> When [you are infected with ransomware], you can’t get to the data unless you pay a ransom. However, this is not guaranteed and you should never pay!
What bothers me about their advice is that it is only correct macroeconomically. For your particular case it could be the best solution to just pay - as even police departments have done before.
It also ignores that it is in cybercriminals' best interest to let you decrypt after you paid: They need their victims to trust them, and they have nothing to gain from keeping the files encrypted after payment.
It's been pointed out in the past that most ransomware services have better customer support than paid services. That's because they stand to gain $XXX from each successful interaction and they stand to lose substantially more if they have a reputation of not returning the data.
It's such a perfect example of how human systems are molded by underlying incentives.
Of course, the incentives themselves arise within immense cultural and technological contexts. Hopefully one day we see further past the dense fog of complexity. Assuming we aren't adding to it at a faster rate...
> Of course, the incentives themselves arise within immense cultural and technological contexts.
To twist it even further, note that the shifts of culture and technology are directed by aggregated incentives of people. What a nice and strong feedback loop there. Only shows how little control societies have over where they're going.
In a twisted sort of way, a person could destroy trust that paying the ransom will actually get your data back. Someone could create ransomware that will never decrypt, even after the ransom is paid. Once the victims know the dishonest ransomware is out there, that may ruin the revenue towards the "honest" ransomware.
Or better yet, only unlocks after you _haven't_ paid the bitcoin ransom in the allotted time period. If you just decrypt now it's Pascal's wager and the buy-in is $500, so most people buy and the worst-case scenario is that the guy who hit you was a dick trying to prove a larger point, but if the cultural narrative is "don't help the criminals / don't negotiate with terrorists!" then it would be rational and societally acceptable not to pay the ransom.
> "Once it executes it, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."
They have to weigh the risk of getting caught, especially if they piss off enough people. So one paying victim may not be enough for a criminal to go this route.
Bribing a LEO seems to be a risky business - how risky depends on the conditions. If you're the only one bribing an officer, you'd better ensure you have that consistent cashflow. It's easier if everyone is bribing the police. But still, the moment you interact with law enforcement, you appear on their radar. It's always better to avoid that unless absolutely necessary.
> Due to the nature of the internet and social media there is an ever decreasing chance of flying under the radar.
I disagree with this statement though. I think that the Internet as it is now only makes it easier to fly under the radar - simply because people generate such a huge amount of noise that it's barely possible to handle. As long as you don't get too greedy, you can get away with a lot, simply because nobody is going to bother looking for you (hence e.g. spam).
I should clarify that while the simple existence of the Internet doesn't make getting caught more likely, social media at least increases the chance of someone on the related social graph seeing something, and reporting it.
Kind of surprised no one's actually done this. I mean, there have to be at least a few really bored trolls and griefers out there who mess around with people's systems for 'fun' rather than money. I'm sure some teen in an ex-Soviet state somewhere would find it funny to watch someone have a breakdown when their cash doesn't get them their work back.
Or that some criminal group/mafia would use it to try and 'sink' their rivals. After all, a gang in competition with whoever makes these malware programs would probably love to shut down their revenue from ransomware. With, say, their rivals' name attached to the cruel hoax.
Still, I suspect something like this will happen at one point.
...it now occurs to me that if, using one of the million or so compromised ad networks, you wrote something that would pop up the following message in people's browsers:
"Hi there! Your computer has been infected with a virus which will encrypt one file on your computer at random each day. You can stop this, and decrypt all the files by paying X to bitcoin wallet Y. Don't wait too long, because if you wait too long, we might encrypt some system file and it won't boot any more."
and which did nothing else whatsoever
...then you'd probably actually get some income.
It'd be an interesting (if ethically awful) sociological experiment to find out exactly how much. Returning people's money afterwards, of course.
My neighbour came to me last week to ask for help. Exactly that had happened to him, from of all things a Facebook ad. It was a simple matter of killing the browser, but it had put up a phone number for "support" that he had already called, but which was busy... so I guess they were having a fair amount of success. Wish I'd taken a photo.
Couldn't you do the same thing with less of a human cost by merely telling people about cases where the ransomware was unreliable, and refusing to spread the information that it was reliable?
