Banning ransomware payments is an incredibly attractive idea.

Proponents need to explain why it’s going to work any better than bans on buying drugs. Why are two “willing” participants not going to find a way? What do we gain by adding criminal penalties to victims trying to recover their businesses?

I think the two major arguments that people are making are (:thread:)

  • It's easier to ban large payments than small
  • Insurers can be banned from paying.

(reply 1/3)

But yes, there will be some effect from making it illegal. Some victims will decide not to pay. But today, breach reporting is mandatory, and we hear numbers from 1 in 7 breaches being reported (Gartner) to 1 in 2. I think it's reasonable to expect laws about ransomware payments would also be broken by something between half and 6/7ths of victims.

Stopping companies from moving money is hard. They have departments focused on this. There will be fronts set up, ranging from Joe's Cybersecurity Startup which just happens to land a big customer who's in trouble down to smaller ones. We can throw a great deal of sand into the financial gears of society that will just make this more frustrating for victims.

If the victim thinks paying is the best route they have, and the criminals want to get the money, they'll find a way. Being credulous, naive, impatient, or foolish as you respond is very difficult to prove.

2- insurers can be banned from paying. Yes, this is attractive, but insurers pay to help victims of other crimes. Insurers discuss the risk of "moral hazard" where knowing that someone else will pay leads to people being lazy about securing their property against theft. (For example.)

Ransomware is different from theft in that it's harder to see where someone was negligent. So while interesting and thought provoking, I'm unconvinced.

(Reply 3/3)

@adamshostack

I think this depends on how the actual prohibition is written. If there's no real chance of individual liability, then sure, some companies are gonna choose illegality as a DR plan. But ask yourself this - if ransomware payments were banned in a "material support to terrorists" or "OFAC++ violation" manner, how high would compliance be? Pretty high, I think. Again, not opining on the general welfare result here.