back to article Ransomware payment ban: Wrong idea at the wrong time

A general ban on ransomware payments, as was floated by some this week, sounds like a good idea. Eliminate extortion as a source of criminal income, and the attacks are undoubtedly going to drop.  But unfortunately, it's not going to work — at least not now, and probably not in the foreseeable future — for a number of reasons …

  1. elsergiovolador Silver badge

    Rename

    They'll just change it from "ransom" to "Ransomware removal fee".

    I mean they no longer will have to ask for ransom. Just ensure the name of the ransomware is distinct and when someone Bings for the removal services, it pops up on the first page.

    1. VicMortimer Silver badge
      Holmes

      Re: Rename

      FBI agent: Oh, you paid for a "ransomware removal" to a company you'd never heard of? Paid them in bitcoin? Hang on a minute, let me get my cuffs out.

      It's why payment of ransom has to be a strict liability crime, to remove any plausible deniability.

      1. elsergiovolador Silver badge

        Re: Rename

        Doesn't really have to be like this.

        These can be legal businesses, just like anti-virus companies, just happening to have expertise in ransomware removal. They don't need to have any connection to the groups distributing and creating malware, just like anti-virus companies don't have any connection to the people making viruses.

        wink wink

    2. NightFox

      Re: Rename

      This touches on why legislation banning ransom payment in human kidnap-for-ransom cases has regularly failed to be effective. In those cases it's routine to bring in commercial specialists to do the negotiation with the kidnappers, so you either end up where the intermediary is a legitimate company who effectively just act as an agent to make the ransom payment (e.g. kidnappers demand $1m to release your daughter, you pay company $500k to get your daughter back, they pay kidnappers $250k ransom after negotiation and get your daughter back for you, without you ever knowing a ransom was paid). In parts of South America, kidnappers are so aware that this is how it works that they will adjust their initial ransom demand to allow for this. The second practice is where the kidnappers say "we will only negotiate through Company X", which is just a criminal front connected to the kidnappers. So you pay Company X large amounts of money and they successfully negotiate the release of your daughter without any ransom being paid.

      It's very difficult to stop those things, especially where expertise to negotiate (or get rid of the ransomware) often needs to come from a different country/jurisdiction, and they're both equally applicable to ransomware.

  2. VicMortimer Silver badge
    Mushroom

    Wrong

    This is completely the wrong take.

    There needs to be not just a ban, but a CRIMINAL ban on paying ransomware attackers. It needs to come with actual jail time for CEOs whose companies pay, and it needs to be strict liability, whether they know they paid or not, so that they can't claim plausible deniability.

    The only way ransomware stops is when paying ransom is a crime.

    1. VicMortimer Silver badge

      Hospitals

      Oh, and there should be NO EXCEPTIONS, especially for hospitals.

      For a hospital that's been hit, there should be a requirement that they declare an emergency, and KEEP TREATING PATIENTS. The actual medical devices should not have been on the internet-connected network in the first place, so they should be fine. If not, somebody screwed up badly, but salvage what still works, and KEEP TREATING PATIENTS. SCREW YOUR PRECIOUS BILLING RECORDS, KEEP TREATING PATIENTS. If the pharmacy bot stops working, crowbar it open and have the pharmacist do it manually. The doctors can keep notes on paper for the duration of the emergency.

      And if anybody pays the ransom, they go to jail.

      1. Catkin Silver badge

        Re: Hospitals

        It seems all well and good on the surface to put healthcare professionals in front of a patient and SCREAM AT THEM to DO MEDICINE but the reality is that, outside of emergency care, it can be more harmful than helpful to go plunging in without access to medical histories. Funnily enough, if you take some time to actually read published papers on the impact of ransomware on hospitals, this is exactly how they played it, irregardless of whether payment was made to the ransomware slingers; priority was given to essential treatments and the extra resources needed to deliver these was temporarily allocated from elective work. It's almost as if, in this area, people with knowledge and experience in medicine were employed to direct the response.

        Billing is the least of their concerns, as far as sitting idle to avoid delivering *gasp* free healthcare. Indeed, it is in the interests of a for-profit hospital to keep delivering care because that is the source of their revenue. It's trivial to record treatments given and financially rinse patients later compared to the intricacies of actually delivering that care.

        You seem to have spied a high horse in the profiteering of hospitals but, in this instance, it is actually one of the rocking variety. Populist rhetoric and healthcare don't really mix.

        1. Brad Ackerman

          Re: Hospitals

          Why would a ransomware gang give you the ability to decrypt your data once they've got your money? It happens from time to time, but so does winning after dropping all your money on 00 at the roulette wheel.

          1. Catkin Silver badge

            Re: Hospitals

            >An average of 64.8% of healthcare data was restored after paying the ransom.

            >This is above the average of 60.6% across all industry verticals.

            https://www.hhs.gov/sites/default/files/2022-retrospective-and-2023-look-ahead.pdf

            Please do let me know if you open a casino, I'm feeling lucky.

            Statistics aside, I was more explaining that hospitals do continue to deliver care during a ransomware attack, it's just that their capacity is compromised.

            1. Potemkine! Silver badge

              Re: Hospitals

              4% is significative when the samples number is large enough. And it may just say that hospitals are just a little bit more cautious when dealing with backups... 2 times out of 3.

          2. Prst. V.Jeltz Silver badge

            Re: Hospitals

            Why would a ransomware gang give you the ability to decrypt your data

            Surely the whole cause and effect nature of this article might have given you a clue?

            True there is no way of making them , but why the hell wouldnt they if they want to encourage victims to pay up?

          3. Orv Silver badge

            Re: Hospitals

            These gangs have names and brands, and weirdly enough, reputations. If they don't deliver decryption keys people stop paying them.

        2. Anonymous Coward
          Anonymous Coward

          Re: Hospitals

          True. We -- mid sized hospital lab -- have robust backup systems in case the IT stuff goes away. But

          * Our main instrument is a computer with some analytical hardware as a peripheral (slight exaggeration), and while orders can be manually entered at the computer screen of this computer and either copied manually or printed and then copied this is a source of errors. Normally it gets orders and reports results by way of a dedicated middleware

          * The middleware is connected to a LIS, and does far more than just piping orders and results back and forth. For example, for each of the well over 100 analyses there is at least 2 controls materials analyzed daily, and it checks that they have been run and that the results were acceptable. Also, was that result critical or normal? It flags them appropriatelty

          * The LIS (Laboratory Information System) talks to several different instruments, as well as the records system that the MDs and nurses look at. It gets order from the record system, and delivers results (usually by way of a middleware...)

          Add the blood typing robot that checks blood type before blood is released for a patient, and the system to keep track of donated blood. And the medical imaging folks use a computer to look at the images.

          And we are in a sane country, so no need to bill except for accounting porpoises (external agencies/clinics etc

      2. Anonymous Coward
        Anonymous Coward

        Re: Hospitals

        Ransomware doesn't need access to the internet to be able to jump the gap to a non-internet enabled device...I've seen ransomware jump VLANs before and go down client VPN tunnels. It's just not that simple.

        "And if anybody pays the ransom, they go to jail."

        That won't work. That will just incentivise organisations to not report breaches and keep things hush hush.

        It's not usually the fault of the CEO either...the CEO makes the best decisions he can based on the information presented to him by his underlings...the IT department...who do the best they can with the money they've been allocated in their budget...I would go as far as to say it is vanishingly rare that ransomware infections happen because of IT oversight or CEO fiscal tightness...ransomware happens because company minions are fucking inept when it comes to tech and spotting a potential scam.

        It's usually a dimwit in a middle management role that lets the ransomware in. Bob "I have a fucking masters degree in music" Jones, VP of sales...he's the thick bastard that clicked the attachment...he's the one sweating when he sees that the business "owes £4000 to DHL" because he hasn't a clue what's going on most of the time...an email with that subject is plausible to him, because he has nothing to do with the day to day operations of his department...he's also a nosy bastard, so "Message for the CEO RE: bonuses attached" is unbelievably tempting to him.

