Originally published at: http://boingboing.net/2017/06/28/human-shields.html
…
Interesting. Highly defensible, I’m sure, both legally and ethically. But also a pretty strong action for an almost entirely disinterested third party to take with other people’s files.
Especially since blocking the e-mail does nothing to block the payment channel, and it’s pretty unlikely that 100% of the infected who’d have been willing to pay will see this random company’s tweet. So I suppose there’ll be at least a few people who send their money into a void because of this.
#firstworldcorporateethicaldilemmas, I guess.
They only shut down the key retrieval path, not the payment path.
Users can still pay to the bitcoin wallet, they just can’t request the unlock key.
This is a HUGE difference from what the post describes.
It’s not fundamentally any better though, is it?
I’m calling it that the email provider gets a lawsuit from a company that lost critical data and would have decided to pay the ransom. I’m not sure I agree with that, just wouldn’t be surprised in the least if it happens. Anything to do with ransomware is awful really.
Ideally this sort of action could poke a big hole in the “business model” of ransomware. If they can’t get paid no sense developing. That said I doubt it’ll be much of a deterrent for future attacks.
I would expect that most people won’t know the key retrieval path will be shutdown so the ransomware authors will still get paid. I think that’s way worse than what the article is (incorrectly) indicating: the authors not being paid.
If payments don’t result in getting files unlocked then security advisors will make the default response to ransomware “Don’t pay, you won’t get your files back and you’ll be out money.” Folks will still get screwed over though. My understanding was most ransomware attackers understand that unlocking files after getting paid is good for their so-called business up till this point.
How?
There is no contract between the victim and the email provider. Any contract is between the provider and the account holder and I am sure that there is a clause allowing the provider to suspend accounts if the TOS are violated. There is in any case no guarantee of delivery of email.
Advice is never, ever to pay the ransom, on the basis of Kipling’s verse:
“I tell you again and again
That once you have paid him the Danegeld, you never get rid of the Dane.”
The ethical counterpoint is that, while third parties are deciding what happen to your files, they’re also protecting other third parties’ files by signaling to potential ransomware hackers that this isn’t a viable business model. Utilitarianism in action.
It just seems to me that some lawyer would try it. More as a “your companies actions caused us to lose [some large amount of money]” than contract related. Also an email provider is an easier target than the ransomware attacker. I hope it wouldn’t hold up in court.
Edit: Oh and I agree that we shouldn’t pay. I just figure some folks with no backup would opt to pay rather than risk losing their livelihood because of critical data to their business is lost.
But are they signalling that, or are they just signalling their non-complicity as a corporate entity? Making it so that ransom hackers have to run their own mail servers may eliminate scriptkiddies from the high seas, but not many actual pirates…
Even if they are, the result is the same: the hacker loses his ability to collect the ransom, disincentivizing future ransomware attacks. Such an attack is pointless if you know you’ll be prevented from collecting the ransom before you can collect any of it (discounting the nihilists who just want to watch the world burn, who I believe number fewer than we think).
True enough, but it’s been suggested that ransomware attacks are on the rise because they’re simple enough for someone even less competent than a script kiddie to implement. Shutting down the ransom email address at least raises the barrier to entry, meaning those criminals enticed by the ease of making money will stop engaging in ransomware attacks.
Negligence, perhaps?
I was trying to think how that might work but it still seems to have the problem that an email provider has no contractual obligation to deliver an email, and even a paid email service works only on a “best effort” basis due to the nature of the protocol. If there’s any negligence it’s by the criminal.
But I guess the victim could sue the criminal for failing to supply the key via a reliable method of delivery.
Negligence doesn’t require a contractual relationship, just a duty of care; you can be negligent toward complete strangers. A criminal who engages in an intentional act, by definition, can’t be negligent. I agree negligence is a long shot, but it’s not categorically dismissable.
Wouldn’t all the law enforcement want that account to still be working? So they can trace who’s using it?
It sounds like it’s not actually ransomware, so this action ultimately does no additional harm:
https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b
2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas, 2017 Petya does permanent and irreversible damages to the disk.
On the left, we can see the current version of Petya clearly got rewritten to be a wiper and not a actual ransomware.
Oh sure. It immediately strikes me as the sort of perfect endlessly debatable, soon-to-be-appearing-in-philosophy-classes-worldwide matter that lends itself to a million different persuasive arguments. Personally I doubt there’s a stance I could take that I couldn’t be argued out of.
Glad it wasn’t my choice to make.
two words: server logs.