[HN Gopher] University of Utah pays $457k to ransomware gang
___________________________________________________________________
Author : jpkoning
Score : 124 points
Date : 2020-08-21 14:02 UTC (8 hours ago)
web link (www.zdnet.com)
| fizixer wrote:
| When you pay ransom for physical possession you get your possession back.
|
| When you pay ransom for lost data you get a copy of your data back. The culprits still have the data, but they likely don't have a use for that data.
|
| But this is the worst kind of ransom.
|
| You already have the data, you're paying ransom to make sure the culprits don't use the data, but the culprits still are in possession of the data and they can use the data next year, or two years later, or demand more payment next year.
|
| What in the world?
| [deleted]
| parliament32 wrote:
| >The culprits still have the data
|
| It'd be too hard/expensive to exfiltrate the data once it gets large enough, without much added benefit. They just encrypt it in-place.
| beervirus wrote:
| Well it's exactly what happened here.
|
| > The university said its staff restored from backups; however, the ransomware gang threatened to release student-related data online, which, in turn, made university management re-think their approach towards not paying the attackers.
|
| The university is paying them not to release the data, but it has no way of forcing them to delete it.
| sho wrote:
| Devil's advocate: ransomware is good. The financial incentives around it directly encourage this variety of hacking. It's an involuntary "bug bounty". And IT security becomes something more than a "nice to have" for these institutions, which it never would have before.
|
| $450k? Universities know all about paying to learn. That's cheap, and they won't make the same mistakes again.
| mping wrote:
| What about the fact that paid ransoms prove a viable business model? And I bet hackers can hack faster than unis can secure themselves
| edflsafoiewq wrote:
| Crime reduction is good. Therefore crime is also good because it incentivizes crime reduction.
| paulpauper wrote:
| murder is good because it discourages people from engaging in behavior that may cause them to be murdered
| AnIdiotOnTheNet wrote:
| Actually, depending on the cost of mitigating this sort of disaster in the future, they may learn the lesson that it is simply less expensive to pay the ransom.
|
| The criminals doing these sorts of things are businesses too, they are unlikely to price themselves out.
| ipnon wrote:
| Markets in everything: The price of ransomware will reach equilibrium when the cost of paying the ransom becomes equal to the cost of paying for cybersecurity. Then we're back to "to pay or not to pay" once again being a merely moral/ethical issue.
| rubber_duck wrote:
| Nonsense, it's not like it's one criminal group behind this or like these people are building a sustainable business model. Pay and ignore approach doesn't work at all long term.
| sho wrote:
| Well, that is a decision every institution needs to make by themselves, of course. At least now there is a visible price tag attached, rather than trying to hide behind misuse laws ("it's ILLEGAL to access our systems in that way!")
| downrightmike wrote:
| $450k is about tuition for 56 in-state or 17 out-of-state students. Basically peanuts. The U is $8,048 for Utah residents and $25,361 for out-of-state students. It has a total undergraduate enrollment of 24,743
| overeater wrote:
| So about a quarter of a percent of their tuition income? That's pretty massive, considering this is an unexpected cost.
| 0xbkt wrote:
| Out of curiosity, are these hackers still demanding ransom money in Bitcoin, or say any traceable cryptocurrency?
|
| I remember encountering similar scenarios before and they all seem to want the money in a Bitcoin address.
|
| Why not Monero, or an alternative if there is any, which I guess makes moving the funds around much more stealthily? Please correct me if I'm wrong.
| paulpauper wrote:
| no one is getting arrested or caught in spite of the traceability, unless the hacker is dumb enough to just deposit the BTC on an exchange immediately. The btc is split up and sent through mixers and laundered into thousands of tiny pieces and after a few years or so forgotten by anyone trying to track it.
| kmonsen wrote:
| Are they not just hiding in places which don't care about these kinds of things?
| eternalban wrote:
| > after a few years or so forgotten by anyone trying to track it.
|
| Help me with this, as I simply do not understand this 'forgetting' bit. Are you saying that a police agency, say FBI, is incapable of writing a (trivial?) program that tracks the coins, for as long as it takes to close the case?
| mihaifm wrote:
| All the tiny pieces could be traced in an automated way. It's probably the lack of regulation that lets exchanges get away with not implementing better anti-laundering mechanisms.
| gnopgnip wrote:
| And going after those tiny pieces would involve a lot of other people who are innocent
| [deleted]
| colinmhayes wrote:
| That's not how tumblers work. There's no way to link the input and output addresses when you go through a tumbler.
| readams wrote:
| You could refuse to transact any tumbler output.
| jpkoning wrote:
| They're still usually asking for bitcoin.
|
| A few months back REvil/Sodinokibi switched to Monero, but I think they're the only strain to do so.
| voxic11 wrote:
| For smaller scale ransomware bitcoin was and still is very popular because it's the easiest crypto to buy and use. So if your average target is a non-technical home or small business user bitcoin will net you far better returns.
|
| Ransomware still often includes live phone support and other features targeted at helping victims purchase and send bitcoins because it's still a difficult and unfamiliar task for the average person.
| markkanof wrote:
| That's so disturbing. I can't imagine going through a phone call with "tech support" trying to figure out how to send bitcoins knowing the whole time that the support person is the one who is extorting ransom from you.
|
| It also seems like an opportunity to escalate the scam to the next level. Go to this site (controlled by the scammer) and enter your credit card to send bitcoin. Now they have your credit card too.
| colinmhayes wrote:
| This is how I feel on the phone with Comcast. It's just business
| mensetmanusman wrote:
| Just think, they could have paid two engineers to fortify their systems against such an attack and still saved lots of money.
| umvi wrote:
| Just think, one of your own unscrupulous employees could be bribed to infect your own systems to get ransom kickbacks.
| lern_too_spel wrote:
| How do you know they weren't already paying at least two engineers to fortify their systems?
| sgustard wrote:
| How do you know those two engineers aren't $457k richer now?
| mensetmanusman wrote:
| Hmm. I'm guessing not having backups means they may have been paying one person but also giving that person way too many responsibilities such that they couldn't focus on doing a backup well.
| exdsq wrote:
| The fact they have backups is literally at the top of the article...
| mensetmanusman wrote:
| Wups!
|
| I assumed ransomware was always a class of attack wherein non-backed-up data was at risk.
|
| This seems like a failed ransomware attack where the university just got unencrypted information stolen that they didn't want released.
| ziddoap wrote:
| >a class of attack wherein non backed up data was at risk
|
| Ransomware is just the act of preventing access to data, with the access being reinstated after paying a fee to the attacker. Generally accomplished by encryption. Whether or not the victim has mitigations, backups, etc. holds no relevance to the class of attack.
|
| >This seems like a failed ransomware attack
|
| It's not really a failed ransomware attack. The attack was successful (they were able to encrypt some data), followed by successful reinstatement of access to the data by using backups, followed by successful extortion by the attacker.
| R0b0t1 wrote:
| The ransom was paid by an insurance provider, so they were at least doing something to acquire coverage.
| pc86 wrote:
| Part of it. They covered the rest.
| paulpauper wrote:
| probably insurance is cheaper than hiring sec experts
| adrr wrote:
| Insurance coverage is common. Depending on coverage amount may require independent audits.
| jaclaz wrote:
| They did have the backups, the ransom was paid for (maybe) not having the stolen data published/sold.
|
| >The university said its staff restored from backups; however, the ransomware gang threatened to release student-related data online, which, in turn, made university management re-think their approach towards not paying the attackers.
| Klinky wrote:
| Even worse, because we can totally trust data can't be copied or released once an extortionist ransom is paid to malevolent hackers. I am sure this ransomware gang is on the up and up and operating in good faith to honor the agreement. In a few months we may see "University of Utah pays another $457k to the same ransomware gang".
| AnIdiotOnTheNet wrote:
| It is not in the best interest of the ransomware gang to ignore their part of the bargain.
| If that second headline happens, it will be a signal to every one of their future victims that they will not honor agreements and you're better off not paying them.
|
| This is why the vast majority of encryption-based ransomware puts a lot of effort into ensuring they really can decrypt your files after you pay them.
| doorstar wrote:
| Plenty of places have more than two engineers and still paid ransomware. This is like any other cyber-crime, which is to say it happens all over, it's not always publicized, and it's very hard to stop.
|
| I watched a couple of presentations on security recently and just felt like we are all in a losing battle. There are always more bad actors, they get better and better, and they are a lot more motivated than any security team you can put together.
| akeck wrote:
| Can one detect a ransomware infection early by watching copy-on-write snapshots on a file server?
| freeopinion wrote:
| Not all ransoms are about denying the owner use of their data. Some ransoms are about publishing copies of the data.
| gpm wrote:
| You can, the company I work for makes a product that does exactly that.
|
| It's very much a last line of defense way of detecting attacks because it means the attackers are already in and already have access to whatever workload is being protected.
|
| https://www.rubrik.com/en/products/polaris-overview/polaris-...
|
| Disclaimer: I'm just an engineer (not a sales person/pr/...) and _all_ my comments on HN including this one are entirely my own views, not the company's views.
| AnIdiotOnTheNet wrote:
| There are various strategies. One way that is fairly common is to have canary files that, when modified, trigger alerts and other automated action (locking out the account that did the modification, for instance).
| bpoyner wrote:
| Veeam One can alert you to possible ransomware if there is simultaneous high write rate and high CPU usage on a VM.
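The snapshot-watching question from akeck and the canary-file and write-pattern answers that follow it, as an added example written for this page; it is not code from the thread or from any product named in it (Rubrik Polaris, Veeam One). It assumes each copy-on-write snapshot can be read as a mapping from path to file contents (a stand-in for mounting two snapshots off the file server) and combines three signals: a modified or deleted canary file, an unusually large share of the tree changing between two snapshots, and newly written content whose Shannon entropy is close to 8 bits per byte, as ciphertext is. The canary paths, thresholds and both sample snapshots are constructed for the example.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, Set, Tuple

Snapshot = Dict[str, bytes]  # path -> file contents, standing in for one copy-on-write snapshot

# Assumed canary locations: files no user or scheduled job should ever read or write.
CANARY_PATHS: Set[str] = {
    "share/finance/_canary_do_not_touch.xlsx",
    "share/hr/.canary_payroll.docx",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_snapshots(before: Snapshot, after: Snapshot) -> Tuple[Set[str], Set[str], Set[str]]:
    """Compare two snapshots by content hash; return (modified, added, deleted) path sets."""
    modified = {p for p in before if p in after and _digest(before[p]) != _digest(after[p])}
    added = set(after) - set(before)
    deleted = set(before) - set(after)
    return modified, added, deleted


def assess(before: Snapshot, after: Snapshot, canaries: Set[str] = CANARY_PATHS,
           change_ratio: float = 0.2, entropy_threshold: float = 7.0, min_new_files: int = 5) -> dict:
    """Score one snapshot transition. Thresholds are example values chosen for this demo."""
    modified, added, deleted = diff_snapshots(before, after)
    reasons = []

    # Signal 1: a canary was rewritten or renamed away (mass encryption touches everything it reaches).
    touched = sorted(p for p in canaries if p in modified or p in deleted)
    if touched:
        reasons.append(f"canary files touched: {touched}")

    # Signal 2: too large a share of the tree changed inside one snapshot interval.
    ratio = len(modified | deleted) / max(len(before), 1)
    if ratio >= change_ratio:
        reasons.append(f"{ratio:.0%} of files modified or deleted (threshold {change_ratio:.0%})")

    # Signal 3: what was written looks like ciphertext; only judged once enough files changed.
    new_content = [after[p] for p in modified | added]
    if len(new_content) >= min_new_files:
        mean_entropy = sum(map(shannon_entropy, new_content)) / len(new_content)
        if mean_entropy >= entropy_threshold:
            reasons.append(f"mean entropy of new content {mean_entropy:.2f} bits/byte")

    return {"alert": bool(reasons), "reasons": reasons, "changed_ratio": ratio,
            "modified": len(modified), "added": len(added), "deleted": len(deleted)}


# ---- constructed sample snapshots (not real data) ----

def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (a SHA-256 chain, not encryption)."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_baseline() -> Snapshot:
    files: Snapshot = {}
    for dept in ("finance", "hr", "research", "admin"):
        for i in range(5):
            text = f"{dept} document {i}: quarterly notes, budget lines, meeting minutes.\n"
            files[f"share/{dept}/doc_{i}.txt"] = (text * 20).encode()
    for p in CANARY_PATHS:
        files[p] = b"canary - no user or process should read or write this file\n" * 10
    return files


def build_ransomed(baseline: Snapshot) -> Snapshot:
    """Every file replaced by a high-entropy blob under a new name; the originals are gone."""
    return {p + ".locked": pseudo_random_bytes(p, len(c) + 64) for p, c in baseline.items()}


def build_benign(baseline: Snapshot) -> Snapshot:
    """An ordinary day: two documents edited, nothing else changes."""
    after = dict(baseline)
    after["share/finance/doc_0.txt"] += b"Addendum: revised Q3 figures.\n"
    after["share/hr/doc_3.txt"] += b"Addendum: onboarding checklist.\n"
    return after


if __name__ == "__main__":
    base = build_baseline()
    for label, snap in (("benign", build_benign(base)), ("ransomed", build_ransomed(base))):
        print(label, assess(base, snap))
```

The three signals are deliberately independent: a canary alone is enough to alert even on a small, slow encryptor, while the change-ratio and entropy checks catch a fast one that happens to miss the canaries. As gpm notes above, this only fires once the attacker is already writing to the share, so the automated response it should drive is the kind AnIdiotOnTheNet describes (lock the writing account, keep the last clean snapshot), not a replacement for preventing the intrusion.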
| leephillips wrote:
| They had backups: good for them.
|
| But they also had unencrypted, sensitive information sitting on their networks.
| amelius wrote:
| It's good to be aware that this entire thing wouldn't have been possible without Bitcoin.
| 7786655 wrote:
| The whole point of Bitcoin is that you don't get to decide whether I can use it.
| Forbo wrote:
| It's good to be aware that this entire thing wouldn't have been possible without encryption.
|
| I'm sorry, I'm not sure I'm seeing what point you're trying to make. Are you trying to say that Bitcoin is bad?
| panpanna wrote:
| Bitcoin was sold to me as freedom, from governments, from banks, etc.
|
| But now I have come to realize that a completely unregulated payment system is very dangerous.
|
| To be clear, Bitcoin is not "bad". Humans are bad and this is why we can't have nice things.
| zelly wrote:
| Bitcoin is more regulated and more spied on than most forms of payment. To turn a large amount of Bitcoin into dollars in a bank account, you have to go through extreme AML/KYC checks. I can go to a gas station in California and send $1000 in cash to someone in Turkey who could receive cash and walk out a few minutes later. A briefcase full of cash is not regulated at all and can be used to settle debt or pay taxes, unlike Bitcoin. The only advantage of Bitcoin is not requiring the risk of physical presence, which has to be <1% of all crime. Also, unlike cash, Bitcoin by design retains a full immutable public ledger. The criminals can mix their coins, but it'd still be possible (although computationally expensive) to recreate a chain of transactions going back to the original ransom. In the future if Bitcoin is to become used in commerce more, it should be expected that these dirty transaction outputs would be worth less than clean ones or not accepted, like dollar bills cut in half taped together.
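The tracing question raised earlier in the thread (eternalban asking whether a program could follow the "tiny pieces", mihaifm saying they could be traced automatically) and zelly's point just above that a chain of transactions can be recreated back to the original ransom, as an added Python example that is not from the thread: forward taint propagation over a UTXO-style ledger. It implements the two policies investigators and compliance teams commonly use, "haircut" (each output inherits the value-weighted share of tainted input value, so tainted value is conserved through a mix) and "poison" (any tainted input taints every output fully), reports where the tainted value sits now, and derives the kind of refuse-to-transact list readams mentions. The ledger, txids, addresses and amounts are all constructed; the list is in chain order, so every input refers to an earlier transaction.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

OutPoint = Tuple[str, int]  # (txid, output index), as in a UTXO ledger

# Constructed ledger in chain order. Values are arbitrary units; txids and addresses are labels
# invented for this example, not real chain data.
LEDGER: List[dict] = [
    {"txid": "pay", "inputs": [],                                   # the ransom payment lands here
     "outputs": [("attacker_wallet", 10.0)]},
    {"txid": "clean", "inputs": [],                                 # unrelated bystander funds
     "outputs": [("bystander", 30.0)]},
    {"txid": "split", "inputs": [("pay", 0)],                       # "thousands of tiny pieces"
     "outputs": [("a1", 2.5), ("a2", 2.5), ("a3", 2.5), ("a4", 2.5)]},
    {"txid": "mix", "inputs": [("split", 0), ("split", 1), ("clean", 0)],  # tumbler-style join
     "outputs": [("m1", 7.0), ("m2", 7.0), ("m3", 7.0), ("m4", 7.0), ("m5", 7.0)]},
    {"txid": "cashout", "inputs": [("mix", 0), ("mix", 1)],
     "outputs": [("exchange_deposit", 14.0)]},
    {"txid": "hold", "inputs": [("split", 2)],
     "outputs": [("a5", 2.5)]},
]


def trace_taint(ledger: List[dict], source_txid: str, mode: str = "haircut") -> Dict[OutPoint, float]:
    """Taint fraction (0..1) of every output, propagated forward from the outputs of source_txid.

    haircut: an output inherits the value-weighted share of tainted input value (conserves tainted value).
    poison:  any tainted input marks every output fully tainted (over-approximates, never misses).
    """
    value: Dict[OutPoint, float] = {}
    taint: Dict[OutPoint, float] = {}
    for tx in ledger:
        outs = [(tx["txid"], i) for i in range(len(tx["outputs"]))]
        for op, (_addr, v) in zip(outs, tx["outputs"]):
            value[op] = v
        if tx["txid"] == source_txid:
            for op in outs:
                taint[op] = 1.0
            continue
        total_in = sum(value[i] for i in tx["inputs"])
        tainted_in = sum(value[i] * taint.get(i, 0.0) for i in tx["inputs"])
        if total_in == 0:            # no inputs: freshly issued funds, untainted
            t = 0.0
        elif mode == "haircut":
            t = tainted_in / total_in
        else:
            t = 1.0 if tainted_in > 0 else 0.0
        for op in outs:
            taint[op] = t
    return taint


def _spent(ledger: List[dict]) -> set:
    return {i for tx in ledger for i in tx["inputs"]}


def unspent_tainted_value(ledger: List[dict], taint: Dict[OutPoint, float]) -> Dict[str, float]:
    """Tainted value per address over unspent outputs only, i.e. where the money sits now."""
    spent = _spent(ledger)
    by_addr: Dict[str, float] = defaultdict(float)
    for tx in ledger:
        for idx, (addr, v) in enumerate(tx["outputs"]):
            op = (tx["txid"], idx)
            if op not in spent and taint.get(op, 0.0) > 0:
                by_addr[addr] += v * taint[op]
    return dict(by_addr)


def flagged_addresses(ledger: List[dict], taint: Dict[OutPoint, float], threshold: float) -> List[str]:
    """Addresses holding an unspent output whose taint meets the threshold (a refuse-to-transact list)."""
    spent = _spent(ledger)
    flagged = set()
    for tx in ledger:
        for idx, (addr, _v) in enumerate(tx["outputs"]):
            if (tx["txid"], idx) not in spent and taint.get((tx["txid"], idx), 0.0) >= threshold:
                flagged.add(addr)
    return sorted(flagged)


if __name__ == "__main__":
    for mode in ("haircut", "poison"):
        t = trace_taint(LEDGER, "pay", mode)
        print(mode, unspent_tainted_value(LEDGER, t), flagged_addresses(LEDGER, t, 0.5))
```

Under the haircut policy the 10 units paid as ransom are still fully accounted for after the split and the mix (2.5 each at a4 and a5, 1.0 in each unspent mix output, 2.0 in the exchange deposit), which is the automated following eternalban and mihaifm describe. The same run also shows gnopgnip's objection: once the bystander's 30 units go through the mix, every mix output carries one seventh taint, so the threshold in flagged_addresses decides how many uninvolved outputs get refused. The poison policy marks all of them, which is simpler but is exactly the over-reach zelly's "computationally expensive" caveat is about.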
| rossjudson wrote:
| If a chemical plant sets up in an area then pollutes the environment during the course of business, it is required to clean up the mess. Known risks are required to have mitigations ready, and sometimes-expensive procedures must be followed to ensure safety.
|
| Bitcoin (and everything like it) is very much at the "Pollute the environment with whatever the hell I want" phase of its existence. That should change.
|
| Bitcoin should be taxed to recover the externalized costs it imposes -- basically, compensate the victims of bitcoin-enabled crime.
|
| Is only a small fraction of bitcoin usage related to crime? No problem -- the tax will be very low.
| 1123581321 wrote:
| In what way did you buy into Bitcoin? I don't understand what choice was presented to you.
|
| If you're referring to why people like it, those things can all be true despite criminals also using it.
| notsureaboutpg wrote:
| Encryption is the only way to achieve a specific goal (hiding sensitive digital information from other viewers).
|
| Bitcoin is one of many ways to achieve a specific goal (transferring money between entities over the internet) and it has one significant drawback, it is difficult to regulate, track, etc.
|
| Governments need to have a good idea of where money is going, at least they need to know that more than they need to know what people are saying to each other
| Hitton wrote:
| You really can't blame them much, they had backups. University doesn't work like corporate, you have thousands of students who change every year, do their projects for which they require a lot of access; you can't lock everything dangerous, can't have any sensible BYOD policy, ... It's really hard to lock up everything while not limiting students too much. With an organization like this, that sort of incident is unfortunate but inevitable.
| tomashertus wrote:
| Public universities and their security budget are highly underfunded.
| They can't afford to invest heavily into security.
| _wldu wrote:
| We sometimes refer to a public university as having a museum-like security posture. They have to be open to the general public, have to allow in visitors, yet guard things at the same time. It's not at all like strict corporate IT security. It's a fine line to walk. If you've never done this sort of security work before, it can seem odd and foreign for a while.
| Giorgi wrote:
| There is no way those 450k are not being traced right now like hell, most likely it was allowed just because investigation said so, it's a matter of time now
| paulpauper wrote:
| This shows how bug bounties are pitifully small and inadequate. Stop thinking that a $10k reward will prevent hackers. Either pay up for sec experts or be prepared to pay up through extortion or having your site exploited, and it will cost way more than 10k.
| tlogan wrote:
| I do not know anything about bug bounties but I do know that selling backup solutions is super super hard.
| jacquesm wrote:
| Actually, this level of payment is roughly optimum value extraction by the parasites at a level that _still_ makes the company feel like they did the right thing by skimping on their security. Because if the chance of incidence * damage < the cost of mitigation then they'll be more than happy to let it happen again.
|
| 500K once every 20 years or less beats 50K annually handsomely. Never mind the fact that once you lose control of your data you can never be sure you got that control back, that's somebody else's problem.
|
| People are not very good at threat modeling, estimating chances of things happening to them and estimating the damage resulting from an incident. We collectively are not good at ensuring that the companies where these things happen get dealt with properly.
| csomar wrote:
| These kinds of hacks were not possible before Bitcoin and the trend clearly just started.
| I don't think it'll be one hack every 20 years if they don't fix their security.
| Nasrudith wrote:
| To be pedantic, technically they were before and likely easier (unless they didn't have their records computerized, but universities were early adopters there) but there wasn't much of a point in doing so. Grade tampering would be far more likely.
|
| The black hat hacker "ecosystem" has also professionalized from doing it for kicks to doing it for the dough.
| jacquesm wrote:
| Fair point, the frequency will probably go up. Also, they are now on the record as being (a) not capable of keeping their stuff secure and (b) willing and able to pay up, which is blood in the water for the sharks.
| LunaSea wrote:
| Aren't scammers using Apple gift cards?
|
| Bitcoin isn't the issue here.
|
| When you have the pressure on the target, you can make them pay in whatever currency you'd like and there will always be one.
| csomar wrote:
| It's much harder to launder $100mn with gift cards. That's easy with Bitcoin.
| xwdv wrote:
| No. Because even a sec expert can't guarantee there won't be some kind of breach. And then what? Pay an expert AND get ransomed?
|
| Better to throw it to a free market and let people find bugs for peanuts.
| ausjke wrote:
| so many ransomware locking down governments and companies these days, it's impossible to be 100% secure over internet 24x7, but how about a decent backup scheme, so that if someone locks down the data, you can get back online without decrypting it? it seems to me, as long as you have daily incremental backup in place, you should have no fear about those ransomwares?
| bpfrh wrote:
| In this case, they had a backup and restored from that.
|
| The attackers also only encrypted about 0,02% of the systems, but the university paid because the attackers threatened to make the stolen data public.
| beamatronic wrote:
| Or have a bulletproof recovery plan
| edoceo wrote:
| Disk clones to the rescue!
| iNate2000 wrote:
| They said[1] that they paid to avoid the information release. A backup won't help with that threat.
|
| [1] https://attheu.utah.edu/facultystaff/university-of-utah-upda...
| [deleted]
| paxys wrote:
| Actually it's the exact opposite. Bug bounty programs have constantly proven to be among the most effective ways of increasing a company's security, no matter how "pitiful" the payouts are. The overwhelming majority of people, when they find an exploit, are going to do the right thing and report it, not sell it to the highest bidder. Increasing the bounties isn't really going to help, considering there's always going to be a hacker group or government entity willing to pay more.
|
| Of course the programs aren't going to be a replacement for real product security teams, but they were never meant to be.
| ohazi wrote:
| This seems like the market for risk at work. Just as in drug trafficking, more money tends to go to parties that take on more risk. In this case, that's the criminals doing the extorting. So unless the security researcher wants to engage in illegal activity themselves, they probably aren't going to get anywhere close to the extortion dollar amount by just selling their exploit to criminals. At best they'll probably get something close to a large bug bounty, or maybe a few times that.
|
| When setting bug bounty payouts, the company should be looking at what security researchers are likely to get when selling an exploit to criminals, not the actual extortion dollar amount (assuming that most security researchers are not willing to personally engage in illegal activity themselves, which appears to be the case).
|
| However, when evaluating the _value_ that a bug bounty program brings to the company, they should absolutely consider these typical extortion amounts.
| nordsieck wrote:
| > This seems like the market for risk at work. Just as in drug trafficking, more money tends to go to parties that take on more risk. In this case, that's the criminals doing the extorting. So unless the security researcher wants to engage in illegal activity themselves, they probably aren't going to get anywhere close to the extortion dollar amount by just selling their exploit to criminals. At best they'll probably get something close to a large bug bounty, or maybe a few times that.
|
| This doesn't strike me as a very accurate assessment of the situation. There are already markets where people can buy and sell exploits: researchers don't have to get their hands dirty to get paid for their exploits.
| ohazi wrote:
| You've missed my point.
|
| I'm saying that the market value of _actually performing an illegal act of extortion_ is higher than the market value of a zero-day, either on one of these markets or via bug bounty.
|
| I'm arguing that the price is different because of the risk of getting caught and going to jail, not that there isn't a market for security researchers to sell exploits to criminals without otherwise getting their hands dirty.
| pitaa wrote:
| Plus, by having a bug bounty program, it indicates that they're going to be reasonable and accepting of outside bug reports. In the absence of such a program, one can't be sure that a bug report isn't going to result in angry phone calls from tech-illiterate people accusing you of hacking them.
|
| I recently found a compromised server on a university's network. I wasn't going to cold call them to report it because I had no idea how Betty answering the phones would react. Instead, I sent it to an IT contact that I knew personally. I knew that he didn't have anything at all to do with this, but that he would know who to get it to.
| ponker wrote:
| But if the bounties are 20x as high then surely it will draw more whitehats to the market. A security engineer who is working at Netflix or Visa making over $200k or whatever will not work late nights for a $10k bounty but he might for a $500k bounty.
| paxys wrote:
| Companies like Google and Facebook have paid up to $50K for single bug reports. Ultimately the problem is that regardless of the effort you put in your earnings are likely going to be $0, due to the sheer amount of randomization and luck involved, which makes it unlikely that anyone will leave their full time job for it.
| ponker wrote:
| I don't think anyone will quit their job for it but it will influence the decision of "play flight simulator or hack on targets"
| simonh wrote:
| In theory yes, but there's going to be serious diminishing returns. At what point does doubling the reward no longer double the number of person hours you're incentivising to work on the problem? At what point does doubling it increase the effort expended by less than 10%? Compared to spending that money on your own research teams, where the cost/effort you're buying is likely to be much closer to linear.
| Veserv wrote:
| Actually you are both right. Bug bounty programs are extremely effective because they find serious vulnerabilities for vastly less than the damages you would expect if they were exploited. However, the fact that the bug bounties are so low indicates that the prevailing security is atrocious.
|
| To explain, generally speaking a bug bounty is going to be the smaller of:
|
| 1. Cost of Discovery, since that is the amount someone would be willing to find bugs at; otherwise they are losing money on each bounty they get.
|
| 2. Cost of Damage (risk-adjusted), since that is the most a company would be willing to pay.
|
| The reason for this is that as long as the Cost of Discovery is lower than the Cost of Damage (up to ROI), it is reasonable to keep paying the Cost of Discovery since you are paying less than the risk-adjusted harm. But, there is also no point paying significantly more than the Cost of Discovery as long as people keep reporting problems as fast as you can fix them, since there is no real reason to pay to get more problems than you can fix. So, to first order the bug bounty for a certain type of problem reflects the cost of discovery of that type of problem.
|
| Circling back to the original point, we see problems that can cause millions in damages getting bug bounties on the order of $10K. This means that, to first order, million dollar attacks only cost $10K to execute, which results in a crazy high ROI in the 100s. With an ROI in the 100s, it should be no wonder that such attacks have been increasing in frequency given their sheer profitability. The fact that bounties are so low for such critical problems is a major indictment on the prevailing level of security in the industry.
| giancarlostoro wrote:
| > 1. Cost of Discovery since that is the amount someone would be willing to find bugs at otherwise they are losing money on each bounty they get.
|
| This is probably the biggest issue in terms of incentives to a researcher. You're either finding the bug by accident or out of curiosity, or you stop short of basically losing money you would otherwise earn doing a paid audit.
| gkoberger wrote:
| Is this the right way to look at it?
|
| That's like saying CVS security guards are pitifully small and inadequate. Yeah, you're right, they aren't going to stop a proper robbery... but stealing is illegal and shouldn't be happening either way. Same for hacking.
| kiba wrote:
| They have security guards?
| edoceo wrote:
| Many stores do, not just CVS.
| a_t48 wrote:
| Yeah - come to downtown SF and see.
| :)
| umvi wrote:
| Is this because of prop 47?
| samatman wrote:
| If CVS security guards had to guard against every burglar in the world, including ones who would just as happily go after bank vaults, then the situation would be comparable, yes.
|
| If, that is, the burglars could automatically try and burgle every commercial establishment and home in existence, succeeding, with zero effort expended, if the security guards in question were insufficiently vigilant.
| nippoo wrote:
| As an idea: crowdsourced bug bounties. If software companies aren't willing to offer sensible incentives, corporations (who often have far more money at stake) should fill in the gaps. If someone built a platform to allow e-commerce/finance/other web companies to (collectively) fund a $500,000 bug bounty for an exploitable bug in an SSL library/Linux/Android/STM32/whatever project they rely on for security, it might encourage many more white hat hackers to pen-test the platform...
| leephillips wrote:
| What if it were a federal criminal offense to pay ransom? With long prison sentences for any individual convicted of participating in or having knowledge of a payoff? And the government was serious about tracking down and prosecuting anyone who did so? Nobody would pay ransom, and, at least in countries with such a law, these extortion gangs would stop bothering.
| colinmhayes wrote:
| Then they just wouldn't admit to being attacked. Companies would still pay ransoms, but we wouldn't know about it.
| gruez wrote:
| I mean that's like saying "banning insider trading/securities fraud won't work, because people will still do it". Yeah, they might, but I find it hard to believe that an executive is loyal to their company to the extent that they'll risk years of jail time for it.
| eternalban wrote:
| Trading is a public act. Cooking the books to hide a payment by some random corp is orders of magnitude more obscure than trading in securities.
| teachrdan wrote:
| If the ransomers are terrorists, then it is a crime to pay them. This has been a challenge when Americans are kidnapped overseas and their families want to pay the ransom but are warned that doing so is illegal.
| kmonsen wrote:
| There are fairly easy ways to get around this. Everyone says they never pay ransoms, but they mostly do. It is not a ransom, but you hire some cousin to do a non-existent project etc. These things happen in parts of the world where transparency is not a top priority.
| ryandrake wrote:
| How does this fool even a semi-competent lawman? "Oh, officer, I never bought drugs. That's totally illegal. I just left money in a box that my cousin picked up, and a few days later the drugs just appeared there. Totally not, myself buying drugs, though!"
| renewiltord wrote:
| Because for drugs, the semi-competent lawman goes after you. If it's for my child's life, there's no point going after me. I'd go to prison for life for that. You can't apply prison as a deterrent, you can't use it to prevent me from harming others, and honestly, you can relate to me.
| iandev wrote:
| > "The university's cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom"
|
| I was looking to dunk on them but it seems that what they did wasn't entirely unreasonable. The article further states that they paid to protect student data.
| Lionga wrote:
| Where did the money come from if not from "tuition, grant, donation, state or taxpayer funds"? And if they have another source of funding, this still means the money is missing to fund things in the future that now they have to use "tuition, grant, donation, state or taxpayer funds" for.
|
| They also send a clear message that ransomware blackmail is a great business model. I think that is more than enough reason to dunk on them.
| pc86 wrote:
| No you don't understand, they didn't use _that_ money, they used _different_ money! Never mind that money is fungible.
|
| Unless they set money in the budget every year for "Ransomware Insurance Shortfall" this is 100% "tuition, grant, donation, state or taxpayer funds" at some point in the chain.
| sgeorge96 wrote:
| It was partly covered by insurance.
| lotsofpulp wrote:
| Which came from insurance premiums paid by the university.
| abluecloud wrote:
| which was paid for with tuition, grant, donation, state or taxpayer funds
| mywittyname wrote:
| Which will continue to pay for the now-increased ongoing premiums.
| edoceo wrote:
| Turtles
| pc86 wrote:
| We're talking about the part that wasn't.
| scarmig wrote:
| Even the insurance policy that distributed the payout was ultimately paid for with those funds.
| colinmhayes wrote:
| Sunk cost
| candiodari wrote:
| Plus obviously insurance simply means they're using tuition money to pay for ransoms, but all the time, not just when they're threatened.
| jessaustin wrote:
| If they're spending it all the time anyway, why shouldn't the payment have been made?
| freeopinion wrote:
| Utah's higher education system has what I think is a very stupid tuition hierarchy. It seems that tuition is set by the state legislature and cannot be modified by the individual school. But schools can set other fees. So they have this concept of "differential tuition". That is some arbitrary amount that they choose to charge for a particular class that is the difference between what tuition would be if they could control it and the amount mandated by the legislature.
|
| You may have paid all your tuition and still owe the university tuition. Got a tuition scholarship from the university? Better check the fine print. Full-tuition or half-tuition doesn't necessarily mean what you think it means. It might only cover one of the definitions of tuition.
| Each class can have multiple tuitions of arbitrary amounts and you have to pay them all; your scholarship does not have to cover them all.
|
| Oh, and it is impossible to know how much to budget for a 15-credit hour semester unless you provide a specific list of classes taken.
|
| So, "didn't come from tuition" is an ambiguous statement from a Utah school.
| afrcnc wrote:
| From football game ticket sales... duuuh
| bagacrap wrote:
| school store textbook sales
| [deleted]
| zucker42 wrote:
| I think I'd agree with the end of the article. If the only reason you're paying them is to prevent a data leak, what's to stop them from accepting the ransom and still leaking the data?
| gowld wrote:
| Hacker has a reputation to maintain.
| zucker42 wrote:
| Except there's not even any claim or confirmation about which group performed the attack, though one is suspected according to the article.
| Nasrudith wrote:
| What is to stop them from acting like a blackmailer and going back for more later? Technically all they need is for giving money to "help" short term to maintain their "reputation". It is a Danegeld situation.
| frakt0x90 wrote:
| I have to say I think ransomware is one of the most interesting "business" practices. The trustworthiness of the criminals is huge because if they have a track record of providing the decryption key, you may as well pay.
|
| In a logical extreme you could start adding features like "Give us the info of people you know and for every one we successfully extract a ransom from we'll give you 10% off your ransom."
|
| It's interesting to think about at least.
| ManBlanket wrote:
| You could look at it as an unsolicited security audit of your system and the ransom as a contractor's fee for a job well done.
| jjeaff wrote:
| I think one of the only ways to stop ransomware would be to set up a team distributing the ransomware, extracting fees from the victims and then -not- providing the keys.
| A few high profile cases of this should be enough to destroy confidence that paying a ransom will work.
| markkanof wrote:
| Couldn't you also just plant some "shills" who claim that this happened to them and they lost all their data?
| russellendicott wrote:
| This is brilliant. Destroy the credibility of the criminals.
| jacquesm wrote:
| By becoming a criminal yourself? The cure seems to be much worse than the disease.
| pests wrote:
| And a bunch of people's data.
| vkou wrote:
| The ransomware guys will wise up, and use different keys to encrypt different parts of your database. They'll then request some fraction of the payment, in exchange for decrypting part of your DB, as proof that they do have keys.
| HanayamaTriplet wrote:
| There was a story published by ProPublica[1] reporting on this sort of progression from the side of people negotiating to pay the ransoms. Here's a small excerpt, but I think the whole thing is worth a read:
|
| Storfer learned quickly never to use the term "hacking." Instead, he would assume his correspondent "thinks they're a businessman," Storfer said. "I'd say: 'Look, we can't afford this [ransom] at this time. Do you mind providing your product [recovery key] at a lower rate?' And it worked," he said. "They're doing a job where everyone hates them, so feeling like they were respected made them work with us. I like to think empathy goes a long way." The rapport sometimes reaped discounts. "We were able to get a $5,000 ransom lessened to $3,000 because they knew we could deliver it exactly when we said we were going to get it to them," Storfer said.
|
| [1]: https://features.propublica.org/ransomware/ransomware-attack...
| gowld wrote:
| Reads like someone bragging about being incompetent. I'm sure the foreign language native attackers who call themselves "Evil Corp" would respond to "non-business" negotiations as well. They don't want your data deleted, they want money.
| chillacy wrote:
| Reminds me of some of the stories in Never Split The Difference, where the author was a hostage negotiator for the FBI who would reduce ransoms (on human hostages) from millions to, in one case, a few thousand. He relayed a similar reasoning: at the end of the day they want to get paid and a dead person is worth $0 (and potentially the SWAT team coming in).
| gowld wrote:
| I don't think many admins would respond to a security breach by taking bribes to break more laws. But maybe they would, and help us clear out these incompetents.
| e40 wrote:
| Or even insiders helping ransom businesses infect a company with money. Seems unlikely, but not impossible, especially if the ransomware folks can find and make a significant offer to the insider.
|
| I would think the biggest impediment to insiders doing this would be how to successfully hide and use the money, if it was a lot.
| _Nat_ wrote:
| If that became a big business model, then we might start getting meta-criminals:
|
| 1. They infect a major institution with ransomware.
|
| 2. They demand, and successfully receive, a major ransom.
|
| 3. They DON'T immediately release the key, despite the ransom being paid. Instead, they issue an open demand for ransoms to be paid to a random Bitcoin address from other major ransomware groups.
|
| 4. The meta-ransomers only release the key to the original victim if they receive sufficient ransoms from other ransomers.
|
| The meta-criminals would essentially be ransoming the credibility of ransomers. If the ransomers don't pay up, then the meta-ransomers will chip away at their credibility.
| jtsiskin wrote:
| This doesn't work because a ransomware group could just sign their message. I wouldn't be surprised if they do already
| to11mtm wrote:
| That doesn't sound like it would work amazingly well.
|
| First thought is that the 'meta-ransomers' would probably only get one or two shots at such an action working before the major groups make some sort of statement (and even perhaps provide some sort of way to 'authenticate' that an attack is from one of the more 'trustworthy' ransomware groups.)
|
| Second thought is that it would have to be a gutsy group of rogue actors or group of rogue actors. A lot of these underground folks still know each other one way or another and this would probably be considered a big 'f--- you' to the rest of the community. Bridges would be burned, unspoken agreements in the sphere may be violated. You could even see the ransomers quickly turn their efforts to exposing the meta-ransomers.
|
| On the other hand, it could become an 'arms race' as the meta and non-meta ransomers start trying to shut each other's ransomware down
| jacquesm wrote:
| You've got a partner now.
| vmception wrote:
| Wish one of these was publicly traded onchain. We almost have the level of privacy necessary to own the shares anonymously and distribute profits adequately too.
|
| I think you could do it by issuing the shares as a zkAsset using AZTEC, and any ransom paid in btc could be transposed to renBTC on Ethereum, deposited into zkSYNC and distributed to all shareholders proportionately in the zkSYNC; that distribution transaction wouldn't be recorded onchain (although maybe zkSYNC has some ability to monitor transactions) and shareholders can withdraw their dividend at their own will.
|
| But otherwise they can just convert the BTC to XMR first, and reintegrate that however they want.
| api wrote:
| They paid 457k for not having backups.
| lern_too_spel wrote:
| They had backups. They paid $457k for a pinky promise not to release private data.
| dmd wrote:
| To be fair, it's a pinky promise where the attackers know that if they _ever_ break one of these promises, nobody will _ever_ pay them a dime again.
| lern_too_spel wrote:
| They can make it a monthly subscription to get recurring revenue.
| lotsofpulp wrote:
| RaaS.
| notahacker wrote:
| tbh that's not necessarily the case since the attackers are anonymous. It's just they don't actually have much incentive to release the records once they've collected their blackmail money.
| c22 wrote:
| They can just change their name next time.
| frank2 wrote:
| It is not its own reputation that this particular attacker is able to defend, it is the reputation of _anonymous_ attackers in general, which depends mostly on how other attackers behave, not how this particular attacker behaves.
|
| So the incentive to keep its promise is only weak.
| ttymck wrote:
| So, we can only assume that, if we follow the money far enough, we would almost surely find this "gang" is connected to one or more administrators at the institution.
| panpanna wrote:
| Oh wonderful.
|
| Now we will see more of these types of attacks.
| gowld wrote:
| The data was leaked. They didn't "pay ransom to stop leaks".
| bluecalm wrote:
| At this point the government agency should perform some of those attacks, extort the money, make it public and then delete the data so the victim is out of data and the money.
|
| Paying ransoms is terrible for the world. We will have more attacks on more targets. There needs to be heavy incentive to not pay.
| renewiltord wrote:
| ^ things that will get you instantly unelected
| folmar wrote:
| No one was up to admitting it happened in the first place.
| caddie wrote:
| Why would a university have so much cash laying around? Oh yeah, it's in the business of making money with a side effect of MAYBE educating people. SO DAMN WRONG. Time to hit the RESET button in the higher education system in USA.
| trillic wrote:
| U of Utah has an operating budget of nearly $5 Billion so having a couple hundred grand in cash isn't exactly a lot.
| apta wrote:
| Aren't public universities much cheaper than private ones?
| werber wrote:
| For the most part, that's true for in state tuition but the costs go up if you're out of state or international to the point they can rival many private institutions.
| ocdtrekkie wrote:
| The article states the ransom was paid by an insurance provider. Cyber insurance is actually not uncommon these days, and is presumably a normal part of their annual budget.
| pc86 wrote:
| Part, not all. They did have to pay a portion.
| jaclaz wrote:
| Yes, I often wonder about two things:
|
| 1) How much is the actual insurance rate for such a guarantee?
|
| 2) Which kinds of checks the insurance provider makes on the security of the setup; I mean, in a much more common car theft case the insurance provider requires that the user has not left the keys in the car and that the car was locked (evidently balancing the risk against the "normal" provisions the car manufacturer has implemented and on "correct standard procedures" by the final user).
| eli wrote:
| Both questions are related and the answer is "it really depends." Small business cyber insurance can be a few thousand dollars a year. I'm sure you can get a better rate (and at some scale it probably becomes almost required) to have pen tests and third-party audits and formal certifications.
| jaclaz wrote:
| Thanks, I know that "it depends", but a few thousand a year is just a (vague) number, as well as how small the small business is to be agreed upon and - very likely - small businesses are "easy wins" for insurance companies, not because they have better security, but rather because they are very unlikely probable targets.
|
| I wondered about what would be rates (order of magnitude) and on what they would be calculated.
|
| To give you an example, AFAIK if you were to get insurance, so called "Contractors All Risk" for a building project, you could expect anything between 0.7 and 1.5 % of the value of the project, on average around 1.1-1.2 % over the usual 5-6 years of duration, with the lower end about (relatively) low risk projects (roads without particularly complex constructions and normal houses) and the higher end on (relatively) high risk ones (roads with bridges, tunnels, skyscrapers).
|
| These can be negotiated a bit, based on experience on past projects, internal safety and quality assurance procedures, but the order of magnitude remains in that range; but in case of an accident/claim, not entirely unlike the car theft example, but much more complex, you need to prove that you followed all safety and employment regulations, respected building codes, that machinery was efficient, etc.
|
| In the case of IT, rates for a given firm/institution would depend on the invoicing or on the amount of personal data?
|
| I mean, you can make 1,000,000 US$/year with 10,000 customers (personal data) at 100 US$ each/year or with 50 customers at 20,000 US$ each/year.
|
| And what kind of "good practice" would you need to prove (if any)?
| eli wrote:
| I'm sure it depends on revenue, the amount of personal data, and the nature of the business. I don't know how the rates are calculated but I've helped fill out the paperwork on a few applications and it's not dissimilar to what you might have to go through to become an approved technology partner with a Fortune 100 company. Do you have a disaster recovery policy? If so, when was it last tested? Do you get pen tests? What was the result of the last one? Are there any open items? Describe the technical access controls around customer data. Describe the physical security measures in place around your servers and IT infrastructure.
|
| Keep in mind that you don't need to necessarily "prove" things that can be checked later. The insurance company is happy to take your word that there's no PCI card data on your network and cash your premiums. If there is and it gets stolen in a hack they simply won't pay out.
| colejohnson66 wrote:
| While I agree with you, is half a million dollars really that much money for a university to have? Not to mention that U of U is _not_ private; they're publicly funded by the state.
| marcinzm wrote:
| Like any entity that wishes to not fail miserably at the next recession, universities have cash reserves and investments. It'd be rather stupid of them not to since their income can be impacted by outside events ( _cough_ covid _cough_ ) and they wish to survive long term (more so than corporations). To that same effect donations go into an endowment which allows for stable long term income to be generated.
___________________________________________________________________
(page generated 2020-08-21 23:00 UTC)