[HN Gopher] 80% of orgs that paid the ransom were hit again
___________________________________________________________________
80% of orgs that paid the ransom were hit again
Author : prostoalex
Score : 516 points
Date : 2021-06-18 17:17 UTC (5 hours ago)
(HTM) web link (venturebeat.com)
| ghostly_s wrote:
| Why would you expect otherwise?
| toxik wrote:
| Ransomware is actually a net benefit. They force information
| security into the business agenda in a way that we haven't really
| been able to accomplish before. You can now quantify the cost of
| getting pwned. It's a bit like the immune system needing
| pathogens every once in a while.
| kristopolous wrote:
| What percent that didn't though? Basic controls here...
| RalfWausE wrote:
| Solution: Don't pay the ransom, instead offer a bounty 'Wanted
| dead or alive (preferred dead of course, if it can be made to
| look like an accident)'
| cronix wrote:
| Does it really surprise anyone that criminals would (re)target a
| place that paid out quickly and made their "jobs" easier? The aim
| is to get paid as quickly as possible with the least complexity
| and move on to the next target, is it not? If you're a freelancer
| and you have 10 clients and 8 always pay within 14 days of
| invoice and the other 2 let it drag on 90+ days and having to
| send out "reminder" letters, who do you favor doing business
| with?
| yelling_cat wrote:
| According to a study by Cybereason, which sells endpoint
| protection software.
| robocat wrote:
| One has to wonder if Cybereason measured the 80% figure from
| their own clients - endpoint protection is the lowest form of
| security.
|
| Alternatively, Cybereason are probably in a really good
| position to snarf passwords and then parallel construct an
| attack from a third party who gives a few major individual
| shareholders a kickback.
|
| Does endpoint security even work?
| surround wrote:
| What percentage of orgs that _didn't_ pay the ransom were hit
| again?
| acheron wrote:
| Once you pay 'em the Danegeld
|
| You'll never be rid of the Dane
| sharken wrote:
| I don't see why you have to pick on the Danes :)
|
| But the similarities are there, although the people behind
| the ransomware attacks are probably not vikings.
| coldcode wrote:
| The ancestors of the Russians were themselves Vikings. Their
| kingdom of Rus is where the name came from.
| hprotagonist wrote:
| https://www.poetryloverspage.com/poets/kipling/dane_geld.htm.
| ..
|
| https://en.wikipedia.org/wiki/Danegeld
| afrcnc wrote:
| Please never take these security surveys seriously.
|
| Most are created by companies looking for media coverage and are
| just made up.
| admax88q wrote:
| Meaningless stat without a baseline to compare against. How many
| who didn't pay were hit again?
| jessaustin wrote:
| If the attacker isn't paid for the first attack, why would she
| attack again? She's not doing it for the lulz!
|
| I do agree with you that there should be more visibility for
| the "silent majority" of firms who operate their businesses
| responsibly, and therefore don't ever need to pay ransom.
| kristopolous wrote:
| That's not for us to intellectually deduce, give the numbers.
| They have it. Is it 79%? 99? 1?
|
| Maybe it's all automated shotgun based attacks and they don't
| close the holes and so the act of paying the ransom is
| statistically meaningless
|
| This is shoddy journalism. Might as well just say "X%". It
| implies you shouldn't pay lest you fall victim again but they
| don't actually say that.
|
| Things that implicate what they refuse to say is kind of
| suspect
| jessaustin wrote:
| The "journalism" has been shoddy from the start. This
| entire "Russians are pwning the electric company" meme has
| always been motivated more by politics, CYA, PR, and
| marketing than it has by anything real. TFA itself is a
| mail-it-in, paraphrase-the-press-release "effort". They
| actually link to the press release rather than the original
| marketing document; it's possible TFA's authors haven't
| read the latter! There's no guarantee the marketing
| document answers your question, but if you have an email
| address you don't mind getting spammed you could find out
| for yourself. [0] I don't have such an email address.
|
| [0] https://www.cybereason.com/ebook-ransomware-the-true-
| cost-to...
| TameAntelope wrote:
| The whole point of gathering statistics is that making up
| logic for what could be the case is generally a massive waste
| of time.
| Trias11 wrote:
| Because second attacker might not be briefed by the first
| one.
| Covzire wrote:
| If they actually have proper backups to avoid paying the
| first one, my guess is they are much more likely to also
| have the skills to prevent a second breach.
| Trias11 wrote:
| I agree on backups and actually working and robust
| restore system.
|
| Cheapest way to avoid paying ransoms.
|
| You can never be sure about 100% hacker safe but
| backup/restore system can be life saver
| 8note wrote:
| And also due to the attacks being cheap to run
| arnvald wrote:
| If the victim doesn't pay the first time, they suffer
| consequences and next time might decide to pay instead.
| jessaustin wrote:
| ISTM we only hear about the tiny minority of "victims" who
| do "suffer consequences". Most organizations who get
| ransomed just shut off a bunch of unnecessary stuff, re-
| provision the necessary stuff with passwords turned off,
| restore from backup, and hire some security consultants.
| Tade0 wrote:
| I'm sorry but I have to ask: why assume the attacker is
| female?
| jessaustin wrote:
| "Mallory" is commonly understood to be a woman's name. Come
| to think of it, so is "Trudy".
|
| It's interesting to see the various reactions to a
| perfectly innocent idiom.
|
| https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_charact
| e...
| dang wrote:
| I understand how this sort of off-topic snag can feel
| provocative, but please don't copy it into the thread where
| it can turn into an entire flamewar. There's nothing new in
| any of this at this point, and therefore nothing
| interesting. When there's nothing interesting, discussions
| turn nasty. Solution: focus on the interesting specific
| information and diffs in a post, and ignore the provocative
| bits.
|
| https://news.ycombinator.com/newsguidelines.html
| leesalminen wrote:
| It seems like "they're" would've been a better choice
| there, as there are a plurality of attackers in the world.
| tacostakohashi wrote:
| Why not? Why assume that they are male?
| AnimalMuppet wrote:
| Statistically it seems the safer bet that they are male.
| jmcgough wrote:
| Probably trying to diversify pronoun usage. Would we be
| pointing this out if they said 'he'?
| flatline wrote:
| No, because for better or worse "he" is the default for a
| plurality or unknown gender in most (all?) romance
| languages, including English. Times and sensitivities
| change but "she" still connotes more knowledge than "he"
| so it's bound to cause some confusion.
| acomar wrote:
| what was true centuries ago is no longer true. "he" is
| not gender neutral in English, in any sense of the term.
| it's only used as such in historical writing - languages
| evolve over time. "she" connotes as much knowledge as
| "he".
| wackro wrote:
| Language changes over time, yes, but also over space.
| Something other than 'he' might be default where you are,
| but not where I am.
| gotoeleven wrote:
| English up until recently used male pronouns by default for
| everything but we have learned recently, thanks to our
| heroic Gender Studiers, that this actually perpetuates
| systemic sexist patriarchy. So the solution is to randomly
| use male or female pronouns, making language unclear and
| confusing--which helps fight the patriarchy.
| wrycoder wrote:
| To preempt criticism.
| jalgos_eminator wrote:
| The first time I saw this (using female pronouns for an
| unidentified person instead of "him/her" or "they") was in
| RMS's writings. So instead of using the indefinite/singular
| they, RMS would just say she/her. I thought it was an
| interesting way to hack language to break assumptions we
| have about gender, especially in technology.
| insickness wrote:
| It's likely the reinfection rate is high in both cases since
| it's so difficult to ensure every possible back door has been
| closed.
| spywaregorilla wrote:
| The most important line:
|
| > 80% of organizations that paid the ransom were hit by a second
| attack, and almost half were hit by the same threat group.
|
| The same group!
| sslayer wrote:
| It makes you think about how many of those are inside jobs
| and/or compromised employees. In the case of colonial, it would
| seem highly likely given it was a credential compromise, but
| then again secure passwords are a known weakness
| tyingq wrote:
| Makes sense to me. From what I've read, it's pretty clear the
| ransom payment is for a one-time ability to get your data back.
| It's not advertised as some sort of permanent opt-out.
| hiccuphippo wrote:
| It's right there in the small print. These companies sure
| know about that.
| denton-scratch wrote:
| I think it is, actually. Well, not advertised; but these big
| ransoms, they can be negotiated. And one of the victim
| company's requirements will be that if I pay, then you agree
| to leave me alone.
|
| I think these negotiations are fine, if you're just buying
| time to gather your backups; I've assumed the payouts were
| made by insurance companies, so go ahead - buy a zero-value
| promise from a gang of crooks, if you want.
|
| But your org has been rooted (at best, you can't prove it
| hasn't). Compromised systems can't really be cleaned, they
| have to be reinstalled from scratch, if you want to have
| confidence in them.
|
| And an attack can be stored in data - which you're about to
| restore from backup. That's a problem I have faced, and I
| chose to ignore that threat. No choice - I didn't know how to
| address it then, and I still don't now.
|
| My half-baked opinions about ransomware are largely based on
| watching this documentary:
| https://www.bbc.co.uk/programmes/w172wx9056p6bd6
| mumblemumble wrote:
| > And one of the victim company's requirements will be that
| if I pay, then you agree to leave me alone.
|
| I'm curious how one would enforce that. From the fact that
| the ransom got paid in the first place, we can establish
| that there's no legal body that's able and willing to
| exercise any authority over the ransomware group. So it's
| not like you can sue them for breach of contract.
|
| Perhaps you can rely on the honor system? Though, given
| this is a group of professional extortionists we're talking
| about, if you choose to go that route, you may be at
| elevated risk of getting what you deserve.
| perlgeek wrote:
| It's a matter of reputation.
|
| If a ransomware group has a reputation of not actually
| delivering the unlock upon payment, or of re-infection
| shortly afterwards, the decision to pay them becomes
| harder to defend.
| mumblemumble wrote:
| A sticky problem indeed. I'm sure their sock puppet
| budgets must run into the tens of dollars.
| tyingq wrote:
| I don't know that you can even reliably identify what
| ransomware group you're dealing with. They seem to use
| similar software, wallet addresses can change, people can
| claim to be some group they aren't, etc. And they
| probably identify potential victims with similar methods
| and tools.
| Blikkentrekker wrote:
| How would the statistics then be gathered that half were
| hit by the same?
| dylan604 wrote:
| Everyone knows that once you find a loose slots machine, you
| keeping playing it.
| jessaustin wrote:
| You might come back next week, but if it just jackpotted
| it's empty right now.
| dylan604 wrote:
| That's so 1980s! Now, they update the balance on your
| Player's Card.
| abledon wrote:
| Where is the hacker's Honor... Cmon man
| mikewarot wrote:
| It went away when telling someone their system was broken
| stopped being treated a favor and started being treated as
| a crime.
|
| All the good guys shut up, and so you're left with the
| criminals who then exploit the flaws instead.
| qyi wrote:
| You sure some ransomware crooks don't provide contracts to
| their clients?
| ffhhj wrote:
| Coming soon: ransomware with subscription business model
| Scoundreller wrote:
| "Up next on 'You Won't Believe It', viruses were created by
| the antivirus industry"
| hindsightbias wrote:
| That's already a thing
|
| "SCHWIRTZ: What DarkSide does is they're a ransomware
| creator. So they create the program that is uploaded into a
| victim's computer system that locks down their data. But
| what they do is they basically contract out to these
| affiliates who are other hackers. And these are the people
| that are responsible for actually penetrating the victim's
| computer services. And what they do is operate basically on
| a subscription service. You, as an affiliate, can sign on
| to DarkSide services, in which case you get access to their
| malware, their ransomware to use for a fee that operates on
| a sliding scale depending upon the size of the ransom."
|
| https://www.npr.org/2021/06/10/1005093802/inner-workings-
| of-...
| dragonwriter wrote:
| I think they meant the ransom as a subscription service,
| not malware to franchisees as a service.
| xrd wrote:
| I up voted you for the lulz, but I'm actually unsure if
| this isn't the basic "legitimate" business model for
| everyone anyway.
| earleybird wrote:
| I'm not so unsure - that's what makes it funny
| cdstyh wrote:
| Makes more sense if the group offered a subscription model
| for decrypting files encrypted by that group. Then you
| wouldn't have to keep paying the big lump sum.
| rossdavidh wrote:
| ...and if you pay for our Premium Level Service, we'll
| secure your systems against other criminal enterprises as
| well!
| mywittyname wrote:
| What Hackers Can Learn From The Sopranos.
| vntok wrote:
| Some groups will actually tell you how they got in and
| help you patch your systems.
|
| Some groups will hack you AND also uninstall viruses
| emanating from other groups, or they will hack you and
| patch other flaws so that other malwares cannot take
| their spot. It's all game theory.
| tyingq wrote:
| A referral revenue sharing program for jaded employees
| would probably do well also.
| meowface wrote:
| Different groups have different policies. I believe some do
| actually add you to a whitelist if you pay and grant you at
| least a year or two before your immunity expires. (Maybe some
| do permanent whitelists? Not sure.)
| DaiPlusPlus wrote:
| Something something Norton Anti-Virus something.
| judge2020 wrote:
| Although I think false advertising would be the least of
| their worries if they decided to do it.
| nathias wrote:
| That group's name? The NSA.
| bostonsre wrote:
| Wonder what percentage of those that were hit had someone
| actively looking to get back in. Maybe 20% learned their lesson
| and improved their security. I wonder how many iterations of
| this will it take for most companies to learn that leaving your
| doors unlocked in a shady neighborhood/the internet is a bad
| idea.
| mysterydip wrote:
| if it were me, I'd leave webshells or other backdoors to let
| myself back in if they didn't do proper cleanup. Especially
| if they paid, I have a "known good" customer.
| vlunkr wrote:
| Unless the attackers revealed their exploit, it probably wasn't
| fixed and they just got in again the same way.
| Black101 wrote:
| I would leave a backdoor too if I was them (maybe not what they
| did)... I wonder how many paid for a 2nd and 3rd time...
| ineedasername wrote:
| I'm shocked at such unethical practices by the hackers. I
| expected better from a group of terrorists.
| snek_case wrote:
| I'm kind of reminded of the mafia and their protection
| rackets. Obviously, you never could trust criminal
| organizations. At the same time, if you're a medium-sized
| corporation or small business and they have your important
| data, and you know you could pay to get it back, what do you
| do? I can imagine they really have some people by the balls,
| metaphorically speaking. They could drive you bankrupt.
|
| I hope the authorities find a way to go after these people,
| but it's obviously got to be difficult, because they might
| well be in China or Russia. It would take some international
| cooperation that's probably impossible right now.
|
| In the meantime... Switch to Linux, have a competent offsite
| backup strategy...?
| redisman wrote:
| What would be the incentive not to? Honor among thieves?
|
| You know they're vulnerable to the attack (the hard part?) so
| why not keep doing it until they shore up their defenses.
| nhumrich wrote:
| I mean, of course! This is like classic sales book play. Your
| previous "customers" are almost always less effort to dollar
| than new prospects.
| jdsully wrote:
| "threat group" is odd phrasing, is it really the same actual
| group?
| AnimalMuppet wrote:
| Were I an evil criminal, I'd include a backdoor in the restore
| image I gave them, so that I could attack the same people
| again.
| mateuszf wrote:
| Shouldn't they improve their security?
| jcims wrote:
| Given 0-day vulnerabilities and supply chain risks, I'm going
| to take a little bit of poetic license and say it's impossible
| to stop ransomware attacks, certainly with commercially viable
| levels of investment in infosec. You can mitigate some of the
| exposure, but the level of validation required to continuously
| guarantee that those mitigations are intact and effective.
|
| So attacks will continue, the level of impact will hopefully be
| reduced along with the commensurate justifiable ransom payment.
| TwoBit wrote:
| maybe, but most ransomware attacks aren't via zero-days but
| via simpler means. Also ransomware infects a whole network
| and so part of the cause is systems that allow that.
| cronix wrote:
| About half did. From the article...
|
| > After an organization experienced a ransomware attack, the
| top 5 solutions implemented included security awareness
| training (48%), security operations (SOC) (48%), endpoint
| protection (44%), data backup and recovery (43%), and email
| scanning (41%). The least deployed solutions post-attack
| included web scanning (40%), endpoint detection and response
| (EDR) and extended detection and response (XDR) technologies
| (38%), antivirus software (38%), mobile and SMS security
| solutions (36%), and managed security services provider (MSSP)
| or managed detection and response (MDR) provider (34%). Only 3%
| of respondents said they did not make any new security
| investments after a ransomware attack.
| tfang17 wrote:
| Ransomware attacks are multi-round games.
| anikan_vader wrote:
| Looks like ransomware criminals are going for the subscription
| model.
| ozim wrote:
| Well, beating someone to death will bring you money once,
| beating someone multiple times will bring you more money.
|
| Ransom gangs are business oriented.
| chucka9 wrote:
| Why not just put the prices up?
| arthurcolle wrote:
| I wonder if there are like Russian mob investors in these
| cybercrime "startups" and they also have to make decks that
| show YoY revenue / user growth. Lmao!
| trutannus wrote:
| Well, to my understanding, fronting money in drug deals for a
| cut and interest is a common model in crime already, so I would
| say it's more likely than you think. The only difference
| between VC funding and bankrolling the mob is one is legal.
| tartoran wrote:
| Hardest part is to find subscribers, from then on the milking
| process is easy. Leaving the joke aside, does this mean that
| the systems remained unprotected after the initial ransom was
| paid or that they continued to threaten to leak sensitive data?
|
| Paying the ransom a second time would guarantee nothing.
| Neither was paying the first time either.
| ljm wrote:
| If they were caught in the first place and paid up, the
| attacker presumably learned enough about the infra to find
| another way in? Or it was social engineering.
|
| Like, is a company who runs its IT infra on Windows XP and
| pays the ransom likely to switch to the latest and greatest,
| no expenses spared, in a total and utter overhaul of all
| their systems? Or will they only try to patch the holes that
| were already revealed and gloss over the rest? Blame it on
| the intern, all that.
| Drakim wrote:
| To unsubscribe you have to talk to a sales representative and
| send in a fax.
| cronix wrote:
| Just click that innocent looking unsubscribe link at the
| bottom of the email. Case solved!
| mc32 wrote:
| I wonder if this hurts their reputation.
|
| If they earn a reputation of coming back for seconds...
|
| Two things:
|
| People fix things faster to prevent double dipping.
|
| People opt to not pay the initial ransom if they're going to be
| taken hostage again.
|
| It's a kind of tragedy of the commons where the commons are the
| potential victims.
| jnwatson wrote:
| It doesn't even have to be the same attacker. The attacker
| could just as easily sell the info to another attacker.
|
| Plus, if the original vuln used to gain access is still open,
| there's no reason why somebody else doesn't find it later.
| sdenton4 wrote:
| Which vulnerability did the attackers use to gain initial
| access? Do the attackers disclose this along with
| decrypting the data? And are you sure they didn't leave a
| sleeper Trojan behind for later?
| odshoifsdhfs wrote:
| A few months ago one chat between hackers and the company
| was leaked. The hacker actually explained how to fix the
| vulnerabilities. On mobile but it should show up in
| google (think it was posted here on hn also)
| jbverschoor wrote:
| RaaS
| abledon wrote:
| Do they have the Java SDK released yet?
| ineedasername wrote:
| They're becoming a file encryption service. No one can steal
| your files either because they will just get encrypted trash.
|
| Though I suppose those thieves could also pay for the
| encryption key, or just go directly to the "service provider"
| for a paid copy.
| fiddlerwoaroof wrote:
| "Data escrow service"
| cblconfederate wrote:
| AB testing shows 80% of the customers like it
| gentleman11 wrote:
| Their engagement is through the roof and we have the data to
| prove it
| arcticbull wrote:
| I'm looking forward to one of them going public in a country
| where ransomware is legal lol, seems like they've got really
| solid ARR.
| dheera wrote:
| How the hell do people get hit with ransomware anyway? Do they
| not have offline nightly backups of critical data?
| wrycoder wrote:
| See my post in the peer thread.
| akomtu wrote:
| Meh, it looks like the ransom businesses have customer
| retention problem if only 80% stay.
| marcosdumay wrote:
| Once the criminals start maintaining their own backups of
| victims data and helping them restore from rival attacks, they
| can successfully call themselves a mob.
|
| Somehow, that's a quite believable scenario.
| smnrchrds wrote:
| > _they can successfully call themselves a mob_
|
| Or Backblaze's evil twin.
| smarx007 wrote:
| Ablaze?
| smnrchrds wrote:
| Frontblaze
| easrng wrote:
| Freezefront
| [deleted]
| pokstad wrote:
| For a second there, I thought you were going to say they can
| call themselves a backup service.
| tshaddox wrote:
| If only there were organizations who weren't criminals at all
| and who could be paid by a company to maintain backups of the
| company's data.
| lmkg wrote:
| It's a crowded marketplace, anybody who wants to succeed in
| there needs some growth hacking. Where in this case "growth
| hacking" literally means hacking.
| Fragoel2 wrote:
| If only managers would perceive the money spent to pay such
| organizations as a necessity rather than burned cash
| tshaddox wrote:
| As ransomware attacks become more prevalent I suspect
| managers' impressions will change!
| tomrod wrote:
| https://en.wikipedia.org/wiki/History_of_firefighting#Rome
|
| Fire fighting in Rome had a similar premise.
| EGreg wrote:
| The privately owned fire brigades in NYC 100 years ago
| weren't much better. The free market at work:
|
| https://www.youtube.com/watch?v=9zoXk1vnmcg
|
| The real Bowery Boys would sometimes sabotage other
| companies' insured buildings by setting the fires.
|
| https://en.wikipedia.org/wiki/Bowery_Boys
| WalterBright wrote:
| Setting fires on other peoples' property is not "the free
| market at work".
| EGreg wrote:
| But the rest of it was. The part in the first half of my
| message and the linked video is entirely free-market.
|
| Also, please do the work to expound on your claim.
| WalterBright wrote:
| > do the work to expound on your claim
|
| A free market system requires protection of property
| rights. Arson violates property rights, and so is not
| free market.
| antris wrote:
| Free market in action.
| saltedonion wrote:
| Doesn't mean the free market doesn't work. Asking people
| to pay before putting out the fire could be seen as a pay
| per use model. While a government run service funded by
| tax dollars could be seen as a subscription service that
| price discriminates on income tax rates.
|
| In both cases it's the market at play.
| ethn wrote:
| Free market requires strong property rights, as private
| property is a legal fiction which otherwise does not
| exist enough to sustain a market.
|
| This is instead a dysfunctional government approaching
| anarcho-individualism.
| CapriciousCptl wrote:
| I think wikipedia got the details wrong there. Crassus
| didn't offer to buy the burning buildings, he offered to
| put fires out. At least, that's how I understood it years
| ago and that's what Wiki's own source shows--
| http://www.trivia-library.com/b/richest-people-in-history-
| ma... .
|
| edit: Actually, Plutarch wrote that Crassus _did_ buy the
| burning buildings.
| rebuilder wrote:
| That's interesting - I definitely have heard it taught
| the way Wikipedia has it. But I suppose some website here
| or there doesn't really count as much of a source when
| we're talking of events so far in the past. Maybe someone
| can provide a primary source or two?
| CapriciousCptl wrote:
| Hmm, I dug further. The story probably comes from
| Plutarch (Lives), "[Crassus] would buy houses that were
| afire, and houses which adjoined those that were afire,
| and these their owners would let go at a trifling price
| owing to their fear and uncertainty"[1].
|
| Plutarch was closer to Crassus than I am so I guess I
| can't argue.
|
| [1] https://penelope.uchicago.edu/Thayer/e/roman/texts/pl
| utarch/...
| stretchwithme wrote:
| If only organizations would backup their own data. Then they
| could just restore and avoid paying.
|
| I have a backup device of my own at home and that's the one I
| have to use. The company I work for relies on some MSFT service
| that is pretty inflexible and won't back up the entire
| machine.
| gentleman11 wrote:
| How do you go about testing your personal backups? I find
| my own desktop is harder to verify than a server with
| automated tests
| WalterBright wrote:
| What I do is see if it can be read by an independent
| system. For example, many dvd players can read media
| files plugged into a USB port. Put some media files on
| your backup drive, and see if your dvd player can read
| them.
| denton-scratch wrote:
| You _have_ to have backup. You can't trust professional
| crooks, because - well - they're crooks.
|
| If you are penetrated, it's not so easy as just restoring
| your data from backup. You have to sterilise the machines
| you are restoring to. And you have to sterilise the data
| you want to restore. CM automation can deal with the system
| sterilisation, but I don't know how to sterilise data
| without using human judgement.
|
| Don't get penetrated.
| wrycoder wrote:
| Many people's backup routines aren't good enough.
|
| Some of these guys encrypt over a period of time which is
| long enough to exceed the backup rotation. Their code
| decrypts on request, until the trigger day, when it posts
| the banners and deletes itself.
| dheera wrote:
| Maybe corporations should make it standard practice to
| have cold storage backups that are physically
| disconnected from the network (by humans) in a rotated
| fashion. Backup A is physically disconnected on B days
| and backup B is physically disconnected on A days.
| sreitshamer wrote:
| Or stored on a cloud storage provider that supports
| S3-style object lock.
| WalterBright wrote:
| That's why you have a combination of rotating backups,
| say 7, one a day, and non-rotating permanent backups, say
| once a week.
|
| Also, one should use "append only" backups (such as
| tape), or a disk drive designed to be append only with
| hardware write enables.
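An added example, not code from this thread or from the linked article, for the slow-encryption pattern wrycoder describes above: ransomware that encrypts gradually, decrypts transparently on access, and so fills successive backup generations with ciphertext before anyone notices. One cheap check that can run on the backup host (which sees the raw bytes rather than the decrypted view) is to compare each generation with the previous one and flag files whose content stopped looking like the type they claim to be. The two backup generations, file names and thresholds below are constructed for the example and are assumptions, not figures from the article.

```python
"""Flag files that turned into ciphertext between two backup generations.

The check is deliberately simple: a file is suspicious if its magic header
disappeared, or if its Shannon entropy jumped toward 8 bits/byte.  Files that
were already compressed or encrypted (zip, media, real crypto) are high
entropy in both generations, so only a *jump* is reported for them.
"""
import math
import random
import zlib
from collections import Counter

ENTROPY_JUMP = 1.5   # bits/byte increase that counts as a jump (assumed)
HIGH_ENTROPY = 7.2   # bits/byte that "looks like ciphertext" (assumed)

# A handful of magic headers; a real deployment would use libmagic.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0": "ole",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes):
    """Return the MAGIC name whose header the data starts with, else None."""
    for header, name in MAGIC.items():
        if data.startswith(header):
            return name
    return None


def suspicious_changes(previous: dict, current: dict) -> list:
    """Compare two generations (path -> bytes) and return (path, reason).

    A file whose recognised header vanished is always reported.  Otherwise it
    is reported only if it is now high entropy *and* the entropy rose by at
    least ENTROPY_JUMP, so a zip that stays a zip is left alone.
    """
    findings = []
    for path, now in current.items():
        before = previous.get(path)
        if before is None:
            continue  # new file; nothing to compare against yet
        e_before, e_now = shannon_entropy(before), shannon_entropy(now)
        t_before, t_now = sniff_type(before), sniff_type(now)
        if t_before is not None and t_now != t_before:
            findings.append((path, f"magic header '{t_before}' gone"))
        elif e_now >= HIGH_ENTROPY and e_now - e_before >= ENTROPY_JUMP:
            findings.append((path, f"entropy {e_before:.2f} -> {e_now:.2f}"))
    return findings


def _fake_ciphertext(n: int, seed: int) -> bytes:
    # Constructed stand-in for encrypted output: seeded pseudo-random bytes.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample generations.  Between GEN1 and GEN2 the PDF and the text
# file were silently encrypted; the zip is untouched; the log merely grew.
GEN1 = {
    "docs/contract.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >>\n" * 40,
    "notes/readme.txt": b"Quarterly planning notes.\n" * 60,
    "archive/q1.zip": b"PK\x03\x04" + zlib.compress(b"spreadsheet rows\n" * 200),
    "logs/app.log": b"INFO started\n" * 50,
}
GEN2 = {
    "docs/contract.pdf": _fake_ciphertext(1200, seed=1),
    "notes/readme.txt": _fake_ciphertext(1500, seed=2),
    "archive/q1.zip": GEN1["archive/q1.zip"],
    "logs/app.log": GEN1["logs/app.log"] + b"INFO request ok\n" * 20,
}

if __name__ == "__main__":
    for path, why in suspicious_changes(GEN1, GEN2):
        print(f"SUSPECT {path}: {why}")
```

Run against real backup generations this is a drift detector, not proof of compromise: a department that starts encrypting its own documents will trip it too, so the finding is a reason to inspect the host and pin the last clean generation, not an automatic restore trigger. It also says nothing about a "time bomb" that has not fired yet, which is the point made further down the thread.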
| paulryanrogers wrote:
| There is also the threat of leaking private data. Companies
| which collect PII could be liable if it's proven they were
| negligent.
| btilly wrote:
| _If only organizations would backup their own data. Then
| they could just restore and avoid paying._
|
| This is commonly suggested, and entirely useless.
|
| What the ransomware groups do is put a time bomb on the
| computer, then leave it to trigger on a future condition.
| Your backup will backup the time bomb, and the second you
| restore it, it also goes boom. And therefore your backup is
| a perfect copy of your data but entirely useless.
| NilsIRL wrote:
| This is not entirely useless as you still have a backup
| of the data, you just need to restore it without the
| "time bomb".
| btilly wrote:
| Good luck finding the time bomb. See also my above
| comments about ways that they can corrupt data.
| Frost1x wrote:
| That assumes the backup couples the data and compute
| together, like a system image or something. If the backup
| is just data and is somewhere else, you can just rebuild
| the compute infrastructure from a known secure state
| (which arguably may require rebuilding the entire compute
| environment).
|
| Even if your backup does couple the data and compute
| together, if it's simply time based (not sure what other
| event you could use really, perhaps some pure
| probabilistic function), then it seems like you can just
| trick the environment that the time is something else to
| get back in.
|
| The real underpinning issue is that this stuff breaks the
| state of the infrastructure and the business can't afford
| the downtime to go around and repair these issues.
|
| If you have your infrastructure build out mostly
| automated, that automation is backed up, and critical
| data is backed up, then you can reasonably sidestep these
| issues (I suppose a real thorough breach might integrate
| the ransomware in this very automation system but it
| should be reasonable to root out). The other issue is of
| course if the intruders threaten to release private data
| (employee and customer PII, financials, so on). There's
| also business integrity but that doesn't really seem to
| matter anymore.
| btilly wrote:
| First of all the goal is to make people not trust their
| backups. So they study and target the systems that do
| backups and restores. If you are separating data from
| systems, they have a number of tricks. One is to have the
| backup system corrupt data in subtle ways. Sure, you have
| a backup. But you can't trust it. And they make sure that
| you KNOW you can't trust it by pointing you at some
| easily verifiable corruption...and not letting you know
| what ELSE they changed.
|
| But as for an event to use, what they can do is have the
| machine check a remote URI to see whether it should let
| the system run, and if it should then set itself up to
| lock things at a specified time. In order to restore that
| you need to have it starting on a network with networking
| to a system that has the attacker's private key to sign
| the request. This is not an environment that you are able
| to create.
| alamortsubite wrote:
| The data corruption approach is devious and something I
| hadn't considered, but I also feel like it eliminates
| much of an attacker's advantage. The more extensive the
| corruption, the more likely it will draw attention,
| possibly to the ransomware itself, so an attacker would
| want to keep this to a minimum. In turn, a victim would
| probably choose to live with minor data corruption over
| paying a ransom, or at least I'd expect the payout
| threshold to greatly diminish vs the scenario where 100%
| of the data is held hostage.
| Schinken_ wrote:
| One should still be able to just mount the disk and not
| boot the OS associated to browse through the files? Not
| fully automated but at least some solution and maybe
| worthwhile for smaller businesses
| smsm42 wrote:
| Backup is only part of the picture, one needs a proper
| disaster recovery strategy that is tested and updated.
| Otherwise it could turn out that backups exist, but it'd
| take half a year to bootstrap the company back into
| function using them. Backing up and restoring one PC is
| trivial, doing the same to 10000 PCs and another 1000 of
| interconnected software systems is a whole different
| business.
| tempestn wrote:
| The criminals already do often recommend firms to manage the
| payment and recovery process.
| josephorjoe wrote:
| I think they can start calling themselves the corporate IT
| department.
| manquer wrote:
| Perhaps the red team, there is more to IT than backups
| datadata wrote:
| Why not just criminalize paying ransoms? Remove incentives and
| don't fund criminals.
| perlgeek wrote:
| Because in the short term, this could have some pretty nasty
| consequences for some companies that are hit the hardest, and
| few politicians want to take that hit.
| yawaworht1978 wrote:
| Seems like the ones with the payloads distribute it to more than
| one affiliate. Or at least a previously hit target does not get a
| mark that is globally respected.
|
| The fast growth desires lead to a lot of vulnerabilities,
| yesterday I signed up to a service and they emailed me my own
| username and password, simple plain text. Incredible.
| qyi wrote:
| The standard business solution to solve security issues - for
| example like having all your database in a public folder - is to
| get a guy to implement "security" (whatever that means) who is 40
| years old and is really confident he knows what he is doing. He
| will go configure some firewalls and stuff that has absolutely
| nothing to do with preventing any real risk aside from automated
| attacks. Every time someone still gets the files from some 90's
| vuln, everyone is surprised that some sooper dooper hacker wizard
| was able to own their Fortune 500 company.
|
| > The least deployed solutions post-attack included web scanning
| (40%), endpoint detection and response (EDR) and extended
| detection and response (XDR) technologies (38%), antivirus
| software (38%), mobile and SMS security solutions (36%), and
| managed security services provider (MSSP) or managed detection
| and response (MDR) provider (34%). Only 3% of respondents said
| they did not make any new security investments after a ransomware
| attack.
|
| uh huh. uh huh. uh huh. uh huh.
|
| Meanwhile, for example, earlier today: a web search for "cat
| /etc/passwd" blocks my IP. What even is the point of this
| article? _Of course_ if you don't patch they will just hack you
| again. _Of course_ if your company follows terrible 90's
| practices, it will get owned again.
| YuriNiyazov wrote:
| So, what age must one be to supervise implementing security
| practices at an organization?
| diego_moita wrote:
| What I suspect: the first ransom was paid by insurance, therefore
| it didn't hurt them, therefore they didn't bother to protect
| themselves for the second.
|
| Now just wait to see what will happen to your insurance rate
| after you pay the third ransom.
|
| They certainly will begin to understand the need for backups.
| SV_BubbleTime wrote:
| Most of these start as phishes to lower level employees. It
| makes sense to me that'll happen again and I'm not sure I can
| say the solution is better backups.
|
| Another issue with backups, is are you restoring to an already
| infected / immediately infectable state?
|
| I think the better closer is "They certainly will begin to take
| security, training, and best practices seriously".
| [deleted]
| ryanmcbride wrote:
| I'd like to think security training can take care of it, that
| people can be careful and considerate and have a skeptical
| eye about every single message they receive. But it only
| takes one person and these huge companies employ so many
| people. So many times, even at companies with really strict
| security training I've seen people just walk away from their
| unlocked computers, click random links in emails, stuff like
| that. People are always the first line of defense but it's
| one of those one-sided battles, where every single person in
| the entire company has to make 0 mistakes, and an attacker
| only has to get lucky once.
| sandworm101 wrote:
| >> But it only takes one person and these huge companies
| employ so many people.
|
| No. It never takes only one employee clicking a bad link. It
| takes that click, plus a browser/email/OS system that allows
| random code to be executed. It takes an IT department that
| has allowed individual non-IT employees to use computers
| with elevated privileges. It requires a management
| structure that has failed to invest in proper off-site/cold
| backups. It requires an organization that doesn't have a
| proper business continuity plan.
|
| And at the top of the incompetency pyramid, it requires a
| vendor that sells an email system that allows evil email
| messages to somehow infect entire operating systems. Want
| your email to connect to your office suite? Sure. Want to
| install random software based on clicked links? Sure thing.
| Want to update your firewall, install a new browser and
| simultaneously backup all your encryption keys to a random
| server in the far east? Why not! Anything to make your
| operating system experience seamless.
| ryanmcbride wrote:
| that's what I'm saying. Just training isn't enough the
| system has to be hardened.
| WalterBright wrote:
| A single computer should never have access to all the
| company's data. Neither should a single login.
|
| It's like compartmentalization on a battleship. A single
| hole won't sink it, in fact, many holes won't.
| hobs wrote:
| Most people's enterprise software is akin to an already
| waterlogged dingy.
| everdrive wrote:
| I genuinely don't put any faith in education. Every
| phishing education program I've seen has effectively said
| "look out for _weird_ emails, (perhaps with misspellings)
| and if you see them report them to security! " I haven't
| seen any which went into the real specifics which might
| actually educate users:
|
| - A phishing email which can pwn you without user
| interaction is basically unheard of.
|
| - Even malicious sites generally can't do anything bad
| simply by visiting them. (and yes, I'm aware browser
| exploitation exists, but it is exceedingly rare)
|
| - Ultimately, it's entering your credentials in a malicious
| site which is what puts users at risk. A user must click a
| malicious link (sometimes two) and then intentionally enter
| their credentials into the malicious site.
|
| Between this, and the fact that users must read emails,
| visit sites, and enter their credentials over and over,
| just to get through their workday, I believe the outcome is
| that user education doesn't amount to much. It would be
| much better if a normal user's workflow didn't usually
| require clicking on email links and then entering their
| credentials. The fact that this is required means that even
| a savvy user will eventually be tired / rushed / working
| on automatic and get owned.
| carlosf wrote:
| Which is why basic stuff like MFA and MDM (block sign-ins
| coming from non compliant devices) works wonders against
| ransomware attacks.
| spicybright wrote:
| Which is why you need a level above the individual to
| protect from attacks.
|
| It sucks locking things down for each employee, and
| subjecting them to bureaucracy to unlock things they need
| to do, but it's better than ransomware.
|
| It's unrealistic to expect every employee to catch hacking
| attempts 100% of the time.
| lurquer wrote:
| > where every single person in the entire company has to
| make 0 mistakes, and an attacker only has to get lucky once
|
| Good post. I don't mean this criticism for you
| specifically. But, why is there an assumption among HN
| types that there are no bad-actors among the insiders? You
| can have all the safeguards you want, but if an insider
| deliberately installs something, you're screwed.
|
| In some industries -- armored trucks, banks, military stuff
| -- there is a huge emphasis on background checks, security
| clearances, and the like to weed out bad actors. (And, even
| then, it often fails.)
|
| I sense there is nothing similar for employees handling the
| company's data. Obviously, there might be background checks
| and the like -- hell, McDonalds has background checks. But,
| I'm not aware of the intensive FBI-style screening you see
| in the aforementioned realms.
|
| Am I wrong?
|
| How many thousands of people, for instance, could corrupt
| or lock the data at, say, Amazon? Are these people
| scrutinized to the same level as a standard Brinks Armored
| Truck driver? I doubt it.
| squiggleblaz wrote:
| I guess there are two questions:
|
| - is protecting against internal sabotage actually
| different than protecting against external attack. I
| don't think it's all that different. It comes down to
| authenticating actions and enforcing the principle of
| least privilege. If you built a system that was actually
| secure (i.e. one that depends on reasonable
| inconveniences, rather than one that depends on people to
| be perfect all the time or is so inconvenient it inclines
| them to do the digital equivalent of jamming the door
| open) it is likely that it will be secure enough against
| most internal saboteurs.
|
| - is protecting against internal sabotage going to pay
| off? Most people probably aren't inclined to deliberately
| target their own company. It's far more likely that there
| is a bad actor in the world who wants to target your
| company, than that there is in your company. And making a
| person's job less stable is probably going to make
| them more likely to be a saboteur, so you should
| carefully evaluate whether gratuitously adding stress to
| someone who might get behind on their mortgage is a good
| idea. (Which I suppose is what this kind of background
| check would cause.)
| ipaddr wrote:
| Malware comes from the outside. Stealing company secrets
| and selling them is what I would be worried about from
| internal threats. Either way least access necessary
| where possible is a good strategy.
| PeterisP wrote:
| There are many steps in the chain between a phish message and
| a ransomware attack - the user opening a phish is just one of
| them. You might prevent lateral movement afterwards, you may
| detect the attack in time (there often are days or even weeks
| between the phish and the ransom) to protect it, you might
| prevent the payload from reaching the user, etc. So yes,
| you're right, the solution is not just better backups but
| stepping up the whole security game - however that takes
| will, money and quite some time.
| hellbannedguy wrote:
| And let's not discount the morale of low paid, overworked
| employees, and companies that let low level managers run
| roughshod over lower level employees. My point is don't
| discount inside corporate espionage by disgruntled any level
| employees.
|
| Thank goodness I didn't have access to a script that would
| lock up at least two of my past employers when coming up
| years ago? Then again, I personally haven't been that mad,
| but boy do I know employees who were.
|
| I could say that we are all choir boys, but you piss on an
| employee, especially during a recession, well let's just say
| I have seen upstanding guys rub magnets over hard drives
| over pure apathy. (The guy didn't know about the strength of
| magnets, and it did not hurt anything.)
|
| Plugging in a usb, or downloading a suspicious email is
| something I can see happening, especially to "those"
| companies.
|
| I imagine Xfinity employees dream about it?
| gerdesj wrote:
| "I have seen unpstanding guys rub magnets over hard drives
| over pure apathy."
|
| Open up a spinning rust hard drive and you will find two
| very strong magnets inside, positioned opposite each other.
| ajsnigrutin wrote:
| > Most of these start as phishes to lower level employees. It
| makes sense to me that'll happen again and I'm not sure I can
| say the solution is better backups.
|
| Why? Secretary gets a call from a Nigerian prince, starts
| that letter.exe she gets in her e-mail, her computer gets
| fscked, IT takes her drive, restores a clean image, and she
| gets back to work.
|
| If the only copy of some important document is on his/her pc,
| or that pc can overwrite/delete the only copy, then they've
| fscked up by design... and yes, now better backups would
| help.
| Trias11 wrote:
| Pay or not - you gotta fix security.
|
| Outsourcing it to el-cheapo, offshore middlemen is not going to
| cut it.
| bserge wrote:
| I believe that's a big part of why governments don't negotiate
| with terrorists and police just stall for time in real world
| ransom cases.
| fibers wrote:
| Except that is a terrible analogy and has everything to do with
| a poor security culture on the firm's part because IT is
| treated as a liability rather than an asset.
| prepend wrote:
| I think the analogy is apt since both paying terrorists and
| ransomers is counterproductive.
|
| If you pay the terrorists they just do it again. If you pay
| the ransomers they just do it again. And the payment
| increases their capabilities.
|
| I think, except for rare conditions where a temporary need
| exists, it's a net negative to pay.
|
| But I think the security flaws that allow ransomware
| typically are a sign of institutional incompetence so it
| makes sense they would also be incompetent to pay, and pay
| again, and pay again. Rather than to prevent the attack or to
| correct the flaw that allowed the attack.
| mullingitover wrote:
| "We don't negotiate with terrorists" is more of a slogan than a
| real policy[1].
|
| [1]
| https://www.foreignaffairs.com/articles/2007-01-01/negotiati...
| anoncake wrote:
| The difference is that even if you don't negotiate with
| terrorists, they can still terrorize you. It's impossible to
| successfully ransom someone without their cooperation.
| AbraKdabra wrote:
| Get attacked once? It's on me. Get attacked TWICE by the same
| group and did absolutely nothing to better the security after the
| first attack? Yeah, it's on you.
| holtalanm wrote:
| Doesn't this just mean that 80% of orgs that were hit with
| ransomware attacks just didn't bother to fix their infosec, and
| got hit again because they left the same holes open to be
| exploited?
|
| Fool me once, shame on you. Fool me twice, shame on me.
| kerblang wrote:
| It can just as easily mean that the attacker found a second
| exploit after the first was resolved.
| beloch wrote:
| Since so many were hit by the very same ransomware group,
| it's likely that the attacker spotted a second exploit
| _during_ the first attack. It's easier to spot things when
| you've already busted your way in and have the run of the
| place.
|
| i.e. An attacker breaks into a system using one
| vulnerability, spots a few more vulnerabilities while
| snooping for data, files them away for future reference,
| extracts a ransom, and then repeats the process later after
| the victim fixes the first vulnerability but fails to address
| the others.
|
| The takeaway lesson appears to be that, if you are hacked and
| fix the vulnerability that made it possible, you shouldn't
| stop there. You're marked as a target that pays and detailed
| information on your system is now out there. Even having
| fixed the first hack, you're more vulnerable than ever.
| ADHDreamer wrote:
| So ransomware already means they got into the system, they
| could open a new secret backdoor or completely tear down your
| security if they wanted to. Plus it takes time to identify the
| ransomware to undo/remove it, so in that time they could attack
| again. Paying ransomware ransoms is just saying "pretty please
| don't do this again".
| astockwell wrote:
| Most likely.
| mywittyname wrote:
| > Fool me once, shame on you. Fool me twice, you're not going
| to fool me twice.
|
| - These Companies (probably)
| aiisjustanif wrote:
| Yes, but even more importantly it means they don't have proper
| backups and disaster recovery.
| data_spy wrote:
| how many were hit again who didn't pay?
| heavyset_go wrote:
| Once scammers know you're a mark, they'll exploit it. This is why
| email lists are next to gold to scammers, because they're lists
| of people or organizations who have parted with their money under
| false pretenses before, and are most likely willing to do so
| again in the future.
| simonw wrote:
| "After an organization experienced a ransomware attack, the top 5
| solutions implemented included security awareness training (48%),
| security operations (SOC) (48%), endpoint protection (44%), data
| backup and recovery (43%), and email scanning (41%)."
|
| Only 43% of organizations invested in data backup and recovery
| after a ransomware attack? I would expect that number to be
| closer to 100%!
| artful-hacker wrote:
| And how many of that 43% actually put in place a method to test
| their backups regularly? I'd bet it's less than 5%
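The backup-trust problem btilly raises above (a backup system that corrupts data in subtle ways so you cannot tell what else changed) and artful-hacker's question about regularly testing backups reduce to one check: compare what you restored against an integrity record that the backup host itself cannot forge. The Python below is an added example, not code from the thread or from any vendor named in it; it hashes a backup set into a manifest, authenticates the manifest with a key assumed to be kept off the backup host, and reports corrupted, missing and unexpected files on restore. The file contents, paths and key are constructed for the demo.

```python
"""Added example: verify a restored backup against an independently kept manifest."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and MAC the list with a key that never lives on the backup host.

    The MAC is what stops an intruder on the backup system from quietly editing the
    manifest to match the data they corrupted; the key is an assumption of this example.
    """
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_restore(root: Path, manifest: dict, key: bytes) -> dict:
    """Check a restored tree against the manifest.

    Returns manifest_ok (MAC matched), plus sorted lists of corrupted, missing and
    extra paths, so a restore test can fail loudly instead of trusting the data.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["mac"])

    corrupted, missing = [], []
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    extra = sorted(present - manifest["files"].keys())
    return {"manifest_ok": manifest_ok, "corrupted": sorted(corrupted),
            "missing": sorted(missing), "extra": extra}


# Constructed demo key; a real one belongs in an offline secret store, not on the backup host.
DEMO_KEY = b"constructed-demo-key-keep-the-real-one-offline"


def _write_backup_set(src: Path) -> None:
    """Constructed sample backup: a tiny ledger and a config file."""
    (src / "db").mkdir(parents=True)
    (src / "db" / "ledger.csv").write_bytes(b"id,amount\n1,100\n2,250\n")
    (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")


def demo_subtle_corruption() -> dict:
    """Take a backup, then change one digit in the ledger and plant one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        _write_backup_set(src)
        manifest = build_manifest(src, DEMO_KEY)
        # The kind of edit the thread describes: small enough to miss by eye.
        (src / "db" / "ledger.csv").write_bytes(b"id,amount\n1,100\n2,259\n")
        (src / "db" / "planted.bin").write_bytes(b"\x00")
        return verify_restore(src, manifest, DEMO_KEY)


def demo_tampered_manifest() -> dict:
    """Edit the manifest itself to match nothing; the MAC check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        _write_backup_set(src)
        manifest = build_manifest(src, DEMO_KEY)
        manifest["files"]["config.ini"] = "0" * 64  # forged digest
        return verify_restore(src, manifest, DEMO_KEY)


if __name__ == "__main__":
    print(demo_subtle_corruption())
    print(demo_tampered_manifest())
```

Run as a scheduled restore test against a scratch copy of the latest backup, with the manifest and key fetched from somewhere the backup host cannot write.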
| munk-a wrote:
| Hey guys - I know security is hard to justify cost-wise but if
| you get hit by ransomware then shape up and actually do some due-
| diligence around your data stewardship.
|
| Wait - is this how the market fixes poor security practices?
| boringg wrote:
| IS ANYONE SURPRISED?!
| boringg wrote:
| There is no honor among thieves.
| uhhhhhhhhhhhhhh wrote:
| This is an interesting dance. Which company has paid the most? Is
| it on the jira board every monday "remit darkside for db access"
| trentnix wrote:
| Because that's where the money is, someone once said.
| tempfs wrote:
| I mean they just proved that they are willing to pay the ransom.
| If they are also unwilling or unable to clean up their shop and
| keep it from happening again, it surely will.
| avgDev wrote:
| It is almost like the groups hacking them are providing a good
| service. If they get hacked once, shit happens. But if it
| happens multiple times then someone should probably answer for
| it.
| [deleted]
| chihuahua wrote:
| "We don't have money in the budget for backups. But we do
| have money in a different budget for ransom payments!"
| mywittyname wrote:
| "how much you got?"
| BizarroLand wrote:
| RAAS, Ransomware As A Service
| ArkanExplorer wrote:
| The responsibility lies at the nation-state level, and the
| clear decision is for Governments to ban the formal exchange of
| cryptocurrencies.
|
| As soon as this occurs, ransomware events will collapse since
| the ransoms will become unpayable.
|
| The negatives of cryptocurrencies (ransomware enablement, chip
| and electricity shortages, scams) clearly outweigh the
| positives at this point.
| bouncycastle wrote:
| This view is similar to saying things like "The terrorists
| and the media have a symbiotic relationship and the media is
| responsible for enabling terrorist attacks, therefore let's
| ban the media".
| kemonocode wrote:
| If you believe banning cryptocurrencies will suddenly stop
| ransomware, then I have a bridge to sell you.
| viraptor wrote:
| In the theoretical universe where banning crypto is
| possible, yes it would stop almost all ransomware of the
| scale we see reported in news today.
|
| There's just no other form of payment which would work for
| them. You can't easily go "can I have $50k worth of
| giftcards" and on the receiving side you can't easily
| validate or sell millions of them without tanking the
| value. Any kind of wire transfer would expose the source
| immediately at that scale. There's only so much money you
| can move through services that give you kickbacks of
| various kinds. What else is left?
|
| Basically unless ransomware teams know of a new really good
| way of laundering money without a trail, or are happy to
| take a massive pay cut, that would be the end of most of
| their operations.
| this_user wrote:
| There is an easy fix here: make it illegal for companies to
| transact in cryptocurrencies. Then they would have no way
| of paying a ransom without engaging in illegal activities.
| This would destroy the ransomware business model.
| kemonocode wrote:
| Then you hire the services of brokers that don't have the
| same compunctions about transacting in crypto. And even
| if you were to magically erase all cryptocurrency from
| the earth, it still wouldn't stop ransomware, or the same
| state sponsored actors would gravitate towards even worse
| things.
|
| It's like nobody has learned a thing from the war on
| drugs, my point being: you deal with the root cause of
| the disease (infosec in most companies and even
| government offices is a joke and bad people have taken
| notice), not playing whack-a-mole with the symptoms
| (crypto use) that hint towards systemic decay.
| dmoy wrote:
| There was ransomware before crypto currencies. There will
| be ransomware after crypto currencies.
| cableshaft wrote:
| Cryptocurrencies are decentralized. It would have to be
| banned in literally every country in the world for them not to
| be able to use it and convert to a non-digital currency. Good
| luck with that.
|
| And I'm sure they'd just invent or go back to some other
| method -- possibly riskier and more violent -- so they can
| continue to ransom money from people.
| mytherin wrote:
| > Cryptocurrencies are decentralized. It would have to be
| banned in literally every country in the world for them not to
| be able to use it and convert to a non-digital currency.
| Good luck with that.
|
| The effect would not come from the criminals being able to
| cash out, it would come from the company not being able to
| cash in. If cryptocurrency were to be banned and public
| exchanges were closed purchasing cryptocurrency to the tune
| of millions of dollars worth becomes practically impossible
| for a regular company without connections in the space. If
| the company is not able to pay the ransom, the entire
| venture is pointless.
|
| > And I'm sure they'd just invent or go back to some other
| method -- possibly riskier and more violent -- so they can
| continue to ransom money from people.
|
| Sure, there will be other methods of transferring some
| amount of money. To the tune of millions of dollars,
| though? Unlikely. Cryptocurrency enables these companies to
| pay ransoms of this amount. Without cryptocurrency you
| might be able to ask for a 50K ransom instead of a 5M
| ransom, but that reduces your payout by 100X. 5M is enough
| to retire from. 50K is less than the yearly wage these
| people can make.
|
| It's not like ransomware didn't exist before
| cryptocurrency, we know what ransomware without
| cryptocurrency looks like. What cryptocurrency changed is
| the scale of the payout. Instead of getting a few thousand
| dollars in gift cards the hackers are now rewarded with
| millions in bitcoins. It is hard to deny that the change in
| incentives caused by cryptocurrency is the primary driver
| behind the huge increase in ransomware attacks in the last
| few years.
| eh9 wrote:
| And that's why you never pay dane-geld[1]
|
| [1] https://en.wikipedia.org/wiki/Dane-geld_(poem)
| [deleted]
| mkr-hn wrote:
| See also: why people who want to pay to not see ads are ideal ad
| targets.
| flowerlad wrote:
| I don't see any discussion of typical entry points. How do these
| guys get into the system? Is it by having someone download a
| malicious file? If so what type of file? PDF? MS Office? If so
| Adobe and Microsoft should be held accountable for their security
| holes, only then will they have enough motivation to maybe
| consider rewriting some of their code in a safer language such as
| Rust.
| lurquer wrote:
| Agree.
|
| There is much confusion and many bad analogies surrounding this
| issue.
|
| Some claim - without evidence - that nation states are behind
| it. Which, with a moment's reflection, is absurd; nation states
| may have an interest in disabling certain systems for military
| purposes (at the appropriate time), but no nation state needs
| ransom money. Easier ways for a government to get money;
| namely, just print some.
|
| Others liken it to the mafia or cartel or other well-organized
| criminal organizations. This too misses the mark.
|
| Like most business crimes, the culprit is almost always an
| insider. Period. As the tools to pull this off are trivial to
| come by on the internet, the obvious suspect would be some
| disgruntled IT person within the company.
|
| It's as if -- after a bank robbery -- everyone claims it must
| have been some crack team of Russians flown in under radar in
| helicopters. Instead, they should be looking at the numerous
| employees who have access to the security system and the safe.
|
| But, it's much more exciting to pretend that Putin is
| sponsoring hackers to get trivial amounts of money from
| companies across the globe. Ha.
|
| I'm not even an IT guy, but at my last job, even I had access
| sufficient to destroy or corrupt all the data. That was before
| cryptocurrency and the like... I assume assembling a ransomware
| set of tools off the internet is no more or less difficult than
| it was to assemble a set of tools to make pirated copies of
| Adobe Photoshop back in the day.
| perl4ever wrote:
| >no nation state needs ransom money. Easier ways for a
| government to get money; namely, just print some
|
| Sure, this is obvious, makes intuitive sense, except...it
| explains why something like Iran-Contra or the equivalent in
| other countries can't happen.
| perlgeek wrote:
| The entry points are "whatever works".
|
| Typically:
|
| * Password spraying from previous data leaks
|
| * Good old-fashioned phishing
|
| * Bugs in anything that's common in enterprises, exposed to the
| Internet and not patched fast enough, including MS Exchange,
| various security/VPN products, vCenter, you name it. All of
| these had pretty critical pre-auth bugs exposed just this year
|
| * malicious browser plugins
|
| * malicious O365 apps
|
| ... and so on.
| TwoBit wrote:
| Lack of MFA, lack of hardware whitelisting, servers exposed
| directly to the Internet, lack of user privilege
| restrictions, allowing passwords that are known-compromised,
| ...
| flowerlad wrote:
| If so, it doesn't make sense to blame Putin. The blame lies
| on US lawmakers, for not incentivizing US businesses to
| have a budget for fixing these sorts of issues. For
| example, when companies such as Equifax are hacked because
| of poor security practices do they pay a penalty? No.
| That's the problem.
| systematical wrote:
| The amazing part is they allowed themselves to get hit again.
| You'd think these organizations would tighten security after the
| first one...
| okareaman wrote:
| Once they are in, who knows what back doors they installed
| ajonit wrote:
| It is Sales101 - Getting business from an existing customer is
| easier than on-boarding a new one.
| _tom_ wrote:
| Anyone else think we should make it illegal to pay ransom?
|
| These people are just financing the next generation of cyber
| criminals.
|
| Once people stop paying, people will stop attacking.
| schelling42 wrote:
| No. Not with profit margins that high compared to operational
| cost, it would not be an effective deterrent. They will just
| continue to hit as many targets as possible. You would end up
| punishing the victims. What if they target some _really_
| critical infrastructure, where it would be rational to just pay
| and then fix the holes? Seek exemptions from law for each?
|
| But it would be very interesting to see if the ransomware gangs
| can devise a scheme that gives the payer plausible deniability.
| rytcio wrote:
| Yes, because criminals definitely follow the law.
| jhgb wrote:
| No, you become a criminal by paying. You continue not being a
| criminal by not paying.
| Miner49er wrote:
| I think we should actually legalize ransomware. By that I mean
| create a government-run national bug bounty program. All
| companies of a certain size are automatically included in it.
| Bounties are awarded based off severity, and bounties are paid
| for by fines to the companies hit.
| trvrprkr wrote:
| Interesting idea. But what you're describing is absolutely
| not "ransomware."
| jjeaff wrote:
| It is already illegal in the US as of late 2020. But we know
| nothing really happens when corporations break the law.
|
| https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u...
| randomhodler84 wrote:
| Only for sanctioned parties I believe -- which would apply
| for any money transfers regardless of purpose. Most random
| criminal rw attackers are not going to be on a sanction list.
| [deleted]
| kag0 wrote:
| I wish this said how many of those hit again also paid again. I
| find it easy to believe that you could be hit twice in a row
| despite your best intentions, but hard to believe that you'd need
| to pay the second time if you had established a backup solution.
| splithalf wrote:
| Security is impossible. As long as there are incentives, nothing
| will be secure. It's just a matter of incentive/difficulty. With
| enough incentive Stuxnet or SolarWinds or omb are possible.
| Bitcoin values are causing this equilibrium to be disrupted,
| making this appear as though it were a new problem.
| fairity wrote:
| What does the outcome distribution look like if you don't pay the
| ransom?
|
| What percent of orgs that did not pay the ransom get hit again?
| underseacables wrote:
| How long do major companies keep backups? It seems like all of
| these companies that keep getting hit with ransomware only have
| last week's backup lying around. Why can't you go back eight
| months? True the data is going to be lacking, but at least the
| structure is going to be there. I completely understand that a
| Trojan or a virus can get locked into a backup and it just keeps
| getting backed up, but if you go far enough back you will find a
| clean copy.
| SV_BubbleTime wrote:
| I have yearly backups for three years. Right now, we could use
| one of those.
|
| At my last place, they only kept 1 year and monthly, but the
| problem was it was hundreds of terabytes of data on lots of
| VMs. We tried to restore backups and it was going to take
| longer than the long weekend just for file transfer.
|
| I don't know what normal process is, but I believe I saw file
| locker Trojan that didn't hit every byte of the drive; but
| rather crawled the file system and did a bit on every file
| header for speed. So I imagine it's still faster to pay and fix
| than restore from backups for some.
| underseacables wrote:
| The company I work for does nightly backups and we keep them
| for five years in cold storage. Our CTO got hit with an
| attack years ago that almost cost him his job at another
| company, and he vowed to never let it happen again. Are we
| unusual for this?
| makeitdouble wrote:
| "Never negotiate with terrorists" is a simple and clear mantra,
| and as most clear and simple concepts it hides a lot of
| assumptions.
|
| One of them is you are ready to lose the hostage in the worst
| case scenario. That's how the police see it, because the society
| benefits more from being firm in individual cases than losing a
| few of its members that might not come back anyway.
|
| That's a hard one to swallow, hard enough that govs also
| sometimes can't follow the mantra and just pay the ransom.
|
| It's crazy hard to get people to sacrifice themselves for the
| better good, it's yet a bigger ask for corporations who already
| screw the public day in day out.
| henvic wrote:
| Taxation works exactly like this.
|
| You might even want to establish an isolated society, but if
| you try, good luck dealing with the IRS.
| formerly_proven wrote:
| > "Never negotiate with terrorists" is a simple and clear
| mantra, and as most clear and simple concepts it hides a lot of
| assumptions.
|
| This has nothing to do with that idea.
|
| The reason the orgs paid the ransom once was because they had a
| severe lack of backup and other data safety protocols in
| combination with a vector to be infected (from all we
| know, the latter is common and difficult to avoid): paying the
| ransom is likely their only choice to maintain the business.
|
| It is not surprising at all that these orgs can and will be
| infected again, and will continue to show a lack in the
| security and data safety departments, and so they will continue
| to pay ransoms.
|
| It's sort of an inverse survivorship bias: if you get infected
| once because you're susceptible, you're likely to get infected
| again unless you fix your susceptibility.
| thepete2 wrote:
| It _has_ from a certain angle: For society/the internet as a
| whole it might be better for no one to pay the ransom at the
| cost of some of them perishing. The ransomware attacks would
| become unprofitable and would eventually stop. But to assume
| any organization wouldn't pay the ransom if its survival
| depends on it is obviously unrealistic.
| kelnos wrote:
| I think that mantra does work here.
|
| I would be totally fine with legislation making it illegal to
| pay in the case of ransomware attacks. Some companies might
| be completely destroyed by an attack that they can't pay off,
| but that is for the greater good of society: if criminals
| know companies have a low probability of paying since they're
| legally barred from doing so, they're less likely to target
| them.
| enkid wrote:
| Never negotiate with terrorists is only a thing because it puts
| you in a stronger negotiation position.
| cwkoss wrote:
| And it's just posturing. I'm sure the US negotiates with
| groups it labels as terrorists through backchannels.
| koheripbal wrote:
| Literally every government says this publicly, and then
| negotiates privately.
| dilyevsky wrote:
| I don't think this mantra was ever anything more than a meme.
| LE always negotiate, this mantra is designed to just better
| their negotiating position
| smnrchrds wrote:
| > _because the society benefits_
|
| That's the theory. But much like war on drugs or TSA, whether
| its real-world outcomes match the theoretical ones is
| debatable.
|
| https://www.newamerica.org/international-security/policy-pap...
| andrewmcwatters wrote:
| From the perspective of the individual, there is no greater
| good than defending one's self.
| kag0 wrote:
| Hardly. There are many philosophies that argue that the
| greatest good lies with how we interact with the other.
|
| And on a purely primal level it's common to prioritize one's
| offspring over one's self. I think most cultures recognize
| this intuitively.
| andrewmcwatters wrote:
| I'm not arguing philosophy. I'm arguing how absurd the
| statement "it's crazy hard to get people to sacrifice
| themselves for the better good" is, as if OP would
| sacrifice himself or herself for anyone here they didn't know.
|
| What a grand delusional statement, like the sibling comment
| here. It's literally arguing moral superiority while
| ignoring pragmatic reality.
|
| Maybe you watch a little bit too much television, but there
| are plenty of spouses out there who would, for example, not
| want their wife to die in childbirth if they had the
| option.
| SamBam wrote:
| If you don't see the chasm between "people should
| sacrifice themselves for the greater good" (which I'd
| generally disagree with, particularly if you're not
| defining what the greater good is) and "there is no
| greater good than defending one's self" then I can't help
| you.
| [deleted]
| SamBam wrote:
| What an absurd statement, to just say unequivocally, ignoring
| that plenty of philosophies and ethical systems have disagreed
| entirely with that.
| andrewmcwatters wrote:
| Yeah, totally absurd. Would you sacrifice your life for the
| strangers on this forum? Let me guess, no? Huh, wild.
| rurp wrote:
| Wait, so you think that defending anonymous strangers
| from the internet is an exhaustive set of circumstances
| where one might risk their life?
| andrewmcwatters wrote:
| Oh, of course.
| [deleted]
| SamBam wrote:
| Yawn.
| kag0 wrote:
| From another comment, it looks like that mantra will become law
| in the US
|
| https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u...
| MattGaiser wrote:
| Isn't that just applying existing sanction law to ransomware?
| avgDev wrote:
| I mean couldn't government pay the ransom and then go great
| lengths to track the suspects and send special forces after
| them? Surely US govt. has the ability to track almost anyone.
|
| Having US govt. on your ass should be a decent deterrent.
|
| Just take a look at how hard the FBI came down on cartels and
| individuals who were involved in killing Enrique Camarena.
| Cartel leaders were arrested in Mexico and several individuals
| in the US.
| microtherion wrote:
| It appears that some of the major ransomware gangs are
| operating from Russia and are tolerated by the government, as
| long as they don't hit domestic targets.
|
| The US cannot really send special forces there without
| risking a massive escalation.
| MrMorden wrote:
| No, but the people operating in Russia like to travel
| elsewhere, and do.
|
| Also, the US and allies can enforce Russian AML laws as
| written on paper. If, say, the UK freezes all of Oleg
| Deripaska's assets there, Vova will absolutely get the
| message. We're not going to bring down the Russian
| government with military force for a million different
| reasons, but doing it with sanctions and prosecution is a
| totally different story.
| smsm42 wrote:
| When they do, the US gets them. That happens from time to
| time; if you watch the news, you notice there are guys
| caught periodically who thought it was time for a nice
| vacation in Spain resting from their criminal
| activities... only to be picked up at the airport.
| However, the smarter ones stay put inside Russia and
| those are hard to get.
| chihuahua wrote:
| Best example was when VW's Oliver Schmidt was arrested in
| Miami as he was changing planes. He was in trouble from
| the emissions fraud scheme.
| londons_explore wrote:
| I'm sure the US has hundreds of spies and personnel in
| Russia at any point in time.
|
| But sending a spy to a software developer's house and
| assassinating them probably isn't going to stop the problem
| - more people will spring up doing the same.
| kilroy123 wrote:
| We might not though. We don't even have a main diplomat
| there.
|
| Russia has always been notoriously hard to spy on.
|
| I would not be surprised if there were only a handful of
| well-placed assets and most of the spying was being done
| electronically.
| Griffinsauce wrote:
| That introduces a scale problem. Even for the US.
| SamBam wrote:
| When they hit a hospital, what is the hospital supposed to do?
| Not negotiate, for some "greater good" and let patients die?
|
| https://threatpost.com/ransomware-hits-hospitals-hardest/162...
| blindmute wrote:
| Yes.
| SwanRonson wrote:
| They're supposed to back up their data and set up proper
| contingencies. By failing to do so, they are already putting
| patients' lives in the hands of the encryptors.
| SamBam wrote:
| Yes. Of course they were supposed to do so, _then_. But
| they didn't, and now they've been hit. Now, in the real
| world, what are they supposed to do: pay, or hold out and
| let the patients die as punishment for the hospital's
| mistakes?
| nradov wrote:
| The US government has negotiated with the Taliban (a formally
| designated terrorist group) for prisoner exchanges.
|
| https://www.bbc.com/news/world-asia-50471186
| koheripbal wrote:
| The "don't negotiate with terrorists" is itself a negotiation
| tactic meant to lower the attack surface of any entity.
|
| It's the sort of thing you say publicly, but then privately
| you settle with your adversary.
|
| Absolutism is never a useful tactic.
| munificent wrote:
| Yes, but getting your opponent to _believe_ you will take
| an absolute position is often the most useful tactic.
| kevincox wrote:
| > Absolutism is never a useful tactic.
|
| That sounds pretty absolutest.
| Frost1x wrote:
| I absolutely never always disagree, most of the time.
| denton-scratch wrote:
| ""Never negotiate with terrorists" is a simple and clear
| mantra, and as most clear and simple concepts it hides a lot of
| assumptions"
|
| The word 'terrorists', for one. It's mostly used to mean 'my
| opponents' these days.
|
| What we are facing with ransomware is not insurrectionists or
| protestors, but gangsters. They make their living by stealing
| from people, cheating them, and threatening them. Many
| insurrectionists are honourable people that you can safely make
| a deal with. There is no gangster with that property.
|
| Take backups, test the recovery procedure, don't make bargains
| with gangsters.
| notdang wrote:
| Until your own child or spouse is held hostage or sequestrated.
| You will negotiate.
| skybrian wrote:
| There's a somewhat better article about the survey here [1],
| including which countries were surveyed.
|
| It looks like you can download the full report by filling out a
| form [2]. (So I didn't.)
|
| [1] https://www.zdnet.com/article/most-firms-face-second-
| ransomw...
| [2] https://www.cybereason.com/ebook-ransomware-the-
| true-cost-to...
| dragonwriter wrote:
| Rudyard Kipling explained this:
|
| ---
|
| But we've proved it again and again, / That if once you have paid
| him the Dane-geld / You never get rid of the Dane.
|
| ---
| https://www.poetryloverspage.com/poets/kipling/dane_geld.htm....
|
| By paying, you've just proven that you are a profitable target to
| hit.
| dalbasal wrote:
| I'm from Dublin. We didn't pay the Danegeld, and in retaliation
| they built a city.
| Beached wrote:
| From my experience responding to these, orgs that entertain the
| idea of paying the ransom often do not care about root cause
| analysis to the degree they should.
|
| Orgs that completely ignore payment as an option spend their time
| identifying the entry point and vulns, and close those before
| restoring or rebuilding.
| smsm42 wrote:
| Makes sense. We have a company with bad security practices (not
| easy to fix), inadequate disaster recovery strategy (not easy to
| fix) and willing to pay money to criminals to make problems go
| away. Of course it's an ideal target. I wonder if by now the
| criminals compile and trade the list of easy target companies.
___________________________________________________________________
(page generated 2021-06-18 23:00 UTC)