I've grudgingly come around to the notion that there is only one way out of the ransomware problem: Make paying a ransom illegal. This is not very different from laws that make it illegal for US companies to pay bribes to foreign officials.

I really don't see any other way out of this mess. Yes, some victims will unfortunately ignore any laws that say they can't pay, but enforcement probably will not be hard.

What will be difficult are the situations where people's lives are at stake in ransomware incidents. This sounds callous, but we can't afford to take the short view here anymore, and our other alternatives aren't great either.

I'm quite certain this is an unpopular view, but we have already seen the cost of doing nothing. At least in the interests of congruity for our financial sanctions vs Russia, we should probably make this change sooner rather than later.

@briankrebs I can't discuss specifics but I was an observer to two very large companies that were hit in rapid succession with ransomware this year. I learned something I didn't expect. In both cases top executives received threats to their family's safety in a "pay or they die" proposition. Making it illegal to pay the ransom seems like the only choice at that point. Then, helping provide protection to people seems like a direct cost we'll have to deal with.
@DeweyOxberger I really can't argue with your point. I've been saying for a decade now that infosec peeps really really need to up their games in terms of physical security. I will never be so happy to be proven wrong.