The blackmail part is already illegal, so the criminals won't care one way or another.
It's the victims that would now have two problems: damned if they pay, damned if they don't.
It's not like the criminals will be at any increased risk or effort either. They're criminal operations already doing other criminal stuff, most of the work is automated (via viruses, bots, etc), and they already couldn't take the payments openly (it's not like they used a bank account).
Banning it directly is a bad idea. Much of the same effect can be achieved by punishing companies that pay ransoms (or pay criminals or criminal organizations for similar reasons) by slapping a +300% tax on top of the payment (at least for companies).
If the size of the ransom stays the same, this provides a stronger incentive to keep IT security at a sensible level. Or, if this means criminals have to lower their demands to get paid, then the profitability goes down.
Use the money collected to fund IT security programs (research, awareness and assistance to companies in need of improving security).
Very often the cost of recovery would be much higher than 4 times the ransom.
Just look at the British Library as discussed in the article, not paying the 500K ransom cost them more than 6M so far. And was much more damaging to the public (I know because I tried to register after the ransomware and they simply don't have online registration anymore). They are STILL basically offline more than 6 months after:
> We're continuing to experience a major technology outage as a result of a cyber-attack. Our buildings are open as usual, however, the outage is still affecting our website, online systems and services, as well as some onsite services. This is a temporary website, with limited content outlining the services that are currently available, as well as what's on at the Library.
You could change that percentage to any amount and it wouldn't change a thing, it will still be cheaper to pay in most cases, and ransomware attackers will just lower the price if it's not. Change the British Library to any privately owned company, and no matter the price it will ALWAYS be better to pay than to be literally out of business for more than half a year (dead at that point).
> You could change that percentage to any amount and it wouldn't change a thing,
So what you're saying is that the criminals could quadruple their demands, and everyone would still pay?
I doubt it works like that. SOME high profile companies would still pay, but in many cases the threat would not justify paying 4x more.
If we assume the criminals do not generally do much research on each company's ability to pay, but just have a more or less even price for everyone, I think it's rather safe to assume that they've tuned the ransoms to a level that more or less optimizes the total payment they receive.
If it's made 4x more expensive to pay, fewer organizations would pay. And those who still pay will provide a lot of funding for efforts to battle this kind of crime.
> and ransomware attackers will just lower the price if it's not
This is at least half the purpose of adding the tax. If the price is lowered significantly, the economic loss for the non-criminal part of society is reduced.
Also, lower revenues mean that it will get harder for ransomware groups to "attract talent", meaning there will be fewer threats out there.
Making payments illegal, on the other hand, just pushes the payments under ground. It's going to be about as successful as when they tried to ban alcohol.
> So what you're saying is that the criminals could quadruple their demands, and everyone would still pay?
Maybe, maybe not. Everyone has a different threshold of what they will pay. Everyone has different costs to recover. Nobody really knows the exact cost to recover until they are done, by the time you realize you underestimated the cost of recovery it is too late.
Banning ransoms directly is a good idea. Even if that results in massive losses or even bankruptcies by victims, that is an acceptable consequence to prevent money from flowing to criminal organizations and hostile foreign governments. Sometimes you have to amputate a damaged limb to save the body. Paying a ransom in any circumstance should be a criminal offense.
My "lawful evil" approach to this would be to put the money thus collected in a special fund for counter-intelligence operations targeting people who produce and use ransomware. Collect 1M in ransom, someone else now has 3M to fight you with.
When I was a teenager and started playing D&D (1st ed), there was only Lawful/Neutral/Chaotic. No Good/Evil.
At the time, I tended to see the world primarily as Good vs Evil, so AD&D (2nd ed) seemed like an improvement.
As I got older, I came to realize that what people consider "Evil" is mostly used for people we're in some partisan conflict with.
Like in Israel/Palestine: Each side sees the other side as "Evil" and themselves as the "Good Guys".
If anything, the main purpose of allowing ourselves to see some groups or individuals as "Evil" is to dehumanize them in ways that allow us to do "Evil" things to them.