        Send all your staff for the same basic training, including the execs, and put the execs in with the minions...no separation based on rank. A pure, level playing field to ensure everyone is up to the same minimum standard...putting the execs in with the minions will force them to be of a higher standard, because they won't want to appear dumber than their underlings...lest they lose their respect or worse, their jobs.

        The number of times I've been asked to help out with basic shit as an IT guy with an exec that is as thick as pigshit is unbelievable. It's even worse when you point it out to them and they quip back..."Well it's what we pay you for!"...no it isn't...I'm there to stop things catching fire, blowing up and to manage your tech to ensure you always keep up with the market and that you're never behind the competition, I'm there to make sure your data is backed up and that you have a recovery plan. It's up to you do your fucking mail merges and print out labels, you dickhead...that's your fucking job.

        I've turned some execs white pointing this out. "I'm so glad we have a decent IT guy, I'd never get this spreadsheet done without you", "I know right, if I had the budget, I'd automate all this, that way neither of us would have to do it and the business could save your salary", "can my job actually be automated?", "oh yes, well most of it, the easy stuff like spreadsheets, mail merges, analytics reports...would be easy".

        1. ChoHag Silver badge

          Re: Hospitals

          "Go away, or I shall replace you with a very small shell script"

          We used to have it on t-shirts. It made up for having to go in to the office.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hospitals

            Indeed...I have a standard boilerplate response for the smart ass that asks why I haven't done it yet... "Average meat is cheaper and more abundant than precious metal".

        2. S4qFBxkFFg

          Re: Hospitals

          "That will just incentivise organisations to not report breaches and keep things hush hush."

          Honest (although admittedly rhetorical) question: how many people need to know about a ransom payment for it to be processed successfully and covertly? Everyone involved would have to keep quiet, and more importantly, be certain everyone else who knows is keeping quiet as well. Throw in immunity for whistleblowers, and I think very few higher-ups would risk it.

          This doesn't even address the fact that the data might not even be recoverable, no matter how much is paid.

          1. Doctor Syntax Silver badge

            Re: Hospitals

            It would also have to be disguised in the accounts. Is the CFO going to risk going to jail to keep the CEO out?

            1. Killfalcon

              Re: Hospitals

              The CFO would be going to jail as well. If the CEO's moving a few million, the CFO's involved.

            2. Anonymous Coward
              Anonymous Coward

              Re: Hospitals

              It wouldn't have to be disguised at all...the ransom payment could be outsourced. "Blackbeard Technology Solutions Limited - £30,000 for cybersecurity services".

              If you ban paying cybersecurity ransoms, it will spawn third party oerseas services to pay them on your behalf, I mean assist with a 24 hour unlocking service...which will fall into a nice legal grey area.

              The result:

              CEO didn't make a decision to pay the ransom, the CEO doesn't have first party knowledge of a decision having been made, no direct contact with the ransomware gang and no direct transaction to the ransomware gang., CEO has zero knowledge of the ransomware gang being paid. Plausible deniability the whole way.

        3. Prst. V.Jeltz Silver badge

          Re: Hospitals

          The number of times I've been asked to help out with basic shit as an IT guy with an exec that is as thick as pigshit is unbelievable. It's even worse when you point it out to them and they quip back..."Well it's what we pay you for!"...no it isn't...I'm there to stop things catching fire, blowing up and to manage your tech to ensure you always keep up with the market and that you're never behind the competition, I'm there to make sure your data is backed up and that you have a recovery plan. It's up to you do your fucking mail merges and print out labels, you dickhead...that's your fucking job.

          The anger is strong in this one.

          Use the force . It surrounds us , binds us . Feel the differing roles and skills of your fellow Jedi and your place in furthering general good.

        4. Kobus Botes
          Boffin

          Re: Hospitals

          ..."ransomware happens because company minions are fucking inept"...

          That was what I (mostly) believed as well, but the problem is a lot more nuanced than that.

          We had a good relationship with a major client and they were on board with most of the recommendations we made in order to mitigate attacks (though they balked at zerp trust networ

          king and having to enter a password in order to retrieve or save documents to the data server). Everyone was aware of being wary of incoming documents and all their Windows machines were set to display file extensions (I still do not understand why MS persists in setting extensions hidden by default, almost forty years after they were first warned about why it was a bad idea (and ample evidence of same)).

          Then one day the admin office was hit by ransomware. They immediately contacted us and we were able to prevent further infections by turning off the switches, et cetera. Further investigation revealed that the CFO had opened the attacking e-mail attachment. I could not understand how she could have done it, as she was very diligent and checked everything for suspect extensions.

          The problem was that the crims had also become very clever at how they targeted their victims.

          In this case, the client had run adverts for some open positions that needed to be filled. Applicants were invited to submit their CV's in MS Word format, and the file had to be named "Joe Bloggs CV - Admin position.doc"

          So, firstly, it was not a phishing attempt, but an expected document and therefore did not ring any alarm bells. Secondly, the file had the correct name - on the face of it. Anotherf clever trick was that the name was actually "Joe Bloggs CV - Admin position.doc .exe", so that the .exe part did not show up in Outlook.

          Lessons were learned, but some of the more stringent mitigations like protected access to files, et cetera were still a step to far, as users do not like entering passwords to access shared drives, printers, et cetera (this was 7 or 8 years ago, so before 2FA).

          As long as companies and users view safety measures as too much effort, too difficult or a waste of time, this problem will remain with us.

          1. sten2012
            Megaphone

            Re: Hospitals

            *Emailing someone an EXE file isn't a sophisticated attack.*

            Bloody hell. Nobody should be letting that through. Step one of managing email.

            It does get nuanced. This is not one of those cases.

            Edit to say: this isn't cutting edge developments in network security either. Or expensive gear to filter and block. 9 years ago it was still the norm.

            1. Prst. V.Jeltz Silver badge

              Re: Hospitals

              Exactly , i was going to suggest that to the angry poster we're replying to .

              He should not have to rely on "barry from accounts" not clicking on an exe

          2. Casca Silver badge

            Re: Hospitals

            Ever heard of applocker?

      3. EricB123 Silver badge

        Re: Hospitals

        Well, at least this suggestion didn't get downvote bombed!

      4. Orv Silver badge

        Re: Hospitals

        Air-gapping devices works great until someone brings in a USB drive. And it pretty much ensures they'll never get updated, so they'll be a nice soft target when that happens.

    2. mmccul

      Re: Wrong

      Already exists for many ransomware gangs. It's under the laws banning providing any funding for or doing business with embargoed organizations, countries, etc. Not all of them, of course, but enough of them are operating from an embargoed country, or have been directly linked to supporting terrorism that existing laws make it very risky to pay out blindly.

      1. VicMortimer Silver badge

        Re: Wrong

        While this is true, it's also too hard to determine quickly, allows for plausible deniability in some cases, and is too often ignored.

        It's stopped some ransom payments, but not nearly enough. The payment of ransom itself needs to be a separate strict liability crime.

    3. cyberdemon Silver badge
      Holmes

      Re: Wrong

      +1

      JLH, Why do you think there should be an exception for critical infrastructure? What happened to "don't negotiate with terrorists" etc?

      If someone is holding critical infrastructure to ransom, and you pay them, what's to stop them from demanding more money, or taking the money and borking the infrastructure anyway? If they even had the means to do so in the first place? Or they could just leak the access to someone else, or plant a logic time bomb, etc etc.

      It's completely daft to pay a ransom. One could argue that the ONLY exception should be where it is paid in such a way where it can a) be used to identify the perps and bring them to justice AND b) can be got back afterwards. E.g. someone has kidnapped your daughter. The correct response is to get the police involved early, and with their permission leave the money in a place where the person coming to collect it can be followed by the police, etc etc. Otherwise they can simply say "Thanks for the dosh, now double it."

      However, when the perps are in another country, how can you be sure of bringing them to justice after paying a ransom? You can't. So there is no reason to pay it.

      In any case, this sort of exception if it is ever valid, needs to be made by the police, not by the board of directors.

