
University pays $20,000 to ransomware hackers - andygambles
http://www.bbc.co.uk/news/technology-36478650
======
desdiv
Why openly announce that you're paying the ransom?

Here are some major disadvantages that I can think of:

1. Announces to world that you have poor security/backup practices which
encourages more attacks against you

2. Announces to world that making and distributing ransomware is good
business which encourages more attacks against everyone

I understand that public institutions need financial transparency in order to
be accountable to the public. But the nature of this isn't any different from,
for example, a basement flooded due to poor design and required $20,000 to
fix. Someone screwed up, and it cost the university $20,000. Let's just pay
the money, fix the problem, and take steps to make sure it doesn't happen
again. No need to call up the local paper about it and make it a story.

~~~
cantrevealname
> Why openly announce that you're paying the ransom?

An effective thing they could have done is to announce that they paid the
ransom, but that the decryption did _not_ work (even though it did).

That has the advantage of discouraging other people from paying up, and
therefore reduces the incentive to create more ransomware attacks.

Hell, the government could step in and recruit people and companies to
_falsely_ claim that they were ransomware victims who paid up, but never got
decryption keys and were screwed over. That could put a damper on ransomware
psychology.

Thinking about it further however, this will probably lead to better "customer
service" by the ransomware makers. They'll adapt their software to selectively
decrypt part of your data for free, so they can offer you proof that they
can and will give your working keys once you pay up.

~~~
deciplex
> _Hell, the government could step in and recruit people and companies to
> falsely claim that they were ransomware victims who paid up, but never got
> decryption keys and were screwed over. That could put a damper on ransomware
> psychology._

This actually did happen to me. Paid the money, got the key, couldn't unlock
my files. Damn shame.

~~~
cantrevealname
I'm sorry to hear that. Being Hacker News I think we'd all be very interested
if you are able to share some details such as:

- how your system got compromised?

- did you have backups? (and did the backups get encrypted?)

- how much did you pay and by what method?

- why do you think the key didn't work?

EDIT: It now occurs to me that you're following my suggestion about falsely
claiming to be a ransomware victim to discourage ransom payments. Whoosh!

~~~
jstanley
> you're following my suggestion about falsely claiming to be a ransomware
> victim

effective, isn't it!

------
downandout
Microsoft really needs to build ransomware behavior detection directly into
Windows. The behavior of these programs is quite distinctive. The advent of
cryptocurrency was the missing link to enable all manner of anonymous
extortion schemes, and this one in particular seems to now be a mainstream
threat. Microsoft should be all over this.

~~~
danieldk
Ransomware detection is just a (perhaps necessary) band-aid.

By default all applications should be sandboxed. Why should a random
application be able to read/write to every user directory? We enforce process
separation in memory, we should do the same on disk.

~~~
digler999
> all applications should be sandboxed.

not a bad plan, but also, all data should be _backed up_. In this 'cloud age'
of computing, there's no reason, and no excuse. I certainly don't want to
blame the victims of ransomware, but if that data was so important that they
paid ransom to get it back, why didn't they back it up?

~~~
Mister_Snuggles
The Mac makes this so easy with Time Machine. Is there something that's
equally easy and effective in Windows?

~~~
fredsted
Why couldn't the ransomware encrypt your Time Machine drive as well?

~~~
Mister_Snuggles
It certainly could do this. I don't think Time Machine protects its data in
any way.

Backups have to be coupled with some kind of way of noticing that something is
wrong. If the ransomware encrypted your data slowly over the course of months
and you didn't notice you might be out of luck regardless of your backup
system.
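
Added example, not part of the thread and not any commenter's code: one way a backup job could "notice that something is wrong" is to compare each new snapshot with the previous one and hold it for review when many files vanished or turned into high-entropy data. The function names, the 7.0 bits/byte cut-off and the 0.3 limit are assumptions, and the sample trees are constructed.

```python
import math, os, tempfile
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def read_tree(root: str) -> dict:
    """Map relative path -> file bytes for every file under root."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = fh.read()
    return out

def suspicious_fraction(prev_root: str, new_root: str, high: float = 7.0) -> float:
    """Share of previously backed-up files that vanished or became high-entropy.
    Files that were already high-entropy (zip, jpg) are a known blind spot."""
    prev, new = read_tree(prev_root), read_tree(new_root)
    hits = 0
    for path, old in prev.items():
        cur = new.get(path)
        if cur is None or (cur != old and entropy(old) < high <= entropy(cur)):
            hits += 1  # vanished/renamed, or rewritten as high-entropy data
    return hits / len(prev) if prev else 0.0

def should_hold_backup(prev_root: str, new_root: str, limit: float = 0.3) -> bool:
    """True when the new snapshot should be held for review (assumed limit)."""
    return suspicious_fraction(prev_root, new_root) > limit

def build_demo():
    """Constructed sample: 10 text files; in the new snapshot 6 are replaced
    by random bytes (standing in for ciphertext) and 4 get a normal edit."""
    prev, new = tempfile.mkdtemp(), tempfile.mkdtemp()
    for i in range(10):
        text = (f"notes for lecture {i}\n" * 200).encode()
        body = os.urandom(4096) if i < 6 else text + b"one edited line\n"
        for root, data in ((prev, text), (new, body)):
            with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
                fh.write(data)
    return prev, new

if __name__ == "__main__":
    print(should_hold_backup(*build_demo()))
```

Comparing against an older generation as well as the most recent one matters here, because encryption spread slowly over many runs stays under any per-run limit.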

------
oolongCat
Ranked 151-200 in the QS rankings for CS. I bet if they handed this problem
over to the CS people in the university they would have willingly helped them
out to fix it.

Information security is even listed as one of their main research areas.

[http://www.cpsc.ucalgary.ca/cpsc_research](http://www.cpsc.ucalgary.ca/cpsc_research)

They even have some labs that do infosec

[http://icis.cpsc.ucalgary.ca/](http://icis.cpsc.ucalgary.ca/)
[http://ispia.cpsc.ucalgary.ca/](http://ispia.cpsc.ucalgary.ca/)

I bet the people at the CS dept must be pissed.

~~~
21
You missed this quote under the picture: "University IT workers tried to crack
the ransomware for more than a week before the payment".

BTW, are you implying that a strong CS university can break asymmetric
encryption? Why is everybody assuming that hackers are stupid all the time,
and only they are smart...

~~~
oolongCat
Actually I am implying it is possible for some types of ransomware. Here's an
example.

[https://github.com/leo-stone/hack-petya](https://github.com/leo-stone/hack-petya)

(the hn thread
[https://news.ycombinator.com/item?id=11474613](https://news.ycombinator.com/item?id=11474613)
)

------
tomjen3
The most interesting part of the article was that some ransomware sites have
threatened to publish their files if they don't pay - no backup strategy will
save you there.

~~~
skoocda
But consider the University of Calgary's actions in response... they publicly
announced the outcome of these events in the interest of transparency.

Wouldn't it be more transparent to just allow their files to be published?

Surely there are damages that could be caused, but as a public institution, I
feel like this is the way they should operate by default.

------
antihero
Since this exploits user level privileges, perhaps a good idea would be to
have a privileged version control system for user data. In that, you need
admin/root access to actually DELETE anything, and any file system changes by
users are simply versioned away. This means if you had ransomware that fucked
up your files (since this software typically runs at user level), you could
just instruct said versioning system to roll everything back as an admin?

~~~
pfg
I _think_ that's what many enterprise deployments do with shadow copies,
mostly for file shares. It would probably make sense for Microsoft to push
this feature for personal usage/smaller networks as well (not sure if you can
currently use it in that scenario).

------
jiqiren
I guess no backup strategy means no other option but to pay. Likely goes hand
in hand with weak or missing security strategy.

~~~
GP5Aloy
People who back up their stuff laugh at ransomware

~~~
joosters
...until they find the ransomware is in the backups too?

~~~
raverbashing
Only if they made their "backups" writable as well

~~~
joosters
It's difficult to create backups if you can't write into the backups storage.

~~~
gambiting
The way I do it is I create backups locally and then copy them to my NAS over
FTP (with a password), instead of Samba. Hopefully, that way any ransomware
would not be able to encrypt my NAS as well, as it does not have any publicly
accessible folders on the network.

~~~
joosters
The problem is that ransomware doesn't have to activate immediately, so you
can end up with multiple copies throughout your backups before it takes
effect. Hence, restoring from backups may not solve an infection.

------
Gustomaximus
Easy solution - the government writes into law it's illegal to pay ransomware
hackers. Sure hackers might get the occasional payee after this but the
likelihood goes down dramatically removing much incentive, especially for
larger organisations to be targeted.

~~~
tim333
The ransomware would still be about. Even if the US banned paying, there are
other countries.

------
Cheyana
They reference another article that contains a quote from an Intel employee...

"Ransomware and crypto malware are rising at an alarming rate and show no
signs of stopping," said Raj Samani, European technology head for Intel
Security.

That statement instills a confidence in me that makes me so glad Intel bought
McAfee six years ago.

------
otempomores
Could one mimic the human immune system when it comes to security? All shared
data is blockchained and if one producer shows lacking response all his
contact partners get quarantined. Infections.. Yes on a large scale (even
local) no

------
tim333
Someone should make a usb hard disk that doesn't allow existing files to be
modified on it unless you flip a physical switch. Then you could back your
data to that and not worry about it being wiped / encrypted.

------
dsfyu404ed
Sorry but it was probably cheaper than implementing backups all along, eh?

------
VeejayRampay
People asking for ransoms are shady to begin with, but to target a university?
That's past gangster, that's just wrong.

~~~
digler999
universities charge fees that are tantamount to "ransom" in order to get your
degree. They aren't much better (at least US ones) than the thieves.

~~~
markdown
> US universities charge fees...

FTFY.

The University that this story is about is Canadian.

------
otempomores
Security audits... I'm sorry, Sir, we don't have that kind of money...

------
SHFT101
With $20,000 one could get a really nice backup system.

~~~
barking
I see you backed up your comment

------
SHFT101
With 20,000$ could get a nice backup system.

------
whatsamattayou
If you're a Windows programmer, might be a good idea to write a Windows
Service that watches for drive encryption. Then you could stop it before it
does anything. For now, I think most of the methods are known, so they are
easy to watch for.

~~~
webtechgal
IMO, Micro$oft can gain a huge amount of positive press/PR as well as user-
love by integrating a defense/protection mechanism right into the OS.

~~~
simonswords82
The moment Microsoft try to be proactive and integrate a defence mechanism I
would suspect people would then try to hold them liable if another ransomware
attack succeeded.

Microsoft could do without the overhead, or the headache, and so despite the
PR upside it's probably not worth their effort.

Might be an opportunity for an ISV to make a utility though?

~~~
pfg
The same logic could be applied to their built-in anti-malware software
(Windows Defender), so I don't think that's what's stopping them.

------
hannob
The headline could also be "University willingly supports criminals with
$20.000" - and it would be more honest.

That's really something that bothers me with the whole ransomware thing:
People seem to be completely ignorant to the fact that by paying they're not
only getting back their data - they're paying the bills for the people who
will launch more attacks against other people. And thus they're themselves
guilty of supporting the same crime that just hit them.

~~~
mapt
... under duress.

That's why it's termed 'ransom'. Because people who don't pay, have things
taken from them. You don't really get to condemn ransom payers on ethical
grounds without being an asshole.

~~~
kwhitefoot
Of course one does!

Paying a ransom encourages the criminal behaviour; it therefore negatively
affects all potential victims by making them more likely to become actual
victims.

Also, in some jurisdictions paying a ransom is actually a criminal offence so
one could end up causing further negative consequences for your family,
friend, colleagues, or the institution you work for.

