
RE: Paying Ransomware Should be Illegal

in STEMGeeks, 3 years ago

If it is criminal, then sending it risks their job, future employment, and freedom. Not sending it means they are simply following the law like everyone else. Nobody gets fired for doing what everyone else must do.

It is not about spending vast amounts of taxpayer dollars on prosecution. Likely just one will send a message. But stopping the payments will help everyone, to the tune of hundreds of billions of dollars. Otherwise our tax dollars go to fighting ransomware in ways that are not effective. This is actually better for the taxpayer.

Keep in mind, many of these 'companies' actually provide critical infrastructure to citizens: clean water, electricity, Internet, gas, transportation, food supplies, etc. Impacts to them translate to great impacts to all citizens.

Criminalizing the payments creates a forcing function for business to better protect themselves while it greatly undermines the motivation for attackers, thereby reducing the number of attacks. It is an effective and efficient way of reducing the risks of ransomware.


I guess that's where we disagree. I don't believe it would be efficient or effective...and it punishes the wrong people.

 3 years ago  

It is not intended to punish anyone but the criminals. Enacting this would greatly reduce all Ransomware, helping protect all potential victims.

Something similar was done for privacy. The EU made it illegal to collect and sell users' data without their consent. A grace period was given for companies to properly adapt. The same can be done with outlawing the paying of ransoms.

You are comparing apples to oranges, or maybe even skyscrapers. A company can (for example) pay a $1 million ransom to save $10 million in costs. Now the same government that cannot catch the criminals doing this wants to say, no, you can't save that $10 million. Sounds a lot like punishing the victim to me. What does that have to do with violating my privacy? In that case the person having their privacy violated is the victim, to the extent there is one.

Even if laws were enacted against paying ransom, I doubt such laws would involve jail time. Who would you jail when a corporation pays the ransom anyway? How would you prove who paid the ransom when it is paid via crypto, especially one with strong privacy features? Neither the attackers nor the victims would be motivated to tell anyone what is going on. Attacks would still occur, ransoms would still be paid, you would just stop hearing about it in the news because those involved would keep it quiet. Seems like there is very little risk to those paying the ransom, at least in terms of being caught by the government. Assuming the law did not involve jail time, then a company would have to weigh the likelihood of being caught and the likely fine against the cost of paying the ransom and against the cost to the company if they don't pay the ransom. Most companies paying ransoms are doing so because it is saving them a massive amount of money.

Assuming such a law somehow managed to be effective (which again, is where we disagree... I don't believe it would be effective... at least not effective enough), it would still punish victims unless it was 100% effective.

In the long term I think this will become less of an issue without punishing the victims because companies will enact better procedures to prevent such attacks and better procedures for recovering from them without the need to resort to ransom.

 3 years ago  

They are a victim right up to the point that they provide material support for attackers who will harm others. Paying the ransom hurts others.

The good news, is if everyone stops paying then ransomware disappears and the risks go down significantly for everyone!

  1. No law will stop EVERYONE from paying ransom. In my opinion such laws would be ineffective and in reality wouldn't stop ransom from being paid. Again, how would one go about proving a company paid ransom, especially if paid in an anonymous manner? Such laws could even be counterproductive. It's better for companies to be able to freely admit to it to give law enforcement a chance in hell of tracking the money. There are kidnappings for ransom too. Unless the penalty is death, families will pay the ransom if they are able. Honestly, it isn't THAT hard for a company to have a plan in place to recover from such an attack in a manner cheaper and safer than paying ransom. Let companies learn their lesson and figure this out and let law enforcement go after the attackers. Companies can mitigate their own risk.

  2. Providing material support is not what harms others. The attackers are what harm others and should be the target of law enforcement. You could use the same argument for paying taxes. Unless you think paying taxes never harms others.

 3 years ago  
  1. No need to stop everyone, just put a big enough dent into the activity to make it really unlikely for criminals to get paid. The biggest group we need to stop are the businesses, who are paying HUGE sums (ex. $40 million by one recent company).

If we don't move strategically, this gets MUCH worse. Did you know that for a while kidnapping was the second largest contributor to GDP for the country of Colombia (after cocaine distribution)? It was because more and more ransoms were paid. The problem skyrocketed! We want to avoid that with ransomware.

  2. YES, material support to the enemy does harm people. That is why it is illegal in most cases and even considered treason in war. Should people be allowed to invest in murder-for-hire crime organizations or knowingly fund terrorists that will kill women and children? We are talking about a criminal element who purposely seeks to cause harm and victimize others.

I am doing a video series on Ransomware. Here is the first vid that talks about impacts:


Would like your thoughts. (this is a good discussion by the way!)

So in Colombia, did they solve the problem by making paying ransom illegal? That's a rhetorical question, as that is not how the problem was solved. So what is the point of the comparison? To show you don't need laws to prevent paying ransom to solve the problem? In that case, I agree!

I agree with what needs to be accomplished, I just disagree punishing victims is a valid and reasonable way to get there. Unlike failed states, there are reasonable technical solutions to preventing and recovering from ransomware attacks that can significantly limit their effectiveness. Companies will adapt and ransomware will decline over time. Maybe not today or tomorrow or next year, but in the not too distant future. Remember when some new virus was in the news every day? Especially in the Windows 95/98 days... Operating systems became more secure and anti-virus software got better. The same will happen with ransomware.

I've only skimmed the video so far, but I'm not contesting that ransomware is a problem. I'm just contesting your proposed solution. I might contest some of the numbers presented in that video though. 75,000 attacks daily I believe. That the ransom amounts only fall in the range of 200,000 and up I don't believe. In fact, I know otherwise, so I'm not sure where those arbitrary numbers came from... maybe it was referring to attacks only on corporations and not on individuals? And the cost of ransomware in 2031 is unknowable, but I would be willing to bet that technical solutions, education and improved procedures would keep it well below the amount stated in the video by then. While it can be more complicated than it sounds, all companies and individuals really have to do to mitigate such attacks is to keep frequent backups of important data. Restoring from a recent backup has to be cheaper than paying a ransom and waiting (hopefully) for decryption.

You still haven't explained how government would be able to enforce such laws given both the victim and the attacker would be disinclined to let government know about it. Or, if you want to extend such laws to kidnappings, why on earth you think people would pay attention to such laws when trying to save their loved ones.

Your examples as far as "material support to the enemy" are off base. People aren't paying ransoms to commit treason, they are doing it to save their company, irreplaceable data, loved ones, or whatever it is they are trying to save. If the government considers these people "the enemy" then I suggest they destroy the enemy. Not their victims. Which is very well what such laws might do. By this logic, if a thief had me at gunpoint and I gave him money then I would go to jail and I should have just let him kill me instead. After all, giving him the money is "giving material support to the enemy".

If the law by itself prevents such attacks, then the point is moot. No one would ever have to break the law because they wouldn't be attacked. If they are attacked, then clearly such a law did not help them and in fact potentially causes great harm if obeyed.

Oh, and apparently paying ransom is already illegal according to https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u-s-dept-of-treasury-warns/ and https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

Has it helped?