Paying Ransomware Should be Illegal

in STEMGeeks, last year

Ransomware is a growing problem that must be STOPPED! Cybercriminals are accumulating fortunes by impacting individuals, businesses, critical systems, and digital services. Some victims are paying ransoms in the tens of millions of dollars.

In today’s video, I explore a radical option that strategically may defeat ransomware from the inside! I have surveyed the professional community and will chat about the challenges, objections, and opposition to outlawing victims from paying digital extortions to cybercriminals.

You are welcome to vote in the LinkedIn poll and add your comments to the discussion:

Interested in more cybersecurity insights, rants, and strategic viewpoints? Subscribe to the Cybersecurity Insights channel on YouTube:



Ransomware is the absolute worst!

If someone's data is worth that much money to them, making it illegal isn't going to stop them from paying the ransom. Paying a normal ransom isn't illegal either, as far as I know. You can even buy insurance for both cases.

last year

If directly supporting criminals becomes illegal then Insurance companies won't do it either.
It is no longer limited to data, but also uptime of systems (gas lines, electrical grids, water supply infrastructures, emergency services, etc.).
Companies will stop paying if executives realize they could go to jail.

Given that ransom is likely to be paid in bitcoin, proving ransom has been paid could be difficult. Even if they pay cash it could be hard. I don't think such laws would have any practical effect. If a loved one of mine was kidnapped and I could get them back with a ransom, no law would stop me. If a corporation can save millions (or more) by paying a ransom, no law is likely to stop them either. Better to go after the criminals than the not a fan of laws that screw other people because of what bad people do. Paying a ransom isn't any more "supporting criminals" than being robbed.

last year

It will greatly dissuade companies. Executives are willing to risk company money, but not their own freedom. If this is a crime, the penalty may be them going to jail. Most are not willing to do that.

And here is the reality for those that pay, both individuals and companies: the attacker will simply extort them forever. They will threaten to expose the 'victim' as breaking the law and paying the ransom. So they can demand ransoms indefinitely, and they will have the data to show the ransom was paid. A perfect permanent paycheck for attackers.

Most of these "ransomware" attacks have to do with holding data hostage in the sense that the owner of the data can't get to it because it has been encrypted by the attacker, not because it is necessarily damaging if exposed (though of course it could be). Ransom is generally paid when the cost to recover the data is more than the ransom. Perhaps because they have a poor backup strategy in place or the time lost would be more costly. I would assume most companies hit by this type of attack would take precautions so that it wouldn't happen again or that they could at least recover quickly (better security, more frequent back-ups, etc.). Obviously, it is a different story if the release of the data would be damaging. In that case a ransom does no good for the reasons you say.

But again, executives don't have to worry about going to jail if the method of payment is untraceable. Good luck proving a particular executive was responsible for executing a bitcoin transaction. I still vote for punishing the people actually committing the crime, not those who are being extorted.

last year

Executives will worry. First, the extortionist will then threaten the executives with reporting them to the authorities. Now they have a victim forever. Second, even if they do pay and get the keys, it takes a lot of people and hard work to decrypt. It will be obvious to many people, any of whom could report the company or extort the executives themselves. C-suite people, in their comfy chairs, don't want those kinds of risks, where they can go to jail.

Sure, they'll worry. But they'll figure out how to send Bitcoin anonymously if it saves them tens or even hundreds of millions of dollars and their jobs. Why on earth, as taxpayers, would we want to spend the time and money to prosecute victims (especially when it will probably be difficult and costly to do) instead of the criminals? If it is cheaper for companies to learn to protect themselves from such attacks, then they will learn to do so. If ransomware gets too out of hand, it will be the cause of its own destruction as it becomes more difficult and less effective.

Don't get me wrong, I hate ransomware and I hate the idea of giving those people money. But the idea of government being too incompetent or otherwise incapable of stopping these criminals and instead going after the victims is a terrible one.

last year

If it is criminal, then sending it risks their job, future employment, and freedom. Not sending it means they are simply following the law like everyone else. Nobody gets fired for doing what everyone else must do.

It is not about spending vast amounts of taxpayer dollars on prosecution. Likely just one case will send a message. But stopping the payments will help everyone, to the tune of hundreds of billions of dollars. Otherwise our tax dollars go to fighting ransomware in ways that are not effective. This is actually better for the taxpayer.

Keep in mind, many of these 'companies' actually provide critical infrastructure to citizens: clean water, electricity, Internet, gas, transportation, food supplies, etc. Impacts to them translate to great impacts to all citizens.

Criminalizing the payments creates a forcing function for businesses to better protect themselves, while it greatly undermines the motivation for attackers, thereby reducing the number of attacks. It is an effective and efficient way of reducing the risks of ransomware.