by 1_person 1863 days ago
The proportion of the population that will pay a ransom with a positive expected valuation will never be 0 unless you can guarantee that it is impossible to make a ransom offer which yields a positive expected valuation to the victim.

In effect this means that refusing to pay a ransom with a positive expected valuation subsidizes outcomes for those that do pay the ransom.


Or, really, what I mean to say is, there is no way to stop everyone from paying ransoms when we assume they are rational or even pseudo-rational actors, except by making it impossible for them to be presented with the choice of paying a ransom which makes sense to them to pay from their perspective.

For example, if someone is going to die based on the information, then we would have to be ready to kill that person anyway to make a point, and apparently have perfect information about everything except how to stop this tragedy from happening. In any case, the person being ransomed is essentially morally bound to pay the ransom, with the only difference in the vindictive justice case being that the tangentially but not necessarily meaningfully involved party is guaranteed to die, and that doesn't seem like the outcome we're looking for here, really.

>there is no way to stop everyone from paying ransoms when we assume they are rational or even pseudo-rational actors

I guess it depends on what the definition of rational is. Is it rational to give money to charity? People do that all the time because they feel it's the morally right thing to do.

>except by making it impossible for them to be presented with the choice of paying a ransom which makes sense to them to pay from their perspective

Yep, making it illegal to pay the ransom is a good way to stop people from having that choice. If police themselves are paying a ransom, that might make it hard to make it illegal.

>The proportion of the population that will pay a ransom with a positive expected valuation will never be 0 unless...

You don't need to get the proportion to 0 to help people. Reducing the proportion is helpful. If you reduce the number of people paying (say you convince half the population that it's immoral to pay), the ransomware gangs will be less profitable, and will invest less money in ransomware, and thus fewer people will be attacked.

Some fraction of every ransom paid is reinvested into making better ransomware and attacking more people.

> Yep, making it illegal to pay the ransom is a good way to stop people from having that choice. If police themselves are paying a ransom, that might make it hard to make it illegal.

Ransoming itself is already illegal and yet people still have the choice to do it.

Why would making paying the ransom illegal remove the choice to do it?

> You don't need to get the proportion to 0 to help people. Reducing the proportion is helpful. If you reduce the number of people paying (say you convince half the population that it's immoral to pay), the ransomware gangs will be less profitable, and will invest less money in ransomware, and thus fewer people will be attacked.

It's something that's trivial to automate which produces positive cash flow, which makes it something approaching a thermodynamic impossibility to prevent from happening.

We made spamming illegal. Most of what is spammed is already illegal. So there's no spam anymore, right?

The policy suggested produces obviously absurd outcomes when applied to plausible scenarios.

It does more harm than good, and is an emotional knee jerk which does not survive rational analysis.

>Ransoming itself is already illegal and yet people still have the choice to do it.

You mean the attackers? They're not in the US, so US law doesn't matter to them.

>Why would making paying the ransom illegal remove the choice to do it?

The attackers don't care about the law. For 2 reasons: (1) they live in countries without much enforcement, (2) they use online anonymity tools. Most US businesses care about following the law to a reasonable degree so they don't get in trouble. They are in the US where there is better law enforcement and since they're legitimate businesses with known addresses and employees, they cannot be anonymous.

>It's something that's trivial to automate which produces positive cash flow, which makes it something approaching a thermodynamic impossibility to prevent from happening.

There are many aspects that need human effort. People actively communicating for spear phishing and vishing. Negotiators to negotiate the amount. Customer support to help with payments. Customer support to help with decryption. Constantly updating the malware to avoid new detections from antivirus. Constantly updating the malware to take advantage of new vulnerabilities.

>We made spamming illegal. Most of what is spammed is already illegal. So there's no spam anymore, right?

I never said making ransomware illegal would make it disappear.