Most of these start as phishes to lower level employees. It makes sense to me that’ll happen again and I’m not sure I can say the solution is better backups.
Another issue with backups, is are you restoring to an already infected / immediately infectable state?
I think the better closer is “The certainly will begin to take security, training, and best practices seriously”.
And let's not discount the moral of low paid, overworked employees, and companies that let low level managers run roughshod over lower level employees. My point is don't discount inside corporate espionage by disgruntled any level employees.
Thank goodness I didn't have access to a script that would lock up at least two of my past employers when coming up years ago? Then again, I personally haven't been that mad, but boy do I know employees who were.
I could say that we are all choir boys, but you piss on an employee, especially during a recession, well let's just say I have seen unpstanding guys rub magnets over hard drives over pure apathy. (The guy didn't know about strength of magnents, and it did not hurt anything.)
Plugging in a usb, or downloading a suspicious email is something I can see happening, especially to "those" companies.
I'd like to think security training can take care of it, that people can be careful and considerate and have a skeptical eye about every single message they receive. But it only takes one person and these huge companies employ so many people. So many times, even at companies with really strict security training I've seen people just walk away from their unlocked computers, click random links in emails, stuff like that. People are always the first line of defense but it's one of those one-sided battles, where every single person in the entire company has to make 0 mistakes, and an attacker only has to get lucky once.
> Most of these start as phishes to lower level employees. It makes sense to me that’ll happen again and I’m not sure I can say the solution is better backups.
Why? Secretary gets a call from a nigerian prince, starts that letter.exe she gets in her e-mail, her computer gets fscked, IT takes her drive, restores a clean image, and she gets back to work.
If the only copy of some important document is on his/her pc, or that pc can overwrite/delete the only copy, then they've fscked up by design... and yes, now better backups would help.
There are many steps in the chain between a phish message and a ransomware attack - the user opening a phish is just one of them. You might prevent lateral movement afterwards, you may detect the attack in time (there often are days or even weeks between the phish and the ransom) to protect it, you might prevent the payload from reaching the user, etc. So yes, you're right, the solution is not just better backups but stepping up the whole security game - however that takes will, money and quite some time.
> Most of these start as phishes to lower level employees.
They used to (and probably still) do this. But more recently these folk are paying access brokers. A bit like bank robbers teaming up with criminal locksmiths.
> It makes sense to me that’ll happen again and I’m not sure I can say the solution is better backups.
You'll ideally need:
- Better security awareness training to cover human weakness such as spotting dodgy email and what to do if you click a link
- Patch vulnerabilities quickly as this will reduce risk considerably
- Company wide tested and sufficient backup strategy (most companies fail on this) to protect key identified data assets
- Regularly pen-test both your internal and external environments
Obviously it doesn't stop there, but those are key.
Backups might get you up and running again, but the new hotness is threatening to release trade secrets, competitive advantages, and embarrassing emails. Even with an ironclad recovery some people might be inclined to pay in such a situation.
I suspect you mean filesystem snapshots and as long as the snapshot lives on the same physical media you are correct. But when you take the snapshot and transfer it to a physically separate location where it cannot be altered it sounds like a backup to me.
The insurance cost is increasing due to rising ransomware attacks. This is causing a lot of stress within insurance companies and insured companies. An HBR post cited that this is a new niche for insurance companies and 5 big ransom demands can wipe out the insurance premium they collected from 250 customers.
Makes sense to me. From what I've read, it's pretty clear the ransom payment is for a one-time ability to get your data back. It's not advertised as some sort of permanent opt-out.
Makes more sense if the group offered a subscription model for decrypting files encrypted by that group. Then you wouldn't have to keep paying the big lump sum.
Different groups have different policies. I believe some do actually add you to a whitelist if you pay and grant you at least a year or two before your immunity expires. (Maybe some do permanent whitelists? Not sure.)
I think it is, actually. Well, not advertised; but these big ransoms, they can be negotiated. And one of the victim company's requirements will be that if I pay, then you agree to leave me alone.
I think these negotiations are fine, if you're just buying time to gather your backups; I've assumed the payouts were made by insurance companies, so go ahead - buy a zero-value promise from a gang of crooks, if you want.
