Last week, I had the honor of speaking to the Lehigh Valley Chapter of the Institute of Internal Auditors. The topic was ransomware. I addressed the debate over outlawing ransom payments in my presentation. Afterwards, a discussion allowed me to further express my view that banning payments is not the solution.

Those advocating for bans often do so from a comfortable distance. Their perspective makes sense if you rely solely on the data—security analysts who never leave the office, academics who stay in classrooms, or law enforcement managers who only see reports.

Those directly engaged in the defense understand the reality. Frontline incident responders and law enforcement have seen the pain on a small business owner’s face as they realize their life’s work is burning. They know their options are limited—no backups, no incident response team, no disaster plan, and no insurance. How can you tell such a person, ‘Don’t pay the ransom”?

Many times, businesses are forced to choose between paying the ransom and shutting down.

So, why is paying the ransom so problematic? Why do some law enforcement and security experts insist that ransom demands should never be paid, even if it seems in the victim’s best interest?

On the surface, paying the ransom rewards criminals for bad behavior.

Deeper down, it sustains the problem. Ransomware operators are like Skinner’s rats—motivated by reward. In the 1930s, psychologist B.F. Skinner explained operant conditioning, where behavior is shaped by rewards and punishments. He demonstrated this with rats in a box—push the lever, get food. The rats quickly learned to associate pressing the lever with a reward.

Similarly, ransomware attackers target innocent organizations in the hope of a payoff. This is a fitting analogy.

Small and medium business owners are caught between a rock and a hard place during a ransomware attack. Unlike large corporations, they often lack dedicated security staff. Sometimes, there’s just someone managing the internet and printers. A security expert? That’s a luxury. Backups? Perhaps an Excel file copied onto a USB that’s lying around.

It’s understandable why a business leader might pay the ransom. Usually, they’re desperate and have no real options—they wouldn’t pay if they could avoid it. But they’re left with no choice.

Banning ransom payments would force some small business owners into criminality since their only option is to pay the ransom or go out of business. No one wants to go out of business.

In July 2025, the UK announced plans to prohibit ransom payments following a public consultation that showed widespread support. The new laws will ban government agencies, schools, hospitals, and critical infrastructure like power and water from paying hackers. Private firms not covered will need to notify the government before paying, so officials can advise or potentially block payments under sanctions. All UK organizations will have 72 hours to report ransomware incidents. While the rules aren’t in effect yet, this marks one of the first nationwide efforts to curb ransom payments.

Could this be the right approach? Perhaps. But I worry it might backfire—making uncovered businesses prime targets or causing victims to seek illegal intermediaries or misreport attacks.

I agree we shouldn’t financially reward cybercriminals. However, ending ransom payments will remain challenging until organizations, especially smaller ones and nonprofits, actively implement proactive ransomware defenses; otherwise, they’ll have no choice but to pay.

The News…

Smurfing is a money laundering technique that involves breaking large sums of illicit money into many smaller transactions to avoid detection by financial institutions. These small, less conspicuous transactions are deposited into different accounts, often by a network of individuals known as “smurfs”. This article explains how to use DuckDB, a high-performance relational database, along with the DuckPGQ extension, to perform graph analysis directly within the database. It explores the use of SQL/PGQ, a graph query language part of the SQL:2023 standard, to detect suspicious financial patterns such as money laundering and smurfing. For hardcore data nerds only. https://duckdb.org/2025/10/22/duckdb-graph-queries-duckpgq

Scammers are impersonating reputable companies to target job seekers, particularly those seeking social media manager positions, through credential phishing scams. The ultimate end is to harvest the victim’s Facebook credentials. https://sublime.security/blog/facebook-credential-phishing-with-job-scams-impersonating-well-known-companies/

In 2025, ransomware attacks on the public sector have persisted, affecting over 196 government entities worldwide. These assaults frequently result in major operational disruptions, financial setbacks, and reputational damage, often employing double-extortion tactics. The United States reports the highest number of confirmed victims, with Canada, the UK, and France also significantly impacted, underscoring the worldwide nature of this threat. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/public-sector-ransomware-attacks-relentlessly-continue/

Malwarebytes describes a Halloween-themed phishing scam that results only in a trick, never a treat. https://www.malwarebytes.com/blog/news/2025/10/home-depot-halloween-phish-gives-users-a-fright-not-a-freebie

You know all those SMS scams you’re getting? Unit 42 discusses an ongoing global smishing campaign attributed to the Smishing Triad, a group operating a large-scale phishing-as-a-service operation. Attackers are impersonating various international services, including government agencies and toll services, to trick victims into revealing sensitive information through deceptive SMS messages. The campaign uses a decentralized infrastructure with thousands of short-lived domains registered through Hong Kong-based registrars and hosted on U.S. cloud services, making detection challenging. https://unit42.paloaltonetworks.com/global-smishing-campaign/

A Maryland man has admitted to his role in a scheme where victims were convinced to hand over cash and gold to couriers posing as federal agents. The victims, many of whom were elderly, were told their bank accounts were compromised and needed to move their money to the U.S. Treasury. Kudos to the Pennsylvania State Police for making an arrest in this case. https://www.pennlive.com/crime/2025/10/maryland-man-admits-to-role-in-15m-multi-state-scam-that-drained-seniors-bank-accounts.html

https://www.macrumors.com/2025/10/25/windows-10-deadline-boosts-mac-sales/

The United States refused to sign the U.N.’s cybercrime treaty, but 70 other nations did. https://therecord.media/us-declines-signing-cybercrime-treaty

DFIR

Construction has begun on the $22 million expansion of the National Computer Forensics Institute in Hoover, Alabama. https://hooversun.com/news/hoover-breaks-ground-on-national-computer-forensics-institut/

Cool Tool

Find traffic cameras in your city. https://trafficvision.live/

Learn the value of those Pokémon cards you have in the shoebox under your bed. https://pokescope.app/

Cool Job

Digital Forensics Specialist, Tennessee Bureau of Investigations. https://tbinewsroom.com/2025/10/22/were-hiring-tbi-digital-forensics-squad-special-agent-criminal-investigator-1/

Senior Manager - Security Operations, Fortis. https://www.fortisgames.com/en-us/careers?gh_src=e0icoal75us&gh_jid=4612749005

Feedback

“Matt, just a heads up, VXVXVXVX started a new blog called Threat Intel Without Borders. Not very original, eh?” BB

Thanks, Bob. Imitation is the sincerest form of flattery.

“I never considered that the words flute and banger would make me spit my coffee.” - TerryO

(See Issue 247 for reference)

Irrelevant

credit: u/ixvst01

Sign Off

Thanks for sticking around. Don’t forget to check out the special edition post from last Friday and see the upcoming one this Friday as we keep exploring the investigative technique of stylometry.

Matt

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.

cybersecurity cybercrime fraud investigations financial security osint aml