by toennisforst 3512 days ago
> When [you are infected with ransomware], you can’t get to the data unless you pay a ransom. However this is not guaranteed and you should never pay!

What bothers me about their advice is that it is only correct macroeconomically. For your particular case it could be the best solution to just pay - as even police departments have done before.

It also ignores that it is in cybercriminals' best interest to let you decrypt after you paid: They need their victims to trust them, and they have nothing to gain from keeping the files encrypted after payment.

9 comments

It's been pointed out in the past that most ransomware services have better customer support than paid services. That's because they stand to gain $XXX from each successful interaction and they stand to lose substantially more if they have a reputation of not returning the data.
That's just hilariously twisted.
It's such a perfect example of how human systems are molded by underlying incentives.

Of course, the incentives themselves arise within immense cultural and technological contexts. Hopefully one day we see further past the dense fog of complexity. Assuming we aren't adding to it at a faster rate...

> Of course, the incentives themselves arise within immense cultural and technological contexts.

To twist it even further, note that the shifts of culture and technology are directed by aggregated incentives of people. What a nice and strong feedback loop there. Only shows how little control societies have over where they're going.

The market works!
The invisible hand.
In a twisted sort of way, a person could destroy trust that paying the ransom will actually get your data back. Someone could create ransomware that will never decrypt, even after the ransom is paid. Once the victims know the dishonest ransomware is out there, that may ruin the revenue towards the "honest" ransomware.
Or better yet, only unlocks after you _haven't_ paid the bitcoin ransom in the allotted time period. If you just decrypt now it's Pascal's wager and the buy-in is $500, so most people buy and worst case scenario the guy who hit you was a dick trying to prove a larger point, but if the cultural narrative is "don't help the criminals / don't negotiate with terrorists!" then it would be rational and societally acceptable not to pay the ransom.
> Someone could create ransomware that will never decrypt, even after the ransom is paid.

This already exists: http://arstechnica.com/security/2016/07/posing-as-ransomware...

> "Once it executes it, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."

Makes me wonder if it's just buggy or intentional.
Considering that the operators must actively keep the backend alive and support the users, it's more likely they abandoned it for whatever reason.
In that case, the victims could refuse to pay ransom and the criminals will go out of business.
But a virus has zero marginal cost. Even one guy paying and they make money.
They have to weigh in the risk of getting caught, especially if they piss off enough people. So one paying victim may not be enough for a criminal to go this route.
They are probably located in a country where it is easy to bribe the policemen, and factor that into their cashflow calculation.
Kind of surprised no one's actually done this. I mean, there has to be at least a few really bored trolls and griefers out there who mess around with people's systems for 'fun' rather than money. I'm sure some teen in an ex-Soviet state somewhere would find it funny to watch someone have a breakdown when their cash doesn't get them their work back.

Or that some criminal group/mafia would use it to try and 'sink' their rivals. After all, a gang in competition with whoever makes these malware programs would probably love to shut down their revenue from ransomware. With, say, their rival's name attached to the cruel hoax.

Still, I suspect something like this will happen at one point.

...it now occurs to me that if, using one of the million or so compromised ad networks, you wrote something that would pop up the following message in people's browsers:

"Hi there! Your computer has been infected with a virus which will encrypt one file on your computer at random each day. You can stop this, and decrypt all the files by paying X to bitcoin wallet Y. Don't wait too long, because if you wait too long, we might encrypt some system file and it won't boot any more."

and which did nothing else whatsoever

...then you'd probably actually get some income.

It'd be an interesting (if ethically awful) sociological experiment to find out exactly how much. Returning people's money afterwards, of course.

My neighbour came to me last week to ask for help. Exactly that had happened to him, from of all things a Facebook ad. It was a simple matter of killing the browser, but it had put up a phone number for "support" that he had already called, but which was busy... so I guess they were having a fair amount of success. Wish I'd taken a photo.
Of course. cough :)
Couldn't you do the same thing with less of a human cost by merely telling people about cases where the ransomware was unreliable, and refusing to spread the information that it was reliable?
Or we could be slightly less nefarious and create ransomware that decrypts everyone's stuff after the allotted time but leaves a congratulatory "thank you for not cooperating with criminals" message to the people that didn't pay...
> Or we could be slightly less nefarious and create ransomware that decrypts everyone's stuff after the allotted time but leaves a congratulatory "thank you for not cooperating with criminals" message to the people that didn't pay...

Please don't do this. People (some would call them victims of cyber crime but not me) are EVIL and if they can trace it back to you, they will sue you. Doing this is not a good idea except as a thought experiment.

It is probably obvious to a lot of people but there are still good people out there who believe in the goodness of people so I thought I should spell it out.

I agree, creating malicious software designed to seriously inconvenience people and demand money from them is not a good idea. Never mind being sued, creating and distributing viruses is a felony in most jurisdictions even if it doesn't look like extortion. But on a scale of bad ideas, ransomware that appears to reward you for ignoring it is still a slightly less bad way of encouraging people to ignore ransom demands than ransomware that just punishes everyone.
> What bothers me about their advice is that it is only correct macroeconomically.