But your org has been rooted (at best, you can't prove it hasn't). Compromised systems can't be really be cleaned, they have to be reinstalled from scratch, if you want to have confidence in them.
And an attack can be stored in data - which you're about to restore from backup. That's a problem I have faced, and I chose to ignore that threat. No choice - I didn't know how to address it then, and I still don't now.
I'm kind of reminded of the mafia and their protection rackets. Obviously, you never could trust criminal organizations. At the same time, if you're a medium-sized corporation or small business and they have your important data, and you know you could pay to get it back, what do you do? I can imagine they really have some people by the balls, metaphorically speaking. They could drive you bankrupt.
I hope the authorities find a way to go after these people, but it's obviously got to be difficult, because they might well be in China or Russia. It would take some international cooperation that's probably impossible right now.
In the meantime... Switch to Linux, have a competent offsite backup strategy...?
Wonder what percentage of those that were hit had someone actively looking to get back in. Maybe 20% learned their lesson and improved their security. I wonder how many iterations of this will it take for most companies to learn that leaving your doors unlocked in a shady neighborhood/the internet is a bad idea.
if it were me, I'd leave webshells or other backdoors to let myself back in if they didn't do proper cleanup. Especially if they paid, I have a "known good" customer.
It makes you think about how many of those are inside jobs and/or compromised employees. In the case of colonial, it would seem highly likely given it was a credential compromise, but then again secure passwords are a known weakness
I mean they just proved that they are willing to pay the ransom. If they are also unwilling or unable to clean up their shop and keep it from happening again, it surely will.
It is almost like the groups hacking them are providing a good service. If they get hacked once, shit happens. But if it happens multiple times then someone should probably answer for it.
Ah yes, we should outlaw the ability for people to send money to each other and have civilization take the burden of incompetent corporations that can't be bothered to follow basic infosec practices (let alone whatever product they are selling in the first place is probably garbage and has no value beyond monopoly).
This view is similar to saying things like "The terrorists and the media have a symbiotic relationship and the media is responsible for enabling terrorist attacks, therefore let's ban the media".
Cryptocurrencies are decentralized. It would have to be banned literally every country in the world for them not to be able to use it and convert to a non-digital currency. Good luck with that.
And I'm sure they'd just invent or go back to some other method -- possibly riskier and more violent -- so they can continue to ransom money from people.
Once the criminals start maintaining their own backups of victims data and helping them restore from rival attacks, they can successfully call themselves a mob.
If only organizations would backup their own data. Then they could just restore and avoid paying.
I have a backup device of my own at home and that's the one I have to use. The company I work relies on some MSFT service that is pretty inflexible and won't back up the entire machine.
Hardest part is to find subscribers, from then on the milking process is easy. Leaving the joke aside, does this mean that the systems remained unprotected after the initial ransom was paid or that they continued to threat leaking sensitive data?
Paying the ransom a second time would guarantee nothing. Neither was paying the first time either.
If they were caught in the first place and paid up, the attacker presumably learned enough about the infra to find another way in? Or it was social engineering.
Like, is a company who runs its IT infra on Windows XP and pays the ransom likely to switch to the latest and greatest, no expenses spared, in a total and utter overhaul of all their systems? Or will they only try to patch the holes that were already revealed and gloss over the rest? Blame it on the intern, all that.
I wonder if there are like Russian mob investors in these cybercrime "startups" and they also have to make decks that show YoY revenue / user growth. Lmao!
Well, to my understanding, fronting money in drug deals for a cut and interest is a common model crime already, so I would say it's more likely than you think. The only difference between VC funding and bankrolling the mob is one is legal.
If the attacker isn't paid for the first attack, why would she attack again? She's not doing it for the lulz!
I do agree with you that there should be more visibility for the "silent majority" of firms who operate their businesses responsibly, and therefore don't ever need to pay ransom.
“Never negotiate with terrorists” is a simple and clear mantra, and as most clear and simple concepts it hides a lot of assumptions.
One of them is you are ready to lose the hostage in the worst case scenario. That’s how the police sees it, because the society benefits more from being firm in individual cases than losing a few of its members that might not come back anyway.
That’s a hard one to swallow, hard enough that govs also sometimes can’t follow the mantra and just pay the ransom.
