[CoastalCoder]

It seems obvious to me that the only real solution is to penalize the payment of ransoms. For the same reasons one doesn't negotiate with terrorists.

Is there some reason to believe that this isn't the best approach? And if not, then any theories as to why it hasn't been enacted?

[entuno]

It's one of those ideas that sounds nice in theory, but doesn't survive contact with the real world. In the same way that many people would say that you shouldn't negotiate with terrorists or kidnappers; but if it's their loved one who's being held and tortured they'll very quickly change their mind.

Getting to a world where no one pays ransoms and the ransomware groups give up and go away would be the ideal, and we'd all love to get there. But outlawing paying ransoms basically sacrificing everyone who gets ransomwared in the meantime until we get to that state for the greater good.

And where companies get hit, they'll try hard to find ways around that, because the alternative may well be shutting down the business. But if something like a hospital gets hit, are governments really going to be able to stand behind the "you can't pay a ransom" policy when that could directly lead to deaths?

[naniwaduni]

If you make it expensive enough to pay ransoms outright, throwing money at security starts looking more appealing.

A ban on paying ransoms isn't the right tool for this. Fine them, punitively, with a portion set aside to incentivize whistleblowing.

[entuno]

Financial costs won't solve the problem for companies, because they're hard to enforce. You'd be weighting up the cost of dealing with the fallout of getting hacked against the cost of paying the random and the chance that you might get caught and fined. If that former cost is existential for the business, then it'd always be worth paying and taking the risk.

The only real way around that would personal consequences for the owners/directors of the company - "get caught paying a ransom and the whole board goes to jail" would certainly discourage people. And also provide a wonderful opportunity for blackmail when people did.

Not to mention all the problems of fining public sector organisations, and how counter-productive that usually is.

[nradov]

That's fine, those are acceptable casualties. Make paying any sort of ransom a criminal offense.

[qzw]

You know what's an even more acceptable casualty that would greatly reduce ransomware? Cryptocurrencies.

[itishappy]

Sounds impossible to enforce.

The penalty for not paying is often catastrophic. The penalty for paying will have to be similarly impactful.

[nradov]

Right, make the penalty for paying a ransom catastrophic. Very few employees will risk a criminal conviction and years in federal prison just to protect their employer.

[HeWhoLurksLate]

It's all fun and games until it's your livelihood at stake, and then it makes a lot more sense to acquiesce, lick your wounds, and keep your business alive.

Getting hacked is no fun, but companies don't deserve to die because something in their tech stack was vulnerable.

[nradov]

Nah, those companies deserve to die. Let them fail. Creative destruction.

[HeWhoLurksLate]

I respectfully disagree - I do agree that the natural financial death of a company probably shouldn't result in bailouts, but if I as a company get breached because my fully-updated, follows-best-practices Windows Domain got hacked because of a vulnerability in Microsoft's stuff? That's hardly fair.

Shouldn't I be able to sue Microsoft for financial relief?

[nradov]

That is an acceptable outcome. Life isn't fair. Companies fail all the time for a variety of unfair reasons. This will force customers to demand that Microsoft and other software vendors improve their own security practices and/or indemnify customers for damages from breaches. You can sue Microsoft for financial relief if they breach your contract.

[Tangurena2]

I work in the state government space. Many targets/victims of ransomware are small/local government agencies and the ransom demands are greater than their annual budgets. Not every agency is big enough to have someone (bored) come in on Sunday, notice stuff getting encrypted and then run in to the server room and hit the big red button like Virginia's legislature in 2021[0].

Many ransoms are far more than the victim can actually pay. Not all ransom payments result in a decryption key that actually works.

Notes:

0 - https://www.nbcnews.com/politics/politics-news/officials-vir...

[nradov]

Most local governments lack the scale and budget to competently maintain their own IT infrastructure. It's not just security but everything. They should outsource the infrastructure layer to a large contractor, or possibly to the state government.

[acdha]

Contracting IT services at that level overpays by a whole number multiple for worse results because the government doesn’t have the in-house expertise to tell when the contractor is doing something wrong. (This is one reason why many construction projects go over budget: someone saved by laying off the engineers, so they pay 2-3x more for contractor A to oversee contractor B, guaranteeing 3+ party disputes for every problem)

What does work better is outsourcing an entire function: if you pay Gmail for email services, you know exactly how much it will cost per user and have an SLA for problems which they can’t blame on you.

[ArcHound]

I don't think you can enforce such a rule. I think it's a good approach too.

Another issue is that not paying up and risking restore from underfunded ops dept. might be more expensive than paying up AND making a selected executive look bad. And we can't have that, can we.

[wongarsu]

It would make the ransomware statistic go down without actually stopping crime. Any company that considers paying the ransom would have a strong incentive to never report the security incident to avoid being punished for ransom payments

[entuno]

Plus it gives the ransomware gangs a whole new angle they can use.

So, remember how you illegally paid us a ransom a few months ago? Unless you want to go to prison, then you better...

We're already seeing this against companies who pay ransoms and fail to report the breaches when they're legally required to - but it would be much worse if it's against individuals who are criminally liable.

[nradov]

Make employees criminally liable for making ransom payments, along with whistleblower protections. Very few employees will risk going to prison to protect their employer. You can always get another job.

[ArcHound]

I don't think this helps anybody. There will always be some poor soul taking the blame for the crimes of the higher ups. And what exactly the crime would be? Using company money to pay an unspecified third party? Also pretty hard to enforce.

[nradov]

It should be a crime to knowingly transfer money to criminals for any reason. And it wouldn't not hard to enforce: offer bounties to whistleblowers who turn in their colleagues.

[bigfatkitten]

It likely is in many places, under laws relating to dealing with proceeds of crime, but I’m not aware of any prosecutions having ever been made on this basis.

[finghin]

Agreed - it’s not that it’s a bad point but it would be an ineffective rule which is usually an excuse to forgo other more effective (usually more expensive) options

[TeMPOraL]

Unfortunately the actual solution will probably have to mirror real world, which means balkanizing the Internet to clarify legal jurisdiction, maybe some international police task force to aid with cross-border investigation, but ultimately it all hinges on whether and how much the countries with most nuclear aircraft carriers are willing to pressure other countries to take this seriously.

[cucumber3732842]

All that does is make the problem more expensive by whatever cut the middle men who will pop up take and however much the overhead of the obfuscation is. It might reduce payments at the margin, but probably not enough to be worth the cost.

[bogwog]

> penalize the payment of ransoms

If you mean ban all crypto currencies, then you're correct.