      1. Andy Non Silver badge

        Re: Wrong

        I fully agree. Maybe there is also a case that critical infrastructure companies, hospitals etc should undergo mandatory security auditing on an ongoing basis too, with penalties of some form for those companies or organisations that are substandard, maybe financial penalties levied at the exec's bonuses or shareholder level to stimulate active effort. Such an approach wouldn't necessarily stop all ransomware attempts as there will always be human error somewhere in the organisation, but it should help somewhat to harden their security and make it more difficult for the miscreants.

        1. ChoHag Silver badge
          Trollface

          Re: Wrong

          > undergo mandatory security auditing on an ongoing basis too, with penalties of some form for those companies or organisations that are substandard

          We have that. We call it ransomware.

      2. Andy Tunnah

        Re: Wrong

        > One could argue that the ONLY exception should be where it is paid in such a way where it can a) be used to identify the perps and bring them to justice AND b) can be got back afterwards.

        You thought of this in the time it took you to write an internet comment, why do you not think someone could equally spend another 5mins to come up with a work around to your work around.

        This is the issue with stuff like this. People think they've come up with some radical idea without realising literally everyone assumes the same thing and literally everyone thinks of a counter to it. And a counter to that. And a counter to..you get the point.

      3. Pascal Monett Silver badge

        Re: What happened to "don't negotiate with terrorists"

        What happened is that it was just a soundbite. The US government has always negociated with terrorists, just never openly.

        That way the electorate can believe that the liberation of hostages was obtained through diplomacy only and the good work of negociators (makes much better TV), when the back-room dealings and many brown envelopes were the actual solution.

    4. Phil O'Sophical Silver badge

      Re: Wrong

      And if the only way to save critical infrastructure is to pay the ransom, the board should authorise that in the full knowledge that fines and jail time are in their future. The alternative being to allow the infrastructure to fail, and be fined and jailed for that instead. Both options might focus their successors' minds on better security.

    5. General Turdgeson

      Re: Wrong

      I get where you're coming from and a big part of me even agrees with you. But paying ransomware attackers, while risky, can sometimes be the only viable option to recover crucial data and prevent further damage, especially in cases where essential services or sensitive information are at stake. Sucks but it's the reality.

      What I would rather see is criminal liability for executives who failed to secure vital systems in the first place. Too often they don't face any personal consequences, thus they don't have the imperative to properly secure their systems.

      1. Richard 12 Silver badge

        Re: Wrong

        If the data was crucial, then you have backups.

        If you don't have backups, then the data was not crucial.

        And paying a ransom marks you as the kind of business that pays a ransom, all but guaranteeing future attacks.

        1. David 132 Silver badge
          Thumb Up

          Re: Wrong

          "It is wrong to put temptation in the path of any nation,

          For fear they should succumb and go astray;

          So when you are requested to pay up or be molested,

          You will find it better policy to say: --

          'We never pay any-one Dane-geld,

          No matter how trifling the cost;

          For the end of that game is oppression and shame,

          And the nation that plays it is lost!' "

        2. Andy Tunnah

          Re: Wrong

          Ah yes the famous rule of "if someone didn't back it up then it couldn't possibly have been important". Because people don't make mistakes or aren't sloppy or just suck.

          1. Flocke Kroes Silver badge

            Re: Mistakes

            Disastrous mistakes can happen without ransomware. Making ransom payment illegal just increases the number of pathways to disaster. There really ought to be plans in place to mitigate the most common types of disaster for critical infrastructure. "Funding people intent on making more trouble" should not be on any list of mitigations.

          2. doublelayer Silver badge

            Re: Wrong

            The fact that someone made a mistake does not mean that we should adjust our laws to let them do whatever they think necessary to recover from their mistake. I have left too late for things before, but that didn't give me permission to treat the public streets as a racetrack to get where I needed to be on time. Making mistakes leads to consequences. Consequences are why you try to avoid mistakes when you can and to have contingencies for when you can't.

        3. General Turdgeson

          Re: Wrong

          In the world of data security, backups are paramount, particularly those that are air-gapped or offsite. Yet, the real-world scenario is far from black and white. Consider a financial firm processing transactions non-stop; their RPOs demand backup solutions that, ironically, might be susceptible to the same ransomware plaguing their primary systems. It's easy to occupy the moral high ground and decry ransom payments from a position of safety. However, the stark reality unfolds differently when faced with dire threats to loved ones or the potential collapse of a business empire painstakingly built over years. Life, unlike old developers' binary thinking, is filled with shades of gray.

          1. Richard 12 Silver badge

            Re: Wrong

            The shades of grey are how much risk, age and restore time you're willing to bear for each type of data.

            Some stuff is merely a bit annoying if it's gone or stolen.

            Some stuff ends the business.

            Most is somewhere in between. It's the job of upper management to decide.

            This is no different to the health and safety of employees and the public, or the risk of damage to the building/stock.

          2. Doctor Syntax Silver badge

            Re: Wrong

            "It's easy to occupy the moral high ground and decry ransom payments from a position of safety."

            The point of a ban is not just to occupy the high moral ground but to make ransomware go away entirely by making it unprofitable. Ultimately, it's to make everyone's position safer.

            1. Michael Wojcik Silver badge

              Re: Wrong

              A ban has no chance of "mak[ing] ransomware go away entirely". None. Zero. It is remarkable that so many are naive enough to believe otherwise.

              1. Anonymous Coward
                Anonymous Coward

                Re: Wrong

                If people actually follow the ban, it certainly does. What's the point of deploying ransomware if you're not going to get paid for it?

        4. Orv Silver badge

          Re: Wrong

          I know of at least one organization that had full backups, but realized that the amount of time it would take to restore the contents of every single computer in their organization from backup would be disastrous. They ended up paying the ransom so they could avoid the prolonged downtime.

          When people verify backups they usually check that they can restore individual machines, but hardly anyone benchmarks a restore and then multiplies it by the number of systems they own...

    6. Andy Tunnah

      Re: Wrong

      Ah yes because criminals are the moral type who will simply give up! God this is all so STUPID.

      Crims won't stop and orgs would way the cost analysis and find someone to go to prison for it.

      (Also how do you even make this illegal ? How can you frame it as a crime to pay to get your own data back under threat of damages to your company ? The idea of it becoming illegal is ridiculous)

      1. Pascal Monett Silver badge

        Re: how do you even make this illegal ?

        You seem to forget that kidnapping ransoms was made illegal to pay, and that worked pretty well.

        If you can "frame it" to make it illegal to pay to get back your child/spouse, then you can damn well frame it to make it illegal to pay for data.

        1. Michael Wojcik Silver badge

          Re: how do you even make this illegal ?

          Citation fucking needed.

      2. Doctor Syntax Silver badge

        Re: Wrong

        "Ah yes because criminals are the moral type who will simply give up! God this is all so STUPID."

        Do you think they're in it for a hobby?

        And how are orgs going to find someone ready to go to prison for paying a ransom? It wouldn't be a case of calling for volunteers from the ranks. It would be defined to be the absolute top tiers of management and preferably the board would be included in that.

      3. doublelayer Silver badge

        Re: Wrong

        "How can you frame it as a crime to pay to get your own data back under threat of damages to your company?"

        Paying money to known criminals? It is already illegal if you replace "criminals" with "terrorists", because you know the money will be put to use committing terrorism which is assumed to be worse than whatever problem you're having. It's pretty easy to make that logical leap, and the law would be compatible with other criminal legislation that already exists. There is no legal obstacle, as far as I know, that would prevent you from passing and enforcing such a law. Therefore, it comes down to whether we, as the voters in democracies, wish to make that a criminal offense or not.

        1. Anonymous Coward
          Anonymous Coward

          Re: Wrong

          Hmm. That makes passing a ban easy - define ransomware as terrorism. Especially for ransomware on critical infrastructure.

