
So Krebs's comments and a bunch of others so far talk about "don't trust criminals" and "no honor amongst thieves" etc., but putting aside the atrocious moral angle, musing on this a bit, I think there's a broader point that applies to legal communities as well, which might be something along the lines of:

>Beware the change from an ITERATED prisoner's dilemma game to a SINGLE game.

Or perhaps, alternatively, to remember the difference between a "salary" and an "exit". Particularly when there is a long history of iteration people have gotten used to. The interesting HN discussion that comes most immediately to mind was last year's implosion of Silicon Valley Bank and the Stratechery article [0] about it. Classic game theory points to major differences in any ecosystem where the players are playing iterated vs. single games. Iterated games encourage thinking about the longer-term health of the overall ecosystem, not burning bridges, etc. The optimal strategy isn't pure defection but more cooperate+punishment.

However, the ransomware ecosystem, like the startup ecosystem, seems to have followed an arc from small to large where the amounts of money start to pass an inflection point where they hit "set for life with a single payday" amounts. I.e., groups can chase "unicorns", hit one, and then, at least from a pure economic standpoint, potentially burn all bridges and reputation and be done forever. That in turn pushes towards short-term thinking and extracting maximum value as fast as possible, even at the cost of future returns.

It being a black market certainly accelerates this further, because a lot of the traditional controls that help push more towards iteration (from information symmetry to flat-out physically coercive criminal punishment) are absent. But at least in terms of idle hot-take contemplation, it seems to me there are parallels in a lot of different industries through history.

So yeah, don't pay ransomware anyway, due to it funding a host of evils and encouraging more; governments should punish companies that do, etc. But from a pure cold realpolitik standpoint it's perhaps also worth thinking about what the person on the other side can do afterwards. If a company is effectively paying them "salary"-class money, as if it were a $1000/hour pen tester, so a 100-hour attack is $100k, they may be more likely to be treating it as a "job" where they'll be doing it again and again. Which is bad here, but also perhaps more reliable: they have reputational skin in the game and an interest in the "health of the ransom ecosystem". But if the company is paying them "founder exit"-class money, tens of millions of dollars, the odds of someone being ready to take the money and run, and having the amounts needed to make that possibly work, are probably going to be higher?

Anyway just interesting to think about a bit.

----

0: https://stratechery.com/2023/the-death-of-silicon-valley-ban...
