
RE: Paying Ransomware Should be Illegal

in STEMGeeks, 5 months ago

If someone's data is worth that much money to them, making it illegal isn't going to stop them from paying the ransom. Paying a normal ransom isn't illegal either as far as I know. You can even buy insurance for both cases.

 5 months ago 

If directly supporting criminals becomes illegal then Insurance companies won't do it either.
It is no longer limited to data, but also uptime of systems (gas lines, electrical grids, water supply infrastructures, emergency services, etc.).
Companies will stop paying if executives realize they could go to jail.

Given that ransom is likely to be paid in bitcoin, proving ransom has been paid could be difficult. Even if they pay cash it could be hard. I don't think such laws would have any practical effect. If a loved one of mine was kidnapped and I could get them back with a ransom, no law would stop me. If a corporation can save millions (or more) by paying a ransom, no law is likely to stop them either. Better to go after the criminals than the victims. I'm not a fan of laws that screw other people because of what bad people do. Paying a ransom isn't any more "supporting criminals" than being robbed.

 5 months ago 

It will greatly dissuade companies. Executives are willing to risk company money, but not their own freedom. If this is a crime, the penalty may be them going to jail. Most are not willing to do that.

And here is the reality for those that pay, both individuals and companies, the attacker will simply extort them forever. They will threaten to expose the 'victim' as breaking the law and paying the ransom. So they can demand ransoms indefinitely and they will have the data to show the ransom was paid. A perfect permanent paycheck for attackers.

Most of these "ransomware" attacks have to do with holding data hostage in the sense that the owner of the data can't get to it because it has been encrypted by the attacker, not because it is necessarily damaging if exposed (though of course it could be). Ransom is generally paid when the cost to recover the data is more than the ransom. Perhaps because they have a poor backup strategy in place or the time lost would be more costly. I would assume most companies hit by this type of attack would take precautions so that it wouldn't happen again or that they could at least recover quickly (better security, more frequent back-ups, etc.). Obviously, it is a different story if the release of the data would be damaging. In that case a ransom does no good for the reasons you say.

But again, executives don't have to worry about going to jail if the method of payment is untraceable. Good luck proving a particular executive was responsible for executing a bitcoin transaction. I still vote for punishing the people actually committing the crime. Not those who are being extorted.

 5 months ago 

Executives will worry. First, the extortionist will then threaten to report the executives to the authorities. Now they have a victim forever. Second, even if they do pay and get the keys, it takes a lot of people and hard work to decrypt. It will be obvious to many people, any of whom could report the company or extort the executives themselves. C-suite people, in their comfy chairs, don't want those kinds of risks, where they can go to jail.

Sure, they'll worry. But they'll figure out how to send Bitcoin anonymously if it saves them tens or even hundreds of millions of dollars and their jobs. Why on earth, as taxpayers, would we want to spend the time and money to prosecute victims (especially when it will probably be difficult and costly to do) instead of the criminals? If it is cheaper for companies to learn to protect themselves from such attacks then they will learn to do so. If ransomware gets too out of hand it will be the cause of its own destruction as it becomes more difficult and less effective.

Don't get me wrong, I hate ransomware and I hate the idea of giving those people money. But the idea of government being too incompetent or otherwise incapable of stopping these criminals and instead going after the victims is a terrible idea.

 5 months ago 

If it is criminal, then sending it risks their job, future employment, and freedom. Not sending it means they are simply following the law like everyone else. Nobody gets fired for doing what everyone else must do.

It is not about spending vast amounts of taxpayer dollars on prosecution. Likely just one will send a message. But stopping the payments will help everyone, to the tune of hundreds of billions of dollars. Otherwise our tax dollars go to fighting ransomware in ways that are not effective. This is actually better for the taxpayer.

Keep in mind, many of these 'companies' actually provide critical infrastructure to citizens: clean water, electricity, Internet, gas, transportation, food supplies, etc. Impacts to them translate to great impacts to all citizens.

Criminalizing the payments creates a forcing function for businesses to better protect themselves while it greatly undermines the motivation for attackers, thereby reducing the number of attacks. It is an effective and efficient way of reducing the risks of ransomware.

I guess that's where we disagree. I don't believe it would be efficient or effective...and it punishes the wrong people.