[HN Gopher] University of Utah pays $457k to ransomware gang
       ___________________________________________________________________
        
       University of Utah pays $457k to ransomware gang
        
       Author : jpkoning
       Score  : 124 points
       Date   : 2020-08-21 14:02 UTC (8 hours ago)
        
 (HTM) web link (www.zdnet.com)
 (TXT) w3m dump (www.zdnet.com)
        
       | fizixer wrote:
       | When you pay ransom for physical possession you get your
       | possession back.
       | 
       | When you pay ransom for lost data you get a copy of your data
       | back. The culprits still have the data, but they likely don't
       | have a use for that data.
       | 
       | But this is the worst kind of ransom.
       | 
       | You already have the data, you're paying ransom to make sure the
       | culprits don't use the data, but the culprits still are in
       | possession of the data and they can use the data next year, or
       | two years later, or demand more payment next year.
       | 
       | What in the world?
        
         | [deleted]
        
         | parliament32 wrote:
         | >The culprits still have the data
         | 
         | It'd be too hard/expensive to exfiltrate the data once it gets
         | large enough, without much added benefit. They just encrypt it
         | in-place.
        
           | beervirus wrote:
           | Well it's exactly what happened here.
           | 
           | > The university said its staff restored from backups;
           | however, the ransomware gang threatened to release student-
           | related data online, which, in turn, made university
           | management re-think their approach towards not paying the
           | attackers.
           | 
           | The university is paying them not to release the data, but it
           | has no way of forcing them to delete it.
        
       | sho wrote:
       | Devil's advocate: ransomware is good. The financial incentives
       | around it directly encourage this variety of hacking. It's an
       | involuntary "bug bounty". And IT security becomes something more
       | than a "nice to have" for these institutions, which it never
       | would have before.
       | 
       | $450k? Universities know all about paying to learn. That's cheap,
       | and they won't make the same mistakes again.
        
         | mping wrote:
          | What about the fact that paid ransoms prove a viable business
          | model? And I bet hackers can hack faster than unis can secure
          | themselves.
        
         | edflsafoiewq wrote:
         | Crime reduction is good. Therefore crime is also good because
         | it incentivizes crime reduction.
        
           | paulpauper wrote:
           | murder is good because it discourages people from engaging in
           | behavior that may cause them to be murdered
        
         | AnIdiotOnTheNet wrote:
         | Actually, depending on the cost of mitigating this sort of
         | disaster in the future, they may learn the lesson that it is
         | simply less expensive to pay the ransom.
         | 
          | The criminals doing these sorts of things are businesses too,
          | they are unlikely to price themselves out.
        
           | ipnon wrote:
           | Markets in everything: The price of ransomware will reach
           | equilibrium when the cost of paying the ransom becomes equal
           | to the cost of paying for cybersecurity. Then we're back to
           | "to pay or not to pay" once again being a merely
           | moral/ethical issue.
        
           | rubber_duck wrote:
           | Nonsense, it's not like it's one criminal group behind this
           | or like these people are building a sustainable business
           | model. Pay and ignore approach doesn't work at all long term.
        
           | sho wrote:
           | Well, that is a decision every institution needs to make by
           | themselves, of course. At least now there is a visible price
           | tag attached, rather than trying to hide behind misuse laws
           | ("it's ILLEGAL to access our systems in that way!")
        
         | downrightmike wrote:
         | $450k is about tuition for 56 instate or 17 out of state
         | students. Basically peanuts. The U is $8,048 for Utah residents
         | and $25,361 for out-of-state students. It has a total
         | undergraduate enrollment of 24,743
        
           | overeater wrote:
           | So about a quarter of a percent of their tuition income?
           | That's pretty massive, considering this is an unexpected
           | cost.
        
       | 0xbkt wrote:
       | Out of curiosity, are these hackers still demanding ransom money
       | in Bitcoin, or say any traceable cryptocurrency?
       | 
       | I remember encountering similar scenarios before and they all
       | seem to want the money in a Bitcoin address.
       | 
       | Why not Monero, or an alternative if there is any, which I guess
       | makes moving the funds around much more stealthily? Please
       | correct me if I'm wrong.
        
         | paulpauper wrote:
         | no one is getting arrested or caught in spite of the
         | traceability, unless the hacker is dumb enough to just deposit
         | the BTC on an exchange immediately. The btc is split up and
         | sent through mixers and laundered into thousands of tiny pieces
         | and after a few years or so forgotten by anyone trying to track
         | it.
        
           | kmonsen wrote:
           | Are they not just hiding in places which don't care about
           | these kind of things?
        
           | eternalban wrote:
           | > after a few years or so forgotten by anyone trying to track
           | it.
           | 
           | Help me with this, as I simply do not understand this
           | 'forgetting' bit. Are you saying that a police agency, say
           | FBI, is incapable of writing a (trivial?) program that tracks
           | the coins, for as long as it takes to close the case?
        
           | mihaifm wrote:
           | All the tiny pieces could be traced in an automated way. It's
           | probably the lack of regulation that lets exchanges get away
           | with not implementing better anti-laundering mechanisms.
        
             | gnopgnip wrote:
             | And going after those tiny pieces would involve a lot of
             | other people who are innocent
        
             | [deleted]
        
             | colinmhayes wrote:
             | That's not how tumblers work. There's no way to link the
             | input and output addresses when you go through a tumbler.
        
               | readams wrote:
               | You could refuse to transact any tumbler output.
        
         | jpkoning wrote:
         | They're still usually asking for bitcoin.
         | 
         | A few months back REvil/Sodinokibi switched to Monero, but I
         | think they're the only strain to do so.
        
         | voxic11 wrote:
          | For smaller scale ransomware bitcoin was and still is very
          | popular because it's the easiest crypto to buy and use. So if
          | your average target is a non-technical home or small business
          | user bitcoin will net you far better returns.
          | 
          | Ransomware still often includes live phone support and other
          | features targeted at helping victims purchase and send bitcoins
          | because it's still a difficult and unfamiliar task for the
          | average person.
        
           | markkanof wrote:
           | That's so disturbing. I can't imagine going through a phone
           | call with "tech support" trying to figure out how to send
           | bitcoins knowing the whole time that the support person is
           | the one who is extorting ransom from you.
           | 
           | It also seems like an opportunity to escalate the scam to the
           | next level. Go to this site (controlled by the scammer) and
           | enter your credit card to send bitcoin. Now they have your
           | credit card too.
        
             | colinmhayes wrote:
             | This is how I feel on the phone with comcast. It's just
             | business
        
       | mensetmanusman wrote:
       | Just think, they could have paid two engineers to fortify their
       | systems against such an attack and still saved lots of money.
        
         | umvi wrote:
         | Just think, one of your own unscrupulous employees could be
         | bribed to infect your own systems to get ransom kickbacks.
        
         | lern_too_spel wrote:
         | How do you know they weren't already paying at least two
         | engineers to fortify their systems?
        
           | sgustard wrote:
           | How do you know those two engineers aren't $457k richer now?
        
           | mensetmanusman wrote:
           | Hmm. I'm guessing not having backups means they may have been
           | paying one person but also giving that person way too many
           | responsibilities such that they couldn't focus on doing a
           | backup well.
        
             | exdsq wrote:
              | The fact they have backups is literally at the top of the
              | article...
        
               | mensetmanusman wrote:
               | Wups!
               | 
               | I assumed ransomware was always a class of attack wherein
               | non backed up data was at risk.
               | 
               | This seems like a failed ransomware attack where the
               | university just got unencrypted information stolen that
               | they didn't want released.
        
               | ziddoap wrote:
               | >a class of attack wherein non backed up data was at risk
               | 
               | Ransomware is just the act of preventing access to data,
               | with the access being reinstated after paying a fee to
               | the attacker. Generally accomplished by encryption.
               | Whether or not the victim has mitigations, backups, etc.
               | holds no relevance to the class of attack.
               | 
               | >This seems like a failed ransomware attack
               | 
               | It's not really a failed ransomware attack. The attack
               | was successful (they were able to encrypt some data),
               | followed by successful reinstatement of access to the
               | data by using backups, followed by successful extortion
               | by the attacker.
        
             | R0b0t1 wrote:
             | The ransom was paid by an insurance provider, so they were
             | at least doing something to acquire coverage.
        
               | pc86 wrote:
               | Part of it. They covered the rest.
        
               | paulpauper wrote:
               | probably insurance is cheaper than hiring sec experts
        
               | adrr wrote:
               | Insurance coverage is common. Depending on coverage
               | amount may require independent audits.
        
             | jaclaz wrote:
             | They did have the backups, the ransomware was paid for
             | (maybe) not having the stolen data published/sold.
             | 
             | >The university said its staff restored from backups;
             | however, the ransomware gang threatened to release student-
             | related data online, which, in turn, made university
             | management re-think their approach towards not paying the
             | attackers.
        
               | Klinky wrote:
               | Even worse, because we can totally trust data can't be
               | copied or released once an extortionist ransom is paid to
               | malevolent hackers. I am sure this ransomware gang is on
               | the up and up and operating in a good faith to honor the
               | agreement. In a few months we may see "University of Utah
               | pays another $457k to the same ransomware gang".
        
               | AnIdiotOnTheNet wrote:
               | It is not in the best interest of the ransomware gang to
               | ignore their part of the bargain. If that second headline
               | happens, it will be a signal to every one of their future
               | victims that they will not honor agreements and you're
               | better off not paying them.
               | 
               | This is why the vast majority of encryption-based
               | ransomware puts a lot of effort into ensuring they really
               | can decrypt your files after you pay them.
        
         | doorstar wrote:
         | Plenty of places have more than two engineers and still paid
         | ransomware. This is like any other cyber-crime, which is to say
         | it happens all over, it's not always publicized, and it's very
         | hard to stop.
         | 
         | I watched a couple of presentations on security recently and
         | just felt like we are all in a losing battle. There are always
         | more bad actors, they get better and better, and they are a lot
         | more motivated than any security team you can put together.
        
       | akeck wrote:
       | Can one detect a ransomware infection early by watching copy-on-
       | write snapshots on a file server?
        
         | freeopinion wrote:
         | Not all ransoms are about denying the owner use of their data.
         | Some ransoms are about publishing copies of the data.
        
         | gpm wrote:
         | You can, the company I work for makes a product that does
         | exactly that.
         | 
         | It's very much a last line of defense way of detecting attacks
         | because it means the attackers are already in and already have
         | access to whatever workload is being protected.
         | 
         | https://www.rubrik.com/en/products/polaris-overview/polaris-...
         | 
          | Disclaimer: I'm just an engineer (not a sales person/pr/...)
          | and _all_ my comments on HN including this one are entirely my
          | own views, not the company's views.
        
         | AnIdiotOnTheNet wrote:
         | There are various strategies. One way that is fairly common is
         | to have canary files that, when modified, trigger alerts and
         | other automated action (locking out the account that did the
         | modification, for instance).
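As an added example (not from the thread or from any commenter), here is a minimal canary-file integrity check in Python of the kind the comment above describes: a baseline of hashes is taken when the decoys are planted, and a later pass reports any canary that is missing, renamed, or changed in place, plus any unexpected file dropped beside them. The canary names, their contents and the simulated tampering are all constructed for the demo; a real deployment would scatter the decoys across shares and wire the alert list into the lockout or snapshot-freeze action the comment mentions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed canary layout: decoy files that no legitimate user or process
# should ever touch. Names are illustrative only.
CANARY_NAMES = ["~$budget_draft.xlsx", "passwords_old.txt", "zz_archive.docx"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large canaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path) -> dict:
    """Create the canary files and return a baseline {name: sha256}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(f"decoy content for {name}\n".encode())
        baseline[name] = sha256_of(p)
    return baseline


def check_canaries(root: Path, baseline: dict) -> list:
    """Compare the current directory state against the baseline.

    Returns a list of (name, event) tuples, where event is one of:
      'missing'    canary deleted or renamed (e.g. a new extension appended)
      'modified'   contents differ from the baseline hash (in-place rewrite)
      'unexpected' a file beside the canaries that was not planted (a dropped note)
    An empty list means every canary is intact and nothing new appeared.
    """
    alerts = []
    for name, digest in baseline.items():
        p = root / name
        if not p.exists():
            alerts.append((name, "missing"))
        elif sha256_of(p) != digest:
            alerts.append((name, "modified"))
    for p in root.iterdir():
        if p.name not in baseline:
            alerts.append((p.name, "unexpected"))
    return alerts


def demo() -> tuple:
    """Stand-alone run: a clean check, then a check after simulated tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "share"
        baseline = plant_canaries(root)
        clean = check_canaries(root, baseline)
        # Constructed tampering for the demo: one canary is overwritten with
        # random bytes and renamed, another is overwritten in place.
        first = root / CANARY_NAMES[0]
        first.write_bytes(os.urandom(64))
        first.rename(first.with_name(first.name + ".locked"))
        (root / CANARY_NAMES[1]).write_bytes(os.urandom(64))
        tripped = check_canaries(root, baseline)
    return clean, tripped


if __name__ == "__main__":
    before, after = demo()
    print("intact:", before)
    print("after tampering:", after)
```

The check is deliberately stateless beyond the baseline dict, so it can be run from a scheduled task or a file-server inotify hook; the hash comparison (rather than mtime) is what catches in-place encryption that preserves timestamps.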
        
         | bpoyner wrote:
         | Veeam One can alert you to possible ransomware if there is
         | simultaneous high write rate and high CPU usage on a VM.
        
       | leephillips wrote:
       | They had backups: good for them.
       | 
       | But they also had unencrypted, sensitive information sitting on
       | their networks.
        
       | amelius wrote:
       | It's good to be aware that this entire thing wouldn't have been
       | possible without Bitcoin.
        
         | 7786655 wrote:
         | The whole point of Bitcoin is that you don't get to decide
         | whether I can use it.
        
         | Forbo wrote:
         | It's good to be aware that this entire thing wouldn't have been
         | possible without encryption.
         | 
         | I'm sorry, I'm not sure I'm seeing what point you're trying to
         | make. Are you trying to say that Bitcoin is bad?
        
           | panpanna wrote:
           | Bitcoin was sold to me as freedom, from governments, from
           | banks, etc.
           | 
           | But now I have come to realize that a completely unregulated
           | payment system is very dangerous.
           | 
           | To be clear, Bitcoin is not "bad". Humans are bad and this is
           | why we can't have nice things.
        
             | zelly wrote:
             | Bitcoin is more regulated and more spied on than most forms
             | of payment. To turn a large amount of Bitcoin into dollars
             | in a bank account, you have to go through extreme AML/KYC
             | checks. I can go to a gas station in California and send
             | $1000 in cash to someone in Turkey who could receive cash
             | and walk out a few minutes later. A briefcase full of cash
             | is not regulated at all and can be used to settle debt or
             | pay taxes, unlike Bitcoin. The only advantage of Bitcoin is
             | not requiring the risk of physical presence, which has to
             | be <1% of all crime. Also, unlike cash, Bitcoin by design
             | retains a full immutable public ledger. The criminals can
             | mix their coins, but it'd still be possible (although
             | computationally expensive) to recreate a chain of
             | transactions going back to the original ransom. In the
             | future if Bitcoin is to become used in commerce more, it
             | should be expected that these dirty transaction outputs
             | would be worth less than clean ones or not accepted, like
             | dollar bills cut in half taped together.
        
               | rossjudson wrote:
               | If a chemical plant sets up in an area then pollutes the
               | environment during the course of business, it is required
               | to clean up the mess. Known risks are required to have
               | mitigations ready, and sometimes-expensive procedures
               | must be followed to ensure safety.
               | 
               | Bitcoin (and everything like it) is very much at the
               | "Pollute the environment with whatever the hell I want"
               | phase of its existence. That should change.
               | 
               | Bitcoin should be taxed to recover the externalized costs
               | it imposes -- basically, compensate the victims of
               | bitcoin-enabled crime.
               | 
               | Is only a small fraction of bitcoin usage related to
               | crime? No problem -- the tax will be very low.
        
             | 1123581321 wrote:
             | In what way did you buy into Bitcoin? I don't understand
             | what choice was presented to you.
             | 
             | If you're referring to why people like it, those things can
             | all be true despite criminals also using it.
        
           | notsureaboutpg wrote:
           | Encryption is the only way to achieve a specific goal (hiding
           | sensitive digital information from other viewers).
           | 
           | Bitcoin is one of many ways to achieve a specific goal
           | (transferring money between entities over the internet) and
           | it has one significant drawback, it is difficult to regulate,
           | track, etc.
           | 
           | Governments need to have a good idea of where money is going,
           | at least they need to know that more than they need to know
           | what people are saying to each other
        
       | Hitton wrote:
        | You really can't blame them much, they had backups. University
        | doesn't work like corporate, you have thousands of students who
        | change every year, do their projects for which they require a lot
        | of access; you can't lock everything dangerous, can't have any
        | sensible BYOD policy, ... It's really hard to lock up everything
        | while not limiting students too much. With an organization like
        | this, that sort of incident is unfortunate but inevitable.
        
         | tomashertus wrote:
         | Public universities and their security budget are highly
         | underfunded. They can't afford to invest heavily into security.
        
         | _wldu wrote:
          | We sometimes refer to a public university as having a museum-
          | like security posture. They have to be open to the general
          | public, have to allow in visitors, yet guard things at the same
          | time. It's not at all like strict corporate IT security. It's a
          | fine line to walk. If you've never done this sort of security
          | work before, it can seem odd and foreign for a while.
        
       | Giorgi wrote:
        | There is no way those 450k are not being traced right now like
        | hell, most likely it was allowed just because investigation said
        | so, it's a matter of time now
        
       | paulpauper wrote:
       | This shows how bug bounties are pitifully small and inadequate.
       | Stop thinking that a $10k reward will prevent hackers. Either
       | pay-up for sec experts or be prepared to pay-up through extortion
       | or having your site exploited, and it will cost way more than
       | 10k.
        
         | tlogan wrote:
         | I do not know anything about bug bounties but I do know that
         | selling backup solutions is super super hard.
        
         | jacquesm wrote:
          | Actually, this level of payment is roughly optimum value
          | extraction by the parasites at a level that _still_ makes the
          | company feel like they did the right thing by skimping on their
          | security. Because if the chance of incidence * damage < the
          | cost of mitigation then they'll be more than happy to let it
          | happen again.
         | 
         | 500K once every 20 years or less beats 50K annually handsomely.
         | Never mind the fact that once you lose control of your data you
         | can never be sure you got that control back, that's somebody
         | else's problem.
         | 
         | People are not very good at threat modeling, estimating chances
         | of things happening to them and estimating the damage resulting
         | from an incident. We collectively are not good at ensuring that
         | the companies where these things happen get dealt with
         | properly.
        
           | csomar wrote:
           | These kind of hacks were not possible before Bitcoin and the
           | trend clearly just started. I don't think it'll be one hack
           | every 20 years if they don't fix their security.
        
             | Nasrudith wrote:
              | To be pedantic technically they were before and likely
              | easier (unless they didn't have their records computerized
              | but universities were early adopters there) but there
              | wasn't much of a point in doing so. Grade tampering would
              | be far more likely.
             | 
             | The black hat hacker "ecosystem" has also professionalized
             | from doing it for kicks to doing it for the dough.
        
             | jacquesm wrote:
             | Fair point, the frequency will probably go up. Also, they
             | are now on the records as being (a) not capable of keeping
             | their stuff secure and (b) willing and able to pay up which
             | is blood in the water for the sharks.
        
             | LunaSea wrote:
             | Aren't scammers using Apple gift cards?
             | 
             | Bitcoin isn't the issue here.
             | 
                | When you have the pressure on the target, you can make
                | them pay in whatever currency you'd like and there will
                | always be one.
        
               | csomar wrote:
               | It's much harder to launder $100mn with gift cards.
               | That's easy with Bitcoin.
        
         | xwdv wrote:
         | No. Because even a sec expert can't guarantee there won't be
         | some kind of breach. And then what? Pay an expert AND get
         | ransomed?
         | 
         | Better to throw it to a free market and let people find bugs
         | for peanuts.
        
         | ausjke wrote:
          | so much ransomware locking down governments and companies these
          | days, it's impossible to be 100% secure over internet 24x7, but
          | how about a decent backup scheme, so that if someone locks down
          | the data, you can get back online without decrypting it? it
          | seems to me, as long as you have daily incremental backup in
          | place, you should have no fear about this ransomware?
        
           | bpfrh wrote:
            | In this case, they had a backup and restored from that.
            | 
            | The attackers also only encrypted about 0.02% of the systems,
            | but the university paid because the attackers threatened to
            | make the stolen data public.
        
         | beamatronic wrote:
         | Or have a bulletproof recovery plan
        
           | edoceo wrote:
           | Disk clones to the rescue!
        
           | iNate2000 wrote:
           | They said[1] that they paid to avoid the information release.
           | A backup won't help with that threat.
           | 
           | [1] https://attheu.utah.edu/facultystaff/university-of-utah-
           | upda...
        
             | [deleted]
        
         | paxys wrote:
         | Actually it's the exact opposite. Bug bounty programs have
         | constantly proven to be among the most effective ways of
         | increasing a company's security, no matter how "pitiful" the
          | payouts are. The overwhelming majority of people, when they
          | find an exploit, are going to do the right thing and report
          | it, not sell it to the highest bidder. Increasing the bounties
         | isn't really going to help, considering there's always going to
         | be a hacker group or government entity willing to pay more.
         | 
         | Of course the programs aren't going to be a replacement for
         | real product security teams, but they were never meant to be.
        
           | ohazi wrote:
           | This seems like the market for risk at work. Just as in drug
           | trafficking, more money tends to go to parties that take on
           | more risk. In this case, that's the criminals doing the
           | extorting. So unless the security researcher wants to engage
           | in illegal activity themselves, they probably aren't going to
           | get anywhere close to the extortion dollar amount by just
           | selling their exploit to criminals. At best they'll probably
           | get something close to a large bug bounty, or maybe a few
           | times that.
           | 
           | When setting bug bounty payouts, the company should be
           | looking at what security researchers are likely to get when
           | selling an exploit to criminals, not the actual extortion
           | dollar amount (assuming that most security researchers are
           | not willing to personally engage in illegal activity
           | themselves, which appears to be the case).
           | 
           | However, when evaluating the _value_ that a bug bounty
           | program brings to the company, they should absolutely
           | consider these typical extortion amounts.
        
             | nordsieck wrote:
             | > This seems like the market for risk at work. Just as in
             | drug trafficking, more money tends to go to parties that
             | take on more risk. In this case, that's the criminals doing
             | the extorting. So unless the security researcher wants to
             | engage in illegal activity themselves, they probably aren't
             | going to get anywhere close to the extortion dollar amount
             | by just selling their exploit to criminals. At best they'll
             | probably get something close to a large bug bounty, or
             | maybe a few times that.
             | 
             | This doesn't strike me as a very accurate assessment of the
             | situation. There are already markets where people can buy
             | and sell exploits: researchers don't have to get their
             | hands dirty to get paid for their exploits.
        
               | ohazi wrote:
               | You've missed my point.
               | 
               | I'm saying that the market value of _actually performing
               | an illegal act of extortion_ is higher than the market
               | value of a zero-day, either on one of these markets or
               | via bug bounty.
               | 
               | I'm arguing that the price is different because of the
               | risk of getting caught and going to jail, not that there
               | isn't a market for security researchers to sell exploits
               | to criminals without otherwise getting their hands dirty.
        
           | pitaa wrote:
           | Plus, by having a bug bounty program, it indicates that
           | they're going to be reasonable and accepting of outside bug
           | reports. In the absence of such a program, one can't be sure
           | that a bug report isn't going to result in angry phone calls
           | from tech-illiterate people accusing you of hacking them.
           | 
           | I recently found a compromised server on a university's
           | network. I wasn't going to cold call them to report it
           | because I had no idea how Betty answering the phones would
           | react. Instead, I sent it to an IT contact that I knew
           | personally. I knew that he didn't have anything at all to do
           | with this, but that he would know who to get it to.
        
           | ponker wrote:
           | But if the bounties are 20x as high then surely it will draw
           | more whitehats to the market. A security engineer who is
           | working at Netflix or Visa making over $200k or whatever will
           | not work late nights for a $10k bounty but he might for a
           | $500k bounty.
        
             | paxys wrote:
             | Companies like Google and Facebook have paid up to $50K for
              | single bug reports. Ultimately the problem is that
              | regardless of the effort you put in, your earnings are
              | likely going to be $0, due to the sheer amount of
              | randomization and luck involved, which makes it unlikely
              | that anyone will leave their full time job for it.
        
               | ponker wrote:
               | I don't think anyone will quit their job for it but it
               | will influence the decision of "play flight simulator or
               | hack on targets"
        
               | simonh wrote:
               | In theory yes, but there's going to be serious
               | diminishing returns. At what point does doubling the
               | reward no longer double the number of person hours you're
               | incentivising to work on the problem? At what point does
               | doubling it increase the effort expended by less than
                | 10%? Compared to spending that money on your own research
                | teams, where the cost/effort you're buying is likely to be
                | much closer to linear.
        
           | Veserv wrote:
           | Actually you are both right. Bug bounty programs are
           | extremely effective because they find serious vulnerabilities
           | for vastly less than the damages you would expect if they
           | were exploited. However, the fact that the bug bounties are
           | so low indicates that the prevailing security is atrocious.
           | 
           | To explain, generally speaking a bug bounty is going to be the
           | smaller of:
           | 
           | 1. Cost of Discovery, since that is the amount someone would
           | be willing to find bugs at; otherwise they are losing money on
           | each bounty they get.
           | 
           | 2. Cost of Damage (risk-adjusted) since that is the most a
           | company would be willing to pay.
           | 
           | The reason for this is that as long as the Cost of Discovery
           | is lower than the Cost of Damage (up to ROI), it is
           | reasonable to keep paying the Cost of Discovery since you are
           | paying less than the risk-adjusted harm. But, there is also
           | no point paying significantly more than the Cost of Discovery
           | as long as people keep reporting problems as fast as you can
           | fix them since there is no real reason to pay to get more
           | problems than you can fix. So, to first order the bug bounty
           | for a certain type of problem reflects the cost of discovery
           | of that type of problem.
           | 
           | Circling back to the original point, we see problems that can
           | cause millions in damages getting bug bounties on the order
           | of $10K. This means that, to first order, million dollar
           | attacks only cost $10K to execute which results in a crazy
           | high ROI in the 100s. With an ROI in the 100s, it should be
           | no wonder that such attacks have been increasing in frequency
           | given their sheer profitability. The fact that bounties are
           | so low for such critical problems is a major indictment on
           | the prevailing level of security in the industry.
        
             | giancarlostoro wrote:
             | > 1. Cost of Discovery since that is the amount someone
             | would be willing to find bugs at otherwise they are losing
             | money on each bounty they get.
             | 
             | This is probably the biggest issue in terms of incentives
             | to a researcher. You're either finding the bug by accident
             | or out of curiosity, or you stop short of basically losing
             | money you would otherwise earn doing a paid audit.
        
         | gkoberger wrote:
         | Is this the right way to look at it?
         | 
         | That's like saying CVS security guards are pitifully small and
         | inadequate. Yeah, you're right, they aren't going to stop a
         | proper robbery... but stealing is illegal and shouldn't be
         | happening either way. Same for hacking.
        
           | kiba wrote:
           | They have security guards?
        
             | edoceo wrote:
             | Many stores do, not just CVS.
        
             | a_t48 wrote:
             | Yeah - come to downtown SF and see. :)
        
               | umvi wrote:
               | Is this because of prop 47?
        
           | samatman wrote:
           | If CVS security guards had to guard against every burglar in
           | the world, including ones who would just as happily go after
           | bank vaults, then the situation would be comparable, yes.
           | 
           | If, that is, the burglars could automatically try and burgle
           | every commercial establishment and home in existence,
           | succeeding, with zero effort expended, if the security guards
           | in question were insufficiently vigilant.
        
         | nippoo wrote:
         | As an idea: crowdsourced bug bounties. If software companies
         | aren't willing to offer sensible incentives, corporations (who
         | often have far more money at stake) should fill in the gaps. If
         | someone built a platform to allow e-commerce/finance/other web
         | companies to (collectively) fund a $500,000 bug bounty for an
         | exploitable bug in an SSL library/Linux/Android/STM32/whatever
         | project they rely on for security, it might encourage many more
         | white hat hackers to pen-test the platform...
        
       | leephillips wrote:
       | What if it were a federal criminal offense to pay ransom? With
       | long prison sentences for any individual convicted of
       | participating in or having knowledge of a payoff? And the
       | government was serious about tracking down and prosecuting anyone
       | who did so? Nobody would pay ransom, and, at least in countries
       | with such a law, these extortion gangs would stop bothering.
        
         | colinmhayes wrote:
         | Then they just wouldn't admit to being attacked. Companies
         | would still pay ransoms, but we wouldn't know about it.
        
           | gruez wrote:
           | I mean that's like saying "banning insider trading/securities
           | fraud won't work, because people will still do it". Yeah,
           | they might, but I find it hard to believe that an executive
           | is loyal to their company to the extent that they'll risk
             | years of jail time for it.
        
             | eternalban wrote:
             | Trading is a public act. Cooking the books to hide a
             | payment by some random corp is orders of magnitude more
             | obscure than trading in securities.
        
         | teachrdan wrote:
         | If the ransomers are terrorists, then it is a crime to pay
         | them. This has been a challenge when Americans are kidnapped
           | overseas and their families want to pay the ransom but are
         | warned that doing so is illegal.
        
           | kmonsen wrote:
           | There are fairly easy ways to get around this. Everyone says
           | they never pay ransoms, but they mostly do. It is not a
           | ransom, but you hire some cousin to do a non-existent project
           | etc. These things happen in parts of the world where
           | transparency is not a top priority.
        
             | ryandrake wrote:
             | How does this fool even a semi-competent lawman? "Oh,
             | officer, I never bought drugs. That's totally illegal. I
             | just left money in a box that my cousin picked up, and a
             | few days later the drugs just appeared there. Totally not,
             | myself buying drugs, though!"
        
               | renewiltord wrote:
               | Because for drugs, the semi-competent lawman goes after
               | you. If it's for my child's life, there's no point going
               | after me. I'd go to prison for life for that. You can't
               | apply prison as a deterrent, you can't use it to prevent
               | me from harming others, and honestly, you can relate to
               | me.
        
       | iandev wrote:
       | > "The university's cyber insurance policy paid part of the
       | ransom, and the university covered the remainder. No tuition,
       | grant, donation, state or taxpayer funds were used to pay the
       | ransom"
       | 
       | I was looking to dunk on them but it seems that what they did
       | wasn't entirely unreasonable. The article further states that
       | they paid to protect student data.
        
         | Lionga wrote:
         | Where did the money come from if not from "tuition, grant,
         | donation, state or taxpayer funds"? And if they have another
         | source of funding, this still means the money is missing to
         | fund things in the future that now they have to use "tuition,
         | grant, donation, state or taxpayer funds" for.
         | 
         | They also send a clear message that ransomware blackmail is a
         | great business model. I think that is more than enough reason
         | to dunk on them.
        
           | pc86 wrote:
           | No you don't understand, they didn't use _that_ money, they
           | used _different_ money! Never mind that money is fungible.
           | 
           | Unless they set money in the budget every year for
           | "Ransomware Insurance Shortfall" this is 100% "tuition,
           | grant, donation, state or taxpayer funds" at some point in
           | the chain.
        
             | sgeorge96 wrote:
             | It was partly covered by insurance.
        
               | lotsofpulp wrote:
               | Which came from insurance premiums paid by the
               | university.
        
               | abluecloud wrote:
               | which was paid for with tuition, grant, donation, state
               | or taxpayer funds
        
               | mywittyname wrote:
               | Which will continue to pay for the now-increased ongoing
               | premiums.
        
               | edoceo wrote:
               | Turtles
        
               | pc86 wrote:
               | We're talking about the part that wasn't.
        
               | scarmig wrote:
               | Even the insurance policy that distributed the payout was
               | ultimately paid for with those funds.
        
               | colinmhayes wrote:
               | Sunk cost
        
               | candiodari wrote:
               | Plus obviously insurance simply means they're using
               | tuition money to pay for ransoms, but all the time, not
               | just when they're threatened.
        
               | jessaustin wrote:
               | If they're spending it all the time anyway, why shouldn't
               | the payment have been made?
        
           | freeopinion wrote:
           | Utah's higher education system has what I think is a very
           | stupid tuition hierarchy. It seems that tuition is set by the
           | state legislature and cannot be modified by the individual
           | school. But schools can set other fees. So they have this
           | concept of "differential tuition". That is some arbitrary
           | amount that they choose to charge for a particular class that
           | is the difference between what tuition would be if they could
           | control it and the amount mandated by the legislature.
           | 
           | You may have paid all your tuition and still owe the
           | university tuition. Got a tuition scholarship from the
           | university? Better check the fine print. Full-tuition or
           | half-tuition doesn't necessarily mean what you think it
           | means. It might only cover one of the definitions of tuition.
           | Each class can have multiple tuitions of arbitrary amounts
           | and you have to pay them all; your scholarship does not have
           | to cover them all.
           | 
           | Oh, and it is impossible to know how much to budget for a
           | 15-credit hour semester unless you provide a specific list of
           | classes taken.
           | 
           | So, "didn't come from tuition" is an ambiguous statement from
           | a Utah school.
        
           | afrcnc wrote:
           | From football game ticket sales... duuuh
        
             | bagacrap wrote:
             | school store textbook sales
        
         | [deleted]
        
         | zucker42 wrote:
         | I think I'd agree with the end of the article. If the only
         | reason you're paying them is to prevent a data leak, what's to
         | stop them from accepting the ransom and still leaking the data?
        
           | gowld wrote:
           | Hacker has a reputation to maintain.
        
             | zucker42 wrote:
             | Except there's not even any claim or confirmation about
             | which group performed the attack, though one is suspected
             | according to the article.
        
             | Nasrudith wrote:
             | What is to stop them from acting like a blackmailer and
             | going back for more later? Technically all they need is for
             | giving money to "help" short term to maintain their
             | "reputation". It is a danegelt situation.
        
       | frakt0x90 wrote:
       | I have to say I think ransomware is one of the most interesting
       | "business" practices. The trustworthiness of the criminals is
       | huge because if they have a track record of providing the
       | decryption key, you may as well pay.
       | 
       | In a logical extreme you could start adding features like "Give
       | us the info of people you know and for every one we successfully
       | extract a ransom from we'll give you 10% off your ransom."
       | 
       | It's interesting to think about at least.
        
         | ManBlanket wrote:
         | You could look at it as an unsolicited security audit of your
         | system and the ransom as a contractor's fee for a job well
         | done.
        
         | jjeaff wrote:
         | I think one of the only ways to stop ransomware would be to
         | setup a team distributing the ransomware, extracting fees from
         | the victims and then -not- providing the keys. A few high
         | profile cases of this should be enough to destroy confidence
         | that paying a random will work.
        
           | markkanof wrote:
           | Couldn't you also just plant some "shills" who claim that
           | this happened to them and they lost all their data?
        
           | russellendicott wrote:
           | This is brilliant. Destroy the credibility of the criminals.
        
             | jacquesm wrote:
             | By becoming a criminal yourself? The cure seems to be much
             | worse than the disease.
        
             | pests wrote:
             | And a bunch of people's data.
        
           | vkou wrote:
           | The ransomware guys will wise up, and use different keys to
           | encrypt different parts of your database. They'll then
           | request some fraction of the payment, in exchange for
           | decrypting part of your DB, as proof that they do have keys.
        
         | HanayamaTriplet wrote:
         | There was a story published by ProPublica[1] reporting on this
         | sort of progression from the side of people negotiating to pay
         | the ransoms. Here's a small excerpt, but I think the whole
         | thing is worth a read:
         | 
         |   Storfer learned quickly never to use the term "hacking."
         |   Instead, he would assume his correspondent "thinks they're a
         |   businessman," Storfer said. "I'd say: 'Look, we can't afford
         |   this [ransom] at this time. Do you mind providing your
         |   product [recovery key] at a lower rate?' And it worked," he
         |   said. "They're doing a job where everyone hates them, so
         |   feeling like they were respected made them work with us. I
         |   like to think empathy goes a long way." The rapport
         |   sometimes reaped discounts. "We were able to get a $5,000
         |   ransom lessened to $3,000 because they knew we could deliver
         |   it exactly when we said we were going to get it to them,"
         |   Storfer said.
         | 
         | [1]: https://features.propublica.org/ransomware/ransomware-
         | attack...
        
           | gowld wrote:
           | Reads like someone bragging about being incompetent. I'm sure
           | the foreign language native attackers who call themselves
           | "Evil Corp" would respond to "non-business" negotiations as
           | well. They don't want your data deleted, they want money.
        
           | chillacy wrote:
           | Reminds me of some of the stories in Never Split The
           | Difference, where the author was a hostage negotiator for the
           | FBI who would reduce ransoms (on human hostages) from
           | millions to in one case, a few thousand. He relayed a similar
           | reasoning, at the end of the day they want to get paid and a
           | dead person is worth $0 (and potentially the swat team coming
           | in).
        
         | gowld wrote:
         | I don't think many admins would respond to a security breach by
         | taking bribes to break more laws. But maybe they would, and
         | help us clear out these incompetents.
        
         | e40 wrote:
         | Or even insiders helping ransom businesses infect a company
         | with money. Seems unlikely, but not impossible, especially if
         | the ransomware folks can find and make a significant offer to
         | the insider.
         | 
         | I would think the biggest impediment to insiders doing this
         | would be how to successfully hide and use the money, if it was
         | a lot.
        
         | _Nat_ wrote:
         | If that became a big business model, then we might start
         | getting meta-criminals:
         | 
         | 1. They infect a major institution with ransomware.
         | 
         | 2. They demand, and successfully receive, a major ransom.
         | 
         | 3. They DON'T immediately release the key, despite the ransom
         | being paid. Instead, they issue an open demand for ransoms to
         | be paid to a random Bitcoin address from other major ransomware
         | groups.
         | 
         | 4. The meta-ransomers only release the key to the original
         | victim if they receive sufficient ransoms from other ransomers.
         | 
         | The meta-criminals would essentially be ransoming the
         | credibility of ransomers. If the ransomers don't pay up, then
         | the meta-ransomers will chip away at their credibility.
        
           | jtsiskin wrote:
           | This doesn't work because a ransomware group could just sign
           | their message. I wouldn't be surprised if they do already
        
           | to11mtm wrote:
           | That doesn't sound like it would work amazingly well.
           | 
           | First thought is that the 'meta-ransomers' would probably
           | only get one or two shots at such an action working before
           | the major groups make some sort of statement (and even
           | perhaps provide some sort of way to 'authenticate' that an
           | attack is from one of the more 'trustworthy' ransomware
           | groups.)
           | 
           | Second thought is that it would have to be a gutsy group of
           | rogue actors or group of rogue actors. A lot of these
           | underground folks still know each other one way or another
           | and this would probably be considered a big 'f--- you' to the
           | rest of the community. Bridges would be burned, unspoken
           | agreements in the sphere may be violated. You could even see
           | the ransomers quickly turn their efforts to exposing the
           | meta-ransomers.
           | 
           | On the other hand, it could become an 'arms race' as the meta
           | and non-meta ransomers start trying to shut each other's
           | ransomware down
        
           | jacquesm wrote:
           | You've got a partner now.
        
         | vmception wrote:
         | Wish one of these was publicly traded onchain. We almost have
         | the level of privacy necessary to own the shares anonymously
         | and distribute profits adequately too.
         | 
         | I think you could do it by issuing the shares as a zkAsset
         | using AZTEC, and any ransom paid in btc could be transposed to
         | renBTC on Ethereum, deposited into zkSYNC and distributed to
         | all shareholders proportionately in the zkSYNC, that
         | distribution transaction wouldn't be recorded onchain (although
         | maybe zkSYNC has some ability to monitor transactions) and
         | shareholders can withdraw their dividend at their own will.
         | 
         | But otherwise they can just convert the BTC to XMR first, and
         | reintegrate that however they want.
        
       | api wrote:
       | They paid 457k for not having backups.
        
         | lern_too_spel wrote:
         | They had backups. They paid $457k for a pinky promise not to
         | release private data.
        
           | dmd wrote:
           | To be fair, it's a pinky promise where the attackers know
           | that if they _ever_ break one of these promises, nobody will
           | _ever_ pay them a dime again.
        
             | lern_too_spel wrote:
             | They can make it a monthly subscription to get recurring
             | revenue.
        
               | lotsofpulp wrote:
               | RaaS.
        
             | notahacker wrote:
             | tbh that's not necessarily the case since the attackers are
             | anonymous. It's just they don't actually have much
             | incentive to release the records once they've collected
             | their blackmail money.
        
             | c22 wrote:
             | They can just change their name next time.
        
             | frank2 wrote:
             | It is not its own reputation that this particular attacker
             | is able to defend, it is the reputation of _anonymous_
             | attackers in general, which depends mostly on how other
             | attackers behave, not how this particular attacker behaves.
             | 
             | So the incentive to keep its promise is only weak.
        
           | ttymck wrote:
           | So, we can only assume that, if we follow the money far
           | enough, we would almost surely find this "gang" is connected
           | to one or more administrators at the institution.
        
           | panpanna wrote:
           | Oh wonderful.
           | 
           | Now we will see more of these types of attacks.
        
       | gowld wrote:
       | The data was leaked. They didn't "pay ransom to stop leaks".
        
       | bluecalm wrote:
       | At this point the government agency should perform some of those
       | attacks, extort the money, make it public and then delete the
       | data so the victim is out of data and the money.
       | 
       | Paying ransoms is terrible for the world. We will have more
       | attacks on more targets. There needs to be heavy incentive to not
       | pay.
        
         | renewiltord wrote:
         | ^ things that will get you instantly unelected
        
           | folmar wrote:
           | No one was up to admitting it happened in the first place.
        
       | caddie wrote:
       | Why would a university have so much cash laying around? Oh yeah,
       | it's in the business of making money with a side effect of MAYBE
       | educating people. SO DAMN WRONG. Time to hit the RESET button in
       | the higher education system in USA.
        
         | trillic wrote:
         | U of Utah has an operating budget of nearly $5 Billion so
         | having a couple hundred grand in cash isn't exactly a lot.
        
         | apta wrote:
         | Aren't public universities much cheaper than private ones?
        
           | werber wrote:
           | For the most part, that's true for in state tuition but the
           | costs go up if you're out of state or international to the point
           | they can rival many private institutions.
        
         | ocdtrekkie wrote:
         | The article states the ransom was paid by an insurance
         | provider. Cyber insurance is actually not uncommon these days,
         | and is presumably a normal part of their annual budget.
        
           | pc86 wrote:
           | Part, not all. They did have to pay a portion.
        
           | jaclaz wrote:
           | Yes, I often wonder about two things:
           | 
           | 1) How much is the actual insurance rate for such a
           | guarantee?
           | 
           | 2) Which kinds of checks the insurance provider makes on the
           | security of the setup, I mean in a much more common car theft
           | case the insurance provider requires that the user has not
           | left the keys in the car and that the car was locked
           | (evidently balancing the risk against the "normal" provisions
           | the car manufacturer has implemented and on "correct standard
           | procedures" by the final user).
        
             | eli wrote:
             | Both questions are related and the answer is "it really
             | depends." Small business cyber insurance can be a few
             | thousand dollars a year. I'm sure you can get a better rate
             | (and at some scale it probably becomes almost required) to
             | have pen tests and third-party audits and formal
             | certifications.
        
               | jaclaz wrote:
               | Thanks, I know that "it depends", but a few thousand a
               | year is just a (vague) number, and how small the small
               | business is remains to be agreed upon. Also, very
               | likely, small businesses are "easy wins" for insurance
               | companies, not because they have better security, but
               | rather because they are very unlikely targets.
               | 
               | I wondered about what would be rates (order of magnitude)
               | and on what they would be calculated.
               | 
               | To give you an example, AFAIK if you were to get
               | insurance, so called "Contractors All Risk" for a
               | building project, you could expect anything between 0.7
               | and 1.5 % of the value of the project, on average around
               | 1.1-1.2 % over the usual 5-6 years of duration, with the
               | lower end about (relatively) low risk projects (roads
               | without particularly complex constructions and normal
               | houses) and the higher end on (relatively) high risk ones
               | (roads with bridges, tunnels, skyscrapers).
               | 
               | These can be negotiated a bit, based on experience on
               | past projects, internal safety and quality assurance
               | procedures, but the order of magnitude remains in that
               | range, but in case of an accident/claim, not entirely
               | unlike the car theft example, but much more complex, you
               | need to prove that you followed all safety and employment
               | regulations, respected building codes, that machinery was
               | efficient, etc.
               | 
               | In the case of IT, rates for a given firm/institution
               | would depend on the invoicing or on the amount of
               | personal data?
               | 
               | I mean, you can make 1,000,000 US$/year with 10,000
               | customers (personal data) at 100 US$ each/year or with 50
               | customers at 20,000 US$ each/year.
               | 
               | And what kind of "good practice" would you need to prove
               | (if any)?
        
               | eli wrote:
               | I'm sure it depends on revenue, the amount of personal
               | data, and the nature of the business. I don't know how
               | the rates are calculated but I've helped fill out the
               | paperwork on a few applications and it's not dissimilar
               | to what you might have to go through to become an
               | approved technology partner with a Fortune 100 company.
               | Do you have a disaster recovery policy? If so, when was
               | it last tested? Do you get pen tests? What was the result
               | of the last one? Are there any open items? Describe the
               | technical access controls around customer data. Describe
               | the physical security measures in place around your
               | servers and IT infrastructure.
               | 
               | Keep in mind that you don't need to necessarily "prove"
               | things that can be checked later. The insurance company
               | is happy to take your word that there's no PCI card data
               | on your network and cash your premiums. If there is and
               | it gets stolen in a hack they simply won't pay out.
        
         | colejohnson66 wrote:
         | While I agree with you, is half a million dollars really that
         | much money for a university to have? Not to mention that U of U
         | is _not_ private; they're publicly funded by the state.
        
         | marcinzm wrote:
         | Like any entity that wishes to not fail miserably at the next
         | recession universities have cash reserves and investments. It'd
         | be rather stupid of them not to since their income can be
         | impacted by outside events ( _cough_ covid _cough_ ) and they
         | wish to survive long term (more so than corporations). To that
         | same effect donations go into an endowment which allows for
         | stable long term income to be generated.
        
       ___________________________________________________________________
       (page generated 2020-08-21 23:00 UTC)