We are a small but distributed organisation that was targeted by a ransomware attack some weeks ago. As luck would have it, an employee noticed that something strange was underway in our system and pulled the plug without hesitation or waiting for instructions. Backups saved the day, except for a few days' work of items that were easy to reproduce, as memory was still fresh. I guess we lost less than 30 man-days of work on effort and a little downtime, in a mission-noncritical period, while we ensured (as far as possible) that all was good: no malware remained, no spreading to local computers, reviewing practices, etc.
Do take this seriously: we operate on a yearly budget of a few million EUR, tightly counted, and still we were worth attacking in their eyes. Watch out, all!
Good on your employee who pulled the plug first and asked questions later: that's the sign of an organization where people aren't afraid to do the right thing. Very scary situation.
The answer from Toyota, where this kind of thing (anyone can stop the assembly line if they think there's a problem) originally came from: if the employee reasonably believed there was a problem, they suffer no consequences (and perhaps even get a merit) for pulling the red cord. Because you lose much more money next time there's a real problem, if no-one dares to stop the machine.
This is the correct policy. Many IT security incidents happen because someone’s afraid of raising the alarm.
If an employee opens a phishing attachment or something, they should be able to report it without fear of losing their job so the incident can be contained.
Instead - they are incentivised to say nothing and hope for the best for fear of getting fired.
If yanking the cord on a single system causes losses that are intolerable to the business, the business has serious continuity problems.
It was an employee today, but the cord was going to get yanked anyway. A data center tech who pulled the wrong cable out, a power cut, a backhoe with a taste for fiber, whatever.
So long as the employee was acting as best they could with the information they had, the resultant business implications are really the business's fault. Having a system that cannot be recovered is risky. Assuming that system will never die is foolish. Blaming the employee is pointless.
My vote would be to understand why the employee thought it was necessary to shut the system down, and then educate them (and the rest of the department, since it's probably a collective problem) on why it wasn't necessary and what they could have done instead or how they could have known it wasn't an issue.
That employee probably also deserves a couple days off once the system is recovered (delivered in person, by their manager). It sends a message that they're not in trouble, but more importantly, they're likely fried from trying to juggle internalizing their mistake, getting the system back up, and worrying they're going to get fired because _this_ is how the CEO learned their name. They probably shouldn't be near a prod system for a couple of days until they've come down from the adrenaline and had some time to internalize what happened.
Congratulations: you've just created a culture where people are afraid to report potential issues for fear of losing their jobs. Maybe there are some cases where you find that specific individuals end up acting irrationally more often than not, but on the whole, it is better to treat these acts as if they were good faith until proven otherwise.
I’m saddened the sarcasm flew over the heads here. A disappointing reflection of the number of companies that really do act like that now, which was my point.
Don't be sad. I found out several times myself that irony without emotional hints misses its goal. On the other hand, when you add the /s hint, it's more like explaining a joke to a listener.
The blackmail part is already illegal, so the criminals won't care one way or another.
It's the victims that would now have two problems: damned if they pay, damned if they don't.
It's not like the criminals will be at any increased risk or effort either. They're criminal operations already doing other criminal stuff, most of the work is automated (via viruses, bots, etc), and they already couldn't take the payments openly (it's not like they used a bank account).
Banning it directly is a bad idea. Much of the same effect can be achieved by punishing companies that pay ransoms (or pay criminals or criminal organizations for similar reasons) by slapping a +300% tax on top of the payment (at least for companies).
If the size of the ransom stays the same, this provides a stronger incentive to keep IT security at a sensible level. Or, if this means criminals have to lower their demands to get paid, then the profitability goes down.
Use the money collected to fund IT security programs (research, awareness and assistance to companies in need of improving security).
Very often the cost of recovery would be much higher than 4 times the ransom.
Just look at the British Library as discussed in the article, not paying the 500K ransom cost them more than 6M so far. And was much more damaging to the public (I know because I tried to register after the ransomware and they simply don't have online registration anymore). They are STILL basically offline more than 6 months after:
> We're continuing to experience a major technology outage as a result of a cyber-attack. Our buildings are open as usual, however, the outage is still affecting our website, online systems and services, as well as some onsite services. This is a temporary website, with limited content outlining the services that are currently available, as well as what's on at the Library.
You could change that percentage to any amount and it wouldn't change a thing, it will still be cheaper to pay in most cases, and ransomware attackers will just lower the price if it's not. Change the British Library to any privately owned company, and no matter the price it will ALWAYS be better to pay than to be literally out of business for more than half a year (dead at that point).
> You could change that percentage to any amount and it wouldn't change a thing,
So what you're saying is that the criminals could quadruple their demands, and everyone would still pay?
I doubt it works like that. SOME high profile companies would still pay, but in many cases the threat would not justify paying 4x more.
If we assume the criminals do not generally do much research on each company's ability to pay, but just have a more or less even price for everyone, I think it's rather safe to assume that they've tuned the ransoms to a level that more or less optimizes the total payment they receive.
If it's made 4x more expensive to pay, fewer organizations would pay. And those who still pay will provide a lot of funding for efforts to battle this kind of crime.
> and ransomware attackers will just lower the price if it's not
This is at least half the purpose of adding the tax. If the price is lowered significantly, the economic loss for the non-criminal part of society is reduced.
Also, lower revenues means that it will get harder for ransomware groups to "attract talent", meaning there will be fewer threats out there.
Making payments illegal, on the other hand, just pushes the payments under ground. It's going to be about as successful as when they tried to ban alcohol.
> So what you're saying is that the criminals could quadruple their demands, and everyone would still pay?
Maybe, maybe not. Everyone has a different threshold of what they will pay. Everyone has different costs to recover. Nobody really knows the exact cost to recover until they are done; by the time you realize you underestimated the cost of recovery, it is too late.
Banning ransoms directly is a good idea. Even if that results in massive losses or even bankruptcies by victims, that is an acceptable consequence to prevent money from flowing to criminal organizations and hostile foreign governments. Sometimes you have to amputate a damaged limb to save the body. Paying a ransom in any circumstance should be a criminal offense.
My "lawful evil" approach to this would be to put the money thus collected in a special fund for counter-intelligence operations targeting people who produce and use ransomware. Collect 1M in ransom, someone else now has 3M to fight you with.
When I was a teenager and started playing D&D (1st ed), there was only Lawful/Neutral/Chaotic. No Good/Evil.
At the time, I tended to see the world primarily as Good vs Evil, so AD&D (2nd ed) seemed like an improvement.
As I got older, I came to realize that what people consider "Evil" is mostly used for people we're in some partisan conflict with.
Like in Israel/Palestine: each side sees the other side as "Evil" and themselves as the "Good Guys".
If anything, the main purpose of allowing ourselves to see some groups or individuals as "Evil" is to dehumanize them in ways that allow us to do "Evil" things to them.
Lawful vs Chaotic makes a lot more sense to me than back then, though. It's the yin/yang dualism that when in balance gives rise to most of the interesting dynamical phenomena.
The lead prosecutor at Nuremberg described evil as “lack of empathy” which I think is just about the best possible definition available to human beings.
And just to spell it out: fewer payouts mean fewer resources to spend on further operations. So I would absolutely think that the criminals care if there is an actual ban.
Of course the cost of an operation is beyond marginal. The cost of maintaining a team capable of executing sophisticated ransomware attacks is far from trivial. Especially since the operation is illegal, money needs to be laundered, and interpersonal tensions in cybercrime happen. Fewer payouts mean less money for the criminals and that is absolutely a problem for them.
This is not a company where you automate people out of a job and the CEO gets all the profit. Organised crime groups share profits among themselves, and the profit is by far the main motivator for all of them.
You're not competing against the hackers doing nothing, you're competing against them targeting some other country or just changing jobs. You don't have to get the payouts to $0, just low enough that it's not worth doing.
This would basically remove the prospect of million dollar payouts; it probably removes the prospect of payouts in the hundreds of thousands. Any company with the money to make those kinds of payouts is likely to have reporting requirements that make it very hard or impossible to hide.
Payments in the tens of thousands could maybe be hidden or targeted at small enough businesses that they don't have to report what happened to their money, but is it even worth it at that point? We're talking people with at least some level of technical ability; do they really want to piss off the FBI/NSA/European equivalents for tens of thousands of dollars? I sure wouldn't.
If this doesn't reduce the likelihood of ransomware (because it's low effort to just send and see what happens), then it's only a problem for the victims.
Is that really the case? I was under the impression those organizations have specialized people, some write the software, some do the hacking, some the social engineering etc. Once there is much less money this kind of system would probably fall apart?
Don't be so cynical, they do have such thinking (at least sometimes - like all other humans they have blind spots). They also have advisors who have such thinking. There are 532 people in congress, each of whom has several advisors, plus all the other officials in the FBI, CIA, NSA, military who have easy access to congress, dozens of lobbyists - it only takes one to have an idea and tell congress (though they don't always agree and of course congress will not always do what they want). That is the US; every other country has different setups, but they will have something similar.
This is absurd. There are better ways to do that other than punishing victims...
Do you think we should do similar for theft? Should it be illegal for a store assistant to hand over money to armed robbers, because theoretically if fewer people handed over money there might be fewer armed robberies?
And I disagree with what you're saying anyway. I doubt this would stop ransomware. I think if anything this would just push ransomware to become even more cruel so that they increase the likelihood of their victims choosing to break the law over not giving the ransomware owners what they want.
True, in any case, it will give the victims a stronger incentive to not involve the police and to cover up the fact that they were being blackmailed in the first place... Once they've paid the ransom, there will be no incentive to pursue the blackmailer.
You are dead wrong from a dynamic game-theoretic perspective:
A credible commitment to ban ransom-paying means that future ransomware attacks will get zero value for the attackers (beyond whatever they can get out of stolen data I guess).
The optimal short term response of the ransomware attackers is to push as hard as possible to make such a ban non-credible, through appeals to emotion like this one.
The optimal long term response for the rest of us is to pass a law banning ransomware payments, make a few high profile examples of those who violate it, and then watch the ransomware epidemic die off, much the same way that kidnapping for ransom died off 50 years ago.
> It's the victims that would now have two problems: damned if they pay, damned if they dont.
The "victims". Most of those victims have only themselves to blame. They are more often than not quite public and successful companies that couldn't care less about security. They get hacked, pay out ransom money and don't change a thing.
The hack “was preventable and should never have occurred,” says a report released Tuesday by the US Cyber Safety Review Board (CSRB), a group of government and private cybersecurity experts led by the Department of Homeland Security.
>The "victims". Most of those victims have only themselves to blame. They are more often than not quite public and successful companies that couldn't care less about security.
Given that we read about even top intelligence targets being hacked, I seriously doubt it's just about getting some better security mentality.
For my MSc in Cyber Risk strategy & governance my final dissertation was built on the parallelism of Italy's ban on payment of ransoms for kidnappings and the current ransomware trend. It's difficult to draw solid conclusions; the measure could be effective in disrupting some financially motivated attackers but, given the current landscape, I guess the threat actors could shift more towards extorting end users, where the ban will be more difficult to enforce. Ransomware relies heavily on financial incentives; for a company it comes down to cost, but the same holds as well for threat actors: they try to go after the biggest whales they can get away with. Insurance may be a loophole; in Italy at the time it was banned as well.
So what's interesting is that only a few years ago, ransomware such as CryptoLocker largely targeted individuals' home machines as opposed to companies. Companies being hit was rarer.
The ransom would be a few hundred dollars.
Things got rather interesting after WannaCry and NotPetya - some underground markets/sites banned discussion of ransomware for a while, a lot of groups went quiet.
Then it came back with almost exclusively targeting of enterprise/companies for big payoffs instead of a shitload of small payoffs.
Good. As someone who works in cybersecurity, I think hackers should get $0 from the victim, possibly get caught by police, and I think companies that get hacked should have to sit with their actions and DO BETTER for their customers.
Yep. Make it a crime to pay ransoms. No data is worth enabling and enriching criminals. Have tested backups stored offsite. If you fail at that, then you fail at business and deserve to go out of business.
For Ransomware, Backups need to be offline, not necessarily offsite. I.e. there needs to be no possibility of the hackers corrupting or deleting the backups too.
I worked with a financial Customer in the late 90s who, quarterly, sent a backup to an independent party for restore of the data into a freshly created application environment. They verified the backup with reproduction of key reports and random spot checks of data. It was impressive.
That's proper backup verification. At a minimum, restore to nearline temp storage. Ideally, backup and verify against hot storage SAN or FS volume snapshots.
For absolutely business-critical data, I would consider using multiple backup approaches and/or vendors. Shout out to Tarsnap as vital here that every commercial enterprise should use for essential customer, contract, and accounting data.
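The quarterly "restore into a fresh environment and spot-check" practice described a few comments up is worth having in scripted form. The following is an added example, not code from the thread or from any vendor mentioned in it: it writes a tar archive of a constructed dataset, records a SHA-256 manifest at backup time, later extracts the archive into an empty temporary directory (never over live data) and reports every file that is missing, altered or unexpected. All file names, paths and contents are made up for the demo; the manifest is assumed to be stored apart from the archive (offline media or a write-once store), otherwise whoever can rewrite the backup can rewrite the expected hashes too.

```python
"""Restore-and-verify test for a backup archive.

Added example, not code from the thread. It mimics the quarterly
"restore into a fresh environment and spot-check" practice: the archive
is extracted into an empty temporary directory and every restored file is
checked against a SHA-256 manifest captured when the backup was taken.
All paths, file names and contents below are constructed for the demo.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write a gzipped tar of src and return the manifest taken at the same moment.

    Keep the manifest apart from the archive (offline media or a write-once
    store, an assumption of this demo): an attacker who can rewrite the
    backup must not be able to rewrite the expected hashes as well.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Extract archive into a fresh directory and compare it to the manifest.

    Returns (ok, problems). A problem is a file whose hash differs, a file
    missing from the restore, or a file present in the restore but absent
    from the manifest.
    """
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # rejects absolute and ".." member paths
            except TypeError:  # Python older than 3.11.4 has no filter argument
                tar.extractall(dest)
        restored = build_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        problems.extend(f"unexpected: {rel}" for rel in restored if rel not in manifest)
    return (not problems, problems)


def demo() -> Tuple[bool, bool, List[str]]:
    """Back up a constructed dataset, verify a clean restore, then verify an
    archive in which one file was rewritten after the manifest was taken
    (the shape of a backup the attacker managed to reach)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "q1.csv").write_text("id,amount\n1,42\n")
        (src / "contracts.txt").write_text("acme: signed 2024-01-01\n")

        good = Path(tmp) / "good.tgz"
        manifest = create_backup(src, good)
        clean_ok, _ = verify_restore(good, manifest)

        (src / "ledger" / "q1.csv").write_text("ENCRYPTED\n")
        bad = Path(tmp) / "bad.tgz"
        with tarfile.open(bad, "w:gz") as tar:
            for rel in manifest:
                tar.add(src / rel, arcname=rel)
        tampered_ok, problems = verify_restore(bad, manifest)
    return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints a tuple whose first element is the clean restore passing and whose last element names the one file in the tampered archive whose content no longer matches. The point of extracting into a throwaway directory rather than comparing archive members in place is that it exercises the same code path a real recovery would use, which is what the quarterly-restore comment above is after.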
How would these companies survive if their systems caught fire or suffered some kind of major programmatic data corruption? These companies that "can't survive" without paying the ransom perhaps needed to die; their management doesn't value business continuity.
> I think hackers should get $0 from the victim, possibly get caught by police
The problem is, a lot of bad actors in cyberspace aren't individuals any more - Russia, China, Iran and North Korea have groups backed or outright created by the governments. There is no way to hold them accountable, three of these countries have nuclear weapons and one is only a few weeks away from building one should they decide to go for it [1]. Other cybercriminals like scam callcenters in India and Turkey have been found to bribe local governments to turn a blind eye or to warn against enforcement by federal authorities.
The only way to hold them accountable is to cut the countries off from the global communications networks so they can't do any more damage until they show credible efforts and successes in being better netizens, but we don't want to do that for a variety of "realpolitik" reasons either.
> and I think companies that get hacked should have to sit with their actions and DO BETTER for their customers.
EU GDPR has made some effort there, but in the end all software has security-critical bugs and there is only so much one can do to prevent getting hacked.
The difference is that - Stuxnet aside - Western nations (including Israel) do not run cyber extortion schemes against random individuals and companies.
They do run intel campaigns against targets or sell the tools to run such campaigns, but so does every somewhat developed nation in this world. Intelligence operations are older than the Bible, they have been a part of civilizations ever since civilizations existed as a concept.
It’s not always buggy software; ransomware affiliates have been known to bribe company insiders to install malicious software on the network. The insider gets some cut of the eventual ransom. Works great on disgruntled employees or entry-level people.
Fundamentally the financial incentive needs to be stopped in order to curb ransomware activities.
Making it a criminal offense for a corporate officer to authorize a ransom payment would mostly eliminate the financial incentive. Very few employees will risk going to federal prison to protect their employer. Especially for publicly traded companies, large expenses are audited and difficult to hide.
Legalize them: the FBI has to pay them for you, and you have to give the FBI 3x the cost of the payment. 1x for the payment, 1x for finding the people who committed the crime, 1x to pay off everyone impacted.
Increasing the cost of not being secure is the only way the problem will be addressed.
How far do we take that? Adding layers and layers of security isn’t free, and it’s often at the expense of productivity, and if taken far enough, the profitability and viability of a business.
What’s the right percentage of the economy to sacrifice to (maybe) stop one kind of crime?
Businesses are less willing to comply with the mob when the government is swinging a bigger stick. And payments/criminal rewards get pressured down when it’s blatantly illegal
How could it realistically be enforced? Never mind whether it does what we want, can we even perform the action?
Imagine that anyone who orders that a ransom payment be made, or who conducts the payment, is sentenced to death by being boiled feet first in oil. Imagine that no judge or jury shies away from the punishment. Then imagine that there are 1 million of these crimes per year within the United States. How many people are executed? 15? 600? Unless the government is doing ransom audits monthly, how the hell will they ever catch such people? Whistleblowers are safe even if they don't whistleblow; they're not on the hook for punishment. And they're not seeing something so unethical that they feel morally compelled to act. Just coworkers who are trying to keep the company from falling apart (potentially even saving the whistleblower's job too).
The criminals might try to leverage this by using it as further blackmail material, but that doesn't work in game theory. The individuals are relatively poor, so they can't be milked individually, and the business can't afford ongoing, indefinite ransom... changes the equation into the "definitely not worth it" category. If the individuals could afford it (in the strict sense), then they will refuse orders to covertly make payment, because then they are on the hook personally... so the criminals are going after the small fish and losing the big.
In the corporate sphere, this is way easier to investigate than most other forms of corporate crime.
Investigating price fixing or discrimination is hard, because it happens over a protracted period, and you have to show a pattern, and everything is open to interpretation, etc. But this? There are two distinctive events that are basically impossible to hide: The disruption and the payment.
Attacks on individuals are another matter, yes that's hard to enforce. But then, on the average, I don't think individuals actually benefit from paying this kind of ransom. It just tags you as a mark for further abuse. So maybe most people will accept that paying ransoms is just not something you do.
> There are two distinctive events that are basically impossible to hide: The disruption and the payment.
These seem easy to hide. Sure, it incentivizes quick payment, rather than dragging it out for a week. But for 99.9% of employees, this is "the computer network was down, but IT fixed it quickly". For the 0.1% of employees who understand or suspect it was ransomware... thank god corporate got it fixed before 80% of employees were laid off.
The economic losses from thoroughly investigating all widespread network outages (including many not ransomware), seems to outweigh any benefit this could have in (eventually) discouraging ransomware. Just the other day they were talking about how Pixar lost a whole movie but for a copy on some remote worker's machine... in a world where ransomware payments were criminalized, that sounds an awful lot to me as if it might've been one. How many months would they spend combing through log files trying to rule it out? How much does that cost a company like Pixar when they're trying to meet deadlines?
I'm hesitant to point this out, but I've seen shit like this my entire career (thankfully, none of them ransomware). I still have a career, thankfully, which indicates I was only tangentially associated with such incidents. But they're common. There have been big Atlassian, Amazon, and Google incidents as HN headlines within the last 2 years... and whatever explanations they gave, clearly those were just coverups for ransomware payments (or at least people could reasonably suspect that, were it criminalized).
This still seems unenforceable to me in any practical way. But I guess if we're going the totalitarian police state which ruins the economy route, there is some slight wiggle room.
The tax authorities care what you list as an expense. If you aren’t a public company and don’t try to write it off as an expense/loss, they don’t care.
Fifty state insurance commissioners could make this more or less happen overnight, except to the extent firms are using something other than cyber coverage to pay ransoms.
In my eyes, this would do almost as much to improve cybersecurity as liability in tort for insecure software.
Most companies aren't going to unfuck their entire IT infrastructure which was just encrypted and then turned off? I mean, sure, if the only computer affected is the cafeteria cash register system, they shrug it off and reinstall. But more than a few of these attacks have absolutely crippled the victims, to the point that it would take months/years to roll out a scrubbed system, and even then data is irrevocably lost.
A one-time under the table purchase from some dark web bitcoin broker doesn't seem like that big of a deal. It's not the sort of book-cooking that tends to get noticed.
I've seen enough reports of ransomware gangs failing to return their victims files even when they do pay up, that it's probably best to consider those files irrevocably lost and not pay.
Does anybody wonder if these attacks aren't performing a public good in the long run by hardening our tech infrastructure in the West? It seems like hostilities with Russia, China, et al are likely to just get worse over time, and the long term high threat environment that these gangs have created for Western companies and utilities could give them a comparative advantage over time. That is assuming the same attacks aren't happening in China, Russia, North Korea, Iran, etc.
It shouldn't be banned. Just add a +300% tax to it, while keeping it legal. (Banning will just lead to under-the-table payments).
While this looks at face value like it's just making things worse, in fact it cuts the profits by 75% for any criminal trying to optimize the ransom demanded.
Then use the tax collected to fund IT security research or something.
Banning ransoms worked, mostly, for terrorism.
That has to be backed up by a sizable intelligence effort to find and fix the attackers, and a military effort to take them out.
That worked because the terrorism in question was Islamist - neither Russia, China nor Iran have any desire in having such groups grow powerful enough to be a threat to their interests, so it was in their interest to cooperate enough with the Western nations to quash the threat.
I think kidnapping for ransom is not only a terrorism activity. Yes, there are many cases of that, but the majority will be related more to organized crime, which usually thrives under weak and unstable governments. There is a correlation between terrorist activity and unstable countries, but that is not always a cause-and-effect relation. I.e. you will find high statistics of kidnapping for ransom in Latin America and even Mexico due to organized crime networks.
There are a variety of ways kidnapping for ransom works (including cyber attacks here, but also things like human trafficking activities, etc. [1]).
So there are many actions taken to address those. They are not just confined to the Islamist category.
Yeah but the threshold for Western governments to engage in foreign, local stuff is very high. It's almost exclusively
- some country or its exiled representatives directly ask for aid , e.g. against narco empires, but it's nowhere near a given that we react (e.g. Haiti, who has been begging for help for years now)
- it threatens international shipping safety on popular trade routes, e.g. the Houthis in Yemen or Somalian pirates... and it's funny that the shipping co's complaining the loudest until military intervention comes are the ones who refuse to fly their ships under Western flags.
- islamists threatening to spread their terrorism to other countries
And that's it. Our general publics aren't very happy any more to spend trillions of dollars on oil grab operations or even on desperately needed support such as in Ukraine.
I'm ignorant but I've never understood why people actually pay the ransom. Aren't the attackers anonymous? What stops them from asking for another $Y after they get their $X, and not actually removing the ransomware? There's not much incentive for the attackers to actually do what they say after you pay them, right?
These attackers have made it clear they will release your data. They have done that many many times exactly because they know the target needs to believe they will release it. They even have customer support to help the targets recover everything.
As crazy as it sounds, having a reputation to honor the unlocking of data is a great way to get other victims to pay. However, I'd be more suspicious of promises of data deletion.
This is exactly it. And it's a much broader principle than just ransoms. Any organization/group that live outside of an established legal system depends on being seen as honorable if they want to have any relationships with other organizations/groups.
This applies to criminal groups (and individuals), clans in places like Afghanistan or Somalia and even to whole countries when dealing with each other.
Essentially, such groups are playing repeated games of Prisoner's Dilemma. They need to be seen as playing a tit-for-tat strategy. If they are known for playing always-defect (or always-cooperate), other "players" will (if rational) play always-defect against them.
This means they need to be honorable in that they keep their promises. But if someone disrespects them, they also must be predictably vengeful.
The difference between regular business and organized crime is more that of a degree than that of a kind. Criminals may have less respect for law, greater risk tolerance, and go to greater extremes to acquire their customers, but at the end of the day, if they want people to pay them, they need to be known to deliver.
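The repeated-game argument above can be checked numerically. What follows is an added example, not from the thread: an iterated Prisoner's Dilemma in which a counterpart who knows a group's reputation (its fixed strategy) picks whatever strategy maximises the counterpart's own score, and we read off what the group then earns. In the ransom setting, "cooperate" for the gang means delivering a working decryptor after payment and for the victim means paying; "defect" means taking the money and walking, or refusing to pay. The payoff values 5 > 3 > 1 > 0 are the usual T > R > P > S ordering and are an assumption of the demo, not figures from the thread; so are the ten rounds.

```python
"""Iterated Prisoner's Dilemma with a reputation-aware counterpart.

Added example, not from the thread. A group known to play tit-for-tat
(keeps promises, retaliates predictably) keeps getting cooperation; a
group known to always defect, or to never retaliate, gets defection from
any rational counterpart. Payoffs 5 > 3 > 1 > 0 and the round count are
assumptions of the demo.
"""
from typing import Callable, Dict, List, Tuple

Move = str  # "C" (cooperate) or "D" (defect)
Strategy = Callable[[List[Move], List[Move]], Move]  # (my history, their history) -> move

PAYOFF: Dict[Tuple[Move, Move], int] = {
    ("C", "C"): 3,  # R: reward for mutual cooperation
    ("C", "D"): 0,  # S: sucker's payoff
    ("D", "C"): 5,  # T: temptation to defect
    ("D", "D"): 1,  # P: punishment for mutual defection
}


def always_cooperate(mine: List[Move], theirs: List[Move]) -> Move:
    return "C"


def always_defect(mine: List[Move], theirs: List[Move]) -> Move:
    return "D"


def tit_for_tat(mine: List[Move], theirs: List[Move]) -> Move:
    """Cooperate first, then mirror the counterpart's previous move:
    keep promises, but retaliate predictably when crossed."""
    return "C" if not theirs else theirs[-1]


STRATEGIES: Dict[str, Strategy] = {
    "always_cooperate": always_cooperate,
    "always_defect": always_defect,
    "tit_for_tat": tit_for_tat,
}


def play(a: Strategy, b: Strategy, rounds: int = 10) -> Tuple[int, int]:
    """Run a repeated game and return (score of a, score of b)."""
    hist_a: List[Move] = []
    hist_b: List[Move] = []
    score_a = score_b = 0
    for _ in range(rounds):
        move_a = a(hist_a, hist_b)
        move_b = b(hist_b, hist_a)
        score_a += PAYOFF[(move_a, move_b)]
        score_b += PAYOFF[(move_b, move_a)]
        hist_a.append(move_a)
        hist_b.append(move_b)
    return score_a, score_b


def best_response(reputation: Strategy, rounds: int = 10) -> Tuple[str, int]:
    """Given a group's known strategy, pick the counterpart strategy that
    maximises the counterpart's own score (first best on ties, in
    STRATEGIES order) and return (that strategy's name, the group's score)."""
    best_name, best_score, group_score = "", -1, 0
    for name, opponent in STRATEGIES.items():
        s_opp, s_group = play(opponent, reputation, rounds)
        if s_opp > best_score:
            best_name, best_score, group_score = name, s_opp, s_group
    return best_name, group_score


def reputation_table(rounds: int = 10) -> Dict[str, Tuple[str, int]]:
    """For each reputation a group might have: what a rational counterpart
    plays against it, and what the group earns over `rounds` interactions."""
    return {name: best_response(strategy, rounds) for name, strategy in STRATEGIES.items()}


if __name__ == "__main__":
    for rep, (answer, earned) in reputation_table().items():
        print(f"known as {rep:16s} -> counterpart plays {answer:16s}, group earns {earned}")
```

Over ten rounds the table comes out as: a group known to always cooperate is met with always-defect and earns 0; one known to always defect is also met with always-defect and earns 10; one known to play tit-for-tat is met with cooperation and earns 30. That is the thread's claim in numbers: the decryptor gets delivered because the next victim's decision to pay depends on it.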
I remember how surprised I was when ransomware really took off, that victims would pay and actually get their data back. Sure, it makes sense, that criminals benefit in the long run if they truly return the data, but I was surprised that the criminals were actually that farsighted.
To me that suggests that rational economic forces really are at work and as a result, banning payments would cut back on ransomware attacks.
This is very similar to having a "we don't negotiate with bad guys" policy, which is common at least as rhetoric if not in fact.
I'm just waiting till the first customer of some shady contract binding them to a greedy software company uses that to declare a payment illegal and therefore that they cannot make it. Would be funny news like "XYZ says it can't pay Oracle, declares it a ransom payment" :D
It's kind of crazy to me that large companies are even able to make large, anonymous, unbudgeted, essentially cash payments (with no paper trail) at all.
There is a paper trail in the large business - it just ends when the cash leaves the door, as the payment is done by things like bitcoin. Though note the bitcoin isn't as anonymous as the other side thinks: the FBI has managed to trace bitcoin at times, and they can mark some coins as tainted so that the evil actors have bitcoin that cannot be used. But this is still much more difficult than with the large company, which has careful records.
I agree with the push for the ban to remove incentives but I do wonder about consistency. These days it seems the world is compromising and “negotiating with terrorists” all the time. For example look at how Hamas is being handled, for taking all those hostages and still holding onto them months later. Are these situations different?
Not really - there are no good options. Hamas kidnapped a bunch of people and Isreal's response to get back at Hamas is called a genocide for good reason - a lot of innocent people are dead as collateral damage. (or at least seemingly innocent, some of them support Hamas maybe). I have yet to see anyone suggest of a way to handle terrorists that doesn't result in more innocent victims in some form.
Having worked in a large company hit by the first wave of WannaCry ransomware (https://news.ycombinator.com/item?id=14326555), I am doubtful that most companies can just ignore the disruption in business during an attack. Not every company can go analogue while dealing with an attack like MGM.
In a balance sheet, paying the ransom is just catching up to inadequate budgeting for systematic security efforts. While the person at the end will always be the weakest link, so much more can be done to avoid most attacks.
Maybe everyone going back to thin clients like Windows 365 would finally put this to an end.
This ban is only ethical if the law authority does its job to stop criminals. Otherwise we end up in the same place as street crime: illegal to defend yourself, but also unprotected by the authority that finds it easier to deploy violence against victims than criminals.
What is the difference between a computer ransom and a human kidnapping and ransoming situation? If I'm not allowed to pay ransom to save my business, does it mean I should also not be allowed to pay ransom to save my loved ones?
Yes, and this was done a long time ago in places. While your kid might end up killed when the kidnapper realizes they can't get money from you, the criminals won't bother kidnapping again since there is no money in it and so overall society is much better - sorry that it was your kid that was killed.
The rules are complex here. If your kid really is kidnapped, ask the FBI (or local equivalent). Often they can pay a ransom on your behalf - with money they have means to trace. Sometimes if your life is in danger you can pay a bribe - but be sure to report to the FBI (or local equivalent) as soon as you are safe.
The insurance company-driven model for industry specific safety improvement that worked so well for fire safety and auto safety has proven impossible because of three factors:
1. Cryptocurrency allows for unimaginably huge untraceable ransom payments that Amazon gift cards did not support,
2. No liability in tort for insecure software, and
3. Lack of computer security regulation (e.g., your car must have a seatbelt and ABS but your software can be arbitrarily bad without being prohibited).
It would seem the unintended consequences of such a policy would be to ensure every cyber breach is kept entirely secret (so that ransom payments could be made discreetly), and not notifying law enforcement, software vendors, security researchers, or the customers. And then without any disclosure or collaboration, every company is on its own island, no collective learning, making it trivial for attackers to re-use the same exploit again and again.
> It would seem the unintended consequences of such a policy would be to ensure every cyber breach is kept entirely secret (so that ransom payments could be made discreetly)
It will show up somewhere in the tax filings. There's no such thing as discreet payments unless it's in such small amounts that it comes from petty cash.
And since the ransomers are demanding payment in cryptocurrency, it's even easier to spot for the clear majority of victims.
> It will show up somewhere in the tax filings. There's no such thing as discreet payments unless it's in such small amounts that it comes from petty cash.
Create a shell company in some remote tax haven with lax disclosure laws, have them pay the ransom, and close the shell company afterwards. Companies are already good at dodging taxes this way.
> Create a shell company in some remote tax haven with lax disclosure laws, have them pay the ransom, and close the shell company afterwards. Companies are already good at dodging taxes this way.
That only works for hiding income, not hiding expenses.
You create a shell company in Malta (for example). Now how do you get $$$ into that company so that it can pay the ransom?
Okay, so you assign your payment to $MALTA-COMPANY the line-item of 'consulting fees'. It only takes a few companies to do this before the tax authorities are wise to it.
After all, even for relatively tiny amounts companies still have to perform KYC on customers!
Think about it this way: if it was that easy to hide expenses from authorities, embezzlement schemes would be a lot simpler than they are now.
> Okay, so you assign your payment to $MALTA-COMPANY the line-item of 'consulting fees'. It only takes a few companies to do this before the tax authorities are wise to it.
Tax authorities already don't give a fuck about where a company shifts its money to. As long as there's a proper entry in the books, at least. There are schemes involving up to six different legal entities [1]. A measly million dollars or two is a minor rounding error for a multibillion dollar company.
> Think about it this way: if it was that easy to hide expenses from authorities, embezzlement schemes would be a lot simpler than they are now.
Embezzlement is easier the higher the embezzler is in the command chain. When the CFO orders something to happen - say, a monetary transfer or the creation of a shell company - it will usually be executed without question by the lower levels. Maybe, given the rise of impersonation attacks, the underlings will follow protocol and call the CFO back to verify that it is really the CFO ordering that thing, but that's it.
It depends on how illegal "illegal" it is, too. Illegal doesn't mean criminal, and even then, companies do plenty of things that are normally criminal and they get away with a small fine.
It isn't just the IRS: every large company hires independent auditors to go through the books and report anything "funny". They generally are required to report illegal findings to the police, along with reporting legal things that are against the company's interest.
Independent auditors check to see if a company's accounting is following GAAP accounting standards (so that a statement can be put in the SEC filings). They don't comb through each payment in detail (corporations can have millions of them each year). And if they find things, they tell the company to fix it or report any deviation from GAAP standards.
But much of it is dependent on good faith of the company along with some spot checking to see if their accounting processes line up with what they said they do.
And plenty of companies who have been found to commit fraud have gotten the "thumbs up" during their "independent audit". It gives you a sense as to how cursory their audits are.
The software company would argue that the lawbreaking hacker was a supervening cause, while the consumer would argue the criminal was foreseeable. In the case of security software, the consumer might have a point. In practice such a claim is not usually successful.
Customers are already able to insist that software vendors indemnify them for security risks as a condition of purchase. No new laws are needed for this.
> Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop.
This is conjecture presented as fact.
Here is an alternative conjecture: what if ransomware is mainly a sociopathically-driven enterprise, with a side interest in profit? Or what if a good chunk of it is?
How many ransomware perpetrators have we captured, and subjected to psychological study, to be able to confidently say what ransomware is or is not?
It seems reasonable to suggest that the number of profit-driven ransomware endeavors and the number of for-fun ransomware endeavors can both be non-zero and contain some overlap and some non-overlap. Therefore it seems that making it unprofitable would at least eliminate the former reason, which under all but the worst case scenario (where those numbers are perfectly equal and overlapping) would result in fewer ransomware endeavors.
To say we shouldn't do X because it doesn't perfectly eliminate/solve Y is akin to saying we should do nothing because by that standard, we'll never do anything about Y.
I don't see how banning payments would inherently create more opportunity for ransomware attacks. Assuming that the operators are already attacking as much as they can (why wouldn't they be - it's more profit that way, since it's business after all), the only way to maintain profitability with lower per-attack yields would be to ask for more ransom per attack, which would likely drive the yields down even further.
There is likely an element of sociopathy involved as it requires a particular lack of empathy towards secondary victims. But the same can be said for most career criminals, and most crimes do indeed stop when you remove the profit motivation.
Your own conjecture that ransomware authors are somehow a special breed is the one that needs backing.
Sure, that’s how viruses used to work. They would just delete / corrupt your data.
It was a small-time operation, some pissed off mid with an axe to grind. Now it’s either a nation-state with a political agenda or organised criminals doing it for the money.
If you're a foreigner you're not violating US laws by selling your fraudulent securities. If you sell to a US citizen you ought to stay away from places with extradition treaties.
None of this is new or invalidated by magic coins in my computer.
It is illegal in most countries, but if you live in Russia or North Korea, not only is it legal, it is encouraged by the government if you target "western" countries. Iran, China and India have also been accused of allowing ransomware (and likely other countries would allow it - but we have strong evidence of Russia and North Korea).
What this means is it is legal for some people and they can target you. Which now leaves the problem of what "western" countries should do about this. The options are limited. Either it is CIA activities - but this assumes they have spies in place and risks giving them up, and so it is very limited; or it is a military invasion (of a major nuclear power!). There is diplomatic pressure of course, but there doesn't appear to be anything that can be done about this. If you have a good idea I'm sure governments will be interested - but in general smart people have already been thinking about this, so odds are you just don't understand why your idea is bad.
Once companies are held accountable for the weapons and whatever else the money they paid in ransom gets spent on, things will finally change. Until then, we use the word "victim" with too much lenience. The secondary victims, the ones getting bombed, or the ones that will be targeted and threatened with the nukes that just got paid for with the ransom money, shouldn't be left out of the equation as they have been thus far.
I'm sure some people don't like that way of thinking, but where else do you think one spends $22mil per "victim"? $30 billion a year buys a lot more than fancy clothes and yachts.
Let’s be realistic about this. A company can’t pay a ransom if they don’t have customers. Life sentences for all customers of businesses is the only effective path.
And the death penalty for the engineer who didn’t patch a vulnerability or the software developer who wrote the buggy code. That will teach them! Judge Hindsight is ready to punish the victims.
Hacks happen. Where does someone's responsibility start or end? Where does the buck stop? Can we really expect that every layer in an organization is always fully aware of security and security risks, even unknown vulnerabilities? Security practices change over time. Not so long ago 12 character passwords were considered safe, 2FA didn't exist, …
I don’t think that harsher punishments and victim blaming is the way to go.