I feel like ransomware attacks will lead us down a road to most corporate computers acting as terminals and defense focused on internal systems general users have limited interfaces with. Email/browsing will be on your PC that can just be wiped if there is an issue and work will be done through VDI systems. I know there will still be attack vectors, but right now too many employees can compromise entire networks by clicking the wrong link.
I sympathize a lot with infrastructure and security teams at large(r) companies. They are constantly up against the opportunity cost of which security threats to fix first with the limited resources those teams often have. This is accompanied with needing to gracefully manage the political ripples of locking down systems that might disrupt other departments/business processes that were not initially designed with security in mind. I’ve seen firsthand the hot-headed director/VP who was hired on day one, who yells the loudest that they won’t make their sales target or some initiative is slowing their teams down, and crucial infra projects are delayed despite a well-articulated risk and threat assessment aiming to protect the company. All the while, the security experts in the room have their own jobs and teams they are trying to protect and not make the wrong move (and maybe get a ransomware attack) and get the whole team fired in the heat of the aftermath.
With more and more folks wanting to work from home, this further complicates the extant balancing act of how to securely give systems access to remote employees.
Does anyone have any thoughts about the prospect of a law that makes it illegal to pay ransomware ransoms in general, across government and private industry? I wonder if such a law could be written without loopholes or ambiguity about data recovery.
Would that law actually accomplish anything? Victims of these crimes already get punished in that they are paying ransoms. I doubt that increasing the penalty would provide additional disincentive; these are already awful situations.
But let's assume that this law would be effective. Would it do a net good to the world? Maybe, if ransomware attacks stop. But in the meantime, we'd probably see some innocent people's data being released, and the downstream societal effects from the destruction that occurs.
If a company that holds my private information is hit by a ransomware attack that threatens to release my data, I'd rather they pay it.
More likely, it will lead to a governmental crackdown on cryptocurrency. If it were illegal for people to hold digital assets and impossible to exchange them for fiat currency except on black markets, cryptocurrency would lose pretty much all value and make ransomware worthless.
For the record, I think this would be a bad idea, but it’s exactly the sort of governmental overreaction I’ve come to expect. I’ve sold off most of my cryptocurrency as a result of this latest spate of ransomware attacks, waiting for this shoe to drop.
How is it an overreaction? It seems like its main purpose is to avoid government restrictions on importing money, but what it actually does is to destroy our environment so we can pay ransoms and build an asset bubble. I’d expect nations to react to threats to their security, especially for things that don’t offer any social benefit like cryptocoins.
It's like a law that makes it illegal to get raped. Many countries exist where that's actually how they deal with it. Reported rape does indeed drop. Emphasis on "reported".
The fundamental problem is that you put blame on the victim and force them to "try harder". Trying harder in this case, against literally anyone in the world discovering one flaw in their system (and systems are never flawless).
A more successful approach would be eliminating the ability for anyone in the world to extort money anonymously from companies. Because without the motivation, the blackmailers have no reason to blackmail you.
> A more successful approach would be eliminating the ability for anyone in the world to extort money anonymously from companies. Because without the motivation, the blackmailers have no reason to blackmail you.
While I agree in principle, that is quite a lofty goal. What are some of the ways you would suggest eliminating that ability?
Ban cryptocurrency in the US. The crypto market would immediately tank. Other western companies would likely follow suit. US sanctions can be issued against exchanges, if desired. Obviously cryptocurrency could still continue in this scenario, but transferring money from USD to crypto would be much more difficult. And the value of coins would be so low and probably continuing to fall that it wouldn’t be as appealing a means of ransom.
Ship 2 pounds of gold to a country that will happily accept bribes to not care and then we'll email you the keys to decrypt your network, otherwise we'll sell the data.
If that were the outcome of said legislation, it would make the barrier to entry for executing a ransomware attack much, much higher than it is today. Wouldn’t that be a successful outcome?
I don't think the barrier to entry is higher. You're just asking for them to send something physical, you don't have to do any extra work. I'm making an assumption that a lot of the current problems with ransomware originate from criminal gangs in countries that already look the other way. Maybe that is a poor assumption. A company could be less likely to mail cash instead of clicking a button though.
The barrier to entry is higher because the criminals need to be set up to anonymously receive an international shipment of physical currency/commodity. Apart from overcoming the logistical complexity of sending such a package (e.g. customs), the criminals would have to bribe the right officials to anonymize their physical address, which while not impossible is definitely a much higher barrier to entry than asking for cryptocurrency to be sent to some crypto wallet address, which any script kiddie can do.
> A more successful approach would be eliminating the ability for anyone in the world to extort money anonymously from companies. Because without the motivation, the blackmailers have no reason to blackmail you.
In other words: attempting to ban cryptocurrencies?
Unauthorized Access to Fujifilm Servers - https://news.ycombinator.com/item?id=27384084 - June 2021 (26 comments)
Ransomware – Unauthorized access to Fujifilm servers - https://news.ycombinator.com/item?id=27375401 - June 2021 (46 comments)
Fujifilm shuts down network after suspected ransomware attack - https://news.ycombinator.com/item?id=27373455 - June 2021 (52 comments)