Pay Up or Else: The Case Against Criminalising Ransomware Payments

By Rik Ferguson, August 5, 2025

The question of whether to criminalise the payment of ransomware demands has lingered at the intersection of cybersecurity, ethics, and public policy for years. And it’s easy to see why. There’s one truth that very few would dispute: paying ransom funds to cybercrime. It feeds a criminal economy that’s become increasingly industrialised, professionalised and, in some cases, state-aligned. But while that truth is uncomfortable, it’s also incomplete.

So, should ransom payment be criminalised?

Patchwork Legislation and the Illusion of Progress

At first glance, the idea offers a kind of moral and legal clarity. But scratch the surface, and it quickly becomes less convincing. Organisations hit by ransomware are already under intense pressure, and many must navigate a maze of existing sanctions, money laundering, and terrorist financing laws. Adding criminal liability for ransom payment may look like simplification, but in practice, it introduces new legal risks when victims are least able to manage them.

Legislators are not blind to the problem, but their approaches vary widely. In the United States, North Carolina led the charge by banning public entities from paying or even communicating with attackers. Florida followed with a similar law, albeit with carve-outs for schools and negotiations. New York has gone further, proposing a ban that would apply to private companies as well. In July 2025, the UK joined them by announcing that public sector bodies would be barred from paying ransoms.

Australia has not banned payment but now mandates reporting for any ransom payment by entities covered under its Security of Critical Infrastructure (SOCI) Act, with possible expansion to other businesses. The intent is to increase visibility and regulatory response without eliminating the payment option outright.

France takes a different stance again. While payment remains legal, businesses must file a police complaint within 72 hours to qualify for insurance coverage. This approach incentivises disclosure and cooperation with law enforcement, rather than attempting prohibition through legislation.

The Evidence Gap: When Policy Meets Reality

The intent behind these measures is clear. The belief is that if you cut off the money supply, the attacks will stop. But the evidence tells a different story. Criminals are not waiting for laws to pass. If anything, they’re accelerating their operations to take advantage of jurisdictions before payment becomes impossible. Several major breaches in 2024 targeted public sector organisations in regions actively pursuing bans. That’s not a coincidence. It’s a strategy.

What we’re seeing is not deterrence but displacement. Attackers shift targets and tactics as legislation tightens, but the overall threat doesn’t diminish. There’s little to suggest that payment bans, on their own, reduce the number or severity of incidents. What does correlate more strongly is preparedness: rapid detection, resilient architecture, and tested recovery plans.

The Hygiene Hypothesis Falls Short

Supporters of criminalisation often argue that removing the ability to pay will force organisations to get serious about cybersecurity. Without the fallback of payment, the logic goes, businesses will have no choice but to improve their defences.

It’s a compelling idea, but one rooted in optimism rather than observation. Many sectors remain chronically underfunded, understaffed, and overexposed. Healthcare is a case in point. Despite years of policy attention and sector-specific guidance, it continues to suffer repeated and high-impact ransomware attacks. In 2024 alone, tens of thousands of patients were affected by breaches in jurisdictions where payment bans were already in place or under active discussion. Our research into this trend provides a deeper look at how ransomware continues to outpace policy, particularly in critical public services.

Ransomware Without Encryption: A New Normal

Meanwhile, ransomware operators are evolving their playbook. For years, backups offered a reliable fallback. So criminals started going after the backups too. More recently, they’ve adapted again. The threat of leaking sensitive data, once secondary to encryption, has become the main act. In some campaigns, encryption has been abandoned altogether. Why bother building and maintaining complex malware when the mere threat of exposure can compel payment?

These are business decisions for threat actors, not ideological shifts. They are responding to defensive strategies and shifting their own methods accordingly.

From Incident Response to Incident Avoidance

When a breach no longer involves encryption, there’s nothing to restore. Backups become irrelevant. In these cases, prevention is everything. That means taking a serious look at two critical but underused defences: dynamic network segmentation and encryption of data at rest, in transit, and in use. Neither is easy to implement, particularly in environments with legacy infrastructure or operational technology. But they are both highly effective at making sensitive data difficult to access, hard to steal, and, if compromised, virtually impossible to weaponise.

These are the kinds of investments that change the game, not after-the-fact payments, but systemic controls that reduce exposure and disrupt the extortion cycle.

Criminalisation Casts Shadows

Banning payments also risks pushing them underground. If paying a ransom becomes illegal, some organisations may still choose to pay, just not publicly. That creates a new layer of legal liability, reputational risk, and regulatory complexity. It doesn’t solve the problem; it buries it.

Punishing victims may feel principled, but it’s not productive. A better focus would be on the financial systems that enable ransomware in the first place. Cryptocurrency remains the lifeblood of this ecosystem. As global regulatory frameworks catch up, we may finally see meaningful disruption of that infrastructure. Traceable transactions and enforceable identity verification will do more to choke off criminal funding than simply outlawing the act of payment.

When Payment is the Least-Worst Option

There will always be scenarios in which the consequences of data loss are too severe to ignore. Not just financial collapse, but service outages, systemic failure, and even loss of life. In those situations, however undesirable the outcome, the option to pay may remain the least-worst decision.

That’s not a loophole. It’s a concession to the fact that, in crisis, rigid policy may not offer the flexibility that real-world outcomes demand. Criminalising ransom payments without exception risks replacing one kind of ambiguity with another. What we need is a framework that supports prevention, disrupts financing, and, when necessary, allows for a pragmatic response without criminalising the desperate.

Rik Ferguson

Rik Ferguson is VP of Security Intelligence at Forescout and also one of the leading experts in cybersecurity. He is also a Special Advisor to Europol's European Cyber Crime Centre (EC3) and an advisor to the European Union.
