
UCSF forced to pay more than $1M ransom to perpetrators of malware attack - tlrobinson
https://www.ktvu.com/news/ucsf-forced-to-pay-ransom-to-perpetrators-of-malware-attack
======
gentleman11
Organizations should be legally prevented from being able to pay these ransoms
and should instead receive funding to help them recover from the damages. It
funds an entire industry that can just grow and grow because it pays off

~~~
JumpCrisscross
> _Organizations should be legally prevented from being able to pay these
> ransoms and should instead receive funding to help them recover from the
> damages_

Isn’t a simpler solution insurance? The insurance company becomes a specialist
in pricing and reducing this risk. And the malware writers become, in effect,
ersatz pen testers.

Like a ban, you’re reducing the incidence rate. Unlike the ban, you’re
extracting a public good from the ransomers’ work in the form of better
infosec.

~~~
bb2018
Right now - a lot of hacked organizations may just say "it's not worth the
payout" but if they are already paying insurance then of course they are going
to tell the insurance company it's important and ask for the ransom to be paid.

I think the bright spot of the ban would be that if it was legally enforced
then all hackers would see this and quickly realize it wasn't worth the risk.

(Not sure if I'm for this 100% - but I think it is worth considering)

~~~
MaxBarraclough
> if they are already paying insurance then of course they are going to tell
> the insurance company it's important and ask for the ransom to be paid

Interesting point. If this kind of insurance became widespread, that would be
great news for the attackers.

------
tempestn
A major university not keeping backups of information worth $1M+ is grossly
negligent. It's not like this is a private individual with a desktop (who of
course should also have backups, but could be forgiven for not knowing that).
I'm sure UCSF has a whole IT department; how could they allow this information
to not be backed up to cold or offsite storage?

~~~
Schiphol
Not to defend anyone, but knowing universities as I do, the data in question
were perhaps in the hands of a bunch of postdocs, and not subject to any
centralized protocols.

~~~
tempestn
It said it was servers that were compromised though, right? So you'd think
there should be backups of the servers' data drives. I could understand if it
were just people's desktops that they're not supposed to be storing sensitive
stuff on anyway.

------
spekcular
Assuming this is medical data collected as part of UCSF's research (which
seems to be implied by the article), doesn't it become worthless once you know
malicious actors could have edited it? In other words, the chain of custody
was broken, so how can we trust the resulting papers?

I realize the perps _say_ they just encrypted it, but if someone has root
access to your computer, they can do whatever the hell they please.

~~~
galacticaactual
One could take this line of thinking arbitrarily far. For example - how are
you supposed to trust that authors of any paper, anywhere, always had
authenticated, authorized, and controlled access to their integrity-checked
data at all times during the entire span of their research?

~~~
spekcular
The people I know who work with medical data do indeed follow protocols like
this, involving for example hardware security tokens and encrypted, physically
secured private servers. Though, I believe this is more to protect patient
privacy than the data itself.

More generally, I'm happy to presume (as long as the data is password-
protected, say) that scientific data that hasn't obviously been vandalized is
trustworthy. However, in this case we have positive evidence of tampering, and
therefore a good reason to be skeptical.

~~~
londons_explore
I clearly know different people... The people I know have all their important
data in "Copy of Copy of Copy of Datav2 - FINAL.xlsx" saved in an email from a
PhD student.

------
nabaraz
This was discussed here.
[https://news.ycombinator.com/item?id=23659590](https://news.ycombinator.com/item?id=23659590)

------
LinuxBender
Do people perceive this to be more cost effective than backing up data?

What is the total cost in terms of down-time, failing audits, disclosing to
customers and employees that control of their data has been lost? Would that
loss be greater than a backup solution? Has it become taboo in 2020 to do
backups that can't be tainted by attackers or dodgy automation? It was not a
problem 20 years ago. What changed?

If it's cost, even a low end gluster cluster [0] or Ceph with an archive read-
only share that has rsnapshot [1] diffs for 5 days would mitigate this,
assuming you know within 2 or 3 days to sound the alarm. Rsnapshot would run
on the server. People would just see multiple folders with the last 5 days of
changes. The snapshots would not be writable by employees or malware. To
further reduce cost, perhaps de-duplicate data with ZFS or VDO [2]. Everything
mentioned here is open source and has multiple enterprise supported options
that your engineering and IT staff are likely already aware of. If not, there
are plenty of documents on integrating gluster into active directory.

[0] - [https://www.gluster.org/community/](https://www.gluster.org/community/)

[1] - [https://github.com/rsnapshot/rsnapshot](https://github.com/rsnapshot/rsnapshot)

[2] - [https://blog.delouw.ch/2018/12/17/using-data-deduplication-a...](https://blog.delouw.ch/2018/12/17/using-data-deduplication-and-compression-with-vdo-on-rhel-7-and-8/)
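The 5-day rsnapshot-style rotation described above, as an added example that is not code from the thread or from the rsnapshot project: it assumes GNU coreutils (for `cp -al`), a scratch directory under /tmp, and that the read-only export of the archive share is enforced by the file server itself (not shown here). It demonstrates why a corrupted live file does not propagate into yesterday's snapshot.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal rsnapshot-style daily rotation.
# Assumes GNU coreutils (cp -al) and a scratch directory under /tmp. Each snapshot is a
# hard-linked copy of the previous one, so only changed files cost space, and rewriting
# a live file never touches the inode that older snapshots still reference.
set -eu
DEMO="${DEMO:-/tmp/rsnapshot-demo}"
LIVE="$DEMO/live"          # the tree the server serves read-write
SNAPS="$DEMO/snapshots"    # the archive share, exported read-only to clients (assumed)
RETAIN=5                   # keep daily.0 .. daily.4, as in the 5-day scheme above

# Bring daily.0 in line with the live tree, breaking a hard link only for changed files.
sync_into_daily0() {
    ( cd "$LIVE" && find . -type f ) | while IFS= read -r f; do
        if ! cmp -s "$LIVE/$f" "$SNAPS/daily.0/$f" 2>/dev/null; then
            mkdir -p "$(dirname "$SNAPS/daily.0/$f")"
            rm -f "$SNAPS/daily.0/$f"      # unlink: the old inode survives in daily.1
            cp -p "$LIVE/$f" "$SNAPS/daily.0/$f"
        fi
    done
    ( cd "$SNAPS/daily.0" && find . -type f ) | while IFS= read -r f; do
        [ -e "$LIVE/$f" ] || rm -f "$SNAPS/daily.0/$f"   # deletions only reach daily.0
    done
}

# Shift daily.N to daily.N+1 (dropping the oldest), seed daily.0 from daily.1, then sync.
take_snapshot() {
    mkdir -p "$SNAPS"
    rm -rf "$SNAPS/daily.$((RETAIN - 1))"
    i=$((RETAIN - 2))
    while [ "$i" -ge 0 ]; do
        [ -d "$SNAPS/daily.$i" ] && mv "$SNAPS/daily.$i" "$SNAPS/daily.$((i + 1))"
        i=$((i - 1))
    done
    [ -d "$SNAPS/daily.1" ] && cp -al "$SNAPS/daily.1" "$SNAPS/daily.0"
    mkdir -p "$SNAPS/daily.0"
    sync_into_daily0
}

# Helpers for checking the result: file content inside a snapshot, and inode identity.
snapshot_cat() { cat "$SNAPS/$1/$2" 2>/dev/null || true; }
same_inode() { [ "$(ls -i "$1" | awk '{print $1}')" = "$(ls -i "$2" | awk '{print $1}')" ]; }

# Demo: snapshot, corrupt the live copy, snapshot again; yesterday's copy is intact.
rm -rf "$DEMO" && mkdir -p "$LIVE"
printf 'original study data\n' > "$LIVE/notes.txt"; printf 'static\n' > "$LIVE/readme.txt"
take_snapshot
printf 'overwritten\n' > "$LIVE/notes.txt"
take_snapshot
echo "daily.0: $(snapshot_cat daily.0 notes.txt) / daily.1: $(snapshot_cat daily.1 notes.txt)"
```

Unchanged files stay a single inode across all five snapshots, so the cost of the archive is roughly one full copy plus five days of churn.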

------
marmshallow
This is quite surprising. I feel like often the victims of ransomware do not
pay the thieves. Are there other high-profile examples of paying the
perpetrators?

~~~
gentleman11
My university paid when they got hacked. I think it’s more common than is
reported.

