26 comments

[ 3.2 ms ] story [ 75.7 ms ] thread
How in the world would we enforce this?
If somebody pays a ransomware payment, the government could seize their computers and encrypt their data until they pay a fine.
I like it. We could call it a ransom, maybe.
That just sounds like taxes with extra steps.
I am not a lawyer and entirely just guessing. I am probably wrong but if people are paying money to organized crime then perhaps it could be interpreted as aiding and abetting organized criminals using corporate funds and thus maybe possibly the government could use the existing Racketeer Influenced and Corrupt Organizations Act (RICO) of 1970. Or maybe not. Maybe a question for lawyers that have litigated RICO cases. Maybe another angle could be proving that said funds were used in the acts of higher crimes that caused serious injury or death. Maybe additionally the SEC could also get involved in publicly traded companies that impact their stock value in the process of paying off organized criminals. I could see both sides of such a case as it could be argued that not paying off the ransom could cause the destruction of the company but the people responsible for putting the company in that position in the first place could probably be held to account. Or worst case maybe this just forces some companies to do more serious due diligence and have real audits vs. check-box audits and if they can't prove they performed their actual fiduciary responsibilities then serious action is taken against the C-Levels and board members?
Nothing like blaming the victim. What's next arresting people for handing over their wallet at gunpoint?
The victim fails to be just a victim when they actively contribute funds to a criminal enterprise.

The gunpoint analogy is a poor one; being coerced by physical violence is one thing, being coerced because you lost your files (and don’t have backups) is another. It’s a horse of a different color.

What if people die and lose everything or groups of people get hurt because of the Ransomware? You could also say the person handing a wallet to a criminal is actively contributing and should of kept his money in the bank. The point is that its not always as simple as "backup your files".
Seems like a matter of game theory strategy vs. tactics. If everyone were to fight back against muggers, it seems like there would be fewer muggings. But tactically, it might be best for an individual to hand over the wallet.
Sure. And it would be nuts to start trying to incentivize fighting back by prosecuting people who don't.
(comment deleted)
Nothing like blaming the victim.

The companies getting their customers data encrypted are NOT victims. At best they are incompetent and should never have been in business to begin with and most certainly should never have been anywhere near any of their customers data.

Companies have a fiduciary responsibility to protect their customers and investors. If a company is letting phishers trounce all over my data then in a way I am glad that my data became encrypted so that the company can no longer hide the fact they were negligent not only to keep the thugs out but also neglected to properly back up my data. I am more concerned about all the companies that were popped and were able to hide it because they only lost my data to the phishers. Ransomware is exposing the incompetent businesses and embarrassing their leadership as it should. Securing data in an ever growing and large company can be challenging due to internal politics especially if being security focused from day one was not their priority. Backing up data is easy.

How do we enforce every other law? If the authorities get wind of someone paying a ransom, they could investigate and then decide to prosecute if they discover that it was highly likely that a ransom payment was made. For the specifics of ransomware payments, for public companies, which line items does that amount get attributed to on the quarterly reports?
And even if you expect that some payments will continue to happen under the table, the payouts would have to be much lower, as there is a limit to how much a business can hide on their balance sheets.

That means less potential profit for ransomware makers, less incentive to make ransomware, and less money to fund ransomware development.

Enforce it at the cyber insurance provider level, if you pay out a ransom for a client you risk losing your insurance license.
LLike they would care about their victims facing legal consequences. If they don't pay, nuts to them. If they pay, I get money.
Yes, obviously they don't care about the legal consequences for the victim. The goal is to make them think they won't ever get paid due to the threat of legal consequences on victim, and therefore they wouldn't bother doing ransom in the first place (which is pretty unrealistic imo).
Why is this unrealistic?

The victims won't pay because they don't want to go to jail. If no one pays—or even if people pay much smaller amounts that are possible to hide—there isn't an incentive to launch ransomware.

It is unrealistic because as long as just enough victims pay to make it worthwhile, the bad guys will keep doing it.

My assumption is that the cost to find victims and make the request is low enough and that number folks that will still pay regardless of the law is high enough to make it it worthwhile for the bad guys.

Best case, it lowers the profit margin for the bad guys. Meanwhile, the victims face being punished even worse.

Businesses won't pay if their executives think it may cause them to go to jail.
It just comes down to the cost-benefit for the bad guys. As long as it is profitable it won't stop.

Yes, many big businesses may stop paying since the executives don't want to go to jail. Realistically if they are that big they can probably come up with a legal argument to justify the payment though within the mess of exceptions that would have to exist if this became a thing.

In the end the bad guys are just going to adjust to target smaller companies that would be under the radar for being caught paying.

In the end it doesn't really matter what the dynamics of it end up being. If it pays off to ransom, it will still happen, and I think there will always be a way to make it pay off for quite a while.

The only real solution is better security that makes it unprofitable to even attempt to breach a company that makes a random possible.

Threatening legal consequences for the victim is a very sideways way to go about achieving the goal of deterring the bad guys.

This would never work. The assumption is that the bad guys would stop doing ransoms because they think they won't ever get paid since the victim would face legal consequences if they paid. The problem is the assumption that finding a victim for a ransom request is a more expensive task than the potential payoff in the in the long-run. As long as the ransoms are still a net win for the bad guys in the end, it won't stop.
The assumption is that victims will be less likely to payout, increasing the cost of attacks for criminals since they'll need to expend resources on an attack with a lower chance of payout.

Ransoms are not a net win when victims don't payout.

Yes, it is all based on assumptions of the dynamics of the cost/benefit calculations of the ransoming-business which I am not familiar with.

I did not see anything in the article that took that into account. I fear the lawmakers may not familiar with those dynamics either.

My personal assumption is that the cost is very low for the bad guys.

This may make a dent in their profit margin. But is that really worth it for the position we'd be putting victims in?

If my assumption is correct, it just going to shift the ransoms to those victims more willing pay without being caught and I'm not sure that is the a desired outcome (or maybe it is). The big companies may be targeted less if they don't pay, but is that really solving the problem?

I feel the argument this article lays out fails to account for the fact that the data most likely has value for the attacker outside of the organization being ransomed. Banning ransomware payments will only force the attacker to utilize other revenue generating avenues instead. Maybe it’s selling PII to other people directly, maybe its selling trade secrets to a competitor or the highest bidder or maybe its just outright using the stolen data for personal gain (think stolen CC numbers) or maybe they just resort to straight up blackmail of each individual person. It maybe easy to get a quick lump sum payment from an organization, but I don’t think its much harder for them to target the individuals of the data they collected.