Firms That Promised Ransomware Decryption Almost Always Just Pay the Hackers (propublica.org)
397 points by jkao-propublica 41 days ago | 137 comments

Hey HN, I'm a reporter at the non-profit newsroom ProPublica. I used to be a software engineer in the Bay Area, but now I work primarily with data and code for news investigations.

We published a story today that found that a lot of the firms touting their ransomware decryption services actually end up paying the hackers (often behind the client's back) and then tacking on a fee.

Thought you all would find it interesting. A great tidbit that my reporting partner Renee uncovered: a former deputy FBI director was paid to promote MonsterCloud, while knowing that they paid bitcoin to cybercriminals.

He's also a former TSA director. So of course, he partnered with their CEO on a side biz to put massage chairs in airports. ¯\_(ツ)_/¯

Anyway, thought this would be a story that HN would enjoy. Would love to hear y'all's thoughts since this is the community with the expertise & experience to comment. If you have things (ransomware or otherwise) you think we should look into, would love to hear as well. :-)

>put massage chairs in airports //

Do the chairs hack your phone or something, I've never seen anyone pay to use one, only sit on them without paying.

They have them in motorway service stations in UK as well as at airports.

> a former deputy FBI director

> He's also a former TSA director.

That narrows it down a bit. With a name like that you'd hope he was more of a straight shooter.

From the article:

> former FBI Deputy Director John Pistole

I don't think it matters if the people are from Iran. It's still people messing with a hospital and paying them, for now, is the best strategy. Then a system put in to where paying them isn't necessary.

Well we're talking about the TSA here.

Thousands Standing Around, now with added massage chairs.

I would encourage you to read more political news/geopolitical discussion.

What does this comment mean? Like, read more in general, or what?

Yes, and about the topics I mentioned.

That wasn't helpful. Instead of repeating a vaguely condescending remark, please elaborate on what you think he needs to learn.

Um, guys, this is a little embarrassing but I was literally just making a lame pun about the dude's name.

awkward finger guns

I liked it. I even curled my upper lip appreciatively after reading and let out a derisive snort. At least I hope that's what it was.

I feel this is actually a decent service for a few reasons:

- Many average users don't want to understand cryptocurrencies, how to safely and securely buy and use it is a challenge in and of itself.

- They're on the hook and the client pays nothing if the ransomer fails to provide a working key.

- They'll also manage the ransom decryption software - if there's problems with it there are 3rd party tools that can often do a better job of decryption than the original decryption tool, again, this is something that's going to be complicated for average users to deal with.

- For some ransomware there are decryption processes available without the need to pay the ransom, figuring out which of these applies can be challenging

- Certain institutions may be unable or unwilling to work with the attacker directly - introducing a middle man to broker can help solve this.

Overall the piece seems somewhat hyperbolic.

Yeah, seems like a great service to a certain degree. But it's not the service they're selling and they're lying to their customers. Their service incentivizes ransomware authors, so this absolutely needs transparency. I assume most people go to them because they want the problem solved but they feel they shouldn't be paying the hostage takers. "we don't negotiate with terrorists" comes to mind. So if this service is doing exactly this and making the situation worse for everybody else, this is something that needs to be consciously weighed off and decided by the people considering their services.

If they're making money from ransomware they have no incentive to stop or prevent ransomware. Being the English speaking liaison for ransomware isn't really that different from being an accomplice after a certain point, they both get their cut as long as the industry is booming.

I wonder how many of these "white hat middlemen" are also the ransomware owners...

Obviously the two companies collaborating would give benefits to each other, and it might just be a convenient way to separate the illegal from the legal...

This was my first thought as well. What’s the biggest risk when you’re paying the ransom? That the thief will run off with the bitcoin without providing the key. The easiest way to mitigate that risk is to either collaborate with the thieves or become the thieves.

Bet they run the Antivirus companies too! It's all a racket!

It can be better to know, but ignore the truth, to avoid unsavoury corporate discussions like:

“Are we paying a bribe? I’ll have to create a new line item in SAP for that” asks Alice from accounting,


“I need them to sign this form saying they haven’t tortured anyone in the past 5 years”, Bob from procurement auditing.


“Please have one of their senior directors sign this form declaring that none of their funds employees are based in any of these embargoed countries. I’ve attached the list.” Charlie from legal

> Their service incentivizes ransomware authors, so this absolutely needs transparency.

I don't think that companies that offer ransomware decryption services have a problem with this incentive. More ransomware means more customers for their "decryption services". ;-)

For most people, they want their problem solved, plain and simple. And they rather not know the details on how you solved it or how it affects others. Especially when it comes to something as urgent as someone holding your data hostage. So to a degree, I am OK with this service.

> they want their problem solved, plain and simple. And they rather not know the details on how you solved it or how it affects others

In general, this sounds like a dangerous attitude. Asking people to do "whatever it takes" to solve an immediate problem, with no consideration of wider or longer-term effects, frequently leads to more trouble in the end.

Yep, I agree, but it's easier said than done, especially when there's a hair on fire situation.

Wow, is the world drowning in cynicism? I want a service that breaks the ransomware encryption and researches into that direction to ultimately make the incredibly hurtful extortion of vulnerable computer users not viable. To me these companies are criminals if they facilitate the extortion.

Exactly at this point the "decrypter" companies are just partners of the cyber-criminals, they have the same incentives, share the same profits and both are unethical.

Not quite the same incentive - one needs to stay anonymous as they are breaking the law, and the other is legal and can operate in plain sight.

It's legal to lie about paying the extortioners?

At worst, it’s breach of contract. At best, it makes the accounting and legal checks on your supplier very easy.

$10k to Bob’s IT consultancy within the same state is a lot easier than $10k that ultimately leads to a country that may be embargoed.

> easier than $10k that ultimately leads to a country that may be embargoed

In which case the middleman/coconspirator would add one more, completely unrelated crime to their list.

Those aren't incentives, those are just operational parameters.

The incentive in both cases is money, specifically from people who feel vulnerable enough to pay but not so vulnerable that they give up hope.

front-end vs back-end

sales vs engineering

triage vs diagnostics

collections vs billing

Sounds like a complete service being offered by two separate legal entities with the purpose to evade.

Most ransomware is using standard public key cryptography, there is no chance of breaking it. If it is broken, only the intelligence agencies would know. They wouldn't use this weapon on something so trivial.

In that case companies shouldn't be advertising services they cannot provide without facilitating crime (especially since they lie and tell their customers they aren't paying the criminals). Smells an awful lot like fraud, if not an outright criminal conspiracy given they are skimming the proceeds of a crime.

Lots of ransomware is very poorly written. There have been a number of ransomware cases in which people were able to recover the keys.

There is indeed such a service, it's called "versioned remote backup". As long as the ransomware is not specifically targeting the backup client in order to damage the backed-up files, you just reinstall and restore.

And all of that would be a fine service if they were honest about it.

Plausible deniability for a CTO that doesn't want to be known for negotiating with terrorists As A Service?

TNaaS: Terrorist Negotiation as a Service. It's the biggest new craze since blockchain.

There already exists ransom insurance (the real-life kind of ransom), and private ransom negotiators, so TNaaS isn't such a stretch at this point.

Professional negotiator is a well respected role and they're used all the time by police etc. This seems like a fairly direct analogue, so...?

(Full disclosure since someone else was asking for it: I have nothing to do with any of this stuff.)

Other than the fact that they are directly facilitating crime...

It would be a crime to put hospital patients in danger

I'd throw two more hats into that ring:

- It looks bad to the public if companies directly pay the ransomware creator. Decryption companies can act as a PR "buffer" in that respect.

- By funneling the Western world's contact with ransomware creators through a small number of companies, we create an incentive for ransomware creators to follow through with providing the decryption keys and not play games with the price. If they fail to hold up their end of the bargain, their reputation will immediately be ruined within the small number of companies that do this.

And surely there is nothing wrong with the alignment of ransomware authors' and this friendly service's incentives.

It would be decent if it openly advertised as middleman broker service for paying the ransom to the criminals. False advertising is always a bad sign - if you need to hide what you're doing from your client, you know the client wouldn't like it, and are setting up to deceive them.

Full disclosure?

I'd never heard of this historical precedent:

> The father of ransomware was Harvard-educated anthropologist Joseph L. Popp Jr. While researching the theory that AIDS originated in green monkeys in East Africa, Popp in 1989 mailed more than 20,000 floppy disks about AIDS education to people interested in public health. When recipients ran the disk, their computers froze, and a message on the screen instructed them to send up to $378 to a post office box in Panama for a second disk that would restore their access.

I found this interesting story with details about how he was caught, set free, and left behind an unusual legacy including founding an eponymous butterfly conservatory. https://medium.com/un-hackable/the-bizarre-pre-internet-hist...

Interesting, thanks! This reminds me of all the random shareware we'd get on floppies in the early 90s, Apogee and such.

Holy crap, that message:

> ATTENTION I have been elected to inform you that throughout your process of collecting and executing files, you have accdientally ¶HÜ¢KΣ► yourself over: again, that's PHUCKED yourself over. No, it cannot be; YES, it CAN be, a √ìτûs has infected your system. Now what do you have to say about that? HAHAHAHAHA. Have ¶HÜÑ with this one and remember, there is NO cure for AIDS.

This isn't the AIDS malware in question. You are looking for Aids Info Disk/PC Cyborg Trojan.

No, message was a bit more inconspicuous. https://pastebin.com/U6zHcN8k

I choose to believe he made the computer virus as an abstract metaphor for aids.

> Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments.

I didn’t think Bitcoin transactions were intended to be anonymous and difficult to track, why would Bitcoin use a public ledger if that was the intention? I was under the impression other cryptocurrencies are trying to solve for “anonymous and difficult to track.”

The term is pseudonymous - the list of all transactions is available for anyone to look at but in theory you can't link bitcoin addresses to people.

However, in practice, most people buy bitcoins via a method that requires ID, which links their ID to one of their addresses. Multiple addresses can then be linked together by cluster analysis based on usage patterns
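The linking step this comment describes, as an added example that is not part of the original thread: one common form of cluster analysis is the common-input-ownership heuristic, which assumes that all addresses spent together as inputs of one transaction share an owner. The transactions, addresses and owner label below are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed ledger excerpt: every address and txid here is made up.
TXS = [
    {"txid": "tx1", "inputs": ["addr_A", "addr_B"], "outputs": ["addr_X"]},
    {"txid": "tx2", "inputs": ["addr_B", "addr_C"], "outputs": ["addr_Y"]},
    {"txid": "tx3", "inputs": ["addr_D"], "outputs": ["addr_Z"]},
    {"txid": "tx4", "inputs": ["addr_E", "addr_F"], "outputs": ["addr_A"]},
]

# Constructed identity link: the one address bought through an ID-checked venue.
KNOWN_OWNERS = {"addr_C": "exchange customer 1 (constructed)"}


class UnionFind:
    """Disjoint-set structure used to merge addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            # Path halving keeps later lookups cheap.
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def cluster_addresses(txs):
    """Merge addresses that appear together as inputs of a transaction.

    Outputs are registered but never merged: paying someone does not make
    the payer and the payee the same entity. Transactions built jointly by
    several parties (CoinJoin-style mixing) break the assumption.
    """
    uf = UnionFind()
    for tx in txs:
        inputs = tx["inputs"]
        for addr in inputs + tx["outputs"]:
            uf.find(addr)  # register every address, even singletons
        for other in inputs[1:]:
            uf.union(inputs[0], other)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return [frozenset(members) for members in clusters.values()]


def attribute(txs, known_owners):
    """Spread a known identity to every address in the same cluster.

    A cluster carrying two different labels is left unattributed, since
    that signals the heuristic merged unrelated owners.
    """
    owners = {}
    for cluster in cluster_addresses(txs):
        labels = {known_owners[a] for a in cluster if a in known_owners}
        if len(labels) == 1:
            label = next(iter(labels))
            for addr in cluster:
                owners[addr] = label
    return owners


if __name__ == "__main__":
    for addr, owner in sorted(attribute(TXS, KNOWN_OWNERS).items()):
        print(addr, "->", owner)
```

A single identified address (`addr_C`) is enough to attribute `addr_A` and `addr_B` as well, while `addr_E` and `addr_F` stay a separate, unlabelled cluster even though they paid `addr_A`.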

They are intended to be roughly anonymous, as in not-identifiable, not untraceable. Bitcoin also predates all other cryptocurrencies, and is the most widely used or prolific.

Last I checked, there were also several operational mixing services that would gladly launder your funds for you (for a nominal fee). It's more surprising to me that they didn't end up using a system like this before performing the final payment capture. But maybe if they're overseas, they don't care?

What other cryptocurrencies are trying to solve is making transactions anonymous and hidden by default. You can hide your identity and tumble your coins to achieve both in bitcoin if you know what you are doing. But there are plenty of stories of people who did not know how to use Bitcoin in an anonymous way and investigators were able to track transactions.

They are anonymous because although you can see the ledger, you don’t know who is the owner. All the ledger says is ‘whoever knows the private key for this public key can spend this money’. You can still catch people once they convert it to normal currencies though.


How do we know that they (MonsterCloud) weren't also the criminals on the other side of the bitcoin transaction?

Is it possible this was all a giant payola/extortion ring?

I mean, the criminals were just that reliable, organized and scrupulous about unlocking their victims?

If it became known that ransomware criminals never actually decrypt your data they would lose their "business", so it is in their interest to actually do it.

It certainly is not impossible that the decrypting company would be so scummy but it is in the same vein as accusing a home security company financing burglars to go on rampage.

> If it became known that ransomware criminals never actually decrypt your data they would lose their "business", so it is in their interest to actually do it.

This opens up one of those weird moral dilemmas akin to asking whether it's moral to hack someone's exposed device to patch a security hole: Would it actually be a net positive to create a ransomware variant that had no decryption key, but acted like it did?

There've been a few cases where the ransomware was not decryptable - sites like BleepingComputer frequently discuss which ransomware have been cracked by researchers, which are currently actively run and will provide keys and which are undecryptable and you shouldn't pay in any circumstances. Basically it just makes things more complicated, but people are still willing to pay if they can in their specific case and the one they're infected with is reported as regularly providing good keys.

This was my first thought. Why not be on both sides of this. Make double the money

quote 1 : “The reason we have such a high recovery rate is that we know who these attackers are and their typical methods of operation,” he said. “Those victims of attacks should never make contact themselves and pay the ransom because they don’t know who they are dealing with.”

quote 2: " It stopped dealing with the SamSam hackers after the U.S. government identified them as Iranian and took action against them, he said. Until then, he said, the company did not know they were affiliated with Iran. "

There you have it, the way of the managers, lie lie and more lies, as long as $$$ can be made.

Also this. Quote: "Witherspoon was especially impressed by his primary contact at MonsterCloud, Zack Green. “Zack’s title, dear God, it’s a mile long title. He seems to know a lot.” Green’s titles on his email signature include “Ransomware Recovery Expert,” “Cyber Counterterrorism Expert,” “Cyber Crime Prevention Expert” and “Cyber Intelligence Threat Specialist.” We called MonsterCloud asking for Green but were told he was in a meeting."

In my experience on dealing with US managers, the longer the titles they have, the dumber the person is.

Sounds more like a bullshit artist than an idiot.. otherwise they wouldn't be getting enough jobs to stay a profitable enterprise.

> the longer the titles they have, the dumber the person is.

"I've been here 3 years, I want a promotion...."

"Here's a pointless fancier title with no pay bump"

I guess the only surprising part to me was paying behind the client's back and charging a little more.

Because on the surface, of course you pay the ransom! I specifically selected insurance that stated up front they would pay a ransom if they had to. I think this has to be fairly common knowledge outside of infosec.

Perhaps some CTO/CIO/CFO types would rather the peace of mind or the idea that they aren’t helping these ransom-entrepreneurs out by paying them.

MonsterCloud quote: “Our goal is to restore the data and help the customer. If we need to walk to the moon on broken glass, we will. We don’t care how, what, where, whatever. Our goal is to get the data out.” Sounds like if they don't care how, paying the criminals is a viable option for them.

I love propublica and donate monthly. Good to see it getting some great tech coverage. Thanks for your reporting!

Thanks for the reminder to donate, they really do fine work. AC Thompson is an acquaintance and his coverage of fringe extremists is thorough and anxiety inducing, but his investigations have led to bad guys going to jail many times over.

Buying discounted receivables is one of the oldest businesses around. That it happens to be for a criminal ransomware organization is new.

The instinct to contact ransomers and say, "hey, I see you have some uncertainty in how much money you are going to collect. Do you want a guaranteed amount now, or a risk adjusted figure later? If now, I can offer you $x for a key I can use on as many customers as I can..."

Ethics aside, that's really impressive deal making.

Let's be honest. There's only one way this ends. You have vigilante ransomware dudes who promise to decrypt the ransomed stuff and then abscond with the money. Poison the well and people will just assume they've lost the data.

That actually would probably work... especially if the vigilantes masqueraded as the “genuine” hackers convincingly. Then you (or the companies covered in TFA) would just have no way of knowing whether there is any chance of recovering the data for real.

As the probability of recovery goes down, the likelihood of being willing to pay the ransom also goes down.

Though in a way this feels a bit like going around _actually shooting_ people in order to “poison the well” for a group that goes around _threatening to shoot_ people, but not actually shooting them if they pay up.

Yes, and also with the guys not actually shooting if you pay working hard on establishing a brand everyone can "trust". They could for instance sign their releases of malware so it couldn't easily be spoofed by the proposed vigilantes.

Another option would be to hire a data security firm to do ongoing penetration testing at your business, perhaps even to the point of supplying employee email addresses. Then if the business is penetrated by the security firm, they can give notifications of what needs to change, who needs to be educated about clicking on email links, etc.

Why am I not surprised?

They just provide plausible deniability to clients, who may not be able to pay the ransom for legal reasons.

Or their clients are naive and don’t recognize that they’re being charged more to “decrypt” than the cost of the ransom, or (plausibly) the client is intentionally not paying the ransom because they (incorrectly) believe it means they aren’t giving money to criminals.

Or they maintain back channels to the groups and negotiate discounted rates on the basis of reliability of pay outs.

I was actually wondering about that - or alternatively ye olde protection racket type thing: they being the original authors of the attack.

Of course it’s much more plausible that they’re just scumbags looking to make an “honest” profit of a criminal act.

We aren't being presented any evidence that they are playing both sides of the table that brazenly. However, I can't see a situation where if the firm were in a position to stop the ransomware globally that they would actually do so.

Maybe an altruistic individual within the company, but not as a directed managerial effort.

Like I said - probably just general scummy behavior rather than criminal behaviour

I believe they would because the press will be worth it for future business. Not all ransomware but certain strains.

If they are a UK company with a prominent young leader it seems just as likely to get you investigated or indicted.

The article says there are groups that will do this for you explicitly, and one hopes for lower fees than the companies that claimed they were doing it without paying the ransom.

As much as I want to appreciate this story, it's lines like this that reflect poorly on its authenticity:

> In a video posted online touting MonsterCloud’s services, Pinhasi wears a dark suit and tie and rimless glasses. At lunch, the 43-year-old sported a white long-sleeve T-shirt emblazoned with the logo of teen retailer Abercrombie & Fitch.

How does this subtract from authenticity? It's literally facts.

How is it an ad hominem attack to describe his attire? You could argue it's irrelevant, but you'd find such descriptions in nearly any piece of this sort.


It is a clear ad hominem attack on Pinhasi. It adds nothing to the story, especially without context. This piece masquerades as a serious discussion about the ethics of ransomware services but goes out of its way to equate their personal habits with that of their business.

Unless you've got tools on the level of what the CIA or NSA has, you're probably not cracking the encryption, but I agree it's bad to mislead your clients (and also creates some conflict of interest concerns). It kind of reminds me of when a family member is having computer problems and asks me to fix things. They think I have some sort of deep knowledge of how the computer works and can pinpoint their exact problem to fix it, when in reality I just back up their files and reinstall Windows without really knowing why things were messed up.

Outsourcing the "we don't negotiate with terrorists" problem...

This must be a result of pure ignorance of the victims.

As far as I understand, ransomware simply applies RSA on the victim's data. If the victims understood what that meant, they would understand that it is entirely unrecoverable. The data is simply gone without the private key.

If the data were recoverable that would mean RSA had been broken, and the entire world would know about that. Normal people would understand because the global financial system would need to stop entirely while they switched to a new algorithm.

There have been plenty of documented cases of crypto-related software having bugs which allowed for full decryption (including many examples of it happening in the land of ransomware which doesn't need strong encryption to extort money out of technically-illiterate people).

If you are being sold a product which is based on a lie (let alone a lie that you won't pay criminals and skim money off the proceeds of the crime), then it is always the fault of the seller. Blaming the people who were lied to as being ignorant is a bit rich.

(Also, RSA is not really efficient for encrypting large amounts of data. I'm willing to bet that most ransomware uses secret-key crypto like AES or ChaCha20 for the actual encryption and then transmits the secret key back to the C&C server or does some form of key-exchange to generate a secret key. Which means that the attacked machine had a copy of the secret key at some point.)

That assumes they applied the encryption correctly. There are many ways to mess it up, and there has been anti-ransomware software made for buggy versions of ransomware in the past.

There are implementation details that could make the data recoverable even when RSA is used. The data itself is typically encrypted using a symmetric cipher (e.g. AES) and the key used for it would be encrypted using RSA. However, if the key for the symmetric algorithm was generated in a predictable way (e.g. using a pseudo-RNG initialized from the system time), it could be possible to bruteforce it in reasonable time.
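The recovery path this comment describes, as an added example that is not part of the original thread: when the symmetric key comes from a non-cryptographic PRNG seeded with the system time, a responder can walk candidate seeds back from the encrypted file's modification time and test each key against a known file header. The toy SHA-256 keystream cipher (standing in for AES), the PDF header check, and all names and sample values are assumptions constructed for illustration.

```python
import hashlib
import random
import secrets

PDF_MAGIC = b"%PDF-1."  # known plaintext: many file formats start with fixed bytes


def weak_key(seed: int) -> bytes:
    """The flaw (constructed): a 16-byte key drawn from a non-cryptographic
    PRNG seeded with a Unix timestamp, so the seed fully determines the key."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(16))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for AES so the
    example needs only the standard library. XOR makes it its own inverse."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(c ^ p for c, p in zip(chunk, pad))
    return bytes(out)


def recover_key(ciphertext: bytes, not_after: int, window_s: int,
                magic: bytes = PDF_MAGIC):
    """Try every seed in [not_after - window_s, not_after], newest first.

    not_after is an upper bound on when the key was generated, for example
    the encrypted file's modification time. A candidate is accepted when the
    decrypted prefix equals the expected file header. Returns (seed, key),
    or None when no seed in the window fits.
    """
    prefix = ciphertext[:len(magic)]
    for seed in range(not_after, not_after - window_s - 1, -1):
        key = weak_key(seed)
        if keystream_xor(key, prefix) == magic:
            return seed, key
    return None


# Constructed sample data: one file encrypted under a time-seeded key, and the
# same file encrypted under a key from the OS CSPRNG for comparison.
SAMPLE_PLAINTEXT = b"%PDF-1.4\n% constructed sample document body\n"
FILE_MTIME = 1_557_900_000          # constructed timestamp
SECRET_SEED = FILE_MTIME - 137      # key was generated 137 s before the write
WEAK_CT = keystream_xor(weak_key(SECRET_SEED), SAMPLE_PLAINTEXT)
STRONG_CT = keystream_xor(secrets.token_bytes(16), SAMPLE_PLAINTEXT)


def demo():
    """Search a one-hour window for both ciphertexts."""
    hit = recover_key(WEAK_CT, FILE_MTIME, 3600)
    recovered = keystream_xor(hit[1], WEAK_CT) if hit else None
    miss = recover_key(STRONG_CT, FILE_MTIME, 3600)
    return hit, recovered, miss


if __name__ == "__main__":
    hit, recovered, miss = demo()
    print("time-seeded key :", hit[0] if hit else None, recovered)
    print("CSPRNG key      :", miss)
```

The search space is the number of seconds in the window rather than 2^128 keys, which is why the time-seeded case falls in milliseconds and the CSPRNG case yields nothing.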

Just because RSA is secure doesn't mean that the specific implementation will be. I've read about versions of this where the decryption key was held in a specific location in RAM for example.

It's worth checking it's not fake ransomware - that claims to encrypt your files, but ... doesn't actually bother!

c.f. https://www.infoworld.com/article/3062552/how-to-tell-if-you...

Sort of off topic: If your data is important, back it up to something that automation, daemons and users can't tamper with. i.e. Immutable after ${n} minutes or hours. Replicate that data to multiple places and ensure it is also immutable in that location. I think everyone knows this, but make excuses not to do it. i.e. cost, laziness, indifference, risk takers, etc.

Don't the hackers almost always just take your money and demand more without actually decrypting anything?

No, that is counter to their making money. The way to make money through ransoming something on a regular basis is to always ensure you follow through.

There are actual cases in history of ransomers attacking fellow ransomers who don't follow through for hurting the shared business model.

I think that time has passed. I've heard of too many cases of "ransomware" that just wipes your disks and asks for money that I wouldn't pay up.

"True" ransomware requires a key management infrastructure with a capacity for delivering a service. Setting up a bitcoin recipient takes next to no resources. If you were criminally minded, what would you do?

It would harm the ransomware-maker's reputation? Just pick a new name every week.

At least one ransomware program gives you the option to pick one file to decrypt for free, to prove that the files can be recovered.

Fine, I won't really delete the files, but move them all into a hidden ZIP file. When the user picks the one file to rescue, the code will pull that file out then delete the ZIP. You've got an hour to make your choice before the ZIP gets deleted anyway.

Remember, ransomware-makers aren't providing a service anyone wants. They have inserted themselves into the system and only care about getting their victim's money.

I'd expect them to increase the price for decrypting this particular file you've chosen rather than actually decrypting it then.

You're assuming the knowledge on how to make a ransomware business is freely disseminated. It's not, there are very particular darknet websites and societies that keep each other updated on the latest techniques and likely targets for attack. It is trivial for them to hear about an attack where the person didn't follow through on the unlock and at that point they just freeze the offender out of their "club".

It is that way in the ransomware/game cracking/early piracy(before release) "scene"

I am an ordinary software engineer and I could build "ransomware" that does nothing but wipe the victim's disks and demands money be paid to a hard-coded bitcoin address in a convincing looking way. I don't need criminal contacts to do that.

Sure you'd succeed...once. Then how do you find another target that would also work with your delivery system? What companies have data sensitive enough for a ransom attack to work? Making a living off ransomware isn't easy if you're a lone wolf.

In this hypothetical, I'm not delivering actual ransomware, but something that just demands money and will never actually release the files.

But this is my original point. Someone hit by an attack has no way of knowing what type of attacker they are facing.

Will the attacker return my files if I pay up? They might, but there's a very reasonable possibility they can't or won't. Remember, they just want your money. They have no reputation to maintain because they're already criminals.

No, the reputation they have to maintain is of following through on their threats, i.e. maintain their aura of fear. If I KNOW a ransomware attack means an instant loss of data it takes away the sting - it just becomes the same as if the hard drive containing the data went poof. However if there is a chance for me to get the data back you better believe I will try as hard as I can to get the password from the datajackers.

> Just pick a new name every week.

Can't a bitcoin (or whatever a cryptocurrency) recipient ID be used as a brand name?

That's only true if you have an established brand that is hard to forge. Or if enforcement of the shared brand is reliable enough to deter exploiters. But the whole point of ransomware attacks is that they're hard to trace and are being performed by people who are insensitive to enforcement. So my expectation is that it's a crapshoot and always will be.

Sounds like you wouldn't need clout in the ransomware community if you snagged a big enough cow to keep milking. What's to stop you from just not following through? It's a file system and you are a completely anonymous hacker located anywhere on earth, not a physical hostage that the CIA could extract and shoot you in the head in the process. There's no incentive at all to follow through, you can lock it again and disappear into thin air if you wanted.

Yes and no. One offs that are personally targeted at you or anonymous scams, it makes sense to just keep asking for more money.

But when ransomware has a name, it needs a “good” reputation to be successful. Just paying must be a well known and publicised way to get your files back - that’s what makes it easier to everyone to just pay. If the ransomware gains a reputation for not holding up their end, no one will pay.

Why does a ransomware need a name and reputation? The results should speak for themselves if the program works. If the files are critical, people will pay as much as they possibly can.

People will not pay unless they believe the files will be unlocked, which they will do en masse only if they have some publicity with positive indications it’ll work or at least a lack of negative indications that it won’t.

If ransomware gets a reputation of not unlocking on payment, then it degenerates into a virus and you’ll have mainstream news media telling people not to bother paying.

That would be an insta-kill of their business-model. In reality they are very helpful and are known to even accept post-deadline payments etc.

Who are their returning customers? It's strange to refer to literal extortion as a "business model".

In a previous life, I supported a local govt and I had a judge get a different variant of the cryptowall virus 6 times before I took his "work" PC away. His real work PC was controlled by the state and not me, hence the quotes.

That's the type of person who is a repeat offender. He could never tell me how he got the virus, but some recon between email and internet history showed otherwise. He loved clicking on EVERYTHING while "researching" cases. I get the research, but a lot of court cases probably aren't on page 20 of google on some shady half English sites either.

Lots of fun in local government.

/also I just restored from backups each time but they were ready to pay to have "all their data restored."

Reminds me of doing tech support for my father in law the lawyer. Clicked on everything, including tons of porn malware. I fixed and added what security and regular backups I could and never said a word about it. Several re-installs later he put me in his will, worked out well for everyone.

People saving on education and best practices.

That might actually be where these companies are useful.

They can do that to you because there is no benefit to them to decrypting (and a cost/risk that these actions aid in them getting caught).

If a single company handles hundreds of ransoms then not decrypting for them removes a lot of future revenue potential.

Of course they pay them, who actually believes these firms are capable of breaking the encryption? This is digital hostage taking, you pay the hostage takers, you don't try and fight them.

I think there's a case to be made for making ransom payments illegal. Allowing such payments only encourages the development of newer, more sophisticated ransomware.

There needs to be more accountability for Bitcoin, solve btc and you solve a lot of these hacks...

The lack of accountability in btc is considered a feature. The fact that funds can be tracked at all is considered a bug, hence monero and zerocoin etc.

Not just a feature, it's the reason for Bitcoin's existence.

One of maaaaany.

I'm no bitcoin fanatic but the number of scams out there that involve transferring money into a traditional bank account indicates that accountability doesn't solve anything.

What percentage of ransomware attacks involve direct bank transfers? I'm guessing it's minuscule. Better accountability might not solve anything, but it will certainly reduce the scale of the problem, which is generally the best we can hope for.

Umm no... The entire purpose of bitcoin is to remove accountability, to make a digital version of cash that can not be blocked, censored, or regulated by governments or corporations.

See, some people like the idea of freedom

In this case criminals.

Ok, and criminals use cash as well, would you be in favor of a cashless society?

Somehow I bet you would, with understanding the complete ramifications of such a society

Is this legal?

K&R insurance is legal, so why not?

K&R == kidnap & ransom
