by csydas 3664 days ago
> In the meantime, beyond alerting criminals that ransomware is big business, it will probably also be used as an excuse to pass more CISA-like surveillance laws (which will do absolutely nothing to stop the rise of ransomware).

See, I actually don't think that this will change the level of deployment for ransomware. Ransomware has proven its effectiveness from the very first time it hit the web; it's a low-cost, high-return form of malware due to the nature of its operations. Whereas other forms like scareware and annoying malware can often be dealt with, albeit at the cost of time and sometimes money, ransomware has a very clear and tangible cost to the user: their data. For home users, it's somewhat easier to suggest that while the loss of an entire photo directory is tragic, it's not worth the $400. But when you start getting to actual important data, for example student records, accounting records, or large business projects, asking users to take a stand on principle becomes a lot more difficult, especially since in some cases they have a legal obligation to try to remedy the situation.

Ransomware is a low-risk venture for ne'er-do-wells because it's shooting fish in a barrel. Point your spambot at any major institution and you're bound to get a hit on something that holds essential data for that institution. Combine this with the fact that even after decades of home computer hard drive failures and nearly a decade of cloud storage being commonplace, people are still really bad at backing up their important things.

Our reliance on data and our poor ability (often inability) to mitigate the damage done by data loss is what will keep ransomware firing, regardless of how many institutions are able to take a public stand against the extortion. The barrier to entry is so low that a failure to collect from victims is virtually meaningless. The attackers are out virtually nothing, and can attack ad nauseam because they know sooner or later they'll get a hit where the cost of the data loss far exceeds the cost of the decryption key; and as long as the attackers occasionally make good on the sale of the decryption key, there's always going to be the hope from users that "maybe if we pay we can fix this".

A principled stand isn't what is going to be necessary to fix ransomware; major changes in how the public handles its data and in how OSes work with/detect ransomware are going to have to happen first. Until then, anyone who refuses is pretty much just getting a Pyrrhic victory; the attackers might not get their payout, but the cost to the victim is far greater.