In the case of corporate, it is often not despair but incompetence and lack of consequences: the CEO will get their yearly bonus if the ransom is paid. If the ransom is not paid, the information might leak out that the company lacks good cybersecurity practices and there will be a new CEO.
Or even worse, like shareholder or regulator action, see SolarWinds.
Note that in the EU under GDPR companies are still liable for privacy violations and related fines if ransomware attackers gain access to your personal details, ransom or no ransom (a hack is enough).
I think ransomware is not really like drugs or hostages.
For drugs, there’s some inherent desire for some people to consume them. Maybe they harm society a bit (in the sense that they might destroy the people that take them), but the main cost for the rest of us is that they fund criminal enterprises because they are illegal. People want drugs, if they could buy them at CVS I suspect they would.
Ransomware is already illegal, we don’t create a new criminal enterprise by making it illegal to do business with them, we just make it harder.
Also, lots of the biggest ransomware gets have been big institutional entities where everything is documented. People just buy drugs in small amounts and consume them, two parties, neither of whom wants to get caught, minimal paper trail. Basically impossible to ban.
For physical hostages—people are desperate to get their friends and family back, and so they’ll go to desperate measures to pay. For ransomware, it is usually an economic decision, nobody’s life is at risk (other than when, like, a hospital is hit). Increasing the cost increases the chance the decision will go the other way. And increases the incentives to keep IT defenses up to date. (I know you didn’t bring up the hostage analogy, I think it is worth noting that the desperation you point to here is really an artifact of the tangent we’re on from the analogy leading us astray).
We're not talking about desperate drug addicts here. The threat of criminal prosecution and being sent to federal prison is a pretty effective deterrent for most people. Especially the corporate officers who would ultimately have to authorize any ransomware payment. They won't take that risk to help their employer.
Upwards. Second order effects of schemes like prohibition are much worse than the original problems.
It's also not quite analogous to the ransomware prohibition, because it's more akin to a prisoner's dilemma, and there's no inherent desire to pay ransomware criminals in the human psyche like there is to alter consciousness.
> Second order effects of schemes like prohibition are much worse than the original problems.
There are loads of countries that have illegalized alcohol and not devolved into levels of organized crime that the US did. Specifically, nearly every Muslim nation on earth. I feel this one example is way overplayed by advocates of legalization.
Well, I guess if you think ruin or death is a valid consequence for fairly low stakes "crimes", you can implement pretty much any regime you like, assuming you've got enough boots and knives.
It is acceptable for you, since you won't suffer the consequences, the burden of damage isn't on you.
It is similar to consuming drugs: when people buy meth they're helping the drug dealers. But they just can't help it, they're desperate.
Despair is above reason. Laws are useless to stop desperate actions.