[HN Gopher] 80% of orgs that paid the ransom were hit again
___________________________________________________________________
Author : prostoalex
Score : 516 points
Date : 2021-06-18 17:17 UTC
Link : venturebeat.com

| ghostly_s wrote:
| Why would you expect otherwise?

| toxik wrote:
| Ransomware is actually a net benefit. They force information security into the business agenda in a way that we haven't really been able to accomplish before. You can now quantify the cost of getting pwned. It's a bit like the immune system needing pathogens every once in a while.

| kristopolous wrote:
| What percent that didn't though? Basic controls here...

| RalfWausE wrote:
| Solution: Don't pay the ransom, instead offer a bounty 'Wanted dead or alive (preferred dead of course, if it can be made to look like an accident)'

| cronix wrote:
| Does it really surprise anyone that criminals would (re)target a place that paid out quickly and made their "jobs" easier? The aim is to get paid as quickly as possible with the least complexity and move on to the next target, is it not? If you're a freelancer and you have 10 clients and 8 always pay within 14 days of invoice and the other 2 let it drag on 90+ days and you have to send out "reminder" letters, who do you favor doing business with?

| yelling_cat wrote:
| According to a study by Cybereason, which sells endpoint protection software.

| robocat wrote:
| One has to wonder if Cybereason measured the 80% figure from their own clients - endpoint protection is the lowest form of security.
|
| Alternatively, Cybereason are probably in a really good position to snarf passwords and then parallel construct an attack from a third party who gives a few major individual shareholders a kickback.
|
| Does endpoint security even work?
| surround wrote:
| What percentage of orgs that _didn't_ pay the ransom were hit again?

| acheron wrote:
| Once you pay 'em the Danegeld
|
| You'll never be rid of the Dane

| sharken wrote:
| I don't see why you have to pick on the Danes :)
|
| But the similarities are there, although the persons behind the ransomware attacks are probably not Vikings.

| coldcode wrote:
| The ancestors of the Russians were themselves Vikings. Their kingdom of Rus is where the name came from.

| hprotagonist wrote:
| https://www.poetryloverspage.com/poets/kipling/dane_geld.htm...
|
| https://en.wikipedia.org/wiki/Danegeld

| afrcnc wrote:
| Please never take these security surveys seriously.
|
| Most are created by companies looking for media coverage and are just made up.

| admax88q wrote:
| Meaningless stat without a baseline to compare against. How many who didn't pay were hit again?

| jessaustin wrote:
| If the attacker isn't paid for the first attack, why would she attack again? She's not doing it for the lulz!
|
| I do agree with you that there should be more visibility for the "silent majority" of firms who operate their businesses responsibly, and therefore don't ever need to pay ransom.

| kristopolous wrote:
| That's not for us to intellectually deduce, give the numbers. They have it. Is it 79%? 99? 1?
|
| Maybe it's all automated shotgun based attacks and they don't close the holes and so the act of paying the ransom is statistically meaningless.
|
| This is shoddy journalism. Might as well just say "X%". It implies you shouldn't pay lest you fall victim again but they don't actually say that.
|
| Things that implicate what they refuse to say are kind of suspect.

| jessaustin wrote:
| The "journalism" has been shoddy from the start. This entire "Russians are pwning the electric company" meme has always been motivated more by politics, CYA, PR, and marketing than it has by anything real. TFA itself is a mail-it-in, paraphrase-the-press-release "effort". They actually link to the press release rather than the original marketing document; it's possible TFA's authors haven't read the latter! There's no guarantee the marketing document answers your question, but if you have an email address you don't mind getting spammed you could find out for yourself. [0] I don't have such an email address.
|
| [0] https://www.cybereason.com/ebook-ransomware-the-true-cost-to...

| TameAntelope wrote:
| The whole point of gathering statistics is that making up logic for what could be the case is generally a massive waste of time.

| Trias11 wrote:
| Because the second attacker might not be briefed by the first one.

| Covzire wrote:
| If they actually have proper backups to avoid paying the first one, my guess is they are much more likely to also have the skills to prevent a second breach.

| Trias11 wrote:
| I agree on backups and actually working and robust restore system.
|
| Cheapest way to avoid paying ransoms.
|
| You can never be sure about 100% hacker safe but backup/restore system can be life saver.

| 8note wrote:
| And also due to the attacks being cheap to run

| arnvald wrote:
| If the victim doesn't pay the first time, they suffer consequences and next time might decide to pay instead.

| jessaustin wrote:
| ISTM we only hear about the tiny minority of "victims" who do "suffer consequences". Most organizations who get ransomed just shut off a bunch of unnecessary stuff, re-provision the necessary stuff with passwords turned off, restore from backup, and hire some security consultants.

| Tade0 wrote:
| I'm sorry but I have to ask: why assume the attacker is female?

| jessaustin wrote:
| "Mallory" is commonly understood to be a woman's name. Come to think of it, so is "Trudy".
|
| It's interesting to see the various reactions to a perfectly innocent idiom.
|
| https://en.wikipedia.org/wiki/Alice_and_Bob#Cast_of_characte...

| dang wrote:
| I understand how this sort of off-topic snag can feel provocative, but please don't copy it into the thread where it can turn into an entire flamewar. There's nothing new in any of this at this point, and therefore nothing interesting. When there's nothing interesting, discussions turn nasty. Solution: focus on the interesting specific information and diffs in a post, and ignore the provocative bits.
|
| https://news.ycombinator.com/newsguidelines.html

| leesalminen wrote:
| It seems like "they're" would've been a better choice there, as there are a plurality of attackers in the world.

| tacostakohashi wrote:
| Why not? Why assume that they are male?

| AnimalMuppet wrote:
| Statistically it seems the safer bet that they are male.

| jmcgough wrote:
| Probably trying to diversify pronoun usage. Would we be pointing this out if they said 'he'?

| flatline wrote:
| No, because for better or worse "he" is the default for a plurality or unknown gender in most (all?) romance languages, including English. Times and sensitivities change but "she" still connotes more knowledge than "he" so it's bound to cause some confusion.

| acomar wrote:
| What was true centuries ago is no longer true. "He" is not gender neutral in English, in any sense of the term. It's only used as such in historical writing - languages evolve over time. "She" connotes as much knowledge as "he".

| wackro wrote:
| Language changes over time, yes, but also over space. Something other than 'he' might be default where you are, but not where I am.

| gotoeleven wrote:
| English up until recently used male pronouns by default for everything but we have learned recently, thanks to our heroic Gender Studiers, that this actually perpetuates systemic sexist patriarchy. So the solution is to randomly use male or female pronouns, making language unclear and confusing--which helps fight the patriarchy.

| wrycoder wrote:
| To preempt criticism.

| jalgos_eminator wrote:
| The first time I saw this (using female pronouns for an unidentified person instead of "him/her" or "they") was in RMS's writings. So instead of using the indefinite/singular they, RMS would just say she/her. I thought it was an interesting way to hack language to break assumptions we have about gender, especially in technology.

| insickness wrote:
| It's likely the reinfection rate is high in both cases since it's so difficult to ensure every possible back door has been closed.

| spywaregorilla wrote:
| The most important line:
|
| > 80% of organizations that paid the ransom were hit by a second attack, and almost half were hit by the same threat group.
|
| The same group!

| sslayer wrote:
| It makes you think about how many of those are inside jobs and/or compromised employees. In the case of Colonial, it would seem highly likely given it was a credential compromise, but then again secure passwords are a known weakness.

| tyingq wrote:
| Makes sense to me. From what I've read, it's pretty clear the ransom payment is for a one-time ability to get your data back. It's not advertised as some sort of permanent opt-out.

| hiccuphippo wrote:
| It's right there in the small print. These companies sure know about that.

| denton-scratch wrote:
| I think it is, actually. Well, not advertised; but these big ransoms, they can be negotiated. And one of the victim company's requirements will be that if I pay, then you agree to leave me alone.
|
| I think these negotiations are fine, if you're just buying time to gather your backups; I've assumed the payouts were made by insurance companies, so go ahead - buy a zero-value promise from a gang of crooks, if you want.
|
| But your org has been rooted (at best, you can't prove it hasn't).
| Compromised systems can't really be cleaned, they have to be reinstalled from scratch, if you want to have confidence in them.
|
| And an attack can be stored in data - which you're about to restore from backup. That's a problem I have faced, and I chose to ignore that threat. No choice - I didn't know how to address it then, and I still don't now.
|
| My half-baked opinions about ransomware are largely based on watching this documentary: https://www.bbc.co.uk/programmes/w172wx9056p6bd6

| mumblemumble wrote:
| > And one of the victim company's requirements will be that if I pay, then you agree to leave me alone.
|
| I'm curious how one would enforce that. From the fact that the ransom got paid in the first place, we can establish that there's no legal body that's able and willing to exercise any authority over the ransomware group. So it's not like you can sue them for breach of contract.
|
| Perhaps you can rely on the honor system? Though, given this is a group of professional extortionists we're talking about, if you choose to go that route, you may be at elevated risk of getting what you deserve.

| perlgeek wrote:
| It's a matter of reputation.
|
| If a ransomware group has a reputation of not actually delivering the unlock upon payment, or of re-infection shortly afterwards, the decision to pay them becomes harder to defend.

| mumblemumble wrote:
| A sticky problem indeed. I'm sure their sock puppet budgets must run into the tens of dollars.

| tyingq wrote:
| I don't know that you can even reliably identify what ransomware group you're dealing with. They seem to use similar software, wallet addresses can change, people can claim to be some group they aren't, etc. And they probably identify potential victims with similar methods and tools.

| Blikkentrekker wrote:
| How would the statistics then be gathered that half were hit by the same?

| dylan604 wrote:
| Everyone knows that once you find a loose slot machine, you keep playing it.

| jessaustin wrote:
| You might come back next week, but if it just jackpotted it's empty right now.

| dylan604 wrote:
| That's so 1980s! Now, they update the balance on your Player's Card.

| abledon wrote:
| Where is the hacker's Honor... Cmon man

| mikewarot wrote:
| It went away when telling someone their system was broken stopped being treated as a favor and started being treated as a crime.
|
| All the good guys shut up, and so you're left with the criminals who then exploit the flaws instead.

| qyi wrote:
| You sure some ransomware crooks don't provide contracts to their clients?

| ffhhj wrote:
| Coming soon: ransomware with subscription business model

| Scoundreller wrote:
| "Up next on 'You Won't Believe It', viruses were created by the antivirus industry"

| hindsightbias wrote:
| That's already a thing
|
| "SCHWIRTZ: What DarkSide does is they're a ransomware creator. So they create the program that is uploaded into a victim's computer system that locks down their data. But what they do is they basically contract out to these affiliates who are other hackers. And these are the people that are responsible for actually penetrating the victim's computer services. And what they do is operate basically on a subscription service. You, as an affiliate, can sign on to DarkSide services, in which case you get access to their malware, their ransomware to use for a fee that operates on a sliding scale depending upon the size of the ransom."
|
| https://www.npr.org/2021/06/10/1005093802/inner-workings-of-...

| dragonwriter wrote:
| I think they meant the ransom as a subscription service, not malware to franchisees as a service.

| xrd wrote:
| I upvoted you for the lulz, but I'm actually unsure if this isn't the basic "legitimate" business model for everyone anyway.

| earleybird wrote:
| I'm not so unsure - that's what makes it funny

| cdstyh wrote:
| Makes more sense if the group offered a subscription model for decrypting files encrypted by that group. Then you wouldn't have to keep paying the big lump sum.

| rossdavidh wrote:
| ...and if you pay for our Premium Level Service, we'll secure your systems against other criminal enterprises as well!

| mywittyname wrote:
| What Hackers Can Learn From The Sopranos.

| vntok wrote:
| Some groups will actually tell you how they got in and help you patch your systems.
|
| Some groups will hack you AND also uninstall viruses emanating from other groups, or they will hack you and patch other flaws so that other malware cannot take their spot. It's all game theory.

| tyingq wrote:
| A referral revenue sharing program for jaded employees would probably do well also.

| meowface wrote:
| Different groups have different policies. I believe some do actually add you to a whitelist if you pay and grant you at least a year or two before your immunity expires. (Maybe some do permanent whitelists? Not sure.)

| DaiPlusPlus wrote:
| Something something Norton Anti-Virus something.

| judge2020 wrote:
| Although I think false advertising would be the least of their worries if they decided to do it.

| nathias wrote:
| That group's name? The NSA.

| bostonsre wrote:
| Wonder what percentage of those that were hit had someone actively looking to get back in. Maybe 20% learned their lesson and improved their security. I wonder how many iterations of this it will take for most companies to learn that leaving your doors unlocked in a shady neighborhood/the internet is a bad idea.

| mysterydip wrote:
| If it were me, I'd leave webshells or other backdoors to let myself back in if they didn't do proper cleanup. Especially if they paid, I have a "known good" customer.
| vlunkr wrote:
| Unless the attackers revealed their exploit, it probably wasn't fixed and they just got in again the same way.

| Black101 wrote:
| I would leave a backdoor too if I was them (maybe not what they did)... I wonder how many paid for a 2nd and 3rd time...

| ineedasername wrote:
| I'm shocked at such unethical practices by the hackers. I expected better from a group of terrorists.

| snek_case wrote:
| I'm kind of reminded of the mafia and their protection rackets. Obviously, you never could trust criminal organizations. At the same time, if you're a medium-sized corporation or small business and they have your important data, and you know you could pay to get it back, what do you do? I can imagine they really have some people by the balls, metaphorically speaking. They could drive you bankrupt.
|
| I hope the authorities find a way to go after these people, but it's obviously got to be difficult, because they might well be in China or Russia. It would take some international cooperation that's probably impossible right now.
|
| In the meantime... Switch to Linux, have a competent offsite backup strategy...?

| redisman wrote:
| What would be the incentive not to? Honor among thieves?
|
| You know they're vulnerable to the attack (the hard part?) so why not keep doing it until they shore up their defenses.

| nhumrich wrote:
| I mean, of course! This is like classic sales book play. Your previous "customers" are almost always less effort to dollar than new prospects.

| jdsully wrote:
| "threat group" is odd phrasing, is it really the same actual group?

| AnimalMuppet wrote:
| Were I an evil criminal, I'd include a backdoor in the restore image I gave them, so that I could attack the same people again.

| mateuszf wrote:
| Shouldn't they improve their security?

| jcims wrote:
| Given 0-day vulnerabilities and supply chain risks, I'm going to take a little bit of poetic license and say it's impossible to stop ransomware attacks, certainly with commercially viable levels of investment in infosec. You can mitigate some of the exposure, but the level of validation required to continuously guarantee that those mitigations are intact and effective.
|
| So attacks will continue, the level of impact will hopefully be reduced along with the commensurate justifiable ransom payment.

| TwoBit wrote:
| Maybe, but most ransomware attacks aren't via zero-days but via simpler means. Also ransomware infects a whole network and so part of the cause is systems that allow that.

| cronix wrote:
| About half did. From the article...
|
| > After an organization experienced a ransomware attack, the top 5 solutions implemented included security awareness training (48%), security operations (SOC) (48%), endpoint protection (44%), data backup and recovery (43%), and email scanning (41%). The least deployed solutions post-attack included web scanning (40%), endpoint detection and response (EDR) and extended detection and response (XDR) technologies (38%), antivirus software (38%), mobile and SMS security solutions (36%), and managed security services provider (MSSP) or managed detection and response (MDR) provider (34%). Only 3% of respondents said they did not make any new security investments after a ransomware attack.

| tfang17 wrote:
| Ransomware attacks are multi-round games.

| anikan_vader wrote:
| Looks like ransomware criminals are going for the subscription model.

| ozim wrote:
| Well beating up someone to death will bring you money once, beating someone multiple times will bring you more money.
|
| Ransom gangs are business oriented.

| chucka9 wrote:
| Why not just the prices up?
| arthurcolle wrote:
| I wonder if there are like Russian mob investors in these cybercrime "startups" and they also have to make decks that show YoY revenue / user growth. Lmao!

| trutannus wrote:
| Well, to my understanding, fronting money in drug deals for a cut and interest is a common model in crime already, so I would say it's more likely than you think. The only difference between VC funding and bankrolling the mob is one is legal.

| tartoran wrote:
| Hardest part is to find subscribers, from then on the milking process is easy. Leaving the joke aside, does this mean that the systems remained unprotected after the initial ransom was paid or that they continued to threaten leaking sensitive data?
|
| Paying the ransom a second time would guarantee nothing. Neither was paying the first time either.

| ljm wrote:
| If they were caught in the first place and paid up, the attacker presumably learned enough about the infra to find another way in? Or it was social engineering.
|
| Like, is a company who runs its IT infra on Windows XP and pays the ransom likely to switch to the latest and greatest, no expenses spared, in a total and utter overhaul of all their systems? Or will they only try to patch the holes that were already revealed and gloss over the rest? Blame it on the intern, all that.

| Drakim wrote:
| To unsubscribe you have to talk to a sales representative and send in a fax.

| cronix wrote:
| Just click that innocent looking unsubscribe link at the bottom of the email. Case solved!

| mc32 wrote:
| I wonder if this hurts their reputation.
|
| If they earn a reputation of coming back for seconds...
|
| Two things:
|
| People fix things faster to prevent double dipping.
|
| People opt to not pay the initial ransom if they're going to be taken hostage again.
|
| It's a kind of tragedy of the commons where the commons are the potential victims.

| jnwatson wrote:
| It doesn't even have to be the same attacker. The attacker could just as easily sell the info to another attacker.
|
| Plus, if the original vuln used to gain access is still open, there's no reason why somebody else doesn't find it later.

| sdenton4 wrote:
| Which vulnerability did the attackers use to gain initial access? Do the attackers disclose this along with decrypting the data? And are you sure they didn't leave a sleeper Trojan behind for later?

| odshoifsdhfs wrote:
| A few months ago one chat between hackers and the company was leaked. The hacker actually explained how to fix the vulnerabilities. On mobile but it should show up in google (think it was posted here on hn also)

| jbverschoor wrote:
| RaaS

| abledon wrote:
| Do they have the Java SDK released yet?

| ineedasername wrote:
| They're becoming a file encryption service. No one can steal your files either because they will just get encrypted trash.
|
| Though I suppose those thieves could also pay for the encryption key, or just go directly to the "service provider" for a paid copy.

| fiddlerwoaroof wrote:
| "Data escrow service"

| cblconfederate wrote:
| AB testing shows 80% of the customers like it

| gentleman11 wrote:
| Their engagement is through the roof and we have the data to prove it

| arcticbull wrote:
| I'm looking forward to one of them going public in a country where ransomware is legal lol, seems like they've got really solid ARR.

| dheera wrote:
| How the hell do people get hit with ransomware anyway? Do they not have offline nightly backups of critical data?

| wrycoder wrote:
| See my post in the peer thread.

| akomtu wrote:
| Meh, it looks like the ransom businesses have a customer retention problem if only 80% stay.

| marcosdumay wrote:
| Once the criminals start maintaining their own backups of victims' data and helping them restore from rival attacks, they can successfully call themselves a mob.
|
| Somehow, that's a quite believable scenario.
| smnrchrds wrote:
| > _they can successfully call themselves a mob_
|
| Or Backblaze's evil twin.

| smarx007 wrote:
| Ablaze?

| smnrchrds wrote:
| Frontblaze

| easrng wrote:
| Freezefront

| pokstad wrote:
| For a second there, I thought you were going to say they can call themselves a backup service.

| tshaddox wrote:
| If only there were organizations who weren't criminals at all and who could be paid by a company to maintain backups of the company's data.

| lmkg wrote:
| It's a crowded marketplace, anybody who wants to succeed in there needs some growth hacking. Where in this case "growth hacking" literally means hacking.

| Fragoel2 wrote:
| If only managers would perceive the money spent to pay such organizations as a necessity rather than burned cash

| tshaddox wrote:
| As ransomware attacks become more prevalent I suspect managers' impressions will change!

| tomrod wrote:
| https://en.wikipedia.org/wiki/History_of_firefighting#Rome
|
| Fire fighting in Rome had a similar premise.

| EGreg wrote:
| The privately owned fire brigades in NYC 100 years ago weren't much better. The free market at work:
|
| https://www.youtube.com/watch?v=9zoXk1vnmcg
|
| The real Bowery Boys would sometimes sabotage other companies' insured buildings by setting the fires.
|
| https://en.wikipedia.org/wiki/Bowery_Boys

| WalterBright wrote:
| Setting fires on other people's property is not "the free market at work".

| EGreg wrote:
| But the rest of it was. The part in the first half of my message and the linked video is entirely free-market.
|
| Also, please do the work to expound on your claim.

| WalterBright wrote:
| > do the work to expound on your claim
|
| A free market system requires protection of property rights. Arson violates property rights, and so is not free market.

| antris wrote:
| Free market in action.

| saltedonion wrote:
| Doesn't mean the free market doesn't work. Asking people to pay before putting out the fire could be seen as a pay per use model. While a government run service funded by tax dollars could be seen as a subscription service that price discriminates on income tax rates.
|
| In both cases it's the market at play.

| ethn wrote:
| Free market requires strong property rights, as private property is a legal fiction which otherwise does not exist enough to sustain a market.
|
| This is instead a dysfunctional government approaching anarcho-individualism.

| CapriciousCptl wrote:
| I think Wikipedia got the details wrong there. Crassus didn't offer to buy the burning buildings, he offered to put fires out. At least, that's how I understood it years ago and that's what Wiki's own source shows-- http://www.trivia-library.com/b/richest-people-in-history-ma... .
|
| edit: Actually, Plutarch wrote that Crassus _did_ buy the burning buildings.

| rebuilder wrote:
| That's interesting - I definitely have heard it taught the way Wikipedia has it. But I suppose some website here or there doesn't really count as much of a source when we're talking of events so far in the past. Maybe someone can provide a primary source or two?

| CapriciousCptl wrote:
| Hmm, I dug further. The story probably comes from Plutarch (Lives), "[Crassus] would buy houses that were afire, and houses which adjoined those that were afire, and these their owners would let go at a trifling price owing to their fear and uncertainty"[1].
|
| Plutarch was closer to Crassus than I am so I guess I can't argue.
|
| [1] https://penelope.uchicago.edu/Thayer/e/roman/texts/plutarch/...

| stretchwithme wrote:
| If only organizations would backup their own data. Then they could just restore and avoid paying.
|
| I have a backup device of my own at home and that's the one I have to use. The company I work for relies on some MSFT service that is pretty inflexible and won't back up the entire machine.
| gentleman11 wrote:
| How do you go about testing your personal backups? I find my own desktop is harder to verify than a server with automated tests

| WalterBright wrote:
| What I do is see if it can be read by an independent system. For example, many DVD players can read media files plugged into a USB port. Put some media files on your backup drive, and see if your DVD player can read them.

| denton-scratch wrote:
| You _have_ to have backup. You can't trust professional crooks, because - well - they're crooks.
|
| If you are penetrated, it's not so easy as just restoring your data from backup. You have to sterilise the machines you are restoring to. And you have to sterilise the data you want to restore. CM automation can deal with the system sterilisation, but I don't know how to sterilise data without using human judgement.
|
| Don't get penetrated.

| wrycoder wrote:
| Many people's backup routines aren't good enough.
|
| Some of these guys encrypt over a period of time which is long enough to exceed the backup rotation. Their code decrypts on request, until the trigger day, when it posts the banners and deletes itself.

| dheera wrote:
| Maybe corporations should make it standard practice to have cold storage backups that are physically disconnected from the network (by humans) in a rotated fashion. Backup A is physically disconnected on B days and backup B is physically disconnected on A days.

| sreitshamer wrote:
| Or stored on a cloud storage provider that supports S3-style object lock.

| WalterBright wrote:
| That's why you have a combination of rotating backups, say 7, one a day, and non-rotating permanent backups, say once a week.
|
| Also, one should use "append only" backups (such as tape), or a disk drive designed to be append only with hardware write enables.

| paulryanrogers wrote:
| There is also the threat of leaking private data. Companies which collect PII could be liable if it's proven they were negligent.

| btilly wrote:
| _If only organizations would backup their own data. Then they could just restore and avoid paying._
|
| This is commonly suggested, and entirely useless.
|
| What the ransomware groups do is put a time bomb on the computer, then leave it to trigger on a future condition. Your backup will back up the time bomb, and the second you restore it, it also goes boom. And therefore your backup is a perfect copy of your data but entirely useless.

| NilsIRL wrote:
| This is not entirely useless as you still have a backup of the data, you just need to restore it without the "time bomb".

| btilly wrote:
| Good luck finding the time bomb. See also my above comments about ways that they can corrupt data.

| Frost1x wrote:
| That assumes the backup couples the data and compute together, like a system image or something. If the backup is just data and is somewhere else, you can just rebuild the compute infrastructure from a known secure state (which arguably may require rebuilding the entire compute environment).
|
| Even if your backup does couple the data and compute together, if it's simply time based (not sure what other event you could use really, perhaps some pure probabilistic function), then it seems like you can just trick the environment that the time is something else to get back in.
|
| The real underpinning issue is that this stuff breaks the state of the infrastructure and the business can't afford the downtime to go around and repair these issues.
|
| If you have your infrastructure build out mostly automated, that automation is backed up, and critical data is backed up, then you can reasonably sidestep these issues (I suppose a real thorough breach might integrate the ransomware in this very automation system but it should be reasonable to root out). The other issue is of course if the intruders threaten to release private data (employee and customer PII, financials, so on). There's also business integrity but that doesn't really seem to matter anymore.

| btilly wrote:
| First of all the goal is to make people not trust their backups. So they study and target the systems that do backups and restores. If you are separating data from systems, they have a number of tricks. One is to have the backup system corrupt data in subtle ways. Sure, you have a backup. But you can't trust it. And they make sure that you KNOW you can't trust it by pointing you at some easily verifiable corruption...and not letting you know what ELSE they changed.
|
| But as for an event to use, what they can do is have the machine check a remote URI to see whether it should let the system run, and if it should then set itself up to lock things at a specified time. In order to restore that you need to have it starting on a network with networking to a system that has the attacker's private key to sign the request. This is not an environment that you are able to create.

| alamortsubite wrote:
| The data corruption approach is devious and something I hadn't considered, but I also feel like it eliminates much of an attacker's advantage. The more extensive the corruption, the more likely it will draw attention, possibly to the ransomware itself, so an attacker would want to keep this to a minimum. In turn, a victim would probably choose to live with minor data corruption over paying a ransom, or at least I'd expect the payout threshold to greatly diminish vs the scenario where 100% of the data is held hostage.

| Schinken_ wrote:
| One should still be able to just mount the disk and not boot the OS associated to browse through the files?
Not | fully automated but at least some solution and maybe | worthwhile for smaller businesses | smsm42 wrote: | Backup is only part of the picture, one needs a proper | disaster recovery strategy that is tested and updated. | Otherwise it could turn out that backups exist, but it'd | take half a year to bootstrap the company back into | function using them. Backing up and restoring one PC is | trivial, doing the same to 10000 PCs and another 1000 of | interconnected software systems is a whole different | business. | tempestn wrote: | The criminals already do often recommend firms to manage the | payment and recovery process. | josephorjoe wrote: | I think they can start calling themselves the corporate IT | department. | manquer wrote: | Perhaps the red team, there is more to IT than backups | datadata wrote: | Why not just criminalize paying ransoms? Remove incentives and | don't fund criminals. | perlgeek wrote: | Because in the short term, this could have some pretty nasty | consequences for some companies that are hit the hardest, and | few politicians want to take that hit. | yawaworht1978 wrote: | Seems like the ones with the payloads distribute it to more than | one affiliate. Or at least a previously hit target does not get a | mark that is globally respected. | | The fast growth desires lead to a lot of vulnerabilities, | yesterday I signed up to a service and they emailed me my own | username and password, simple plain text. Incredible. | qyi wrote: | The standard business solution to solve security issues - for | example like having all your database in a public folder - is to | get a guy to implement "security" (whatever that means) who is 40 | years old and is really confident he knows what he is doing. He | will go configure some firewalls and stuff that has absolutely | nothing to do with preventing any real risk aside from automated | attacks. 
Every time someone still gets the files from some 90's | vuln, everyone is surprised that some sooper dooper hacker wizard | was able to own their fortune 500 company. | | > The least deployed solutions post-attack included web scanning | (40%), endpoint detection and response (EDR) and extended | detection and response (XDR) technologies (38%), antivirus | software (38%), mobile and SMS security solutions (36%), and | managed security services provider (MSSP) or managed detection | and response (MDR) provider (34%). Only 3% of respondents said | they did not make any new security investments after a ransomware | attack. | | uh huh. uh huh. uh huh. uh huh. | | Meanwhile, for example, earlier today: a web search for "cat | /etc/passwd" blocks my IP. What even is the point of this | article? _Of course_ if you don't patch they will just hack you | again. _Of course_ if your company follows terrible 90's | practices, it will get owned again. | YuriNiyazov wrote: | So, what age must one be to supervise implementing security | practices at an organization? | diego_moita wrote: | What I suspect: the first ransom was paid by insurance, therefore | it didn't hurt them, therefore they didn't bother to protect | themselves for the second. | | Now just wait to see what will happen to your insurance rate | after you pay the third ransom. | | They certainly will begin to understand the need for backups. | SV_BubbleTime wrote: | Most of these start as phishes to lower level employees. It | makes sense to me that'll happen again and I'm not sure I can | say the solution is better backups. | | Another issue with backups, is are you restoring to an already | infected / immediately infectable state? | | I think the better closer is "They certainly will begin to take | security, training, and best practices seriously".
| [deleted] | ryanmcbride wrote: | I'd like to think security training can take care of it, that | people can be careful and considerate and have a skeptical | eye about every single message they receive. But it only | takes one person and these huge companies employ so many | people. So many times, even at companies with really strict | security training I've seen people just walk away from their | unlocked computers, click random links in emails, stuff like | that. People are always the first line of defense but it's | one of those one-sided battles, where every single person in | the entire company has to make 0 mistakes, and an attacker | only has to get lucky once. | sandworm101 wrote: | >> But it only takes one person and these huge companies | employ so many people. | | No. It never takes only one employee clicking a bad link. It | takes that click, plus a browser/email/os system that allows | for random code to be executed. It takes an IT department that | has allowed individual non-IT employees to use computers | with elevated privileges. It requires a management | structure that has failed to invest in proper off-site/cold | backups. It requires an organization that doesn't have a | proper business continuity plan. | | And at the top of the incompetency pyramid, it requires a | vendor that sells an email system that allows evil email | messages to somehow infect entire operating systems. Want | your email to connect to your office suite? Sure. Want to | install random software based on clicked links? Sure thing. | Want to update your firewall, install a new browser and | simultaneously backup all your encryption keys to a random | server in the far east? Why not! Anything to make your | operating system experience seamless. | ryanmcbride wrote: | that's what I'm saying. Just training isn't enough the | system has to be hardened. | WalterBright wrote: | A single computer should never have access to all the | company's data. Neither should a single login.
| | It's like compartmentalization on a battleship. A single | hole won't sink it, in fact, many holes won't. | hobs wrote: | Most people's enterprise software is akin to an already | waterlogged dingy. | everdrive wrote: | I genuinely don't put any faith in education. Every | phishing education program I've seen has effectively said | "look out for _weird_ emails, (perhaps with misspellings) | and if you see them report them to security! " I haven't | seen any which went into the real specifics which might | actually educate users: | | - A phishing email which can pwn you without user | interaction is basically unheard of. | | - Even malicious sites generally can't do anything bad | simply by visiting them. (and yes, I'm aware browser | exploitation exists, but it is exceedingly rare) | | - Ultimately, it's entering your credentials in a malicious | site which is what puts users at risk. A user must click a | malicious link (sometimes two) and then intentionally enter | their credentials into the malicious site. | | Between this, and the fact that users must read emails, | visit sites, and enter their credentials over and over, | just to get through their workday, I believe the outcome is | that user education doesn't amount to much. It would be | much better if a normal user's workflow didn't usually | require clicking on email links and then entering their | credentials. The fact that this is required means that even | a savvy users will eventually be tired / rushed / working | on automatic and get owned. | carlosf wrote: | Which is why basic stuff like MFA and MDM (block sign-ins | coming from non compliant devices) works wonders against | ransomware attacks. | spicybright wrote: | Which is why you need a level above the individual to | protect from attacks. | | It sucks locking things down for each employee, and | subjecting them to bureaucracy to unlock things they need | to do, but it's better than ransomware.
| | It's unrealistic to expect every employee to catch hacking | attempts 100% of the time. | lurquer wrote: | > where every single person in the entire company has to | make 0 mistakes, and an attacker only has to get lucky once | | Good post. I don't mean this criticism for you | specifically. But, why is there an assumption among HN | types that there are no bad-actors among the insiders? You | can have all the safeguards you want, but if an insider | deliberately installs something, you're screwed. | | In some industries -- armored trucks, banks, military stuff | -- there is a huge emphasis on background checks, security | clearances, and the like to weed out bad actors. (And, even | then, it often fails.) | | I sense there is nothing similar for employees handling the | company's data. Obviously, there might be background checks | and the like -- hell, McDonalds has background checks. But, | I'm not aware of the intensive FBI-style screening you see | in the aforementioned realms. | | Am I wrong? | | How many thousands of people, for instance, could corrupt | or lock the data at, say, Amazon? Are these people | scrutinized to the same level as standard Brinks Armored | Truck driver? I doubt it. | squiggleblaz wrote: | I guess there's two questions: | | - is protecting against internal sabotage actually | different than protecting against external attack. I | don't think it's all that different. It comes down to | authenticating actions and enforcing the principle of | least privilege. If you built a system that was actually | secure (i.e. one that depends on reasonable | inconveniences, rather than one that depends on people to | be perfect all the time or is so inconvenient it inclines | them to do the digital equivalent of jamming the door | open) it is likely that it will be secure enough against | most internal saboteurs. | | - is protecting against internal sabotage going to pay | off?
Most people probably aren't inclined to deliberately | target their own company. It's far more likely that there | is a bad actor in the world who wants to target your | company, than that there is in your company. And making a | person's job secure less stable is probably going to make | them more likely to be a saboteur, so you should | carefully evaluate whether gratuitously adding stress to | someone who might get behind on their mortgage is a good | idea. (Which I suppose is what this kind of background | check would cause.) | ipaddr wrote: | Malware comes from the outside. Stealing company secrets | and selling them is what I would be worried about from | internal threats. Either way least access necessarily | where possible is a good strategy. | PeterisP wrote: | There are many steps in the chain between a phish message and | a ransomware attack - the user opening a phish is just one of | them. You might prevent lateral movement afterwards, you may | detect the attack in time (there often are days or even weeks | between the phish and the ransom) to protect it, you might | prevent the payload from reaching the user, etc. So yes, | you're right, the solution is not just better backups but | stepping up the whole security game - however that takes | will, money and quite some time. | hellbannedguy wrote: | And let's not discount the morale of low-paid, overworked | employees, and companies that let low level managers run | roughshod over lower level employees. My point is don't | discount inside corporate espionage by disgruntled any level | employees. | | Thank goodness I didn't have access to a script that would | lock up at least two of my past employers when coming up | years ago? Then again, I personally haven't been that mad, | but boy do I know employees who were.
| | I could say that we are all choir boys, but you piss on an | employee, especially during a recession, well let's just say | I have seen upstanding guys rub magnets over hard drives | over pure apathy. (The guy didn't know about strength of | magnets, and it did not hurt anything.) | | Plugging in a usb, or downloading a suspicious email is | something I can see happening, especially to "those" | companies. | | I imagine Xfinity employees dream about it? | gerdesj wrote: | "I have seen upstanding guys rub magnets over hard drives | over pure apathy." | | Open up a spinning rust hard drive and you will find two | very strong magnets inside, positioned opposite each other. | ajsnigrutin wrote: | > Most of these start as phishes to lower level employees. It | makes sense to me that'll happen again and I'm not sure I can | say the solution is better backups. | | Why? Secretary gets a call from a nigerian prince, starts | that letter.exe she gets in her e-mail, her computer gets | fscked, IT takes her drive, restores a clean image, and she | gets back to work. | | If the only copy of some important document is on his/her pc, | or that pc can overwrite/delete the only copy, then they've | fscked up by design... and yes, now better backups would | help. | Trias11 wrote: | Pay or not - you gotta fix security. | | Outsourcing it to el-cheapo, offshore middlemen is not going to | cut it. | bserge wrote: | I believe that's a big part of why governments don't negotiate | with terrorists and police just stall for time in real world | ransom cases. | fibers wrote: | Except that is a terrible analogy and has everything to do with | a poor security culture on the firm's part because IT is | treated as a liability rather than an asset. | prepend wrote: | I think the analogy is apt since both paying terrorists and | ransomers is counterproductive. | | If you pay the terrorists they just do it again. If you pay | the ransomers they just do it again.
And the payment | increases their capabilities. | | I think, except for rare conditions where a temporary need | exists, it's a net negative to pay. | | But I think the security flaws that allow ransomware | typically are a sign of institutional incompetence so it | makes sense they would also be incompetent to pay, and pay | again, and pay again. Rather than to prevent the attack or to | correct the flaw that allowed the attack. | mullingitover wrote: | "We don't negotiate with terrorists" is more of a slogan than a | real policy[1]. | | [1] | https://www.foreignaffairs.com/articles/2007-01-01/negotiati... | anoncake wrote: | The difference is that even if you don't negotiate with | terrorists, they can still terrorize you. It's impossible to | successfully ransom someone without their cooperation. | AbraKdabra wrote: | Get attacked once? It's on me. Get attacked TWICE by the same | group and did absolutely nothing to better the security after the | first attack? Yeah, it's on you. | holtalanm wrote: | Doesnt this just mean that 80% of orgs that were hit with | ransomware attacks just didn't bother to fix their infosec, and | got hit again because they left the same holes open to be | exploited? | | Fool me once, shame on you. Fool me twice, shame on me. | kerblang wrote: | It can just as easily mean that the attacker found a second | exploit after the first was resolved. | beloch wrote: | Since so many were hit by the very same ransomware group, | it's likely that the attacker spotted a second exploit | _during_ the first attack. It 's easier to spot things when | you've already busted your way in and have the run of the | place. | | i.e. An attacker breaks into a system using one | vulnerability, spots a few more vulnerabilities while | snooping for data, files them away for future reference, | extracts a ransom, and then repeats the process later after | the victim fixes the first vulnerability but fails to address | the others.
| | The takeaway lesson appears to be that, if you are hacked and | fix the vulnerability that made it possible, you shouldn't | stop there. You're marked as a target that pays and detailed | information on your system is now out there. Even having | fixed the first hack, you're more vulnerable than ever. | ADHDreamer wrote: | So ransomware already means they got into the system, they | could open a new secret backdoor or completely tear down your | security if they wanted to. Plus it takes time to identify the | ransomware to undo/remove it, so in that time they could attack | again. paying ransomware ransoms is just saying "pretty please | don't do this again". | astockwell wrote: | Most likely. | mywittyname wrote: | > Fool me once, shame on you. Fool me twice, you're not going | to fool me twice. | | - These Companies (probably) | aiisjustanif wrote: | Yes, but even more importantly it means they don't have proper | backups and disaster recovery. | data_spy wrote: | how many were hit again who didn't pay? | heavyset_go wrote: | Once scammers know you're a mark, they'll exploit it. This is why | email lists are next to gold to scammers, because they're lists | of people or organizations who have parted with their money under | false pretenses before, and are most likely willing to do so | again in the future. | simonw wrote: | "After an organization experienced a ransomware attack, the top 5 | solutions implemented included security awareness training (48%), | security operations (SOC) (48%), endpoint protection (44%), data | backup and recovery (43%), and email scanning (41%)." | | Only 43% of organizations invested in data backup and recovery | after a ransomware attack? I would expect that number to be | closer to 100%! | artful-hacker wrote: | And how many of that 43% actually put in place a method to test | their backups regularly?
I'd bet its less than 5% | munk-a wrote: | Hey guys - I know security is hard to justify cost-wise but if | you get hit by ransomware then shape up and actually do some due- | diligence around your data stewardship. | | Wait - is this how the market fixes poor security practices? | boringg wrote: | IS ANYONE SURPRISED?! | boringg wrote: | There is no honor among thieves. | uhhhhhhhhhhhhhh wrote: | This is an interesting dance. Which company has paid the most? Is | it on the jira board every monday "remit darkside for db access" | trentnix wrote: | Because that's where the money is, someone once said. | tempfs wrote: | I mean they just proved that they are willing to pay the ransom. | If they are also unwilling or unable to clean up their shop and | keep it from happening again, it surely will. | avgDev wrote: | It is almost like the groups hacking them are providing a good | service. If they get hacked once, shit happens. But if it | happens multiple times then someone should probably answer for | it. | [deleted] | chihuahua wrote: | "We don't have money in the budget for backups. But we do | have money in a different budget for ransom payments!" | mywittyname wrote: | "how much you got?" | BizarroLand wrote: | RAAS, Ransomware As A Service | ArkanExplorer wrote: | The responsibility lies at the nation-state level, and the | clear decision is for Governments to ban the formal exchange of | cryptocurrencies. | | As soon as this occurs, ransomware events will collapse since | the ransoms will become unpayable. | | The negatives of cryptocurrencies (ransomware enablement, chip | and electricity shortages, scams) clearly outweigh the | positives at this point. | bouncycastle wrote: | This view is similar to saying things like "The terrorists | and the media have a symbiotic relationship and the media is | responsible for enabling terrorist attacks, therefore let's | ban the media". 
| kemonocode wrote: | If you believe banning cryptocurrencies will suddenly stop | ransomware, then I have a bridge to sell you. | viraptor wrote: | In the theoretical universe where banning crypto is | possible, yes it would stop almost all ransomware of the | scale we see reported in news today. | | There's just no other form of payment which would work for | them. You can't easily go "can I have $50k worth of | giftcards" and on the receiving side you can't easily | validate or sell millions of them without tanking the | value. Any kind of wire transfer would expose the source | immediately at that scale. There's only so much money you | can move through services that give you kickbacks of | various kinds. What else is left? | | Basically unless ransomware teams know of a new really good | way of laundering money without a trail, or are happy to | take a massive pay cut, that would be the end of most of | their operations. | this_user wrote: | There is an easy fix here: make it illegal for companies to | transact in cryptocurrencies. Then they would have no way | of paying a ransom without engaging in illegal activities. | This would destroy the ransomware business model. | kemonocode wrote: | Then you hire the services of brokers that don't have the | same compunctions about transacting in crypto. And even | if you were to magically erase all cryptocurrency from | the earth, it still wouldn't stop ransomware, or the same | state sponsored actors would gravitate towards even worse | things. | | It's like nobody has learned a thing from the war on | drugs, my point being: you deal with the root cause of | the disease (infosec in most companies and even | government offices is a joke and bad people have taken | notice), not playing whack-a-mole with the symptoms | (crypto use) that hint towards systemic decay. | dmoy wrote: | There was ransomware before crypto currencies. There will | be ransomware after crypto currencies.
| cableshaft wrote: | Cryptocurrencies are decentralized. It would have to be | banned literally every country in the world for them not to | be able to use it and convert to a non-digital currency. Good | luck with that. | | And I'm sure they'd just invent or go back to some other | method -- possibly riskier and more violent -- so they can | continue to ransom money from people. | mytherin wrote: | > Cryptocurrencies are decentralized. It would have to be | banned literally every country in the world for them not to | be able to use it and convert to a non-digital currency. | Good luck with that. | | The effect would not come from the criminals being able to | cash out, it would come from the company not being able to | cash in. If cryptocurrency were to be banned and public | exchanges were closed purchasing cryptocurrency to the tune | of millions of dollars worth becomes practically impossible | for a regular company without connections in the space. If | the company is not able to pay the ransom, the entire | venture is pointless. | | > And I'm sure they'd just invent or go back to some other | method -- possibly riskier and more violent -- so they can | continue to ransom money from people. | | Sure, there will be other methods of transferring some | amount of money. To the tune of millions of dollars, | though? Unlikely. Cryptocurrency enables these companies to | pay ransoms of this amount. Without cryptocurrency you | might be able to ask for a 50K ransom instead of a 5M | ransom, but that reduces your payout by 100X. 5M is enough | to retire from. 50K is less than the yearly wage these | people can make. | | It's not like ransomware didn't exist before | cryptocurrency, we know what ransomware without | cryptocurrency looks like. What cryptocurrency changed is | the scale of the payout. Instead of getting a few thousand | dollars in gift cards the hackers are now rewarded with | millions in bitcoins. 
It is hard to deny that the change in | incentives caused by cryptocurrency is the primary driver | behind the huge increase in ransomware attacks in the last | few years. | eh9 wrote: | And that's why you never pay dane-geld[1] | | [1]https://en.wikipedia.org/wiki/Dane-geld_(poem) | [deleted] | mkr-hn wrote: | See also: why people who want to pay to not see ads are ideal ad | targets. | flowerlad wrote: | I don't see any discussion of typical entry points. How do these | guys get into the system? Is it by having someone download a | malicious file? If so what type of file? PDF? MS Office? If so | Adobe and Microsoft should be held accountable for their security | holes, only then will they have enough motivation to maybe | consider rewriting some of their code in a safer language such as | Rust. | lurquer wrote: | Agree. | | There is much confusion and many bad analogies surrounding this | issue. | | Some claim - without evidence - that nation states are behind | it. Which, with a moments reflection, is absurd; nation states | may have an interest in disabling certain systems for military | purposes (at the appropriate time), but no nation state needs | ransom money. Easier ways for a government to get money; | namely, just print some. | | Others liken it to the mafia or cartel or other well-organized | criminal organizations. This too misses the mark. | | Like most business crimes, the culprit is almost always an | insider. Period. As the tools to pull this off are trivial to | come by on the internet, the obvious suspect would be some | disgruntled IT person within the company. | | It's as if -- after a bank robbery -- everyone claims it must | have been some crack team of Russians flown in under radar in | helicopters. Instead, they should be looking at the numerous | employees who have access to the security system and the safe. 
| | But, it's much more exciting to pretend that Putin is | sponsoring hackers to get trivial amounts of money from | companies across the globe. Ha. | | I'm not even an IT guy, but at my last job, even I had access | sufficient to destroy or corrupt all the data. That was before | cryptocurrency and the like... I assume assembling a ransomware | set of tools off the internet is no more or less difficult than | it was to assemble a set of tools to make pirated copies of | Adobe Photoshop back in the day. | perl4ever wrote: | >no nation state needs ransom money. Easier ways for a | government to get money; namely, just print some | | Sure, this is obvious, makes intuitive sense, except...it | explains why something like Iran-Contra or the equivalent in | other countries can't happen. | perlgeek wrote: | The entry points are "whatever works". | | Typically: | | * Password spraying from previous data leaks | | * Good old-fashioned phishing | | * Bugs in anything that's common in enterprises, exposed to the | Internet and not patched fast enough, including MS Exchange, | various security/VPN products, vcenter, you name it. All of | these had pretty critical pre-auth bugs exposed just this year | | * malicious browser plugins | | * malicious O365 apps | | ... and so on. | TwoBit wrote: | Lack of MFA, lack of hardware whitelisting, servers exposed | directly to the Internet, lack of user privilege | restrictions, allowing passwords that are known-compromised, | ... | flowerlad wrote: | If so, it doesn't make sense to blame Putin. The blame lies | on US lawmakers, for not incentivizing US businesses to | have a budget for fixing these sorts of issues. For | example, when companies such as Equifax are hacked because | of poor security practices do they pay a penalty? No. | That's the problem. | systematical wrote: | The amazing part is they allowed themselves to get hit again. | You'd think these organizations would tighten security after the | first one...
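perlgeek and TwoBit above list password spraying and known-compromised credentials among the usual entry points. As an added example (not code from the thread, nor from any product it mentions), here is the triage logic a detection engineer would run over authentication logs to separate a spray (one source, many accounts, one or two attempts each) from brute force (one account, many attempts), and to list the accounts that later authenticated from a spraying source. The log line format, the sample lines, the thresholds and the RFC 5737 addresses are constructed assumptions; point the regex at whatever your identity provider actually emits.

```python
"""Password-spray triage over authentication logs (added example).

The line format is a constructed, hypothetical one:
  <ISO-8601 UTC timestamp> auth <failure|success> user=<name> src=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) auth (?P<result>failure|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log. 203.0.113.5 sprays six accounts and then logs in as
# erin; 198.51.100.7 hammers bob alone; 192.0.2.9 is a user mistyping once.
SAMPLE_LOG = """
2021-06-18T10:00:01Z auth failure user=alice src=203.0.113.5
2021-06-18T10:00:40Z auth failure user=bob src=203.0.113.5
2021-06-18T10:01:15Z auth failure user=carol src=203.0.113.5
2021-06-18T10:02:02Z auth failure user=dave src=203.0.113.5
2021-06-18T10:02:50Z auth failure user=erin src=203.0.113.5
2021-06-18T10:03:30Z auth failure user=frank src=203.0.113.5
2021-06-18T10:06:12Z auth success user=erin src=203.0.113.5
2021-06-18T10:01:00Z auth failure user=bob src=198.51.100.7
2021-06-18T10:01:05Z auth failure user=bob src=198.51.100.7
2021-06-18T10:01:10Z auth failure user=bob src=198.51.100.7
2021-06-18T10:01:15Z auth failure user=bob src=198.51.100.7
2021-06-18T10:01:20Z auth failure user=bob src=198.51.100.7
2021-06-18T09:58:00Z auth failure user=alice src=192.0.2.9
2021-06-18T09:58:20Z auth success user=alice src=192.0.2.9
""".strip().splitlines()


def parse(lines):
    """Parse lines into (timestamp, result, user, src) tuples, oldest first.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def _max_distinct_users(fails, window):
    """Largest set of distinct users a source failed against inside any window.
    `fails` is a time-ordered list of (timestamp, user)."""
    best, start = set(), 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        users = {u for _, u in fails[start:end + 1]}
        if len(users) > len(best):
            best = users
    return best


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """One alert per source that failed against >= min_users distinct
    accounts within `window`. A source hitting one account repeatedly is
    not a spray; see detect_bruteforce for that shape."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "failure":
            by_src[src].append((ts, user))
    alerts = []
    for src, fails in by_src.items():
        users = _max_distinct_users(fails, window)
        if len(users) >= min_users:
            alerts.append({"src": src, "count": len(users), "users": sorted(users)})
    return alerts


def detect_bruteforce(lines, window=timedelta(minutes=10), min_attempts=5):
    """(src, user) pairs with >= min_attempts failures inside `window`."""
    by_pair = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "failure":
            by_pair[(src, user)].append(ts)
    hits = []
    for (src, user), times in by_pair.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                hits.append({"src": src, "user": user})
                break
    return hits


def successes_after_spray(lines, alerts):
    """Accounts that authenticated successfully from a spraying source:
    the credentials to reset and the sessions to revoke first."""
    spraying = {a["src"] for a in alerts}
    hit = defaultdict(set)
    for ts, result, user, src in parse(lines):
        if result == "success" and src in spraying:
            hit[src].add(user)
    return {src: sorted(users) for src, users in hit.items()}


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    print("spray:", found)
    print("brute force:", detect_bruteforce(SAMPLE_LOG))
    print("reset first:", successes_after_spray(SAMPLE_LOG, found))
```

The window and the distinct-user threshold are the knobs to tune per tenant: a spray against a large directory often sits well under any per-account lockout threshold, which is exactly why counting distinct users per source, rather than failures per user, is what surfaces it.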
| okareaman wrote: | Once they are in, who knows what back doors they installed | ajonit wrote: | It is Sales101 - Getting business from an existing customer is | easier than on-boarding a new one. | _tom_ wrote: | Anyone else think we should make it illegal to pay ransom? | | These people are just financing the next generation of cyber | criminals. | | Once people stop paying, people will stop attacking. | schelling42 wrote: | No. Not with profit margins that high compared to operational | cost, it would not be an effective deterrent. They will just | continue to hit as many targets as possible. You would end up | punishing the victims. What if they target some _really_ | critical infrastructure, where it would be rational to just pay | and then fix the holes? Seek exemptions from law for each? | | But it would be very interesting to see if the ransomware gangs | can devise a scheme that gives the payer plausible deniability. | rytcio wrote: | Yes, because criminals definitely follow the law. | jhgb wrote: | No, you become a criminal by paying. You continue not being a | criminal by not paying. | Miner49er wrote: | I think we should actually legalize ransomware. By that I mean | create a government-run national bug bounty program. All | companies of a certain size are automatically included in it. | Bounties are awarded based off severity, and bounties are paid | for by fines to the companies hit. | trvrprkr wrote: | Interesting idea. But what you're describing is absolutely | not "ransomware." | jjeaff wrote: | It is already illegal in the US as of late 2020. But we know | nothing really happens when corporations break the law. | | https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u... | randomhodler84 wrote: | Only for sanctioned parties I believe -- which would apply | for any money transfers regardless of purpose. Most random | criminal rw attackers are not going to be on a sanction list.
| [deleted] | kag0 wrote: | I wish this said how many of those hit again also paid again. I | find it easy to believe that you could be hit twice in a row | despite your best intentions, but hard to believe that you'd need | to pay the second time if you had established a backup solution. | splithalf wrote: | Security is impossible. As long as there are incentives, nothing | will be secure. It's just a matter of incentive/difficulty. With | enough incentive stuxnet or solar winds or omb are possible. | Bitcoin values are causing this equilibrium to be disrupted, | making this appear as though it were a new problem. | fairity wrote: | What does the outcome distribution look like if you don't pay the | ransom? | | What percent of orgs that did not pay the ransom get hit again? | underseacables wrote: | How long do major companies keep back ups? It seems like all of | these companies that keep getting hit with ransomware Only have | last weeks back up laying around. Why can't you go back eight | months? True the data is going to be lacking, but at least the | structure is going to be there. I completely understand that a | Trojan or a virus can get locked into a back up and it just keeps | getting backed up, but if you go far enough back you will find a | clean copy. | SV_BubbleTime wrote: | I have yearly backups for three years. Right now, we could use | one of those. | | At my last place, they only kept 1 year and monthly, but the | problem was it was hundreds of terabytes of data on lots of | VMs. We tried to restore backups and it was going to take | longer than the long weekend just for file transfer. | | I don't know what normal process is, but I believe I saw file | locker Trojan that didn't hit every byte of the drive; but | rather crawled the file system and did a bit on every file | header for speed. So I imagine it's still faster to pay and fix | than restore from backups for some. 
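The backup discussion in this thread (btilly's silent corruption of the backup itself, Frost1x's data-only backups restored onto rebuilt compute, smsm42's tested recovery plan, and underseacables' question about reaching back months for a clean copy) comes down to three checks. As an added example that is not code from the thread: a content manifest kept out of the backup system's reach so a tampered backup is detectable, a generation-over-generation diff that surfaces the first altered snapshot and any new autostart entries, and a grandfather-father-son schedule that keeps months-old copies. Snapshots are modelled as in-memory dicts of path to bytes, the sample data and the autostart path list are constructed, and the hash function stands in for whatever your backup tooling records.

```python
"""Backup verification (added example): out-of-band manifest, generation
diff, and grandfather-father-son retention. All data here is constructed."""
import hashlib
from datetime import date, timedelta

# Constructed sample: three nightly snapshots of a small file share. The
# 2021-06-16 snapshot carries a subtly altered ledger record and a new cron
# entry pointing at a dropped payload; the next night's backup faithfully
# copies the tampered state.
CLEAN = {
    "finance/ledger.csv": b"id,amount\n1,100\n2,250\n",
    "hr/employees.csv": b"id,name\n1,Alice\n2,Bob\n",
    "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
TAMPERED = dict(CLEAN)
TAMPERED["finance/ledger.csv"] = b"id,amount\n1,100\n2,205\n"  # digits swapped
TAMPERED["etc/cron.d/update"] = b"0 3 * * * root /tmp/.x/run\n"  # persistence
SNAPSHOTS = [
    (date(2021, 6, 15), CLEAN),
    (date(2021, 6, 16), TAMPERED),
    (date(2021, 6, 17), TAMPERED),
]

# Assumed autostart locations; extend with whatever your fleet actually uses.
AUTOSTART_PREFIXES = ("etc/cron.d/", "etc/systemd/system/", "etc/init.d/")


def manifest(snapshot):
    """Content hash per path. Take this on the live source with a job that
    shares no credentials with the backup software and write it to
    write-once storage, so a compromised backup server cannot rewrite both."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in snapshot.items()}


def compare(trusted, candidate):
    """Diff a restore candidate against a trusted manifest."""
    cand = manifest(candidate)
    return {
        "modified": sorted(p for p in trusted if p in cand and cand[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in cand),
        "added": sorted(p for p in cand if p not in trusted),
    }


def suspicious_additions(diff):
    """New files in autostart locations: review before restoring."""
    return [p for p in diff["added"] if p.startswith(AUTOSTART_PREFIXES)]


def first_change(snapshots):
    """Walk generations oldest to newest and return (date, diff) for the
    first one that differs from its predecessor, or None if none do."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    for (_, prev), (when, cur) in zip(ordered, ordered[1:]):
        diff = compare(manifest(prev), cur)
        if diff["modified"] or diff["missing"] or diff["added"]:
            return when, diff
    return None


def newest_clean_generation(snapshots, trusted):
    """Newest generation whose content matches the trusted manifest exactly."""
    for when, snap in sorted(snapshots, key=lambda s: s[0], reverse=True):
        diff = compare(trusted, snap)
        if not (diff["modified"] or diff["missing"] or diff["added"]):
            return when
    return None


def gfs_keep(dates, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention: keep the newest `daily` snapshots,
    the newest `weekly` Sunday snapshots and the newest `monthly`
    first-of-month snapshots, so a months-old copy still exists."""
    ordered = sorted(dates, reverse=True)
    keep = set(ordered[:daily])
    keep.update([d for d in ordered if d.weekday() == 6][:weekly])
    keep.update([d for d in ordered if d.day == 1][:monthly])
    return keep


def sample_year():
    """Nightly snapshot dates from 2020-06-01 through 2021-06-17 (constructed)."""
    return [date(2020, 6, 1) + timedelta(days=i) for i in range(382)]


if __name__ == "__main__":
    trusted = manifest(CLEAN)
    when, diff = first_change(SNAPSHOTS)
    print("first divergence:", when, diff)
    print("persistence candidates:", suspicious_additions(diff))
    print("newest clean generation:", newest_clean_generation(SNAPSHOTS, trusted))
    print("generations kept over a year:", len(gfs_keep(sample_year())))
```

The manifest is the part that has to live outside the backup system's trust boundary; if the same account that writes the backups can also rewrite the hashes, the check only proves the backup agrees with itself. The generation diff is what turns "go back far enough" into a concrete answer: it names the night things changed and lists the files that changed, which is also where a dropped scheduler entry shows up.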
| underseacables wrote: | The company I work for does nightly back ups and we keep them | for five years in cold storage. Our CTO got hit with an | attack years ago that almost cost him his job at another | company, and he vowed to never let it happen again. Are we | unusual for this? | makeitdouble wrote: | "Never negotiate with terrorists" is a simple and clear mantra, | and as most clear and simple concepts it hides a lot of | assumptions. | | One of them is you are ready to lose the hostage in the worst | case scenario. That's how the police sees it, because the society | benefits more from being firm in individual cases than losing a | few of its members that might not come back anyway. | | That's a hard one to swallow, hard enough that govs also | sometimes can't follow the mantra and just pay the ransom. | | It's crazy hard to get people to sacrifice themselves for the | better good, it's yet a bigger ask for corporations who already | screw the public day in day out. | henvic wrote: | Taxation works exactly like this. | | You might even want to establish an isolated society, but if | you try, good luck dealing with the IRS. | formerly_proven wrote: | > "Never negotiate with terrorists" is a simple and clear | mantra, and as most clear and simple concepts it hides a lot of | assumptions. | | This has nothing to do with that idea. | | The reason the orgs paid the ransom once was because they had a | severe lack of backup and other data safety protocols in | combination with a vector to be infected (from all what we | know, the latter is common and difficult to avoid): paying the | ransom is likely their only choice to maintain the business. | | It is not surprising at all that these orgs can and will be | infected again, and will continue to show a lack in the | security and data safety departments, and so they will continue | to pay ransoms.
| It's sort of an inverse survivorship bias: if you get infected once because you're susceptible, you're likely to get infected again unless you fix your susceptibility.
| thepete2 wrote: It _has_, from a certain angle: for society/the internet as a whole it might be better for no one to pay the ransom at the cost of some of them perishing. The ransomware attacks would become unprofitable and would eventually stop. But to assume any organization wouldn't pay the ransom if its survival depends on it is obviously unrealistic.
| kelnos wrote: I think that mantra does work here.
| I would be totally fine with legislation making it illegal to pay in the case of ransomware attacks. Some companies might be completely destroyed by an attack that they can't pay off, but that is for the greater good of society: if criminals know companies have a low probability of paying since they're legally barred from doing so, they're less likely to target them.
| enkid wrote: "Never negotiate with terrorists" is only a thing because it puts you in a stronger negotiation position.
| cwkoss wrote: And it's just posturing. I'm sure the US negotiates with groups it labels as terrorists through backchannels.
| koheripbal wrote: Literally every government says this publicly, and then negotiates privately.
| dilyevsky wrote: I don't think this mantra was ever anything more than a meme. LE always negotiate; this mantra is designed just to better their negotiating position.
| smnrchrds wrote: > _because the society benefits_
| That's the theory. But much like the war on drugs or the TSA, whether its real-world outcomes match the theoretical ones is debatable.
| https://www.newamerica.org/international-security/policy-pap...
| andrewmcwatters wrote: From the perspective of the individual, there is no greater good than defending one's self.
| kag0 wrote: Hardly.
| There are many philosophies that argue that the greatest good lies with how we interact with the other.
| And on a purely primal level it's common to prioritize one's offspring over one's self. I think most cultures recognize this intuitively.
| andrewmcwatters wrote: I'm not arguing philosophy. I'm arguing how absurd the statement "it's crazy hard to get people to sacrifice themselves for the better good" is, as if OP would sacrifice himself or herself for anyone here they didn't know.
| What a grand delusional statement, like the sibling comment here. It's literally arguing moral superiority while ignoring pragmatic reality.
| Maybe you watch a little bit too much television, but there are plenty of spouses out there who would, for example, not want their wife to die in childbirth if they had the option.
| SamBam wrote: If you don't see the chasm between "people should sacrifice themselves for the greater good" (which I'd generally disagree with, particularly if you're not defining what the greater good is) and "there is no greater good than defending one's self" then I can't help you.
| [deleted]
| SamBam wrote: What an absurd statement, to just say it unequivocally, ignoring the plenty of philosophies and ethical systems that have disagreed entirely with that.
| andrewmcwatters wrote: Yeah, totally absurd. Would you sacrifice your life for the strangers on this forum? Let me guess, no? Huh, wild.
| rurp wrote: Wait, so you think that defending anonymous strangers from the internet is an exhaustive set of circumstances where one might risk their life?
| andrewmcwatters wrote: Oh, of course.
| [deleted]
| SamBam wrote: Yawn.
| kag0 wrote: From another comment, it looks like that mantra will become law in the US
| https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u...
| MattGaiser wrote: Isn't that just applying existing sanction law to ransomware?
| avgDev wrote: I mean, couldn't the government pay the ransom and then go to great lengths to track the suspects and send special forces after them? Surely the US govt. has the ability to track almost anyone.
| Having the US govt. on your ass should be a decent deterrent.
| Just take a look at how hard the FBI came down on cartels and individuals who were involved in killing Enrique Camarena. Cartel leaders were arrested in Mexico and several individuals in the US.
| microtherion wrote: It appears that some of the major ransomware gangs are operating from Russia and are tolerated by the government, as long as they don't hit domestic targets.
| The US cannot really send special forces there without risking a massive escalation.
| MrMorden wrote: No, but the people operating in Russia like to travel elsewhere, and do.
| Also, the US and allies can enforce Russian AML laws as written on paper. If, say, the UK freezes all of Oleg Deripaska's assets there, Vova will absolutely get the message. We're not going to bring down the Russian government with military force for a million different reasons, but doing it with sanctions and prosecution is a totally different story.
| smsm42 wrote: When they do, the US gets them. That happens from time to time; if you watch the news, you notice there are guys caught periodically who thought it was time for a nice vacation in Spain resting from their criminal activities... only to be picked up at the airport. However, the smarter ones stay put inside Russia and those are hard to get.
| chihuahua wrote: The best example was when VW's Oliver Schmidt was arrested in Miami as he was changing planes. He was in trouble from the emissions fraud scheme.
| londons_explore wrote: I'm sure the US has hundreds of spies and personnel in Russia at any point in time.
| But sending a spy to a software developer's house and assassinating them probably isn't going to stop the problem - more people will spring up doing the same.
| kilroy123 wrote: We might not, though. We don't even have a main diplomat there.
| Russia has always been notoriously hard to spy on.
| I would not be surprised if there were only a handful of well placed assets and most of the spying were being done electronically.
| Griffinsauce wrote: That introduces a scale problem. Even for the US.
| SamBam wrote: When they hit a hospital, what is the hospital supposed to do? Not negotiate, for some "greater good", and let patients die?
| https://threatpost.com/ransomware-hits-hospitals-hardest/162...
| blindmute wrote: Yes.
| SwanRonson wrote: They're supposed to back up their data and set up proper contingencies. By failing to do so, they are already putting patients' lives in the hands of the encryptors.
| SamBam wrote: Yes. Of course they were supposed to do so, _then_. But they didn't, and now they've been hit. Now, in the real world, what are they supposed to do: pay, or hold out and let the patients die as punishment for the hospital's mistakes?
| nradov wrote: The US government has negotiated with the Taliban (a formally designated terrorist group) for prisoner exchanges.
| https://www.bbc.com/news/world-asia-50471186
| koheripbal wrote: The "don't negotiate with terrorists" mantra is itself a negotiation tactic meant to lower the attack surface of any entity.
| It's the sort of thing you say publicly, but then privately you settle with your adversary.
| Absolutism is never a useful tactic.
| munificent wrote: Yes, but getting your opponent to _believe_ you will take an absolute position is often the most useful tactic.
| kevincox wrote: > Absolutism is never a useful tactic.
| That sounds pretty absolutist.
| Frost1x wrote: I absolutely never always disagree, most of the time.
| denton-scratch wrote: "'Never negotiate with terrorists' is a simple and clear mantra, and like most clear and simple concepts it hides a lot of assumptions"
| The word 'terrorists', for one. It's mostly used to mean 'my opponents' these days.
| What we are facing with ransomware is not insurrectionists or protestors, but gangsters. They make their living by stealing from people, cheating them, and threatening them. Many insurrectionists are honourable people that you can safely make a deal with. There is no gangster with that property.
| Take backups, test the recovery procedure, don't make bargains with gangsters.
| notdang wrote: Until your own child or spouse is held hostage or sequestrated. You will negotiate.
| skybrian wrote: There's a somewhat better article about the survey here [1], including which countries were surveyed.
| It looks like you can download the full report by filling out a form [2]. (So I didn't.)
| [1] https://www.zdnet.com/article/most-firms-face-second-ransomw...
| [2] https://www.cybereason.com/ebook-ransomware-the-true-cost-to...
| dragonwriter wrote: Rudyard Kipling explained this:
| ---
| But we've proved it again and again, / That if once you have paid him the Dane-geld / You never get rid of the Dane.
| ---
| https://www.poetryloverspage.com/poets/kipling/dane_geld.htm....
| By paying, you've just proven that you are a profitable target to hit.
| dalbasal wrote: I'm from Dublin. We didn't pay the Danegeld, and in retaliation they built a city.
| Beached wrote: From my experience responding to these, orgs that entertain the idea of paying the ransom often do not care about root cause analysis to the degree they should.
| Orgs that completely ignore payment as an option spend their time identifying the entry point and vulns, and close those before restoring or rebuilding.
| smsm42 wrote: Makes sense.
| We have a company with bad security practices (not easy to fix), an inadequate disaster recovery strategy (not easy to fix) and a willingness to pay money to criminals to make problems go away. Of course it's an ideal target. I wonder if by now the criminals compile and trade the list of easy target companies.
___________________________________________________________________
(page generated 2021-06-18 23:00 UTC)