Banning ransomware payments is an incredibly attractive idea.

Proponents need to explain why it’s going to work any better than bans on buying drugs. Why are two “willing” participants not going to find a way? What do we gain by adding criminal penalties to victims trying to recover their businesses?

I think the two major arguments that people are making are (thread)

  • It's easier to ban large payments than small
  • Insurers can be banned from paying.

    (Reply 1/3)

    But yes, there will be some effect from making it illegal. Some victims will decide not to pay. But today, breach reporting is mandatory, and we hear numbers from 1 in 7 breaches being reported (Gartner) to 1 in 2. I think it's reasonable to expect laws about ransomware payments would also be broken by something between half and 6/7ths of victims.

    Stopping companies from moving money is hard. They have departments focused on this. There will be fronts set up, ranging from Joe's Cybersecurity Startup which just happens to land a big customer who's in trouble down to smaller ones. We can throw a great deal of sand into the financial gears of society that will just make this more frustrating for victims.

    If the victim thinks paying is the best route they have, and the criminals want to get the money, they'll find a way. Being credulous, naive, impatient, or foolish as you respond is very difficult to prove.

    2- insurers can be banned from paying. Yes, this is attractive, but insurers pay to help victims of other crimes. Insurers discuss the risk of "moral hazard" where knowing that someone else will pay leads to people being lazy about securing their property against theft. (For example.)

    Ransomware is different from theft in that it's harder to see where someone was negligent. So while interesting and thought provoking, I'm unconvinced.

    (Reply 3/3)

    @adamshostack I think this depends on how the actual prohibition is written. If there's no real chance of individual liability, then sure, some companies are gonna choose illegality as a DR plan. But ask yourself this - if ransomware payments were banned in a "material support to terrorists" or "OFAC++ violation" manner, how high would compliance be? Pretty high, I think. Again, not opining on the general welfare result here.

    @adamshostack it's always easy to pay for the next fix when there's no consequence.
    @adamshostack I would be satisfied if cyber insurance providers treated ransomware payouts in the same manner as medical insurance providers approve & cover out of network prescriptions and procedures on pre-existing conditions.
    @adamshostack I support a partial ban. Make it so governmental entities cannot pay. It's a good start and ransomware operators might actually stop hitting governments and focus on private sector entities instead as they'll have a better chance of getting paid.
    @adamshostack @hacks4pancakes what do you mean? Prohibition always* works great!
    @adamshostack Can someone explain to me why it wouldn’t be more effective to make payment effectively impossible by banning cryptocurrency? Stopping ransomware would be just one of the benefits.
    @dpontifex @adamshostack please tell me you're not genuinely in support of banning cryptocurrency.
    @tkk13909 I realize there may be practical difficulties. Are there any downsides? After 16 years, the primary use case seems to be ransomware payments, followed closely by money laundering, narcotics, greenhouse gases and Ponzi schemes. What have I missed?

    @dpontifex oh I don't know... Maybe the fact that paper money is being phased out and the only private payment system left would be cryptocurrency.

    A lot of your argument simply stems from the idea that if a system is mostly used by criminals, it should be banned. This argument could easily be applied to the Tor network which several countries have tried. You wanna guess what the state of freedom is in those countries?

    @dpontifex Any system that provides complete anonymity will inevitably be used by criminals but is also crucial to maintain a proper and free democracy.

    @adamshostack @hacks4pancakes well, while 2/3 people can palm a $100 to transact a drug deal on the street, ransomware payments involve many more people - an insurer and/or vastly more money which one person at a corporation tends not to trivially be able to send without accounts asking questions.

    The hope would be to make paying much less attractive in the hope it might lead to money being invested up front or at least less self-delusion of having “secured” the data.

