RE: Paying Ransomware Should be Illegal


Okay, you put a lot of thought and effort into your response. I will do the same and address your points and questions.
The problem still exists in Colombia. One of the major issues is that it became so profitable that it created corruption with officials, similar to what the cocaine trade has done there. This is one of the terrible side effects when crime is allowed to run rampant. It warps the very system that should be stopping it. We don’t want that to happen with cybercrime and yet we are already seeing cybersecurity product/services companies go that direction because they have a financial incentive. Ransomware and other attacks drive up sales. So, many cybersecurity firms DON’T want paying ransoms to be outlawed as it will be too effective in stopping ransomware.
Outlawing paying ransoms is not punishing victims. It is putting controls in place to greatly LESSEN the number of victims and impacts to the nation in the long term.
There are NOT reasonable controls to stop ransomware. This is why it is growing so fast and we are seeing big corporations and government agencies get impacted.
Ransomware has been around for decades and has continued to grow even in the face of new products, services, and the ‘adaptation’ you are referring to.
I know, I have been in the industry for over 30 years and consult to academia, businesses, and governments around the globe. I also work with some of the biggest cybersecurity companies.
I can tell you that the attackers are actually adapting faster than the security, in large part because of the massive injection of funding they are receiving from ransom payments! This must stop, otherwise security tech won’t catch up.
Ransoms for businesses (source of the survey) were in the 200k-2mil range. This is not the range for when grandma gets ransomware and can’t access pictures of her grandchildren. That is much lower. Also, there are a ton of metrics coming out with a trend of ever higher top-end ransom ranges. More studies will be published next quarter.
The 2031 figure is a predictive estimate. We do these in the industry and publish the results so we can be held accountable later on to see if it was a good prediction. Cybercrime Magazine published those numbers. Here is the source: https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/
Mitigation (prevention) of attacks is a weak point. Sure if you ‘can’ do it the problem goes away. The point is it is not possible given all the other constraints (usability, human interaction, reliance on code, human errors, social engineering, HW/FW/OS/App vulnerabilities, etc.). It is HUGELY complex and tech is constantly changing.
Government enforcement is simple. Pass a law to make it criminal to pay ransoms. In that one act, most executives would not risk jail time or the end of their career. And practically, it is not easy to hide a ransomware infection, hide spending millions to buy a key, and hide using that decryption key to restore files. Many people will be involved. It just takes one to whistle-blow (and there are financial rewards for doing it too).
Even more likely is that the cybercriminals, who are extorting for the unlock key, will simply then shift to extort the payer because they broke the law (in paying the ransom). They can make demands forever as the evidence is permanently stored in the blockchain, email, etc.
For laws to be effective, the government doesn’t need to catch and prosecute everyone. It is about deterrence.
Payments are absolutely material support to the enemy. The criminals are the enemy. Payments are financial resources that will both motivate and facilitate them to improve, scale, and continue more attacks.
We cannot look at this as a one company or one payment situation. This is a systemic problem where everyone is connected and affected. If you pay a ransom to ‘save’ your company, that attacker then might take down a hospital, power grid, or water supply later on. The problem just gets bigger. This is why we have laws, to consider the greater good when individuals want to pursue what is best for themselves.
The OFAC just came out with those rules this year. But it is too narrow a scope and organizations are going around it. A full fledged law needs to be passed.

4 comments
The problem still exists in Colombia. One of the major issues is that it became so profitable that it created corruption with officials, similar to what the cocaine trade has done there. This is one of the terrible side effects when crime is allowed to run rampant. It warps the very system that should be stopping it. We don’t want that to happen with cybercrime and yet we are already seeing cybersecurity product/services companies go that direction because they have a financial incentive. Ransomware and other attacks drive up sales. So, many cybersecurity firms DON’T want paying ransoms to be outlawed as it will be too effective in stopping ransomware.

Yes, the problem still exists in Colombia in that kidnappings are not at 0. However, they are down over 90% since the peak. Without outlawing ransoms. I am not suggesting that we allow cybercrime to run rampant, I am suggesting methods other than punishing those victimized by cybercrime.

Outlawing paying ransoms is not punishing victims.

Yes, it is. That may not be the intent but if you are faced with going out of business or losing a loved one because you are the victim of a cyberattack or a kidnapping and you could solve the problem by paying a ransom but you cannot legally do it, that is effectively a punishment. At least it is if you pay the ransom and get caught. If you don't pay the ransom then you lose too.

Mitigation (prevention) of attacks is a weak point. Sure if you ‘can’ do it the problem goes away. The point is it is not possible given all the other constraints (usability, human interaction, reliance on code, human errors, social engineering, HW/FW/OS/App vulnerabilities, etc.). It is HUGELY complex and tech is constantly changing. Government enforcement is simple. Pass a law to make it criminal to pay ransoms. In that one act, most executives would not risk jail time or the end of their career. And practically, it is not easy to hide a ransomware infection, hide spending millions to buy a key, and hide using that decryption key to restore files. Many people will be involved. It just takes one to whistle-blow (and there are financial rewards for doing it too). Even more likely is that the cybercriminals, who are extorting for the unlock key, will simply then shift to extort the payer because they broke the law (in paying the ransom). They can make demands forever as the evidence is permanently stored in the blockchain, email, etc.

Yes "prevention" is very hard...but not impossible. However, what is not particularly hard is having mitigation plans that don't just involve prevention but also involve recovery. Recovery is much easier than prevention as long as you have a recovery plan. Cheaper than ransom in most cases too. No company should ever lose a significant amount of data that they can't recover from their own backups.

How effective a law is depends on how likely it is to actually be prosecuted. How costly is it for government to do the investigation necessary to prosecute a person or company that was just trying to put their lives back together? I can think of ways companies could avoid being caught or get around such laws. Once a company has bought crypto, tracking what they do with it can be very difficult (depending on the crypto). They could also hire consulting services to recover their data in other countries. The company would pay them a fee. The consulting service may then use the fee to pay the ransom, or get back the data some other way if they can. That's a simplistic example but there are typically tons of ways for companies to get around laws like this. I see no reason to believe it would be effective. Even if it were effective in reducing the number of attacks, that would be no comfort for those that continued to be victims of cyberattacks. They go from having bad options to no options. As far as cyberattackers making further demands, that would kill their own business so it seems unlikely to happen on a large scale. Some level of honesty is needed in order for extortion to continue working. What keeps companies paying is the fact that other companies that have paid have recovered their data.

Payments are absolutely material support to the enemy.

I'll try to keep that in the back of my mind if I am ever held at gunpoint, literally or figuratively.

Instituting regulations that benefit everyone is not a punishment. Do you consider the privacy laws, that protect everyone's data, punishment? It was also claimed that those privacy laws would 'punish' businesses by causing them to go out of business (they did not). It was fear mongering because people didn't want to change.

Right now, companies are not investing in sufficient prevention or recovery. They are instead relying on cyber-insurance to pay the ransom. That helps nobody but the attackers. Change must occur. What you are proposing is to remain with the status-quo. That only benefits the cybercriminals, cybersecurity firms, and insurance companies. It harms businesses and citizens.

For every way you can think how a company can get around such a law, I can find a very plausible way they get caught and someone goes to jail. Executives generally won't risk that. Again, look at previous regulation that companies then adopt as the 'norm' of doing business. This too would happen with an anti-ransomware payment law. They would simply adjust their policies and processes. It becomes the norm.
