[jawiggins]

Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.

He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.

His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.

Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.

[bijowo1676]

This is the way to go.

Instead of paying ransom, and creating a ransomware criminal industry out of thin air, its better to force companies to recover and restore from backups and remove monetary incentive for crime.

and the executives who failed to carry regular backups obviously should face the music

[jstan65536]

Backups were not Instructure’s problem. Hackers using the threat of exposing private information to extort Instructure’s customers was the problem.

[bijowo1676]

Equifax and other companies routinely leak customers PII and financial information.

the only outcome I got from their incidents is 1 year free "identity protection service" which I didnt use.

Should be a lesson for Instructure to have proper architecture and do not store PII they dont need in their processes.

[dessimus]

At least those are mainly going to be adults. In the case of Instructure, there are many K12 school districts using Canvas as well. They are potentially selling lists of underage children along with where they live, and contact info like email and phone number.

These are going to be people with clean credit histories to exploit, and ideal for using as ghost students.

[Eufrat]

Our PII is leaked all the time. I am fed up with various businesses sending me a free credit monitoring subscription in lieu of actually having proper security controls or damages that incentivize viewing the issue as a serious going concern risk.

Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.

[rootusrootus]

I’m tired of it being my problem to fix. You should be able to know everything about me and still not be able to get accounts/credit/whatever in my name.

[BobbyTables2]

Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.

Infrastructure’s motivations must have lain elsewhere…

[erikerikson]

Does that really shield the schools? HIPAA wouldn't care.

[bijowo1676]

educational LMS should not store real patient health data, so thats the problem of whoever designed that system.

[erikerikson]

The question was whether the same transitive responsibility applies to FERPA, not whether HIPAA data is involved.

[axus]

The criminals have better marketing than the disaster recovery vendors.

[ninjalanternshk]

I still believe in the approach taken by Mel Gibson’s character in “Ransom.”

Offer a reward equal to the ransom amount, to anyone who turns the kidnappers/criminals in to the authorities.

[solumunus]

Good luck when most of the random gangs are in countries that, at best, don’t care about this, and often encourage or support it.

[_vOv_]

If they can restore from backups, then there’s no need to pay the ransom in the first place… Ransomware is designed to silently corrupt your backups.

[varispeed]

Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?

[JumpCrisscross]

> Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?

No, for the same reason fence manufacturers aren't financing burglers.

[bluGill]

There is enough competition that if word gets out you can move to someone honest. At this size you can't keep a secret.

[hughes]

It may be that the ideal number of ransomware operators is non-zero

[HDBaseT]

Who would of thought paying teenagers millions of dollars in crypto was a good idea?

They'll just use it on more exploits, more nonsense. It's a race to the bottom. Sister group, Lapsus$ (parent group ShinyHunters) has published on their website they will pay for inside access to company networks. The group says they don't want data, they just want an avenue.

This is what happens when we keep paying these criminals millions in hard-to-trace crypto.

I do find it all a bit funny though.

[bawolff]

I suppose it also puts a price on not funding your security department.

[rsstack]

How is it not a violation of AML laws to pay a ransom like this? Surely they didn't verify that the recipient (a criminal) isn't sanctioned or associated with sanctioned organizations.

[cornholio]

Money laundering is the action of obfuscating the origin of criminal proceeds; victims or clients of criminals do not generally commit money laundering, for example buying drugs is not a form of AML violation regardless of the legality of the purchase itself or the fact that the funds will later be laundered by the traffickers.

KYC is a tool to prevent money laundry and it's typically an obligation of financial institutions. Sending money to an anonymous (to you) recipient is generally not a KYC violation if you are not in the money transmitting business and you aren't doing the payment on behalf of someone else.

There are infinite shades of gray in this topic, of course, but I can't see AML being relevant in this particular case.

[dataflow]

I think they mixed up sanctions (and any similar laws w.r.t. legal recipients) with AML laws. The legality of paying sanctioned entities doesn't depend on whether the money was laundered, but they were interested in how people get around the former.

[rsstack]

Thank you! That's basically what I was asking.

[hattmall]

How exactly would this fall into the purview of AML? As far as sanctions go the burden of proof would be on the government to prove the money went to a sanctioned entity and Instructure isn't a bank subject to KYC requirements.

[rsstack]

All my corporate AML training says that not performing some KYC for large payments, directly or through a bank, is a crime in its own even if the recipient isn't sanctioned.

From Claude, maybe it's a little nuanced compared to conservative corporate policies, but doesn't feel very legal: "You can be charged with money laundering (18 USC 1956/1957 in the US, equivalents elsewhere) if you knowingly — or with willful blindness — process proceeds of crime. "I didn't ask" is not a defense if the circumstances were suspicious; deliberately avoiding KYC to preserve deniability is exactly what willful blindness doctrine targets. The recipient doesn't need to be formally sanctioned; the funds just need to be tainted."

[jawiggins]

Even if it already is, the DoJ can exercise discretion in choosing who to prosecute. There has to be political will to threaten an org who has just suffered from an attack with further consequences if they make a payment.

