There has been a lot of discussion recently about countries enacting laws to ban ransom payments to all ransomware actors. The effectiveness of these laws is a topic for another, much longer post, but I want to talk a little bit about the “waiver exception” discussed in many of these proposed laws.
The waiver exception is exactly how it sounds: It is illegal to pay a ransom, unless you get a temporary government waiver allowing it (in the UK this is referred to as a license [Warning: PDF]). It makes sense to have a waiver system in place because some organizations will be so devastated by a ransomware attack that they will have no choice but to pay, and governments (most of the time) don’t want to punish victims.
The problem with government waivers, as well-intentioned as they are, is that they create an orderly, repeatable process that the bad guys will undoubtedly exploit.
Here is what I mean. Look at an early ransom note (huge thanks to the team at ZScaler Threatlabz for compiling these) from the Dharma ransomware group:
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins
(I added the bold text). Now, take a look at a more recent ransom note from the Akira ransomware group:
If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:
1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/.
2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion.
3. Use this code - [snip] - to log into our chat.
(again, I added the bold). These are some surprisingly helpful ransomware actors, right? Unsurprisingly, ransomware groups are very helpful in providing instructions to victims if it will increase the likelihood that the ransomware actor will get paid.
This is what I see as the most likely scenario if governments enact a waiver system alongside ransomware payment bans. The ransomware groups will figure out how the waiver systems work and simply provide that information to every victim who claims they can’t pay a ransom because of ransom payment ban laws.
Should we not enact something because bad actors will likely abuse it? No. If we did that we’d have to get rid of social media, email and likely the entire Internet (except Gopher, there has never been a Gopher worm/virus). But, I do think it is important to understand as fully as possible how the bad guys will learn to take advantage of the rules we put in place, so we can enable proper safeguards.