    7. Michael Hoffmann Silver badge
      Thumb Up

      Re: Wrong

      That part needs to be captured in the letter of the law as well: no, not the underfunded infosec manager and their team, the *C-level*, the over-bonused crowd where the buck is supposed to stop, if the one that gets to wear orange.

    8. Anonymous Coward
      Anonymous Coward

      Re: Wrong

      Having dealt with a quite few ransomware cleanups over the years, I think this might be a bit harsh.

      Paying the ransom, I agree, should be banned...however, jailing the CEO? You can have what you think is the best protection in the world in case of ransomware, but a new strain can appear that pisses on your setup from a great height because it has been designed with all new, unpatched, exploits.

      Ransomware can be a lot more devastating than you think, regardless of your security set up. For example, in one case where I was called in, the ransomware had been dormant for months, which meant every backup for the period of time it was dormant, contained the ransomware, ready to flare up again. It also went further than just encrypting files. It totally wrecked a pair of fully patched Synology NAS devices, they were essentially bricked and the only way to get the data back was to send them off to a data recovery specialist...they weren't even joined to the domain. They were just additional backup devices (there were 4 different kinds of backup going on) with random passwords on them.

      There were several layers of protection in place that could easily handle known versions of ransomware, but this version wasn't known and was therefore impossible to detect. We were completely unable to pinpoint a precise time that the ransomware entered the network, closest we could get was to within 2-3 days and maybe down to about 5 possible candidates through which the virus entered the network.

      You can't always detect ransomware, and the evolving nature of it means you can't always easily recover from it...even if you have backups...and usually the infection has nothing to do with the CEO or how much of a "cheapskate wanker" he might be...it's usually old wrinkly Barbara in accounts.

      What should be a crime is having inadequate technical skills...technical skills of employees must be tested when they're hired and then at least once a year before and after some basic training. You fail the test before the training? No worries, that's what the training is for...fail it after the training though? You're fucking out of there.

      The only way to stop Barbara mindlessly clicking on an "£2,000 overdue invoice from DHL" is to put her job on the line.

      I like to hate on CEOs as much as the next guy, but in the case of ransomware, it seems just a bit unfair. We have to stop coddling people that are shit with tech, it's 2024...a line has to be drawn somewhere...desktop PCs have been a thing now for 40 years...if I had access to a toilet for 40 years yet I still managed to piss on the floor every time and said "ah well, I'm just no good with toilets" and everyone accepted that, it would be fucking weird.

      If I wanted to drive a forklift, I have to take a course and get a cert to ensure I don't accidentally drop a crate on someone and ruin (or even end) their life. Well, Barb's desktop computer can destroy the lives of everyone in the business if she clicks a dodgy attachment...I'd sooner have her drive a forklift without a qualification than a PC.

      If we had a minimum standard for technical skills, doesn't have to be overtly complicated, it can just be general awareness and basic knowledge (like which socket is a USB socket for example), ground level stuff...we'd probably have a lot less ransomware. This needs to be a policy at government level though, not business level...when you leave school and start applying for jobs, you have to be able to answer basic technical questions, demonstrate some basic technical skill (like being able to run Windows Update for example to check for updates, being able to identify and disconnect an ethernet cable / wifi connection if you cock up, to at least isolate your machine) and for fuck sake...accept that "I'm not good with computers" is a bullshit phrase that should be an anachronism in 2024.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wrong

        The only way to stop Barbara mindlessly clicking on an "£2,000 overdue invoice from DHL" is to put her job on the line.

        Yes, assuming she's had appropriate training for her job. If not, then her managers carry the can.

        I like to hate on CEOs as much as the next guy, but in the case of ransomware, it seems just a bit unfair.

        "Fair" doesn't enter into it. The CEO may not be to blame, but (s) he is responsible. The buck stops with them, which is why they get paid what they do.

        1. Doctor Syntax Silver badge

          Re: Wrong

          And while the CEO may not be directly to blame that's where the organisation's culture starts. If the CEO fails to appoint managers who take sufficient interest in security then it's ultimately their fault. However the CEO needs the board's backing so directors must expect to stand alongside the CEO in the dock.

          1. Anonymous Coward
            Anonymous Coward

            Re: Wrong

            I think there is some confusion here between accountability and responsibility. The CEO is accountable not responsible. Responsibility is what you pay people to take off you...aka a job. Accountability is where the buck stops.

            Unless the CEO infects his own business with ransomware, he can't be held responsible but he can be held accountable for the actions of those directly beneath him.

            Responsibility goes down the chain, accountability goes up the chain.

            The janitor is responsible for ensuring the floors of the corridor are clean, but his manager is accountable if the janitor fails in his responsibility.

            The CEO is responsible for ensuring the company mission is being executed and the company is heading in the right direction, the shareholders / board of directors are accountable if he fails. In the case of the company tech position, the CTO is accountable for it and the IT department is responsible for it.

            Neither accountability or responsibility move up or down infinitely.

            How you quantify "blame" is by figuring out why the wheels fell off. Was it an engineering oversight (The people installing the wheels were incompetent)?, was it a financial oversight (bolts were too cheap and not up to the job)? Was it an executive oversight (the engineering was fine, and the bolts were fine, but no QA process was put in place to pick up faults?), was it a managerial oversight (someone was let go and he was able to sabotage the last few wheels he installed because his exit from the company wasn't controlled)?

            It can be just as difficult for a CEO to get a message to go down hill as it is for the dinner lady to get a message to go up hill.

            In my opinion, the buck stops where the financial decisions are made. I don't think there is a CEO on Earth that doesn't want their business to be secure and to run smoothly. The only people in a business that think they're bulletproof that are incentivised to cut corners at any cost are the beancounters and shareholders.

            I think it would be much more appropriate to fire the CFO and take the shares off shareholders (and forbid them holding shares in anything for a period of time, or forever if they appear to be consistently invested in companies that go to shit on their watch).

            You need to spike the financial stakeholders...because firing the CEO and throwing him in jail allows the shareholders etc to clear the decks and keep the status quo. You will never get any improvement.

            "Don't worry guys, the CEO has been ejected and jailed, we're a different business now, honest!"

            However, if you force the investors to surrender their shares and equity, you'll suddenly find that it is in the shareholders interest to ensure the business is solid as well as profitable and therefore less corners will be cut...at the moment shareholders, stakeholders etc have no responsibility or accountability and they tend to sway the decisions made in most businesses.

            It's either that or the board/shareholders should be removed from any executive decision making...especially if their motives are not in line with the interests of the business.

            Nothing would please me more than investors/shareholders/stakeholders getting a kick in the bollocks and a financial scrotum waxing in the event of a major cock up.

            Directors can be struck off if they consistently rub up against the law, however, shareholders can never be struck off no matter how toxic their influence is over the businesses they invest in.

            1. Doctor Syntax Silver badge

              Re: Wrong

              It's not a question of punishing the CEO for letting ransomware in. It's punishing the CEO for paying a ransom. If the ransoms aren't going to get paid where's the motive for demanding them? A CEO who wants to protect their back and the company can ensure he or she is doing their best to run a tight ship although once the message gets through that ransomware's day has gone because there's no benefit to be gained from it then both back and company are better protected anyway.

              "Nothing would please me more than investors/shareholders/stakeholders getting a kick in the bollocks"

              You do realise, don't you, that this might include you via your pension fund?

        2. Lurko

          Re: Wrong

          The only way to stop Barbara mindlessly clicking on an "£2,000 overdue invoice from DHL" is to put her job on the line.

          Transactional jobs such as AP and AR, are not well paid, and often are offshored to even lower skill, lower wage places. There's plenty of pressure to pay invoices (especially when the C-suite have agreed a contract and not gone through the standard ERP channels). It is the job of IT to ensure that "Barbara" cannot cause harm by an innocent or careless act. If IT security is reliant upon people on near minimum wage not clicking on attachments that look exactly like the sort of thing they should be paying attention to, then it's set up to fail.

          1. Anonymous Coward
            Anonymous Coward

            Re: Wrong

            "If IT security is reliant upon people on near minimum wage"

            Whats the payscale of an employee got to do with intelligence and training? Are you saying that all minimum wage people are idiots?

