by pdkl95 3887 days ago

    And that is called paying the Dane-geld;
      But we've proved it again and  again,
    That if once you have paid him the Dane-geld
      You never get rid of the Dane.
http://www.poetryloverspage.com/poets/kipling/dane_geld.html

Paying ransom merely teaches the criminal that you're an easy mark that they should demand more ransom from in the future.

First off, that is an excellent comment and again, I love Hacker News. How many communities on the planet will have a Rudyard Kipling poem in their lead comment???

I would have used this stanza as I think it's a little more applicable in this situation:

"We never pay any-one Dane-geld,
   No matter how trifling the cost;
For the end of that game is oppression and shame,
   And the nation that plays it is lost!"

As another commenter said, individuals can prevent themselves from being victimized again by starting a regime of proper backups. It isn't as ideal as arresting the motherfuckers and sentencing them to 25 years in federal prison, but it prevents an individual from being labelled a mark.

On the other hand, when the FBI says 'just pay it', I'd argue that it makes all of North America more vulnerable. The end of this game is oppression and shame, and the nation that plays it is lost.

For the cyber-criminals there is little or no per-user cost to implement this attack. The refuse-to-pay strategy works when there is some hope of making their attack not worth their effort. To make it not profitable, you would have to convince such a high percentage of people to not pay that the refuse-to-pay strategy is intractable. Instead, we need to rely on the FBI and other organizations to raise the risk of getting caught.
Very well said - thanks!! :)
They want you to reinforce the ransomware creator's behaviour, but if you hunt them down and physically punish them yourselves, you'll go to jail. Why does a democratic government exist, and why do I pay taxes to support it? In my opinion, the FBI is the slacker here. We are paying taxes to the government for services which should include hunting down and making examples of the perps so that they think twice about ever writing ransomware again.
"If you hunt them down and physically punish them yourselves, you'll go to jail"

The U.S. Constitution actually has provisions for legally doing that. Lobby your congressmen to issue "letters of marque and reprisal", which Congress is authorized to provide precisely for businesses to engage in warlike behavior against pirates et al, which includes the modern form in "ransomware".

That's a slippery slope which is bound to harm innocent parties. Large corporations would just love to get letters of marque and reprisal, let's hope that it is not authorized by Congress anytime soon.
This all assumes that the FBI's purpose is to go after criminals who are harming the citizenry. I am no longer certain that is the purpose of the police (federal, state, or municipal), given their exceptionally poor record of preventing crime, and finding those responsible for crimes.
Or, paying ransom teaches yourself to make backups. Cryptolocker is essentially a "get-out-of-data-loss-for-a-small-price" card. Alternatives, like your disk having a fatal error, are not nearly as forgiving.
But are the criminals in this case targeting specific individuals? You can't teach them you're a good target if they're just firing at random anyway.
The 'you' in this case is all of us, collectively. Unfortunately, for the individual victim, paying is usually the best of a set of bad options, even though it is not the best one for us, collectively.
> Unfortunately, for the individual victim, paying is usually the best of a set of bad options

Is it?

From the perspective of the hacker, the hacker's best move is to take the money and simply demand more. There's zero incentive for the hacker to return the victim's data.

This becomes a probabilistic situation: the approach I'd take if I were a victim would be to borrow an analogy from poker for the problem of deciding whether to call in order to possibly win a pot. First, I'd determine how much the data is worth to me, and use that to determine my "pot odds":

    pot_odds = ransom / value_of_data
I'd then try to figure out how often hackers actually return the data on a ransom:

    odds_of_data_being_returned ~= times_data_has_been_returned_after_ransom_paid / times_ransom_has_been_paid
At this point, we can decide whether it's a rational choice to pay the ransom:

    if pot_odds < odds_of_data_being_returned:
        pay_the_ransom()
Areas for research: this is a pretty unsophisticated way of determining the odds of the data being returned. I don't have data on how often hackers return data upon being paid the ransom, but I suspect if we gathered data we could get a better probability. For example, one could use linguistic patterns in the hacker's communication to fingerprint different ransomware hackers, and use that to get a probability for each individual hacker. It's likely that some hackers never return the data, and some hackers always return the data, and each of these probabilities has drastically different effects on the outcome of our decision algorithm.
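As an added example (not the commenter's own code, nor anything from the thread), here is the pot-odds rule above carried through in Python, together with the per-operator estimate of the return rate that the comment lists as an area for research. The operator labels, case counts and dollar figures are constructed; the Laplace prior used to keep a barely-seen operator from looking like a certainty is my assumption, as is the fallback to the pooled rate when an operator has no history.

```python
"""Pot-odds ransom decision with a per-operator return-rate estimate.

Constructed example: every label, count and dollar figure below is made up
to show the arithmetic, not data about any real operator.
"""

# Constructed history of past cases: (operator_fingerprint, ransom_paid, data_returned).
# The fingerprint stands in for whatever attribution method (e.g. the linguistic
# patterns the comment mentions) groups cases by operator.
HISTORY = [
    ("op-A", True, True),
    ("op-A", True, True),
    ("op-A", True, False),
    ("op-B", True, False),
    ("op-B", True, False),
    ("op-C", True, True),
]


def return_rate(history, operator=None, prior_returned=1, prior_paid=2):
    """Estimate P(data returned | ransom paid).

    With operator=None the estimate pools every case; otherwise only that
    operator's cases count. A Laplace prior (assumed: 1 return out of 2 payments)
    keeps an operator with one or two cases from scoring 0% or 100%.
    """
    paid = prior_paid
    returned = prior_returned
    for op, was_paid, was_returned in history:
        if operator is not None and op != operator:
            continue
        if was_paid:
            paid += 1
            if was_returned:
                returned += 1
    return returned / paid


def pot_odds(ransom, value_of_data):
    """The comment's 'pot odds': what you stake relative to what you stand to win."""
    if value_of_data <= 0:
        raise ValueError("value_of_data must be positive")
    return ransom / value_of_data


def expected_value_of_paying(ransom, value_of_data, p_returned):
    """Expected gain from paying: recover the data with probability p, lose the ransom always."""
    return p_returned * value_of_data - ransom


def should_pay(ransom, value_of_data, p_returned):
    """The comment's rule: pay only if pot odds are below the chance of getting data back.

    ransom / value < p  is the same inequality as  p * value - ransom > 0,
    so this agrees with expected_value_of_paying being positive.
    """
    return pot_odds(ransom, value_of_data) < p_returned


def decide(ransom, value_of_data, history, operator):
    """Full decision for one case, with a fallback (assumed) to the pooled rate
    when the operator has never been seen before."""
    seen = any(op == operator for op, _, _ in history)
    p = return_rate(history, operator if seen else None)
    return {
        "operator": operator,
        "p_returned": p,
        "pot_odds": pot_odds(ransom, value_of_data),
        "expected_value": expected_value_of_paying(ransom, value_of_data, p),
        "pay": should_pay(ransom, value_of_data, p),
    }


if __name__ == "__main__":
    # Same ransom and data value, three operators with different track records.
    for op in ("op-A", "op-B", "never-seen"):
        print(decide(300, 1000, HISTORY, op))
```

The point the numbers make is the one the comment gestures at: with the same ransom and the same data value, the decision flips purely on which operator you believe you are dealing with, which is why the pooled "how often do hackers return data" figure is too coarse on its own.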
Not in the long-term, because then they gain a reputation as someone not to be "trusted". Many of these outfits have their own support forums, make it easy to pay, etc., and happily hand your data back over because they make money in volume, not from one particular mark. If you gain a reputation as being easy to work with, unlocking data, and offering the support to do so, many more people will pay just to get rid of the headache when their computers are locked down.
While I'm sure this is true and some hackers behave based on this idea, there are two issues:

1. "Many of these outfits" is not all: we still need a way to determine whether we should pay a ransom.

2. I'm sure I could manufacture a support forum which shows me to be trustworthy in an afternoon.

For (1), this is the reason the ransom is small. Since "many" are actually trustworthy, it's a small risk to pay the relatively small ransom. (Also, you can verify via bitcoin address if you're dealing with a hacker who is known to give data back.)

For (2), could you also find a way to get the FBI to release a statement saying you are trustworthy?

The vast majority of the "hackers" never see you signing in and paying the Bitcoin. The systems are automated to the point that paying the ransom triggers a process that results in the browser passing the decryption key back to the client-side malware which then decrypts your file. Electronic software delivery is a much more economical way for these enterprising thugs to be profitable at scale.
"> Unfortunately, for the individual victim, paying is usually the best of a set of bad options

Is it?"

Also, think what would happen if a ransomer failed to give the data back after being paid. The only benefit for the ransomer on that mark is to then say, "No, now I want x-more dollars." What is the mark going to do then, once the ransomer has proven untrustworthy? Give them yet more money?

99% of the time, no, the mark will give them nothing, but it only takes 1% to make it viable.

I do buy the reputation argument when applied on a larger scale, though. I didn't realize that some of these operations were as large as other commenters have pointed out.

Most ransomware cases aren't targeted; they are opportunistic. Ransomware spreads like normal malware rather than some targeted "APT" operation.

And while initially ransomware operators were quite "solid" and, for lack of a better word, "trustworthy", the popularization of it led to everyone and their mother writing ransomware in hopes of getting a quick buck.

In those cases you can't even rely on the encryption being recoverable, because the malware itself is utter garbage and the criminals don't care or don't even have the technical skills to operate a full ransom cycle campaign.

It's not uncommon to see even fairly fresh ransomware examples in the wild with dead BC wallet addresses, banned PayPal, Skrill (and other transaction providers') accounts, incorrect routing numbers, etc.

This isn't 5-10 years ago, where some ransomware would actually give you a VoIP phone number/Skype/email to call or mail, and you would get to speak to some Russian or Malaysian guy, give them the money, and actually get a key to recover your data.

Sure, some ransomware operators still operate that way, and some have more sophisticated automated systems with C&C servers, but most figured out that it doesn't matter, because they are in it for the quick buck, and well, if you are going to commit a crime, then why not fraud/scam your target in the same swoop.

Ironically, this reality led to the more established organized crime organizations that employ ransomware to generate income actively fighting against the new waves of quick-cash ransom scams, because they need people to still have some trust in the fact that they can get their data back if they pay.

Even firing at random is a better strategy in a target-rich environment compared to an environment where your targets either don't pay out or attempt to fight back.
As soon as you pay you will be a specific target for the future.
That poem has evidently been set to music by Leslie Fish. But all I can find is a parody -- https://www.youtube.com/watch?v=BllIODb81Q8

And if you don't get the parody reference -- it's to the classic "You Bash the Balrog".

Actually, I think Mineral Rights is another Fish/Kanefsky parody of the same song.

That one's a reference to a ST:TOS episode.

https://www.youtube.com/watch?v=FPvw0mHbyd0

Not really relevant where (1) they're generally not targeting specific individuals, and (2) once you pay the ransom one time, you can mitigate your future risk with backups and other measures.
> (2) once you pay the ransom one time, you can mitigate your future risk with backups and other measures.

This is assuming they bother to give back your data.

That's true from a societal perspective, but from the perspective of the victim of ransomware, "just pay the ransom" is even worse advice. Once you have paid the ransom, what incentive does the hacker have to fulfill their end of the bargain? If, for example, a hacker encrypts your hard drive and demands bitcoins as payment, paying the hacker means you're likely out a few bitcoins AND your hard drive is still encrypted.
In this case, I believe both of you are wrong. The ability to blindly conduct ransom en masse changes the calculus.

First, the ransomers have every incentive to actually abide by their promise to decrypt. In essence, they're running a business. Whereas in a kidnapping situation, ransoms are high, ransomers tend to stay anonymous, and risk is high, with ransomware the monetary amounts involved are low, the ransomers typically conduct their actions under an established pseudonym, and the risk in upholding their side of the bargain is low. If they were to not hold up their end of the bargain and it became known that "LeetSquad" doesn't actually decrypt data, victims would stop paying. This would be a disaster.

Furthermore, while it's correct that a victim who pays signals their ease of being shaken down, again, the economics of the situation work in the victim's favor. These attacks aren't targeted. Given an effectively endless supply of potentially-paying victims, direct targeting is unnecessary, wasted effort. And again, risk of reputational damage is high. For evidence, look no further than this FBI recommendation!

For further evidence, consider the fact that in practice, these groups overwhelmingly keep their promises and don't appear to specifically re-target previous victims. They even, no joke, have online support staff who will work with you in the event of difficulties unlocking your data!

I had the idea once that one way to combat these groups would be to run a PR and news campaign attempting to convince the general population that ransomware groups will take the money and run, and that they'll just come after you again. Even if it isn't true, a successful campaign might do some serious damage to their profit margins.

> run a PR and news campaign attempting to convince the general population that ransomware groups will take the money and run

This would not be enough IMO. Creating and spreading malware that takes money and does NOT decrypt data will probably do. PR and news will follow. (And give that money to orphans or the starving as a self-justification :)

The hacker actually has incentive to fulfill their end of the bargain. If they didn't, the victim might go public with this, and then no one would ever pay the ransom.

The hacker wants to be trustworthy here so that new victims will be more likely to pay the ransom because they believe they will actually get their data back.

What's stopping a victim from paying the ransom and still going public and asserting that the ransomer didn't decrypt the hard drive which hurts the reputation (ha!) of the ransomer and causes other people not to pay?

This might be one of the smarter moves to make so long as you kept your identity as a victim anonymous so you don't get retargeted by the ransomer.

In practice the ransomers do exactly what they offer to do. Most of them are part of one of a very small group of criminal organizations. The Russian mob is making 10s of millions or 100s of millions a year on this. Why would you not fulfil your end of the bargain.