by wisechengyi 3664 days ago
Raise public awareness?

That can do some good in the long term. It will eventually get operating system vendors to enforce much stricter security measures by default that perhaps they wouldn't have considered otherwise or anytime soon, because they would "break legacy code" or whatever.

It's also good that this is coming at a time before the rise of self-driving cars. Because the vast majority of car makers seem to know nothing about security, yet are eagerly jumping head first into always-connected, self-updating and digital-first self-driving cars. I'm guessing people are going to raise hell when ransomware arrives for their cars. And I think the car makers will be "shocked" (shocked, I tell you), that this will be happening, and will say something dumb like "Nobody could have ever predicted this! - it's why we never implemented good security in the first place."

However, because the OS/hardware vendors are only going to be dragged kicking and screaming into implementing stricter security measures, it's going to be a while before stricter security arrives.

In the meantime, beyond alerting criminals that ransomware is big business, it will probably also be used as an excuse to pass more CISA-like surveillance laws (which will do absolutely nothing to stop the rise of ransomware).

It could also be used as yet another excuse to end strong crypto (because obviously ransomware uses crypto). But of course, it's not like the Russian or Chinese criminals doing this are going to care that the US has a ban on strong crypto. So yet again a solution that does nothing to stop the rise of ransomware, but would still make it much worse for all of us, and it could even be a step back in the fight against ransomware.

>In the meantime, beyond alerting criminals that ransomware is big business, it will probably also be used as an excuse to pass more CISA-like surveillance laws (which will do absolutely nothing to stop the rise of ransomware).

See, I actually don't think that this will change the level of deployment for ransomware. Ransomware has proven its effectiveness from the very first time it hit the web; it's a low-cost, high-return form of malware due to the nature of its operations. Whereas other forms like scareware and annoying malware can often be dealt with, albeit at the cost of time and sometimes money, ransomware has a very clear and tangible cost to the user: their data. For home users, it's somewhat easier to suggest that while the loss of an entire photo directory is tragic, it's not worth the $400. But when you start getting to actually important data, for example, student records, accounting records, large business projects, asking users to take a stand on principle becomes a lot more difficult, especially since in some cases they have a legal obligation to try to remedy the situation.

Ransomware is a low-risk venture for ne'er-do-wells because it's shooting fish in a barrel. Point your spambot at any major institution and you're bound to get a hit on something that has essential data to that institution. Combine this with the fact that even after decades of home computer hard drive failure and nearly a decade of cloud storage being commonplace, people are still really bad at backing up their important things.

Our reliance on data and our poor ability (often inability) to mitigate the damage done by data loss is what will keep ransomware firing, regardless of how many institutions are able to take a public stand against the extortion. The barrier to entry is so low that a failure to collect from victims is virtually meaningless. The attackers are out virtually nothing, and can attack ad nauseam because they know sooner or later they'll get a hit where the cost of the data loss far exceeds the cost of the decryption key; and as long as the attackers occasionally make good on the sale of the decryption key, there's always going to be the hope from users that "maybe if we pay we can fix this".

A principled stand isn't what is going to be necessary to fix ransomware; major changes in how the public handles its data and in how OSes work with/detect ransomware are going to have to happen first. Until then, anyone who refuses is pretty much just getting a Pyrrhic victory; the attackers might not get their payout, but the cost to the victim is far greater.