That's because it's the correct advice. Ransom is a very old business, and experience throughout history shows you should never pay the danegeld[1].

> ignores that it is in cybercriminals' best interest to let you decrypt after you paid

That isn't being ignored. Paying the ransom is short-term thinking. Of course they will let you decrypt. By paying them you establish yourself as an easy/reliable mark that will probably pay again in the future. Paying would only make sense if you could somehow guarantee it was an isolated event.

[1] http://www.poetryloverspage.com/poets/kipling/dane_geld.html

Not only that, they know people close to you are potential targets as well (e.g. your mail contacts, Facebook contacts), because more likely than not they are in the same economic bracket and are just as "savvy" technologically speaking.
You can guarantee that it is an isolated event by backing up your files in the future. I imagine most victims are embarrassed and try to think of it as an expensive lesson.
It doesn't ignore any of the things you said. Yes, it's most likely better for you to pay. This kind of selfish thinking is, like many other kinds of selfish thinking, what enables this type of crime in the first place.

Sure the criminals will release your files. Just like with regular, "meatspace" ransom, only a stupid criminal would not release hostages after having their demands met. It's in their best interest to do so. But if people by default don't give in to ransom threats, the whole business model becomes unviable for criminals.

So yeah, this advice is kind of like with vaccination and quarantines - it's not just about you. It's about all of us.

I'd say just like in real life, stupid criminals exist. If criminal A says to criminal B "I'll sell you a solution that encrypts their files and I'll host the decryptor for 5$ a month" I can totally see a dumb criminal B being fully willing to rely on the reputation of ransomware as working to not pay that 5$ a month.

To a certain criminal any effort, no matter how minuscule, at actually providing a way to decrypt the files is useless, and I think with the reputation that's spread about ransomware we're at a point where more scammers will start to piggyback on that reputation and stop following through.

It's better for you not to pay, because it means that you're the sort of person who isn't worth trying to extort.
> For your particular case it could be the best solution to just pay - as even police departments have done before.

It could be the best solution for you to pay - if you don't care that you'll finance the attacks on other people and cause more harm overall.

So yes, from a purely egoistic perspective it makes sense.

The question you should ask is not "is it worth paying xxx for my data?", it's "is it worth paying xxx for my data and destroy the data of someone else?".

One option gives an immediate, personally beneficial effect - "you get your files back".

The other option gives you an immediate, personal loss - "your files are gone" - together with an all but unobservable, mid- to longterm benefit for society.

You can of course hope for the majority to take the second option, but hope is the first step on the path to disappointment.

But your individual case isn't going to affect their behavior. If you wanted to change the situation, not paying simply isn't going far enough. You'd need to coordinate with other potential victims or do something like this website and spread defenses. Without putting effort into organization, your thinking that you've helped others is pure egoism because these schemes only require a few people to pay to be profitable.
Welcome to the real world. It's twisted in exactly this, game-theoretical way.

In case of ransomware, criminals are exploiting the very difficulty of victims to coordinate their actions. They depend on you paying instead of solving it yourself, educating others, or even simply calling the police. In other words, they profit directly off people's short-term, selfish thinking. The advice of defaulting to not paying is sound because if enough people follow it, the whole ransom stops being viable, which makes ransomware attacks stop coming.

The same, by the way, is the tried and true way of dealing with regular, meatspace, "I kidnapped your daughter" ransom cases.

> But your individual case isn't going to affect their behavior.

It isn't going to affect them much. But as anybody who runs a business knows, the difference between loss and profit generally hinges on a number of sensitive factors. Note, for example, that drug dealing pays so poorly that many drug dealers live with their moms:

http://articles.latimes.com/2005/apr/24/opinion/oe-dubner24

Refusing to pay on your own doesn't help other people much, but it still helps.

That's a convincing argument.
That assumes that other people even do exist, and how do you know that? You could be in a computer simulation of some kind.
They don't need anyone to trust them and they have nothing to gain from decrypting your files.

They may be a 14 year old kid who ran some kit that somebody else made. If they collect $50 from 25 people, they will be stoked.

Or they may be a sophisticated criminal organization that wants to build long-term viability.

It's impossible to know which it is. But it is guaranteed that they are criminal and inherently untrustworthy. It is also guaranteed that any money you pay will finance the next wave of more sophisticated malware.

So, no, you cannot trust them to do good. You can trust them to do bad. Now, make your microeconomic choice.

