by sameboat632746 1865 days ago
I think criminal penalties are too much. I think at some point paying the ransom is better than not paying, for example, in the case of attacks on hospitals. People can literally die.

What needs to happen is that when an organization skips IT security practices, it should face large monetary penalties and its executives should be held responsible, with no golden parachutes for them. You can imagine that any factory where they don't follow OSHA safety guidelines will get in major trouble.

2 comments

> in case of attacks on hospitals. People can literally die.

Setting aside the appeal to emotion, there are a couple of things to unpack. In real-world ransom kidnappings, life and death were always at stake and the government still errs on the side of not paying.

Second, you presume ransomware authors are prepared to commit murder. If a hospital cannot legally pay, the only thing to gain by shutting it down is murder.

Kidnapping for ransom is basically a dead enterprise in the US because of laws essentially forbidding the paying of ransom. Your appeal to emotion is exactly the sort of thing that ransomware gangs want people to hear, because it's how they make money. In the long run, though, it's a terrible idea.

> Kidnapping for ransom is basically a dead enterprise in the US because of laws essentially forbidding the paying of ransom.

This is bullshit. US laws do not prohibit ransom payments except to sanctioned and/or designated entities which tend to not operate within the US.