It’s crazy hard to get people to sacrifice themselves for the better good, it’s yet a bigger ask for corporations who already screw the public day in day out.
> “Never negotiate with terrorists” is a simple and clear mantra, and as most clear and simple concepts it hides a lot of assumptions.
This has nothing to do with that idea.
The reason the orgs paid the random once was because they had a severe lack of backup and other data safety protocols in combination with a vector to be infected (from all what we know, the latter is common and difficult to avoid): paying the ransom is likely their only choice to maintain the business.
It is not surprising at all that these orgs can and will be infected again, and will continue to show a lack in the security and data safety departments, and so they will continue to pay ransoms.
It's sort of an inverse survivorship bias: if you get infected once because you're susceptible, you're likely to get infected again unless you fix your susceptibility.
I would be totally fine with legislation making it illegal to pay in the case of ransomware attacks. Some companies might be completely destroyed by an attack that they can't pay off, but that is for the greater good of society: if criminals know companies have a low probability of paying since they're legally barred from doing so, they're less likely to target them.
It has from a certain angle: For society/the internet as a whole it might be better for no one to pay the ransom at the cost of some of them perishing. The ransomware attacks would become unprofitable and would eventually stop. But to assume any organization wouldn't pay the ransom if its survival depends on it is obviously unrealistic.
I mean couldn't government pay the ransom and then go great lengths to track the suspects and send special forces after them? Surely US govt. has the ability to track almost anyone.
Having US govt. on your ass should a decent deterrent.
Just take a look at how hard FBI came down on cartels and individuals who were involved in killing Enrique Camarena. Cartel leaders were arrested in Mexico and several individual in the US.
It appears that some of the major ransomware gangs are operating from Russia and are tolerated by the government, as long as they don't hit domestic targets.
The US cannot really send special forces there without risking a massive escalation.
I am sure an IRL hostage situation alrrady happened at an hospital, so we could have the answer in a variety of cases.
My opinion would be the hospital should open up to the police and accept their fate whatever the outcome. The gov./police makes the calculation of the impact of X people dying a very public way, the Y amount that is requested, and the ton of other wildcards (e.g. can we catch the gang now ? after the ransom is paid ? void the ransom some way afterwards ? limit the number of death in other ways ? what will the other victims take away fom this case ?).
At the end of it there should be a custom approach to that specific situation and not some blanklet policy application.
This also assumes a cooperative and somewhat decent police force, which might not be the case everywhere (but then I think we're screwed anyway)
They’re supposed to back up their data and set up proper contingencies. By failing to do so, they are already putting patients lives in the hands of the encryptors.
"“Never negotiate with terrorists” is a simple and clear mantra, and as most clear and simple concepts it hides a lot of assumptions"
The word 'terrorists', for one. It's mostly used to mean 'my opponents' these days.
What we are facing with ransomware is not insurrectionists or protestors, but gangsters. They make their living by stealing from people, cheating them, and threatening them. Many insurrectionists are honourable people that you can safely make a deal with. There is no gangster with that property.
Take backups, test the recovery procedure, don't make bargains with gangsters.
It’s not really about sacrificing people for the greater good. Negotiating has high externalities that include future murders. Like all externalities, the involved people don’t give a shit.
I tried to put it in a neutral way, and I think it’s a far from a black and white issue.
Not to go too sideways, but hostage (with humans, not data) situations are typically about other people. When you’re the target, it’s not your life on the line, but your loved/valuable ones. So you’re not defending just yourself, you actually have to care about at least someone else to have it happen to you. And some care about a lot more than just their loved ones, they’ll also think about their friends, family, sometimes the rest of the society.
Everyone is different and there is no absolute best, but let’s at least recognize it’s complex and there’s lots of ways to think about it.
I don't see any discussion of typical entry points. How do these guys get into the system? Is it by having someone download a malicious file? If so what type of file? PDF? MS Office? If so Adobe and Microsoft should be held accountable for their security holes, only then will they have enough motivation to maybe consider rewriting some of their code in a safer language such as Rust.
* Bugs in anything that's common in enterprises, exposed to the Internet and not patched fast enough, including MS Exchange, various security/VPN products, vcenter, you name it. All of these had pretty critical pre-auth bugs exposed just this year
Lack of MFA, lack of hardware whitelisting, servers exposed directly to the Internet, lack of user privilege restrictions, allowing passwords that are known-compromised, ...
