So there's that woman I follow who used to work in the hostage and ransom negotiation business, and she's adamant there's no such thing as "no negotiations with terrorists" no matter the public rhetoric or legislation. When push comes to shove, side channels and loopholes are inevitably found and third party contractors like her get hired.
I strongly suspect this too will end up mostly a jurisdiction/accounting nuance rather than a substantial change.
>...there's no such thing as "no negotiations with terrorists" no matter public rhetoric or legislation.
I've heard this as well. A professor was flying into a less than stable area of Afghanistan and for some reason they were descending just like a normal commercial flight.
"What are you doing, we're going to get shot down!". He was used to a steep descent or a spiral to the runway to minimize the risk of getting hit.
They then explained they had a deal with the local warlord. The military provided barrels of used oil from all their ground vehicles, and in exchange they don't fire on the airplanes as they take off or land. The warlord burns the oil for heating, and the military doesn't need to deal with (hopefully correctly) disposing of large quantities of used oil.
You have to wonder how much of that transaction is saving face? The warlord doesn't have to deal with the messy business of trying to shoot down jets belonging to a well-funded army; the military doesn't have to deal with the difficult business of engaging a warlord with local connections and support. Both sides get to wink and imply that they each got the better end of a "business deal". It's Clausewitz in reverse -- commerce as a de-escalation of war by other means.
It's the Coase theorem [0] in action! No matter what the laws may or may not be against shooting down planes, the socially efficient outcome of planes not being shot down was arrived at through negotiation.
Ayup, another example I can remember is that Swedish professor who went ahead and hired the services of a PMC to extract her grad student and his family from Iraq[0].
Background: the student went to visit his family back in Iraq as his town was under an ISIS attack, which is how he ended up getting stuck there.
That wasn’t as exciting as you appear to think it was. I have family from Ukraine (now living with us) and worked with a lot of Ukrainians (and Russians) when the shooting war started. Most of my current contractors are displaced Ukrainians.
There were no “Zero Dark Thirty” style extractions.
The policy has been widely misreported as "we don't negotiate with terrorists", which is wrong. The actual policy is we won't make concessions to terrorists.
You should have pointed out that her view is self-serving. If you are a hostage negotiator (retired even, or whatever), it's natural to argue that we will still negotiate with terrorists. Just like programmers argue about whether we'll still have a job even as AI gets better and better ;-)
Perhaps it's time I hang up this old keyboard, rally together a ratpack of seasoned elementary school teachers, and swiftly bring an end to the Global War on Terror.
You're mistaking what someone says for the way things actually are. I'm talking about them exaggerating how in demand their own services are. The danger of this is especially acute if they do more than one thing.
One, this article is not about banning crypto ransom. Two, if you wanted to do that, you'd criminalise it with the threat of sanctions. At that point your K&R retiree and anyone who signed off on paying them would be fugitives almost anywhere in the world.
As long as you have a non-signatory among otherwise first world nations (and there's always a handful on any treaty) there absolutely will be a legal way that you can't do much about.
DC doesn't go after these "security consulting firms located in non-signatory states" precisely because they want to be able to use them if the need arises.
The first thing you do after conquering the throne is to bundle up all your pending atrocities in one and eliminate competition. The second thing you do is slaughter the mercenaries you had hired to win your war of ascension.
No reason to leave them around and let the next usurper hire them to dethrone you.
In practice, it typically happens across administrations, i.e. the effect is accidental. (We forget what an asset having a fresh executive every decade is.)
IIRC feds have gone against companies using some third-party consultants to pay a ransom that eventually went to an entity on the US sanctions list like Iran or North Korea. Or at least they have loudly threatened to do so.
It took what, over two decades to convince Switzerland and Austria to get on board for (part of) money laundering treaties? And ransom(ware) is not anywhere as pressing.
> took what, over two decades to convince Switzerland and Austria to get on board for (part of) money laundering treaties
Yet they still complied with U.S. sanctions. (Or were arrested abroad for defying them.)
You seem to misunderstand that sanctions are not a treaty obligation. If your country deals with a sanctioned entity, it gets sanctioned as well. That enforces compliance indirectly. America can and does unilaterally extend sanctions.
> it's great to know that money laundering is a solved problem
We don’t sanction money launderers generally. And no, terrorism finance isn’t a solved problem either. Hence why I said one would need to keep company with that category of people were such a measure enacted. But again, your K&R retiree cum schoolteacher was describing a political constraint. Not a functional one.
The only case in which ransomware seems actually similar to hostage taking is when a hospital or something is hit. And I think that is actually a morally complicated situation, because lives are actually at risk.
Otherwise ransomware payments are just a collective action problem, paying them builds this harmful ransomware industry, but might be cheaper than losing or restoring your data. Making it costlier to pay the ransomware groups is a great strategy, in the sense that even if it isn’t perfect it might bump some cases from “pay” to “don’t pay,” damaging the industry.
I suspect if this coalition of nations actually criminalized paying ransoms, that would go a long way towards closing up all those loopholes. Perhaps that is what needs to happen next.
Until a government organization or close enough public need arises where a new loophole would be created PDQ? Also "close all the loopholes" has a ridiculously poor record in law. On the one hand, people with no incentives, on the other people whose entire line of work is to extract the maximum result of whatever the law happens to be.
We should make it a criminal offense with severe penalties to pay any sort of ransom regardless of the consequences. Use the Foreign Corrupt Practices Act as a model. Even if it means hostages will die or businesses will be destroyed, that is an acceptable price to pay in order to cut off funding to terrorists and other criminals.
In the corporate case, it is often not despair but incompetence and lack of consequences: the CEO will get their yearly bonus if the ransom is paid. If the ransom is not paid, the information might leak out that the company lacks good cybersecurity practices and there will be a new CEO.
Or even worse, like shareholder or regulator action, see SolarWinds
Note that in the EU under GDPR companies are still liable for privacy violations and related fines if ransomware attackers gain access to your personal details, ransom or no ransom (a hack is enough).
I think ransomware is not really like drugs or hostages.
For drugs, there’s some inherent desire for some people to consume them. Maybe they harm society a bit (in the sense that they might destroy the people that take them), but the main cost for the rest of us is that they fund criminal enterprises because they are illegal. People want drugs, if they could buy them at CVS I suspect they would.
Ransomware is already illegal, we don’t create a new criminal enterprise by making it illegal to do business with them, we just make it harder.
Also, lots of the biggest ransomware hits have been big institutional entities where everything is documented. People just buy drugs in small amounts and consume them, two parties, neither of whom wants to get caught, minimal paper trail. Basically impossible to ban.
For physical hostages—people are desperate to get their friends and family back, and so they’ll go to desperate measures to pay. For ransomware, it is usually an economic decision, nobody’s life is at risk (other than when, like, a hospital is hit). Increasing the cost increases the chance the decision will go the other way. And increases the incentives to keep IT defenses up to date. (I know you didn’t bring up the hostage analogy, I think it is worth noting that the desperation you point to here is really an artifact of the tangent we’re on from the analogy leading us astray).
We're not talking about desperate drug addicts here. The threat of criminal prosecution and being sent to federal prison is a pretty effective deterrent for most people. Especially the corporate officers who would ultimately have to authorize any ransomware payment. They won't take that risk to help their employer.
Upwards. Second order effects of schemes like prohibition are much worse than the original problems.
It's also not quite analogous to the ransomware prohibition, because it's more akin to a prisoner's dilemma, and there's no inherent desire to pay ransomware criminals in the human psyche like there is to alter consciousness.
> Second order effects of schemes like prohibition are much worse than the original problems.
There are loads of countries that have illegalized alcohol and not devolved into levels of organized crime that the US did. Specifically, nearly every Muslim nation on earth. I feel this one example is way overplayed by advocates of legalization
Well, I guess if you think ruin or death is a valid consequence for fairly low stakes "crimes", you can implement pretty much any regime you like, assuming you've got enough boots and knives.
> that is an acceptable price to pay in order to cut off funding to terrorists and other criminals.
You're offering to increase the stick, what's the carrot for the people/corporation losing everything?
Making the punishment bigger also means victims have stronger incentives to work closely with the terrorists so the whole thing never gets public or never gets labelled as a ransom.
Have fun being the DA who presses charges against a mother of three who paid so their kids could see daddy again instead of watching him get beheaded by terrorists.
It sounds nice in the abstract; in practice it's political suicide.
> It sounds nice in the abstract; in practice it's political suicide.
Depends on how you spin it. I suspect it would be quite easy to spin the narrative on this one. "So you knowingly funded a terrorist group that's likely going to use the money to commit further crimes against US citizens?" or something of the sort. Have some experts testify on that too, preferably ones in officers' uniforms.
Yeah what's the point of extorting a company that can't pay. You're just risking getting stuffed in the trunk of a car and driven to some place with an extradition treaty.
It wouldn't surprise me if places like Nigeria have a bunch of semi-whitewashed English speaking faces/voices to perform this kind of grey area work. Even better if some of their family is part of a hostage taking gang so they can burn the candle from both ends.
I responded to a comment on hostage and ransom negotiation business. Hostages aren't normally considered ransomware, although said negotiators would have excellent overlapping skill set.
Travel.gov has an advisory for hostage taking in your country. I can assure you there are well spoken negotiators in your nation to deal with that.
Cool, here's a documentary with an English speaking hostage negotiator in Nigeria with family on the other side of the business (talks start around 4:30).
I'm afraid, YOU are wrong. My opinion wasn't idle thought but derived from research on Nigeria rather than some weird borderline racist baseless rhetoric that Nigerians don't have this level of organization.
Didn’t vice catch a bunch of flack for over sensationalizing their “reporting?” Regardless I’d be more inclined to believe an actual Nigerian than a YouTube video. That person didn’t say there were zero people doing this, they said it wasn’t likely Nigeria had a widespread and systemic issue with organized crime doing this.
>Didn’t vice catch a bunch of flack for over sensationalizing their “reporting?”
Awesome ad hominem against the people recording actual Nigerians testimony.
>Regardless I’d be more inclined to believe an actual Nigerian than a YouTube video
And I provide video with actual Nigerians yet it's crickets from you when some guy just flippantly says I'm wrong with no supporting facts. Unless by actual Nigerians you want one to jump through the screen and talk to us... we're going to have to settle for electronic communication. It's also worth noting the Nigerian commenter above denied ransomware related activities but never denied the rest.
>That person didn’t say there were zero people doing this, they said it wasn’t likely Nigeria had a widespread and systemic issue with organized crime doing this.
They said what they said, not what you've retranslated them to say. I never said the issue was systemic, but if they really said that then their flippant dismissal was just as invalid as they'd be addressing a strawman.
>Neuberger told journalists a new “black list” will also be created by the US treasury department to identify and highlight digital wallets being used to deposit and move ransomware payments.
>The establishment of these information sharing platforms means that “if one country is attacked, others can quickly be defended”, Neuberger said.
pardon the dust whilst I apply my 14th century naval hammer to this clearly 21st century nail.
Could you expand why you believe an old hammer doesn’t work with current nails? As a metaphor it seems completely the opposite of your intended meaning since it’s a good example of an ancient technology which still works compatibly.
Adding wallets to a black list is highly effective because while there was a lot of dishonest marketing around blockchains improving privacy they’re actually perfect for censorship since a public ledger allows you to transitively taint every transaction downstream, significantly reducing the value of certain tokens and removing the ability of people to say they didn’t know the funds they are receiving were connected to a crime.
Observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories, but I'm sure my old 14th century hammer will address this issue somehow even though subaddresses can be created that aren't even remotely linked to my main address.
You just ban Monero then. If something is a problem, and you want to ensure financial visibility then ban all transaction types that hide visibility, like banning mixers. This is separate from whether it's a good idea or not.
And then you mix in DeFi. Or into and out of L2/HTLCs. Or via atomic swaps, which went live but are buggy, and won’t show the monero interaction. Or cross-chain. And on and on. Let’s ban it all?
Yes, that's where I think financial regulators are heading. And anyone who thinks for one second of course sees that these are also problems with cash that drug cartels deal with by sending bales of $100 bills around. And so we added kyc and discourage cash.
I don't think you can ban people doing crypto entirely, but you can make the financial exchange points where cash goes in and out ever more difficult.
It’s in the process of being grey listed. Similar to running an all-cash lifestyle, it’s possible. But you’ll have your money frozen and seized and stolen from time to time. And you will hit intentional roadblocks any time you attempt a major financial move.
Those two first things have sure been tried, over and over as everyone knows. I said the obviousness of banning monero next was separate from whether it's a good idea.
First, you misunderstood the point: the hammer is a poor metaphor because it's something which _hasn't_ changed massively over time – for the 14th century, if you took the ancient Roman who was used to working with these to Home Depot, they'd immediately know how to work with their modern counterparts.
Now, back on topic. Monero's claims have been lightly tested but never against a nation-state level adversary, so I'd be hesitant to put anything onto a blockchain which would be problematic if a flaw is discovered since there is, of course, no way to remove it. That said, let's assume that everything works exactly as planned and they've perfectly nailed the implementation. Do you ever wonder why cryptocurrency people call what they're building cash? That's because while a 14th century treasury officer wouldn't have known a thing about hash functions, they were already very familiar with the problems caused by a truly anonymous means of exchanging value: actual cash.
If you've ever read old novels where people had to explain their source of wealth, maintain accounts at specific banks with good reputations, visiting traders were required to store funds at state sanctioned banks, etc. that's because while it's impossible to tell where someone's coins came from you can make crime, especially tax evasion, considerably harder by requiring people to show positive proof of income and adding points where other people would have to collaborate with you. That certainly doesn't prevent fraud but it can reduce it considerably by increasing the cost and likelihood of being caught.
Obviously we have a big shift in the technology, but that same basic approach works well now: you don't need to control every blockchain transaction if the gateways into the real financial system are required to follow money laundering laws like everyone else. That's one of the reasons why almost no businesses used Tornado Cash, Monero, etc. because they didn't have a need to and when your accountants ask “how will we avoid the drug cartels using us to launder money?” and you say “we can't, that's a feature!”, they're going to start asking questions like who's going to go to prison.
Now think about how you get funds into that wallet: if your shiny new account has a transaction chain tracing back to a banned address, legitimate merchants aren't going to accept transactions from you and you're going to be selling at a discount.
If you use a mixer, that expands to cover all of your transactions. Any legitimate business has to worry about complying with local laws and they’re going to stop using options which don’t allow that or cost too much.
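The two comments above (the one on transitively tainting every transaction downstream of a blacklisted wallet, and the one on a fresh wallet inheriting taint through its funding chain or a mixer) describe a graph walk over a public ledger. The following is an added illustration of that walk, not code from the article or from any commenter: the ledger, the address names and the `ransom_wallet` blacklist entry are all constructed for the example, and it models the account-style view of a chain with no amounts, change outputs or clustering heuristics.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real chain data): (txid, sender, receiver, amount).
# "victim" pays "ransom_wallet"; the proceeds fan out through two hops, one of which
# goes through a mixer that also receives clean funds from "clean_user".
LEDGER = [
    ("tx1", "victim", "ransom_wallet", 50.0),
    ("tx2", "ransom_wallet", "hop1", 30.0),
    ("tx3", "ransom_wallet", "hop2", 20.0),
    ("tx4", "hop1", "mixer", 30.0),
    ("tx5", "clean_user", "mixer", 10.0),
    ("tx6", "mixer", "fresh_wallet", 12.0),
    ("tx7", "mixer", "clean_user_out", 10.0),
    ("tx8", "hop2", "exchange_deposit", 20.0),
    ("tx9", "unrelated_a", "unrelated_b", 5.0),
]

# Hypothetical "black list" of wallets known to receive ransom payments.
BLACKLIST = {"ransom_wallet"}


def build_graph(ledger):
    """Adjacency list: sender -> [(txid, receiver, amount), ...]."""
    out = defaultdict(list)
    for txid, src, dst, amt in ledger:
        out[src].append((txid, dst, amt))
    return out


def taint(ledger, blacklist):
    """Breadth-first walk downstream from every blacklisted address.

    Returns {address: hops}, where hops is the distance from the nearest
    blacklisted address. Only addresses that RECEIVED funds descending from
    the blacklist are tainted; the victim who paid in is not.
    """
    graph = build_graph(ledger)
    hops = {addr: 0 for addr in blacklist}
    queue = deque(blacklist)
    while queue:
        cur = queue.popleft()
        for _txid, dst, _amt in graph.get(cur, ()):
            if dst not in hops:            # first visit is the shortest path
                hops[dst] = hops[cur] + 1
                queue.append(dst)
    return hops


def tainted_transactions(ledger, blacklist):
    """All transactions whose sender is tainted, i.e. the transfers that
    carried tainted funds onward (in ledger order)."""
    tainted = taint(ledger, blacklist)
    return [txid for txid, src, _dst, _amt in ledger if src in tainted]


def merchant_should_accept(sender, tainted, max_hops=None):
    """Compliance policy for a business receiving funds: refuse any sender
    that is downstream of the blacklist. If max_hops is given, only senders
    within that many hops are refused (a looser, distance-based policy)."""
    if sender not in tainted:
        return True
    if max_hops is None:
        return False
    return tainted[sender] > max_hops


if __name__ == "__main__":
    t = taint(LEDGER, BLACKLIST)
    for addr, h in sorted(t.items(), key=lambda kv: kv[1]):
        print(f"{addr:20s} tainted at {h} hop(s)")
    print("tainted txs:", tainted_transactions(LEDGER, BLACKLIST))
    print("accept fresh_wallet?", merchant_should_accept("fresh_wallet", t))
```

Two things the walk makes visible that the prose only asserts: `fresh_wallet` is tainted even though it never touched `ransom_wallet` directly, because its funding chain passes through `hop1` and the mixer; and `clean_user_out` is tainted despite `clean_user` being clean, because the mixer commingled the two inflows and a ledger-level taint rule has no way to tell whose coins came out. Real chain analysis adds amount-weighted (FIFO or poison) taint, UTXO change heuristics and address clustering, and none of this applies to a chain like Monero whose ledger does not expose senders, receivers or amounts.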
Letters of marque aren't transferable, so making them NFTs is kinda silly. Their entire purpose is that the state has entrusted you, captain of the ship, to abide by certain rules (don't plunder our ships, take prisoners when possible).
That said, cyber-privateering is actually a good idea. Cyberwarfare is in the same space as naval warfare was in the 17th century: it's not really an overt act of war, it's mostly committed by criminal organizations with the occasional big news state actor action, and there's a lot of money to be made.
Hey, but I can sell you a 21st century e-hammer with AuthentiCode licensing. Swing power savings of up to 2% can be achieved. (Requires constant internet connection).
There have also been centuries of advancement on the idea of a hammer. The US and friendly countries have just a hammer, in the same way that a forge with a power hammer has just a hammer, or a wrecking ball could be seen as a complicated sledgehammer.
I know those are traditionally buzz words but are they here? Trying to analyze traditionally anonymous payment methods that are virtually the only way ransomware is paid off seems like not a crazy idea.
It's not crazy, but tracing blockchain transactions has been done since blockchains were invented. I'm not sure if new AI techniques are helpful or not.
"Identifying non-obvious patterns in messy data" is a textbook application for ML. I don't know if it'd be helpful or not - it's unwise to believe anyone who asserts that ML will definitely work better than traditional statistical methods - but it's definitely worth trying.
I wish my health provider had paid the ransom. They screwed up and got hacked and wouldn’t or couldn’t pay the ransom, now the entire clinic has no health records for their patients. My doctor can’t see any health info older than a few years. I couldn’t believe what she was telling me.
The ransomware seems like a side issue. Evidently, your health provider doesn't care that much about your health records. Even ignoring security issues, they had no reliable backup. A fire would have produced this result.
Perhaps, perhaps not - there are many companies which had reasonable backups which would have protected them in case of a fire, but since they were accessible remotely with administrator privileges, the ransomware operators were able to destroy the backups, as is their standard practice.
To be fair, a sophisticated ransomware attack is more difficult to mitigate than most data loss events. A fire won't steal your AWS credentials. Not understanding the need for backups that are both off-site and offline isn't quite the same as not caring.
This is the reality of where the pay/don't pay falls down.
If your records have been encrypted and taken, you have already taken a reputational hit to sensitive information. If you can recover your operations then you shouldn't even think about paying the ransom. However, if your systems have been encrypted AND you can't recover them AND not having your systems is catastrophic to your business continuing then you may consider paying the ransom. Hopefully with a renewed understanding of how important it is to have appropriate information security controls in place.
The only way not paying ransoms will happen, is if it is made illegal or there are significant penalties as a result of doing so. Otherwise, for some businesses not paying the ransom when their systems are offline is too risky.
It hurts, but it’s the only way we can get the wealthy to take security seriously. Otherwise, to take an exaggerated example, only rich hospitals will be able to pay ransoms and poor people /hospitals will have no records (globally).
If they had to pay the ransom there would be a price set on security complacency, and that becomes the yardstick to use on further investments to harden their systems.
In contrast, losing all patient data is now associated with a malicious attack, so they can hide behind the victim status, the actual damage isn't directly on their bottom line but on the quality of the care to their patient, and they can keep underinvesting in security as long as they have plausible deniability of wrongdoing in the next attack.
Or instead of banding together to not pay, organizations/nations could pool money to help poorer hospitals pay. Maybe that, too, would make the rich think more about global security.
So some asshat will be in charge of IT at [poor hospital], some rich people will foot the bill, and somehow that will improve...what? What is "global security?"
Global security meaning: Perhaps, if the rich found that the cost of supporting poor hospitals was high, they'd determine that they would prefer to invest in cybersecurity in poor hospitals. (Not likely, considering how few wealthy organizations care about cybersecurity in their own organizations.)
I don't think that's quite fair. Each organization, especially one that possesses sensitive customer data, has a custodial duty to secure that data. Most of these attacks are very preventable by following well documented best practices and industry recommendations.
I think that "I wish my health provider paid the ransom" and "Health organizations should be responsible for protecting my data" are completely compatible views to hold.
If nobody paid the ransom, ransomware attacks would be reduced to nearly zero. Paying the ransom means that other people will get ransomware attacks. So, effectively speaking, wishing someone paid the ransom means that you're also wishing that others will get hit with attacks because that's a direct consequence of paying.
I follow your logic, I just think your conclusion is vastly oversimplified. Not paying the ransom also means that other people will get ransomware attacks. There is no direct causality here.
There is some game theory, sure (a prisoner's dilemma, really). If nobody ever paid ransoms, there would be very little incentive for ransomware (though still not zero, some people just want to create chaos).
But I don't think in a world-sized game with billions of actors that you can ascribe causality to the actions of a single actor. Wishing that you had driven to work instead of taking public transit (perhaps you missed an important meeting as a result) is not equivalent to wishing for public transit to be defunded (there is an equivalent feedback loop - decreasing ridership corresponds to reduced funding for public transit programs).
Then consider that ransomware is only possible because of cybersecurity failings, and investing money into reasonable (some might even call them "common sense") security measures would also reduce these incidence rates to nearly zero.
To be clear, I'm not advocating for paying ransomware ransoms, generally. I think this coalition is a good thing. But if a healthcare provider loses years of customer health data, that could lead to measurably worse health outcomes, and even excess mortality, for real people. An institution getting financially punished for not investing adequately in security seems like a better outcome than jeopardizing the health of real patients in the name of 'solidarity'. Meanwhile, a dozen other institutions pay the ransom and business continues as usual.
Yes, I completely understand the purely practical side of the issue. And perhaps paying the ransom does achieve a local maximum in terms of least harm, but it also prevents achieving an even greater maximum of least harm.
To be clear, I'm not saying that anyone is obligated to "take one for the team", or that anyone is bad for not being willing to. I'm just saying that if everyone was willing to, far less harm would be done in the longer term.
To me, a ransomware attack is little different than if someone just physically blew up the computers (or, with medical records, the hospital). It's a huge, costly disaster, but the damage is done. If we as a society thought of it like that and perhaps provided support (financial and otherwise) for people who get harmed like we do with any other large disaster, we could be in a better place for everyone except the criminals. Maybe we'd even put systems into place for the greater redundancy of medical records, to mitigate against actual health consequences of such attacks.
We'd also have greater interest in providing support for implementation, education & investigation in terms of hardening against such attacks.
> The members of the International Counter Ransomware Initiative (CRI)— Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, Czech Republic, Dominican Republic, Estonia, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, Republic of Korea, Romania, Singapore, South Africa, Spain, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States, and Ukraine, and the European Union.
> This will see the launch of two new information-sharing platforms for participating countries. One will be created by Lithuania while another will be jointly created and hosted by Israel and the United Arab Emirates.
Nice to see smaller countries taking the initiative and also being trusted for projects like this.
Maybe it's also time that companies take cybersecurity more seriously, and maybe not just companies, but governments too.
If insurance companies would cover ransomware damage, you can be certain those insurance companies would IMMEDIATELY lobby the government to enforce cyber security standards, audits, pentesting etc.
It's not happening as long as the NSA is on top of the race of cyberweapons, but once that changes, you can be certain that software is going to be more secure.
Not sure if you're aware, but ransomware insurance is already a significant industry, and the contracts usually stipulate that the client company undergoes some type of regular auditing.
From what I've heard, insurance companies are actually kinda souring on the business because it's incredibly bad from an actuarial perspective: many of those targeted are SMBs (i.e. they're not paying the kind of premiums that would make it worthwhile), but even for large corps as time passes the odds of a ransom event approach 1. I mean, can anyone think of a large non-tech enterprise that doesn't have that one load-bearing Windows Server 2008 machine in a closet?
So to an extent, this seemingly represents the industry collectively declaring that even massive monthly insurance premiums are insufficient for companies to get their security posture together, and so they're trying to cut it off at the source by making ransomware as an endeavor unprofitable.
The HN title matches the article headline, but the article headline is horribly inaccurate.
This is not about making ransom payments illegal, as many commenters have assumed. They are setting up an international information-sharing system to help track cryptocurrency wallets that are receiving ransom payments.
The headline isn't inaccurate. "End ransomware payments" doesn't necessarily mean "make illegal the act of victims sending ransom payments", even though many are presuming that.
Most of the action on this is on the receiving end of the payment process -- making it difficult for criminals to cash out, freezing their assets, or finding them.
(The submitted headline was "US-led coalition of nations agrees to end ransomware payments to hackers". We since changed the URL - more at https://news.ycombinator.com/item?id=38088780.)
Yes, everyone within the legal arms-length of the US is required to comply with sanctions prohibitions -- if sanctions are applied. The OFAC has a lot of power.
First of all, it's not a nation who pays in case of a breach. It's some company. Nations as countries do not have anything to do with it, unless they create some laws denying payments. Which would put tight control of any business in the hands of politicians signing off indulgences (exceptions to pay as "too big to fail").
I would guess that the affected entities here are not companies, but public entities. Federal departments, the state governments, and municipal governments all run their own IT systems and have been affected by ransomware; if there is a top-down policy of "don't pay the ransom" it presumably affects policy for all of those.
Even if there is a top down policy of not paying ransoms, the attackers still have an incentive to format the drives and leak the data to gain credibility for their next attack.
Many types of attack don't actually know where they're breaking into at the time they break in. And once you're in, you might as well try running a ransom attack.
Nations setting up financial regulations on who you can and cannot pay is a standard accounting practice these days. If you consider that a tight control, then we're already far past that.
The reality of where the pay/don't pay falls down.
If your records have been encrypted and taken, you have already taken a reputational hit to sensitive information. If you can recover your operations then you shouldn't even think about paying the ransom.
However, if your systems have been encrypted AND you can't recover them in a reasonable way AND not having your systems is catastrophic to your business continuing then this is where companies consider paying. Hopefully with a renewed understanding of how important it is to have appropriate information security controls in place.
The only way not paying ransoms will happen is if it is made illegal or there are significant penalties as a result of doing so. Otherwise, for some businesses, not paying the ransom when their systems are offline is just too risky.
So let's imagine a company like Garmin experiences a ransomware attack. Their business is paralyzed. What would stop them from paying the ransom and what could possibly be an alternative to that?
They can bring their systems back up and operational for less cost (both immediate, but also payroll during the fix, lost revenue from both downtime and reputationally after they're back, and opportunity cost, off the top of my head).
Your only two options are rebuild on your own at significant cost or pay the ransom. There were long, heated discussions about what to do, and several people suggested paying the ransom, but we ultimately decided not to, and it ended up costing more than the ransom if you factor in payroll and lost revenue.
I still think out of principle you shouldn't pay the ransom, ever. Assume whatever the ransom would cost is already gone; if you can rebuild for less than that (you probably can't), it's a win.
But even when paying the ransom, you still need to roll back a portion of your environment after you've assessed the intrusion. Can you really trust that you've patched everything and removed all traces of persistence that was put in place by the attacker as a contingency to get back into the system?
That's the job of an external cyber incident response team who can trace how it occurred and check that the vulnerability has been appropriately eradicated and locked down before resuming business operations.
> I still think out of principle you shouldn't pay the ransom, ever
There may have been a time when a company would act on principle, but I think it's very rare today. You hardly even expect people to do that. It's the world we have made.
All human activities, including things like principles, charity, sacrifice, and duty, are ultimately self-serving attempts by the biological DNA and cultural memes that constitute us to replicate and improve its standing.
Nothing, so far. The alternatives to that would be to legislate penalties for paying, to mandate certain precautions like regular offline backups (which could usually be done through regulation), to forbid the government from doing business with entities that have paid in the past X time (procurement regulations are somewhat flexible) and/or to task some government agency with aiding private sector entities in recovery if they don't pay (which has varying difficulty depending on the jurisdiction).
Obviously none of these make it impossible, but the goal needs to be to tip the value proposition the other way.
There are a handful of problems with this approach, which is part of why these types of insurance policies are incredibly expensive. The entire MO of these operations is to infect a company's systems and wait until most or all of the backups are affected before locking the system down. They will wait months or, for bigger targets, years.
That doesn't help. The system is already infected when the backups are taken, therefore the backups are infected. That's why these criminal organizations wait months until actually locking your system down, so that your oldest backups are deleted by retention policy. If they have access to your system and can figure out what your backup retention policy is, they'll set it to go off at the point when all your backups are infected.
Ransomware is often not triggered quickly. They will compromise a box, install a back door, and hang onto it for months. You also have to consider that once they pop it, they can check other vulns that are available and will still be present after the restore.
When I do remediation I usually recommend restoring only business state but installing and configuring all OSes and applications from scratch with the latest freshly downloaded versions. You can't trust any executable or DLL that has been lying around.
That is not the restore dream that the backup provider sold them but reinfection is common. Once the bad guy has a privileged credential it is trivial for them to investigate for other vulns to use in the reinfection phase and nobody has just one critical vuln. If a business is susceptible to ntlm relay it's also going to have unsigned smb and non encrypted ldap traffic for the same root cause -- it was the default in 2005 and never got modernized.
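The three settings named above (SMB signing, LDAP signing, and with it LDAP channel binding) can be audited on a rebuilt Windows host before it goes back on the network. The following is an added example, not code from the thread; it reads the registry values behind the corresponding Group Policy settings and assumes it runs elevated on the host being checked (the NTDS values only mean something on a domain controller):

```powershell
# Added audit example, not code from the thread. Assumes the settings are applied
# to the local machine (locally or via GPO) and that the shell is elevated.
# An absent value means the OS default for the host's role applies; treat that as
# something to verify, not as a pass.
$checks = @(
    @{ Name = 'SMB server signing required';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Key = 'RequireSecuritySignature';  Want = 1 },
    @{ Name = 'SMB client signing required';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Key = 'RequireSecuritySignature';  Want = 1 },
    @{ Name = 'LDAP server signing required';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Key = 'LDAPServerIntegrity';       Want = 2 },  # DC only
    @{ Name = 'LDAP channel binding enforced'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Key = 'LdapEnforceChannelBinding'; Want = 2 },  # DC only
    @{ Name = 'LDAP client signing required';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';                         Key = 'LDAPClientIntegrity';       Want = 2 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Key)
    try   { (Get-ItemProperty -Path $Path -Name $Key -ErrorAction Stop).$Key }
    catch { $null }   # key or value missing
}

$results = foreach ($c in $checks) {
    $value  = Get-RegistryDword -Path $c.Path -Key $c.Key
    $status = if ($null -eq $value) { 'NOT SET' } elseif ($value -ge $c.Want) { 'OK' } else { 'WEAK' }
    [pscustomobject]@{ Check = $c.Name; Value = $value; Required = $c.Want; Status = $status }
}

$results | Format-Table -AutoSize

# Non-zero exit when anything is weak or unset, so the check can gate the
# "back on the network" step of a rebuild runbook.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```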
For a concrete example, someone could infect an image storing service with code that encrypts (and silently decrypts) the data when it's stored / retrieved. When the hacker removes the decryption key from the running service, the backups will also be inaccessible because they are also encrypted.
Are user accounts data or systems? Compromise of AD is a very common means. That said, this can still be fixed before putting it back where it could reach the internet and cause trouble.
No reason such an insurance company couldn't be run in the early/mid 20th century manner, entirely with paper records. Send carbon copies of all documents to two remote locations to eliminate the threat of a fire wiping out the records.
This is easy. It requires you to hire a lot of human clerks, but since the customers are large businesses that means there aren't a whole lot of customers in the first place. And if you can't get enough typewriters, there's no reason the clerk work couldn't be done on computers connected to printers, with all document storage still being done on paper. If the computers get pwned, throw them out and buy new ones; it doesn't matter because the documents weren't being stored on those computers.
The dumbest take of companies was assuming insurance companies would keep paying their ransom because they were thinking fixing their networks was less important.
> Partner countries will share a "black list" through the U.S. Department of Treasury that will include information on digital wallets being used to move ransomware payments
I don't think they realize how easy it is to generate a new wallet. Nobody is going to use their home wallet address to demand a ransom.
I think this needs to be combined with ways to make companies more resistant to ransomware attacks, and more able to restore their computers if an attack does happen.
If companies could get back on line within 24 hours, they wouldn't pay the ransomware.
Ransomware-ing companies is terrorism. Knocking a hospital computer system offline is equivalent to bombing it and should be treated as such. There should be renditions/assassinations as a retaliatory measure.
If stakes are high enough nations will pay; this is different than enforcing corps not paying. It will be hard to detect at a national level if there was a hack or a payment unless they decide to declassify it.
It often isn't. The criminals know that the game theory is such that if they don't actually provide the files when paid, none of them will get paid in the future, as people will just assume the files are destroyed unrecoverably and move on. The scam critically depends on you being able to be confident that the files actually are recoverable and thus that paying the ransom is a viable option.
Encryption viruses are probably some of the best QA'ed code in the world.
I've heard of enough cases where the ransomware gang have not followed through after payment of the ransom, that I think that time ("if they don't actually provide the files when paid") has already passed.
1) There's no way to enforce this on private companies in the US without passing some sort of Federal law. I'm pretty certain no states have passed anything like this either.
2) So, we can assume the alliance is government agencies not paying ransomware. For the US, it's only the Federal government agreeing to this. If the County Court of Middle of Nowhere Nebraska gets ransomwared, the Feds can put all the pressure they want on them not to pay, but at the end of the day, they can't stop them from paying.