            Where the people factor is concerned with IT security, the IT department has very little (if any control) over who his hired...that's an HR concern. It's the responsibility of the IT guys to communicate to the HR guys that they shouldn't hire people below a certain level of IT competence...it's the bean counters that override the IT checks and balances in this regard. Because higher competence means higher wages. CFO isn't interested in risk, he's only interested in profit margins and running costs, the COO is interested in risk, but the COO doesn't set the budgets...higher up, the shareholders also aren't interested in risk, they're interested in profit and dividends...return on investment that sort of stuff...and since that is their area of interest, they're far more likely to get behind a CFO initiative than a COO, CTO or CEO initiative.

            CEO: That's not part of my vision.

            COO: Could damage the operation.

            CTO: It's risky.

            CFO: But it's 50% cheaper!

            Shareholders: Cheaper you say? Tell us more! Can we get a dividend before the shit hits the fan? Can we save face by firing the COO/CEO/CTO when the shit hits the fan?

            It's not the CEO, IT Department etc etc that is at odds with the business...it's the shareholders. People running the business want it to succeed, shareholders want to dip in and out for a divvy. They don't give a shit long term...as long as they can see profit in the short term, and an exit in the long term...that's all they care about.

            1. Doctor Syntax Silver badge

              Re: Wrong

              At the moment we have a feedback loop.

              1. Ransomware generates profits because businesses pay.

              2.. Businesses pay because they get hit with ransomware and there's nothing stopping them.

              3. That makes ransomware profitable so go to 1.

              That feedback loop needs to be broken. From my past career I'd love to see that done by going after the criminals but in practice the most accessible place to stop it by removing that second term in the 'because' clause in 2. And without ransomware the shareholders get a better deal. You're forgetting that the ransom doesn't get conjured up out of thin air. It's the shareholders' money that gets paid.

      2. OhForF' Silver badge

        Re: Wrong

        The CEO would not go to jail for a ransom attack hitting the company - only for agreeing to pay a ransom. Nobody said the CEO is going to jail when a ransomware attack is sucessfull unless the CEO was aiding it either on purpose or by being grossly negligent (e.g. not having ensured there are backups or not having any disaster recovery plan).

        I am definitely very much opposed to your idea of making inadequate technical skills a crime. As you yourself wrote technical skills of employees must be tested and if they are not up to the minimum skill level for the job after training they can't do that job. If they are still being employed for that job (or no test of skill was done) the problem is not the technically unskilled employee but those that choose them for that particular job. We are back to deciding how for up the company ladder we want consequences to reach, is it the HR bod or the direct supervisor or should the CEO that gets the big bucks for having ultimate responsibility in the company be affected?

        If you have a license to drive a forklift and cause an accident you wouldn't go to jail either unless you did it on purpose or were grossly negligent (e.g. drunk) and the damage would probably paid for by some insurance company. If Barbara from accounting doesn't spot a spear fishing mail with an attachment containing a zero day exploit even after having basic email and IT security training that is not (and should not be) a crime either. Firing those that make their first mistake will not result in improved safety or security.

        Windows updates can easily be enforced by the admins in a corporate environment and thus is IT's job and not something everyone applying for any job should have to know about how to do that.

        Pulling the network plug or even the power supply if you "cock up" is a nice idea and might even mitigate the damage but will usually not happen as infection will most likely not be noticed while working silently in the background. Your advice sounds like your experience with "quite few ransomware cleanups" is running some virus removal tools to get rid of things like the happy99 worm. Unfortunately email attachements are still one of the main sources of infection and even the IT securitry training almost all bigger companies make mandatory doesn't change a thing there.

      3. Dagg Silver badge

        Re: Wrong

        If I wanted to drive a forklift, I have to take a course and get a cert to ensure I don't accidentally drop a crate on someone and ruin (or even end) their life. Well, Barb's desktop computer can destroy the lives of everyone in the business if she clicks a dodgy attachment...I'd sooner have her drive a forklift without a qualification than a PC.

        The big difference is if the forklift driver kills someone and it was determined that they were at fault then they and possibly their manager could end up in prison.

    9. trindflo Silver badge

      Re: Wrong

      The article did make some salient points, but I couldn't escape the feeling I was listening to a lobbyist for the ransomware industry. Aside from hand-wringing and a stern finger-waving, the advice was study groups, or did I miss something?

    10. Dagg Silver badge

      Re: Wrong

      One other possible take on this is about the information that is taken.

      The concept of privacy becomes important. Why the hell does company X require all this personal details about a person? If they need credit card details, for example for a bill payment. Then why the hell should they keep them after the payment is complete.

      It appears that there also need to be laws around what information can be held and for how long. These should be CRIMINAL laws and come with jail time as well.

  3. Andy Non Silver badge

    "Such a ban would need to be universal"

    Disagree with that. There would not need to be any universal ban across the world or involving the UN. If country X bans payments and the miscreants target other countries instead, you can be sure those other countries won't be far behind in individually also enacting bans. The targets across the world will diminish over time with only those remaining who are too recalcitrant for whatever reason to enact bans - but that's their problem to resolve.

    1. VicMortimer Silver badge
      Thumb Up

      Re: "Such a ban would need to be universal"

      Absolutely.

      Ransomware will NEVER be stopped by going after the perpetrators. The only way to stop it is to destroy the possibility of profits, and if that's worldwide, wonderful. But if it's country by country, so be it.

      The place to start is national laws criminalizing payment of ransom. All the better if it goes international, but pretending that you're ever going to get the whole world to agree on anything is an exercise in stupidity.

      No, the time to start making paying ransomware a crime is now, and the place is wherever you are.

      1. General Turdgeson

        Re: "Such a ban would need to be universal"

        You're not wrong. Dry up the well and they will go away.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Such a ban would need to be universal"

        Better yet, put a tax on it.

        Throwing one guy in jail that acted on behalf of a board of directors / shareholders isn't going to stop people paying the ransoms. It's just going to be factored in as an operational risk / cost...and because it's a business expense, it is tax deductable...therefore, if you tax the absolute living fuck out of it you remove the opportunity cost.

        As a CEO, it's not really that much of a threat to have a 2 year suspended sentence over your head after you've had your annual salary of £1m and a multi-million golden parachute.

        As usual though, outright criminalisation will hit smaller businesses and less well off CEOs harder than the big boys.

        The solution is to whack the shareholders, execs etc in the bollocks. Pay a ransom? No salary for you for X months and shareholders get no divvy at the end of the financial year. All of this seized capital gets poured into a new cybersecurity plan, with the funds held by an external third party and released upon request only for the purpose that it has been seized for, that is reviewed monthly for at least a year to ensure it is implemented...the reviews don't stop until a minimum standard is reached. Payouts don't begin again until a minimum standard has been reached and all the seized capital is spent.

        If you give the shareholders, board members and execs sore balls for an extended period, they will take notice.

        If you jail people, they will pay out "golden parachutes" and call it a sabbatical. Money that should be spent on fortifying cybersecurity measures goes to the lawyers defending some wanker in court trying to get his sentence down / thrown out.

        1. Doctor Syntax Silver badge

          Re: "Such a ban would need to be universal"

          No suspended sentences for the CEO. Actual jail time. And why should the CEO be doing it on behalf of the directors. The directors can share the cell. As to shareholders - just whose money do you think is being used to pay ransoms? It's the shareholders. And as far too many seem to forget the shareholders are ultimately the holders of pensions, private and corporate, and of life insurance policies etc. They're you and me. We are the victims in these crimes.

          And don't lose track of the fact that the object isn't really to strengthen the corporate defences although that would be a useful side effect, nor to punish CEOs or boards for being hit. It's to cut off ransomware by stopping it being worthwhile for the perpetrators.

    2. elsergiovolador Silver badge

      Re: "Such a ban would need to be universal"

      They don't have to solely target the countries that don't have the ban.

