by countrpt 831 days ago
Are… you really suggesting that the real problem here is not criminal extortion but that the payment approach isn’t safe enough to ensure their criminal associates get paid, and that this is what the feds should help improve?

I'm not invested enough to do the napkin math, but I wonder what costs more: ignoring security and paying the ransom, or investing in the right strategy to prevent being held ransom. If I consider my own experience in tech for the past few decades, I have to think it could go either way. (This says nothing of the damage releases of private data can do, which of course makes investing in the right strategy the correct thing to do, no matter the cost.)
From a cost perspective it'd be easy to be tempted into thinking you can play the odds and come out ahead. It's not like getting infected with ransomware is something that happens all the time.

Fortunately, not being negligent when it comes to security does a lot more than just protect you from ransomware extortionists. It can make it possible to easily recover data after all kinds of incidents (human error, software bugs, hardware failures, fires/floods, etc.) and also help keep you protected from other types of viruses/malware, malicious employees, corporate espionage, whistleblowers, and anyone else who would take your data and then actually use it instead of just demanding payment to make it go away. It can also prevent the reputational harm a company can suffer by having a data breach go public.

Good security is one of those things that could easily save a company way more than it costs them, but the costs are immediate and non-trivial, and companies seem to love to cut corners even when they know it'll screw them down the road, because they're pathologically short-sighted and it's hard to brag about doing something that didn't have an immediate and obvious impact on their next quarter's bottom line.