by iamsohungry 3888 days ago
That's true from a societal perspective, but from the perspective of the victim of ransomware, "just pay the ransom" is even worse advice. Once you have paid the ransom, what incentive does the hacker have to fulfill their end of the bargain? If, for example, a hacker encrypts your hard drive and demands bitcoins as payment, paying the hacker means you're likely out a few bitcoins AND your hard drive is still encrypted.

In this case, I believe both of you are wrong. The ability to blindly conduct ransom en masse changes the calculus.

First, the ransomers have every incentive to actually abide by their promise to decrypt. In essence, they're running a business. Whereas in a kidnapping situation, ransoms are high, ransomers tend to stay anonymous, and risk is high, with ransomware the monetary amounts involved are low, the ransomers typically conduct their actions under an established pseudonym, and the risk in upholding their side of the bargain is low. If they were to not hold up their end of the bargain and it became known that "LeetSquad" doesn't actually decrypt data, victims would stop paying. This would be a disaster.

Furthermore, while it's correct that a victim who pays signals their ease of being shaken down, again, the economics of the situation work in the victim's favor. These attacks aren't targeted. Given an effectively endless supply of potentially-paying victims, direct targeting is unnecessary, wasted effort. And again, risk of reputational damage is high. For evidence, look no further than this FBI recommendation!

For further evidence, consider the fact that in practice, these groups overwhelmingly keep their promises and don't appear to specifically re-target previous victims. They even, no joke, have online support staff who will work with you in the event of difficulties unlocking your data!

I had the idea once that one way to combat these groups would be to run a PR and news campaign attempting to convince the general population that ransomware groups will take the money and run, and that they'll just come after you again. Even if it isn't true, a successful campaign might do some serious damage to their profit margins.

> run a PR and news campaign attempting to convince the general population that ransomware groups will take the money and run

This would not be enough IMO. Creating and spreading malware that takes money and does NOT decrypt data will probably do. PR and news will follow. (And give that money to orphans or the starving as a self-justification :)

The hacker actually has incentive to fulfill their end of the bargain. If they didn't, the victim might go public with this, and then no one would ever pay the ransom.

The hacker wants to be trustworthy here so that new victims will be more likely to pay the ransom because they believe they will actually get their data back.

What's stopping a victim from paying the ransom and still going public and asserting that the ransomer didn't decrypt the hard drive, which hurts the reputation (ha!) of the ransomer and causes other people not to pay?

This might be one of the smarter moves to make so long as you kept your identity as a victim anonymous so you don't get retargeted by the ransomer.

In practice the ransomers do exactly what they offer to do. Most of them are part of one of a very small group of criminal organizations. The Russian mob is making tens of millions or hundreds of millions a year on this. Why would you not fulfil your end of the bargain?