      Surely business can set up a subsidiary (or set up different structure that creates sufficient legal separation) in the country that doesn't ban ransom payments. Call it security division or something and it will be up to them how to deal with ransomware. If all other avenues, but to pay up are not viable, then they will pay.

      What is going to do, it will hurt SMEs that can't setup anything like this.

      1. Lurko

        Re: "Such a ban would need to be universal"

        Surely business can set up a subsidiary (or set up different structure that creates sufficient legal separation) in the country that doesn't ban ransom payments. Call it security division or something and it will be up to them how to deal with ransomware.

        Nope, easily dealt with - many Western countries ban companies from paying bribes in foreign countries. The UK Bribery Act 2010* for example has extra-terratorial reach, meaning that any company with a UK presence is in scope, the bribery doesn't need to take place on or from UK soil, and in addition to the offence of paying bribes, it is an offence for a director or officer to consent to bribery or know about it and fail to act ("connivance"), as is failure to prevent bribery by associated persons on the company's behalf.

        So it would be very easy to put in place a ransom ban that UK companies (and any company with business in the UK) cannot pay ransoms anywhere without breaking UK law, nor can they allow ransoms to be paid on their behalf. If done in the same way as the Bribery Act, it would also have the interesting dimension of making (eg) US companies with a UK presence whose US operations paid a ransom guilty of a UK offence.

        *See Pinsent Mason's excellent coverage if you're interested:

        https://www.pinsentmasons.com/out-law/guides/the-uk-bribery-act-2010-principles-offences-and-penalties

        1. Doctor Syntax Silver badge

          Re: "Such a ban would need to be universal"

          And just bolt on an extra year or two jail time for trying it on.

        2. elsergiovolador Silver badge

          Re: "Such a ban would need to be universal"

          The UK Bribery Act is a dead law. Corruption in the UK is essentially legal.

          If done in the same way as the Bribery Act, it would also have the interesting dimension of making (eg) US companies with a UK presence whose US operations paid a ransom guilty of a UK offence.

          ...and then you woke up.

          Pipe dream, my friend. These bans will be easy to get around by big corporations. Not so much by SMEs.

      2. Martin M

        Re: "Such a ban would need to be universal"

        “Surely business can set up a subsidiary (or set up different structure that creates sufficient legal separation) in the country that doesn't ban ransom payments”

        Except that sounds quite a lot like money laundering to me. Not sure I’d want to risk establishing the legal precedent if I were an exec accustomed to staying away from home in rather better rooms than a cell.

        1. elsergiovolador Silver badge

          Re: "Such a ban would need to be universal"

          To you it can sound however you want. But for big business it will sound however the brown envelopes want it to sound.

          1. doublelayer Silver badge

            Re: "Such a ban would need to be universal"

            If you want the logic to say that big business can do whatever it wants because it has ultimate power over everything, then let's just accept that. It's wrong and self-defeating, but we don't even have to argue about that to resolve this question. If the biggest businesses are beyond our ability to control them, then we still have the power to influence what everyone else can do, and that power is still big. So, whether we are powerless or not to regulate the actions of the largest companies (we are not), we can still make an impact by regulating what smaller ones and government-controlled entities as mentioned in the article, can do.

    3. DS999 Silver badge

      Re: "Such a ban would need to be universal"

      As long as the major economies all agree and hold to a ban with no exceptions the ransomware industry would disappear. The profitability just needs to be reduced to the point where the exploits being used can be more effectively monetized in a different way. Perhaps by selling the exploits they find, ideally to tech companies for bug bounties but realistically scumbags like NSO Group would outbid Apple/Google. That's not great but it is way better than hospitals being held for ransom.

    4. Andy Tunnah

      Re: "Such a ban would need to be universal"

      The UN has no legal jurisdiction.

  4. Anonymous Coward
    IT Angle

    The best defense is to avoid becoming a victim ö

    Secure your networks now .. Implement all those basic hygiene measures .. use strong passwords and data encryption, implement zero-trust access, network segmentation and multi-factor authentication, install software updates and backup regularly.

    Your average business doesn't have the time, money or expertise to implement such a thing. The computers are used as they came, fresh out of the box.

    1. depicus

      Re: The best defense is to avoid becoming a victim ö

      Then if they go out of business tough luck, serves them right, and the companies that do have DR plans can and will survive. None of this is rocket science to defence and mitigate against and for a lot of companies that's my data they are playing fast and loose with so if they have no IT plans then be it on their own head.

    2. elsergiovolador Silver badge

      Re: The best defense is to avoid becoming a victim ö

      Your average business doesn't have the time, money or expertise to implement such a thing.

      Especially when they have starving shareholders to feed. It's really a tough choice - buy another yacht or hire a competent security team.

    3. Doctor Syntax Silver badge

      Re: The best defense is to avoid becoming a victim ö

      "The computers are used as they came, fresh out of the box."

      Then the quality of what come out of the box will need to be better. Not that that helps too much as the knob controls the monitor will still be a weak link

    4. Gene Cash Silver badge

      Re: The best defense is to avoid becoming a victim ö

      > Your average business doesn't have the time, money or expertise to implement such a thing

      Bull. Shit. Securing your computers on the internet in this day and age is no different than knowing how to drive your delivery van.

      If you can't drive your van, hire someone to do it. If you can't afford gas/maintenance/licensing, then you shouldn't be in business.

      "Can't be arsed" is not a valid defense.

      It's no different than putting your cash in a safe or the bank at the end of the day. If you don't, do you really expect people to cry tears when someone takes it?

    5. ChoHag Silver badge

      Re: The best defense is to avoid becoming a victim ö

      The time and money will be spent. The question is only who it will be spent with.

  5. AndrueC Silver badge
    Stop

    Rubbish. It's like all ransoms - if no-one paid no-one would bother. Every time a ransom is paid it's encouraging the perpetrators to continue.

    1. Richard 12 Silver badge
      Headmaster

      Paying ransoms only ever made sense in actual war, as it encourages the enemy to attempt to keep captured knights relatively safe instead of simply killing them.

      Eventually people started to realise that enlightened self-interest requires you to keep captives safe so the other side keeps your captured soldiers safe, and ransoms became obsolete - replaced by captive exchanges.

  6. druck Silver badge

    Dont ban paying ransoms, ban Crypto

    Companies should be able to pay ransoms, but crypto currencies should be illegal. The company can leave $20m in used bills in a suitcase under a bridge on the interstate, and the ransomware criminals can come over from Russia (other shitholes exist) and collect it - lets just see how well that works out for them.

    1. elsergiovolador Silver badge

      Re: Dont ban paying ransoms, ban Crypto

      That's how ransomware used to work before crypto.

      This is not a new thing.

      US company hit by ransomware would have to send a guy to Germany and make them leave cash somewhere under a certain bin close to a certain bridge in some small town. Then they would get a letter in the post where to pick up the password to unlock. The letter would be sent from France if the guy who picked up the money got to their safe house undisturbed. The password would be written using permanent marker at a bus stop in a village in Moldova.

    2. djnapkin

      Re: Dont ban paying ransoms, ban Crypto

      Much as I hate the waste incurred and so many other things about crypto, banning it won't stop ransomware.

      If anonymity was critical, the gangs would be demanding payment in Monero, which is effectively untraceable.

      Yet they quite happily ask for Bitcoin which is quite traceable.

      If you're in Russia or a part of the CCP, you're untouchable.

      1. druck Silver badge

        Re: Dont ban paying ransoms, ban Crypto

        But that's the point, they would have to leave Russia or Moldova to collect, or spend a considerable amount setting up an international money laundering operation similar to that used by the drugs trade, which is beyond your average ransomware affiliate operator.

  7. JimC

    Another approach

    Might be to consider an attack on critical infrastructure a national emergency, and have government level resources to help for organisations to recover. Given sufficient resources recovery from ransomware attacks in a reasonable space of time ought not be too difficult, but of course your average hospital, power company, whatever hasn't got any such capability, nor the money to buy iit in. Maybe there should be recovery capability at national level. We consider police and defence to be national priorities to be funded out of taxation, is it time to consider whether ransomware recovery should be similarly funded?

