
Universities Targeted by NetWalker Ransomware - cdepman
https://www.insidehighered.com/news/2020/06/11/colleges-face-evolving-cyber-extortion-threat
======
CapriciousCptl
Ransom probably isn’t the right term, it’s more like extortion. Failing to pay
is hardly the moral high ground. It’s just the least expensive option.
Businesses aren’t held accountable for their breaches by the US justice system
and so facing the courts and captive customers/staff is the cheap and easy way
out.

~~~
waynecochran
Morality aside, the right thing to do is not pay them. That is the only move
to win in the long run.

~~~
Anon1096
At least at my company, ransomware payments are covered by insurance so it's
always worth it to pay and have a pretty good chance at getting our data back.

~~~
tashoecraft
The problem with the equation is it doesn’t include the individual who had
their data stolen. If the school didn’t properly construct itself to code and
I got hurt inside of it, I can sue. But if my data was stolen and my credit is
destroyed I don’t have an option (I haven’t heard of anyone claiming this, but
it could be true and idk).

We need laws put in place to treat human data as someone’s property. If your
data is mishandled with negligence and you experience provable hardship, there
should be repercussions just like any other situation.

~~~
cgriswald
I'm not sure if you're just using building codes as an analogy or if you're
recommending them as a model, so take this for what it's worth.

I agree there should be some laws in place, but I think building codes would
be a terrible model for software. If a building doesn't incorporate code
changes until the owner modifies some system, the building doesn't become less
safe. Fire doesn't look for ways to get around building codes. Largely, there
aren't new threats, just new, better ways of dealing with those threats. The
incentive is for building owners to not modify their buildings so they can put
off and avoid those code change costs as long as possible. If the building was
up to code when it was built/modified, and you get hurt, you might be out of
luck.

Software is nearly the opposite and it's faster. I think that makes it a more
difficult problem to solve. The last thing you want is to make the entire
world work like tech in the medical field...

------
rshnotsecure
Not surprising. University of Texas has something like 55,000 subdomains. I
don't think 50 full time sysadmins/cybersecurity people could keep that
secure.

Also interesting to note: why do UTexas's name servers point to University
of Illinois's name servers?

Could be nothing. After all, UI was where Firefox was developed originally by
Marc Andreessen and others around 1994. This is also where the Apache web
server was created.

------
p0llard
Within the EU, GDPR seems to have an interesting impact on how
companies/organisations respond to cyber attacks like this: if they don't pay
the ransom, the data is leaked, and they are now liable under GDPR and will
likely have to pay a (very large) fine to the regulator for the data leak.
Attackers are surely savvy to this, and should set the ransom to be slightly
lower than what they estimate the fine would be, which 'motivates' the
organisation to pay the ransom.

In theory however, even if the organisation recovers the data by paying the
ransom, they should still report this as a data breach, and would probably be
fined by the regulator even though the data was recovered, since the breach
still occurred in the first place.

I'd be very interested to know the impact the new California state laws on
privacy have had on UC's decision to (seemingly) pay the ransom; I'm not based
in the US, nor am I familiar with the jurisdiction, but I imagine that this
will have been taken into account and might explain why UC acted differently
to MSU here.

~~~
sukilot
Why does anyone stay in business in the EU? I wouldn't run a store if getting
robbed earned me a fine.

~~~
luesterklemme
Because a lot of people just get this whole thing wrong. This whole discussion
got poisoned by fear mongering and not understanding the actual rules. Yes,
you can be liable for a huge amount, but you will only be hit by that if you
are either working with malicious intent or objectively don't give a shit
about data security and privacy of your users.

There is no such thing as an "estimated fine amount" to base your ransom on. It
depends on how seriously the company treated its security and how obvious the
data leak is.

~~~
p0llard
> It depends on how important the company treated its security and how obvious
> the data leak is.

Indeed. Which allows an attacker who is familiar with previous regulatory
action to estimate the fine based on the specific circumstances involved in
their attack.

~~~
luesterklemme
Different sector, different country, different regulatory body, different
regulator. Maybe the fines are comparable but I have my doubts that this could
ever be a viable strategy.

But in any case that is not the problem of the regulations.

~~~
p0llard
I'm not convinced by this; if a company was approached by an attacker who
threatened to

a) Release stolen data;

b) Anonymously supply the regulator with full details of the leak

unless a ransom was paid, I imagine that the threat of an audit and potential
regulatory action would be enough to persuade the company to pay the ransom if
it believed the cost of the ransom to be lower than the cost of an
investigation by the regulator.

~~~
luesterklemme
The incentive of the GDPR is for the companies to place inherent value in
their data safety. So either the companies can pay and not invest in future
safety to come out cheaper in the short run with the added risk of future
attacks. Or they could cooperate, proactively reach out to regulators with a
plan to improve and pay the fine.

~~~
p0llard
Yes, they could.

Or they could pay the ransom, which they deem to be less expensive than
dealing with the regulator, _and_ improve their data security to ensure they
don't get caught out again.

I fully understand (and support) the reasoning behind GDPR; I just think that
in this case there is a path which is easily open to abuse by attackers.