[spondyl]

Probably not too relevant but off the top of my head, the New Zealand Government's guidance on ransomware payments is that you could technically be fined if you pay a ransom to an entity in a sanctioned country, although it doesn't go into specifics

[nullocator]

Is it illegal to pay kidnappers in the united states? I've never heard of this and I can't seem to find anything that says any such law has actually been passed.

[kenjackson]

It's technically not illegal, but often is. You can't pay terrorist organizations or specially sanctioned orgs. See https://sanctionssearch.ofac.treas.gov

Probably should consult an attorney before paying a ransom (whether for kidnapping or other purposes).

[nathanmills]

Thank goodness that no kidnapping of an American has ever happened since.

[Geof25]

It is illegal to commit a crime. So no crimes will be committed. Duh.

[eviks]

That's the magic of Laws!

[JumpCrisscross]

Hmm, there was once fraud so I guess we should repeal any prohibitions on fraud, huh? Same for murder.

[nathanmills]

Calm down, extremist. There's a difference between someone doing something vs someone paying someone else to stop doing something. If the latter were truly bad then the same should be applied to people handing over their wallet to muggers. The only difference in that scenario and the above is saving yourself vs saving a family member. Would you really deny people the ability to save their loved ones?

[JumpCrisscross]

> then the same should be applied to people handing over their wallet to muggers

Not really. Muggings are both more common and less traumatic than kidnappings. This is reflected in the fact that common and maximum sentences for kidnappings are universally more extreme than those for muggings.

> Would you really deny people the ability to save their loved ones?

...yes. Because it means significantly fewer kidnappings. "Deny people the ability to save their loved ones" is tantamount to "help others to lose their own."

[nathanmills]

And where does ransomware fall on that trauma scale? The maximum sentence is less than mugging after all..

[JumpCrisscross]

> does ransomware fall on that trauma scale?

Idk. That’s a step (sentencing guidelines) after we decide it should be criminalized.

> The maximum sentence is less than mugging after all..

They’re in the same ballpark, 2 to 6 years or so.

[protocolture]

The issue is that anything a hacker can do publicly a state actor can do silently.

Its a boon to both the company and the country when a hacker makes a big public deal out of it. Because they get the chance to repair something before its intentional damaging misuse by a hostile state actor.

The hackers here deserve every cent plus possibly more.

And theres always the problem that the hackers would still get paid, they just wont report the payments making tracking difficult.

[BobbyTables2]

I’ve been wondering this too.

Extortion and terrorism seem similar in many ways except the latter involves physical harm.

I’d asssume a company paying money to terrorists shouldn’t be acceptable.

It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.

Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.

[protocolture]

>It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.

You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.

Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.

>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.

You would hope they would then upgrade the cardboard.

[erikerikson]

When you frame it like that it sounds like the thieves are doing us a favor. Except it should be heavily fined and jailable for the entire executive team and maybe the board too.

[protocolture]

The thieves are doing us a favor.

And yes, the companies executive should be jailed.

[erikerikson]

Except those payments are being passed through, are they not?

[protocolture]

Passed through where and how?

[BrandoElFollito]

This is doubtful.

Americans are more kidnapped globally when we look at a equal distribution of population (i.e. in the same pool in a generic country, Americans are more likely to be kidnapped (according to the James Foley Foundation).

Europeans are more likely targets in Africa due to our presence there (mostly NGOs).

The differences will be statistical, not motivated by a no-pay policy.

[gustavus]

Not that I disagree but it also incentives attackers to steal and resell data to other nefarious actors.

After all a lot of the data companies have isn't their own, it's their customers. They are the ones who suffer because businesses don't bother securing their crap.

[phone_book]

Isn't there still incentive because the data itself is valuable so attacks would continue?

[jawiggins]

Maybe, but it’s harder to profit from it. A firm may be reputationally damaged, but what’s the incentive to cause that damage?

I think the Bloomberg Odd Lots guy wrote a blog post on this: you could attempt to short the stock but a) this leaves a paper trail b) the market might not know about the breach or believe you if you post you’ve done it. IIRC some hackers have tried to tell companies that they are legally required to disclose the breach to their shareholders to force market movements.

[bawolff]

If there was a way to profit from the data that was more than the ransom, wouldn't they just do that instead of asking for a ransome.

Or do both i suppose, just because someone pays a ransome there is no garuntee the hacker destroys the data.

[bluGill]

How much value is in the data. It is embarrassing if some kid gets a D in class, and shouldn't be public - but most of the people who care already know or have ways to find out.

[rafram]

Not sure sanctions are a relevant reason not to pay here. We don’t know where everyone involved with ShinyHunters is located, but those arrested in the past have been American and French.

[bluGill]

Americans and French (and most other "first world") countries will investigate and arrest anyone involved. It doesn't matter if foreigners are the only victim, most countries do not want their citizens involved with this and will send anyone caught to whatever country was affects for criminal prosecution.

Russia, and North Korea are the main names that come up as exceptions, they will protect their own people.