Lawful vs Chaotic makes a lot more sense to me than back then, though. It's the yin/yang dualism that when in balance gives rise to most of the interesting dynamical phenomena.
The lead prosecutor at Nuremberg described evil as “lack of empathy” which I think is just about the best possible definition available to human beings.
And just to spell it out: Fewer payouts mean fewer resources to spend on further operations. So I would absolutely think that the criminals care if there is an actual ban.
Of course the cost of an operation is beyond marginal. The cost of maintaining a team capable of executing sophisticated ransomware attacks is far from trivial. Especially since the operation is illegal, money needs to be laundered, interpersonal tensions in cybercrime happen. Fewer payouts mean less money for the criminals and is absolutely a problem for them.
This is not a company where you automate people out of a job and the CEO gets all the profit. Organised crime groups share profits among themselves, and the profit is by far the main motivator for all of them.
You're not competing against the hackers doing nothing, you're competing against them targeting some other country or just changing jobs. You don't have to get the payouts to $0, just low enough that it's not worth doing.
This would basically remove the prospect of million dollar payouts; it probably removes the prospect of payouts in the hundreds of thousands. Any company with the money to make those kinds of payouts is likely to have reporting requirements that make it very hard or impossible to hide.
Payments in the tens of thousands could maybe be hidden or targeted at small enough businesses that they don't have to report what happened to their money, but is it even worth it at that point? We're talking people with at least some level of technical ability; do they really want to piss off the FBI/NSA/European equivalents for tens of thousands of dollars? I sure wouldn't.
If this doesn't reduce the likelihood of ransomware (because it's low effort to just send and see what happens) then it's only a problem for the victims.
Is that really the case? I was under the impression those organizations have specialized people, some write the software, some do the hacking, some the social engineering etc. Once there is much less money this kind of system would probably fall apart?
Don't be so cynical, they do have such thinking (at least sometimes - like all other humans they have blind spots). They also have advisors who have such thinking. There are 532 people in congress, each who has several advisors, plus all the other officials in the FBI, CIA, NSA, military who have easy access to congress, dozens of lobbyists - it only takes one to have an idea and tell congress (though don't always agree and of course congress will not always do what they want). That is the US, every other country has different setups, but they will have something similar.
This is absurd. There are better ways to do that other than punishing victims...
Do you think we should do similar for theft? Should it be illegal for a store assistant to hand over money to armed robbers, because theoretically if less people handed over money there might be less armed robberies?
And I disagree with what you're saying anyway. I doubt this would stop ransomware. I think if anything this would just push ransomware to become even more cruel so that they increase the likelihood of their victims choosing to break the law over not giving the ransomware owners what they want.
True, in any case, it will give the victims a stronger incentive to not involve the police and to cover up the fact that they were being blackmailed in the first place... Once they've paid the ransom, there will be no incentive to pursue the blackmailer.
You are dead wrong from a dynamic game-theoretic perspective:
A credible commitment to ban ransom-paying means that future ransomware attacks will get zero value for the attackers (beyond whatever they can get out of stolen data I guess).
The optimal short term response of the ransomware attackers is to push as hard as possible to make such a ban non-credible, through appeals to emotion like this one.
The optimal long term response for the rest of us is to pass a law banning ransomware payments, make a few high profile examples of those who violate it, and then watch the ransomware epidemic die off, much the same way that kidnapping for ransom died off 50 years ago.
> It's the victims that would now have two problems: damned if they pay, damned if they don't.
The "victims". Most of those victims have only themselves to blame. They are more often than not quite public and successful companies that couldn't care less about security. They get hacked, pay out ransom money and don't change a thing.
The hack “was preventable and should never have occurred,” says a report released Tuesday by the US Cyber Safety Review Board (CSRB), a group of government and private cybersecurity experts led by the Department of Homeland Security.
> The "victims". Most of those victims have only themselves to blame. They are more often than not quite public and successful companies that couldn't care less about security.
Given that even top intelligence targets we read about being hacked, I seriously doubt it's just about getting some better security mentality.