
Ransomware gangs now outing victim businesses that don't pay - miles
https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
======
sparrish
They're not just outing them, they're dumping their data. That changes the
risk dynamic significantly. Before, if you didn't pay, you didn't get your
data back. Now, you don't pay, they expose all your data to the world. For
some companies, that will be a significantly more compelling reason to pay the
ransom.

~~~
tomp
Looks like they're doing our job.

First, the message was "back up your data". Now, they also added "encrypt your
data"!

~~~
jfengel
Does encryption really help? If they've compromised your system well enough to
lock you out of it, aren't they likely to have nabbed your passwords in the
process? Even if you were incredibly careful, there's not much you can do
about a keylogger. If you could prevent a keylogger, you could lock them out
entirely.

~~~
tomp
Maybe? AFAIK having more walls will result in fewer intrusions... Like, I
imagine that you can delete/encrypt all the files simply by having a local
username / network filesystem access. Doesn't necessarily mean you also
managed to hack usernames/passwords/databases/source code... Each wall is
another barrier to pass/hack!

~~~
cosmodisk
You can have 25 walls if you want but all it takes is Sally in accounts who
thinks it's a good idea to open this one email attachment... If I went rogue I'd
probably be able to hack my company left and right and I'm not even remotely
someone with those skills.

~~~
tomp
Relying on every employee to not do something "stupid" (i.e. stupid to _us_
but how would a non-programmer know without extensive training) is a
fundamentally flawed approach... Companies need to think about this, need to
adapt processes to account for failure at as many levels as possible. "bus
factor" and so on.

------
loup-vaillant
> _Less than 48 hours ago, the cybercriminals behind the Maze Ransomware_

I'd rather just call them "criminals".

The "cyber" prefix is generally unnecessary, and sometimes even misleading.

~~~
Jach
Add to your favorite text substitution add-on the mapping "cyber" -> "spider"
and you'll be less annoyed at its pervasive use.

~~~
sombremesa
So, what'd you think of Elon's spidertruck?

------
_trampeltier
If you had good backups, you didn't have to pay until now.

But to make the data public, they have to download all the data first. This
might be detected.

I know of several companies who set up the complete network again.

The most prominent company I know of at the moment is Pilz (pilz.com). Their
website was almost down for a month. Now, after 2 months, it is possible to
download datasheets and manuals again.

~~~
blackflame
To be fair, if you are taken over by ransomware, it's probably the best
decision to start from scratch and redesign your network so that this sort of
thing is mitigated in the future.

~~~
bboygravity
Who said these things come from "your" network?

~~~
blackflame
Because if it's an insider threat then you should have protections in place to
identify bad actors so that they know they will be caught if they even try. If
you don't then what are you even doing?

------
tinkertamper
I thought the big advantage of ransomware (for "the gangs") was that it didn't
actually require them to be able to extract the data. To impact a company you
only needed to be able to get your malware on their device; extracting the
data was not necessary for you to acquire a ransom.

If my company is beset by ransomware, and they claim they will release it I
can either assume:

1. They have extracted the data and I therefore have to assume they aren't just
going to delete it because I sent them a check.

2. They are bluffing and have only encrypted my data.

I don't think I can count on #2.

------
dmix
If the US had a thing like the UK's CBE/knighting Krebs would be worthy of one
for his constant public service exposing this stuff.

~~~
jt2190
[https://en.wikipedia.org/wiki/Presidential_Medal_of_Freedom](https://en.wikipedia.org/wiki/Presidential_Medal_of_Freedom)

------
freeflight
Some of those comments below the article are just scary.

People demanding death sentences and that Iran/China/Russia/North Korea be
nuked, over private business data leaks?

It's like the problem of attribution never has existed, nowadays the "smoking
cyber guns" are apparently everywhere.

~~~
ourmandave
Krebs has a better measured reply to the "Nuke 'em all!" comments.

[https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/#comment-501971](https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/#comment-501971)

_What needs to become the norm for the US Govt response to these gangsters is
for them to get in the habit of doing what they did in the Evil Corp case:
Once the offenders are positively identified, get the Treasury to issue
financial sanctions on them that prevent the crooks from transacting with
people and businesses outside their home country.

[https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/](https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/)

This is perhaps the most effective tool in law enforcement’s hands to combat
cybercrime — short of apprehending the bad guys. None of these dudes want to
be stuck in Russia, and they sure as hell don’t want all their money kept
there either. Rather, they tend to launder it by investing in properties and
other businesses outside their own country. Making it a crime for others to
accept their money is an extremely effective way of frustrating these
criminals._

~~~
big_chungus
On the other hand, many nations are making a concerted effort to undermine
America's position as the global financial hegemon (e.g. Europe's INSTEX).
What would America's recourse be were she to lose her control over global
financial markets?

~~~
jacquesm
As long as oil is traded in USD that won't happen.

~~~
perl4ever
That makes as much sense as thinking it matters whether the volume of a barrel
of oil is measured in US or metric measurements.

You can, like, exchange one currency for another. How do you think people buy
oil with every currency other than the dollar?

------
zelly
Maybe this will convince businesses to encrypt user data end-to-end.

Either lose the pennies you would've made from data mining or lose real
millions from getting ransomed. Your choice.

~~~
siffland
I would bet most of this is users clicking things they should not. Recently my
company put out a phishing email and people clicked on it and then started a
thread on the internal forums about how mad they were the company would do
this (they had to take extra training if they fell for it). Another co-worker
was telling me about his old position where he put thumb drives in parking
lots and people would pick them up and plug them into their work computer, and
they would get mad that their security team did this exercise and caught them.

