科技回声
A technology news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

Companies may be punished for paying ransoms to sanctioned hackers

287 points, by ryan_j_naughton, about 4 years ago

40 comments

rectang, about 4 years ago
This is a national security issue — malicious actors based in other nation-states are raiding American companies. It seems that US defense forces are not up to the task of repelling these invaders — yet we're expecting individual companies to go up against them??

It will be a long, long time before the marketplace evolves sufficient technological measures to guard against state-sanctioned/possibly-state-sponsored malicious actors operating with impunity in a lawless environment.
ryan_j_naughton, about 4 years ago
Related article: Could a Ban on Ransom Payments Have Stopped the Colonial Pipeline Attack? https://news.ycombinator.com/item?id=27196299

While banning such payments might remove the incentives, that also puts a huge burden on the victim, and the transition to better cybersecurity should be less disruptive than an outright ban.

Another solution that has no harms and only benefit is to require the reporting of every ransom payment. That would give the government the crypto transaction information to conduct taint and attribution analysis. It is currently illegal to knowingly use funds received from kidnapping or ransoms, and this reporting requirement would help the government enforce that.
bellyfullofbac, about 4 years ago
If the hackers are brave... "Our IT security firm can solve infections of this particular ransomware, but only this one. We charge 20% of what the 'hackers' demand."

And the solution would be for this security firm to have Russian (allegedly ;-)) friends that deploy the ransomware and give them the decryption key. See, hacked company, you're not paying the hackers, you're paying IT security experts that are able to recover your data!
slver, about 4 years ago
So a hacker has your data, and demands money.

The government's proposal:

1. If you pay the hacker, we want money because you paid a hacker.

2. If you don't pay the hacker, we want money because you leaked your users' data.

The bottom line is that if you're a victim of ransomware, the government joins the hacker, both of them kicking you while you're down and demanding money.
vmception, about 4 years ago
People really out here acting like all of Russia is on the sanction list.

It's like the head of Sberbank and a few companies and a few individuals, and that's it.

There is practically no way for this to be a real rebuttal or conversation. Companies can pay ransoms, intermediaries can pay ransoms. There is no legal quagmire.

Why would you accept a pseudonymous cryptocurrency in a country you can't even get financial records from the fiat offramps, and use a pseudonym that matched your actual name on the OFAC list? Let alone just not being a person that is on the OFAC list. This is so improbable, the US Treasury can pound sand.
bdcravens, about 4 years ago
This isn't about the companies being hacked; it's about the consultants who serve as intermediaries to help pay the ransoms.
jacquesm, about 4 years ago
Apologies to people from China, Russia, Ukraine and so on on HN ahead of everything else: It would not be a bad idea to get countries that routinely shield bad actors and/or actively engage in electronic warfare across the net to be blackholed as long as they don't cooperate in bringing the perps in these cases to justice.

People will get killed because of these actions, if it hasn't already happened.

Of course that works both ways: the countries on the other side of that divide would have to stop doing the same thing, to each other and to countries on the other side of the divide.

It's sort of an 'electronic curtain', the iron curtain of cold. China already erected one half of such a barrier, the GFW definitely reduces the chances of foreign hackers attacking Chinese infrastructure, it doesn't seem to do anything to keep attacks from China out of the rest of the world though.

So regardless of the origin of these hackers, I'm all for a bit more isolation until we've figured out how to deal with this problem, cross border digital crime is going to be (and already is) a real headache.
baybal2, about 4 years ago
A very good way to put it: FUD in action.

"We may put you in jail for paying sanctioned criminals, but we will not tell you explicitly what constitutes a sanctioned crime, who those criminals are, or we can pull it right out of thin air."

This way they evade the need to go to the legislature to institute a new class of ban list for them to run.

As with any "pull out of thin air" type privilege, it's a bad thing.
roughly, about 4 years ago
It would be nice if the NSA had spent the last decade or two helping shore up cybersecurity, instead of creating, stockpiling, and accidentally leaking zero days to later get used in ransomware attacks.
tomrod, about 4 years ago
This seems like punishing people for being mugged.
bern4444, about 4 years ago
I'm surprised companies don't buy insurance against this. I could very easily see insurance companies offering a new product. Pay us $25,000 a year for a 5 million liability. Or 50,000 a year for a 10 million dollar liability shield etc.

Insurance companies can then develop their own methods to better determine premiums for companies based on measures they take.

Companies can then decide how much risk to take in choosing not to invest in cyber security for their operations based on the cost of their premiums.

If this is an insurance option that currently exists, perhaps more companies will begin paying for it.
CivBase, about 4 years ago
Companies would just add the cost of the punishment into the cost of the ransom, re-evaluate the risk, and probably decide to just keep doing what they're doing.

The problem is not that companies are paying ransoms. The problem is that companies who operate infrastructures of national importance and who collect sensitive data about us are losing control of said infrastructures and data. If paying ransoms is part of the discussion, we're already in a very sorry state. Legal action should be focused first and foremost on preventing that loss of control.

First we need to decide what is important enough that we should legally require companies to protect it. Certain data or services may require special licenses, depending on scale and importance.

Then we need to decide on how to evaluate whether or not the company has provided sufficient protection and what the punishment should be for failing to provide sufficient protection.

Then we need to establish a government organization of white-hat hackers who are charged with evaluating the protection measures implemented by companies - much like how a health inspector goes around evaluating the conditions of food service companies.
Trias11, about 4 years ago
Companies should be punished harder for outsourcing or lowballing security specialists
toast0, about 4 years ago
I didn't see this discussed, so here goes.

Why is it that sanctioned sometimes means allowed and sometimes means disallowed?

You can say an action was sanctioned, meaning it was approved by someone in power. You can say an action was sanctioned, meaning it was punished, presumably because it wasn't approved. And you can say unsanctioned to mean it wasn't approved, or to say it wasn't punished. What the hell, English?
ameminator, about 4 years ago
I have some issue with the headline - the article discusses "facilitating", so it may in fact target money-transfer firms and banks.

That said, if these laws can target the victims of ransomware, this sounds self-defeating. Not only will companies continue to get hacked (as nowhere do I see any meaningful help in preventing "cybercrimes" or shoring up cybersecurity), but now there will be an incentive to not report that a crime took place at all.

Put another way, if I have been a victim of ransomware and the only way to recover the data is to pay the ransom, should I:

A) report the crime and hope I can recover the data some other way?

B) pay the ransom, and report the crime, and then suffer more fines?

C) pay the ransom and tell nobody, allowing the crime to go unreported, but forgoing the risk of further punishment from the government?

There is probably a way to help companies, and maybe a national cybersecurity initiative may be of use here, but blaming/punishing the victim is not the way. Maybe preventing the payments is reasonable, but even then, it seems that prevention of the crime itself is the best medicine (as it is in most cases).
oeiiooeieo, about 4 years ago
Can we all take a moment to appreciate the ridiculous picture of the "hackers" without desks at the top of the article?
belatw, about 4 years ago
There’s probably a hell of a market opportunity for stagnant businesses to introduce the malware to themselves, ransom themselves, pay themselves, collect the insurance then launder the cryptocurrency.
axegon_, about 4 years ago
I'm kind of on the fence here. I see the logic behind it, but in many cases incidents will simply be swept under the rug and users will never find out that their data has been compromised.
ajkdhcb2, about 4 years ago
Monero is often accepted (such as in the pipeline situation). It is an interesting use case that the company could try to pay privately to avoid legal action themselves.
jollybean, about 4 years ago
Another idea would be to require breaches to be made public.

And of course, the government coordinating with good companies a series of best practices and models, and working with MS, even Linux versions, to help get the message out and implement good policy.

Like a 'tiered strategy' for home, small biz., mid biz. and 'high touch enterprise'.

Basically some kind of 'board' that exists to help train, coordinate and communicate the things that need to be done.
jl2718, about 4 years ago
The miners can easily stop this, and they will if the users suggest even a tiny bit of infungible preference. I’m not sure that government can control this, although I’m sure they will try, but some authority may be needed to coordinate information sharing between victims and validators.<p>Not even the most die-hard freedom fighters will side with the dishonest and violent. Cryptocurrency will be the worst thing that ever happened to them.
auiya, about 4 years ago
If the USG isn't able to provide protection against ransomware attacks, what other choice is there? This is going to be a hard sell - especially when the USG continues to pay ransoms themselves. Oh, they may call it other nonsense like "humanitarian aid" to try and save face, but they're ransoms. I'm not in favor of kicking the victim when they're down.
xwdv, about 4 years ago
I wonder, if you could insure your business against ransomware attacks so that instead of paying out you just file a claim for whatever losses, then maybe you could concoct a scheme for insurance fraud by having hackers ransomware your business out and collecting the insurance money. Basically a 21st century version of burning down your business for insurance money.
jrochkind1, about 4 years ago
There's pretty much no way to know if a bitcoin address belongs to someone from a sanctioned country or otherwise sanctioned, right?

So this effectively makes paying ransomware an activity with very high legal risk.

It will be interesting to see how that all plays out. It's hard to imagine the regulators didn't think of this... I wonder what they are thinking exactly.
BiteCode_dev, about 4 years ago
Maybe this new wave of ransomware and the attention it's getting will finally force IT onto a more quality-driven path. Right now I see a lot of projects with small budgets sent to the fast lane to finish ASAP, security be damned. Or projects with big budgets wasted on middlemen paying scraps to interns sold as experts.
6510, about 4 years ago
I think things should be more basic. Just make HACCP laws. No need to wait until people die from food poisoning.

[000] - https://en.wikipedia.org/wiki/Hazard_analysis_and_critical_control_points
maxrev17, about 4 years ago
This looks like it could work, however what about the cases where people decide to pay, and end up in cahoots with the gang in order to keep them both out of trouble?
meepmorp, about 4 years ago
And since you don't really know for sure if a hacker is sanctioned or not, you're at risk if you pay any ransom.

Not quite a ban, but a disincentive to make a deal, for sure.
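Editor's note on the two threads above (ryan_j_naughton's "taint and attribution analysis", and jrochkind1's and meepmorp's point that you cannot tell whether a payment address is sanctioned): the check an incident-response team actually runs before any payment is (1) a direct screen of the destination address against a sanctions list, which in OFAC's case includes digital-currency addresses attached to SDN entries, and (2) a short tracing of where the funds flow next, since a clean-looking intermediary wallet may forward to a listed one. The example below is added here and is not code from the article, from any commenter, or from OFAC; the sanctions entries, wallet addresses and transaction graph are all constructed placeholders, and the hop limit is an arbitrary assumption.

```python
"""Screen a ransom payment destination against a sanctions list and
trace the onward flow of funds for listed addresses.

Added illustration for this thread. SDN_ADDRESSES stands in for the
digital-currency address identifiers published with sanctions entries;
TX_GRAPH stands in for on-chain transfers pulled from a block explorer.
Every address and amount below is constructed, not real.
"""
from collections import deque

# Constructed sanctions entries: address -> list entry it belongs to.
SDN_ADDRESSES = {
    "bc1q-sdn-entry-a-placeholder": "SDN entry A (constructed)",
    "1SDNENTRYBPLACEHOLDERxxxxxxxxxxxxx": "SDN entry B (constructed)",
}

# Constructed transfer graph: sender -> [(receiver, amount_btc), ...].
# The ransom wallet sends most of the money through one intermediary
# hop that then forwards to a listed address.
TX_GRAPH = {
    "bc1q-ransom-wallet": [("bc1q-mixer-hop1", 70.0),
                           ("bc1q-exchange-deposit", 5.0)],
    "bc1q-mixer-hop1": [("1SDNENTRYBPLACEHOLDERxxxxxxxxxxxxx", 60.0),
                        ("bc1q-unrelated", 10.0)],
    "bc1q-exchange-deposit": [],
    "bc1q-unrelated": [],
}


def screen_payment(dest, sdn=SDN_ADDRESSES, graph=TX_GRAPH, max_hops=3):
    """Screen one destination address.

    Returns a dict with:
      direct      - True when dest itself is on the sanctions list
      downstream  - list of (listed_address, hops, path) for listed
                    addresses reachable from dest within max_hops transfers
    """
    result = {"direct": dest in sdn, "downstream": []}
    # Breadth-first walk over outgoing transfers, carrying the path so the
    # report can show exactly how funds would reach a listed address.
    queue = deque([(dest, 0, [dest])])
    seen = {dest}
    while queue:
        addr, hops, path = queue.popleft()
        if hops == max_hops:
            continue  # hop budget exhausted on this branch
        for receiver, _amount in graph.get(addr, []):
            if receiver in seen:
                continue  # avoid cycles and repeated work
            seen.add(receiver)
            new_path = path + [receiver]
            if receiver in sdn:
                result["downstream"].append((receiver, hops + 1, new_path))
            queue.append((receiver, hops + 1, new_path))
    return result


def payment_is_blocked(dest, **kwargs):
    """Conservative decision helper: block on a direct hit or any
    downstream hit. This is the author's assumed policy, not OFAC's."""
    r = screen_payment(dest, **kwargs)
    return r["direct"] or bool(r["downstream"])


if __name__ == "__main__":
    report = screen_payment("bc1q-ransom-wallet")
    print("direct hit:", report["direct"])
    for listed, hops, path in report["downstream"]:
        print(f"reaches {SDN_ADDRESSES[listed]} in {hops} hops via {path}")
    print("blocked:", payment_is_blocked("bc1q-ransom-wallet"))
```

In the constructed data the ransom wallet is not listed itself, so a direct screen alone would have passed it, yet two hops out the funds land on a listed address. The hop limit is a judgement call: too small and you miss exactly this case, too large and nearly every address on a busy chain eventually touches something listed, so record the path and the hop count rather than a bare yes/no.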
thayne, about 4 years ago
If a sanctioned individual holds you up at gunpoint and asks for your money, is it illegal to give it to them?
davidgh, about 4 years ago
So, basically when a company pays a ransom they’ll also have to pay a tax. Lovely.
dcdc123, about 4 years ago
Good. Paying off a ransomware hacker should be illegal.
heroHACK17, about 4 years ago
I've had a stance on this for a while that paying ransoms to hackers is no different than cooperating with terrorists. Like others have mentioned here, this is a national security issue. CMV.
dehrmann, about 4 years ago
Interesting use of an auto-antonym in a headline.
notorandit, about 4 years ago
What about unsanctioned hackers?
bosswipe, about 4 years ago
Ban cryptocurrencies. Cryptocurrencies are all negative externalities with few societal benefits.
paulpauper, about 4 years ago
Then what are companies supposed to do? In hindsight it is easy to find what went wrong, but hackers are always coming up with new tricks.
ttt0, about 4 years ago
So they now have to pay the ransom twice?
yubiox, about 4 years ago
Companies should be punished for choosing Windows for mission-critical applications. Everyone knows by now that Windows is just for games and malware.
jl6, about 4 years ago
It's like Spectre all over again. Just as many of the CPU performance gains of the last 25 years turned out to be based on taking insecure shortcuts, perhaps we will find many of the economic gains of the information economy are founded on similarly insecure practices.

Maybe handling data at scale is unaffordable for most businesses, who rely on those shortcuts, and wouldn't be profitable if they had to hire competent infosec staff.
robbrown451, about 4 years ago
I still like my idea of keeping it legal to pay the ransom, but you have to pay an equal amount as a fine/fee to the government. Deter the bad guys by driving the market price up (so in effect, the bad guys will collect less money because they can't ask for as much), and incentivize prevention (i.e. making systems more secure) by making it more costly to address after the fact.

https://news.ycombinator.com/item?id=23659729