entuno 5 hours ago

It's one of those ideas that sounds nice in theory, but doesn't survive contact with the real world. In the same way that many people would say that you shouldn't negotiate with terrorists or kidnappers; but if it's their loved one who's being held and tortured they'll very quickly change their mind.

Getting to a world where no one pays ransoms and the ransomware groups give up and go away would be the ideal, and we'd all love to get there. But outlawing paying ransoms basically means sacrificing everyone who gets ransomwared in the meantime, until we get to that state, for the greater good.

And where companies get hit, they'll try hard to find ways around that, because the alternative may well be shutting down the business. But if something like a hospital gets hit, are governments really going to be able to stand behind the "you can't pay a ransom" policy when that could directly lead to deaths?

naniwaduni 2 hours ago

If you make it expensive enough to pay ransoms outright, throwing money at security starts looking more appealing.

A ban on paying ransoms isn't the right tool for this. Fine them, punitively, with a portion set aside to incentivize whistleblowing.

entuno an hour ago

Financial costs won't solve the problem for companies, because they're hard to enforce. You'd be weighing up the cost of dealing with the fallout of getting hacked against the cost of paying the ransom and the chance that you might get caught and fined. If that former cost is existential for the business, then it'd always be worth paying and taking the risk.

The only real way around that would be personal consequences for the owners/directors of the company - "get caught paying a ransom and the whole board goes to jail" would certainly discourage people. And also provide a wonderful opportunity for blackmail when people did.

Not to mention all the problems of fining public sector organisations, and how counter-productive that usually is.

nradov 3 hours ago

That's fine, those are acceptable casualties. Make paying any sort of ransom a criminal offense.

itishappy an hour ago

Sounds impossible to enforce.

The penalty for not paying is often catastrophic. The penalty for paying will have to be similarly impactful.

nradov an hour ago

Right, make the penalty for paying a ransom catastrophic. Very few employees will risk a criminal conviction and years in federal prison just to protect their employer.

HeWhoLurksLate an hour ago

It's all fun and games until it's your livelihood at stake, and then it makes a lot more sense to acquiesce, lick your wounds, and keep your business alive.

Getting hacked is no fun, but companies don't deserve to die because something in their tech stack was vulnerable.

nradov 44 minutes ago

Nah, those companies deserve to die. Let them fail. Creative destruction.

HeWhoLurksLate 13 minutes ago

I respectfully disagree - I do agree that the natural financial death of a company probably shouldn't result in bailouts, but if I as a company get breached because my fully-updated, follows-best-practices Windows Domain got hacked because of a vulnerability in Microsoft's stuff? That's hardly fair.

Shouldn't I be able to sue Microsoft for financial relief?

qzw 2 hours ago

You know what's an even more acceptable casualty that would greatly reduce ransomware? Cryptocurrencies.