That problem comes up with collective action all the time. Workers rights in developing countries for example... if all of the workers banded together to resist their employer's unfair treatment then... blah blah blah.. but in reality average people are awful at joining together to create a change that results in a greater good. When people are isolated and feel the impact of some injustice, they tend to give up fairly quickly without any thought given to what would be best for the greater good. That's my experience of life anyway. Rationality doesn't work very well in abstracted problems that involve reasoning about how you should suffer in this moment for the greater good of everyone suffering such moments. So the scammers are smart to make the cost of cooperating fairly low in a lot of cases. It's definitely easier to pay up than to try to make a federal case out of it. And honestly your inconvenience is not going to cause the wheels of law enforcement to spin fast to figure out which international gang is targeting you. If you don't pay you probably won't ever get anything back and law enforcement won't do anything about it. So really what's the point of personal heroics here other than rational arguments about what the right move would be from a game theoretic point of view? Just pay and move on.
This comment contains a policy suggestion. I want it to become law in the United States and elsewhere.

I can't quite use the word "literally" but I almost can so I'll do so anyway: if you pay a ransom, you are literally paying for your party to attack someone else. And you are actually literally (not metaphorically) funding their next attack.

Paying a ransom should be a criminal act that is twenty times worse than asking for one. It should be illegal for the exact same reason that possession of stolen goods is illegal.

On a microeconomic level it might make sense for you personally to buy stolen goods off the street: the existence of the laws making you a criminal if you do no longer makes this true.

If you drive a car you are literally contributing to global warming. If you pay taxes you are literally funding bombs and missiles. If you download big files you are literally taking bandwidth away from your neighbors.

Hyperbole does not a rational argument make.

You are not drawing any policy conclusions from your statements.

You state that "if you drive a car you are literally contributing to global warming" which implies the policy statement "if it is illegal to drive a car, contribution to global warming decreases" and use this to imply it's not a rational argument to make it illegal to drive cars.

To your great surprise, I will now state that it is actually already illegal to drive cars, and it actually does have the exact effect that you say is not a rational conclusion:

http://www.dmv.org/articles/what-to-do-if-your-car-fails-an-...

Today, today, it is literally illegal to drive a car....which doesn't meet EPA standards! As a direct effect, people do not buy and drive cars which fail emissions standards.

So, yes, the exact policy suggestion that you don't go quite as far as to argue for actually is being enforced and actually demonstrably has the exact effect that you (only imply) doesn't happen.

Since you don't even imply any policy conclusions for the other two points I can't address them, I have no idea why you would mention them.

(If the government made it illegal to collect or pay taxes, obviously its tax base would evaporate overnight, this goes without saying, nobody would illegally pay money to the government out of civic duty despite its now being illegal to do so.)

None of those are hyperbolic, they are just true facts. Understanding the macroeconomic demand you are participating in isn't hyperbolic.

Buying elephant tusks promotes the killing of elephants, regardless of where they came from because the demand you created supports a price in favor of bad actors as well.

Knowingly buying stolen goods is illegal because they are still not yours even if you 'bought' them.

Paying a ransom to get your own property back because it is yours is not even in the same ballpark.

We'll agree to disagree on whether it's in the same ballpark. I see the difference you point out, sure.
Anyone downvoting this should read Thomas Schelling's Strategy of Conflict. At one point in time in England it was punishable by death to pay ransom to pirates.
Yet the modern world decided to go back on that.

The principle being that you are not (as) responsible for what you do under duress.

The point of such a law is not to punish ransom payers but to make it so that they never are asked for ransom in the first place.
This is a good and important point. However is data ransom this kind of duress?

In a sense, paying a ransom is taking the law into your own hands -- rather than say to the FBI, "criminals have asked me for ransom" you are interacting with the criminals directly.

On a literal level you are literally transferring cold hard cash to them.

You make a good argument for why the policy suggestion I made is not a good idea, but I am not entirely convinced by it. As a rule it is not a good idea to engage in vigilante behavior.

Lawmakers and judges would have to use their discretion here and come up with quite nuanced laws.

Yes, it's duress. I'm sure you having 10 years of your life locked up in an encrypted vault would put a cramp in your style.

>transferring cold hard cash to them

So? If I go to the 7-11 and buy a soda, and the cashier has been skimming the till, I am transferring cold hard cash to a thief.

The difference you keep skipping over is mens rea and I suggest you read up on it before you sound more foolish than you already are.

That last sentence was really uncalled-for. I think you don't really understand that I was discussing an economic argument.

Regarding putting a cramp in your style - how about if a thief has stolen your phone with valuable something on it that isn't anywhere else, but you have an application that tells you where the phone is and you own a shotgun. Can you go and get your phone back by force if in your calculation it has a higher chance of actually solving your immediate problem, than involving the police? Why or why not? It's your phone. The thief knows what he did. The thief knows that it's yours.

I am not saying that there is no argument on your side of letting people take care of issues directly with criminals (whether by force or transferring ransoms), but there are important arguments on the other side as well. It's certainly not so clear-cut that you can start ending with petty insults (and please check your reply to be substantive if you reply to this.)

I think the fear is that they would ask for more money and/or they'd repeat the ransom again later.