Formal ban on ransomware payments? Asking orgs nicely to not cough up ain't working

Emsisoft has called for a complete ban on ransom payments following another record-breaking year of digital extortion. Ransomware gangs breached the IT networks of at least 2,207 US hospitals, schools, and government organizations in addition to "thousands" of private-sector businesses last year, the security shop said on …

  1. Lurko

    Not "nearly impossible to enforce"

    Only impossible to enforce 100% of the time. It'd be remarkably difficult for any sizeable attack to be disguised (so everybody knows it's happened), and then to illegally pay a ransom requires execs and finance bods to put their career and/or liberty on the line. After a few imprisonments the message would very quickly get through, added to which the costs and intrusion of the authorities' investigation to see if a ransom was paid will be significant.

    Obviously there's countries that won't sign up to these rules so leave them to become the ransomware capitals of the world, but for developed nations it's pretty straightforward, and can be done unilaterally at national or supra-national level (e.g. as anti-bribery laws often are).

    I suppose the problem is that we currently have the worst collection of inept, out-of-their-depth charlatans leading almost all developed nations.

    1. Gene Cash Silver badge

      Re: Not "nearly impossible to enforce"

      If they're a public company in the US, they'd be required by the SEC to disclose both that they got cracked and that they paid ransom.

      And the SEC is one of the few agencies with teeth, other than the IRS.

      1. cyberdemon Silver badge
        Holmes

        Absolutely should be banned

        Paying a ransom ought to be a criminal offence already.

        Otherwise boards will think "Pay the odd ransom, or actually pull our fingers out of our arses and implement proper security?" Ah, the latter sounds like hard work. Who cares if some of our customer data gets leaked, we'll just pay the crooks to do their next job.

        1. Anonymous Coward

          Re: Absolutely should be banned

          Governments pay ransoms all of the time, and have since there have been governments. Sometimes they trade information for money, and sometimes they trade arms dealers for basketball players.

          1. Richard 12 Silver badge

            Re: Absolutely should be banned

            Governments have a lot of powers that private companies and private citizens don't have.

            Nuclear weapons, for example.

            1. parlei

              Re: Absolutely should be banned

              True. But even the most ardent ransomware haters would think even "tactical" nuclear weapons against ransomware gangs is overkill. I fervently hope.

            2. Anonymous Coward

              Re: Absolutely should be banned

              I think my boss has a few nuclear weapons in his workshop, next to the power macs, under the car engine.

  2. Spazturtle Silver badge

    Why do we need to ban something that is already illegal? Just enforce the existing laws against funding terrorism and criminal enterprises.

    1. Yorick Hunt Silver badge

      So you're saying ban political contributions?

      1. Will Godfrey Silver badge
        Thumb Up

        Sounds like a good idea to me!

  3. elsergiovolador Silver badge

    Ban

    Why don't they ban poverty or cancer?

    1. Anonymous Coward

      Re: Ban

      "Why don't they ban poverty or cancer?"

      In the UK we never will, because the government's definition is that households are considered to be below the UK poverty line if their income is below 60% of the median household income after housing costs, so unless all households have the same income, there will always be households "in poverty". It's also unadjusted for occupancy, or what people choose to spend their money on.

      Average household income after housing costs is £26k a year, 60% is around £16k a year so my elderly mother falls into the definition of poverty as a non-house-owning widowed pensioner with no material financial assets. But she spends carefully and as a result she's currently holidaying in Australia, having flown there business class. Her winter fuel allowance will certainly have been spent on fuel - aviation fuel.

      Not suggesting that poverty isn't real, merely that without a credible definition it'll never be resolved.

      1. Richard 12 Silver badge

        Re: Ban

        That's not how median works.

        Take 100 people, line them up in salary order. The 50th person is the median.

        Some ONS figures:

        Median household disposable income in the UK was £32,300 in the financial year ending (FYE) 2022, a decrease of 0.6% from FYE 2021.

        "disposable" is rather badly defined at the moment, as it's only tax and doesn't allow for essential fixed cost expenses like housing.

        Median disposable income for the poorest fifth of the population decreased by 3.8% to £14,500 in FYE 2022;

        And just to reiterate the gross failure:

        Median disposable income increased by 1.6% to £66,000 for the richest fifth of people

      2. Anonymous Coward

        Re: Ban

        Another effect of this was, I seem to recall reading, during the 2008 financial crisis (and probably more recently during COVID) the contraction of the economy reduced overall incomes reducing the median income which had the side effect of reducing the number of people deemed to be in poverty (as "fixed" incomes such as minimum wage and benefits didn't reduce)

      3. John H Woods

        Re: Ban

        "the UK poverty line if their income is below 60% of the median household income after housing costs, so unless all households have the same income, there will always be households "in poverty""

        Take the following incomes after housing costs in thousands of pounds per annum: 2, 2, 2, 3, 3, 5, 10, 20, 100. The median is 3. The minimum is 2, which is over 60% of the median.

    2. Flocke Kroes Silver badge

      Re: Ban

      Because making and testing backups is trivial compared to eliminating cancer.

      1. Michael Wojcik Silver badge

        Re: Ban

        There are plenty of ransomware strains which will corrupt at least recent backups as well. It's fallacious to claim that "backups!" is a silver bullet against ransomware.

        And, of course, backups do nothing to help with exfiltration extortion.

        1. General Turdgeson

          Re: Ban

          No cybersecurity professional claims backups or anything is a silver bullet. There is no such thing as silver bullets for securing systems. Information security is an ongoing game of cat and mouse and chess move and countermove.

          That does not change that backups should be a critical part of one's DRP and BCP.

    3. IGotOut Silver badge

      Re: Ban

      "Why don't they ban poverty or cancer"

      So if we stop paying cancer it will go away?

      Never thought of that one.

      1. Mike007 Silver badge
        Joke

        Re: Ban

        Cancer is a massive industry that never used to exist before it was invented by Big Medicine!

    4. DS999 Silver badge

      Re: Ban

      How in the world is that equivalent? There used to be no ransomware industry 10 years ago, it started small but some of us could see where it was going and have been suggesting bans on paying ransom for years. Every year the problem gets bigger, and the cost of that ban gets higher, but that cost is still less than the cost of giving criminals an easy way to make money.

      If there was a near universal ban (i.e. so not just the US banning it alone, but all 50 of those countries mentioned simultaneously instituting a ban) then ransomware criminals could no longer make money from it. They'll go back to trying to steal crypto and credit card numbers to make a buck, but it won't be as lucrative as ransomware which will hit bad actors like North Korea especially hard as they are increasingly dependent on it.

      Even if the ban is only 95% complied with, the profits for ransomware would crater and it would no longer be worth the effort for most - because most of them aren't developing anything themselves, they are essentially franchisees like owners of fast food restaurants, who send most of the profits back to the people who developed and packaged the ransomware attack they are using. Ransomware may not disappear completely, but it would become a far smaller problem.

      1. Helcat Silver badge

        Re: Ban

        Ransomware evolved from physical ransoms which have been around for thousands of years, so the 'industry' of ransoms has been around a very long time. So we have practical knowledge of what works and what does not. The only question is: How the hell do we send the equivalent of special forces in to 'nuke' the ransomware gang's systems without taking down the whole of the network in that area. And... do we care if we 'nuke' the entire network where the gang is hiding?

        However, as these gangs are sharing code and methods, the easiest way is to get a copy of the code and reverse engineer it so tools can be developed to remove the ransomware. And this is the approach that's being used currently. So companies that pay out to the gangs are wasting money: They should just call in a specialist to clean up their system and harden the system. They don't because it has to go on the books, but paying the ransom can be hidden as 'other expenses'. AKA, don't pay = loss of reputation. Pay = sweep the problem under the carpet.

        Meanwhile, if they'd invested a fraction of that money into installing better security...

      2. Michael Wojcik Silver badge

        Re: Ban

        Even if the ban is only 95% complied with, the profits for ransomware would crater and it would no longer be worth the effort for most

        This simply is not true.

        Most ransomware campaigns today operate on an affiliate model, often as MLM schemes (so multiple tiers of affiliates). Those affiliates are often highly motivated, either because they're desperate for income or because they also enjoy breaking into IT systems, or both. For many, probably most, getting paid 5% of the time would suffice.

        The gangs developing the malware can also live on a 5% rate of return. Their costs are low, and they typically have other income sources.

        Increasingly we'll see a shift to greater automation, with bot armies finding vulnerable targets, installing ransomware, and even conducting negotiations. (That last would be easy to automate today using one of the open-source LLMs.) There are still a lot of human affiliates only because it's an established system that's economically viable, but put any economic pressure on it, and the gangs will create the automation pipelines.

        Once it's extensively automated, it won't matter if the payoff rate is 5% or 0.5% or 0.0005%. It won't matter if it's 0%, or if the cryptocurrency wallets that payments go into have been abandoned. It'll be machines attacking machines, and machines don't give a flying fuck what's legal or whether they get paid.

        1. DS999 Silver badge

          Re: Ban

          They can't automate the development of the exploits and packaging them for use - and when it is fully automated that requires more work to get that right. The time invested in that has to be balanced by what those smart hackers can get pursuing other avenues for income.

          They might make more selling their exploits to the "good guys" for bug bounty money if 95% of their ransom income goes away. Maybe they sell them to the "bad guys" since one would assume shady companies like NSO Group will outbid Apple & Google's bug bounties. Or maybe they shift over to targeted attacks against specific high profile people to directly blackmail them or steal from them (either stealing virtually or stealing physically in concert with old school "on premise" crime rings).

  4. Pascal Monett Silver badge

    "$1.5 million to rectify"

    Sure. All private businesses have that kind of cash on hand and in reserve just for that. Oh, you're counting lost business as well ? And adding stock devaluation ?

    Of course. Anything and everything to sweeten the pot so you can go before the camera with thundering figures and impress everyone.

    Sure, there are intrusions that cost a million or two in equipment and man-hours to rectify, but I hardly think that that is an average figure.

    Then again, if that's what it takes for businesses to sit up, pay attention and start actually protecting their data and procedures, well, carry on then.

    1. Lurko

      Re: "$1.5 million to rectify"

      The types of organisation mostly will have that sort of cash either in hand, as reserves, or otherwise available, and surely anybody in this forum knows how quickly project costs mount up, especially when time is of the essence and there's no plan?

      They'll need to hire in IT expertise to clean up the mess and rebuild the IT. They'll have to have digital forensics experts to identify the damage and exposure. They'll need to spend money on lawyers or regulatory experts to manage their relationships with investors or public sector overseers (or both). They'll have to spend time and money dealing with customers and business counterparts who want to know what's happened, why it happened, whether they're affected. All the external expertise is going to be at the supplier's premium day rate. They'll have losses where employees are being paid and unable to work, loss of income if they can't process payments, counterparty claims if the organisation can't meet existing commitments etc, for businesses reputational damage and loss of new or existing business.

      1. Helcat Silver badge

        Re: "$1.5 million to rectify"

        The money will be taken from other projects, and from staff bonuses (but not the directors' payouts). So it's not really a loss to the company. Hence why they don't bother investing in better security: That would actually cost something!

    2. Doctor Syntax Silver badge

      Re: "$1.5 million to rectify"

      I think you may have missed the point of a ban. If it's illegal, and the ban reasonably well enforced, there's no reward for the attacker and no point in attacking.

      Remember the point of bank robbery? Banks are where the money is. If banks had no money they wouldn't get robbed.

      1. Michael Wojcik Silver badge

        Re: "$1.5 million to rectify"

        This is naive. As with email scams, rewards can be very rare and still sufficient to make the business profitable. And once it's automated, rewards could dry up entirely and we'd still have ransomware attacks.

        So many people seem to be stuck on this Hollywood idea of anorak-wearing basement-dwellers picking targets and creating ornate plans for exploiting them. That's not how the ransomware business works. Many human affiliates will throw in an exploit for the latest vulnerability and let their automated systems scan and attack anything they find. Bot armies will do the same but faster and in greater volume. Maybe they eventually get a payout, maybe they don't; but the cost to the attackers is so very, very low that it doesn't matter.

        And, of course, many of the gangs are state-sponsored, and they'll deploy ransomware just to cause trouble even if it doesn't have a financial return.

  5. Anonymous Coward

    A modest proposal

    The payment of a ransom shall be a civil offense, provided that the payment and its full amount are declared within seven days to the competent authority, and that a fine of an equivalent amount in fiat currency, not payable out of any insurance payment, whether relating to the ransom or otherwise, is promptly rendered to said authority. Any and all such payments and fines shall be reported as separate line items in annual reports and statutory declarations. Failure to abide by these stipulations in any respect shall be a criminal offense, with the paying entity and those officers approving the payment being liable.

    1. Tom66

      Re: A modest proposal

      It needs to be a criminal penalty. If you just say that paying a ransom carries a financial penalty of a similar level, then it doesn't really make any difference. The payments will still happen. Perhaps they will reduce a little bit but probably not that much. A criminal penalty which involves sanctions against those who enabled the payment (executives, financial controllers, heck even the head of IT if they are part of the decision chain) would stop ransomware payments in their tracks pretty quickly. Most large organisations are periodically audited, so such payments could be detected with good enough hit rates to strongly discourage their payment.

      1. VicMortimer Silver badge
        Thumb Up

        Re: A modest proposal

        Yep, civil offense won't work, it needs to be criminal, and it needs to carry jail time. It doesn't have to be much jail time, maybe even just 30 days, because CEOs really aren't going to want to go to jail at all. But it needs to be there.

        A civil penalty will just be "the cost of doing business" and won't change anything.

      2. DS999 Silver badge

        Re: A modest proposal

        Making it a criminal penalty won't work, because corporations have such diffuse responsibility. The CEO will claim "I knew nothing about this, I just asked my CIO to solve the problem". The CIO will hand down the responsibility, and so forth. The actual people paying the ransom will be overseas contractors in a country that won't extradite, and the finance person who wired the cash to buy the crypto used to pay the ransom will say he was told it was for some other purpose.

        Just make the fine 20x the ransom, and "but we didn't know that expense we approved that went toward ransom" is not an excuse. If anyone pays ransom on your behalf (including an insurance company) then you are liable for the 20x fine. And insurance companies that do it should pay 200x - once you kill the ransomware insurance industry you have fixed a good portion of the problem because more and more companies are including ransomware in their insurance policies!

        1. VicMortimer Silver badge

          Re: A modest proposal

          Nope, make it criminal and strict liability for the CEO. If the ransom was paid, the CEO goes to jail, doesn't matter if they knew or not, doesn't matter if a contractor paid it, CEO is liable. If the CEO didn't know, then it's still their fault because they should have known and should have had a company policy in place to prevent it.

          It won't take many CEOs being locked up before it stops.

          1. Doctor Syntax Silver badge

            Re: A modest proposal

            Even more effective - CEO and directors.

        2. katrinab Silver badge
          Megaphone

          Re: A modest proposal

          Someone actually has to make the payment, and someone has to approve the payment file.

          1. Michael Wojcik Silver badge

            Re: A modest proposal

            Yes, and businesses have never figured out how to hide the misuse of funds. Particularly where cryptocurrency is involved.

    2. Anonymous Coward

      Re: A modest proposal

      Agreed, except change "of an equivalent amount" to "of ten times the amount". Make the fine considerably more money than the criminals get. Pretty soon, either the criminals aren't getting much money out of it because they had to dramatically decrease the ransom payments so the companies can afford it (in which case, increase the fine), or companies will realize it's cheaper to have proper security than to pay the ransom+fine (which is the end goal).

      But paying a ransom/extortion payment without publicly declaring it (not just to "the competent authority", but PUBLICLY) should be a criminal offense.

  6. Fred Daggy Silver badge
    Trollface

    Can't we just re-download our data from the NSA ... ?

    Can't we just re-download our data from the NSA? I mean, they have a copy anyway.

    It would do away with ransomware payments overnight.

    1. IGotOut Silver badge

      Re: Can't we just re-download our data from the NSA ... ?

      No, because that would mean contacting the Chinese, as the NSA are using Cisco gear and it's too slow to actually get the data throughput they need.

  7. Anonymous Coward

    What we need is more innovation ;)

    What we need is more innovation, that'll cure the ransomware infestation. That or make the manufacturer of the Operating System responsible for the defects in the said OS.

    ClippyAI: It looks like you need a product liability lawyer /s

    1. Doctor Syntax Silver badge

      Re: What we need is more innovation ;)

      The weakest link tends to be human.

      1. Anonymous Coward

        Re: What we need is more innovation ;)

        You appear to have misspelled Microsoft, I’ve never heard of them being referred to as “user”

  8. Ace2 Silver badge

    A simpler solution…

    We could just ban bitcoin. Would be much simpler to enforce. Ransomware would vanish overnight.

    1. VicMortimer Silver badge

      Re: A simpler solution…

      I'm not saying we shouldn't ban bitcoin. But they'd just switch to something else.

      No, paying ransom needs to be a criminal offense. It's easy enough to detect that a public corporation has paid and jail the executives.

      1. druck Silver badge
        Megaphone

        Re: A simpler solution…

        Not just bitcoin, ban any crypto currency.

        Apart from a massive investment bubble for the hard of thinking, the only real use for it is to transfer the proceeds of crime to other countries.

        1. Brad Ackerman
          Mushroom

          Re: A simpler solution…

          Existing sanctions would be more than adequate when combined with requiring affirmative identification of the recipient of cryptocurrency transfers and correcting any lack of whistleblower commission. If you can identify the recipient and it’s a sanctioned entity, the transfer has to be blocked. If you lie about it and the US takes an interest, say hello to several years of prison[1] for everyone who signed off on that transaction; and probably several more people who didn’t directly participate, but commit misprision by deleting communications about it.

          The odds of any cryptocurrency industry surviving a regime with that level of AML enforcement border on nonexistent; but if cryptocurrency can find a legal use[2] and environmental concerns are addressed with a carbon tax, it should be allowed to continue existing.

          [1] Conspiracy to fund a sanctioned entity is a big-boy federal offence, so state parole policies do not apply. You serve the sentence you get, and by “several years” I'm assuming your C-suite has no previous record and the gratuity paid to attackers isn’t more than a megabuck. More money is more jail, possibly getting into double-digit years — not that it’s likely to happen more than once with a 10% whistleblower commission.

          [2] Stranger things have happened.

      2. Anonymous Coward

        Re: A simpler solution…

        A global CBDC or global CBDC network would prevent all illegal transactions and criminals hiding their ill gotten gains. Normal cash offers a dangerous amount of privacy because it doesn't inherently track users.

        1. Ace2 Silver badge

          Re: A simpler solution…

          No, normal cash offers an ideal amount of privacy.

          You’re not going to be able to pay $2M to someone in Moldova with $20 bills, due to the weight. But that’s a feature not a bug.

          1. Anonymous Coward

            Re: A simpler solution…

            $2M in 100s would weigh 20kg. The bigger issue is that there's no way to know where the money comes from. With CBDCs, the exact chain of currency is instantly auditable and the only people allowed to pay in are registered traders and businesses who risk their business over participating in crime. Even if they used gold or diamonds, it would be instantly traceable who accepted them into the system and they better have records of why they were fooled if they don't want to lose everything.

          2. katrinab Silver badge
            Mushroom

            Re: A simpler solution…

            The problem is more that you need an address to send the bills to, and once you have the address, you could send something else there instead of the bills.

          3. Clarecats

            Re: A simpler solution…

            This relates to the puzzlingly high issuance of €500 notes in the EU, given that reputable firms do not settle their accounts in €500 notes. Issuance has now been discontinued, but they remain legal tender.

            Statista:

            Value of euro banknotes in circulation 2013-2021, by denomination

            Sep 12, 2023

            The amount of cash in circulation in the Eurozone has increased in the last eight years for all currency denominations, except for 500 euro bills. The total of fifty euro bills amounted to 684.2 billion euros in 2021, by far the highest total for any bill. The 500 euro bills summed to around 186.7 billion euros, though they have not been issued by most Eurozone central banks since January 2019.

            https://www.statista.com/statistics/254201/euro-banknotes-value-by-denomination/

            1. Korev Silver badge

              Re: A simpler solution…

              Here in Switzerland we have 1000CHF notes and you can get them from normal cash machines. And yes, I've used them.

              1. X5-332960073452
                Pint

                Re: A simpler solution…

                For info - 1 Pound sterling equals 1.08 Swiss Franc (4th Jan 24)

          4. General Turdgeson

            Re: A simpler solution…

            You really think governments can't track movement of cash? You really think you could move $2 million or €2 million in cash and governments wouldn't notice, especially overseas? People overestimate the privacy they think using cash offers.

    2. katrinab Silver badge
      Trollface

      Re: A simpler solution…

      Ban the holding of any bitcoins that have ever been used to pay a ransom.

      1. Clarecats

        Re: A simpler solution…

        There is apparently a service called bitcoin mixing - several people provide bitcoins, the service scrambles them all up and takes 10% off the top before returning coins randomly to holders. The only evident use for this is criminal money laundering. Should be made illegal and any coins so mixed should be liable to seizure.

  9. naive

    What about ordinary policing but then in an effective manner

    As we all know, the legal system in the West is like mushroom growth, it thrives on manure and gets totally grumpy when someone starts mopping it up in an effective manner.

    Most of these hackers sit in countries where a few 100K goes a long way to eternally deny them internet access.

    Maybe Big-Tech can as a service to their customers found a management company in Belarus, enabling them to effectively do waste disposal without nosy DAs getting in their way.

  10. Anonymous Coward

    pain for pain

    The best way to reduce ransomware is to live stream grilling a few of the scumbags.

    1. Anonymous Coward

      Re: pain for pain

      Not certain. A few times going all in on the retaliation have supposedly worked, but it also builds up a pool of extremely disgruntled next of kin. Ask Israel how well their tough-on-terrorists tactics have worked.

      But of course, Putin could stop most of the RU origin gangs in weeks if the FSB heavies got the order to create a "cooperative and understanding environment". But as long as it is extremely profitable someone is going to do it, be it criminals or state level criminals (North Korea...)

  11. Anonymous Coward

    Ban Microsoft Windows and ransomware would reduce by about 90%. That’s not realistic either though.

    Companies could take very simple steps to start with. All internal company email should be text only, no fancy HTML or embedded nonsense. Why do you need a big fancy logo in your signature? Or embedded tables or images?

    If you’re paying for something like SharePoint or one drive then use it and don’t attach files to emails. Don’t send clickable links either, make users copy and paste to the browser. It’ll be much easier to spot suspicious emails then. If you receive an email from “HR” with an attachment and the email is not in plain text, discard it. A clickable link? Discard. Company policy states text only emails. Any links will be sent in plain text and need copied to the browser manually. You used to be able to force email clients to send and receive plain text emails. I would hope you still can.

    You could ask external partners, clients, customers, etc to only send plain text emails in return. Harder to enforce of course but if they want to protect themselves too they might do it.

    Disable macros and other “automation” stuff in all Microsoft and similar documents. You shouldn’t be using Word or Excel to do fancy stuff that requires programming/scripting knowledge. If it’s a company requirement then get a dev to create a formal web form or application for doing this stuff. Spreadsheets are not databases or data logs.

    Instead of trying to ban paying ransomware, make some basic changes to prevent ransomware in the first place. I don’t understand this constant whack-a-mole approach of introducing new features that then open up gaping holes in security that need to be protected against. Yes, you can send an email that’s basically an interactive web page, but why do you want to? Why do you want to preview a word document in an email client? Why do you want to paste a table from a spreadsheet into an email? Just attach the spreadsheet or preferably a non clickable link to it on SharePoint/OneDrive.
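A mail-policy checker in the spirit of the text-only rule proposed in this comment, as an added example (not the commenter's code or any product's). It flags an HTML body, a clickable anchor, an embedded image, or a file attachment (macro-enabled Office files separately); the sample messages and the `example.invalid` addresses are constructed.

```python
"""Checker for a plain-text-only internal mail policy.

A message passes only if every part is text/plain with no attachments,
no HTML, no inline images and therefore no clickable links. Plain-text
URLs are allowed: the policy expects users to copy them into a browser.
"""
import email
from email import policy
from email.message import EmailMessage

# Office extensions that can carry macros; reported separately because the
# policy also asks for macros to be disabled everywhere.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def check_message(raw: str) -> list[str]:
    """Return the sorted policy violations found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    violations = set()
    for part in msg.walk():          # multipart containers themselves are never flagged
        ctype = part.get_content_type()
        disposition = part.get_content_disposition()   # 'attachment', 'inline' or None
        if disposition == "attachment":
            violations.add("attachment")
            name = (part.get_filename() or "").lower()
            if any(name.endswith(ext) for ext in MACRO_EXTENSIONS):
                violations.add("macro_enabled_attachment")
        elif ctype == "text/html":
            violations.add("html_body")
            body = part.get_content().lower()
            if "<a " in body and "href=" in body:
                violations.add("clickable_link")
        elif ctype.startswith("image/"):
            violations.add("embedded_image")   # e.g. a logo in a signature
    return sorted(violations)


def accept(raw: str) -> bool:
    """True when the message complies with the plain-text policy."""
    return not check_message(raw)


# ---- constructed sample messages (not real mail) -------------------------
def _plain(subject: str, body: str) -> EmailMessage:
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    return m


# Compliant: plain text, link given as text to be pasted into a browser.
SAMPLE_OK = _plain(
    "Q3 numbers",
    "Figures are on SharePoint: https://intranet.example.invalid/q3\n"
    "Paste the address into your browser.\n",
).as_string()

# Non-compliant: HTML alternative with an anchor plus a macro-enabled attachment,
# the "email from HR with an attachment" case the comment says to discard.
_hr = _plain("Payslip", "Open the attached payslip.")
_hr.add_alternative(
    "<p>Open your <a href='http://payroll.example.invalid'>payslip</a></p>",
    subtype="html",
)
_hr.add_attachment(
    b"PK\x03\x04 constructed, not a real file",
    maintype="application",
    subtype="vnd.ms-excel.sheet.macroEnabled.12",
    filename="payslip.xlsm",
)
SAMPLE_HR = _hr.as_string()

# Non-compliant: plain text but with an inline signature logo.
_logo = _plain("Hello", "Regards,\nAlice\n")
_logo.add_related(
    b"\x89PNG constructed bytes",
    maintype="image",
    subtype="png",
    cid="<logo@example.invalid>",
    disposition="inline",
)
SAMPLE_LOGO = _logo.as_string()

if __name__ == "__main__":
    for label, raw in [("ok", SAMPLE_OK), ("hr", SAMPLE_HR), ("logo", SAMPLE_LOGO)]:
        print(label, "ACCEPT" if accept(raw) else "REJECT", check_message(raw))
```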

    1. Anonymous Coward

      Re: Ban Microsoft Windows

      "Ban Microsoft Windows and ransomware would reduce by about 90%."

      No, it wouldn't. Simply because it's naive to believe that the very same people who decided to put the business on Microsoft software would suddenly develop a basic understanding of the IT landscape and IT security, and implement any non-Microsoft solution in anything other than a completely haphazard and insecure way.

      Also, just because Microsoft is shit doesn't mean it's the only purveyor of shit software, so a product/manufacturer specific ban would be silly.

      Criminal penalties for paying ransoms are the only penalty that has actual teeth.

      1. Anonymous Coward

        Re: Ban Microsoft Windows

        Most of the "haters" here don't understand how ransomware actually works.

        It uses legitimate cryptographic algorithms to encrypt data. (If it were me I would use an ECDH derived AES key meaning I only need the victim's public key to recreate the encryption key and smite the victim's private key upon encryption.)

        The encryption key is deleted from the local system and stored on a C&C server.

        Message displayed to user "give us crypto or we delete our copy of the key also!"

        Guess what else supports legitimate cryptography? Every modern operating system! I have no actual proof but I would suspect most ransomware uses OpenSSL or BouncyCastle or some other open source crypto library as developing your own is hard, porting it to Linux would probably take a day but its just not worth the effort as most people / businesses that can afford to pay the ransoms use Windows.

        Microsoft are shit in some things, yes, but I would argue that if <Insert OS Name Here> were as widespread as Windows, being applied to the same multitude of different hardware combinations, having the same amount of applications being written for it etc., then we would see a lot more issues with <Insert OS Name Here> and a lot more attacks / malware developed for those platforms. Malware and intrusion are a business; there has to be a cost / benefit analysis. Would I rather invest months of work writing malware for the Amiga or Windows 11? Which one is more likely to give me quick ROI? Sure, the Amiga stuff won't be detected or remediated (probably ever) but there's only 100 people in the world using one so the chances of any money are slim to none! Look at the rise in recent (15 years) malware for Apple products; before the iPhone generation Mac / iOS based malware was basically non-existent because... why bother when it's only the odd graphic designer or music creator that has a Mac?

        <sarcasm> Now if we were to bake in back doors or ban all cryptography, that would work right? </sarcasm>

        I don't have the answer but I sure as hell know banning Windows is just a silly suggestion. I'm no M$ lover but let's be realistic!

  12. Anonymous Coward

    Piano wire

    Cheap and effective.

  13. trindflo Silver badge

    Are we supposed to say this part out loud?

    The majority of that problem is that there is a free and potentially anonymous internet. The majority of western countries want it that way. Totalitarian regimes do not want anyone to be anonymous on the internet, but are forced to put up with it because of commerce.

  14. Lee D Silver badge

    You don't need a law.

    It's money-laundering.

    If you're paying thousands upon thousands to someone who won't identify themselves as the other party in the transaction - money laundering.

    I had this at a previous workplace - and discovered there are companies willing to take a percentage and pay the ransom for you (with zero guarantees, etc.) and I pointed out that that's money-laundering and I would report it if that happened, either directly or indirectly.

    Strangely, the idea was dropped rather hastily at that point.

  15. anthonyhegedus Silver badge

    Encourage software companies to make more robust software

    I can't see how this would work apart from discouraging software companies from making shit software.

    Take a random example, say... Microsoft. They implement 2FA for all their 365 accounts now as a default, but it's full of inconsistencies and bugs. Every day, I talk to people who've gone around in circles trying to get simple things such as email working on their phones. It takes you to the authenticator app, which asks you to log in, but that requires authentication, so you have to go to a website... on your phone, log in again, get a code, go into the authenticator and then round back again. The whole process is complicated, and often doesn't work. Every time someone buys a new phone, the backup/restore doesn't copy any data from their Microsoft authenticator app, so we need to reset it. That's buried in a menu seven layers deep in the Partner Centre, under "Entra ID". And forcing it to work with people who haven't got a smartphone is fiendishly complicated.

    I'm saying that this sort of security stuff should be front and centre in any admin system for 365, and it should be a smooth, painless experience for the user. It's neither of these things. Companies like Microsoft need to focus on making this process enviably simple and free of bugs rather than spend money on fiddling around with their useless start menu (which they haven't been able to get right since Windows 8). This is the point. Users are confused about getting security right, which is how these ransomware things happen. Users are so frustrated with anything to do with security that they'll blindly follow any security advice for fear of getting stuck in some nightmare "you can't continue till you do so-and-so" scenario.

    So definitely, we need to find some way of putting more responsibility on software companies to make their systems more secure, and make them easy to keep secure.

    1. General Turdgeson

      Re: Encourage software companies to make more robust software

      I agree, and we also need to address the human element. Statistics I've read vary but the lowest value I found is 60% of incidents were caused by unintentional actions of employees, and I am including C-level and down.

  16. Anonymous Coward

    Consider your processes and why on earth are they that vulnerable in the first place. Do you have working fallbacks? Paper processes that can fill in gaps? Critical systems should never be short changed (they inevitably are) of course.

    In the UK at least, listen to and act on the recommendations of the NCSC.

    And last but by no means least, create the entry and mid level jobs to develop the workforce we need to work in this space; because gawd knows there is nowhere near enough capability to go around compared to demand.

  17. Randall Shimizu

    Cyber insurance

    Requiring companies to have cyber insurance that covers ransomware seems like a good option. The issue would be getting companies to comply with security standards for insurance companies. This insurance requirement would be limited to publicly listed companies and ones that are above a certain size. The other companies would be those that are deemed to be critical infrastructure.

  18. Anonymous Coward

    The easy target that wouldn't hurt any productive companies would be to ban US banks from transacting or investing in crypto, and to ban US companies and citizens from buying or selling crypto overseas.

    1. NiceCuppaTea

      From a sequence of 34 random numbers and letters, how do you know it's a domestic payment?
