
UCSF admits it paid NetWalker more than $1M ransom - hakh
https://www.databreaches.net/ucsf-admits-it-paid-netwalker-more-than-1-million-ransom/
======
sliken
Previous thread:
[https://news.ycombinator.com/item?id=23659590](https://news.ycombinator.com/item?id=23659590)

------
MattGaiser
The poor IT guys there probably asked for a couple thousand for backups
instead and were previously denied. Ransomware first rose to prominence three
years ago.

Yet seemingly little has been learned?

~~~
RNCTX
I know the university I attended has learned nothing at all. State university
in a wealthy US area with over 30,000 students. They still think security is
forcing everyone to change passwords once every 6 months. No offer of 2fa of
any sort for any service.

I stopped using my email address between transcript requests because the whole
student/faculty directory is rampant with student employees of local
businesses sending spam within the system.

A permanent link is a complete mystery of a concept to them as well. Every
time the sun shines on an article in public media for them the glory is sure to be
short-lived, because Google's link will be broken in 6 months tops.

~~~
MattGaiser
> A permanent link is a complete mystery of a concept to them as well. Every
> time the sun shines on an article in public media for them the glory is sure to
> be short-lived, because Google's link will be broken in 6 months tops.

I am baffled that universities (and so many others) don't just use WordPress
for publishing their media.

~~~
ElCapitanMarkla
Why would you use crappy free WordPress when you can pay a couple hundred
thousand for a vastly superior MS SharePoint setup...

~~~
mercer
Or Drupal, if that's still a thing...

~~~
RNCTX
The important thing is that you change whatever you use as often as possible
so that those social media and search links stop working ASAP.

------
nradov
Paying ransoms should be a criminal offense. That's the only way to remove the
incentives for ransomware attacks. If that means some businesses fail or
government agencies get temporarily shut down then that's acceptable
collateral damage and will serve as an object lesson to others about the
importance of IT security.

~~~
smabie
How about kidnapping insurance? Should that be illegal?

~~~
bananamerica
That is not a reasonable comparison.

~~~
cheriot
It's insurance that negotiates and pays ransom. How is that not comparable?

~~~
cj
One has to do with a human life.

The other has to do with ones and zeroes on a hard drive.

~~~
paulcole
What if the ones and zeros have to do with human life?

Imagine there was a cyber attack on Juicero and software engs throughout SF
couldn’t make their Soylent-Bitcoin shakes.

~~~
Ghjklov
Don't even joke. Think of how many SEs you just shook out of their sleeveless
jackets.

~~~
paulcole
Sleeveless jackets? You mean the Patagonia vests?

~~~
Ghjklov
Yeah lol, I meant to say vest, but I thought it was wrong and edited it to
jackets.

~~~
paulcole
Wasn’t sure if Apple had rebranded vests as sleeveless jackets. Tim Cook like,
“You’re going to love what we’ve created and we can’t wait to see how you use
it to keep warm while waiting in line at Philz.”

------
captn3m0
Always been curious about the tax accounting for ransoms.

Does anyone know how it is reported usually? Going public must make it harder
I guess?

How do you explain a bitcoin purchase from a business account without an
invoice to the taxman otherwise?

~~~
secabeen
It's a business expense like most others. In this case, it's considered theft,
but you still can deduct it:
[https://www.forbes.com/sites/robertwood/2017/05/16/if-you-pay-ransom-write-it-off-on-your-taxes/#46e1960e14c4](https://www.forbes.com/sites/robertwood/2017/05/16/if-you-pay-ransom-write-it-off-on-your-taxes/#46e1960e14c4)

------
Ghjklov
I'm imagining a scenario where a UCSF insider could coordinate this with
someone by deliberately getting their system infected and then splitting the
money with whoever is behind that NetWalker instance. Do you guys think that
would work?

~~~
mc32
They had better have well-thought-out plans to make a new life in France...

------
logicallee
Why isn't paying ransom illegal?

Points:

* Any time any ransom is paid it is in the most literal sense funding ransom, even more directly than funding terror in the most direct way possible: when you send a check to ISIS that may or may not _actually_ fund terror. Maybe whoever you sent it to is just good at making an ISIS recruitment page and doesn't do much real terror, just marketing.

* But paying a ransom by definition directly funds ransom, far more directly than sending money to ISIS directly funds terror.

* Whoever gets the money at ISIS might spend it at a brothel, there's no proof of terror.

* But whoever gets your ransom when you are ransomed by definition engages in ransom.

* You are funding ransom by definition.

* Additionally, since all rich nations are generally pretty law-abiding, making paying a ransom strongly illegal means that the companies have no choice. They're simply not able to write the check or wire the funds.

* Finally, another strong reason to make it illegal: anyone could claim falsely to be ransomed. If I wanted to fund ISIS I could literally write on a piece of paper which messages to send me in what sequence, and then I could send them money and claim falsely to be ransomed by them.

* Paying a ransom should be strongly illegal.

* Also note that this is a good analogy with "possession of stolen goods" - the fact that such is a crime largely destroys the market for stolen goods. The market would be much stronger if possession of stolen goods weren't a crime.

