> Given that we can't eradicate this kind of crime entirely by improving security, I think ransomware is the least bad option in the sense that it punishes the offending company while minimizing the risk of the data being leaked which would hurt the data subjects themselves (the public).

There is nothing to guarantee that attackers will destroy the data and not further exploit it even if you pay them. Improved security isn't going to fix the problem, but we can make it less profitable and make that profit more difficult. If our policy is to pay we're just making it highly profitable with very little effort on the part of the attackers. If we refuse to pay, they will have to pore over our data looking for what may or may not be valuable to anyone, spend time searching for those people who might pay them for it, and then spend time convincing them to pay enough to justify their time/efforts.

We should be refusing to pay and making sure we've got backups of our own stuff so that we'll never have to.

> There is nothing to guarantee that attackers will destroy the data and not further exploit it even if you pay them

Their business model relies on them being honest. If they don't follow through on their promise of destroying the data they'll kill the ransomware market entirely. So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.
> Their business model relies on them being honest.

Truthful at least, "honest" isn't a word I'd use for these types.

> So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.

The point is that you wouldn't. They can't publish the data or publicize its sale, but (if they were willing to invest the time) they could still sell it privately, or use it themselves to further attack/exploit you without you ever being able to trace anything back to them directly. They could wait months or years if they wanted and still find value in it (bait for use in spear-phishing for example).
