by hrehhf 3522 days ago
In a twisted sort of way, a person could destroy trust that paying the ransom will actually get your data back. Someone could create ransomware that will never decrypt, even after the ransom is paid. Once the victims know the dishonest ransomware is out there, that may ruin the revenue towards the "honest" ransomware.

Or better yet, only unlocks after you _haven't_ paid the bitcoin ransom in the allotted time period. If you just decrypt now it's Pascal's wager and the buy-in is $500, so most people buy and worst case scenario the guy who hit you was a dick trying to prove a larger point, but if the cultural narrative is "don't help the criminals / don't negotiate with terrorists!" then it would be rational and societally acceptable not to pay the ransom.
> Someone could create ransomware that will never decrypt, even after the ransom is paid.

This already exists: http://arstechnica.com/security/2016/07/posing-as-ransomware...

> "Once it executes it, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."

Makes me wonder if it's just buggy or intentional.
Considering that the operators must actively keep the backend alive and support the users, it's more likely they abandoned it for whatever reason.
In that case, the victims could refuse to pay ransom and the criminals will go out of business.
But a virus has zero marginal cost. Even one guy paying and they make money.
They have to weigh the risk of getting caught, especially if they piss off enough people. So one paying victim may not be enough for a criminal to go this route.
They are probably located in a country where it is easy to bribe the policemen, and factor that into their cashflow calculation.
It really depends on how much noise/attention they attract.

Bribing one policeman or a department, or a national level LE body, and so on?

Due to the nature of the internet and social media there is an ever decreasing chance of flying under the radar.

Even if a country's entire infrastructure is corrupt, you would still have to deal with a never ending list of 'beaks to wet'.

That's actually a bigger risk.

If there's no police protection for the victims there's also little police protection for the criminal.

If I were a ransomware scammer I'd rather be caught and jailed than killed by irate victims or competing criminals.

Kind of surprised no one's actually done this. I mean, there have to be at least a few really bored trolls and griefers out there who mess around with people's systems for 'fun' rather than money. I'm sure some teen in an ex-Soviet state somewhere would find it funny to watch someone have a breakdown when their cash doesn't get them their work back.

Or that some criminal group/mafia would use it to try and 'sink' their rivals. After all, a gang in competition with whoever makes these malware programs would probably love to shut down their revenue from ransomware. With, say, their rivals' name attached to the cruel hoax.

Still, I suspect something like this will happen at one point.

...it now occurs to me that if, using one of the million or so compromised ad networks, you wrote something that would pop up the following message in people's browsers:

"Hi there! Your computer has been infected with a virus which will encrypt one file on your computer at random each day. You can stop this, and decrypt all the files by paying X to bitcoin wallet Y. Don't wait too long, because if you wait too long, we might encrypt some system file and it won't boot any more."

and which did nothing else whatsoever

...then you'd probably actually get some income.

It'd be an interesting (if ethically awful) sociological experiment to find out exactly how much. Returning people's money afterwards, of course.

My neighbour came to me last week to ask for help. Exactly that had happened to him, from, of all things, a Facebook ad. It was a simple matter of killing the browser, but it had put up a phone number for "support" that he had already called, but which was busy... so I guess they were having a fair amount of success. Wish I'd taken a photo.
Of course. cough :)
Couldn't you do the same thing with less of a human cost by merely telling people about cases where the ransomware was unreliable, and refusing to spread the information that it was reliable?
Or we could be slightly less nefarious and create ransomware that decrypts everyone's stuff after the allotted time but leaves a congratulatory "thank you for not cooperating with criminals" message to the people that didn't pay...
> Or we could be slightly less nefarious and create ransomware that decrypts everyone's stuff after the allotted time but leaves a congratulatory "thank you for not cooperating with criminals" message to the people that didn't pay...

Please don't do this. People (some would call them victims of cyber crime but not me) are EVIL and if they can trace it back to you, they will sue you. Doing this is not a good idea except as a thought experiment.

It is probably obvious to a lot of people but there are still good people out there who believe in the goodness of people so I thought I should spell it out.

I agree, creating malicious software designed to seriously inconvenience people and demand money from them is not a good idea. Never mind being sued, creating and distributing viruses is a felony in most jurisdictions even if it doesn't look like extortion. But on a scale of bad ideas, ransomware that appears to reward you for ignoring it is still a slightly less bad way of encouraging people to ignore ransom demands than ransomware that just punishes everyone.