mihaaly
We are a small but distributed organisation that had the poor luck to be targeted by a ransomware attack some weeks ago, but an employee noticed that something strange was underway in our system and pulled the plug without hesitation or waiting for instructions. Backups saved the day, except for a few days' work on items that were easy to reproduce - memory was still fresh. I guess we lost fewer than 30 man-days of work and had a little downtime - in a mission-noncritical period - while we ensured (as far as possible) that all was good, no malware remained, nothing had spread to local computers, reviewed practices, etc.

Do take this seriously: we operate on a budget of a few million EUR yearly - tightly counted - and still we were worth attacking in their eyes. Watch out, all!

coldtea
The blackmail part is already illegal, so the criminals won't care one way or another.

It's the victims that would now have two problems: damned if they pay, damned if they don't.

It's not like the criminals will be at any increased risk or effort either. They're criminal operations already doing other criminal stuff, most of the work is automated (via viruses, bots, etc), and they already couldn't take the payments openly (it's not like they used a bank account).

MinelloGiacomo
For my MSc in Cyber Risk Strategy & Governance, my final dissertation was built on the parallel between Italy's ban on the payment of ransoms for kidnappings and the current ransomware trend. It's difficult to draw solid conclusions; the measure could be effective in disrupting some financially motivated attackers, but, given the current landscape, I guess the threat actors could shift more towards extorting end users, where the ban will be more difficult to enforce. Ransomware relies heavily on financial incentives: for a company it comes down to cost, but the same holds for threat actors, who try to go after the biggest whales they can get away with. Insurance may be a loophole; in Italy at the time it was banned as well.
pluto_modadic
Good. As someone who works in cybersecurity, I think hackers should get $0 from the victim, possibly get caught by police, and I think companies that get hacked should have to sit with their actions and DO BETTER for their customers.
dexwiz
Does banning ransom payments really work? It just seems to create a service industry to pay on ransomed’s behalf.
billpg
I've seen enough reports of ransomware gangs failing to return their victims' files even when they do pay up that it's probably best to consider those files irrevocably lost and not pay.
koalaman
Does anybody wonder if these attacks aren't performing a public good in the long run by hardening our tech infrastructure in the West? It seems like hostilities with Russia, China, et al are likely to just get worse over time, and the long term high threat environment that these gangs have created for Western companies and utilities could give them a comparative advantage over time. That is assuming the same attacks aren't happening in China, Russia, North Korea, Iran, etc.
grandinj
Better to just ban cryptocurrency. Or impose the same controls that other banking systems have to obey. That will cut off the flow of funds.
trashtester
It shouldn't be banned. Just add a +300% tax to it, while keeping it legal. (Banning will just lead to under-the-table payments).

While this looks at face value like it's just making things worse, in fact it cuts the profits by 75% for any criminal trying to optimize the ransom demanded.

Then use the tax collected to fund IT security research or something.

Animats
Banning ransoms worked, mostly, for terrorism. That has to be backed up by a sizable intelligence effort to find and fix the attackers, and a military effort to take them out.
mashlol
I'm ignorant but I've never understood why people actually pay the ransom. Aren't the attackers anonymous? What stops them from asking for another $Y after they get their $X, and not actually removing the ransomware? There's not much incentive for the attackers to actually do what they say after you pay them, right?
jollyllama
I remember how surprised I was when ransomware really took off that victims would pay and actually get their data back. Sure, it makes sense that criminals benefit in the long run if they truly return the data, but I was surprised that the criminals were actually that farsighted.

To me that suggests that rational economic forces really are at work and as a result, banning payments would cut back on ransomware attacks.

This is very similar to having a "we don't negotiate with bad guys" policy, which is common at least as rhetoric if not in fact.

falqun
I'm just waiting for the first customer bound by some shady contract to a greedy software company to use that to declare a payment illegal and therefore say that they cannot make it. It would be funny news, like "XYZ says it can't pay Oracle, declares it a ransom payment" :D
furyg3
It's kind of crazy to me that large companies are even able to make large, anonymous, unbudgeted, essentially cash payments (with no paper trail) at all.
blackeyeblitzar
I agree with the push for the ban to remove incentives but I do wonder about consistency. These days it seems the world is compromising and “negotiating with terrorists” all the time. For example look at how Hamas is being handled, for taking all those hostages and still holding onto them months later. Are these situations different?
rldjbpin
Having worked in a large company hit by the first wave of the WannaCry ransomware (https://news.ycombinator.com/item?id=14326555), I am doubtful that most companies can just ignore the disruption to business during an attack. Not every company can go analogue while dealing with an attack, like MGM did.

On a balance sheet, paying the ransom is just catching up on inadequate budgeting for systematic security efforts. While the person at the end will always be the weakest link, so much more can be done to avoid most attacks.

Maybe everyone going back to thin clients like Windows 365 would finally put an end to this.

lupire
This ban is only ethical if the legal authority does its job to stop criminals. Otherwise we end up in the same place as with street crime: illegal to defend yourself, but also unprotected by an authority that finds it easier to deploy violence against victims than against criminals.
sinuhe69
What is the difference between a computer ransom and a human kidnapping and ransom situation? If I'm not allowed to pay a ransom to save my business, does it mean I should also not be allowed to pay a ransom to save my loved ones?
fifteen1506
Why ban? Force insurance companies to work -- actually insure -- and they'll have to start doing proactive work to keep in business.

Are we trying to get a free working market or what??

listenallyall
It would seem the unintended consequences of such a policy would be to ensure every cyber breach is kept entirely secret (so that ransom payments could be made discreetly), and not notifying law enforcement, software vendors, security researchers, or the customers. And then without any disclosure or collaboration, every company is on its own island, no collective learning, making it trivial for attackers to re-use the same exploit again and again.
nosmokewhereiam
Ismorgandoctrinelegalformyitnetwork.com is not registered, but it might be after hearing of a ban.
siliconc0w
Make software companies liable if it's their bugs that lead to a compromise.
euroderf
Is this becoming an "issue" because NK is raking it in ?
mrkramer
Yes, financing cyberterrorism should be forbidden.
iamleppert
100% the blame is to be put on crypto
DeathArrow
If you are unable to go after the criminal, you go after the victim.
blackhaj7
So now the hackers can ask for ransom and then, if you pay, threaten to tell people you paid the ransom afterwards.

Double money

bhawks
How about a push to mandate 2FA for any entity holding data covered by GDPR, or at the very least medical records.

The United Healthcare exploit was a password compromise, as was the British Library's.

The EPA just released a report saying 70% of the water infrastructure has laughable vulnerabilities like default passwords: https://www.newsweek.com/drinking-water-warning-issued-natio...

kazinator
> Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop.

This is conjecture presented as fact.

Here is an alternative conjecture: what if ransomware is mainly a sociopathically-driven enterprise, with a side interest in profit? Or what if a good chunk of it is?

How many ransomware perpetrators have we captured, and subjected to psychological study, to be able to confidently say what ransomware is or is not?

ggm
Ban Insurance Companies buying back the stolen artworks. Or, demand they are destroyed on recovery.
dheera
I thought ransomware was a crime already? What would banning a crime do?
ksaj
Once companies are held accountable for the weapons and whatever else the money they paid in ransom gets spent on, things will finally change. Until then, we use the word "victim" with too much lenience. The secondary victims, the ones getting bombed, or the ones that will be targeted and threatened with the nukes that just got paid for with the ransom money, shouldn't be left out of the equation as they have been thus far.

I'm sure some people don't like that way of thinking, but where else do you think one spends $22mil per "victim"? $30 billion a year buys a lot more than fancy clothes and yachts.