Or we could be slightly less nefarious and create ransomware that decrypts everyone's stuff after the allotted time but leaves a congratulatory "thank you for not cooperating with criminals" message to the people that didn't pay...
> Or we could be slightly less nefarious and create ransomware that decrypts everyone's stuff after the allotted time but leaves a congratulatory "thank you for not cooperating with criminals" message to the people that didn't pay...
Please don't do this. People (some would call them victims of cyber crime but not me) are EVIL and if they can trace it back to you, they will sue you. Doing this is not a good idea except as a thought experiment.
It is probably obvious to a lot of people but there are still good people out there who believe in the goodness of people so I thought I should spell it out.
I agree, creating malicious software designed to seriously inconvenience people and demand money from them is not a good idea. Never mind being sued, creating and distributing viruses is a felony in most jurisdictions even if it doesn't look like extortion. But on a scale of bad ideas, ransomware that appears to reward you for ignoring it is still a slightly less bad way of encouraging people to ignore ransom demands than ransomware that just punishes everyone.
> What bothers me about their advice is that it is only correct macroeconomically.
That's because it's the correct advice. Ransom is a very old business, and experience throughout history shows you should never pay the danegeld[1].
> ignores that it is in cybercriminals' best interest to let you decrypt after you paid
That isn't being ignored. Paying the ransom is short-term thinking. Of course they will let you decrypt. By paying them you establish yourself as an easy/reliable mark that will probably pay again in the future. Paying would only make sense if you could somehow guarantee it was an isolated event.
Not only that, they know people close to you are potential targets as well (e.g. your mail contacts, Facebook contacts), because more likely than not they are in the same economic bracket and are just as "savvy" technologically speaking.
You can guarantee that it is an isolated event by backing up your files in the future. I imagine most victims are embarrassed and try to think of it as an expensive lesson.
It doesn't ignore any of the things you said. Yes, it's most likely better for you to pay. This kind of selfish thinking is, like many other kinds of selfish thinking, what enables this type of crime in the first place.
Sure the criminals will release your files. Just like with regular, "meatspace" ransom, only a stupid criminal would not release hostages after having their demands met. It's in their best interest to do so. But if people by default don't give in to ransom threats, the whole business model becomes unviable for criminals.
So yeah, this advice is kind of like with vaccination and quarantines - it's not just about you. It's about all of us.
I'd say just like in real life, stupid criminals exist. If criminal A says to criminal B "I'll sell you a solution that encrypts their files and I'll host the decryptor for $5 a month" I can totally see a dumb criminal B being fully willing to rely on the reputation of ransomware as working to not pay that $5 a month.
To a certain criminal any effort, no matter how minuscule, at actually providing a way to decrypt the files is useless, and I think with the reputation that's spread about ransomware we're at a point where more scammers will start to piggyback on reputation and stop following through.
> For your particular case it could be the best solution to just pay - as even police departments have done before.
It could be the best solution for you to pay - if you don't care that you'll finance the attacks on other people and cause more harm overall.
So yes, from a purely egoistic perspective it makes sense.
The question you should ask is not "is it worth paying xxx for my data?", it's "is it worth paying xxx for my data and destroying the data of someone else?".
One option gives an immediate, personally beneficial effect - "you get your files back".
The other option gives you an immediate, personal loss - "your files are gone" - together with an all but unobservable, mid- to long-term benefit for society.
You can of course hope for the majority to take the second option, but hope is the first step on the path to disappointment.
But your individual case isn't going to affect their behavior. If you wanted to change the situation, not paying simply isn't going far enough. You'd need to coordinate with other potential victims or do something like this website and spread defenses. Without putting effort into organization, your thinking that you've helped others is pure egoism because these schemes only require a few people to pay to be profitable.
Welcome to the real world. It's twisted in exactly this, game-theoretical way.
In case of ransomware, criminals are exploiting the very difficulty of victims to coordinate their actions. They depend on you paying instead of solving it yourself, educating others, or even simply calling the police. In other words, they profit directly off people's short-term, selfish thinking. The advice of defaulting to not paying is sound because if enough people follow it, the whole ransom stops being viable, which makes ransomware attacks stop coming.
The same, by the way, is the tried and true way of dealing with regular, meatspace, "I kidnapped your daughter" ransom cases.
