Submitted by giuliomagnifico t3_yvweup in technology
Fun_Ad_9878 t1_iwgnj30 wrote
I kind of think that this is irrelevant. I have been part of two ransomware attacks and in both cases the only way to pay was bitcoin. I strongly discourage any form of paying ransomware attackers but those that do pay will not be stopped by any law.
blargmehargg t1_iwhgvfy wrote
Eh, the finances of public companies can make payments like this harder to hide.
I’m also against ever paying these ransoms, and if they’re going to make a law preventing it I think it should only apply to companies of a certain size (and there are various ways to draw that line). This would allow small businesses who could be entirely crippled to the point they cease to operate to make their own decisions there (though I still think it's an awful idea to comply).
badillustrations t1_iwhfe1c wrote
> those that do pay will not be stopped by any law.
Can you explain this to me? Are you saying because it's in bitcoin the government can't stop the transfer?
reykjabitch t1_iwhkskz wrote
The point is that the government doesn't know what is vs. what is not a ransomware payment, and has no way of knowing, so what's the point of making it illegal.
badillustrations t1_iwhte0v wrote
Are you saying because it won't automatically be disclosed, why bother to make it illegal? Aren't most laws not automatically detectable by authorities so they open an investigation?
comegetsumFUCKing t1_iwhqoqp wrote
no, the person you’re replying to has it correct. Tell me, what is hard to define about a ransomware attack? You get hacked, the data is locked and you have to pay a ransom to unlock it.
quettil t1_iwn2b3i wrote
The company would have to buy the bitcoin, and then you have proof.
Alan_Smithee_ t1_iwhtvxt wrote
How would they police it?
Fun_Ad_9878 t1_iwhyby7 wrote
Yes, that is what I am saying. The premise of any law is that it can be enforced. It's true that bitcoin wallets are public info and many of their owners are known. Yet the only real way to enforce it is by blocking bank accounts and banning certain types of credit card vendors, much like gambling houses do. The only way to enforce a ban on ransomware payments would then be whistleblowers. I got news for you. Unlike license violations, where the company pressures its workers to break the law and the employee has no benefit, in the case of ransomware payments the employees are usually at fault and will be in no hurry to have their name out there, since they likely suggested paying it in the first place to cover up their mistakes.
Another issue is the size of the transfer. I have never paid for ransomware (so I don't know the price) but if the ransom is say less than 10k USD then it can be hidden in such ways but if it gets to be more then really there will be no way to hide it. This is where terrorists get stuck imo. Of course terrorists already have their money in bitcoin so it's likely less of an issue.
badillustrations t1_iwhzfxc wrote
> I got news for you. Unlike license violations where the company pressures it's workers to break the law and the employee has no benefit, in the case of ransomware payments the employees are usually at fault
I guess I don't understand this assumption. There are equivalents of SOX compliance across many countries and that everyone in a compliance team would be totally cool signing off on illegal activity is a little strange to assume.
I think bitcoin is a little secondary to this conversation. Someone could convert X dollars to bitcoin and it's hard to track, but just taking X dollars out of an account needs to be accounted for just as if someone took it out to cash.
Fun_Ad_9878 t1_iwi0g27 wrote
>I think bitcoin is a little secondary to this conversation. Someone could convert X dollars to bitcoin and it's hard to track, but just taking X dollars out of an account needs to be accounted for just as if someone took it out to cash.
The expense could easily be itemized as a security expense. Data recovery expense. If they really wanted to get creative then they could list it as any old expense like an employees' party or who knows what else. If a receipt is a problem then they can just pay said employee a bonus and he could convert it. There are plenty of ways. If the payment is done in conventional ways then it can usually be stopped.
LeastDescription4 t1_iwibztw wrote
On an unrelated note, do you know how invasive ASIC can be? Their "proactive surveillance" is fun.
Basically any financial company is well aware of the level of scrutiny behind stuff like this, so I wouldn't be surprised to see another government agency being given similar controls/access. Probably the OIAC I guess considering they already do the mandatory data breach reporting stuff.
DasKapitalist t1_iwi2ly9 wrote
>There are equivalents of SOX compliance across many countries and that everyone in a compliance team would be totally cool signing off on illegal activity is a little strange to assume.
Every USA-based company which does business internationally and "complies" with the FCPA laughs at your optimism. Bribing people in the third world to do their job (or to "protect" your business from "accidents") is both illegal and ubiquitous. It's the sort of thing you'd see categorized as "consulting expenses", "travel and entertainment expense", or "risk mitigation expense".
For ransomware, they'd probably just label it "data recovery expense" or "penetration testing expense" if the accountant had a sense of humor.
quettil t1_iwn211b wrote
You can ban people from buying bitcoin.