* There is an argument made about direct consequences: "But if we don't pay they will _actually_ kill my daughter!" The same argument applies directly to paying bribes: "But if we don't pay, we _actually_ can't get a license to sell in that country!" Still, paying bribes abroad for routine administrative work is _illegal_. Companies can't do it. If they do it, they get fined. Result? 1) (immediately) companies stop doing it. 2) administrators stop requiring it.

The world becomes free of bribery. This proves that making paying bribes
illegal _works_.

Why wouldn't it work for making ransoms illegal? UCSF just funded a ransomist
$1M. That should be illegal.

The going rate for a thug in a third world country might be $800 per month.
UCSF just paid for one thousand two hundred and fifty man-months of abduction.

~~~
ineedasername
_> The world becomes free of bribery. This proves that making paying bribes
illegal works._

Have I misunderstood your tone here, or do you actually believe this? Because
bribery is illegal, and happens all of the time. The few who get caught get in
trouble. Heck, Goldman Sachs does it when it's needed to land deals! [0]

I imagine the same would happen if ransom for ransomware was made illegal.
Thieves wouldn't care; what they do is already illegal. If someone they
infect with ransomware can't figure out how to get them their money, what do
they care? I'm sure their profits would go down, but it wouldn't stop. If
anything it might just drive them to hit many smaller targets to get through
volume what they can no longer get through big hits.

[0] [https://www.sec.gov/news/press-release/2019-260](https://www.sec.gov/news/press-release/2019-260)

~~~
logicallee
I don't think there are any countries left where international companies can't
operate _at all_ without paying bribes. Maybe they won't get their permits as
fast, but they can still operate.

The fact that GS acts criminally is on GS. The fact that you can do business
without being criminal like GS proves that this works.

See how I just shifted the conversation to the fact that GS is criminal?
That's what we want. Not some routine transaction.

~~~
ineedasername
Sure, yes, bribes are criminal. But making them criminal didn't make them go
away. Now you are shifting your claim from saying the world is bribe-free to
simply saying it's not necessary. Which is also not true anyway:

I know someone, in the US, who was unable to get a health-inspection sign-off
without making a separate "gift" to the inspector. The permit languished for
months, with no apparent progress or response. Money was being lost. Finally
the inspector showed up and made a reference to this "gift". The person I know
said he might take his issue to the head of the health department. The
inspector said "that's fine, you can do that. When you speak to him, tell my
father that I said hello." Other areas of the same business were unable to get
a certain supplier to either show up, or when they did, to provide usable
product, until a kickback was given. Why not choose a different supplier?
Because the type of supplier had to have a specific license to distribute the
product, and suppliers had divided up territory so there was only one supplier
in any area.

Bribery is alive & well. All making it criminal has done is ensure that when
it's discovered, it is punished.

~~~
logicallee
So I have a different perspective on what you just wrote. To me a world where
you have to pay a bribe is very different to one where it is possible to do
business without one. If anyone is doing business in a country without paying
a bribe, then everyone can. It's like the difference between being able to run
a restaurant without paying the mob and basically ignoring them, and not being
able to run that restaurant because they will come and beat you up until you do.
That is a huge difference. The mob might still sell heroin or do other stuff
the city doesn't want them to do but they are not beating up business people
who refuse to pay them. That is a _huge_ difference. When it is illegal for
you to pay a bribe you can _always_ say that you are not able to, because it's
illegal and you're law-abiding. It's that simple.

Regarding your example: to me "that's fine, you can do that. When you speak to
him, tell my father that I said hello" sounds like a scared bluff. After all
the father in this situation has even more to lose than the son does! (Because
of the father's higher rank.)

So the conversation is totally shifted. It might not even be his father in
this case. It is always easy to be on the side of lawfulness. When there's a
law behind you.

Without that law, it is just you and the ransom seeker, making a private
arrangement. No, that's not the way the world should work.

I think making paying bribes illegal is fantastic, and the same thing should
be done for paying any ransom. People respond to incentives. The government
has to destroy that business model.

Let me paint you a picture: imagine if you were scared to go on the Internet
right now, from any of your devices, because it is similar to going to a gang-
infested part of the city where you will get beaten up. That's the world you
think is okay: one in which you are being cyber attacked and forced to pay a
ransom for "protection". No.

Actually that's not the world we live in: when I connect a device to the
Internet, I don't feel like I'm about to get beaten up, and neither do you.
This works. When someone pays $1 million to change that world, they're doing
something very wrong, and it must be strongly illegal.

------
joemazerino
How many breaches does it take for the right policies to be put in place?

~~~
MattGaiser
It usually needs to be an expensive or embarrassing breach to bring change.

~~~
signa11
hello equifax...

------
julianeon
Has anyone considered designing an IT infrastructure from the ground up that
would be maximally resistant to ransomware?

I think past generations are excused for not preparing this, simply because it
was theoretical. It is real now. So designing systems that _assume_ some part
will be captured eventually, and then work to minimize that before they are
even deployed, would be timely now.

------
cosmodisk
Why am I not surprised? The first two minutes doing Google dorks returns all
sorts of private stuff from quite a few US universities. They are easy targets
to say the least.

------
pengaru
Apparently when you're accustomed to paying SF cost of living $1.14M loses its
sting. /s

