Hacker News

I don't see why a company would pay a ransom to protect their customers from identity theft -- the losses are public, while the costs to them are a very small number of customers that read about this, think they're likely to lose the data again, didn't already lose their data in this leak, remember this story at the time of purchase, and value that more than things like ticket time or ticket price. I don't think the hackers should be making any money this way.


It's much simpler: paying will result in more crime like this.


That's the official stance, but if it really mattered they'd pay.

And there are of course paths to pay without losing face, like hiring a negotiator or a recovery firm that acts like a bridge for the money[0]. We came to accept that companies don't act ethically and will only maximize profit, yet the narrative is still stuck on that weird assumption they care about the future of society regarding ransomware.

[0] https://zendata.security/2025/07/08/ransomware-negotiator-sc...


Shouldn't the company be punished for the security failure in the first place?

It might even be helpful: you could prevent the incentive to pay for security breaches regardless of the negotiation outcome.


> Shouldn't the company be punished for the security failure in the first place?

Yes. The GDPR has provisions for this. But enforcement is still relatively light.


Tragedy of the commons. It's irrelevant to the extorted company whether or not it becomes more common in the future, they have a much bigger problem now.

The reason they didn't pay is because they conducted a cost benefit analysis and decided it's not worth it to them.


> It's irrelevant to the extorted company whether or not it becomes more common in the future, they have a much bigger problem now.

No, it's not irrelevant because that future might be tomorrow. The criminals remain in possession of the data whether they get paid or not, that is, the extortion can be restarted the next day (or hour) after payment.

There's no way to trust an anonymous group you know nothing about, be it to keep their word or to keep your data safe from individual members or splintering groups.


That would be part of the cost benefit analysis. And you would be surprised how "trustworthy" these ransomware groups are. Probably because publishing the data is a hassle they would rather do without, and finding actual buyers for such data is hard (corporations don't tend to have black budgets).

No, whenever they decide not to pay it's because they made the decision to absorb the damage rather than pay criminals who may or may not be sanctioned (and that fact may later emerge), creating additional liability. So you know that when they pay the damage would have been very great indeed. In this instance the damage is likely minor or, more likely, off-sourced.

Nobody is going to refuse to pay because that would be better for the collective and let the ransomware industry die. They may however choose to publicly state that as the reason.


You never know. Pay them enough and they might retire to an island somewhere instead.


The current groups, sure, but the existence of a functioning market tends to bring in more participants. Or to put it another way, there are plenty of smart people in the world who found themselves born in a less-than-ideal country and are willing to solve their problems through crime.

The only sustainable solution is to make crime no longer pay. Nothing else will work.


The other solution is making those “less than ideal” countries have more attractive legal economic opportunities so that crime isn’t an attractive alternative.

Basically making crime no longer pay best


That requires cultural changes through a timescale of generations, so it’s not a feasible solution.


Or let those smart people easily move to little-bit-more-ideal countries.


Fun fact: emigration laws in despotic third-world shitholes ruled by autocrats aren't the same emigration laws that privileged westerners enjoy.


The only reason these persist is because companies pay out and they can receive it in untraceable cryptocurrency in countries that are nearly to prosecute them in.

Appeasement has never worked.


Ransomware existed before cryptocurrency, and BTC is extremely traceable - far more traceable than cash, for instance.

The only factor that matters is the adversaries residing in a jurisdiction with a lack of enforcement.


> The only reason these persist

You make it sound like a simplistic game with set rules. There will be myriads of other reasons to breach companies, and even strictly sticking to the money part, doing ransom/extortion can have secondary and tertiary effects worth enough to do it even if the ransom fails.

If you look at it as a market, the victim is only one actor among many.


> Pay them enough and they might retire to an island somewhere instead.

Why wouldn't they do that and sell the data?


He wrote "more crime like this", not "more crime like this committed by the same group".


Islands are pretty expensive to live on. If anything, retiring on the island will require more crime.


If you send me 200 million I will put that to the test for you.


I think ransom is also a bit of a misnomer that the hackers deliberately use to frame the transaction in a more positive light.

I mean, it's just extortion. Nothing is being ransomed, you don't get something back and you can't really secure something already lost. It suffers from the same problems as other forms of extortion, namely that you can't really trust the other party to do what you want and really they have no incentive to do so.


I don't think data leak extortioners have any incentive to even pretend they won't keep asking further payment.

Why not just offer a monthly subscription "service"?


And the best part? The ransomware startup can now mark the income as MRR extending to infinity, thereby significantly increasing the startup's valuation! If you want to learn more about B2B sales, hit that like button and click on this .exe file to subscribe for more updates.


thanks for the laugh, gave me a good chuckle by ".exe file"


At that point, the company should just pay for an actual security team.


Security is not a binary state. You can pay as much as you want but there’s no assurance that you won’t be hacked.


Great, now even crime groups are following consultancy advice. \s


But the parent post's point still stands - extortion (or ransom) requires something important to be held. If the private data of customers is not actually important, it cannot be used as a threat in the extortion.


We have public agencies like the police that are paid for by the taxpayers for securing property. Are there similar agencies who are incentivized to stop these situations? During the pipeline breaches several years back, I recall aggressive action to disrupt the money trail.


To the extent these situations are as illegal as property theft, public agencies tasked with law enforcement, like the police, are in the same position to secure your data as they are to secure your property, no?


The only thing that would prevent this from happening would be if the companies make their stuff safe.

You can't police the world.


It’s even more dystopian than that. In Australia itself, Qantas is the only carrier between many cities. So if you decide to not book Qantas, you’re potentially driving across the Outback.
