But are the police or the FBI going to investigate your ransomware-locked computer when there are thousands of cases of this happening a year? The ransomware is usually running from a script. There is no guy wearing a ski mask on the other end watching the wallet. These groups aren't the same as a sketchy guy on the other side of town with your stolen laptop or phone, ready for the police to find him and recover your goods.
So what option does your average user have when confronted with a situation like this? They could call up the police and report it for statistics sake but the police aren't going to be able to fix the problem nor would they really care (unless you're the mayor or some prominent politician). The bad guy is probably not in the same country and there's no way to identify them anyway. Maybe you could figure out the hacking group but if you knew the actual identities then why aren't you working for Interpol already? Also maybe try using a site like in the link to check if the ransomware is compromised. But most likely, you just have to pay the ransom, get back your stuff, and learn an expensive lesson in how important regular backups, online and offline, can be.
You could just not pay it. The hacking group doesn't get their money but it's not like it cost much to run the attack in the first place. They will have someone's data out there that is much more valuable to the victim that will pay.
I compare this to leaving your bike unattended in a public place. Maybe you did a good job trying to lock it up but the thief hacksawed through your cheap lock. Or maybe you just left it unlocked. Either way, your bike is gone. Maybe buy a much stronger lock or two in the future. In this analogy, you aren't getting your bike back. You just have to spend the cash on a new one, expensive but hey, you need a bike to get to/do your job. You can report it stolen but unless there is some big bust and they find the guy, the thief is going to get away with it. Complaining that someone stole your bike isn't going to solve the issue. It sucks that the thief will profit off your loss but the data/bike is already gone. You aren't getting it back unless you drop the cash on a new bike/decryption key. The lesson is that you are going to either have to never ride a bike again (or use a computer, both unlikely) or you will have to use better security to prevent theft of your valuables.
Crime does pay, a lot. People get away with theft like this all the time and there's not much an individual can do except try harder in the future to defend themselves against theft in the future. Secure your computer better, run backups, don't do dumb stuff (like run unknown software or leave a bike unlocked).
>The ransomware is usually running from a script. There is no guy wearing a ski mask on the other end watching the wallet.
Yes, there is a guy (a bad guy) wearing a ski mask on the other end. If you do this, then you're the bad guy. Then you're a criminal. Not in some abstract way or an analogy, you're actually nearly literally a "bad guy wearing a ski mask" and the reason bad guys do this is to hide their identity while they commit crime, steps which you if you do this also take. It's very black and white.
> These groups aren't the same as a sketchy guy on the other side of town with your stolen laptop or phone, ready for the police to find him and recover your goods.
Yes they are.
> They could call up the police and report it for statistics sake but the police aren't going to be able to fix the problem nor would they really care (unless you're the mayor or some prominent politician). The bad guy is probably not in the same country and there's no way to identify them anyway. Maybe you could figure out the hacking group but if you knew the actual identities then why aren't you working for Interpol already? Also maybe try using a site like in the link to check if the ransomware is compromised. But most likely, you just have to pay the ransom, get back your stuff, and learn an expensive lesson in how important regular backups, online and offline, can be.
This is a very "wild west" mentality - 'there is no rule of law anyway!'. But that isn't quite right, is it? In point of fact the FBI actually does run a site where you can get ransomware keys recovered, it was covered here on HN.
Let's actually look at the wild west. What is the wild west today - California. Can a criminal just walk up to someone who is unarmed and go rob them, like in the 'wild west' days? Do people have to dual with each other and so forth?
No. While there was a period of unlaw (or at least films portray this) it gave way to the rule of law, which is normal and sane. (I could be completely wrong, I don't know any historical information about the wild west, I'm literally going on movies.) Californians walk around unarmed. it's not like in those movies, or in some kind of gang violence warzone.
I can't make extremely nuanced judgments and policy suggestions, I am just saying that you don't have to necessarily accept that there is "nothing that could be done." Laws exist for a reason. Moreover, it takes a high level of sophistication to write programs. If people are funding you to do that by simply meeting your request, you would start thinking of them like your clients (after all, they're paying you!!). If instead they turn you over to the FBI and Interpol, and write you an angry letter that you are a criminal gang member and wtf are you doing, are you really going to get up the next morning, crack open MSVC++ and think about creating your next crime?
I'm not saying this from the point of view of some trigger-happy district attorney. I'm telling you as one HN reader to another that they are way, way on the side of "bad guy in a ski mask", it's not even close to being a judgment call. No, nothing separates them from going down to their local financial district wherever they're located and and stealing someone's laptop. It's exactly the same.
> I compare this to leaving your bike unattended in a public place. Maybe you did a good job trying to lock it up but the thief hacksawed through your cheap lock. Or maybe you just left it unlocked.