There is much confusion and many bad analogies surrounding this issue.
Some claim - without evidence - that nation states are behind it. Which, with a moments reflection, is absurd; nation states may have an interest in disabling certain systems for military purposes (at the appropriate time), but no nation state needs ransom money. Easier ways for a government to get money; namely, just print some.
Others liken it to the mafia or cartel or other well-organized criminal organizations. This too misses the mark.
Like most business crimes, the culprit is almost always an insider. Period.
As the tools to pull this off are trivial to come by on the internet, the obvious suspect would be some disgruntled IT person within the company.
It’s as if — after a bank robbery — everyone claims it must have been some crack team of Russians flown in under radar in helicopters. Instead, they should be looking at the numerous employees who have access to the security system and the safe.
But, it’s much more exciting to pretend that Putin is sponsoring hackers to get trivial amounts of money from companies across the globe. Ha.
I’m not even an IT guy, but at my last job, even I had access sufficient to destroy or corrupt all the data. That was before cryptocurrency and the like... I assume assembling a ransomware set of tools off the internet is no more or less difficult than it was to assemble a set of tools to make pirated copies of AdobePhotshop back in the day.
> Easier ways for a government to get money; namely, just print some.
What is money? If a government wants more domestic resources, it can get it by printing money. If a state is so limited in domestic resources that it fundamentally needs resources from outside, printing money doesn't help. Printing money can help a state devote more of its country's resources to trade, but if no one wants to trade with you at any cost, it doesn't matter what parts of the local economy the state controls.
North Korea has incentives compatible with these kinds of acts, and relatively few interesting ways of deploying software engineers locally.
Readit News
Now just wait to see what will happen to your insurance rate after you pay the third ransom.
They certainly will begin to understand the need for backups.
Another issue with backups, is are you restoring to an already infected / immediately infectable state?
I think the better closer is “The certainly will begin to take security, training, and best practices seriously”.
Thank goodness I didn't have access to a script that would lock up at least two of my past employers when coming up years ago? Then again, I personally haven't been that mad, but boy do I know employees who were.
I could say that we are all choir boys, but you piss on an employee, especially during a recession, well let's just say I have seen unpstanding guys rub magnets over hard drives over pure apathy. (The guy didn't know about strength of magnents, and it did not hurt anything.)
Plugging in a usb, or downloading a suspicious email is something I can see happening, especially to "those" companies.
I imagine Xfinity employees dream about it?
Why? Secretary gets a call from a nigerian prince, starts that letter.exe she gets in her e-mail, her computer gets fscked, IT takes her drive, restores a clean image, and she gets back to work.
If the only copy of some important document is on his/her pc, or that pc can overwrite/delete the only copy, then they've fscked up by design... and yes, now better backups would help.
They used to (and probably still) do this. But more recently these folk are paying access brokers. A bit like bank robbers teaming up with criminal locksmiths.
> It makes sense to me that’ll happen again and I’m not sure I can say the solution is better backups.
You'll ideally need:
- Better security awareness training to cover human weakness such as spotting dodgy email and what to do if you click a link
- Patch vulnerabilities quickly as this will reduce risk considerably
- Company wide tested and sufficient backup strategy (most companies fail on this) to protect key identified data assets
- Regularly pen-test both your internal and external environments
Obviously it doesn't stop there, but those are key.
Deleted Comment
Snapshots aren't backups.
Backups that aren't physically-isolated, typically offsite, aren't backups.
I suspect you mean filesystem snapshots and as long as the snapshot lives on the same physical media you are correct. But when you take the snapshot and transfer it to a physically separate location where it cannot be altered it sounds like a backup to me.
Relevant analysis here:
http://www.vendormanagementoffice.net/2021/06/cyber-insuranc...
---
But we've proved it again and again, / That if once you have paid him the Dane-geld / You never get rid of the Dane.
--- https://www.poetryloverspage.com/poets/kipling/dane_geld.htm....
By paying, you’ve just proven that you are a profitable target to hit.
> 80% of organizations that paid the ransom were hit by a second attack, and almost half were hit by the same threat group.
