Hi Jim, Very nice text from you and you seem to offer good hints on how to stop it long term. The reality is that USA is going in the direct opposing direction that you express. The payment to ransomware gangs is now tax-deductible. "Extorted by ransomware gangs? The payments may be tax-deductible". Published June 21st. https://www.cbsnews.com/news/ransomware-payments-may-be-tax-deductible/ Again from cbsnews. Not sure if we can rely on them to report accurate news? Jean -----Original Message----- From: NANOG <nanog-bounces+jean=ddostest.me@nanog.org> On Behalf Of Jim Sent: June 25, 2021 8:26 AM To: Brandon Svec <bsvec@teamonesolutions.com> Cc: nanog@nanog.org Subject: Re: Can somebody explain these ransomwear attacks? On Thu, Jun 24, 2021 at 5:41 PM Brandon Svec via NANOG <nanog@nanog.org> wrote:
I think a big problem may be that the ransom is actually very cost effective and probably the lowest line item cost in many of these situations where large revenue streams are interrupted and time=money (and maybe also health or life).
Big problem that with organizations' existing Disaster Recovery DR methods -- the time and cost to recovery from any event including downtime will be some amount.. likely a high one, and criminals' ransom demands will presumably be set as high a price as they think they can get -- but still orders of magnitudes less than cost to recover / repair / restore, and the downtime may be less. The ransom price becomes the perceived cost of paying from the perspective of the organizations faced with the decision, But the actual cost to the whole world of them paying a ransom is much higher and will be borne by others (And/or themselves if they are unlucky) in the future, when their having paid the criminals encourages and causes more and more of that nefarious activity. I would call that a regulatory issue regarding commerce and payments not able to be addressed by technology. No matter how much companies can improve your DR process to cost less for a recovery and take less time -- a recovery is bound to still involve some downtime and cost a large enough amount where it will then be possible for motivated criminals to come up with a dollars cost improvement for a ransom that will be less than it. I do wonder for a moment.. about companies paying ransoms: Do they somehow manage to get the crooks' W-9 and verify their identity, as required when an organization makes a payment to any 3rd party -- or do those paying ransoms somehow circumvent the mandatory tax reporting and witholdings, B/c it seems like making a payment to an Unnamed / unidentified / unverifiable party ought to be a crime or make the payor be considered an accomplice in the crooks' evasion of the taxing authority? I always think.. have the governments impose penalties, eg. "If you make a payment for a ransom, then a penalty of $10k plus 10000% the ransom will be due." / Have it be a more-severely penalized crime to send any digital payment for a transaction above X say $1000 without the Proof of Identity and Physical location of all Payees -- make sure it gets enforced strictly against anyone paying a ransom. Make the ransoms not payable without larger repurcussions, and perhaps the crooks will have to find a new profession.
The original thought that it should be handled like standard DR and tighten up security may apply to very small businesses though where they could afford to try to ignore the ransom request and rebuild more securely hoping the criminals will move on and not come back for revenge.
-- -Jim