
How in the world would we enforce this?



If somebody pays a ransomware payment, the government could seize their computers and encrypt their data until they pay a fine.


I like it. We could call it a ransom, maybe.


That just sounds like taxes with extra steps.


How do we enforce every other law? If the authorities get wind of someone paying a ransom, they could investigate and then decide to prosecute if they discover that it was highly likely that a ransom payment was made. For the specifics of ransomware payments, for public companies, which line items does that amount get attributed to on the quarterly reports?


And even if you expect that some payments will continue to happen under the table, the payouts would have to be much lower, as there is a limit to how much a business can hide on their balance sheets.

That means less potential profit for ransomware makers, less incentive to make ransomware, and less money to fund ransomware development.


I am not a lawyer and entirely just guessing. I am probably wrong but if people are paying money to organized crime then perhaps it could be interpreted as aiding and abetting organized criminals using corporate funds and thus maybe possibly the government could use the existing Racketeer Influenced and Corrupt Organizations Act (RICO) of 1970. Or maybe not. Maybe a question for lawyers that have litigated RICO cases. Maybe another angle could be proving that said funds were used in the acts of higher crimes that caused serious injury or death. Maybe additionally the SEC could also get involved in publicly traded companies that impact their stock value in the process of paying off organized criminals. I could see both sides of such a case as it could be argued that not paying off the ransom could cause the destruction of the company but the people responsible for putting the company in that position in the first place could probably be held to account. Or worst case maybe this just forces some companies to do more serious due diligence and have real audits vs. check-box audits and if they can't prove they performed their actual fiduciary responsibilities then serious action is taken against the C-Levels and board members?


Nothing like blaming the victim. What's next, arresting people for handing over their wallet at gunpoint?


Seems like a matter of game theory strategy vs. tactics. If everyone were to fight back against muggers, it seems like there would be fewer muggings. But tactically, it might be best for an individual to hand over the wallet.


Sure. And it would be nuts to start trying to incentivize fighting back by prosecuting people who don't.


Nothing like blaming the victim.

The companies getting their customers' data encrypted are NOT victims. At best they are incompetent and should never have been in business to begin with and most certainly should never have been anywhere near any of their customers' data.

Companies have a fiduciary responsibility to protect their customers and investors. If a company is letting phishers trounce all over my data then in a way I am glad that my data became encrypted so that the company can no longer hide the fact they were negligent not only in keeping the thugs out but also in properly backing up my data. I am more concerned about all the companies that were popped and were able to hide it because they only lost my data to the phishers. Ransomware is exposing the incompetent businesses and embarrassing their leadership, as it should. Securing data in an ever-growing and large company can be challenging due to internal politics, especially if being security focused from day one was not their priority. Backing up data is easy.


The victim fails to be just a victim when they actively contribute funds to a criminal enterprise.

The gunpoint analogy is a poor one; being coerced by physical violence is one thing, being coerced because you lost your files (and don’t have backups) is another. It’s a horse of a different color.


What if people die and lose everything or groups of people get hurt because of the ransomware? You could also say the person handing a wallet to a criminal is actively contributing and should have kept his money in the bank. The point is that it's not always as simple as "backup your files".


Enforce it at the cyber insurance provider level: if you pay out a ransom for a client, you risk losing your insurance license.



