He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.

His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.

Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.

on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).

the dynamics/economics around ransomware is fascinating.

This is shockingly naive

It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.

This is bullish on Monero[2]. The January pump may have been from a hack as well[3].

Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].

[1] https://www.youtube.com/watch?v=IeTybKL1pM4

[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...

[3] https://xcancel.com/zachxbt/status/2012212936735912351

[4] https://archive.ph/4zD7f

[5] https://archive.ph/NYWbJ

I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.

Hmm. I thought all these agencies say NOT to pay a ransom.

Paying a ransom signals 3 things: 1) you are vulnerable to attack 2) you cannot recover from an attack 3) you've got cash

The result is that you get attacked much, much more. You could ask me how I know, but I wouldn't tell you :)

>the deal means that the hackers have returned the compromised data of some 275 million users across more than 8,800 institutions.

Yea sure, they didn't keep the copy of stolen database. You know, criminals are very trustworthy people.

(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."

(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].

(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are ilegal.

(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.

(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.

[1]https://2021-2025.state.gov/briefings/department-press-brief...

does "yes, I deleted the data" in an email count as digital evidence?

(https://www.instructure.com/incident_update#:~:text=STATUS%2...)

In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.

IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.