
University of Utah pays $457k to ransomware gang - jpkoning
https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/
======
paulpauper
This shows how bug bounties are pitifully small and inadequate. Stop thinking
that a $10k reward will prevent hackers. Either pay up for sec experts or be
prepared to pay up through extortion or having your site exploited, and it
will cost way more than 10k.

~~~
paxys
Actually it's the exact opposite. Bug bounty programs have constantly proven
to be among the most effective ways of increasing a company's security, no
matter how "pitiful" the payouts are. The overwhelming majority of people,
when they find an exploit, are going to do the right thing and report it,
not sell it to the highest bidder. Increasing the bounties isn't really going
to help, considering there's always going to be a hacker group or government
entity willing to pay more.

Of course the programs aren't going to be a replacement for real product
security teams, but they were never meant to be.

~~~
Veserv
Actually you are both right. Bug bounty programs are extremely effective
because they find serious vulnerabilities for vastly less than the damages you
would expect if they were exploited. However, the fact that the bug bounties
are so low indicates that the prevailing security is atrocious.

To explain, generally speaking a bug bounty is going to the smaller of:

1. Cost of Discovery, since that is the amount someone would be willing to
find bugs at; otherwise they are losing money on each bounty they get.

2. Cost of Damage (risk-adjusted), since that is the most a company would be
willing to pay.

The reason for this is that as long as the Cost of Discovery is lower than the
Cost of Damage (up to ROI), it is reasonable to keep paying the Cost of
Discovery since you are paying less than the risk-adjusted harm. But, there is
also no point paying significantly more than the Cost of Discovery as long as
people keep reporting problems as fast as you can fix them since there is no
real reason to pay to get more problems than you can fix. So, to first order
the bug bounty for a certain type of problem reflects the cost of discovery of
that type of problem.

Circling back to the original point, we see problems that can cause millions
in damages getting bug bounties on the order of $10K. This means that, to
first order, million dollar attacks only cost $10K to execute which results in
a crazy high ROI in the 100s. With an ROI in the 100s, it should be no wonder
that such attacks have been increasing in frequency given their sheer
profitability. The fact that bounties are so low for such critical problems is
a major indictment on the prevailing level of security in the industry.

~~~
giancarlostoro
> 1. Cost of Discovery, since that is the amount someone would be willing to
> find bugs at; otherwise they are losing money on each bounty they get.

This is probably the biggest issue in terms of incentives to a researcher.
You're either finding the bug by accident or out of curiosity, or you stop
short of basically losing money you would otherwise earn doing a paid audit.

------
frakt0x90
I have to say I think ransomware is one of the most interesting "business"
practices. The trustworthiness of the criminals is huge because if they have a
track record of providing the decryption key, you may as well pay.

In a logical extreme you could start adding features like "Give us the info of
people you know and for every one we successfully extract a ransom from we'll
give you 10% off your ransom."

It's interesting to think about at least.

~~~
jjeaff
I think one of the only ways to stop ransomware would be to set up a team
distributing the ransomware, extracting fees from the victims and then -not-
providing the keys. A few high profile cases of this should be enough to
destroy confidence that paying a ransom will work.

~~~
russellendicott
This is brilliant. Destroy the credibility of the criminals.

~~~
jacquesm
By becoming a criminal yourself? The cure seems to be much worse than the
disease.

------
Hitton
You really can't blame them much, they had backups. A university doesn't work
like a corporation: you have thousands of students who change every year and do
their projects, for which they require a lot of access; you can't lock down
everything dangerous, can't have any sensible BYOD policy, ... It's really hard
to lock up everything while not limiting students too much. With an
organization like this, that sort of incident is unfortunate but inevitable.

~~~
tomashertus
Public universities and their security budget are highly underfunded. They
can’t afford to invest heavily into security.

~~~
Scramblejams
Is it that they can't afford it? Or is it instead that they would need to
reprioritize some of their spending to invest into security?

------
leephillips
What if it were a federal criminal offense to pay ransom? With long prison
sentences for any individual convicted of participating in or having knowledge
of a payoff? And the government was serious about tracking down and
prosecuting anyone who did so? Nobody would pay ransom, and, at least in
countries with such a law, these extortion gangs would stop bothering.

~~~
colinmhayes
Then they just wouldn't admit to being attacked. Companies would still pay
ransoms, but we wouldn't know about it.

~~~
gruez
I mean that's like saying "banning insider trading/securities fraud won't
work, because people will still do it". Yeah, they might, but I find it hard
to believe that an executive is loyal to their company to the extent that
they'll risk years of jail time for it.

~~~
eternalban
Trading is a public act. Cooking the books to hide a payment by some random
corp is orders of magnitude more obscure than trading in securities.

------
iandev
> "The university's cyber insurance policy paid part of the ransom, and the
> university covered the remainder. No tuition, grant, donation, state or
> taxpayer funds were used to pay the ransom"

I was looking to dunk on them but it seems that what they did wasn’t entirely
unreasonable. The article further states that they paid to protect student
data.

~~~
Lionga
Where did the money come from if not from "tuition, grant, donation, state or
taxpayer funds"? And if they have another source of funding, this still means
the money is missing to fund things in the future that now they have to use
"tuition, grant, donation, state or taxpayer funds" for.

They also send a clear message that ransomware blackmail is a great business
model. I think that is more than enough reason to dunk on them.

~~~
pc86
No you don't understand, they didn't use _that_ money, they used _different_
money! Nevermind that money is fungible.

Unless they set money in the budget every year for "Ransomware Insurance
Shortfall" this is 100% "tuition, grant, donation, state or taxpayer funds" at
some point in the chain.

~~~
sgeorge96
It was partly covered by insurance.

~~~
pc86
We're talking about the part that wasn't.

~~~
scarmig
Even the insurance policy that distributed the payout was ultimately paid for
with those funds.

~~~
colinmhayes
Sunk cost

------
0xbkt
Out of curiosity, are these hackers still demanding ransom money in Bitcoin,
or say any traceable cryptocurrency?

I remember encountering similar scenarios before and they all seem to want the
money in a Bitcoin address.

Why not Monero, or an alternative if there is any, which I guess makes moving
the funds around much more stealthily? Please correct me if I'm wrong.

~~~
paulpauper
No one is getting arrested or caught in spite of the traceability, unless the
hacker is dumb enough to just deposit the BTC on an exchange immediately. The
BTC is split up and sent through mixers and laundered into thousands of tiny
pieces and after a few years or so forgotten by anyone trying to track it.

~~~
mihaifm
All the tiny pieces could be traced in an automated way. It’s probably the
lack of regulation that lets exchanges get away with not implementing better
anti-laundering mechanisms.

~~~
colinmhayes
That's not how tumblers work. There's no way to link the input and output
addresses when you go through a tumbler.

~~~
readams
You could refuse to transact any tumbler output.

~~~
mianos
Some exchanges are refusing tumbled input. That said, it seems most of the
time if you complain enough and provide more id they do anyway.

------
nick_kline
Interesting discussions here about the actual costs and value of finding the
bugs that enable these problems. There's basically very little cost to the
companies in most cases that have vulnerabilities.

It's absolutely crucial, in my opinion, that we pass laws making paying off
criminals illegal.

There are arguments here that paying off via insurance or other 'secondary
means' are somehow shielding the institutions. It's morally wrong, and I
suspect in reality it's technically wrong to make these payments. It's just
wrong. There is the problem that at least some of these ransomware groups are
in countries like Russia that don't care to really prosecute them. We need to
stop this, make it clear it's not acceptable, fight with our usual means
against money laundering. Pretty much every company company in the western
world is vulnerable to these problems, every public school, and behind the
scenes lots of people are vulnerable.

------
fizixer
When you pay ransom for physical possession you get your possession back.

When you pay ransom for lost data you get a copy of your data back. The
culprits still have the data, but they likely don't have a use for that data.

But this is the worst kind of ransom.

You already have the data, you're paying ransom to make sure the culprits
don't use the data, but the culprits still are in possession of the data and
they can use the data next year, or two years later, or demand more payment
next year.

What in the world?

~~~
parliament32
>The culprits still have the data

It'd be too hard/expensive to exfiltrate the data once it gets large enough,
without much added benefit. They just encrypt it in-place.

~~~
beervirus
Well it's exactly what happened here.

> The university said its staff restored from backups; however, the ransomware
> gang threatened to release student-related data online, which, in turn, made
> university management re-think their approach towards not paying the
> attackers.

The university is paying them not to release the data, but it has no way of
forcing them to delete it.

------
sho
Devil's advocate: ransomware is good. The financial incentives around it
directly encourage this variety of hacking. It's an involuntary "bug bounty".
And IT security becomes something more than a "nice to have" for these
institutions, which it never would have before.

$450k? Universities know all about paying to learn. That's cheap, and they
won't make the same mistakes again.

~~~
AnIdiotOnTheNet
Actually, depending on the cost of mitigating this sort of disaster in the
future, they may learn the lesson that it is simply less expensive to pay the
ransom.

The criminals doing these sorts of things are businesses too; they are unlikely
to price themselves out.

~~~
ipnon
Markets in everything: The price of ransomware will reach equilibrium when the
cost of paying the ransom becomes equal to the cost of paying for
cybersecurity. Then we're back to "to pay or not to pay" once again being a
merely moral/ethical issue.

------
mensetmanusman
Just think, they could have paid two engineers to fortify their systems
against such an attack and still saved lots of money.

~~~
lern_too_spel
How do you know they weren't already paying at least two engineers to fortify
their systems?

~~~
mensetmanusman
Hmm. I’m guessing not having backups means they may have been paying one
person but also giving that person way too many responsibilities such that
they couldn’t focus on doing a backup well.

~~~
R0b0t1
The ransom was paid by an insurance provider, so they were at least doing
something to acquire coverage.

~~~
paulpauper
Probably insurance is cheaper than hiring sec experts.

~~~
adrr
Insurance coverage is common. Depending on the coverage amount, it may require
independent audits.

------
akeck
Can one detect a ransomware infection early by watching copy-on-write
snapshots on a file server?

~~~
gpm
You can, the company I work for makes a product that does exactly that.

It's very much a last line of defense way of detecting attacks because it
means the attackers are already in and already have access to whatever
workload is being protected.

[https://www.rubrik.com/en/products/polaris-overview/polaris-radar](https://www.rubrik.com/en/products/polaris-overview/polaris-radar)

Disclaimer: I'm just an engineer (not a sales person/pr/...) and _all_ my
comments on HN including this one are entirely my own views/not the company's
views.
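As an added illustration of the snapshot-watching idea raised in this exchange, here is a small Python detector written for this page; it is not code from the thread, from Rubrik or from any product. It assumes two point-in-time snapshots of a file share are available as path-to-content mappings (the way a copy-on-write snapshot pair could be walked), and it flags the pattern a defender looks for between snapshots: many files whose content jumped from low to high Shannon entropy, often with a new extension appended. The thresholds, the sample baseline files and the "encrypted" replacements are all constructed for the example.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed thresholds (not from the thread): plain text and source sit around
# 4-5 bits/byte, compressed or encrypted data close to 8 bits/byte.
ENTROPY_THRESHOLD = 7.0
# Number of low->high entropy rewrites in one snapshot delta that raises an alert.
MIN_SUSPICIOUS = 3


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class FileChange:
    old_path: str
    new_path: Optional[str]      # None when the file vanished without a renamed copy
    entropy_before: float
    entropy_after: float
    extension_changed: bool

    def looks_encrypted(self) -> bool:
        # A readable file that turned into near-random bytes between snapshots.
        return (self.new_path is not None
                and self.entropy_before < ENTROPY_THRESHOLD
                and self.entropy_after >= ENTROPY_THRESHOLD)


def diff_snapshots(before: Dict[str, bytes], after: Dict[str, bytes]) -> List[FileChange]:
    """Compare two snapshots and describe every file from `before` that changed."""
    changes = []
    for path, old_bytes in before.items():
        if path in after:
            new_path: Optional[str] = path
        else:
            # Ransomware commonly rewrites a file under its old name plus an
            # appended extension; treat such a new sibling as the renamed copy.
            renamed = [p for p in after if p.startswith(path + ".") and p not in before]
            new_path = renamed[0] if renamed else None
        new_bytes = after.get(new_path) if new_path is not None else None
        if new_bytes == old_bytes:
            continue  # unchanged between snapshots
        changes.append(FileChange(
            old_path=path,
            new_path=new_path,
            entropy_before=shannon_entropy(old_bytes),
            entropy_after=shannon_entropy(new_bytes or b""),
            extension_changed=new_path is not None and new_path != path,
        ))
    return changes


def detect(before: Dict[str, bytes], after: Dict[str, bytes]) -> dict:
    """Summarise a snapshot delta and decide whether it looks like mass encryption."""
    changes = diff_snapshots(before, after)
    suspicious = [c for c in changes if c.looks_encrypted()]
    return {
        "modified": len(changes),
        "suspicious": len(suspicious),
        "renamed": sum(1 for c in changes if c.extension_changed),
        "alert": len(suspicious) >= MIN_SUSPICIOUS,
    }


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample: a healthy snapshot of a small shared drive.
BASELINE: Dict[str, bytes] = {
    "docs/thesis.txt": b"Chapter one. " * 300,
    "docs/notes.txt": b"Meeting notes for the lab, nothing unusual here.\n" * 80,
    "grades/2020.csv": b"student_id,grade\n" + b"".join(f"{i},{i % 100}\n".encode() for i in range(200)),
    "src/main.py": b"def main():\n    print('hello')\n" * 50,
    "src/util.py": b"import os\n" * 100,
    "readme.txt": b"Welcome to the shared drive.\n" * 30,
}

# Constructed sample: the next snapshot, where four files were replaced by
# high-entropy content under a new extension and one was edited normally.
CURRENT: Dict[str, bytes] = dict(BASELINE)
for victim in ("docs/thesis.txt", "docs/notes.txt", "grades/2020.csv", "src/main.py"):
    del CURRENT[victim]
    CURRENT[victim + ".locked"] = pseudo_random_bytes(victim, 4096)
CURRENT["readme.txt"] = BASELINE["readme.txt"] + b"Please update your passwords.\n"

if __name__ == "__main__":
    print(detect(BASELINE, CURRENT))   # alert is True for the constructed delta
```

Entropy alone misclassifies legitimately compressed or encrypted files (zip archives, PDFs, encrypted containers), which is why the verdict is made on the count of files that jumped from low to high entropy within one snapshot interval rather than on any single file, and why the check belongs behind, not instead of, controls that keep an attacker out of the share in the first place.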

------
croh
> "The university's cyber insurance policy paid part of the ransom, and the
> university covered the remainder. No tuition, grant, donation, state or
> taxpayer funds were used to pay the ransom," University of Utah officials
> added.

Can anybody elaborate more on this? What are the other resources than
tuition/grant/donation/state/fund to earn money?

------
bluecalm
At this point the government agency should perform some of those attacks,
extort the money, make it public and then delete the data so the victim is out
of data and the money.

Paying ransoms is terrible for the world. We will have more attacks on more
targets. There needs to be heavy incentive to not pay.

~~~
renewiltord
^ things that will get you instantly unelected

~~~
bluecalm
It's not like advocating for strategies that work and make the world a better
place get you elected anyway. It's all about making feel good promises anyway.
Maybe you can convince someone already elected in their last term to actually
implement it.

------
Giorgi
There is no way those 450k are not being traced right now like hell; most
likely it was allowed just because the investigation said so. It's a matter of
time now.

------
leephillips
They had backups: good for them.

But they also had unencrypted, sensitive information sitting on their
networks.

------
gowld
The data was leaked. They didn't "pay ransom to stop leaks".

~~~
rrss
Do you have a source?

[https://attheu.utah.edu/facultystaff/university-of-utah-update-on-data-security-incident/](https://attheu.utah.edu/facultystaff/university-of-utah-update-on-data-security-incident/) says they paid the ransom to prevent leaks.

------
amelius
It's good to be aware that this entire thing wouldn't have been possible
without Bitcoin.

~~~
Forbo
It's good to be aware that this entire thing wouldn't have been possible
without encryption.

I'm sorry, I'm not sure I'm seeing what point you're trying to make. Are you
trying to say that Bitcoin is bad?

~~~
panpanna
Bitcoin was sold to me as freedom, from governments, from banks, etc.

But now I have come to realize that a completely unregulated payment system is
very dangerous.

To be clear, Bitcoin is not "bad". Humans are bad and this is why we can't
have nice things.

~~~
zelly
Bitcoin is more regulated and more spied on than most forms of payment. To
turn a large amount of Bitcoin into dollars in a bank account, you have to go
through extreme AML/KYC checks. I can go to a gas station in California and
send $1000 in cash to someone in Turkey who could receive cash and walk out a
few minutes later. A briefcase full of cash is not regulated at all and can be
used to settle debt or pay taxes, unlike Bitcoin. The only advantage of
Bitcoin is not requiring the risk of physical presence, which has to be <1% of
all crime. Also, unlike cash, Bitcoin by design retains a full immutable
public ledger. The criminals can mix their coins, but it'd still be possible
(although computationally expensive) to recreate a chain of transactions going
back to the original ransom. In the future if Bitcoin is to become used in
commerce more, it should be expected that these dirty transaction outputs
would be worth less than clean ones or not accepted, like dollar bills cut in
half taped together.

~~~
rossjudson
If a chemical plant sets up in an area then pollutes the environment during
the course of business, it is required to clean up the mess. Known risks are
required to have mitigations ready, and sometimes-expensive procedures must be
followed to ensure safety.

Bitcoin (and everything like it) is very much at the "Pollute the environment
with whatever the hell I want" phase of its existence. That should change.

Bitcoin should be taxed to recover the externalized costs it imposes --
basically, compensate the victims of bitcoin-enabled crime.

Is only a small fraction of bitcoin usage related to crime? No problem -- the
tax will be very low.

~~~
Forbo
We don't have a tax to compensate the victims of crimes enabled by cash, gift
cards, Western Union, wire transfers, etc. Sorry, but I'm still not seeing the
point being made here.

