I was on Twitter the other day and saw someone suggest that we could fix people paying ransoms by making it illegal for them to do so.
I was a bit flippant with my response. The person making the argument appears to be a serious security professional acting in good faith, and my response was below my standard for civil discourse. Apologies @VickerySec.
Do you know how to stop ransomware?
Make it highly illegal to pay a ransom. Consider the files deleted.
Do not allow large payments of money to criminals, as it guarantees and aids future harm to others. We frown on that.
Ransomware would disappear in a month. This is easy.
— Chris Vickery (@VickerySec) April 3, 2021
A lot of what I reacted to was the notion that this would be easy. “Disappear in a month”, he said. That’s hyperbole but I should have ignored it and focused on the argument.
The part that most people latched on to, including me, was the notion that making something illegal can stop it from happening. As many pointed out, history has taught us that this often doesn’t work. The war on drugs. Alcohol prohibition. The list goes on.
But what that leaves out is where it does work. It’s illegal to sell your kidneys and other body parts, for example. Unless I’m unaware of something, we don’t have a serious problem with poor people—at least in the west—selling their kidneys to buy a house or a car.
I think it’s safe to say that more people would do it, and markets would emerge overnight, if it were to be made legal again. So that’s an example of where making something illegal does work.
But that’s not even the real discussion here. That’s the red herring. The real discussion isn’t about a direct transaction that benefits the seller, like buying alcohol or selling a kidney.
The real discussion is about making it illegal for the victim to do something after being attacked—with the hope that by doing so it will stop future attacks for others. The difference seems minor, but it isn’t. In the first case above, the person selling their kidney or buying alcohol is doing so because they want something directly from it. It’s a positive transaction for them.
With ransoms, people pay to undo a negative that’s already occurred. Nobody wanted to pay a ransom in the first place, whereas they did want the alcohol in the first place.
So when I and others say things like:
Or maybe…making things illegal doesn’t stop people from doing them.
…that’s not quite correct. It’s more nuanced.
So let’s look at the strongest form of his argument. Or as Alessandro Vernet captured…
Don't you think that making paying a ransom illegal would highly reduce the likelihood that a local city government, or hospital, ever pays one?— Alessandro Vernet (@avernet) April 7, 2021
This is a great question, and I responded in the affirmative.
Anyway, after thinking about this for a day I think I’ve dialed in on what’s really bothering me about it.
It’s not so much that people find a way to do illegal things—which is the bandwagon everyone jumped on—but more of a question of economic incentives and externalities. So here’s my main question:
Assuming the ban worked.
What do these malicious actors do with the access they have when they’re no longer allowed to monetize it directly?
I can tell you one thing I’m terrified of—now that it popped into my head—which is a new market where state actors buy access from cybercriminals.
So they just show up, prove their access, and get paid as much or more than a ransom because China and Russia are willing to pay for that access for either espionage or disruption capabilities.
So they just start vacuuming up the access—essentially using the ransomware gangs as their initial access layer of the operation.
That’s scary as hell.
Of course, the other thing that makes outlawing ransom payments rather unlikely is that stuff just starts getting shut down. Our schools go dark. Our city governments. Our universities. Our small and medium businesses.
Like tens of thousands of them.
I don’t think people realize how much of our infrastructure is running right now because people are paying ransoms.
Oh, and what army is going to do the enforcement?
Assuming people actually did stop paying them because it was illegal to do so, and stuff started getting shut down, I don’t imagine we’d have the courage to hold the line. I think that policy would get reversed—or become non-enforced—very quickly.
- Sorry for being froggy; it was a real argument from a real security person.
- The illegality argument (like prohibition) doesn’t capture the situation fully.
- The ransomware gangs would still sell the access they’ve gained; the question is to whom?
- We have to start worrying more about this “Access Marketplace” now, even when it’s still legal to pay ransoms. There’s no guarantee this isn’t happening just because the other is happening at the same time.