by no_protocol 3510 days ago
Has a ransomware or botnet perpetrator been convicted of a crime in any country?

Morris was convicted under the CFAA; it's surprising to me that it isn't a "regular" thing to hear about another hacker getting convicted on a daily basis. What are the reasons this doesn't happen? I understand they can hide their identity, etc., but are there even active investigations? Is there a single biggest reason why, like not being able to prove which person caused something to happen?

I don't really like real world analogies for computer systems, but if there was a big line of people in masks knocking at my door and trying 100s of different keys in the lock, 24/7, I'd probably seek some legal remedy rather than just getting more locks.

2 comments

It's really hard to track down the perpetrator unless they make a mistake. Even if you tracked the perpetrator down, there is a very good chance they are in Eastern Europe or some other country/region that will not prosecute or extradite them.

So basically it's almost certainly a waste of time for law enforcement and they mostly don't bother. If they did, we would see command/control moved inside Tor and it would become even more difficult to track (AFAIK this already happens in the more sophisticated botnets).

The appropriate analogy is probably something like fake check scams. Illegal, but difficult to trace and likely to lead to a dead end.

> The appropriate analogy is probably something like fake check scams. Illegal, but difficult to trace and likely to lead to a dead end.

Oops, I actually jumped topics for the final paragraph and was making an analogy about scanners trying random passwords on a known port, or similar.

Well - and this goes for ransomware too - if you are smart then you aren't doing the portscanning or mailing from your personal PC. It's coming from compromised PCs or IoT devices in a botnet. So tracking down the perpetrator still involves finding the well-concealed owner of a botnet.

As a mitigation strategy you can certainly perform filtering and rate-limiting at a firewall, or even blacklisting certain IPs. I'm pretty sure there are already collectively-maintained blacklists of badly-behaved machines/devices. But you're really just taking some compromised PCs off the net, not going after the perpetrator.
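The firewall filtering and IP blacklisting mitigation mentioned above, as an added example that is not part of the thread or anyone's posted code: it parses OpenSSH-style "Failed password" lines, flags source IPs that cross a failure threshold inside a sliding time window, and renders nft commands to drop them. The log lines are constructed samples, and the threshold, window, table and set names are assumptions chosen for illustration. It also shows the tuning trade-off a practitioner hits in practice: a scanner that spaces its attempts out beyond the window is not caught unless the window is widened.

```python
"""Brute-force source detection over sshd-style auth log lines.

Added example, not from the thread: counts failed logins per source IP
inside a sliding window and emits block rules for offenders.  The log
lines below are constructed samples in the common OpenSSH syslog format;
the threshold, window, nft table and set name are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (syslog-style sshd output, not real traffic).
# 203.0.113.5 hammers the port; 198.51.100.7 is a user who mistyped once;
# 192.0.2.9 is a slow scanner spacing attempts 20 minutes apart.
SAMPLE_LOG = """\
Mar 14 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 14 10:00:03 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 40123 ssh2
Mar 14 10:00:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar 14 10:00:05 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Mar 14 10:00:06 host sshd[1205]: Failed password for invalid user pi from 203.0.113.5 port 40126 ssh2
Mar 14 10:00:07 host sshd[1206]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 14 10:00:09 host sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Mar 14 10:20:00 host sshd[1208]: Failed password for invalid user admin from 192.0.2.9 port 6000 ssh2
Mar 14 10:40:00 host sshd[1209]: Failed password for invalid user admin from 192.0.2.9 port 6001 ssh2
Mar 14 11:00:00 host sshd[1210]: Failed password for invalid user admin from 192.0.2.9 port 6002 ssh2
Mar 14 11:20:00 host sshd[1211]: Failed password for invalid user admin from 192.0.2.9 port 6003 ssh2
Mar 14 11:40:00 host sshd[1212]: Failed password for invalid user admin from 192.0.2.9 port 6004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed(line, year=2024):
    """Return (timestamp, ip, user) for a failed-login line, else None.

    Syslog lines carry no year, so one is supplied (assumed 2024 here).
    """
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> time it first reached `threshold` failures in `window`.

    Lines are assumed to be in chronological order.  A deque per IP holds
    recent failure timestamps; entries older than `window` relative to the
    newest failure are dropped before counting, so a slow scanner that
    spaces attempts out beyond the window is NOT flagged unless the caller
    widens the window or lowers the threshold.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def nft_rules(offenders, table="inet filter", set_name="bruteforce", ttl="1h"):
    """Render nft commands adding offenders to a timed set (assumed layout).

    Assumes the set and a drop rule already exist, e.g.:
        nft add set inet filter bruteforce '{ type ipv4_addr; flags timeout; }'
        nft add rule inet filter input ip saddr @bruteforce drop
    The per-element timeout lets entries age out instead of blocking a
    compromised host forever once it is cleaned up.
    """
    return [
        f"nft add element {table} {set_name} {{ {ip} timeout {ttl} }}"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule in nft_rules(find_offenders(lines)):
        print(rule)
    print("with a 2h window:", sorted(find_offenders(lines, window=timedelta(hours=2))))
```

With the default 10-minute window only 203.0.113.5 is blocked; widening the window to two hours also catches the slow scanner at 192.0.2.9, while the single failed attempt from 198.51.100.7 is never blocked. As the comment above notes, this only takes one compromised host off your door; the operator behind it is untouched.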

Some do, see http://arstechnica.com/uncategorized/2006/08/7601/ , but it's hard for US authorities to find and prosecute someone in a place like China.