Truth in IT
Commvault: Cyber Resilience, Data Leak Impact, and Policy Trade‑offs

Truth in IT
11/11/2025
Ransomware Payment Bans, Oracle’s Breach, and the Realities of Cyber Resilience

This episode of the Continuous Compliance Podcast brings Commvault’s Darren Thompson (Field CTO, EMEA) and Jakob Lewandowski (Associate General Counsel, EMEA) into a timely discussion on ransomware, the alleged Oracle breach, and the UK’s proposal to ban ransom payments across public sector and critical infrastructure. Their analysis goes beyond headlines to unpack operational, legal, and policy trade-offs that matter to IT and security leaders.

Why it matters: Ransomware is now a systemic operational risk. Payment bans may change attacker incentives, but only if organizations can reliably recover without paying. The conversation surfaces what readiness actually entails—and the unintended consequences regulators must anticipate.

Oracle’s Alleged Breach: Between Statements and Reality

Thompson notes the reported Oracle incident is “still in flux,” with the truth likely sitting between the vendor’s disclosures and the attackers’ claims. Early signs suggest a traditional (non-cloud) environment may be affected, but the blast radius is uncertain. The larger lesson: even well-resourced enterprises face situational ambiguity during active incidents, complicating communications and recovery decision-making.

On paying ransoms, Thompson’s position is clear: organizations should plan well enough never to face the pay-or-don’t-pay dilemma. In practice, many lack the tested, auditable, minimum-viable-company recovery capabilities to avoid considering payment. He supports Oracle’s stance not to pay but emphasizes that stance only works when recovery and containment plans are robust and proven.

The UK’s Proposed Ransomware Payment Ban

Policy intent: break the payment cycle

Lewandowski frames ransom as an economic system: attack, negotiate, pay, launder, reinvest in more attacks. The UK proposal, which the government describes as “world leading,” aims to disrupt that system at the negotiation/payment nodes for public sector and critical national infrastructure. The expectation is that criminal focus will shift away from banned domains, reducing attack frequency and impact in those sectors—though attacks will likely move elsewhere geographically or sectorally.

Compliance and legal realities

Lewandowski stresses: paying a ransom is not regulatory compliance. It does not fulfill notification duties or mitigate liability. Organizations must document decision-making, engage trusted experts, coordinate with law enforcement, and check anti-money-laundering, sanctions, and export-control constraints if payment is contemplated. In jurisdictions with “do not negotiate” policies, enforcement and transparency gaps complicate oversight—another reason regulators are seeking stronger reporting and control mechanisms.

The Hard Case: PII/PHI Extortion and the “Do Not Pay” Stance

What if attackers threaten to leak sensitive citizen data and the ransom is “affordable”? Both speakers maintain a principled “do not pay” position. Thompson cautions that bans only work if victims are prepared—encryption, clear roles, tested playbooks, and rapid recovery are prerequisites. Without readiness, a ban forces organizations into long, painful restores while managing public fallout. Lewandowski highlights that long-term deterrence depends on breaking the payment cycle, even when immediate incentives pull in the opposite direction.

Unintended Consequences Policymakers Must Consider

  • Attack displacement: Criminals may target non-covered sectors or geographies.
  • Underground payments: Bans risk driving negotiations and payments off the books through intermediaries.
  • Delayed reporting and reduced cooperation: Fear of penalties may suppress timely engagement with authorities.
  • Perception of “punishing victims”: Added burdens on already-impacted organizations can create political and practical pushback.
  • One-size-fits-all risk: The impact of disrupting a hospital differs from a library; context-sensitive exceptions may be necessary.

Data Exfiltration: Managing Harm When Control Is Lost

Thompson underscores a persistent blind spot: once data is exfiltrated, downstream use is opaque. The harm profile varies by data type and transparency. Payment rarely guarantees deletion or containment. Practically, post-breach priorities include rapid, clear disclosure; targeted guidance to affected individuals; credential resets; and identity/financial monitoring support. Over time, programs should mature data classification to prioritize protections on high-impact data (e.g., sensitive IP, clinical data) while maintaining strong baselines across the estate.

Resilience Over Blocking-and-Tackling Alone

Prevention and detection remain essential, but neither eliminates the need for recovery at scale. Thompson argues that many organizations perform checkbox exercises rather than realistic, high-stress testing of catastrophic scenarios. Resilience maturity should include:

  • Clear definition of minimum viable company and application/data dependencies.
  • Proven recovery architectures and immutable, isolated backups.
  • Rigorous, scenario-based exercises with executives and operators.
  • Data classification and encryption aligned to business impact tiers.
  • Documented, rehearsed incident response with legal, comms, and law enforcement touchpoints.

Regulatory Evolution: Balance Deterrence and Practicality

Lewandowski expects consultation feedback to split across two themes: raising baseline resilience and recovery capabilities, and tightening controls on negotiations and payments to increase visibility and deterrence. The fine line: avoid creating the optics—and reality—of punishing victims while still cutting off the economic lifeblood of ransomware. Calibrated policy, strong reporting frameworks, and sector-specific readiness programs will be critical to implementation success.

Key Takeaways

  • “Do not pay” only works if you can restore minimum viable operations quickly—invest in tested recovery, immutable backups, and clear playbooks.
  • Ransom payments are not compliance; document decisions, involve trusted experts, and coordinate with law enforcement.
  • Expect displacement effects from payment bans; regulators should anticipate underground payments and reporting friction.
  • Classify and encrypt data by business impact; focus highest protections on the most damaging data types.
  • Run realistic, exec-level resilience exercises—tabletop alone is insufficient for real-world recovery pressure.

Conclusion: What This Means for IT Leaders

Ransomware is as much an economic and operational problem as it is a technical one. Payment bans can curb attacker returns, but only if organizations—and especially public sector entities—are prepared to recover without paying. For IT leaders, the mandate is clear: shift from checkbox prevention to demonstrable resilience. Build recovery muscle memory, classify and protect high-impact data, document decision pathways, and align executives around tested playbooks. The organizations that operationalize resilience—not just security—will be best positioned to weather policy shifts and the next inevitable incident.