> But your individual case isn't going to affect their behavior.
It isn't going to affect them much. But as anybody who runs a business knows, the difference between loss and profit generally hinges on a number of sensitive factors. Note, for example, that drug dealing pays so poorly that many drug dealers live with their moms:
They don't need anyone to trust them and they have nothing to gain from decrypting your files.
They may be a 14 year old kid who ran some kit that somebody else made. If they collect $50 from 25 people, they will be stoked.
Or they may be a sophisticated criminal organization that wants to build long-term viability.
It's impossible to know which it is. But it is guaranteed that they are criminal and inherently untrustworthy. It is also guaranteed that any money you pay will finance the next wave of more sophisticated malware.
So, no, you cannot trust them to do good. You can trust them to do bad. Now, make your microeconomic choice.
That problem comes up with collective action all the time. Workers' rights in developing countries, for example... if all of the workers banded together to resist their employer's unfair treatment then... blah blah blah... but in reality average people are awful at joining together to create a change that results in a greater good. When people are isolated and feel the impact of some injustice, they tend to give up fairly quickly without any thought given to what would be best for the greater good. That's my experience of life anyway. Rationality doesn't work very well in abstracted problems that involve reasoning about how you should suffer in this moment for the greater good of everyone suffering such moments. So the scammers are smart to make the cost of cooperating fairly low in a lot of cases. It's definitely easier to pay up than to try to make a federal case out of it. And honestly your inconvenience is not going to cause the wheels of law enforcement to spin fast to figure out which international gang is targeting you. If you don't pay you probably won't ever get anything back and law enforcement won't do anything about it. So really what's the point of personal heroics here other than rational arguments about what the right move would be from a game-theoretic point of view? Just pay and move on.
This comment contains a policy suggestion. I want it to become law in the United States and elsewhere.
I can't quite use the word "literally" but I almost can so I'll do so anyway: if you pay a ransom, you are literally paying for your party to attack someone else. And you are actually literally (not metaphorically) funding their next attack.
Paying a ransom should be a criminal act that is twenty times worse than asking for one. It should be illegal for the exact same reason that possession of stolen goods is illegal.
On a microeconomic level it might make sense for you personally to buy stolen goods off the street: the existence of the laws making you a criminal if you do no longer makes this true.
If you drive a car you are literally contributing to global warming. If you pay taxes you are literally funding bombs and missiles. If you download big files you are literally taking bandwidth away from your neighbors.
You are not drawing any policy conclusions from your statements.
You state that "if you drive a car you are literally contributing to global warming" which implies the policy statement "if it is illegal to drive a car, contribution to global warming decreases" and use this to imply it's not a rational argument to make it illegal to drive cars.
To your great surprise, I will now state that it is actually already illegal to drive cars, and it actually does have the exact effect that you say is not a rational conclusion:
Today, today, it is literally illegal to drive a car....which doesn't meet EPA standards! As a direct effect, people do not buy and drive cars which fail emissions standards.
So, yes, the exact policy suggestion that you don't go quite as far as to argue for actually is being enforced and actually demonstrably has the exact effect that you (only imply) doesn't happen.
Since you don't even imply any policy conclusions for the other two points I can't address them, I have no idea why you would mention them.
(If the government made it illegal to collect or pay taxes, obviously its tax base would evaporate overnight, this goes without saying, nobody would illegally pay money to the government out of civic duty despite its now being illegal to do so.)
None of those are hyperbolic, they are just true facts. Understanding the macroeconomic demand you are participating in isn't hyperbolic.
Buying elephant tusks promotes the killing of elephants, regardless of where they came from because the demand you created supports a price in favor of bad actors as well.
Anyone downvoting this should read Thomas Schelling's Strategy of Conflict. At one point in time in England it was punishable by death to pay ransom to pirates.
This is a good and important point. However is data ransom this kind of duress?
In a sense, paying a ransom is taking the law into your own hands -- rather than say to the FBI, "criminals have asked me for ransom" you are interacting with the criminals directly.
On a literal level you are literally transferring cold hard cash to them.
You make a good argument for why the policy suggestion I made is not a good idea, but I am not entirely convinced by it. As a rule it is not a good idea to engage in vigilante behavior.
