RE: Paying Ransomware Should be Illegal

Sure, they'll worry. But they'll figure out how to send Bitcoin anonymously if it saves them tens or even hundreds of millions of dollars and their jobs. Why on earth, as taxpayers, would we want to spend the time and money to prosecute victims (especially when it will probably be difficult and costly to do) instead of the criminals? If it is cheaper for companies to learn to protect themselves from such attacks then they will learn to do so. If ransomware gets too out of hand it will be the cause of its own destruction as it becomes more difficult and less effective.

Don't get me wrong, I hate ransomware and I hate the idea of giving those people money. But the idea of government being too incompetent or otherwise incapable of stopping these criminals and instead going after the victims is a terrible idea.



If it is criminal, then sending it risks their job, future employment, and freedom. Not sending it means they are simply following the law like everyone else. Nobody gets fired for doing what everyone else must do.

It is not about spending vast amounts of taxpayer dollars on prosecution. Likely just one will send a message. But stopping the payments will help everyone, to the tune of hundreds of billions of dollars. Otherwise our tax dollars go to fighting ransomware in ways that are not effective. This is actually better for the taxpayer.

Keep in mind, many of these 'companies' actually provide critical infrastructure to citizens: clean water, electricity, Internet, gas, transportation, food supplies, etc. Impacts to them translate to great impacts to all citizens.

Criminalizing the payments creates a forcing function for businesses to better protect themselves while it greatly undermines the motivation for attackers, thereby reducing the number of attacks. It is an effective and efficient way of reducing the risks of ransomware.

I guess that's where we disagree. I don't believe it would be efficient or effective...and it punishes the wrong people.

It is not intended to punish anyone but the criminals. Enacting this would greatly reduce all Ransomware, helping protect all potential victims.

Something similar was done for privacy. The EU made it illegal to collect and sell users' data without their consent. A grace period was given for companies to properly adapt. The same can be done with outlawing the paying of ransoms.

You are comparing apples to oranges, or maybe even skyscrapers. A company can (for example) pay a $1 million ransom to save $10 million in costs. Now the same government that cannot catch the criminals doing this wants to say, no, you can't save that $10 million. Sounds a lot like punishing the victim to me. What does that have to do with violating my privacy? In that case the person having their privacy violated is the victim to the extent there is one.

Even if laws were enacted against paying ransom, I doubt such laws would involve jail time. Who would you jail when a corporation pays the ransom anyway? How would you prove who paid the ransom when it is paid via a crypto, especially one with strong privacy features? Neither the attackers nor the victims would be motivated to tell anyone what is going on. Attacks would still occur, ransoms would still be paid, you would just stop hearing about it in the news because those involved would keep it quiet. Seems like there is very little risk to those paying the ransom, at least in terms of being caught by the government. Assuming the law did not involve jail time, then a company would have to weigh the likelihood of being caught and the likely fine against the cost of paying the ransom and against the cost to the company if they don't pay the ransom. Most companies paying ransoms are doing so because it is saving them a massive amount of money.

Assuming such a law somehow managed to be effective (which again, is where we disagree... I don't believe it would be effective... at least not effective enough), it would still punish victims unless it was 100% effective.

In the long term I think this will become less of an issue without punishing the victims because companies will enact better procedures to prevent such attacks and better procedures for recovering from them without the need to resort to ransom.

They are a victim right up to the point that they provide material support for attackers who will harm others. Paying the ransom hurts others.

The good news is, if everyone stops paying then ransomware disappears and the risks go down significantly for everyone!

  1. No law will stop EVERYONE from paying ransom. In my opinion such laws would be ineffective and in reality wouldn't stop ransom from being paid. Again, how would one go about proving a company paid ransom, especially if paid in an anonymous manner? Such laws could even be counterproductive. It's better for companies to be able to freely admit to it to give law enforcement a chance in hell of tracking the money. There are kidnappings for ransom too. Unless the penalty is death, families will pay the ransom if they are able. Honestly, it isn't THAT hard for a company to have a plan in place to recover from such an attack in a manner cheaper and safer than paying ransom. Let companies learn their lesson and figure this out and let law enforcement go after the attackers. Companies can mitigate their own risk.

  2. Providing material support is not what harms others. The attackers are what harm others and should be the target of law enforcement. You could use the same argument for paying taxes. Unless you think paying taxes never harms others.

  1. No need to stop everyone, just put a big enough dent into the activity to make it really unlikely for criminals to get paid. The biggest group we need to stop are the businesses, who are paying HUGE sums (ex. $40 million by one recent company).

If we don't move strategically, this gets MUCH worse. Did you know that for a while kidnapping was the second largest contributor to GDP for the country of Colombia (after cocaine distribution)? It was because more and more ransoms were paid. The problem skyrocketed! We want to avoid that with ransomware.