    1. Anonymous Coward
      Anonymous Coward

      Oh yes

      I operate critical infrastructure for the UK

      But I didn't secure my network and i got completely pwned :'( and my customers' data is all over the internets

      Give me some taxpayer's dosh. I surely won't just pocket it!

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh yes

        So the trick is not to give the victims money to "spend on recovery", but to provide the experts to help them do it. The victim never gets a penny, but they do get some help out of the hole they've dug.

        Each use of such assistance would be documented in a very thorough, very public report. If their security was in good shape, but got hit with an actually-sophisticated attack, that'll show in the report. If the report says "a 12-year-old could have hacked this company", the share price will reflect it.

    2. Flocke Kroes Silver badge

      Re: Cutting corners

      Every possible corner that can be cut comes with the excuse "I have to or my prices go up compared to my competitors".

      This is why we have regulations: competitors cannot cut the corners either.

      This is why we have import taxes: If a foreign competitor can legally cut a corner then they lose the advantage to import taxes.

      1. Martin M

        Re: Cutting corners

        The cost of (forced) assistance should be recovered by issuing equity at the valuation the company would otherwise attract at that point in time (e.g. likely near zero). Shareholders get soaked, but not as badly as if they company had collapsed, and the taxpayer often makes a healthy profit. Exec options go to zero.

        Cyber insurance - now that’s an area fraught with moral hazard.

  8. CountCadaver Silver badge
    Mushroom

    class ransomware as a weapon of mass destruction?

    I wonder how keen the russian/north Korean/iranian govt would be to accommodate this crap if us govt made it very very clear that they would class any ransomware attacks from then on as "use of a weapon of mass destruction" no different to a chemical, biological or nuclear weapon - as in making the culprit state eligible for retaliation up to and including a.nuclear response....make it clear it's no idle threat and see who is brave or stupid enough to try and test the theory....

    The "warning shot" in terms of Russia might be a) giving the Ukrainians anything military they want b) levelling the kirch bridge - like literally destroy the thing so none of it is left c) create a new artificial reef by sending the black sea fleet to Davy Jones locker

    With the accompanying message - next country who wants to test this theory gets their capital turned into a radioactive parking lot

    1. Flocke Kroes Silver badge

      Re: class ransomware as a weapon of mass destruction?

      I like the idea but attribution is hard. On top of that, if I am pissed off with a country I could take a holiday there to target US critical infrastructure.

      1. ChoHag Silver badge
        Joke

        Re: class ransomware as a weapon of mass destruction?

        There's no precedent that the US would overreact with force against a rumour of a report that someone called their mum a rude word.

        For our friends of Uncle Sam -->

    2. Pascal Monett Silver badge
      Stop

      Re: class ransomware as a weapon of mass destruction?

      "make it clear it's no idle threat"

      Oh great. How do you do that ? You nuke North Korea to show that you're serious ?

      Please.

      Nobody is nuking anyone. It's bad, whatever the reason.

      Keep nukes out of this, the waters are muddy enough as is.

    3. doublelayer Silver badge

      Re: class ransomware as a weapon of mass destruction?

      Sure, that will work great.

      US: Excuse me Mr. Putin, but we detected some criminals operating from your country infecting hospitals with ransomware. We have a small missile pointed at Moscow and another one targeted at Volgograd, where we're pretty sure these guys are. We're about to kill two million of your citizens. What do you say?

      Putin: One moment please.

      ...

      Putin: I have thirty missiles ready to fire at thirty of your cities. I will kill fifteen million of your citizens. What do you say?

      US: I have a hundred missiles. Thirty million citizens.

      Putin: Five hundred missiles. Too many citizens to count.

      US: Most of the missiles. Your country will not exist.

      Putin: All our missiles. Your country and those of your allies won't exist.

      The concept of mutually assured destruction is not new. You would do well to learn it.

      1. Casca Silver badge

        Re: class ransomware as a weapon of mass destruction?

        lmao, like putler have any missiles that actually work...

        1. doublelayer Silver badge

          Re: class ransomware as a weapon of mass destruction?

          Do you want that tested over your house? Are you really planning your international policy on Russia being unwilling or unable to maintain some nuclear weapons to back up the frequent threats, weapons they already had? I'm sure the Russian arsenal is less modern and well-maintained than the American or British ones, but an old nuclear weapon can still kill a lot of people. The reason that nuclear powers usually have a strong line against any use of nuclear weapons is that even one detonation can be catastrophic. Unless you seriously believe that Russia somehow managed to break every nuclear weapon they've ever had, you need to take their ability to use them into account when planning actions against them, which means that nuking them yourself is a really risky thing to do.

          But let's assume it's not Russia. It's the People's Republic of Alphia which doesn't have any nuclear weapons. They can't get any meaningful revenge if you decide to attack them. Are you satisfied dropping a nuclear weapon on them when criminals operate from them and they don't do something about it? That will result in thousands to millions of innocent Alphians who didn't do that dying. It will probably cause people in Alphia's neighbors to die as well. It will certainly cause complete chaos in the region. It will likely cause a lot of Alphians to hate your country, so expect some Alphian terrorist movements trying to make you pay. Is that something you're comfortable doing, both from a moral and a pragmatic point of view?

  9. HuBo
    Black Helicopters

    SAVAK's Ghorbanifar

    It's generally best to keep all options on the table (open) in my mind, as solidly argued in this article. Ollie North's scheme to funnel some (excess) ransom funds to a friendly (to conservatives) rebel group, on advice of a double-agent, would be an example of where such payments were deemed useful by a major government, in the past. I could imagine similarly complex utility for more liberal governments as well, in some multifaceted strategic engagement that needs to remain hush-hush.

  10. Paul Hovnanian Silver badge

    Attack the toolchain

    Most of the ransomware gangs don't actually write their own software. They buy or even rent it (for a slice of the take) from developers offering it on the dark web. First, go after the developers. It'll take the FBI/GCHQ some time to establish a reputation for their operations. But take down the ransomware code. Second, write some of your own. With a few holes and watermarks in it. Surely the NSA has some encryption software that they can contribute which is back-doored. Giving victim organizations an easy "recover" button. And if even a rumor leaks out that _some_ of these packages will rat out the using gangs, that might slow it's distribution down considerably. Kind of a modern day Project Eldest Son.

    1. General Turdgeson

      Re: Attack the toolchain

      The FBI has done something like that already. They made a "super private" communications app released it on the dark web, in reality it was pure spyware, They've used it already to make some arrests.

      1. Doctor Syntax Silver badge

        Re: Attack the toolchain

        Then some local prosecutor shoots his mouth off to the press for a bit of self-publicity pulling the rug out from under the whole scheme. Or somebody who was appointed to a job that should have had better vetting tips off her boy-friends criminal mates.

        1. Paul Hovnanian Silver badge

          Re: Attack the toolchain

          "Then some local prosecutor shoots his mouth off to the press"

          That could work too. FBI creates a legend for a ransomware group. Big news when they hit some hospital or other victim. A few months later, a big deal is made when the SWAT team takes them down and the survivors are seen tossed in prison for long terms (all fake of course). Then it's leaked on the dark net that they used the tool set written by DevX (a real ransomware developer). Which turned out to be full of back doors and telemetry to law enforcement.

          Prosecutor, FBI and others are all heros. "Victim" was really in on it and lost nothing. DevX reputation is ruined and perhaps a few other customers decide to take care of the rats. Job done.

          The problem with law enforcement is that they always think in terms of building valid cases. Intelligence/counterintelligence agencies are often happy if they can shut a hostile operation down. Even if it means the bad guys do each other in before a court case is ever built.

          1. ChoHag Silver badge

            Re: Attack the toolchain

            The problem with law enforcement is that the way they do their enforcing is dictated by the law?

            I don't have a problem with that.

  11. Apprentice Human

    WTF

    All the comments seem to base on implantation issues, and sometimes mention the moral imperative.

    Just on a moral standpoint nobody should pay. Should you pay the bully in school?