The same group!
I think these negotiations are fine, if you're just buying time to gather your backups; I've assumed the payouts were made by insurance companies, so go ahead - buy a zero-value promise from a gang of crooks, if you want.
But your org has been rooted (at best, you can't prove it hasn't). Compromised systems can't be really be cleaned, they have to be reinstalled from scratch, if you want to have confidence in them.
And an attack can be stored in data - which you're about to restore from backup. That's a problem I have faced, and I chose to ignore that threat. No choice - I didn't know how to address it then, and I still don't now.
My half-baked opinions about ransomware are largely based on watching this documentary: https://www.bbc.co.uk/programmes/w172wx9056p6bd6
I hope the authorities find a way to go after these people, but it's obviously got to be difficult, because they might well be in China or Russia. It would take some international cooperation that's probably impossible right now.
In the meantime... Switch to Linux, have a competent offsite backup strategy...?
You know they’re vulnerable to the attack (the hard part?) so why not keep doing it until they shore up their defenses.
Dead Comment
Deleted Comment
As soon as this occurs, ransomware events will collapse since the ransoms will become unpayable.
The negatives of cryptocurrencies (ransomware enablement, chip and electricity shortages, scams) clearly outweigh the positives at this point.
And I'm sure they'd just invent or go back to some other method -- possibly riskier and more violent -- so they can continue to ransom money from people.
Somehow, that's a quite believable scenario.
Fire fighting in Rome had a similar premise.
I have a backup device of my own at home and that's the one I have to use. The company I work relies on some MSFT service that is pretty inflexible and won't back up the entire machine.
Or Backblaze's evil twin.
Paying the ransom a second time would guarantee nothing. Neither was paying the first time either.
Like, is a company who runs its IT infra on Windows XP and pays the ransom likely to switch to the latest and greatest, no expenses spared, in a total and utter overhaul of all their systems? Or will they only try to patch the holes that were already revealed and gloss over the rest? Blame it on the intern, all that.
If they earn a reputation of coming back for seconds...
Two things:
People fix things faster to prevent double dipping.
People opt to not pay the initial ransom if they’re going to be taken hostage again.
It’s a kind of tragedy of the commons where the commons are the potential victims.
Plus, if the original vuln used to gain access is still open, there’s no reason why somebody else doesn’t find it later.
Though I suppose those thieves could also pay for the encryption key, or just go directly to the "service provider" for a paid copy.
Ransom gangs are business oriented.
I do agree with you that there should be more visibility for the "silent majority" of firms who operate their businesses responsibly, and therefore don't ever need to pay ransom.
Maybe it's all automated shotgun based attacks and they don't close the holes and so the act of paying the ransom is statistically meaningless
This is shoddy journalism. Might as well just say "X%". It implies you shouldn't pay lest you fall victim again but they don't actually say that.
Things that implicate what they refuse to say is kind of suspect
One of them is you are ready to lose the hostage in the worst case scenario. That’s how the police sees it, because the society benefits more from being firm in individual cases than losing a few of its members that might not come back anyway.
That’s a hard one to swallow, hard enough that govs also sometimes can’t follow the mantra and just pay the ransom.
It’s crazy hard to get people to sacrifice themselves for the better good, it’s yet a bigger ask for corporations who already screw the public day in day out.
https://www.bbc.com/news/world-asia-50471186
It's the sort of thing you say publicly, but then privately you settle with your adversary.
Absolutism is never a useful tactic.
This has nothing to do with that idea.
The reason the orgs paid the random once was because they had a severe lack of backup and other data safety protocols in combination with a vector to be infected (from all what we know, the latter is common and difficult to avoid): paying the ransom is likely their only choice to maintain the business.
It is not surprising at all that these orgs can and will be infected again, and will continue to show a lack in the security and data safety departments, and so they will continue to pay ransoms.
It's sort of an inverse survivorship bias: if you get infected once because you're susceptible, you're likely to get infected again unless you fix your susceptibility.
I would be totally fine with legislation making it illegal to pay in the case of ransomware attacks. Some companies might be completely destroyed by an attack that they can't pay off, but that is for the greater good of society: if criminals know companies have a low probability of paying since they're legally barred from doing so, they're less likely to target them.