  2. YES, material support to the enemy does harm people. That is why it is illegal in most cases and even considered treason in war. Should people be allowed to invest in murder-for-hire crime organizations or knowingly fund terrorists that will kill women and children? We are talking about a criminal element who purposely seeks to cause harm and victimize others.

I am doing a video series on Ransomware. Here is the first vid that talks about impacts:


Would like your thoughts. (this is a good discussion by the way!)

So in Colombia, did they solve the problem by making paying ransom illegal? That's a rhetorical question as that is not how the problem was solved. So what is the point of the comparison? To show you don't need laws to prevent paying ransom to solve the problem? In that case, I agree!

I agree with what needs to be accomplished, I just disagree punishing victims is a valid and reasonable way to get there. Unlike failed states, there are reasonable technical solutions to preventing and recovering from ransomware attacks that can significantly limit their effectiveness. Companies will adapt and ransomware will decline over time. Maybe not today or tomorrow or next year, but in the not too distant future. Remember when some new virus was in the news every day? Especially in the Windows 95/98 days... Operating systems became more secure and anti-virus software got better. The same will happen with ransomware.

I've only skimmed the video so far but I'm not contesting that ransomware is a problem. I'm just contesting your proposed solution. I might contest some of the numbers presented in that video though. 75,000 attacks daily I believe. That the ransom amounts only fall in the range of 200,000 and up I don't believe. In fact, I know otherwise so I'm not sure where those arbitrary numbers came from... maybe it was referring to attacks only on corporations and not on individuals? And the cost of ransomware in 2031 is unknowable but I would be willing to bet that technical solutions, education and improved procedures would keep it well below the amount stated in the video by then. While it can be more complicated than it sounds, all companies and individuals really have to do to mitigate such attacks is to keep frequent backups of important data. Restoring from a recent backup has to be cheaper than paying a ransom and waiting (hopefully) for decryption.

You still haven't explained how government would be able to enforce such laws given both the victim and the attacker would be disinclined to let government know about it. Or, if you want to extend such laws to kidnappings, why on earth you think people would pay attention to such laws when trying to save their loved ones.

Your examples as far as "material support to the enemy" are off base. People aren't paying ransoms to commit treason, they are doing it to save their company, irreplaceable data, loved ones, or whatever it is they are trying to save. If the government considers these people "the enemy" then I suggest they destroy the enemy. Not their victims. Which is very well what such laws might do. By this logic, if a thief had me at gunpoint and I gave him money then I would go to jail and I should have just let him kill me instead. After all, giving him the money is "giving material support to the enemy".

If the law by itself prevents such attacks, then the point is moot. No one would ever have to break the law because they wouldn't be attacked. If they are attacked, then clearly such a law did not help them and in fact potentially causes great harm if obeyed.

Oh, and apparently paying ransom is already illegal according to https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u-s-dept-of-treasury-warns/ and https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

Has it helped?

Okay, you put a lot of thought and effort into your response. I will do the same and address your points and questions.

The problem still exists in Colombia. One of the major issues is that it became so profitable that it created corruption with officials, similar to what the cocaine trade has done there. This is one of the terrible side effects when crime is allowed to run rampant. It warps the very system that should be stopping it. We don’t want that to happen with cybercrime and yet we are already seeing cybersecurity product/services companies go that direction because they have a financial incentive. Ransomware and other attacks drive up sales. So, many cybersecurity firms DON’T want paying ransoms to be outlawed as it will be too effective in stopping ransomware.

Outlawing paying ransoms is not punishing victims. It is putting controls in place to greatly LESSEN the number of victims and impacts to the nation in the long term.

There are NOT reasonable controls to stop ransomware. This is why it is growing so fast and we are seeing big corporations and government agencies get impacted.

Ransomware has been around for decades and has continued to grow even in the face of new products, services, and the ‘adaptation’ you are referring to.

I know, I have been in the industry for over 30 years and consult to academia, businesses, and governments around the globe. I also work with some of the biggest cybersecurity companies.

I can tell you that the attackers are actually adapting faster than the security, in large part because of the massive injection of funding they are receiving from ransom payments! This must stop, otherwise security tech won’t catch up.

Ransoms for businesses (source of the survey) were in the 200k-2mil range. This is not the range for when grandma gets ransomware and can’t access pictures of her grandchildren. That is much lower. Also, there are a ton of metrics coming out with a trend of ever higher top-end ransom ranges. More studies will be published next quarter.

