Interview with a ransomware group (therecord.media)
120 points by stereoradonc on Aug 3, 2021 | 129 comments


As for repercussions, notice they indicated "fear of the United States and its planning of offensive cyber operations". We don't hear a lot about US offensive operations. Maybe they're ongoing but they don't get a lot of press. If that's the case maybe they need more for deterrence purposes. Does anyone have any visibility?

Also, notice they did not mention any concern the FSB would invite them for tea, pay respects to their families, or any other ... imperial entanglements. This says a world about their standing in Russia, whether tolerated, encouraged or some other arrangement.


Russia's policy is to leave cybercrime alone as long as they don't attack Russia.

A hacker group in Russia declaring to only target companies in the USA and Great Britain is like a US group that only targets Iran and China. US agencies probably wouldn't find time in their busy schedules to go after someone targeting Iran either.


Hence why some malware programs won't activate if they detect the computer's keyboard layout is set to Russian.
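Editor's added example, not code from this thread or from any malware family: the layout check the comment above describes, written as a reusable decision function plus a Windows enumeration wrapper so a defender can see exactly what such a check would observe on a host. The LANGID values are standard Windows language identifiers (the low word of an HKL layout handle); which of them a given family tests varies, so the set below is illustrative, and the sample handles in the demo are constructed.

```python
"""Keyboard-layout evasion check, and a way to see what it would see.

Added example. Not code from the thread or from any real family; the
LANGID set is illustrative and the sample handles are constructed.
"""
import ctypes
import sys

# Windows LANGIDs (low 16 bits of an HKL keyboard-layout handle) for Russian
# and other CIS-area locales. Families differ in which of these they include.
CIS_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x0428: "Tajik",
    0x042B: "Armenian",
    0x042C: "Azerbaijani (Latin)",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
    0x0444: "Tatar",
    0x0818: "Romanian (Moldova)",
    0x0819: "Russian (Moldova)",
    0x082C: "Azerbaijani (Cyrillic)",
    0x0843: "Uzbek (Cyrillic)",
}


def langid_of(hkl: int) -> int:
    """The language identifier is the low word of the layout handle."""
    return hkl & 0xFFFF


def matching_cis_layouts(hkls):
    """Names of installed layouts that fall on the CIS list (empty if none)."""
    return [CIS_LANGIDS[langid_of(h)] for h in hkls if langid_of(h) in CIS_LANGIDS]


def would_abort(hkls) -> bool:
    """The evasion decision: do not run if any CIS-area layout is installed.
    The layout only has to be installed, not active."""
    return bool(matching_cis_layouts(hkls))


def installed_layouts_windows():
    """Enumerate installed layouts with user32.GetKeyboardLayoutList (Windows only).
    Run this on a host to see exactly what the check above would see."""
    if not sys.platform.startswith("win"):
        raise OSError("GetKeyboardLayoutList is a Windows API")
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    fn = user32.GetKeyboardLayoutList
    fn.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    fn.restype = ctypes.c_int
    count = fn(0, None)                 # first call: how many layouts are installed
    buf = (ctypes.c_void_p * count)()
    fn(count, buf)                      # second call: fill the buffer with HKLs
    return [int(h) for h in buf if h]


if __name__ == "__main__":
    # Constructed sample handles: a US-English-only host, and one that also has
    # the default Russian layout installed (HKL 0x04190419).
    us_only = [0x04090409]
    with_russian = [0x04090409, 0x04190419]
    print("US only  -> abort:", would_abort(us_only))
    print("RU added -> abort:", would_abort(with_russian), matching_cis_layouts(with_russian))
    if sys.platform.startswith("win"):
        print("this host ->", matching_cis_layouts(installed_layouts_windows()) or "no CIS layouts")
```

The check is a heuristic on the attacker's side, not a guarantee on the defender's: it is cheap to flip in a build, the exact locale list differs between families, and some look at other locale signals as well, so installing a Russian layout is a nuisance for the attacker rather than a control.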


*Russia and its allies, CIS states, are also off-limits.

But yes, you are correct.


Stuxnet and Windows are pretty well known I would say.


You might check out Inside Cyber Warfare by Jeffrey Carr from 2011. It's ancient, predating (AFAICT) the rise of ransomware, and technically illiterate, but goes into considerable detail about the Russian cyber-crime/-war (they're the same, really) groups and their relationship to the government.


This is an interesting topic because BM claims to have a moral compass and is only interested in targeting wealth not impacting humans. Let me ask the question: “if companies paid for in-house security professionals competitive with what one might imagine BM pays, would people still choose the grey work?”. I presume in a dichotomy between clearly unethical and ethical, it’s easy for many to choose ethical. But when you add a grey option, it certainly changes things since I imagine most people are ethically grey. Let’s assume what BM is doing is effectively legal in the country where they operate.


> if companies paid for in-house security professionals competitive with what one might imagine BM pays, would people still choose the grey work?

Interestingly, they answer very clearly:

> We have not been involved in legal pentesting and we believe that this could not bring the proper material reward.

They're in only for the money, so the answer is "yes".

Ransomware is not "grey" work though, if this is the implication; it's extortion, which is illegal.


> Let’s assume what BM is doing is effectively legal in the country where they operate.


This specific activity has direct contact with the victims, which makes it considerably different from other gray-area activities, where there is a strong disconnection from the victims (in which case, the concept of victim additionally becomes blurrier, e.g. tobacco industry or, uh, banking).

Assuming that one has valid job alternatives (and they definitely have, since they're highly skilled professionals, with an available market), one needs to have a certain degree of sociopathy in order to be able to do this line of work.


So you’re suggesting they can find better paying and more rewarding work elsewhere and they choose not to do so? That seems very unlikely for a self interested sociopath…


No, I suggest that, with the assumption that they're highly talented individuals with very marketable skills (especially since they're not restricted by geographic borders), they're trading 100% legal professions with a high reward (say, 200+ k$/year) for a directly violent and basically illegal one, with a very high reward (they could make an order of magnitude more; that's not uncommon for high-calibre spam groups).

Since direct violence is involved, in my opinion this requires a degree of sociopathy.

I'm not sympathetic to spam groups either, but at least their profession doesn't have direct contact with the victims.


I think it’s fair to assume that adding ethical gray is a well understood tactic in this world. And just that - a tactic.


It’s not a moral compass.

It’s a rational decision: Their method of making money is to quietly and without a fuss extort money and have the victim pay.

Attention just brings heat to their operation.


>would people still choose the grey work

some people are just outlaws and choose to do things because they are not allowed normally. so I'd say yes.


>Moreover, LockBit encrypts the first 256 kb of the file (which is pretty bad from the point of view of cryptographic strength). We, on the other hand, encrypt 1 MB. Essentially, that’s the secret to their speed.

So I can just pad all my valuable data by 1MB?
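Editor's added example, not code from this thread or the interview, and not how any real family implements encryption: a simulation of prefix-only ("partial") file encryption of the kind the quoted passage describes, together with the chunk-entropy triage an incident responder uses to tell how much of a file was actually touched and therefore what is recoverable. Ciphertext is stood in for by random bytes, which is all the entropy test cares about; the 64 KiB chunk size and the 7.0 bits/byte threshold are assumptions that suit text-like data; the interview's "256 kb" is taken as 256 KiB; the CSV sample file is constructed.

```python
"""Prefix-only file encryption, simulated, plus an entropy triage for it.

Added example. Ciphertext is simulated with os.urandom; chunk size and the
entropy threshold are assumptions; the sample file is constructed.
"""
import math
import os
from collections import Counter

KIB = 1024


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, well below
    that for text, CSV, logs or most database pages."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def partial_encrypt(data: bytes, prefix_len: int) -> bytes:
    """Overwrite the first prefix_len bytes with ciphertext-like random bytes
    and leave the rest untouched, as a prefix-only scheme does. The speed
    win is simply that only prefix_len bytes are ever read or written."""
    head = min(prefix_len, len(data))
    return os.urandom(head) + data[head:]


def encrypted_prefix_len(data: bytes, chunk: int = 64 * KIB, threshold: float = 7.0) -> int:
    """Triage: walk the file in chunks from the start and report how many
    leading bytes look encrypted. Assumes compressible plaintext; already
    compressed formats (zip, jpeg, mp4) are high-entropy throughout and need
    a different test (e.g. a known-header check)."""
    encrypted = 0
    for off in range(0, len(data), chunk):
        if shannon_entropy(data[off:off + chunk]) < threshold:
            break
        encrypted = min(off + chunk, len(data))
    return encrypted


def recoverable_tail(encrypted: bytes, original: bytes) -> int:
    """Bytes past the detected prefix that survived byte-for-byte (0 if the
    tail was touched too). In real IR the reference is a backup or carved copy."""
    start = encrypted_prefix_len(encrypted)
    tail = encrypted[start:]
    return len(tail) if tail == original[start:] else 0


def sample_file(size: int) -> bytes:
    """Constructed plaintext: a repeated CSV row, which is low-entropy."""
    row = b"2021-08-03,ACME-INV-0001,Widget,12,19.99\n"
    return (row * (size // len(row) + 1))[:size]


if __name__ == "__main__":
    original = sample_file(4 * 1024 * KIB)
    for prefix in (256 * KIB, 1024 * KIB):
        hit = partial_encrypt(original, prefix)
        print(f"prefix {prefix // KIB:5d} KiB: detected {encrypted_prefix_len(hit) // KIB} KiB "
              f"encrypted, {recoverable_tail(hit, original) // KIB} KiB of plaintext intact")
```

On the padding question: against a fixed-prefix scheme, a 1 MiB pad in front of the payload does leave the payload byte-identical, as recoverable_tail shows, but the file is still unusable until something strips the pad, the format's own header is gone, and a scheme that encrypts several stripes of the file rather than one prefix defeats the trick entirely. What the triage above is actually good for is deciding, per file class, whether the untouched tail (database pages, log records, media frames) is worth carving before you fall back to backups.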


wouldn't it just be easier to have duplicate back ups of your "valuables"?


And yet the ransomware is successful.


Of course it is, because people don't make backups properly, if at all.

However, my reply was to someone wanting to pad all of their valuable data with 1MB of fake data so if they were hit with a malware virus it would not actually screw up their data. Never mind that 1MB would screw up normal use, as the apps would not know how to handle that padded data. But you know, yes, if you totally miss the point of the thread, I could see where thinking the point was the lack of failure of malware.


Or just have 1 padded disk image you mount.. Emm no wait, that'd be an fs, so they'd f that up too


reminds me of the Bin Laden interview(s) before 9/11, specifically the one with Robert Fisk where Bin Laden was saying he was going to start attacking America

https://www.bbc.co.uk/programmes/w3csvtth

https://www.cbsnews.com/pictures/osama-bin-laden-tora-bora/


> it was seeking to recruit partners and claiming that it combined the features of notorious groups like REvil and DarkSide

I wonder if they have leetcode style interviews :)


I wonder why they refuse to rip off oil companies? Too well connected & therefore too risky?


Russia depends on oil revenue to survive. They don't want to put any part of that supply chain at risk.


> DS: What do you think about the attacks carried out against Colonial Pipeline’s infrastructure or JBS? Does it make sense to attack such large networks?

> BM: We think that this was a key factor for the closure of REvil and DarkSide, we have forbidden that type of targeting and we see no sense in attacking them.

I think it is your answer, too risky.


Imagine if they shut down every Shell gas station or something similar.


I imagined more along the lines of them hitting Shell HQ and extorting the execs for millions and millions. Shutting down a corporate office seems a more likely scenario than hitting a multitude of effectively independent franchises.


I feel like giving criminals a platform like this is wrong.

I'm all for reformed criminals giving interviews in the context of what they did being wrong, but this is an interview about how they're getting better at their crimes.

Regardless of how easy it might be given security practices, these are crimes, and they are crimes for a reason: they cause damage. Their impact is felt beyond the ransom money paid, it's felt by employees who may be put in terrible positions as their work is held ransom and who might pay up personally to avoid problems at work, it's felt by customers of these companies who end up with higher prices, it's felt by countries as their output is hit. The fact that this "industry" is getting more "professional" does not change the fact that it's harmful. They don't deserve the publicity and attention that this sort of platforming provides them.


I think this is a good thing. It might show potential victims that their opponents are not a bunch of smelly teenagers hopping online after midnight.

These are multi-million (billion?) businesses. There's strategic leadership, target acquisition pipelines, R&D, talent recruitment and coordination with other businesses in the space.

There's every indication that with a little bit of protection money, you can even run your business with no interference from the law, as long as you don't mess around in your own backyard.

You can see from the blog post that this "company" has done a product-market-fit analysis. They've taken a look at their competitors' work, considered the pros/cons, and decided that they can do better. Since they are a b2b company (hehe) you can be reasonably sure this is not some PR aimed at consumers. I think it reads as a recruitment pitch to their lead generators (read: hackers who infect other networks for them).

You can see the pitch, it almost reads as a vacancy post:

- We make a lot of money

- We're new to the scene but already have had success

- We only work with the best hackers

- We pay you lots of money to infect a network, if you got what it takes


When groups do this in furtherance of illegal activities, it's called "organized crime". And such groups need to be pursued aggressively because they are corrosive and poisonous to society at large. If they are not actively and aggressively fought, their negative effects seep into broader society and can become entrenched for generations.


How do you propose to pursue organized crime groups in Russia who are protected by the local authorities? Financial sanctions haven't been effective.


One option would be to try to doxx them, either as part of a criminal investigation or via private investigators. I bet these groups would be much less effective if their identities were publicly known. There's a reason they're not public.


> such groups need to be pursued aggressively because they are corrosive and poisonous to society at large

No, they are pursued aggressively by the government because they compete with it.


What about when your “organized crime” group has a moral compass and isn’t breaking local laws?:

DS: Obviously, there are many talented professionals on your team. Why is it that this talent is aimed at destructive activities? Have you tried legal penetration testing?

BM: We do not deny that business is destructive, but if we look deeper—as a result of these problems new technologies are developed and created. If everything was good everywhere there would be no room for new development.

There is one life and we take everything from it, our business does not harm individuals and is aimed only at companies, and the company always has the ability to pay funds and restore all its data.

We have not been involved in legal pentesting and we believe that this could not bring the proper material reward.

For me the line between organized crime and robin hood is very blurry.


"We do not deny that business is destructive, but if we look deeper—as a result of these problems new technologies are developed and created."

This is such a transparently self-serving joke of an excuse.

A serial killer could likewise say "Sure, I kill people, but as a result of my murders the police develop new forensic techniques."

Right.. as if that justifies anything. These people are just interested in money, no matter who it hurts. They are sociopaths.


But they're not killing people. They're extorting foreign business which is not explicitly illegal, and in fact encouraged, in certain countries. They even go above and beyond that with self-imposed restrictions against healthcare and infrastructure to try and minimize harm. I'm not saying I like what they're doing, but it seems hard to outright stop when their own country doesn't care. Same with Chinese businesses engaging in fraud with foreign investment firms. It's effectively accepted practice encouraged by their country. The market is the only real punisher. So if these types of activities are effectively allowed because people can play by the rules and engage in them, then as a society or as a company you have to respond rationally. "Well it's illegal where I live" is not really an answer. Thus my question is, "should companies pay security professionals more to combat the economics of these organizations?". People seem to think companies should pay out bug bounties on a scale much closer to what e.g. ZERODIUM would pay for 0 days to fix the economics. I guess I'm just asking if there's an economic "solution" to these ransomware groups in absence of a legal one?


This is a form of theft.

I guess if you're ok with taking something that isn't yours you would see no problem with this. The rest of us see this as sociopathy.

That some countries legalize theft of property in other countries does not change the ethics of this at all.


It seems we both agree it's not ethical by our relative standards. But you're not actually responding to my question. I mean hey even killing is justified against foreign actors in the name of war. Doesn't matter. I'm asking whether there's an economic solution because I'd rather not devolve into some form of war.

> That some countries legalize theft of property in other countries does not change the ethics of this at all.

It literally does. Because those people are participating in a society where their actions are not strictly unethical. Their society does not necessarily view them as sociopaths.

Well I should concede it depends on whether your worldview accommodates different ethical frameworks or not. If you are absolutely ethical then all people must adhere to the same ethical standard and you can rightly justify punishment of outsiders.


Even if your worldview doesn't accommodate different ethical frameworks (i.e. I stand behind my own ethical principles, and believe that anyone who disagrees with me is unethical), surely you have to admit that some people will disagree with that stance, will hold their own views that are incompatible with yours, and will call themselves ethical until the cows come home, right?

We're not arguing about whether that's ethical, we're simply pointing out that people like that exist.

You and the parent commenter are no longer arguing about what is and isn't ethical (as you've stated, you both seem to agree), but instead on what to do about the practical reality that society in Russia does see this as ethical, and doesn't give a flying fuck what you or I think.

Now the question becomes, what should we do about that.


Yes! Exactly. Maybe I failed to convey this succinctly. My original question was "What about when this happens, what do we do?"


It's not blurry at all. That's straight up organized crime trying to justify its existence.


This is the same kind of "moral compass" that scammers use to scam senior citizens out of their life savings. The targets are rich Americans (every American being rich compared to where they live), so does it really matter if they lose several thousand dollars?

They outright admit that they see the targets primarily as money bags, and that they are making the economy better in exactly the same way that breaking windows makes the economy better, and your opinion is that it's ethically blurry?


My ethical framework allows for disagreements on the nature of what is and isn't ethical. It doesn't matter if you and I agree some behavior is unethical. Some other group of people clearly consider their behavior to be in the realm of ethical given their worldview, location, upbringing, etc. So no amount of us whining about how unethical it is really changes anything, does it? I personally consider massive hoarding of wealth unethical... so... from a total harm standpoint... yeah it's kinda grey.


“Robin Hood”?? I must have missed the part of the interview where they talk about their charitable redistribution activities…


> as long as you don't mess around in your own backyard.

Based on the recent pipeline incident, it seems that these crime groups realize there are other places you'd better not mess around.

Screw with Bank A or Company B ... fine. Screw with infrastructure of a country with a large scale military, control over large chunks of global finance, and so much more ... probably not a good idea.


Next step is to search for investors.


It's hard to feel sorry for these companies when they have neglected security for so long.

This outcome was inevitable, and hitting the bean counters where it hurts (financial bottom line) is the only way to effect change.


I don't have metal bars across my windows, should they start targeting my house to force me to add them?

I'm being somewhat facetious, but I want to live in a society where not being hyper focused on all forms of security at all times, and just being _safe_ is an ok way to live your life.

"It's easy so we'll do it" is not a defence of this practice. The only reason the security is needed at all is because of people like this. I'm not saying security isn't important, but being bad at security is not a defence of people who take advantage of that poor security.


The reason security is needed is that we have institutional methods for transferring ransom and paying for the rackets.

The reason that it’s ok to have a shitty $80 lock on your front door or an unprotected window near ground level is that the value for a would be burglar to break in for a crime of opportunity is low. If you’re a well known jeweler or gun collector, you typically take other measures because you may be a target.

Cryptocurrency made computer crimes profitable crimes of opportunity.


> The reason security is needed is that we have institutional methods for transferring ransom and paying for the rackets.

The reason we have child pornography is that people don't need to have their photographs developed by a chemist in a photo lab anymore. The photo lab chemists would've turned them in to the cops.


The type of society you want to live in is utterly irrelevant. Those ransomware gangs exist and there is no way to eliminate them. That is our new reality. Any business leader who is bad at security is incompetent. I wish it didn't have to be that way but whining about it won't accomplish anything.


Companies are not people.

If your business is taming wild animals, should you have metal bars around them?


> Companies are not people.

No, but employees and customers are, and they feel real, human costs as a result.

Just because a management team has underfunded security is not an excuse to cause pain on other people.


Employees are being paid by the hour, so they wouldn’t care at all. Customers - true, this might cause delays for them, if the company decided not to pay the ransom. It’s still just a delayed cost, though.


> Employees are being paid by hour, so they wouldn’t care at all

Sorry, but that's just not correct. It's always someone's job to clean up this mess, and that falls on individuals. If they have to clean up a stressful mess, they definitely do care. A lot.

I've had to clear up messes in the past, and it severely negatively impacts my mental health. Never, ever think that it's a victimless crime. They might not feel the force of the actual crime itself, but there are most definitely employees out there where the second-order effects on their wellbeing are starkly negative.

Again, for customers, you never know what those second-order effects of the delayed cost would be. I'm not going to whip up slippery slope arguments, but again, you're assuming that customer interactions with companies are all one-sided "I can do this later" kinds of interactions.

We shouldn't hand-wave away bad things because they only impact some faceless "company". Companies are made up of individuals, most of whom don't want to be there, but most definitely care when they're forced to do more work by some bad actor.


Of course it’s always somebody’s job, but that’s it: it’s their job, they are paid by the hour. There is no “more work”, it’s just that the planned work will be delayed.

Unless your company is exploiting you, of course.


It's much worse than this..

I've seen this happen more than once, where IT spells out the risks and recommends tighter security practices, more security hardware/software, more backups and redundancy, a bigger security team so they're not just running around fighting fires all the time and have some resources to improve security, etc, but these requests are denied because there's not enough budget for them or they're too inconvenient (as security is almost always a tradeoff against convenience).

Then there's a security incident and suddenly money materializes out of nowhere and they'll pay whatever it takes to get back online, making the security and IT teams work nights and weekends until the incident is resolved.

At the same time, security look like incompetent idiots for letting the incident happen in the first place, with everyone conveniently forgetting that multiple requests to tighten security were denied.. and many other people in the company don't even know about what happened, but consider the security team to have screwed up.

So security often wind up looking like idiots, though it's not their fault. Or maybe there really was a screwup by someone who's no longer with the company. Dealing with gigantic legacy systems and endless complexity that no one fully understands is common.

When the security incident blows over, those security budgets shrink again and the importance of security dwindles as other parts of the business take precedence, until the cycle repeats again and again.

Or security really is taken seriously at some companies, and then the security teams are often seen as the "no men", and widely despised because they stand in the way of getting work done.

These reasons and more are why I don't like to work in a security role. Let someone else take the blame.


The lost productivity and general _stress_ due to well-intentioned but ultimately counterproductive software being introduced by IT after a ransomware attack was the last straw for at least two highly qualified engineers I know personally. They left their employer after that. Being blocked from doing your job is highly stressful for people who are motivated by the utility of their work to society, a description which I believe fit these engineers. This is an example of direct human cost - the transformation of a desirable, fulfilling job to one less so.

Now, sure, the IT dept in question could have handled this a little better. Maybe. But the presence of these advanced threats forced IT's hand here.


Because the employer isn’t fixing the problem they’re deploying bandaids that are known not to work. I wouldn't want to work like that either and companies need to learn how to effectively secure software. What if companies paid like BM probably pays? I bet most people would do the work in a less grey fashion. But companies don’t value security so this is the result.


I'm not sure we're going to get much further here if you're arguing on the dichotomy of checked out employees punching a clock vs exploitation by the employer.

Suffice to say, this crap has impact on real people, in the real world. To imply it's just some neutral action doesn't reflect the reality we live in.


what makes you so sure ransomware is "wrong"?

let me rephrase this: do you think corporations are "good"?


that is not the same question :)

some corporations provide value to society. some don't. the evaluation of this will depend on your personal values.

my personal values do evaluate ransomware as "wrong". and the laws of most (all?) countries evaluate ransomware as illegal and thus legally "wrong".


Ransomware companies are also corporations


Not only this, but ransomware companies are even more nakedly in pursuit of profit than most non-ransomware companies. It's hard to imagine any ethical framework regarding capitalism etc. which would enable a favourable view of ransomware companies.


I think making companies and the industry more aware that their bug bounties are undervalued is important. It raises the bug bounties and creates more opportunities.

This is an approach of like "okay let's just ignore your rationale for not doing that and give the hackers a platform until you change"


I completely agree. People should be unaware of ransomware attacks, despite the increase in frequency, scope, and severity over the last decade.

Platforming criminals and making sure more people understand their competence and the threat model is a good thing. We should be scared.


There's a difference between educating and warning people about attacks, and having the attackers do that themselves. I'm not saying we shouldn't talk about these things, we absolutely should! It just shouldn't be by interviewing and glamorising those committing the crimes.


I share your concern that people will see this as cool or glamorous. But isn't it also helpful for people to try to understand the perspective of the attackers, for example because they might

* become better able to defend themselves

* become better motivated to defend themselves

* better understand how to deter these attackers

* become more motivated to seek action from government or vendors to deter these attackers

* have a more informed debate about the ransomware industry or organized crime as a whole

...?

Edit: for example, things that I had heard that were confirmed for me by this interview include that the Russian government is consciously tolerant of this activity (maybe someone could find ways to change that!?), that organized crime fears being caught or attacked by NSA, that ransomware attackers are very sensitive to their reputation and public image, that you can probably count on them to keep their side of their illicit bargains, and that they are especially motivated by money rather than ideology. All of those seem like pretty interesting ideas that might be hard to confirm quite as well in other ways.


Considering the huge environmental damage created by e.g. oil companies (and many others), one could say the same about them?

The only difference is what these people do is illegal while what the companies do is not: the damage, though, is arguably on the same scale, if not lower for ransomware attacks depending on which infrastructure is attacked.


I personally take moral issue with oil companies, but society as a whole has not decided that they are deserving of punishment, so I save my actions for campaigning, lobbying, and supporting groups that are pushing for change.

On the other hand, society has decided, via law making, that ransomware attacks are deserving of punishment.

With so many differing opinions it's hard to please everyone. I'm in favour of having a range of voices that I might not agree with represented in media, but criminals advertising their crimes and talking about how they're getting better at doing it feels like it's fairly clearly past a line.


Following that logic nurses delivering babies are also on the same level considering they're supporting the growth of the human race (which causes all the environmental damage)...

There's a huge difference depending on "details"


That's of course a possible interpretation if you want to stretch everything to the extreme. OP thinks it's dangerous to publish a blog post with such an interview because it gives a platform to people who cause damage.

I'm just pointing out that oil companies have caused way more damage than this guy and they have had a massive platform for decades, why shouldn't we stop giving them a platform as well?


What about the nurses then? Because they've definitely caused a lot more damage?

Because one thing is illegal and the other isn't? In a society that holds laws relatively high that should be a super good argument?


As much as I loathe our response towards global warming, this comment shows why equivalence should not be taken lightly and how absurd the result can be.

How about holding people for ransom? That is equivalent for sure. How about killing people? Well, the oil industry eventually ends up killing some people.

Let’s put a stop to oil industry before we deal with the kidnappers and killers!!


> Let’s put a stop to oil industry before we deal with the kidnappers and killers!!

Nobody said there has to be a priority. Why can't we stop both?

Moreover OP comments was not talking about stopping them, but about giving these people a platform.

Despite the damage done by oil companies they are still allowed to spend billions of dollars in marketing, lobbying, etc... Resulting in a much bigger, legalized, platform, while still causing way more damage than ransomware "companies".


It's the sad double standard that most companies have: Look, I pollute half the planet and I don't give a shit about investing in new technology, I just want my ARR of 100 million, and I'm willing to lie with cheap marketing ... But ransomware, it's clearly a priority, we can't risk being attacked if we didn't do anything illegal, that's morally wrong, and I'm a very moral person.

How stupid people are on our planet, billionaire people are really very stupid people ... Put a scientific researcher and an entrepreneur to debate on any subject and that's when you realize that most "entrepreneurs" have the coefficient of a 5-year-old child.

why do we never see Elon Musk debate with researchers if he has as much intelligence as he says (the techno king)? It must be so as not to make a fool of himself on television (or youtube)


Whataboutism. Let’s respond by bringing up a completely unrelated topic to justify the actions of criminal organizations.

These are organized crime activities akin to cartel kidnappings, Somali pirates, mob extortion, and kidnapping tourists for ransom. 21st century pirates/mobsters.

How long until ransomware becomes extortion or protection schemes? Pay us a yearly fee and we’ll not hack you and if someone does hack you we’ll hack them back.


You have misunderstood what we're talking about.

Nobody is justifying anything, I'm just saying that if it's wrong to give these people a platform, why is it ok to give it to oil companies? The latter have caused way more damage than a random ransomware group.


>why is it ok to give it to oil companies?

Why do you assume GP is ok with that.


There's no assumption in what I wrote, that's just a question.

Meanwhile, GP is explicitly putting words in my mouth, but I guess it's ok because my comment was just whataboutism, right?


Seems like the person you are responding to understood your point and labeled it (quite correctly) whataboutism.


Can you point out where I justified the actions of these criminal organizations (as parent said)? It's funny that the comment labeling mine as whataboutism is factually incorrect about what I said.

It's easy to reply by labeling anything you don't agree with as whataboutism, because you don't have to go into the merit of the discussion. You don't have to articulate a reply, you don't need to reason about it.

I made a pretty simple analogy, and the only one who actually replied with something sensible was OP, which I appreciate.

Everyone else just tried to find logical fallacies (like now we need to stop nurses from giving birth) or just discredit the argument but without providing any meaningful reason.


Sorry to offend.

Most of the damage oil companies are making is legal. At the moment fracking is legal but IMHO it’s very damaging. Undersea oil drilling is legal but there are many accidents. Shipping oil is legal but there are a lot of accidents that cause massive environmental problems.

Ransomware is never legal and organized crime is not legal in the West. They should not have a voice at all and should be treated like the criminal organizations they are.


There's an elephant in this room and its name is ethics.

When I was a mainframe programmer at IBM, one of the first things they taught us was how to stop the processor of a System/370 machine. If you can do that, ladies and gentlemen, you can bring down Bank of America, the US Army, the Social Security Administration, etc. So everyone there knew how to be a "black hat" hacker if we wanted to.

Was there money to be made in that? Surely. More money than IBM ever paid anyone! But the reason neither I nor any of my colleagues would ever dream of using our skills to hurt people is that last part of the sentence: it hurts people.

Yes, IBM did some awful stuff from helping Nazis to keeping apartheid alive in South Africa (over employee objections while I was there), but overall, the "corporation" provided valuable goods and services to real people who had to slog on in real jobs every day to get the world's real work done.

Oil companies are in the same boat. The world runs on oil and some ransomware attacks aren't going to change that. The idea that terrorism (and black hat hacking is absolutely a form of terrorism) is a useful way to change corporate behavior is so ill-informed that it's pathetic.

When asked about taking a "white hat" approach and selling legal pen testing (or even PTaaS), these developers declined, saying they probably couldn't monetize their skills at the same level that way.

Well, I say, too effin' bad. If everyone optimizes solely for himself, there will be no one left. It's appalling to me that criminal organizations now recruit, have price lists, and get PR placement. These people and their products (and their communication channels) need to be turned off ASAP for everyone else's sanity and self-preservation.


What elephant in the room?

They are self-admitted criminals. They admit to be in a destructive industry to line their own pockets. The only reason they are selective in their targets is because critical targets will increase the chances of them being caught.


I was referring mostly to the suggestions that attempted to justify this behavior by saying the targets are "bad companies."


Ah ok. When reading the article, I don't get the impression that they try to frame themselves as somewhat ethical, I think that may be an interpretation by some of us here.


> These people and their products (and their communication channels) need to be turned off ASAP for everyone else's sanity and self-preservation

But they can't be because enough people don't share your worldview. Do you believe private communication is a human right? Well then you can't stop them communicating either. How would we achieve a world where these products and services could be universally banned immediately?

You are right, the problem is ethics. The problem is that it's not universally criminal to attack other countries' wealth.

If it came out that this group ran their infrastructure on IBM cloud, and you still worked at IBM, what would you do? It seems you think that the generation of wealth for IBM's shareholders is more important stopping genocide therefore it's okay to be complicit. So you seem to have some general notion of ethical total harm.

> The idea that terrorism (and black hat hacking is absolutely a form of terrorism) is a useful way to change corporate behavior is so ill-informed that it's pathetic.

It does change behavior, though, whether you like it or not.


I certainly can't argue that you're wrong!

Private communication, even for business, is a human right. I was not suggesting that some authoritarian arm "shut them off," but rather that a profusion of businesses and individuals simply chose to ignore them. Death by rescission.

It's also one's right to choose to be in an ethical business or not. I've rejected many customers and employers because I didn't want to help in their aims.

I was among the people who protested IBM's continued involvement in apartheid and it did end before I left. Companies can choose to "not be evil" or they can just say that.

And yes, sadly, everything changes human behavior. What I was going for is that ethics is a practical phenomenon as well as nice one for other people. I still believe that more can be accomplished through volunteerism (including volunteer agreements about money and work rather than coercive ones) than through violence. Perhaps that's naive or hopeful but I hope a few of us persist in keeping the idea alive.


Totally naive but what would it take to protect a disk from unintentional encryption or maybe make encryption impossible?


Good, offlined backups.


Make it read only


So basically he interviewed a Romulan.


From the last phrase: "...but we believe in our motherland..."

So yeah, a Russian.


These people are terrorists so why are they being interviewed?


It is not uncommon for journalists to interview terrorists and gangsters. I found it insightful.


Terrorists, cartels, and criminals of all shapes and kinds are often interviewed. As to the bigger question of “why”? It gives us a unique insight into a strata of society most of us are not privy to, opening our minds to new ideas.


Know your enemy.


This is free advertising for criminals.

Correction: this is free advertising for criminals _actively looking to recruit associates to assist them in committing crimes_, and helps them commit crime.

Don't upvote "Weapons Smuggling, Inc. (YC21) is hiring a coordination specialist for EMEA operations"


I find myself puzzled by organizations like these. Let's say they do not attack infrastructure or other critical services, and only leech off huge companies.

I cannot argue against it?


Are you really intending to condone illegal activity? Just because they're targeting "wealthy" companies? That is like condoning a mugger because he is working in a rich neighborhood and not targeting the impoverished.


I was looking for a solid argument, since I am not able to provide one. So far there are none presented here either.

Are we really going to justify this just by "it is against the law"? So many things are against the law, so many ancient laws demonstrate the inability of humans to create the absolute corpus of ethical behaviours™.


Since you asked...

The Kantian categorical imperative goes something like, "act as if the basis of your actions would be made universal law." What happens if everyone conducts denial of service and ransom attacks against anyone they perceive as a legitimate target?

https://www.aamc.org/news-insights/growing-threat-ransomware...

https://www.wsj.com/articles/the-ruthless-cyber-gang-behind-...


We'd live in the world that we live in now. Iran's centrifuges have some experience with that.

I think it's kind of neat that we're waging war via bit flipping instead of meat flipping, let's call it progress.


We'd probably have a society that is really good at building safe redundant software services such that this is no longer a threat (;


The fact is that these particular situations are much more complex than a false dichotomy of "good" and "evil" corporations, or "large" and "small" corporations.

Take any organization you think is "worthy" of being attacked in this manner, and consider all of the implications of such an attack. Think about the people inside the organization, and those outside of the organization that benefit from its continued operations.

I think it's fair to say the public opinion of oil companies is fairly low; however, arguably the biggest impact of the Colonial Pipeline attack was not on the executives running the company, but on the end customers of gas stations unable to fuel their vehicles due to the shortage (whether truly real or created by panic). I would argue that everyday workers unable to get to work or to the store to buy food is more important than a few executives not getting their bonuses or having their shares lose value.

This isn't to say that these corporations are above all reproach and should be allowed to continue operating in whatever way they see fit simply because they have employees and customers relying on them. But it's also the wrong mindset to think that it's OK to attack corporations in this way just because they "deserve it" in some way.


If I heard news that Jeff Bezos' bank account was hacked and $50 million dollars were stolen, I don't think I would even bat an eye. When I hear of ransomware shutting down hospital computers I'm furious and want to see these clowns rot in jail. There's clearly a spectrum here of where it starts becoming a heinous act.


The global median household wealth is about $7,500. The median income is around $10,000. To much of the world (making some assumptions based on your presence here on HN), you have more in common with Jeff than you do with much of the world; they might take the same attitude to you.


It's possible the only reason we would disagree if the rest of the world took this attitude is our own greed.

To me what's more obviously wrong whether I'm rich or poor is leaking personal info on employees, HR correspondence etc. I don't know whether this group would since they say it hasn't got that far yet but other groups have.

Extortion, mugging, burglary etc are worse than the "perfect theft" where you move some numbers from one account to another.

I wonder if the people involved believe their own spin that "your boss is the one at fault, would rather you suffer than pay"


this is a you problem


The rich people in that neighborhood have acquired their wealth in an unfair, unjust way.


Bit of an advocatus diaboli, but… Crimes are crimes because they hurt people. Here we’re talking about just lowering company’s profits; same thing happens naturally due to market forces and nobody complains.


Usually lowering a company's profits due to market competition produces value. Just stealing money does not produce value.


The stolen money doesn't have a value to the thief?


The amount of value it produces for the thief is equal to the amount of value it takes away from the company.


Generally much less, if you're taking into account all the wasted time/energy.


Million dollars stolen from, say, Bezos, is worth less than that to the thief?


We can have a discussion about ethics and utility if it's a starving person stealing from Jeff Bezos, but these ransomware firms are large-scale organizations just like the companies they're stealing from.


Sure, but it still doesn't mean the money somehow "loses its value". It's just a money transfer between companies; a financial transaction, just one that's unlawful.


Let's invert the question: please provide a list of companies that would be OK to target, according to you.


As a general rule, theft is considered a bad thing. Why do you think it's acceptable?


> and only leech off huge companies. I cannot argue against it?

Médecins Sans Frontières is a huge company. Their annual budget is around $1.6bn. Are you ok with them being subject to ransomware attacks?


Allegedly BlackMatter is not.

> It would not extort healthcare, critical infrastructure, oil and gas, defense, non-profit, and government organizations


That's good. I wonder if they'd extort the company that manages the building I live in. If they did the most likely negative outcomes are that I'll receive worse service and pay more for my service charge. That's not too bad for me, but I have vulnerable neighbours for whom that may be a significant problem.

There is so much collateral damage created by this sort of attack against any company of sufficient size. It's easy to wave your hand and say they're a rich company, they can afford it, but no company exists in isolation; they're all part of economies, and ultimately it's real people somewhere who take the damage.


Good luck getting much sympathy. There is still some asshole making off like a bandit even when the lowly employees get hurt at the same company.


In this instance, they claim that they will not attack non-profits, which puts organizations like MSF out of harm's way.


If a robber steals one grain of rice from each person in a town, was anyone harmed? If you think not, then what if a thousand robbers do the same?

Leeching off of companies is kind of like stealing a grain of rice from everyone. The company's costs increase and the price eventually makes its way back to the consumer.

Another way to think about it is the total amount of labor needed for the world to operate as it does. In a world that has no ransomware, the labor needed is X. In a world with ransomware it is X + cost of building ransomware + cost of dealing with ransomware.


> Leeching off of companies is kind of like stealing a grain of rice from everyone.

I'm sure the criminals console themselves by thinking about it that way, but as someone who had to use an emergency room and was denied other services during the month+ Scripps was down (during a global pandemic, no less), it was easy to see how ransomware attacks can directly hurt an enormous number of employees and customers.


To clarify my point, even if leeching off companies is like stealing a grain of rice from each person, it is still wrong.

My point was that ransomware is wrong even in an idealized abstract scenario where it only targets non-critical companies.

Thanks for providing your experience. It drives home that in practice it is much more like beating and robbing many people than it is like stealing just a single grain of rice from them.
