
Email your congressman/woman: Paying extortion fees to cybercriminals should be illegal - and severely so. With the stroke of a pen, a law making the practice illegal would immediately allow every institution and corporation in America to say, "We cannot pay your fee no matter how hard you press us, as we would face jail time if we did so."

Would gangs still try to extort people? Of course. But large institutions would no longer be a target, because their internal controls would prevent the payment of extortion fees. Small organizations might still pay fees, but the potential take for gangs would be reduced remarkably.




I think this is an interesting direction, but I wonder whether there is a successful precedent for something like this? Perhaps some government somewhere in the world has already tried this? And if not for hacking, data theft/encryption, maybe there are analogues like (and this is a stretch) large organizations that have managed to continue operating in regions where kidnapping for ransom is common?


There's quite a lot of literature on the US and UK's no-concessions policies on kidnapping. Here's one example [1]. A few quotes:

> Despite the U.S. no-concessions policy, U.S. citizens continue to top the list of nationalities kidnapped by terrorists. This may be explained by the prominent role and perceived influence of the United States and the ubiquity of U.S. citizens around the world. Nationals of the United Kingdom, which also has a no-concessions policy, are second on the list.

> While a no-concessions policy may not deter kidnappings, it may affect the treatment of hostages in captivity and determine their ultimate fate. According to a 2015 study published by West Point, Americans held hostage by jihadist groups are nearly four times as likely to be murdered as other Western hostages (Loertscher and Milton, 2015). The no-concessions policy may be only part of the reason. Another factor would be the jihadists’ intense hostility toward the United States.

> While the U.S. no-concessions policy has not deterred kidnappings, there is some evidence that political concessions and ransom payments appear to encourage further kidnappings and escalating demands.

> And although it did not produce any demonstrable decline in kidnappings of U.S. citizens, a 2016 study published in the European Journal of Political Economy argues that, without the no-concessions policy, there would have been even more kidnappings of U.S. nationals (Brandt, George, and Sandler, 2016).

[1] https://www.rand.org/content/dam/rand/pubs/perspectives/PE20...

My take: Arguably, part of the reason the policy has not been successful in preventing kidnappings is that most of Europe does pay ransoms, and Europeans versus Americans are not always easily distinguishable. Even if the policy hasn't directly stopped kidnappings, it probably has stopped them indirectly, by avoiding funding kidnapping organizations. Europe has spent hundreds of millions of dollars in ransoms to terrorist organizations, and Qatar allegedly paid close to a billion dollars in ransom. This has to fund further efforts.


Additional literature on the topic [0]. The finding is that any payment at all is sufficient for the operation to continue. This makes sense for ransomware as well, since the marginal cost of hacking additional targets is effectively zero.

The major ransomware operations are targeted and the hackers do research the victims. They use spear phishing, so they need to know their victim. Unless the ban is universal and consistent so that hackers can modify their behaviour before they hack a target, there is no point in doing it. The US Treasury announcement about not paying ransoms is just such a pointless, terrible idea.

[0] https://rusi.org/publication/occasional-papers/closing-gap-a...


The problem is the intermediate timeline ... maybe some time window to limit the amount and then lower it slowly. This way the momentum from existing malware doesn't hurt one specific university or group.


This forces the victim to be even more desperate, and desperate people (and institutions) will do desperate things.

Irrespective of laws, what does the extortionist have to lose? There's always a chance the victim will pay up under the table.


If the chance is sufficiently low then the practice becomes unprofitable.


Costs are zero. The ransomware platform runs as a server somewhere, and whether they get one ransom payment or 1000 their costs are the same. The gangs that do the hacking operate on commission, they attempt to phish multiple targets (hundreds, more?) at a time. Again, the cost of one payment is sufficient to justify the entire endeavour.

As long as even one victim will pay, then there is no incentive to stop hacking.

This dynamic is covered in the literature on K&R. https://rusi.org/publication/occasional-papers/closing-gap-a...


Costs are low but not zero. If they were zero then all exploitable ransomware opportunities would already have been exploited. When vulnerabilities are discovered the researchers have the option to publish for reputation, disclose for bounty, or market the vulnerability to criminals or intelligence organizations. If vulnerabilities are sufficiently hard to monetize for criminals then they'll be more likely to get routed somewhere else.


“We do not negotiate with terrorists” sounds like a great line but isn’t always practical in reality. If many people’s lives were on the line because of this hack, it would be difficult to justify not paying the fairly small ransom.


If they were terrorists sanctioned by the US government, it is already illegal.


Does the US government not exchange hostages with terrorists?


All they would do is hire a company to "decrypt" who just pays the ransom on the client's behalf.