The 2031 figure is a predictive estimate. We do these in the industry and publish the results so we can be held accountable later on to see if it was a good prediction. Cybercrime Magazine published those numbers. Here is the source: https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/

Mitigation (prevention) of attacks is a weak point. Sure if you ‘can’ do it the problem goes away. The point is it is not possible given all the other constraints (usability, human interaction, reliance on code, human errors, social engineering, HW/FW/OS/App vulnerabilities, etc.). It is HUGELY complex and tech is constantly changing.

Government enforcement is simple. Pass a law to make it criminal to pay ransoms. In that one act, most executives would not risk jail time or the end of their career. And practically, it is not easy to hide a ransomware infection, hide spending millions to buy a key, and hide using that decryption key to restore files. Many people will be involved. It just takes one to whistle-blow (and there are financial rewards for doing it too).

Even more likely is that the cybercriminals, who are extorting for the unlock key, will simply then shift to extort the payer because they broke the law (in paying the ransom). They can make demands forever as the evidence is permanently stored in the blockchain, email, etc.

For laws to be effective, the government doesn’t need to catch and prosecute everyone. It is about deterrence.

Payments are absolutely material support to the enemy. The criminals are the enemy. Payments are financial resources that will both motivate and facilitate them to improve, scale, and continue more attacks.

We cannot look at this as a one company or one payment situation. This is a systemic problem where everyone is connected and affected. If you pay a ransom to ‘save’ your company, that attacker then might take down a hospital, power grid, or water supply later on. The problem just gets bigger. This is why we have laws, to consider the greater good when individuals want to pursue what is best for themselves.

OFAC just came out with those rules this year. But it is too narrow a scope and organizations are going around it. A full-fledged law needs to be passed.

The problem still exists in Colombia. One of the major issues is that it became so profitable that it created corruption with officials, similar to what the cocaine trade has done there. This is one of the terrible side effects when crime is allowed to run rampant. It warps the very system that should be stopping it. We don’t want that to happen with cybercrime and yet we are already seeing cybersecurity product/services companies go that direction because they have a financial incentive. Ransomware and other attacks drive up sales. So, many cybersecurity firms DON’T want paying ransoms to be outlawed as it will be too effective in stopping ransomware.

Yes, the problem still exists in Colombia in that kidnappings are not at 0. However, they are down over 90% since the peak. Without outlawing ransoms. I am not suggesting that we allow cybercrime to run rampant, I am suggesting methods other than punishing those victimized by cybercrime.

Outlawing paying ransoms is not punishing victims.

Yes, it is. That may not be the intent but if you are faced with going out of business or losing a loved one because you are the victim of a cyberattack or a kidnapping and you could solve the problem by paying a ransom but you cannot legally do it, that is effectively a punishment. At least it is if you pay the ransom and get caught. If you don't pay the ransom then you lose too.

Mitigation (prevention) of attacks is a weak point. Sure if you ‘can’ do it the problem goes away. The point is it is not possible given all the other constraints (usability, human interaction, reliance on code, human errors, social engineering, HW/FW/OS/App vulnerabilities, etc.). It is HUGELY complex and tech is constantly changing. Government enforcement is simple. Pass a law to make it criminal to pay ransoms. In that one act, most executives would not risk jail time or the end of their career. And practically, it is not easy to hide a ransomware infection, hide spending millions to buy a key, and hide using that decryption key to restore files. Many people will be involved. It just takes one to whistle-blow (and there are financial rewards for doing it too). Even more likely is that the cybercriminals, who are extorting for the unlock key, will simply then shift to extort the payer because they broke the law (in paying the ransom). They can make demands forever as the evidence is permanently stored in the blockchain, email, etc.

Yes "prevention" is very hard...but not impossible. However, what is not particularly hard is having mitigation plans that don't just involve prevention but also involve recovery. Recovery is much easier than prevention as long as you have a recovery plan. Cheaper than ransom in most cases too. No company should ever lose a significant amount of data that they can't recover from their own backups.

How effective a law is depends on how likely it is to actually be prosecuted. How costly is it for government to do the investigation necessary to prosecute a person or company that was just trying to put their lives back together? I can think of ways companies could avoid being caught or get around such laws. Once a company has bought crypto, tracking what they do with it can be very difficult (depending on the crypto). They could also hire consulting services to recover their data in other countries. The company would pay them a fee. The consulting service may then use the fee to pay the ransom, or get back the data some other way if they can. That's a simplistic example but there are typically tons of ways for companies to get around laws like this. I see no reason to believe it would be effective. Even if it were effective in reducing the number of attacks, that would be no comfort for those that continued to be victims of cyberattacks. They go from having bad options to no options. As far as cyberattackers making further demands, that would kill their own business so it seems unlikely to happen on a large scale. Some level of honesty is needed in order for extortion to continue working. What keeps companies paying is the fact that other companies that have paid have recovered their data.