  12. Anonymous Coward
    Anonymous Coward

    Security, they’ve heard of it

    But too few are prepared for it’s true cost.

    1. Flocke Kroes Silver badge

      Re: Security, they’ve heard of it

      I think there is a (false) perception that paying a ransom every month is cheaper than being one step more secure than the next guy.

  13. Pascal Monett Silver badge
    Thumb Down

    "Such a ban would need to be universal"

    No, it wouldn't. And there is no reason to not do the right thing simply because your neighbor won't do it when you do.

    That level of reasoning means that it's useless to implement electric cars, since not every country is doing it. It means that it is useless to promote renewable energy sources since some countries are not.

    Not an excuse. Banning the payment of ransomware means that countries that don't will be targeted. Their problem, and they'll get around to a ban when they see how effective it is.

    Not a reason to not do it.

  14. Anonymous Coward
    Anonymous Coward

    While I tend to agree that payments shouldn't be made, I'm not sure it would stop these activities. I expect there are plenty of opportunities to make money by infiltrating large companies' systems - we already know about selling stolen information but how about betting on share price movements once you have access and are about to wreak havoc? If ransomware can cause $100m damage to MGM Casinos, plus whatever reputational damage then I would think there's money to be made knowing that's coming.

    1. Doctor Syntax Silver badge

      That requires serious money upfront to make the bet with a possible risk of a loss if it doesn't work out.

      1. M.V. Lipvig Silver badge

        You don't understand the criminal mind. What's important to them is what they get, not whether it was cost effective or even any sort of x/y ratio.

        - Ransomware Attackers Cost $Corp Umpteen Million Monetary Unit!

        - Cool, I made 50 whatevers! Beer's on me this weekend!

    2. doublelayer Silver badge

      It won't destroy cybercrime, but it would weaken it. Anyone could have set up an insider trading scheme based on causing sabotage any time in the past. However, it's much more difficult to implement correctly. You may not know, for example, how much damage your sabotage will do or when it will become known. If your attack occurs in July but they don't announce financial results until September, you don't know how bad it will look then and there's a chance your trading either fails or, more likely, produces a really tiny profit for a carefully-planned attack. If we could destroy ransomware entirely and only be left with things like that, that would be an improvement. I won't pretend that banning payment of ransoms would completely kill ransomware, as I'm sure there would still be some people willing to circumvent the ban rather than incur the consequences, but it would be helpful.

      1. Anonymous Coward
        Anonymous Coward

        Unfortunately some companies are engaged in a sorta-legal version of that very thing. For instance, Gotham City Research's business model is to prepare a report about how bad a company is, short that company's stock, then release the report. Never mind that often the report contents are untrue or highly exaggerated; a one-day drop in the stock price means they make enough profit to target some other company. (How this isn't considered illegal market manipulation is beyond me, but it typically isn't.)

  15. Anonymous Coward
    Anonymous Coward

    How about a bounty?

    Maybe I've missed it, but why not simply have bounties for the turning in and conviction of any ransomware operators?

    1. General Turdgeson

      Re: How about a bounty?

      Sounds good! You're gonna front the cash for the bounties?

    2. doublelayer Silver badge

      Re: How about a bounty?

      They do that. For example, from this paper alone:

      US offers $10m for info on DarkSide ransomware gang chiefs

      US puts a $10m bounty on Hive while Russia shuts down access

      US offers $15m for help catching Conti ransomware gang

      If you have lots of cash to spend on that, you can keep doing it. I'm not sure the rewards promised in any of those have actually been paid, and I don't know how many useful leads they got from having those programs, but it is a tool and the US, at least, has been using it on occasion.

  16. Paul 87

    Makes you wonder if we shouldn't re-assess the global nature of the Internet and remove certain countries from it entirely.

    Sure, spies and the like can try and get around this, work from other states etc. but would a country really risk being cut off by hosting such people voluntarily?

    1. doublelayer Silver badge

      It depends what you have to do to get cut off. If it's really difficult, effectively making yourself a pariah to everybody, then it won't matter. The only country that's achieved that is North Korea, and basically nothing comes from their tiny address space. All their attacks come from other countries' addresses, most of that launched from Chinese proxies (as the first link in a chain to more proxies), and some also committed by people operating from a different country already. If it's really easy to get a country blocked from the internet, what makes you so sure that the one you're in won't get blocked for some reason? Russia may have burned a lot of its bridges with European countries and close allies, but they've got plenty of links with other countries, especially including India and China. How would we ban Russia from the internet if India and China were voting on their side and could easily proxy as much traffic as they needed to. Would we try to ban those two as well for not complying with our ban? The decisions required to implement that and trying to decide who should have the power to make them is a very difficult task.

  17. Anonymous Coward
    Anonymous Coward

    Death before surrender!

    Yes, ban payments even if people are going to die as a result. In fact, blow up the hospital if it pays.

    Because that's the only law that will get the crooks to stop trying.

    It's like "mutually assured destruction" in nuclear war: you have to be credibly mad to get taken seriously. Like Putin.

  18. Anonymous Coward
    Anonymous Coward

    If the encryption of data is the result of a software exploit, regardless if a patch is available, then the owners of the shitcode should be the ones paying.

    That’s my hot take

    That’ll be Microsoft screwed then…

    1. doublelayer Silver badge

      That will result in a lot of debates about what counts as a result of. If I can find another factor, would that cancel out the "result of" part? For example, you had to enter your password, but then a software exploit allowed it to gain more control after that. Can the software writers argue that they're not at fault because nothing could have happened had you not entered the password? It will also mean debating the definition of "exploit". One that permits installation or elevation is clear enough, but those are often less common than something less clear, such as malware watching user actions and stealing credentials, which could theoretically be prevented with different system design but in practice wouldn't on any platform. If Microsoft points out that, had this been Linux, the malware would have had the same ability to conduct monitoring, who is at fault then?

      If you want to assign blame to someone, you will often find that the blame goes to a very large set of different people, often including people you don't want to see blamed.

  19. Steven Guenther

    Serious crimes deserve serious punishment

    If you mess up critical systems, and cause serious harm or death, you can get the death penalty.

    Allow for extra national rendition for these criminals. Hire Blackwater to dice them up.

    Kill a few and others will get the message. "Dyin ain't no way to make a livin"

  20. M.V. Lipvig Silver badge

    Do you know what makes more sense?

    Dedicated lines for critical infrastructure. It can't be held ransom if the cybernappers©®™ can't gain access to begin with. The internet may be convenient, but even encrypted data is not secure when it can be intercepted and accessed remotely through whatever means. Private networks on dedicated circuits is the way forward for critical infrastructure, with no public internet connections allowed.

  21. Prefect_42
    Pint

    Nuance & facts avoid this article.

    -Banning already exists for sanctioned by OFAC groups. Consequences depend upon intent, knowledge, amount, risk level of payee/RW group, etc.

    -They won't "simply pivot". LockBit, e.g., avoids mortal danger situations & requires that of their affiliates.

    -Mortal danger is because it makes it terrorism. Bans will force these groups to either minimize tactics, or become terrorists; will allow much greater inter-agency inter-govt law enf. action in pursuit.

    -2023 top groups Lockbit, ALPHV, CLOP, 8base

    -ALPHV recently upleveled promises of standard threats/extortion to young children, and any target other than law enforcement (nuclear, lifegiving care, etc). This makes them terrorists, and if nation-state backed or activated, is war crimes and consequential within international government groups of G7, G20, etc.

    -The Exceptions will be needed: and will fall under required LE support. Also, any "simply pivoted to" industry will have already been more shored up, as once banned, we'll know they're the targets, and will have more enacted support and resources to threat surfaces.

    -Deferred Damages: Ransoms exist mostly as companies minimally secure data. They have a responsibility in all this. KNOWING they cannot pay will force their hand to make an effort. A significant majority of hacks are just pathetic cybersecurity; the company isn't harmed, the humans whose data is stolen are harmed.

    This article is badly informed, reactive opinion, an F minus.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like