WannaCry attack, for example, the private key needed to unwrap the file keys never exists on the victim's machine, so it cannot be recovered from disk or memory by classic forensic techniques [12]. Such measures give the attacker a much stronger guarantee that victims cannot recover their data without assistance.
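The following script is an added example, not code from this article and not WannaCry's implementation, that models why the victim's disk image holds nothing a forensic examiner can use. WannaCry used RSA-2048 and AES-128 with a per-victim RSA key pair in between; here that is collapsed to a single wrap, the RSA modulus is built from two published Mersenne primes (so the key pair is trivially factorable), and the file cipher is an HMAC-SHA256 counter-mode stream. All of that is deliberately toy and insecure so the script runs on the Python standard library alone; the file contents are constructed.

```python
"""Toy model of ransomware hybrid key management.  Added example, not the
article's code and not WannaCry's: the asymmetric and symmetric layers are
stand-ins chosen to need no third-party library.  Do not reuse for anything
real; the "RSA" key here is factorable in a second."""
import hashlib
import hmac
import os

# Attacker side.  Published Mersenne primes stand in for the fresh
# RSA-2048 primes a real campaign would generate.
P = (1 << 521) - 1
Q = (1 << 607) - 1
E = 65537


def attacker_keygen():
    """Run once, offline.  Only (n, e) is ever compiled into the malware."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || block counter).
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def infect(files: dict, pubkey) -> dict:
    """Victim side.  Returns exactly what a forensic image would contain
    afterwards: ciphertexts plus the file key wrapped under the attacker's
    public key.  The plaintext file key exists only transiently in RAM."""
    n, e = pubkey
    file_key = os.urandom(32)
    encrypted = {}
    for name, data in files.items():
        nonce = os.urandom(16)
        encrypted[name] = nonce + _keystream_xor(file_key, nonce, data)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)  # textbook RSA wrap
    del file_key                                              # "wiped"
    return {"files": encrypted, "wrapped_key": wrapped_key}


def decrypt(artifacts: dict, privkey):
    """Attacker side, i.e. what the victim is paying for.  With a wrong d the
    unwrap yields a random element of Z_n instead of a 32-byte key, so the
    function reports failure rather than emitting garbage plaintext."""
    n, d = privkey
    m = pow(artifacts["wrapped_key"], d, n)
    if m >= 1 << 256:
        return None
    file_key = m.to_bytes(32, "big")
    return {name: _keystream_xor(file_key, blob[:16], blob[16:])
            for name, blob in artifacts["files"].items()}


if __name__ == "__main__":
    pub, priv = attacker_keygen()
    victim_files = {"q3.csv": b"revenue,cost\n10,7\n", "notes.txt": b"hello"}  # constructed
    image = infect(victim_files, pub)
    print("on disk for notes.txt:", image["files"]["notes.txt"].hex())
    print("wrapped key size (bits):", image["wrapped_key"].bit_length())
    print("attacker can decrypt:", decrypt(image, priv) == victim_files)
```

Searching the image for a 32-byte key finds nothing: the only key material on disk is an RSA ciphertext of roughly 1128 bits, and turning it back into the file key requires d, which was never transmitted to the victim.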
In addition, it has become more common for ransomware attacks to be carried out by diverse entities, particularly by non-technical actors who purchase malware from others, commonly referred to as Ransomware-as-a-Service (RaaS) [13]. Certain groups specialize in the ransomware development process, hiring programmers, reverse engineers, and other technically skilled workers. They then rent their services and ransom software to affiliates, usually groups with lower technical expertise, for a share of the ransom, typically around 20-25% [14]. As a result, it has never been easier for technically unsophisticated individuals to deploy ransomware.
The primary reason behind the recent rise in both the number of attacks and their effectiveness, however, is innovations in payment methods. Namely, cryptocurrencies have shifted the dynamics of the ransomware ecosystem.

Ransomware in the age of cryptocurrency
The rise of ransomware is inextricably linked to the rise of cryptocurrencies, which provide a reliable, largely unregulated, and pseudonymous ransom payment channel and have quickly become the mechanism of choice for perpetrators [15]. Like any other industry, cybercrime is heavily shaped by underlying economic factors: without a clear revenue stream, attackers will not expend the resources to find and exploit a vulnerability.
Prior to the widespread emergence of Bitcoin and other cryptocurrencies, ransomware payments had to be made through standard banking channels which were both (1) feasible for law enforcement to trace through traditional legal methods and (2) governed by a variety of anti-money laundering and other security regulations. Financial extortionists quickly realized they could not rely on centralized, traditional payment systems like Visa or MasterCard as these entities could not only identify the attacker with relative ease but would also react to illegal activity by shutting down the payment channel used and, at times, forcibly reverting payments [16]. As a result, extortionists switched to more lenient payment systems like gift cards or premium-rate phone numbers [11]. While more reliable and effective in preserving the anonymity of the culprit, these new platforms inherently limited the amount of money that could be obtained from the victim.
Cryptocurrencies, in contrast, are largely unregulated and provide a reliable path to profitability by enabling perpetrators to demand extremely large ransoms, well beyond the transaction limits of gift cards [6]. This motivated cybercriminals to move from targeting individuals to targeting organizations, which have the financial resources and motivation to pay large ransoms [16]- [18].
In addition, cryptocurrencies are pseudonymous. While most cryptocurrency transactions are publicly viewable by anyone (in contrast to traditional banking systems), the real-world identities of the payment sender and recipient are masked, and there are a variety of technical mechanisms that can obfuscate a payment trail from one user to another (see Figure 1). In the case of ransomware, this means that the identities of perpetrators can be hard to pinpoint. Furthermore, U.S. residents are free to use cryptocurrency exchange platforms located in other countries or jurisdictions, making it challenging to apply U.S. mandates such as suspicious activity reporting or payment bans. However, as discussed later, law enforcement has been able to trace and even recover payments in certain high-profile cases.
Taken together, with the introduction of cryptocurrency as a payment mechanism, the economic incentives of various actors converged: cybercriminals were given a payment channel by which they could receive much larger ransoms in a reliable manner, while the newly-targeted companies had a comparatively easy-to-use mechanism to pay the ransoms. Cryptocurrencies shifted ransomware from low-revenue, consumer-oriented attacks to a more enterprise-focused model with substantially higher revenues.

The emergence of cyber-insurance
The economic incentives for companies to pay ransoms have been amplified by the rapid adoption of cyber-insurance, where thousands of dollars of ransom can be covered for a reduced deductible of as little as $10,000 [19]. If it is cheaper to pay the ransom than to try to restore a system, this cost-benefit analysis will drive the insurance company's recommendations or actions [20]. Thus, by setting ransoms to be less expensive than the estimated cost of fully restoring the system, attackers vastly increase their chances of receiving payment. While companies can decrease potential costs by maintaining frequent storage backups, in some cases the ransom will still be the cheaper and less complicated option.
Organizations frequently rely on cyber-insurance policies to finance the cost of recovery and/or ransom payments [21]. As the frequency and severity of ransomware and other cyberattacks have increased, insurers are charging higher premiums and sometimes even asking to see evidence of strong security practices and baseline network defenses. Some insurers have even gone as far as hiring outside firms with technical security expertise to vet potential clients' security practices [21].

Technical approaches to ransomware mitigation
As the capabilities and frequency of ransomware attacks increase, there are extensive and evolving best practices and industry standards that organizations can take to lessen the likelihood or impact of a ransomware attack [22,23]. We outline technical strategies surrounding ransomware incidents, examining (1) how organizations can prevent attacks, (2) how organizations can detect attacks, and (3) how organizations can recover from attacks. We examine the roles of both system administrators and system users.
Preventative measures: Preventative methods of mitigating ransomware attacks involve creating infrastructure and systems that are more resilient to attack.
System administrators play a large role in ransomware attack prevention [24]. When making network design choices, administrators can segment the network to contain damage, limiting the flow of traffic between systems so that an infection does not propagate easily. When maintaining networks, system administrators should deploy firewalls and monitor and address known hardware and software vulnerabilities in their systems. In particular, it is critical that administrators ensure that software updates, i.e., patches, are applied regularly, so that systems are not left open to attack through known vulnerabilities.
One of the most important technical mitigation techniques is to create frequent backups of important systems and data. In the event system access is lost as part of a ransomware attack, administrators can retrieve the backup copies and recover most, if not all, compromised data [25].
System administrators can further focus on reducing security threats related to human factors, which have been shown to be both damaging and preventable [26]. By creating user-centered systems and training personnel on everyday threats like phishing emails [25,26], companies can lower the likelihood of attacks. They may also go a step further and mandate organization-wide security policies such as the use of endpoint protection software, multi-factor authentication, or a password manager with strong security features.
Detection measures: Alternatively, detection methods allow system administrators to recognize potentially malicious system access mid-attack. Administrators can monitor and investigate anomalies in network activity to detect and block traffic resembling potential ransomware attacks or traffic from known malicious IP addresses or applications [25].
Academic researchers have also proposed defense methods with the potential to defeat common ransomware attacks [27]- [30]. For example, Mehnaz et al. [30] proposed a system that monitors file system activity in order to detect encryption by a malicious program. Their tool is able to distinguish normal user activity from the execution of malware, making it possible to stop the attack at a very early stage.
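The script below is an added example in the spirit of the file-system monitors just described; it is not the code of Mehnaz et al. or of any published tool. It scores each process by the I/O pattern ransomware produces (read a file, overwrite it with high-entropy bytes, rename it to a new extension) rather than by entropy alone, because archivers and encrypted backups also write high-entropy data. The event stream is constructed in memory to stand in for a file-system audit log; the thresholds are assumptions, not values from the paper.

```python
"""Toy ransomware-behaviour detector over a per-process file I/O stream.
Added example, not the cited paper's code.  Events and thresholds are
constructed for illustration."""
import math
import os
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5   # bits/byte: text is ~4-5, ciphertext and archives ~8
MIN_OVERWRITES = 5        # read-then-high-entropy-overwrite events per process
MIN_RENAMES = 3           # extension-changing renames per process


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_processes(events):
    """events: iterable of dicts with keys pid, op ('read'|'write'|'rename'),
    path, and data (for write) or new_path (for rename).  Returns per-pid
    counters plus a boolean verdict."""
    stats = defaultdict(lambda: {"read_paths": set(), "high_entropy_writes": 0,
                                 "overwrite_after_read": 0, "ext_renames": 0})
    for ev in events:
        s = stats[ev["pid"]]
        if ev["op"] == "read":
            s["read_paths"].add(ev["path"])
        elif ev["op"] == "write":
            if shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
                s["high_entropy_writes"] += 1
                if ev["path"] in s["read_paths"]:
                    s["overwrite_after_read"] += 1
        elif ev["op"] == "rename":
            if os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1]:
                s["ext_renames"] += 1
    verdicts = {}
    for pid, s in stats.items():
        flagged = (s["overwrite_after_read"] >= MIN_OVERWRITES
                   and s["ext_renames"] >= MIN_RENAMES)
        verdicts[pid] = {k: v for k, v in s.items() if k != "read_paths"}
        verdicts[pid]["ransomware_like"] = flagged
    return verdicts


def constructed_events():
    """Three constructed processes: a text editor (pid 1001), an archiver
    writing one fresh high-entropy file (pid 1002), and ransomware (pid 4242)."""
    ev = []
    for i in range(3):
        ev.append({"pid": 1001, "op": "read", "path": f"/home/u/doc{i}.txt"})
        ev.append({"pid": 1001, "op": "write", "path": f"/home/u/doc{i}.txt",
                   "data": b"Minutes of the meeting, revised draft. " * 40})
    ev.append({"pid": 1002, "op": "write", "path": "/home/u/backup.zip",
               "data": os.urandom(4096)})   # random bytes stand in for archive data
    for i in range(6):
        path = f"/home/u/report{i}.docx"
        ev.append({"pid": 4242, "op": "read", "path": path})
        ev.append({"pid": 4242, "op": "write", "path": path, "data": os.urandom(4096)})
        ev.append({"pid": 4242, "op": "rename", "path": path, "new_path": path + ".locked"})
    return ev


if __name__ == "__main__":
    for pid, verdict in score_processes(constructed_events()).items():
        print(pid, verdict)
```

The archiver is not flagged despite its high-entropy write because it neither overwrote a file it had just read nor changed any extension; requiring several independent signals is what keeps the false-positive rate of such monitors tolerable on a busy file server.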

Recovery measures: Regardless of whether a ransom is paid, there are two components to recovery from an attack: (1) restoring systems to full functionality and (2) seeking attribution and restitution.
Regarding restoring system functionality, organizations that have implemented system backup mechanisms can largely rely on these backups after experiencing an attack. This decreases the likelihood that the ransom will need to be paid, as organizations have alternate ways of recovering their systems [25]. However, if system functionality cannot be easily restored, companies may pay the ransom. In this case, recovery efforts turn to attribution and payment recovery. Groups may attempt to trace ransomware payments with the goal of identifying the attacker and ultimately recovering the payment.
Ransomware payment is almost always demanded in cryptocurrency, typically Bitcoin, because these payment systems are largely unregulated and comparatively easy to use [6]. However, although addresses are pseudonymous, the transactions themselves are recorded on Bitcoin's public ledger, which every participant must be able to verify. Prior academic work has shown that it is possible to trace these transactions end-to-end, i.e., from the victim's initial payment to the point where the cryptocurrency is converted to cash by the perpetrators, with reasonable accuracy [17,18,31]. Over the last half-decade, federal agencies have spent over $10 million on contracts with Chainalysis, a cryptocurrency-tracing firm, alone in efforts to trace payment addresses.
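The two basic heuristics behind the tracing work cited above, clustering addresses that are spent together and following outputs forward until they reach a labelled entity such as an exchange, are shown in the following added example. It is not code from those papers or from any commercial tracing product; the transaction graph, the 25% operator share, and the address labels are constructed for the example, and the "addresses" are short names rather than real Bitcoin addresses.

```python
"""Common-input-ownership clustering and forward tracing over a constructed
Bitcoin-style transaction graph.  Added example, not the cited papers' code."""
from collections import defaultdict, deque

# Constructed ledger.  "inputs" are the addresses whose earlier outputs a
# transaction spends; "outputs" are (address, amount in BTC).
TXS = [
    {"id": "tx1", "inputs": ["VICTIM_A"], "outputs": [("RANSOM_1", 4.4)]},
    {"id": "tx2", "inputs": ["VICTIM_B"], "outputs": [("RANSOM_2", 2.0)]},
    # each affiliate forwards the operator's share and keeps the remainder
    {"id": "tx3", "inputs": ["RANSOM_1"], "outputs": [("OPERATOR", 1.1), ("AFFILIATE_1", 3.3)]},
    {"id": "tx4", "inputs": ["RANSOM_2"], "outputs": [("OPERATOR", 0.5), ("AFFILIATE_2", 1.5)]},
    # the affiliate co-spends both remainders into a single exchange deposit
    {"id": "tx5", "inputs": ["AFFILIATE_1", "AFFILIATE_2"], "outputs": [("EXCH_DEPOSIT", 4.8)]},
]
LABELS = {"EXCH_DEPOSIT": "exchange deposit address (identity known to the exchange)"}


def cluster_addresses(txs):
    """Common-input-ownership heuristic: all inputs of one transaction are
    assumed to be controlled by the same wallet.  Returns {address: cluster_id}."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for tx in txs:
        for addr in tx["inputs"] + [o for o, _ in tx["outputs"]]:
            find(addr)                      # register every address seen
        first = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = first      # union all co-spent inputs
    return {a: find(a) for a in parent}


def trace_forward(txs, start):
    """Follow funds from `start` through every later spend.  Returns
    {address: list of tx ids that led there}; unspent outputs are leaves."""
    spends = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    paths = {start: []}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        for tx in spends[addr]:
            for out_addr, _ in tx["outputs"]:
                if out_addr not in paths:
                    paths[out_addr] = paths[addr] + [tx["id"]]
                    queue.append(out_addr)
    return paths


def labelled_endpoints(txs, start, labels):
    """Addresses reachable from `start` that carry a real-world label,
    with the transaction path that reached each."""
    paths = trace_forward(txs, start)
    return {a: (labels[a], paths[a]) for a in paths if a in labels}


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    print("affiliate addresses share an owner:",
          clusters["AFFILIATE_1"] == clusters["AFFILIATE_2"])
    for addr, (label, path) in labelled_endpoints(TXS, "VICTIM_A", LABELS).items():
        print(f"{addr} [{label}] reached via {' -> '.join(path)}")
```

Two caveats a practitioner would add. The clustering step is a heuristic: mixers and CoinJoin transactions, among the obfuscation mechanisms the article's Figure 1 refers to, deliberately put unrelated owners' inputs into one transaction and so produce false merges. And the trace ends at an address, not a person; turning the exchange deposit into an identity still depends on the exchange's own records, which is why the regulatory questions in the second half of this article matter to investigators.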
In several high-profile cases, law enforcement has been able to successfully identify perpetrators and recover ransom payments. For example, in June 2021, the U.S. Department of Justice (DOJ) announced it was able to recover $2.3 million of the $4.4 million that Colonial Pipeline had paid to cybercriminals the previous month [32]. DOJ's press release revealed that it traced the payment to a specific Bitcoin address and recovered the funds by using the private key for that address, which the release likens to a password [32]. While it is not public how the DOJ came to possess that private key, this example illustrates that, in certain cases, it is possible for law enforcement to trace and recover victim payments. This is a promising area for future academic and industrial research.

Technical measures alone are not sufficient
Although leveraging the technical solutions outlined above can greatly reduce the harm caused by ransomware, it is common wisdom that no system can be vulnerability-free. Zero-day vulnerabilities, those unknown to the software's developers and users, are common, and one study of exploits found they survive an average of 6.9 years before public discovery [33]. The WannaCry attack shows how much damage a single such flaw can do once it reaches attackers at scale: hundreds of thousands of computers were compromised through a Windows SMB vulnerability, using an exploit that had been developed while the flaw was still unknown to Microsoft; although Microsoft had released a patch roughly two months before the outbreak, vast numbers of systems remained unpatched [12].
Moreover, system administrators cannot perfectly protect against human threats: users are ultimately a weak link in any system and a significant source of vulnerabilities. Using weak passwords and falling for phishing emails are examples of extremely common user behaviors that introduce insecurity into an otherwise technically sophisticated system.
Ransomware extortion leverages a complex business ecosystem with unexpected incentive alignments that need to be studied and addressed accordingly. For instance, even if an organization follows security best practices, it may still be in the company's financial interest to pay the ransom. Even if a victim has put in place backups and other means of recovering its files, the cost of doing so, in time and other resources, will often exceed the amount demanded, since attackers typically set ransoms precisely to make paying the cheaper option [19,34]. As discussed previously, the current cyber-insurance market only reinforces these incentives to pay.
For these reasons and more, seeing the ransomware crisis as a purely technical problem that only calls for technical solutions is a reductive approach which is insufficient to stop the spread of ransomware attacks. To efficiently target the ransomware ecosystem, legislative tools and solutions will need to be leveraged.

Current policies surrounding ransomware attacks and payments
Following recent events such as the Colonial Pipeline and Brenntag attacks, U.S. policymakers have increasingly come to recognize the economic and geopolitical threats posed by ransomware. We will examine the two main approaches that are currently being explored in U.S. policy to regulate ransomware directly: (1) blanket bans on ransomware payments and (2) mandatory reporting of attacks and payments. We additionally survey regulations concerning cryptocurrency and other digital currencies given their prominence in facilitating ransomware payments. We examine and evaluate these policy approaches through key players in the ransomware ecosystem: (1) large institutions, (2) small institutions and public sector organizations, and (3) critical infrastructure. While these categorizations are not comprehensive or mutually exclusive (and in some cases overlap substantially), we believe that they capture the fundamental motivations driving ransomware policy decisions.
Blanket bans on ransomware payments: Given that the most common motivation behind ransomware is financial gain, some have proposed blanket bans on ransomware payments as a method of deterring cybercriminals. Under such a policy, organizations hit by ransomware would be legally prohibited from sending a ransom payment to the perpetrators and therefore unable to recover access to their systems through direct means.
While such bans represent a substantial ask of organizations hit with ransomware, they directly impact the motivation driving the ransomware ecosystem. Proponents of these bans argue that a ban on such payments would largely eliminate cybercriminals' motivation to launch ransomware in the first place, since any ransom could not legally be paid, and the overall revenues of these criminal organizations would decrease [35].
There are also more granular options than instituting a blanket ban: a policy could take into consideration whether or not the target is critical infrastructure and ban only payments for infrastructure that is non-critical. Such a tiered policy would represent an acknowledgment of the vastly disparate security impact ransomware can have depending on its target.

Current and proposed policies: In November 2021, North Carolina became the first state to enact a policy banning ransomware payments when Governor Cooper signed into law a ransomware provision included in the state's budget (1). The law effectively bans payments from "any ... entity over which the state government has oversight responsibility", which in practice is largely comprised of state and local governments and state-funded educational institutions. At least four additional state legislatures, New York (SB S6806A, SB S6154), Pennsylvania (SB 726), Texas (HB 3892), and Florida (HB 7055), have introduced similar legislation banning or significantly restricting ransomware payments, though none of these proposed bills have yet made it through their respective legislatures, with some dying in committee.
Most legislation restricting ransomware payments has only proposed such a mandate for public sector institutions, i.e., state and local government agencies. In New York, however, Senate Bill S6806A (2) goes a step further and includes "business entities" and "health care entities" in its list of institutions affected by the prohibition, making it the only legislation to propose extending the ban to the private sector.
Currently, several federal agencies, including the FBI and the U.S. Department of the Treasury, have adopted stated policies discouraging organizations from paying ransoms. However, these policies are non-binding and acknowledge that companies will likely bend to economic factors "to protect their shareholders, employees, and customers" [36].
Perspectives of key players: Proposals to ban ransomware payment have received mixed reactions due to the tremendous diversity in organizations hit by ransomware and their varying ability to pay. Large companies and other institutions frequently oppose such policies, as they have the financial means to pay ransoms and would prefer to have the option to do so. On the other hand, many schools, local governments, and other smaller, underfunded state organizations would benefit from payment bans, since they are less likely to be able to pay the ransom regardless.
There are also important distinctions between ransomware targets: critical infrastructure is often targeted precisely because cybercriminals know the ransom is likely to be paid out of necessity. When critical infrastructure is damaged or taken offline, this can result in loss of life, such as if a hospital is hit with ransomware. One can imagine several other scenarios which, while not deadly, would make it difficult not to pay a requested ransom. For example, suppose a state voting system on which presidential election results are stored is hit with ransomware as the polls close. If that is the only way of accessing those particular votes, it is an open question whether the ransom should be paid. These ethical considerations make blanket bans challenging in practice.
Potential impact of payment bans: Payment bans receive criticism because they can be difficult to enforce. Since payments primarily take place in cryptocurrencies, which are pseudonymous, there is no clear-cut enforcement method. While mandating domestic banks and coin exchange platforms to report any transactions that resemble ransom payments from a company could be enough to enforce the law, many companies could likely keep some amount of liquidity in cryptocurrencies or use foreign banks and foreign coin exchange platforms that are not subject to local laws. To clearly evaluate the impact of such bans on the ransomware value chain, more research will be required.
Moreover, while the vast majority of cybercriminals are motivated by financial gain, this is not true for all, and a blanket ban would not eliminate all motivation to launch attacks. Indeed, some of the biggest ransomware attacks, such as WannaCry and NotPetya, were attributed to state actors [37]. A payment ban therefore addresses only part of the threat model that security practitioners must plan for.
Mandatory reporting of ransomware incidents or payments: Mandatory reporting, simply put, means that an organization hit by a ransomware attack is required to provide information about the attack to the federal government. Numerous policymakers and federal agencies have pointed to the lack of data surrounding ransomware attacks as a factor in our inability to fight the ransomware epidemic on a national scale [38,39]. Mandatory reporting is intended to provide greater insight into the ransomware environment: policymakers hope to deter future attacks through learning about current groups, targets, and models involved in the ransomware threat.
Current reporting landscape: Until recently, there was no comprehensive ransomware reporting requirement in the United States. Instead, U.S. policy consisted of limited, industry-specific regulation. Only one sector had faced mandated reporting for computer incidents: the financial sector, which has long been heavily regulated due to the potential for direct civilian harm. In 2021, financial regulators including the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve ruled that banks must inform their primary regulators within 36 hours of discovery of any incident, including ransomware attacks, that may impact the bank's ability to function [40].
In March of 2022, however, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (3) was enacted as part of a larger federal appropriations bill, representing a landmark shift in federal policy. CIRCIA requires "covered entities", i.e., most likely organizations traditionally considered to be critical infrastructure, to notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of when they suffer a "cyber incident", where cyber incident constitutes not just ransomware but a variety of different computer security attacks. CIRCIA further includes a specific ransomware provision, requiring organizations to report ransomware payments to CISA within 24 hours and specifying quality standards for these reports. While the exact definition of what constitutes a "covered entity" within critical infrastructure has not yet been determined by CISA, CIRCIA represents the most comprehensive federal legislation concerning ransomware to date.
Proposed legislation: It is clear that current U.S. ransomware reporting regulation is not comprehensive: a limited group of institutions face relatively strict standards, namely, banks under the FDIC and critical infrastructure under CIRCIA, while many other public and private sector organizations remain unaffected.
In this way, the current mandatory reporting framework functions similarly to the U.S.'s current approach to data privacy: regulation is scattered and only covers particularly vulnerable groups. For example, student data privacy is regulated by FERPA, the data privacy of children under 13 is regulated by COPPA, and federal government data privacy practices are regulated by the General Services Administration [41]. This legal structure has benefits: it allows for stronger oversight of groups with vulnerable clientele and greater potential impact when hit with ransomware. However, there are also inherent problems with this approach to cyber policy: it leaves behind a vast portion of private and public sector groups.
To address these concerns, broader federal legislation has been proposed in addition to CIRCIA: the Ransom Disclosure Act of 2021 (4) introduces mandatory reporting of ransomware payments for not just critical infrastructure but any public or private organization that participates in or affects interstate commerce or receives federal funds, including local governments.
Perspectives of key players: Incident and payment reporting proposals have generally received broad support from both industry leaders and government [42], representing private industry's acknowledgment that some degree of regulation is needed to tackle ransomware. Some in the private sector have nonetheless resisted mandatory reporting legislation out of concern for the impact on their company's reputation; U.S. officials have cited "concerns about possibly scaring off potential or existing customers, damaging their stock value, or incurring potential legal liabilities" [43]. This fear of disclosure is a significant obstacle to the open sharing of information about current ransomware attacks and is the primary cause of resistance to reporting legislation covering a more expansive set of entities, such as the Ransom Disclosure Act.
An additional point of divergence among involved entities is the timeline under which organizations hit with ransomware would have to report the incident and/or payment, with some proposed regulations requiring reports within 24 hours of the incident while others allow for 72 hours. In general, industry has lobbied for a longer timeframe, arguing that shorter periods are overly burdensome. The version of CIRCIA that was ultimately passed, for instance, adopts a 72-hour reporting period, with industry groups testifying in support of this timeframe [42].
Potential impact of reporting: Mandatory reporting of ransomware is favorable for government agencies; by receiving and distributing details regarding previous attacks, governments may ensure their own systems, and other companies' systems, will be protected. This largely stems from the wealth of information provided in reports: by examining successful malware attacks, security engineers can learn from the exhibited exploit(s), identify existing vulnerabilities that allowed the attack to occur, and resolve them to protect against future attacks. If this vulnerability needs to be addressed by an organization in the private sector, the government can direct resources towards facilitating this update, or if the vulnerability needs to be prevented on a case-by-case basis, a government agency such as CISA can add the circumstance to its best practices. As a related benefit, mandatory reporting allows for the creation of improved systems to prevent attacks: with sufficient information about vulnerabilities, researchers can create stronger defenses and test the resilience of existing anti-malware software.
Lastly, mandatory reporting permits greater ease of attribution. Through looking at large collections of malware, trends emerge in source code that can help to identify the authors -be that by looking at language or structural similarities of code, or through the use of automated tools -for example, Kaspersky's Threat Attribution Engine [44]. Attribution is important in understanding the motivations of attackers, to predict and prevent future attacks. Most importantly, such evidence can assist law enforcement working to develop a case against cybercriminals and hold them accountable.
Cryptocurrency regulation: Given ransomware's heavy dependence on cryptocurrency as a payment system, an alternative regulatory approach is to regulate the cryptocurrency ecosystem instead of regulating ransomware directly.
Current policies: While there are no federal laws explicitly governing cryptocurrencies, the Financial Crimes Enforcement Network (FinCEN) within the Treasury Department has determined that the 1970 Bank Secrecy Act also applies to cryptocurrencies [45]. Specifically, all "money service businesses" are within the purview of this and other anti-money laundering laws that have been around for several decades. In theory, this means that cryptocurrency exchanges and most other entities involved in cryptocurrency transactions need to comply with certain currency transaction reporting, as well as suspicious activity reporting for transactions of over $2,000 [45].
In addition to the various anti-money laundering laws, over the past few years other federal agencies have moved to set their own regulations and oversight mechanisms. The Internal Revenue Service (IRS) treats cryptocurrency as "property" for tax purposes, and the Securities and Exchange Commission (SEC) treats many digital assets as securities subject to federal securities law.
In the United States, in the absence of federal regulation, numerous states have proposed and enacted laws governing virtual currencies. According to the National Conference of State Legislatures (NCSL), as of December 2021 seventeen states have passed laws concerning cryptocurrency and thirty-three have pending legislation [46]. Some of these regulations have focused specifically on preventing cryptocurrency's utility as a mechanism for money laundering: for example, Missouri's HB 1277 modified a pre-existing money laundering law to include virtual currency in its scope [46].
Perspectives of key players: Cryptocurrency exchange platforms have been the main subject of regulatory proposals from federal agencies, but agencies have seen varying levels of cooperation among platforms. While FinCEN officially mandates that entities providing cryptocurrency services are subject to certain reporting requirements, in practice there are numerous exchanges and brokers, including many based within the United States, that play host to lesser-known cryptocurrencies and do not comply with FinCEN regulations. These exchanges tolerate such illicit and often illegal activity because their underlying revenue model depends on this business [45]. As a result, this reporting disparity causes what the SEC describes as a "huge gap in oversight", as ransomware perpetrators and victims can send and receive payments much more easily [45].

Takeaways
Having examined the technical and economic factors behind the proliferation of ransomware and summarized the existing policy landscape, we conclude by reviewing key takeaways and considerations for policymakers.
Critical infrastructure: Any proposed regulations concerning ransomware or ransomware payments should consider distinguishing between critical infrastructure and other potential targets. For certain organizations, e.g., hospitals and other healthcare entities, an unpaid ransom could potentially lead to loss of life, suggesting different payment and/or reporting policies may be needed for such critical organizations.
Financial trade-offs: Proposals to ban ransomware payments should take into account the various financial trade-offs organizations hit with ransomware will face. The financial cost of rebuilding or restoring compromised systems and networks frequently far exceeds the ransom itself [19], and this calculation does not include the time and human resources that would further be expended.
Degree of impact on ecosystem: Mandatory reporting policies are inherently reactive, requiring organizations to take certain actions only once an attack has already taken place. While such policies help to build a greater technical understanding of current ransomware techniques and the exploits used, they represent only an indirect deterrent against future attacks: there is an implicit assumption that the information gleaned from reports will be acted upon, and that the various actors in the ecosystem will be able to collaborate and use this knowledge to prevent future attacks.

Role of cryptocurrencies: The shift to cryptocurrency as the de facto ransom payment method is driving the modern ransomware market. To regulate cryptocurrency, then, is to regulate ransomware. Enforcement processes, reporting efforts, and regulatory proposals can be more effective by targeting the interdependence of cryptocurrencies and ransomware.
In summary, the ransomware industry and accompanying cryptocurrency ecosystem are constantly evolving. Any laws regulating either of them directly have been around for less than three years, so it is difficult to fully appreciate what the effects will be. Nonetheless, we argue that technical solutions alone will not be enough to prevent ransomware attacks. In the absence of a technical panacea, regulatory policy is essential to prevent ransomware from continuing to wreak havoc within the U.S. public and private sectors.
While CIRCIA (3) and other federal actions have made progress towards tackling the ransomware epidemic, incident reporting mandates are ultimately passive legislation that come into play only once an attack has already occurred. In order to substantially deter ransomware attacks, we need regulatory policy that addresses the underlying economic motivations and payment ecosystem that allow ransomware to proliferate in the first place.

Open Access
This MIT Science Policy Review article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.