Lawmakers and judges would have to use their discretion here and come up with quite nuanced laws.
That last sentence was really uncalled-for. I think you don't really understand that I was discussing an economic argument.
Regarding putting a cramp in your style - how about if a thief has stolen your phone with valuable something on it that isn't anywhere else, but you have an application that tells you where the phone is and you own a shotgun. Can you go and get your phone back by force if in your calculation it has a higher chance of actually solving your immediate problem, than involving the police? Why or why not? It's your phone. The thief knows what he did. The thief knows that it's yours.
I am not saying that there is no argument on your side of letting people take care of issues directly with criminals (whether by force or transferring ransoms), but there are important arguments on the other side as well. It's certainly not so clear-cut that you can start ending with petty insults (and please check your reply to be substantive if you reply to this.)
But are the police or the FBI going to investigate your ransomware-locked computer when there are thousands of cases of this happening a year? The ransomware is usually running from a script. There is no guy wearing a ski mask on the other end watching the wallet. These groups aren't the same as a sketchy guy on the other side of town with your stolen laptop or phone, ready for the police to find him and recover your goods.
So what option does your average user have when confronted with a situation like this? They could call up the police and report it for statistics' sake but the police aren't going to be able to fix the problem nor would they really care (unless you're the mayor or some prominent politician). The bad guy is probably not in the same country and there's no way to identify them anyway. Maybe you could figure out the hacking group but if you knew the actual identities then why aren't you working for Interpol already? Also maybe try using a site like in the link to check if the ransomware is compromised. But most likely, you just have to pay the ransom, get back your stuff, and learn an expensive lesson in how important regular backups, online and offline, can be.
You could just not pay it. The hacking group doesn't get their money but it's not like it cost much to run the attack in the first place. They will have someone's data out there that is much more valuable to the victim that will pay.
I compare this to leaving your bike unattended in a public place. Maybe you did a good job trying to lock it up but the thief hacksawed through your cheap lock. Or maybe you just left it unlocked. Either way, your bike is gone. Maybe buy a much stronger lock or two in the future. In this analogy, you aren't getting your bike back. You just have to spend the cash on a new one, expensive but hey, you need a bike to get to/do your job. You can report it stolen but unless there is some big bust and they find the guy, the thief is going to get away with it. Complaining that someone stole your bike isn't going to solve the issue. It sucks that the thief will profit off your loss but the data/bike is already gone. You aren't getting it back unless you drop the cash on a new bike/decryption key. The lesson is that you are going to either have to never ride a bike again (or use a computer, both unlikely) or you will have to use better security to prevent theft of your valuables.
Crime does pay, a lot. People get away with theft like this all the time and there's not much an individual can do except try harder in the future to defend themselves against theft in the future. Secure your computer better, run backups, don't do dumb stuff (like run unknown software or leave a bike unlocked).
>The ransomware is usually running from a script. There is no guy wearing a ski mask on the other end watching the wallet.
Yes, there is a guy (a bad guy) wearing a ski mask on the other end. If you do this, then you're the bad guy. Then you're a criminal. Not in some abstract way or an analogy, you're actually nearly literally a "bad guy wearing a ski mask" and the reason bad guys do this is to hide their identity while they commit crime, steps which you if you do this also take. It's very black and white.
> These groups aren't the same as a sketchy guy on the other side of town with your stolen laptop or phone, ready for the police to find him and recover your goods.
Yes they are.
> They could call up the police and report it for statistics sake but the police aren't going to be able to fix the problem nor would they really care (unless you're the mayor or some prominent politician). The bad guy is probably not in the same country and there's no way to identify them anyway. Maybe you could figure out the hacking group but if you knew the actual identities then why aren't you working for Interpol already? Also maybe try using a site like in the link to check if the ransomware is compromised. But most likely, you just have to pay the ransom, get back your stuff, and learn an expensive lesson in how important regular backups, online and offline, can be.
This is a very "wild west" mentality - 'there is no rule of law anyway!'. But that isn't quite right, is it? In point of fact the FBI actually does run a site where you can get ransomware keys recovered, it was covered here on HN.
Let's actually look at the wild west. What is the wild west today - California. Can a criminal just walk up to someone who is unarmed and go rob them, like in the 'wild west' days? Do people have to duel with each other and so forth?
