Coincidentally and interestingly, again, I was reading an old thread from 2015 titled - ProtonMail pays $6k ransom, gets taken out by DDoS anyway
The top comment says -
"NEVER EVER PAY RANSOM MONEY. Please. Even if your business will suffer it will suffer a lot more if you do pay since now it is known you'll cave. Also: you are making the problem larger for others."
The top response to that comment says -
"From their blog: https://protonmaildotcom.wordpress.com/ At around 2PM, the attackers began directly attacking the infrastructure of our upstream providers and the datacenter itself. The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes. This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.
At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom."
Full thread here -
Most hackers actually keep their promises if paid the ransom, nowadays.
It sounds perverse but the incentives require it: if payment didn't bring resolution, no one would pay. As a result, all of the big gangs avoid scamming.
That was the state of play in 2015 as well. In the absence of a claim from the group otherwise, I wouldn't be surprised if they simply couldn't get it to stop (on a technical level.)
Way back when, it was a pretty common screwup to accidentally saturate the nodes you were packeting from. So then your C&C couldn't get them to respond, either. Oops.
>Most hackers actually keep their promises if paid the ransom, nowadays.
I don't think that's actually true, or at least it certainly cannot be taken for granted. Instead, it appears ransom has followed more of the path of Silicon Valley VCs:
> It sounds perverse but the incentives require it: if payment didn't bring resolution, no one would pay. As a result, all of the big gangs avoid scamming.
What you're describing is the expected Game Theory outcome over long periods in an iterated game. This works as long as the payment amount is towards the <salary> side of the potential payment spectrum, where each payment may well be decent money for the work the ransomers put in but not so much that they don't need new ransoms. The problem comes if/when the absolute amount of payment moves from "salary" to the "Exit"/"Retirement" side of the spectrum, ie, heads into what VC would call "Unicorn" status. At some level of money it reaches the point where the ransomers need never work again in their lives, it's enough money to get out of the risky business and live off of it indefinitely. It's now no longer an iterated game but a single game, and in single games defection can be rewarded. It no longer matters if reputation is burned, on the contrary it might be the moment to cash all accumulated rep in.
I think in general, both on the bright and dark sides, this sort of "phase change" in a given market space is worth trying to keep an eye out for because it can result in significantly changed behavior "out of nowhere" that can head in ugly directions very fast.
Yeah, this business is based on actually delivering the promise.
The point is that by paying you incentivize it and make it worthwhile not that the hackers keep promises.
That makes sense. They should pay, then.
Seems like there is an Achilles heel for this business model: A "good guy" could start hacking companies, demand ransom while pretending to be one of the gangs, and then deliberately continue the attack after the ransom is paid. Precisely to destroy this business model. The gangs would be fuming but there would be nothing they could do? Apart from trying to track down the "good guy" or introducing some sort of (cryptography based or whatever) proof-system that a hack was made by them?
This is an interesting thought. I'm waiting to see responses to it.
> "NEVER EVER PAY RANSOM MONEY. Please. Even if your business will suffer it will suffer a lot more if you do pay since now it is known you'll cave. Also: you are making the problem larger for others."
These days, companies try to mitigate the reputational harm associated with paying the ransom by instead paying security firms that "specialize in ransomware recovery" and claim to have "proprietary trade secret means of decrypting their clients' files". These firms always just happen to charge more than the cost of the ransom for their services. They then provide a non-itemized receipt, and both parties walk away happy and without having to admit to anything. Here's a good article on this practice if you're interested. https://features.propublica.org/ransomware/ransomware-attack...