Having US govt. on your ass should a decent deterrent.
Just take a look at how hard FBI came down on cartels and individuals who were involved in killing Enrique Camarena. Cartel leaders were arrested in Mexico and several individual in the US.
The US cannot really send special forces there without risking a massive escalation.
https://threatpost.com/ransomware-hits-hospitals-hardest/162...
My opinion would be the hospital should open up to the police and accept their fate whatever the outcome. The gov./police makes the calculation of the impact of X people dying a very public way, the Y amount that is requested, and the ton of other wildcards (e.g. can we catch the gang now ? after the ransom is paid ? void the ransom some way afterwards ? limit the number of death in other ways ? what will the other victims take away fom this case ?).
At the end of it there should be a custom approach to that specific situation and not some blanklet policy application.
This also assumes a cooperative and somewhat decent police force, which might not be the case everywhere (but then I think we're screwed anyway)
Dead Comment
The word 'terrorists', for one. It's mostly used to mean 'my opponents' these days.
What we are facing with ransomware is not insurrectionists or protestors, but gangsters. They make their living by stealing from people, cheating them, and threatening them. Many insurrectionists are honourable people that you can safely make a deal with. There is no gangster with that property.
Take backups, test the recovery procedure, don't make bargains with gangsters.
That's the theory. But much like war on drugs or TSA, whether its real-world outcomes match the theoretical ones is debatable.
https://www.newamerica.org/international-security/policy-pap...
https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u...
And then everyone clapped at the high-brow analysis.
You might even want to establish an isolated society, but if you try, good luck dealing with the IRS.
And on a purely primal level it's common to prioritize one's offspring over one's self. I think most cultures recognize this intuitively.
Not to go too sideways, but hostage (with humans, not data) situations are typically about other people. When you’re the target, it’s not your life on the line, but your loved/valuable ones. So you’re not defending just yourself, you actually have to care about at least someone else to have it happen to you. And some care about a lot more than just their loved ones, they’ll also think about their friends, family, sometimes the rest of the society.
Everyone is different and there is no absolute best, but let’s at least recognize it’s complex and there’s lots of ways to think about it.
Typically:
* Password spraying from previous data leaks
* Good old-fashioned fishing
* Bugs in anything that's common in enterprises, exposed to the Internet and not patched fast enough, including MS Exchange, various security/VPN products, vcenter, you name it. All of these had pretty critical pre-auth bugs exposed just this year
* malicious browser plugins
* malicious O365 apps
... and so on.
- ActiveX for legacy ad-hoc software
There is much confusion and many bad analogies surrounding this issue.
Some claim - without evidence - that nation states are behind it. Which, with a moments reflection, is absurd; nation states may have an interest in disabling certain systems for military purposes (at the appropriate time), but no nation state needs ransom money. Easier ways for a government to get money; namely, just print some.
Others liken it to the mafia or cartel or other well-organized criminal organizations. This too misses the mark.
Like most business crimes, the culprit is almost always an insider. Period. As the tools to pull this off are trivial to come by on the internet, the obvious suspect would be some disgruntled IT person within the company.
It’s as if — after a bank robbery — everyone claims it must have been some crack team of Russians flown in under radar in helicopters. Instead, they should be looking at the numerous employees who have access to the security system and the safe.
But, it’s much more exciting to pretend that Putin is sponsoring hackers to get trivial amounts of money from companies across the globe. Ha.
I’m not even an IT guy, but at my last job, even I had access sufficient to destroy or corrupt all the data. That was before cryptocurrency and the like... I assume assembling a ransomware set of tools off the internet is no more or less difficult than it was to assemble a set of tools to make pirated copies of AdobePhotshop back in the day.
What is money? If a government wants more domestic resources, it can get it by printing money. If a state is so limited in domestic resources that it fundamentally needs resources from outside, printing money doesn't help. Printing money can help a state devote more of its country's resources to trade, but if no one wants to trade with you at any cost, it doesn't matter what parts of the local economy the state controls.
North Korea has incentives compatible with these kinds of acts, and relatively few interesting ways of deploying software engineers locally.
Sure, this is obvious, makes intuitive sense, except...it explains why something like Iran-Contra or the equivalent in other countries can't happen.