No. While there was a period of lawlessness (or at least films portray this) it gave way to the rule of law, which is normal and sane. (I could be completely wrong, I don't know any historical information about the wild west, I'm literally going on movies.) Californians walk around unarmed. It's not like in those movies, or in some kind of gang violence warzone.
I can't make extremely nuanced judgments and policy suggestions, I am just saying that you don't have to necessarily accept that there is "nothing that could be done." Laws exist for a reason. Moreover, it takes a high level of sophistication to write programs. If people are funding you to do that by simply meeting your request, you would start thinking of them like your clients (after all, they're paying you!!). If instead they turn you over to the FBI and Interpol, and write you an angry letter that you are a criminal gang member and wtf are you doing, are you really going to get up the next morning, crack open MSVC++ and think about creating your next crime?
I'm not saying this from the point of view of some trigger-happy district attorney. I'm telling you as one HN reader to another that they are way, way on the side of "bad guy in a ski mask", it's not even close to being a judgment call. No, nothing separates them from going down to their local financial district wherever they're located and stealing someone's laptop. It's exactly the same.
> I compare this to leaving your bike unattended in a public place. Maybe you did a good job trying to lock it up but the thief hacksawed through your cheap lock. Or maybe you just left it unlocked.
First of all, I'd like to acknowledge that analogies including this one are incredibly useful in law when it comes time to make policy decisions, and sometimes can capture many real-world consequences. I don't want to sound like I have the answer to whether your way of thinking is correct or incorrect or what it is missing.
I would like you to consider a couple of effects: "crimes of opportunity" -- is there a difference (as someone else pointed out in this thread or another one) between leaving a laptop in the front seat of a car and locking it, and doing the same thing but throwing a coat over it? Clearly in terms of legal consequences there may not be much difference, if someone smashes open a car window and takes a laptop it's similar. But for the purposes of the analogy, you may want to consider "crimes of opportunity" in your thinking. My personal impression is that writing or using ransomware isn't nearly in the same boat - you don't accidentally use highly valuable programming skills to create ransomware; you don't accidentally take extremely sophisticated and detailed steps to hide from Interpol, the FBI, and others, and perform ransomware attacks, in a context in which most of the Internet is well agreed that governments are able to exercise certain deeply embedded back doors in many extraordinary cases -- what I mean is that the guy in the ski mask doesn't "happen to have" a ski mask on, they would have to take extraordinarily detailed steps to perform their crimes. It's a criminal thing.
>Crime does pay, a lot. People get away with theft like this all the time and there's not much an individual can do except try harder in the future to defend themselves against theft in the future. Secure your computer better, run backups, don't do dumb stuff (like run unknown software or leave a bike unlocked).
I don't understand why you don't also consider the role in law enforcement agencies and their actions. The Internet isn't exactly a lawless place. Law enforcement, which includes international cooperation among many governments (Interpol being one example of this), has sophisticated tools. These are undermined by any victims funding the crime.
I mentioned above the programmer firing up MSVC++ and writing their next ransomware project. Would you do it? Probably not.
But for many programmers, the calculus would change -- immensely -- if the question is, can a criminal get you to do it for $80,000. If you divide that by 1,000 victims, that is just $80. So the question is, "Would you do it for $80,000, given moftz's world view that you're not some guy in a ski mask, and there's no international law anyway" OR "Would you do it for $80,000, given that many of your users will refer you to international law enforcement, and send you angry letters about the kind of criminal scum that you're acting as, and your country and others will stop you and you will have to defend yourself criminally, because you are a criminal."
That is a different equation entirely. If we accept the worldview you argued for, this creates the former, very dangerous and wild-west, and horrific scenario -- if we accept the latter scenario, few programmers would be motivated to act so unethically.
It's our choice as people of the world what kind of world we want to live in. Absent rule of law, "might makes right", but that's why there are laws everywhere and most people aren't affected by them, until they get into the kind of criminal behavior that we're discussing now.
It's a very clear line. It's not even close to requiring any interpretation.
The suggestion that people need to "protect their stuff" -- when as a matter of the state of the art this is actually pretty much literally impossible -- muddies the issue.