First of all, I'd like to acknowledge that analogies including this one are incredibly useful in law when it comes time to make policy decisions, and sometimes can capture many real-world consequences. I don't want to sound like I have the answer to whether your way of thinking is correct or incorrect or what it is missing.
I would like you to consider a couple of effects: "crimes of opportunity" -- is there a difference (as someone else pointed out in this thread or another one) between leaving a laptop in the front seat of a car and locking it, and doing the same thing but throwing a coat over it? Clearly in terms of legal consequences there may not be much difference, if someone smashes open a car window and takes a laptop it's similar. But for the purposes of the analogy, you may want to consider "crimes of opportunity" in your thinking. My personal impression is that writing or using ransomware isn't nearly in the same boat - you don't accidentally use highly valuable programming skills to create ransomware; you don't accidentally take extremely sophisticated and detailed steps to hide from Interpol, the FBI, and others, and perform ransomware attacks, in a context in which most of the Internet is well agreed that governments are able to exercise certain deeply embedded back doors in many extraordinary cases -- what I mean is that the guy in the ski mask doesn't "happen to have" a ski mask on, they would have to take extraordinarily detailed steps to perform their crimes. It's a criminal thing.
>Crime does pay, a lot. People get away with theft like this all the time and there's not much an individual can do except try harder in the future to defend themselves against theft in the future. Secure your computer better, run backups, don't do dumb stuff (like run unknown software or leave a bike unlocked).
I don't understand why you don't also consider the role in law enforcement agencies and their actions. The Internet isn't exactly a lawless place. Law enforcement, which includes international cooperation among many governments (Interpol being one example of this), has sophisticated tools. These are undermined by any victims funding the crime.
I mentioned above the programmer firing up MSVC++ and writing their next ransomware project. Would you do it? Probably not.
But for many programmers, the calculus would change -- immensely -- if the question is, can a criminal get you to do for $80,000. If you divide that by 1,000 victims, that is just $80. So the question is, "Would you do it for $80,000, given moftz's world view that you're not some guy in a ski mask, and there's no international law anyway" OR "Would you do it for $80,000, given that many of your users will refer you to international law enforcement, and send you angry letters about the kind of criminal scum that you're acting as, and your country and others will stop you and you will have to defend yourself criminally. because you are a criminal."
That is a different equation entirely. If we accept the worldview you argued for, this creates the former, very dangerous and wild-west, and horrific scenario -- if we accept the latter scenario, few programmers would be motivated to act so unethically.
It's our choice as people of the world what kind of world we want to live in. Absent rule of law, "might makes right", but that's why there are laws everywhere and most people aren't affected by them, until they get into the kind of criminal behavior that we're discussing now.
It's a very clear line. It's not even close to requiring any interpretation.
The suggestion that people need to "protect their stuff" -- when as a matter of the state of the art this is actually pretty much literally impossible -- muddies of the issue.
So what option does your average user have when confronted with a situation like this? They could call up the police and report it for statistics sake but the police aren't going to be able to fix the problem nor would they really care (unless you're the mayor or some prominent politician). The bad guy is probably not in the same country and there's no way to identify them anyway. Maybe you could figure out the hacking group but if you knew the actual identities then why aren't you working for Interpol already? Also maybe try using a site like in the link to check if the ransomware is compromised. But most likely, you just have to pay the ransom, get back your stuff, and learn an expensive lesson in how important regular backups, online and offline, can be.
You could just not pay it. The hacking group doesn't get their money but it's not like it cost much to run the attack in the first place. They will have someone's data out there that is much more valuable to the victim that will pay.
I compare this to leaving your bike unattended in a public place. Maybe you did a good job trying to lock it up but the thief hacksawed through your cheap lock. Or maybe you just left it unlocked. Either way, your bike is gone. Maybe buy a much stronger lock or two in the future. In this analogy, you aren't getting your bike back. You just have to spend the cash on a new one, expensive but hey, you need a bike to get to/do your job. You can report it stolen but unless there is some big bust and they find the guy, the thief is going to get away with it. Complaining that someone stole your bike isn't going to solve the issue. It sucks that the thief will profit off your loss but the data/bike is already gone. You aren't getting it back unless you drop the cash on a new bike/decryption key. The lesson is that you are going to either have to never ride a bike again (or use a computer, both unlikely) or you will have to use better security to prevent theft of your valuables.
Crime does pay, a lot. People get away with theft like this all the time and there's not much an individual can do except try harder in the future to defend themselves against theft in the future. Secure your computer better, run backups, don't do dumb stuff (like run unknown software or leave a bike unlocked).