Payments are absolutely material support to the enemy.

I'll try to keep that in the back of my mind if I am ever held at gunpoint, literally or figuratively.

Instituting regulations that benefit everyone is not a punishment. Do you consider the privacy laws, that protect everyone's data, punishment? It was also claimed that those privacy laws would 'punish' businesses by causing them to go out of business (they did not). It was fear mongering because people didn't want to change.

Right now, companies are not investing in sufficient prevention or recovery. They are instead relying on cyber-insurance to pay the ransom. That helps nobody but the attackers. Change must occur. What you are proposing is to remain with the status-quo. That only benefits the cybercriminals, cybersecurity firms, and insurance companies. It harms businesses and citizens.

For every way you can think how a company can get around such a law, I can find a very plausible way they get caught and someone goes to jail. Executives generally won't risk that. Again, look at previous regulation that companies then adopt as the 'norm' of doing business. This too would happen with an anti-ransomware payment law. They would simply adjust their policies and processes. It becomes the norm.

No, I support privacy laws. But this is a different issue with different circumstances. Adhering to privacy laws IS a burden on business. However, protecting themselves from cyber attacks is in their own best interest. Why would businesses continue to do something (or not do something) that causes them harm? That's why I believe it will happen without a law punishing victims. I don't necessarily support the "status quo", I just don't support your solution. I'll never support a solution that basically says that if I am held at gunpoint and give a thief my wallet that I am going to go to jail.

Until businesses have actual technical solutions to these problems in place, adjusting their current policies and processes will only help them to go out of business if they are the victim of such an attack. We don't need a law protecting businesses that are unwilling to protect themselves. If they are unable to protect themselves then a law won't help them if they are attacked and will be of questionable effectiveness in preventing such an attack. As long as attacks are essentially as easy as a phishing email, lessening the chances of the attackers getting paid isn't really much of a deterrent. They'll just make it up on volume. Somebody will still pay, regardless of law.

How is applying good security controls not in their best interest? Right now, companies are transferring the risk to insurance, instead of investing in good security.

Regardless, the problem gets worse over time as payments are made, making the RISKS greater for everyone! Paying ransoms is a short term fix that creates a long term cancer. Without change, more and more companies will go out of business because of ransomware (current stats show between 60%-90% of SMB are out of business within 2 years of a cybersecurity incident).

There are no silver-bullet technical solutions! There won't ever be anything that can block all the potential attack vectors. The way to stop these attacks is to target the motivation of the attackers themselves.

How is applying good security controls not in their best interest? Right now, companies are transferring the risk to insurance, instead of investing in good security.

It is in their best interest. That's my point. As time goes by, companies will put more effort into security and other mitigation procedure. They are already starting to. I know the company I work for is. Without having a law that outlaws paying ransom I might add.

Regardless, the problem gets worse over time as payments are made, making the RISKS greater for everyone! Paying ransoms is a short term fix that creates a long term cancer. Without change, more and more companies will go out of business because of ransomware (current stats show between 60%-90% of SMB are out of business within 2 years of a cybersecurity incident).

Isn't it the responsibility of those companies to do what is necessary to mitigate those risks? If 60-90% of companies go out of business now because of ransomware (it would seem to me that "cybersecurity incident" might encompass a lot more than ransomware though?), what will that percentage be if paying ransoms are outlawed? Fewer attacks? Maybe... A higher percentage of those attacked going out of business? Almost certainly.

There are no silver-bullet technical solutions! There won't ever be anything that can block all the potential attack vectors. The way to stop these attacks is to target the motivation of the attackers themselves.

There are no silver bullet laws either. And while there are no silver-bullet technical solutions that will block all ransomware, having good backup plans and procedures in place IN COMBINATION WITH whatever technical prevention solutions are available can make successful attacks less likely and recovery cheaper than ransom thereby solving the problem, at least better than any law. Why is it you think having proper backup procedures in place won't accomplish this? Why would you need to pay a ransom if you can restore the vast majority of your data from your own backups? I wonder how many companies have paid a ransom a second time because of another attack?

It is great that your company is investing more in security, but that is not the overall industry trend of investment necessary to mitigate ransomware. We are seeing a repeat of what companies did during the early years of data breaches. Ignore the risks, transfer the risk to insurance, but not actually improve the security. It was not until regulations required them to notify customers of a data breach (then they had to pay for credit monitoring, etc.) did things change. They went kicking and screaming, saying such a privacy regulation would bankrupt them. It did not. It was just them fighting against spending to keep their customers' data secure. Same is true now. Most companies want to secure a ransomware insurance policy versus spend on security and IT backups.

The financial incentives, which should align to the benefit of the consumer, were upside down. It took regulation to change things. Same is true now. I see it every day.
