The push to ban ransom payments is gaining momentum
Effectiveness of Banning Ransom Payments
- Supporters argue ransomware is largely profit-driven; removing payout potential should collapse most operations, similar to historic reductions in kidnapping and mob protection rackets.
- Game-theory framing: a credible, enforced “no payments” rule makes future attacks worthless to the attacker, so long‑term attack volume should fall.
- Some are willing to accept bankruptcies and large losses as “amputation to save the body,” prioritizing not funding criminal and hostile-state ecosystems.
Critiques, Enforcement, and Perverse Incentives
- Critics see this as punishing victims and enabling victim‑blaming, given that “perfect” security is impossible.
- Enforceability is questioned: payments could be hidden via under‑the‑table crypto, shell companies, mislabelled “consulting fees,” or petty cash; tax and audit capacity is limited.
- Likely side effects: stronger incentives to conceal breaches, avoid law enforcement, and reduce public disclosure and shared learning.
- Some worry criminals will respond with more brutal tactics or secondary blackmail (“pay us or we’ll report your illegal payment”).
Alternatives to an Absolute Ban
- Popular proposal: keep payments legal but impose steep fines or special taxes (e.g., 300%) on ransom outflows, using proceeds to fund security or counter‑ransomware operations.
- Other levers mentioned:
  - Insurance regulators forbidding or tightly constraining ransom coverage.
  - Security regulation/mandates (e.g., strong 2FA for critical or GDPR‑covered data).
  - Software liability and contractual indemnity for security failures.
  - Stricter controls or outright bans on cryptocurrency.
Responsibility, Preparedness, and Culture
- Many comments stress that numerous high‑profile victims lacked basic controls (MFA, good backups, tested restore procedures), and that “unreasonably vulnerable” businesses shouldn’t be viable.
- Offline, regularly tested backups and a culture that rewards quickly “pulling the plug” on suspicious activity are repeatedly cited as crucial.
- Others counter that even security‑conscious organizations and intelligence targets get breached; responsibility boundaries are inherently fuzzy.
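The “tested backups” point above is easy to state and easy to skip; an added example (not from the discussion being summarised) of what a minimal restore drill looks like in code follows. It records a SHA-256 manifest when a backup is taken, then verifies a restored copy against that manifest and reports files that are missing, altered, or unexpected, and flags a backup older than a policy threshold. The file names, contents and the `MAX_BACKUP_AGE_DAYS` value are constructed for the demonstration and are assumptions, not anything from the thread.

```python
"""Backup manifest and restore-drill check (added example, not from the thread)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 7  # assumed policy value for the demonstration


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every regular file under root, plus a timestamp."""
    files = {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }
    return {"created": time.time(), "files": files}


def verify_restore(manifest: dict, restored_root: Path, now: float = None) -> list:
    """Return a list of findings; an empty list means the restore drill passed."""
    now = time.time() if now is None else now
    findings = []
    age_days = (now - manifest["created"]) / 86400
    if age_days > MAX_BACKUP_AGE_DAYS:
        findings.append(f"stale: backup is {age_days:.1f} days old")
    for rel, expected in sorted(manifest["files"].items()):
        p = restored_root / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            findings.append(f"altered: {rel}")
    known = set(manifest["files"])
    for p in sorted(restored_root.rglob("*")):
        rel = p.relative_to(restored_root).as_posix()
        if p.is_file() and rel not in known:
            findings.append(f"unexpected: {rel}")
    return findings


def demo() -> tuple:
    """Constructed scenario: a clean restore, the same restore judged stale, and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (src / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(src)
        # The manifest is plain JSON; store it with the offline copy, not on the live host.
        manifest = json.loads(json.dumps(manifest))

        good = tmp / "restore_good"
        shutil.copytree(src, good)
        clean = verify_restore(manifest, good)
        stale = verify_restore(manifest, good, now=manifest["created"] + 30 * 86400)

        bad = tmp / "restore_bad"
        (bad / "db").mkdir(parents=True)
        (bad / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT)\n")  # altered
        (bad / "stray.tmp").write_bytes(b"")  # not in the manifest; config.yaml is missing
        broken = verify_restore(manifest, bad)
    return clean, stale, broken


if __name__ == "__main__":
    for label, result in zip(("clean", "stale", "broken"), demo()):
        print(label, result or "OK")
```

The useful property is that the drill produces a concrete pass/fail list rather than a belief that backups exist; run it against a restore performed from the offline copy on a schedule, and treat any non-empty result as an incident in its own right.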
State Actors and Ethics
- Several note that in Russia, North Korea, and some other states, ransomware groups reportedly operate with tacit or explicit approval, limiting traditional law‑enforcement options.
- Analogies to kidnapping and terrorism bans divide commenters: some endorse consistent refusal to pay even for loved ones; others find this morally unacceptable or context‑dependent.