    @adamshostack Personally I don't think there should be a ban on payments. But I strongly believe there should be a ban on *insurance payouts* in cases of ransomware where a postmortem review finds easily-fixed problems that were negligently not addressed led to the incident taking place. Society should not be socializing the cost of large corporations' inadequate resourcing of security operations budget. It costs everyone more for insurance every time a huge payout has to be made.
    @threatresearch @adamshostack a bit of a tangent, but I really struggle with defining “negligent” in cyber. Given hacking is looking for the place someone messed up - and relies on the complexity of modern networks/systems hiding some screwups - any compromise can potentially be called negligent.
    @threatresearch @adamshostack I have seen loss adjusters be much more rigorous post event than they were 10 years ago. They are much more likely to review what a policy holder claimed they did in terms of controls when they got coverage and if that wasn’t true refuse to payout.
    @threatresearch @adamshostack that creates an incentive to hide details of an attack.
    @threatresearch @adamshostack of course, we know insurers are always keen to pay out in instances where they could otherwise blame the victim...
    @adamshostack By that logic, what's the point of trying to place economic sanctions on entities considered, amongst other possibilities, enemies of the state? It's likely a lot easier to trace large payments than to track down someone dropping $100 on weed or whatever. When one side of a transaction is essentially untouchable, other solutions should be considered.
    @adamshostack This seems like a flawed comparison. An individual's risk appetite is significantly different from a business's.
    If there is no point banning things, why are there rules on money laundering or payments to terrorists or other sanctioned entities.
    The biggest potential issue I see is this will create some form of underground market. I hope they balance the ban with incentives to disclose issues so we can get a much better picture of the overall state.
    @PeterDodemont @adamshostack a bounty system could be a start. Dox the ransomer for a bonus.
    @adamshostack it increases the costs.
    So the break-even for a working IT and usable backups is reached faster.
    @adamshostack Any organization with a robust risk management function will not be paying ransom.
    @adamshostack Not everybody can pay US$10 million in black money to hackers. If insurance can't pay it (it will be illegal), it just must come from own funds. This will be on the books and can be audited (public companies require regular auditing).
    Forbidding ransomware payments should divert money to better IT security, more priority to best IT practices and destroy most of the ransomware market. So yes, I'm pro ban.
    @placandeker @adamshostack wouldn't it be to "recovery specialists" for decryption services, who ultimately forward the money sans fees to the ransomware orgs?
    @daveyk00 @adamshostack Fiscal engineering needs time and planning. It also can be traced and brings responsibility to management. It is not the same to pay pocket money in a dark alley as buying a million US$ equivalent in Bitcoin. If they don't manage to plan a Netscaler update during normal operations, I doubt they will plan how to hide illegal payments while managing a crisis.
    @adamshostack I wouldn't argue that criminalising an activity doesn't reduce it. The fact that it doesn't eliminate it is specious. The reason I support decriminalisation for drugs and prostitution is that there are victims up and down the value chain. Replacing criminal enterprise with regulated industry provides an opportunity to reduce the harm to these victims. Translating to cyber, regulation makes sense before compromise, not so sure where it fits, after.
    @adamshostack I would like it to be illegal for insurance companies to pay ransoms. The market is giant and lucrative because of the amount of money flowing in via these companies. Threat actors' playbooks involve finding the cyber insurance policy after the initial access and extorting them for the amount of coverage in the policy. The cost to pay a ransom is distributed to everyone who buys cyber insurance in the form of the six-figure insurance premiums everyone pays up front. This model is creating massive financial incentives for cybercrime that didn't exist anywhere near this scale until cyber insurance made it possible for every business to be a multi-million-dollar jackpot for hackers.

    @adamshostack it is a knee-jerk reaction because a Las Vegas casino, which knows something about odds perhaps unsurprisingly, decided to pay and get back into business for 1/2 the price of those who refused to pay… so they want that missing 1/2 to level the playing field.

    @brianhonan @adamshostack My off-the-top answer to your first question is that for victims who are routinely audited (public companies and municipalities, say) it will be difficult to bury the payments. I have no opinion on whether this ban on ransom payments will actually reduce harm over time - that's a very different matter.

    @walshman23 "Adam's Ransomware recovery startup!" We magically fix your ransomware problems with our patent-pending snake oil!
    @adamshostack Whatever policy is implemented it needs to reduce the incentives for criminal ransomware gangs to attack when the victims are within our jurisdiction and the attackers are not. Trying to cut off their income is one way, at least try and make our infrastructure a less attractive target, even if it is still vulnerable. In a better world we'd be able to hold the gangs accountable and increase their cost, but they are protected by their governments' inaction or incompetence.
    @adamshostack I have no specific insight, but @patio11 might? I think they've written about deputizing the financial system to de facto enforce laws before, which may be relevant.
    @dan_turner Did you mean to say @patio11 (I’m getting no match but at least it was blue in my client)

    @adamshostack I think that's their Twitter handle, they write https://www.bitsaboutmoney.com/

    Their other site has a list of other contact methods, but I don't see Mastodon: https://www.kalzumeus.com/standing-invitation/