Yes, a lot can still be done with security on machines and traffic, etc.... But
the human factor is hard to control and fix. If someone sent out a phishing
email with a link that said "click here to see magical unicorns jumping over a
rainbow", someone would click it. I know people I work with who would click
it. It gets frustrating, at least for me, since I have a lot to do with
security where I am at.

~~~
AnIdiotOnTheNet
What's frustrating is that we're still dealing with systems where these kinds
of simple and obvious actions are not safe.

What reasonable person thinks that clicking on a link is a potentially
dangerous act? That's how everything is done these days, and we're not
supposed to trust that it is a safe operation?

We're not supposed to plug in a USB drive to see what's on it? That's pretty
much all they're for!

~~~
loopz
People expect to plug in USB and have it all magically work. In this case
hardware/firmware get full access and can fry your port.

0-day bugs and lacking updates make promiscuous internet use hazardous, yet
people expect the browser to do everything a PC can.

------
C1sc0cat
Is this not a confession? Anyone connected to the domain and the hosting ASN
and the ISP is going to have good opsec or never travel outside certain
countries.

~~~
gruez
> anyone connected to the domain and the hosting ASN and the ISP is going to
> have good opsec

Why would the hosting company/ISP be at risk? Just run it from a non-US
extradition friendly country, and say that you won't take any action unless
there's a court order from your local court.

~~~
C1sc0cat
Conspiracy, computer misuse laws for one and if you targeted CNI sites - much
stronger laws -)

------
throwawaysea
I can see this being a catastrophic outcome for hospitals. If the health and
privacy of your patients is at stake, wouldn’t you pay up?

------
interestica
Just today, in Canada, LifeLabs released that they paid the ransom after info
for 15 million people was stolen.

[https://customernotice.lifelabs.com/](https://customernotice.lifelabs.com/)

------
hhahah
Thanks to Bitcoin; without it, ransomware gangs can't do that.

------
gradschool
Let's hope this idea catches on with patent trolls too. It's about time they
outed all the businesses that don't agree immediately to settle.

------
lacker
Just imagine how much Facebook would pay up if a hacker had exfiltrated the
database of all private Facebook messages, and was threatening to release
them.

~~~
bagacrap
What incentive would the hackers have for actually deleting their copy after
receiving payment?

------
dmix
> KrebsOnSecurity was able to verify that at least one of the companies listed
> on the site indeed recently suffered from a Maze ransomware infestation that
> has not yet been reported in the news media. I'd bet 90% of companies never
> publicly acknowledge they paid.

Another checkmark in the category of not making paying ransoms illegal. This
whole new data-dump threat vector just doubles down the threat to keep it
quiet and pay it out.

Law enforcement will rarely catch enough of these companies who do pay to make
it meaningful. Most of these are small time private businesses who are more
than capable of keeping it quiet, without information release obligations to
investors.

We need public education campaigns for backing up company data offsite and
encouraging more companies to invest in security firms to raise the bar for
these attacks. It's the only way they'll slow down.

------
dang
Recent and related:
[https://news.ycombinator.com/item?id=21806821](https://news.ycombinator.com/item?id=21806821)

------
Miner49er
Anyone have a link to Maze's website?

~~~
jacquesm
Obviously even if someone did have that link they should not post it here.
Giving wider visibility to this makes the problem worse, though I'm all for
releasing the names of those companies.

~~~
avthrow9
> Giving wider visibility to this makes the problem worse, though I'm all for
> releasing the names of those companies.

Aren't these mutually exclusive positions?

~~~
jacquesm
No, because the data affects the data subjects but the names of the companies
just affect the companies and gives their customers a fighting chance at
limiting the damage.

------
thrownaway954
This could be a twofold disaster. Correct me if I'm wrong, but isn't NOT
reporting a breach a pretty heavy fine in some countries today? Worse, if they
are dumping the data, people in the EU could be hit by GDPR fines as well if
the exposed data shows they weren't keeping up with guidelines.

~~~
jacquesm
Absolutely, and this is problematic because now we end up with a set of
incentives that works against the public interest. This will make it more
likely for the companies affected to pay up. The one bit of light here is that
it will show up in their accounting and auditors tend to have reporting
obligations if they come across evidence of a crime.

------
PleaseLoveMe
If I understand correctly you are already required to report the data loss
according to GDPR and you'll be fined accordingly, whether the data is then
leaked or not.

Isn't the clear course of action then to report, pay the fine and tell the
criminals to get lost?

------
buboard
Some of us mentioned that this would happen once GDPR came out. Not disclosing
breaches is now a punishable offense, and this becomes a weapon in the hands
of malicious hackers.

~~~
mannykannot
From article 4:

(12) ‘personal data breach’ means a breach of security leading to the
accidental or unlawful _destruction, loss_, alteration, unauthorised
disclosure of, or _access to_, personal data transmitted, stored or otherwise
processed;

So it seems that a ransomware attack is considered a breach - as it should be
- and neither exfiltration nor disclosure is necessary for that to be the
case.

Any sort of access is a weapon in the hands of a malicious hacker. Penalties
for allowing it to happen are weapons in the hands of those trying to do
something about it.

~~~
buboard
Security is notoriously asymmetric and a continuous arms race, so it's rarely
a case of "allowing it to happen". There is a case to be made for making it
unprofitable for hackers to run such operations. The law here does the
opposite by making it more lucrative.

I think the best thing to do is to minimize sensitive data completely, no logs,
no nothing. But then you move the burden of security to the end user (e.g.
they'll have to re-enter their credit card every time), which is probably
higher risk.

~~~
mannykannot
If everyone adopted your solution, the issue that you originally posted about
would no longer be an issue, so the best way to get everyone to your solution
would be to increase the penalties until nothing else is viable!

The reality is that you are creating a false dichotomy / straw man here. While
reducing the amount of personal information that is gathered and stored should
be the first response, that which remains can be handled appropriately with
encryption and defense-in-depth.

