
“I was told to buy a software or lose my computer: I ignored it” - feross
https://blog.acolyer.org/2019/10/16/ransomware/
======
mysterypie
> _With a U.S. population of ~200M, let’s call it 4M infections /year. We know
> that 4% of respondents paid the ransom, so that’s 160,000 ransom payments.
> If we say $200 per paid ransom as a guess, that means the ransomware
> ‘industry’ is making about $32M a year._

The U.S. population is actually ~327M, but since we're talking ballpark
figures, let's just say that ~200M represents the adult computer-using
population. It strikes me that ransomware is both much bigger and much smaller
than I thought. The 160,000 ransom payments is much bigger than I would have
guessed. It's not like being struck by lightning; it's more like a serious car
accident. But the actual revenue generated, $32M as he's estimated, is
pitiful. There are all sorts of illegal, quasi-legal, and legal ripoffs that
generate billions per year. For the amount of attention ransomware gets, it's
just noise.

~~~
est31
As with most criminal activity, the damage created by it is much larger than
the money made. I couldn't find any US figures, but global estimates claim
ransomware-caused damages of 11.5 billion USD in 2019:
[https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/](https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/)

~~~
codemac
This was calculated by Cisco & Cybersecurity Ventures, who both directly
profit from the fear generated by these figures. I do not trust these figures.

This is marketing for CIO/CISO's to read so they make sure to add in various
security features to their BoM for purchase.

~~~
brmgb
Cybersecurity Ventures is not a clickbaity newspaper. They are specialists.
Obviously when they publish articles in their domain, it has an advertising
purpose but producing shoddy figures would only hurt their brand.

You can't trust everything coming from companies at face value. That doesn't
mean you shouldn't trust anything.

------
tmikaeld
On MacOS, the free "RansomWhere?" tool is a really nice thing to have: it
warns if any app is hammering files and stops it until you approve/deny.

[https://www.objective-see.com/products/ransomwhere.html](https://www.objective-see.com/products/ransomwhere.html)
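As an added illustration (not RansomWhere?'s own code, and the thresholds are assumed values), here is the shape of a "process hammering files" heuristic such a tool applies: count high-entropy writes per process in a short window and flag the process that exceeds a burst threshold, run over a constructed event stream.

```python
import math
import random
from collections import defaultdict, deque

# Tunable thresholds (assumed values for illustration, not RansomWhere?'s).
WINDOW_SECONDS = 2.0      # look-back window for counting writes per process
MAX_WRITES_IN_WINDOW = 5  # more than this many high-entropy writes => suspicious
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class WriteBurstDetector:
    """Flags a process that writes many high-entropy files inside a short window."""

    def __init__(self):
        self._recent = defaultdict(deque)  # pid -> timestamps of suspicious writes
        self.flagged = set()

    def observe(self, pid: int, ts: float, content: bytes) -> bool:
        """Feed one write event; returns True when pid crosses the threshold."""
        if shannon_entropy(content) < ENTROPY_THRESHOLD:
            return False                  # plain text / structured data: ignore
        q = self._recent[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()                   # drop events that fell out of the window
        if len(q) > MAX_WRITES_IN_WINDOW:
            self.flagged.add(pid)         # a real tool would suspend pid and prompt here
            return True
        return False


def run_demo() -> set:
    """Constructed stream: pid 7 saves plain text, pid 42 mass-writes random data."""
    det = WriteBurstDetector()
    text = b"The quick brown fox jumps over the lazy dog. " * 20
    for i in range(10):                   # editor-like saves, never flagged
        det.observe(7, 0.1 * i, text)
    for i in range(8):                    # 8 random-looking 4 KiB writes in 0.8 s
        det.observe(42, 0.1 * i, random.Random(i).randbytes(4096))
    return det.flagged
```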

~~~
vezycash
Windows 10 now has in-built ransomware protection with Windows Defender.

~~~
jermaustin1
Does it actually work? I haven't had a virus in decades to my knowledge, and I
stopped running virus scanners back in 2005 or so. Windows Defender is on my
computer, but I never run a scan. Maybe it does in the background, but I've
never seen anything notifying me about a virus or ransomware or malware.

~~~
rightbyte
I have a processing program I wrote that runs through hundreds of thousands of
html files on a Windows machine monthly, and it is really slow unless I turn off
Defender, so I assume it's checking what my program does somehow.

~~~
vezycash
Have you tried whitelisting your program in defender?

~~~
rightbyte
No, good idea I will try it.

------
Const-me
Offline backups.

A ransomware can technically encrypt all drives, steal password from cloud
backup software, and destroy it too. Or they can be destroyed by uploading
encrypted files. No software can destroy data on a hard drive that's
disconnected and unpowered. Only I can.

------
cat199
usually I don't say anything since this usage is so prevalent, and I typically
hate being pedantic about grammar, but since this is a journal title:

it is not 'a' software. not here, not there, never. the construct
<category-of-material>-ware is plural. period. therefore there can never be 'a' of them.

it is 'software' or 'a <noun describing unit> of software', e.g. 'a piece of
software' or perhaps '<quantifier> software' as in 'some software' 'this
software', 'malware removing software', etc. 'a software program', which can
be shortened to 'a program', etc, is fine, because the 'a' refers to
'program', which is implicitly in the singular.

~~~
matthewowen
Uhhhhh it's a quote from someone who said it that way, and that choice is
presumably meant to convey that they aren't particularly tech savvy.

~~~
posterboy
this is both non-sense. proscriptive arguments drawn from nothing but your
single minded authority have little value in discurs. "a software" (sorry) is
quite frequent. fullstop.

Ger _ware_ is singular by the way.

~~~
cat199
1) Are you a native speaker?

Frequency of 'a software' arrived with the growth of non-native speakers on
the internet, and is irrelevant to its 'correctness'. Plenty of bad non-native
speech patterns are 'frequent'; one can often tell the country of origin of a
person from speech irregularities and even adapt a pseudo-dialect which may
even improve the ability to communicate with them.

Don't have stats to back it up, but I have been involved in computers from the
mid 80s and literally never heard this term until ~99 or so, initially
typically in the context of text clearly written by non-native speakers, and
then gradually gaining some traction among younger users who think it's 'cool'
or 'normative'. I have no doubt that a more formal investigation would line up
with this, give or take.

2) It's 'discourse' not 'discurs'. It's also 'nonsense' and not 'non-sense',
and also 'full stop'. All of which would imply that the answer to #1 is 'no' -
which proves a further point - that idioms and patterns of speech matter to
correctness and are quickly seen by native speakers, but are not usually
obvious to those who learned the language second hand.

Based on these mistakes, the bizarre 'this is both' introductory phrasing,
parenthetical '(sorry)' and the general dry, dismissive tone with a petite
je-ne-seis-pas of anti-authoritarian mockery that is just begging for a leading
'pfft', my guess is that you are French. Not really germane to the
conversation, but, if correct, it underlines my point about the obviousness of
idioms and cultural undertones to native speakers (of any language really).

3) To support 1 and 2: If I am incorrect, which, weighing my thoughts against
North American vs British idioms, I'd be happy to be incorrect but am fairly
certain I am not, please show me a single usage of 'bakeware', 'cookware',
'hardware' or any other 'ware' where people say 'a <x>' existent in any piece
of literature prior to the existence of computers:

    I took a bakeware and baked a lasagna: no.
    A pan is a bakeware: no.
    I washed a cookware and made a salad in it: no.
    A bowl is a cookware: no.
    Can you hand me a silverware? I need to cut my steak.: no.
    A knife is a silverware: no.
    I bought a hardware from the hardware store to fix the fence: no.
    A hammer is a hardware: no.

And, even in computers, the (incorrect) 'a software' use is inconsistent w/r/t
hardware:

    I bought a new hardware to run my application: no.
    The new iPad is a great new hardware: no.

4) 'A ware' is singular, but also non specific. X-ware is plural. Whatever
this meant in pseudo-proto-germanic is irrelevant to a discussion of English.

------
IOT_Apprentice
I don't understand the title of the article or presentation. It appears to be
a quote, and on first glance doesn't seem to be part of the article body
itself.

------
djhaskin987
"Removed by someone else" = my family member called me up in tears

------
jnty
Interesting that despite the huge effort both sides put into
fixing/exploiting vulnerabilities, the biggest risk factor seems to be directly
downloading random dodgy stuff.

~~~
thomascgalvin
I suspect that this is always going to be the case. There are a lot of people
literate enough to operate a computer, but not literate enough to understand
the risks they're taking by running something they download off of
scammers.ru. Exploiting these people will always be easier than actively
circumventing OS-level security.

~~~
inanutshellus
I was going to say "Desktop apps need permissions like Android apps" that ask
your permission to access resources and then was immediately reminded of the
"I'm a Mac" commercials mocking Windows for doing exactly that... /Le sigh/...

I used to use this software called Clean Slate that would watch all the
changes you made to your computer and undo them when you restarted. Maybe it's
time for Grandma to get her own Docker instance.... :-)

~~~
greggman2
Is Steam a big vector? Gamers download hundreds of apps, all get installed as
admin. You have to trust every dev of the game and the devs of every library
they use. Not just trust that the devs weren't actively trying to be evil but
also that there are no bugs in their networking code
([https://momo5502.com/blog/?p=34](https://momo5502.com/blog/?p=34)) nor any
bugs in their deserialization code for mods.

~~~
freeflight
> Is Steam a big vector?

I've never heard of something like that happening, and I've been using Steam
since day 1.

Trying to find something on Google about that only turns up the usual
"Hijacked accounts spreading malware to friends" scheme [0] and
vulnerabilities in the client itself [1], but nothing about Steam distributing
malware hidden in games.

Which is kinda unexpected, I probably just didn't dig deep enough?

[0] [https://www.hackread.com/hacked-steam-accounts-spreading-malware/](https://www.hackread.com/hacked-steam-accounts-spreading-malware/)

[1] [https://thenextweb.com/apps/2019/03/21/valve-steam-vulnerability-malware-steal/](https://thenextweb.com/apps/2019/03/21/valve-steam-vulnerability-malware-steal/)

------
jansan
At the end of the article you can see quite a bold attempt at curve fitting.

~~~
nothrabannosir
Not to mention that there is very little motivation given for the
quantification of the individual threats. Not having 2fa is apparently 1
point, backing up only every few weeks is 2, .. it almost seems as if these
were chosen retroactively to make the curve look the way it does.

From the paper:

> _Given the results above, we now present and discuss a proof-of-concept
> approach to risk assessment to estimate future ransomware infection that is
> based only on self-reported security habits and past exposure to online
> scams. The method demonstrates that assessments can, in theory, be made with
> relatively little information, enabling consumers to estimate their own risk.
> We stress from the outset, however, that we merely intend to illustrate the
> general approach; in particular, the strategy we present would need to undergo
> more rigorous evaluation before it could be responsibly used for
> risk assessment in the broader population._

Seems tenuous, that disclaimer notwithstanding.

~~~
jmmcd
> it almost seems as if these were chosen retroactively to make the curve look
> the way it does.

That's what regression does! And maybe they should've used regression, indeed.
Instead, this looks more like an "improper linear model"
[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.188....](http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.188.5825)
-- something we see less and less of now that regression models are at our
fingertips.

