Building my own PC recently after a decade on Linux/macOS made me realize how much more susceptible to ransomware PC users are at a PC cultural level.

Literally every program I saw recommended when setting up my environment was available from download sites like FileHippo and Softpedia. Here's the second download link for "AutoHotkey" on google: https://autohotkey.en.uptodown.com/windows - wtf is uptodown? They even train you to get used to that classic subdomain spam that malicious websites use. Another example were various driver tweaks/hacks or anything else a gamer or power user might want to do. Always from a shady mirror website that trains you to run .exes from any website that shows up in search.

It was a breath of fresh air to get WSL + Debian up and running on Windows so I could rely on apt-get.

The Microsoft Store is surprisingly bad, not having anything you're looking for, but plenty of apps that claim to be that thing or would confuse people who don't know any better.

Normal users are really being let down from a security standpoint in computing, in general.

macOS has similar issues with websites like macupdate.com, but it's slightly farther along with its much more compelling app store library. My girlfriend is a UX professional and the only few apps she uses outside of the app store are Chrome and Sketch. It definitely feels like this approach is moving in the right direction that can satisfy most people and power users as well.

And for completeness, I would think a GUI over linux repos like Synaptic is also nice for normal users. I have one not-so-technical friend on Linux Mint where I saw them using whichever GUI to grab packages.
There's an interesting take on this from Grugq:

https://gru.gq/2020/10/18/ransomware-prohibition/

"The current situation, where there is no criminalisation of payment has created a market place where a number of companies working with insurers are handling the vast majority of ransomware incidents. There are crisis responders who help the companies recover, who arrange a minimal payment, and who get paid by the insurers. This is market governance and it keeps the prices down because there is a sort of gentlemen's agreement between the gangs and the payment companies. Also, the lack of prohibition means these companies operate in the open and they can share information about pricing etc internally and with each other. (Transparency)

The status quo is not the ideal world, but it is far better than the nightmare of ineffective partial prohibition."
This is utterly ridiculous.

This will have the effect of reducing the number of cases of ransomware that law enforcement sees. Not by actually reducing the cases, but instead by making it untenable for a victim to notify law enforcement.

<rant>This is unfettered metric fetishization -- the idea that a problem can be quantified as a metric and when the metric is reduced the problem is reduced. The map is not the territory, you can't just look for your keys where the light is good, the bed of Procrustes, etc. Or maybe it has nothing to do with this and is just a well-intentioned but stupid idea.</rant>
That means, for many victims, that that's it, game over, you go out of business. A lot of ransom money is paid because often as not it is very hard and expensive to ensure not only that a business can recover from such an attack, but also on a timeframe and at a cost that doesn't by itself break it, so a great many can't unless it gets detected and stopped very early. Lots of businesses will pay regardless of a ban and eat the fine, or try to pay clandestinely, diverting resources law enforcement should be using to catch the perpetrators. Not sure this is worth a bit more pressure to catch criminals that probably won't get caught anyway.
The logic here is if there's a big risk to victims from paying they won't pay, and if 99% of victims won't pay, attackers won't attack.

It seems to me that logic only works when attacks are expensive. With something like kidnapping, you couldn't possibly kidnap 1000 people in the hopes of getting a single $10,000 ransom payment.

But with malware, where launching an attack costs almost nothing? Attacks could still be profitable even if only 1 in 1000 victims pay up.
The US needs to release and update a list of criminal bitcoin accounts. Any bitcoin coming from these accounts should be poisonous and any account ever receiving coins tracked back to that account should be fined plus repay the bitcoin value (receiving stolen property).

The scammers can hide, but their bitcoin money can be tracked forever and interacting with the real world in significant sums requires giving up anonymity. It seems very easy for wallets to access a database and alert their user that they're about to purchase tainted bitcoins.
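The "tracked forever" idea in the comment above is a graph walk over the transaction ledger: start from a denylist of addresses, follow every outgoing transfer, and flag each address reached. The following is an added example, not code from the commenter or from any real wallet or analysis tool; the ledger, the address names and the denylist are constructed for illustration and the ledger is simplified to one sender and one receiver per transaction.

```python
from collections import defaultdict, deque

# Constructed sample ledger (hypothetical, not real transactions):
# (txid, sender_address, receiver_address, amount)
LEDGER = [
    ("tx1", "ransom_wallet", "mixer_a", 5.0),
    ("tx2", "mixer_a", "exchange_deposit_1", 2.0),
    ("tx3", "clean_payer", "merchant", 1.0),
    ("tx4", "mixer_a", "merchant", 0.5),
    ("tx5", "exchange_deposit_1", "cashout", 1.5),
]

# Constructed denylist standing in for the published list the comment proposes.
DENYLIST = {"ransom_wallet"}


def build_graph(ledger):
    """Map each sender address to its outgoing (receiver, txid) edges."""
    graph = defaultdict(list)
    for txid, sender, receiver, _amount in ledger:
        graph[sender].append((receiver, txid))
    return graph


def tainted_addresses(ledger, denylist):
    """Breadth-first walk from every denylisted address.

    Returns {address: hops}, where hops is the number of transfers between the
    nearest denylisted address and this one (0 for the denylisted addresses).
    """
    graph = build_graph(ledger)
    hops = {addr: 0 for addr in denylist}
    queue = deque(denylist)
    while queue:
        current = queue.popleft()
        for receiver, _txid in graph.get(current, []):
            if receiver not in hops:          # first visit is the shortest path
                hops[receiver] = hops[current] + 1
                queue.append(receiver)
    return hops


def tainted_inputs(address, ledger, denylist):
    """The wallet-side check: txids paying `address` whose sender is tainted."""
    hops = tainted_addresses(ledger, denylist)
    return [
        txid
        for txid, sender, receiver, _amount in ledger
        if receiver == address and sender in hops
    ]


if __name__ == "__main__":
    for addr, distance in sorted(tainted_addresses(LEDGER, DENYLIST).items()):
        print(f"{addr}: {distance} hop(s) from denylist")
    print("tainted payments into merchant:", tainted_inputs("merchant", LEDGER, DENYLIST))
```

Two properties of the walk are worth noticing when judging the proposal. It is address-level, so `merchant` is flagged even though only a small fraction of what it received (tx4) traces back to the denylist, while the payment from `clean_payer` (tx3) is untouched; a real screening tool would need amount-weighted taint or a hop limit to avoid over-flagging. And it follows only on-chain transfers, so anything that breaks the link between sender and receiver off-chain or through a privacy-preserving system is outside what this kind of list can see.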
Out of curiosity, how is paying ransomware all that much different from handing a mugger your money? And is it also illegal to pay kidnappers? Honest question.
So, now, not only would law enforcement struggle at catching the criminal asking for ransom, they would additionally struggle to enforce the law on the victims.
I will probably take some heat for this response but as a Canadian here is how I see this happening. My computer gets hacked. I am a low level target so the ransomware asks me for something trivial like $1000. Now I have a couple choices. Not pay and not break the law, or pay and break the law but get back all my baby pictures. I am going to pay and take the consequences. In Canada we had a guy literally decapitate another man and then cannibalize the body. He did 7 years. We don't jail people for things like paying ransom and if we did we slap people on the wrist. This law will have no teeth for some because we watch the revolving door court system where all criminals are given a slap on the wrist. It is only repeat offenders getting anything other than probation. So at worst I would risk a fine or probation. I live in Canada though so we don't bend over backwards to screw people so my fine would be insignificant compared to the loss of all my baby pictures. Even if the punishment was $5000 I would still be leaning towards paying to get those baby pictures I haven't backed up. If the punishment was a week in jail again I am still going to pay; we have really nice jails with all sorts of rights when you get there. I guess my point is we need a better way than telling victims they can't pay. Thankfully I have backed up my pictures and don't worry about this scenario currently.
The Treasury department did NOT outlaw ransom payments. They clarified what was already illegal: payments to sanctioned entities are illegal.

How this author extrapolates this to "let's put the victim of any kidnap/ransom through hell" is beyond me.
I would think that for less than 400k in ransom payment, the perpetrators of the attack (and anyone complicit) could be located and permanently removed. That might deter future attackers, unless of course these are government sponsored attacks.
Strange that it is legal currently in the first place. You are basically financing a criminal group. In normal cases that's clearly illegal.

How do you even book it in your accounting and taxes? Do the criminals give you an invoice?
I agree with this. When you give a company gross profit (price higher than what it took them to get you the product) you are *literally* paying for them to spend some of that on getting their next customer.

Anyone who is paying a ransom is *literally* paying a ransomer to do that to someone else. Not in a metaphorical sense. You are literally transferring the ransomer money which the ransomer will literally use to finance the next ransom. They will pay out of pocket for the person doing the next ransom to go and do it. It should be totally illegal to finance this.
Banning ransom payments outright would eliminate the possibility of investigating by blockchain analysis.

Implementing a maximum legal payment amount and mandating that all ransomware payments' TXIDs be reported to law enforcement would be a reasonable compromise in my opinion.
The key here is that you will not be able to use ‘security insurance’ money to pay for ransom. What is happening now is that companies are saying: we do not need backup, let’s just have security insurance (and some minimal backup so that insurance is valid).
Paying anyone on the OFAC list was already illegal. It should be largely impossible to tell if a ransomware operator is on the OFAC list or not.

Stop using surveillance coins.

You can send a tornado.cash note to the operator.

You can send Monero.

These are solved problems.
I've had the idea floating around my head for a while that instead of banning the payment, they should tax them.
If you start putting a 500% levy on any business paying a ransom, the whole concept becomes a lot less profitable, because, assuming attackers are not settling for 5x less than what they think businesses would really pay, they'll have to slash the ransoms.
And the government gets a nice funding pot to try and fight them.