And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
First off, that is an excellent comment and again, I love Hacker News. How many communities on the planet will have a Rudyard Kipling poem in their lead comment???
I would have used this stanza as I think it's a little more applicable in this situation:
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
As another commenter said, individuals can prevent themselves from being victimized again by starting a regime of proper backups. It isn't as ideal as arresting the motherfuckers and sentencing them to 25 years in federal prison, but it prevents an individual from being labelled a mark.
On the other hand, when the FBI says 'just pay it', I'd argue that it makes all of North America more vulnerable. The end of this game is oppression and shame, and the nation that plays it is lost.
For the cyber-criminals there is little or no per-user cost to implement this attack. The refuse-to-pay strategy works when there is some hope of making their attack not worth their effort. To make it not profitable, you would have to convince such a high percentage of people to not pay that the refuse-to-pay strategy is intractable. Instead, we need to rely on the FBI and other organizations to raise the risk of getting caught.
They want you to reinforce the ransomware creator's behaviour, but if you hunt them down and physically punish them yourselves, you'll go to jail. Why does a democratic government exist, and why do I pay taxes to support it?
In my opinion, the FBI is the slacker here. We are paying taxes to the government for services which should include hunting down and making examples of the perps so that they think twice about ever writing ransomware again.
"If you hunt them down and physically punish them yourselves, you'll go to jail"
The U.S. Constitution actually has provisions for legally doing that. Lobby your congressmen to issue "letters of marque and reprisal", which Congress is authorized to provide precisely for businesses to engage in warlike behavior against pirates et al, which includes the modern form in "ransomware".
That's a slippery slope which is bound to harm innocent parties. Large corporations would just love to get letters of marque and reprisal, let's hope that it is not authorized by Congress anytime soon.
This all assumes that the FBI's purpose is to go after criminals who are harming the citizenry. I am no longer certain that is the purpose of the police (federal, state, or municipal), given their exceptionally poor record of preventing crime, and finding those responsible for crimes.
Or, paying ransom teaches you to make backups. Cryptolocker is essentially a "get-out-of-data-loss-for-a-small-price" card. Alternatives, like your disk having a fatal error, are not nearly as forgiving.
The 'you' in this case is all of us, collectively. Unfortunately, for the individual victim, paying is usually the best of a set of bad options, even though it is not the best one for us, collectively.
> Unfortunately, for the individual victim, paying is usually the best of a set of bad options
Is it?
From the perspective of the hacker, the hacker's best move is to take the money and simply demand more. There's zero incentive for the hacker to return the victim's data.
This becomes a probabilistic situation: the approach I'd take if I were a victim would be to borrow an analogy from poker for the problem of deciding whether to call in order to possibly win a pot. First, I'd determine how much the data is worth to me, and use that to determine my "pot odds":
pot_odds = ransom / value_of_data
I'd then try to figure out how often hackers actually return the data on a ransom:
At this point, we can decide whether it's a rational choice to pay the ransom:
if pot_odds < odds_of_data_being_returned:
    pay_the_ransom()
Areas for research: this is a pretty unsophisticated way of determining the odds of the data being returned. I don't have data on how often hackers return data upon being paid the ransom, but I suspect if we gathered data we could get a better probability. For example, one could use linguistic patterns in the hacker's communication to fingerprint different ransomware hackers, and use that to get a probability for each individual hacker. It's likely that some hackers never return the data, and some hackers always return the data, and each of these probabilities has drastically different effects on the outcome of our decision algorithm.
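The pot-odds rule above carried through as an expected-cost comparison, as an added example that is not code from the thread or from any commenter. The payment addresses, the per-operator track record, the prior for an unknown operator and the optional backup-restore cost are all constructed assumptions; what the code shows is that "pay" beats "refuse" exactly when pot_odds is below the estimated return probability, and that the same rule gives opposite answers for an operator that always decrypts and one that never does.

```python
# Added example (not from the thread): the pot-odds ransom decision as expected cost.
# Track record per payment address: (ransoms paid, data actually returned).
# Constructed numbers; the comment suggests building these from fingerprinted
# notes and addresses, which is left as an assumption here.
TRACK_RECORD = {
    "addr-operator-A": (40, 40),  # always decrypts
    "addr-operator-B": (25, 0),   # takes the money and runs
}


def p_data_returned(address, prior=0.5, prior_weight=2):
    """Smoothed estimate of P(data returned | ransom paid) for one operator.

    Unknown addresses fall back to `prior` (an assumed coin flip, not measured).
    """
    paid, returned = TRACK_RECORD.get(address, (0, 0))
    return (returned + prior * prior_weight) / (paid + prior_weight)


def pot_odds(ransom, value_of_data):
    """The comment's pot odds: what you put in relative to what you hope to win."""
    return ransom / value_of_data


def expected_costs(ransom, value_of_data, address, restore_cost=None):
    """Expected cost of each option.

    Paying costs the ransom plus the data, weighted by the chance it is not
    returned. Refusing writes the data off. Restoring from a backup (if you
    have one) costs whatever the restore costs. `pay` beats `refuse` exactly
    when p * value > ransom, i.e. when pot_odds < p: the comment's rule.
    """
    p = p_data_returned(address)
    costs = {
        "pay": ransom + (1 - p) * value_of_data,
        "refuse": value_of_data,
    }
    if restore_cost is not None:
        costs["restore"] = restore_cost
    return costs


def decide(ransom, value_of_data, address, restore_cost=None):
    """Return the option with the lowest expected cost."""
    costs = expected_costs(ransom, value_of_data, address, restore_cost)
    return min(costs, key=costs.get)


if __name__ == "__main__":
    for addr in ("addr-operator-A", "addr-operator-B", "addr-unknown"):
        print(addr, round(p_data_returned(addr), 3), decide(500, 10_000, addr))
    # A backup that costs less than the expected cost of paying wins outright.
    print("with backup:", decide(500, 10_000, "addr-operator-A", restore_cost=600))
```

Note that with the constructed numbers a 500 ransom against 10,000 of data is paid to operator A (estimated p about 0.98, expected cost about 738) and refused to operator B (p about 0.04, expected cost above the value of the data), while a cheap restore beats both; the smoothing keeps an operator with a short record from being scored as a certain 0 or 1.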
Not in the long-term, because then they gain a reputation as someone not to be "trusted". Many of these outfits have their own support forums, make it easy to pay, etc., and happily hand your data back over because they make money in volume, not from one particular mark. If you gain a reputation for being easy to work with, unlocking data and offering the support to do so, many more people will pay just to get rid of the headache when their computers are locked down.
For (1), this is the reason the ransom is small. Since "many" are actually trustworthy, it's a small risk to pay the relatively small ransom. (Also, you can verify via bitcoin address if you're dealing with a hacker who is known to give data back.)
For (2), could you also find a way to get the FBI to release a statement saying you are trustworthy?
The vast majority of the "hackers" never see you signing in and paying the Bitcoin. The systems are automated to the point that paying the ransom triggers a process that results in the browser passing the decryption key back to the client-side malware which then decrypts your file. Electronic software delivery is a much more economical way for these enterprising thugs to be profitable at scale.
"> Unfortunately, for the individual victim, paying is usually the best of a set of bad options
Is it?"
Also, think what would happen if a ransomer failed to give the data back after being paid. The only benefit for the ransomer on that mark is to then say, "No, now I want x-more dollars." What is the mark going to do then, once the ransomer has proven untrustworthy? Give them yet more money?
99% of the time, no, the mark will give them nothing, but it only takes 1% to make it viable.
I do buy the reputation argument when applied on a larger scale, though. I didn't realize that some of these operations were as large as other commenters have pointed out.
Most ransomware cases aren't targeted they are opportunistic, ransomware spreads like normal malware rather than some targeted "APT" operation.
And while initially ransomware operators were quite "solid" and, for lack of a better word, "trustworthy", the popularization of it led to everyone and their mother writing ransomware in hopes of making a quick buck.
In those cases you can't even rely on the encryption being recoverable, because the malware itself is utter garbage and the criminals don't care or don't even have the technical skills to operate a full ransom-cycle campaign.
It's not uncommon to see even fairly fresh ransomware examples in the wild with dead BC wallet addresses, banned PayPal, Skrill (and other transaction provider) accounts, incorrect routing numbers, etc.
This isn't 5-10 years ago, where some ransomware would actually give you a VoIP phone number/Skype/email to call or mail, and you would get to speak to some Russian or Malaysian guy, give them the money and actually get a key to recover your data.
Sure, some ransomware operators still operate that way, and some have more sophisticated automated systems with C&C servers, but most figured out that it doesn't matter because they are in it for the quick buck, and well, if you are going to commit a crime then why not defraud/scam your target in the same swoop.
Ironically, this reality led the more established organized crime organizations that employ ransomware to generate income to actively fight against the new waves of quick-cash ransom scams, because they need people to still have some trust in the fact that they can get their data back if they pay.
Even firing at random is a better strategy in a target-rich environment compared to an environment where your targets either don't pay out or attempt to fight back.
Not really relevant where (1) they're generally not targeting specific individuals, and (2) once you pay the ransom one time, you can mitigate your future risk with backups and other measures.
That's true from a societal perspective, but from the perspective of the victim of ransomware, "just pay the ransom" is even worse advice. Once you have paid the ransom, what incentive does the hacker have to fulfill their end of the bargain? If, for example, a hacker encrypts your hard drive and demands bitcoins as payment, paying the hacker means you're likely out a few bitcoins AND your hard drive is still encrypted.
In this case, I believe both of you are wrong. The ability to blindly conduct ransom en masse changes the calculus.
First, the ransomers have every incentive to actually abide by their promise to decrypt. In essence, they're running a business. Whereas in a kidnapping situation ransoms are high, ransomers tend to stay anonymous, and risk is high, with ransomware the monetary amounts involved are low, the ransomers typically conduct their actions under an established pseudonym, and the risk in upholding their side of the bargain is low. If they were to not hold up their end of the bargain and it became known that "LeetSquad" doesn't actually decrypt data, victims would stop paying. This would be a disaster.
Furthermore, while it's correct that a victim who pays signals their ease of being shaken down, again, the economics of the situation work in the victim's favor. These attacks aren't targeted. Given an effectively endless supply of potentially-paying victims, direct targeting is unnecessary, wasted effort. And again, risk of reputational damage is high. For evidence, look no further than this FBI recommendation!
For further evidence, consider the fact that in practice, these groups overwhelmingly keep their promises and don't appear to specifically re-target previous victims. They even, no joke, have online support staff who will work with you in the event of difficulties unlocking your data!
I had the idea once that one way to combat these groups would be to run a PR and news campaign attempting to convince the general population that ransomware groups will take the money and run, and that they'll just come after you again. Even if it isn't true, a successful campaign might do some serious damage to their profit margins.
> run a PR and news campaign attempting to convince the general population that ransomware groups will take the money and run
This would not be enough IMO. Creating and spreading malware that takes the money and does NOT decrypt data would probably do it. PR and news will follow. (And give that money to orphans or the starving as a self-justification :)
The hacker actually has incentive to fulfill their end of the bargain. If they didn't, the victim might go public with this, and then no one would ever pay the ransom.
The hacker wants to be trustworthy here so that new victims will be more likely to pay the ransom because they believe they will actually get their data back.
What's stopping a victim from paying the ransom and still going public and asserting that the ransomer didn't decrypt the hard drive which hurts the reputation (ha!) of the ransomer and causes other people not to pay?
This might be one of the smarter moves to make so long as you kept your identity as a victim anonymous so you don't get retargeted by the ransomer.
In practice the ransomers do exactly what they offer to do. Most of them are part of one of a very small group of criminal organizations. The Russian mob is making 10s of millions or 100s of millions a year on this. Why would you not fulfil your end of the bargain.
Looks like free enterprise has introduced a tax on people who fail to secure their systems against untargeted attacks and fail to make backups.
One also wonders what's the point of all NSA's "SIGINT" efforts if they can't or won't use it to catch such usually foreign actors, so maybe they also introduced an argument against mass surveillance.
The NSA isn't interested in defensive work these days. As Dan Geer explained[1]:
> I suggest that the cybersecurity tool-set favors offense these days. Chris Inglis, recently retired NSA Deputy Director, remarked that if we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game, i.e., all offense. I will take his comment as confirming at the highest level not only the dual use nature of cybersecurity but also confirming that offense is where the innovations that only States can afford is going on.
This is a serious problem, not only because of the problems of intelligence agencies with many powers and poor oversight; ignoring defense is going to bite a lot of people in bad ways. We are already seeing the beginnings of this with the escalating impact computer-based attacks are having on their victims.
I also recommend considering Jacob Appelbaum's response to this question[2] from the audience - from someone currently working for the NSA. The summary is that we need people doing NSA-style work, but on the defense side, and we need it now. If the NSA isn't doing that, then maybe people that want to actually protect their country should find somewhere else to work that is actually working on defense.
I assume part of the problem is that it is hard to quantify successes or wins in defense.
What is a good way to protect against ransomware? Symantec buries the lede with the answers (possibly because of conflicting business interests) which are
1. Limit end user access to mapped drives
2. Deploy and maintain a comprehensive backup solution
But really, how do we justify spending thousands of dollars on hardware? I hate myself for saying this but there are real risks of doing too much as well. We could have our own mini tyrannical regime of secure computing a la the TSA security theater.
Effective user education is challenging. Even developers are prone to use elevated user permissions where none is strictly required just for the sake of convenience. I know I've found myself right-clicking visual studio and clicking "Run as administrator" reflexively after just a few months of working on ASP.NET and IIS.
This is a little off-topic but I imagine the whole funding offense vs defense might be a little more "natural" than we like to admit. Imagine you're a defense manager and there's this other guy who is an offense manager. Just as a football analogy, how do you justify your team's worth when the other team says that there is no good way to quantify the worth of the work you're doing and there is a good way to quantify their team's work? I guess what I'm asking is how do we put a dollar and cent value to defensive cyber security? Can we just ask "How much does the business stand to lose if we lost all our data to ransom ware or worse to a competitor?" or would business think that is overreaching?
> The NSA isn't interested in defensive work these days.
Hasn't "a great offense is always the best defense" always been the name of the game? We've gone from fists, to stick and rocks, to spears, to swords, to Greek Fire, to gunpowder, to nuclear weapons. Why not now be the ones to own the power to take down any computer or network?
While cyberdefense is not in the same unrealistic realm as SDI was in the 80s, the ways that most people think about security- firewall on the perimeter and/or securing each node, pen testing, patches, and locking down what can be installed/used- don't really solve the problem of having a wide attack vector. Imagine if you could shoot a single soldier out in the field and it would kill his/her whole battalion, the base in which he/she was stationed, and perhaps destroy or weaken the entire army or even armed forces to which he/she belonged? That is the situation now.
Playing ultimate defense requires much more isolation. We shouldn't be on the same network, we shouldn't always be connected, and we should really limit how the outside world can affect each node. That isn't often the case with the networks we have currently.
Exactly my thoughts. NSA was supposed to provide measures to protect the network of the government. But see the OPM's breach as one example.
Seems NSA is obsessed with penetrating everywhere using 'terrorism' as a means to ensure continued funding. Thus the 'defense' nature is quite boring and sadly ignored.
SELinux and SE for Android are two examples of NSA doing defensive work recently. Also NSA's Information Assurance Directorate puts out guidance[1]. But as to the level of investment in offense versus defense, you'll have to draw your own conclusions.
SELinux made its public debut seventeen years ago, so it's not the best example of "recent" defensive work done by the NSA. ;)
To speak about SE for Android: I'm not sure how much weight I would lend to a few NSA employees helping Google/AOSP create SELinux profiles for Android. (It is recent work, though!)
I'm fairly certain that I would lend a lot of weight to public efforts to harden systems against the kinds of attacks that their TAO division launches.
Just like the Brits could have used the cracked Enigma code to stop each and every German operation during the War, they refrained from doing so and used it only for very specific situations (in order to avoid their cover being blown).
Expect the same behavior from the NSA. They will use their power first and foremost whenever it benefits themselves, not to protect all citizens or corporations.
The Brits acted sparingly using the cracked Enigma code precisely because they were trying to protect as many citizens as they could -- if they acted every time, the Germans would have figured out the code was compromised and switched to a stronger code.
Except now everyone knows a lot about the capabilities of the NSA, and every serious criminal is already using the strongest encryption available and doesn't have any course of action for when the NSA is onto them.
It would be like if the British "blew their cover" and the Germans could only respond by completely ceasing all encrypted communication. Not the best possible outcome if they do, but still a positive outcome.
It's an even better outcome for cybercrime, since ceasing all communications would mean ceasing everything. If the NSA did this, the criminal would probably just stop operating, which means they might not be brought to justice, but at least the attacks would stop.
American government agencies put one thing above all else: self preservation. If a duty to society involves risk which could make them be seen in a bad light, they will avoid it, or try to state it isn't their problem.
Free enterprise? This is an embarrassing extension of the idea of enterprise (Since when can enterprises tax anyhow?). This is racketeering 101 plain and simple. I will burn your business down unless you pay me to protect your business. It is a new application of a very old concept.
Can you imagine the FBI saying, just pay the mafia?
I believe free enterprise requires that all parties to a transaction be free to participate, or decline, according to their own judgement and resources. Clearly absconding with and holding another's property for ransom is not free enterprise.
I hesitate to say something so pedantic, but with the number of people who attribute crazy properties to the concept of "free markets", etc. I think we should just be clear on this one.
The government is already accused of being in bed with commerce all the time ala fascism comparisons, NSA helping companies directly like this could be viewed as favoritism for big companies and politically dangerous. Also, NSA's offensive mission is historically to attack nation-states aligned to the federal government's needs rather than to attack commercially motivated hackers. This is blurring with national security issues like espionage and economic terrorism coming into play, but this again raises the question of where the dividing line between helping private enterprise with tax dollars should go compared to doing something for everyone's benefit.
There is also a defensive side to NSA's mission that is defense-oriented (IAD), but the most recognizable contributions that most of the HN crowd may be familiar with are SELinux and perhaps a modest body of research involving how to secure your systems (the defense side is much more open than the offensive side). The problem I see there is that these measures are all very much aimed at large corporations, not start-ups (seriously, I can count the number of start-ups outside the intelligence / DoD space I've ever heard of that use SELinux or follow NSA hardening guidelines on two fingers), and there is clearly a huge gap between how much big businesses take security seriously compared to start-ups, from both a cultural and a business-driven set of motivations.
The number of start-ups derailed / completely wiped out by extortion attempts is rather small compared to the number that actually exist, but the legions of security consulting companies around the DC beltway want everyone to think that it's really terrible and that everyone's a target. The truth is that everyone needs to be secure "enough" to not be as vulnerable as the really stupid guys, and that while it might sting a lot to be down for a few hours or so and lose revenue / trust from users, diverting your company's resources towards hardening so much is quite costly for smaller companies, and it's just more practical to have really fast re-provisioning set as a priority for your devops / ops engineers (most start-ups can do this far better than larger companies).
This is precisely exactly like saying that if in xyzland rape with impunity becomes rampant, "Looks like free enterprise has just introduced a rape tax on not having brothers."
To be blunt, if you think like this and make legal arguments like this, you don't understand western civilization and should go and think for a while about all of society.
Unless of course you're kidding and being cynical.
It's 2015: computing is part of society, and computing free from attacks is little different from walking about in public unharmed. It takes massive contortions of perception to feel otherwise. Everyone is online! (Just as everyone goes out now and then.)
> The FBI doesn't make recommendations to companies; instead, the Bureau explains what the options are for businesses that are affected and how it's up to individual companies to decide for themselves the best way to proceed. That is, either revert to back up systems, contact a security professional, or pay.
It's probably good advice for any individual person / company who gets infected. Unfortunately, it's terrible advice for society in general, because the blackmailers profit from their crime and will go on to target more people.
I'd guess that the malware users are being quite clever in keeping the ransom demands (relatively) small, to make it easy to choose to pay. They then profit in scale because targeting thousands of people is simple.
It's irrelevant advice for society in general, because just like with spam, the costs of producing this are so low that even if the FBI had convinced 99% of people not to pay, it'd still be worth it for the scammers.
The FBI should always advise companies never to pay ransoms. It's the only way to stop it. The Bureau doesn't care if a company or individual loses data. They do care about crime, and the only logical way to stop a class of crime is to remove all financial incentive.
Whoever is advising people to "just pay the ransom" is a fool.
"Don't pay the ransom" is just the first sentence. The rest of the paragraph would be: "Restore your data from backups, and have an IT professional come in and remove the malware if it's also on the backup."
Just telling people to pay the ransom is idiotic. It actually leaves the malware in place, and what guarantee is there that they won't be blackmailed again the next day?
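The "restore from a backup taken before the infection" step above, as an added example that is not part of the original thread or any commenter's code: a check that picks the newest snapshot containing no files that look like ciphertext, using byte entropy as the signal, so that you do not restore a snapshot the malware had already encrypted. The snapshots, dates, file contents, entropy threshold and extension allowlist are all constructed assumptions.

```python
# Added example (not from the thread): choose the newest backup snapshot that
# shows no sign of ransomware encryption before restoring. Snapshots are built
# in memory here; a real job would walk the backup store. The entropy threshold
# and the list of naturally high-entropy extensions are assumptions.
import hashlib
import math
import os
from collections import Counter

HIGH_ENTROPY_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}  # compressed anyway
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and similar files sit far lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 for empty or single-valued data, 8 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Flag files whose content is near-random but whose type should not be."""
    ext = os.path.splitext(name)[1].lower()
    if ext in HIGH_ENTROPY_EXT:
        return False
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def suspicious_files(snapshot: dict) -> list:
    """Names of files in one snapshot ({name: bytes}) that look encrypted."""
    return sorted(name for name, data in snapshot.items() if looks_encrypted(name, data))


def last_clean_snapshot(snapshots):
    """snapshots: [(label, {name: bytes}), ...] oldest first. Newest clean label or None."""
    for label, files in reversed(snapshots):
        if not suspicious_files(files):
            return label
    return None


def _pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed snapshots: two clean days, then the day the files were encrypted.
_REPORT = b"Q3 numbers: revenue up, churn flat, see attached sheet.\n" * 60
_PHOTO = _pseudo_random(b"photo", 4096)  # a JPEG is high-entropy by nature
SNAPSHOTS = [
    ("2015-10-20", {"report.txt": _REPORT, "photo.jpg": _PHOTO}),
    ("2015-10-21", {"report.txt": _REPORT + b"Addendum.\n", "photo.jpg": _PHOTO}),
    ("2015-10-22", {
        "report.txt.encrypted": _pseudo_random(b"ransomed", 4096),
        "photo.jpg": _PHOTO,
        "HOW_TO_DECRYPT.txt": b"Your files are encrypted. Pay 2 BTC to ...\n",  # constructed note
    }),
]

if __name__ == "__main__":
    for label, files in SNAPSHOTS:
        print(label, suspicious_files(files) or "clean")
    print("restore from:", last_clean_snapshot(SNAPSHOTS))
```

Two caveats a practitioner should keep in mind: naturally compressed formats are high-entropy on their own, which is why the check allowlists them by extension rather than scoring every file the same way, and the ransom note itself is plain text, so it does not trip the entropy check; a real job would also match known note filenames and compare file sets between snapshots (the renamed "report.txt.encrypted" above is a second signal on its own).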
Is it possible for vendors to ship a system like this that would also allow users to encrypt their entire hard drives? Maybe it would be something like OS X firmware lockdown, but that is less convenient and takes away a lot of the options for the user.
Next up, FBI will say you should negotiate with the terrorists.
From removing advice that you should encrypt your data, to arguing for backdoors, to advising that you should pay ransoms, Comey has been a complete buffoon.
> Still, the Boston head of cyber said that organizations that have procedures in place for regularly backing up their data can avoid paying a ransom at all, by simply restoring the infected system to a state prior to the infection.
The sad part is that quite a few of the ransomware cases aren't actually recoverable, as the malware could be just a dumb AES implementation which doesn't send the key to some C&C server somewhere; in some cases the key is hardcoded into the malware or is just generated at random, so even if you pay the ransom you might not get your data back.
The other important thing to consider is that your data is already tainted, so the cost of the ransom is meaningless compared to the cost of re-evaluating all the data once you manage to decrypt it, as well as the cost of the decryption itself; it's not like you'll get an easy tool to do it.
But considering that recovering data from backups also costs a small fortune it might be a reasonable gamble after all.
Um, isn't the reason we have an FBI is to shut down operations such as these? Can't they track payments and have the ransomware operators apprehended, with cooperation from authorities in other countries?
Maybe we should defund the FBI if this is the best advice they can think of.
For the record, it's the FBI's advice on cryptowall, cryptolocker and their ilk that it's easier to pay the ransom because it's largely automated to the point that no human is directly involved in processing your ransom and returning the keys to your files - the web site you're directed to even gives you one single file recovered for free. Isn't technology grand? Aren't the disenfranchised youth of Eastern Europe (the primary agents responsible for crypto-ransomware) generous? So unless you had backups from before you were infected, pay the automated system its Bitcoin. It's a shame that so many people have this as their introduction to cryptocurrency.
I guess the ransomware will stop unless they throw a few of the crooks in to jail. I presume the NSA or someone like that could probably figure who they are but they are probably in Russia or similar where the courts won't do much. Hence a fix might be to do a deal with Putin or some such? - We'll drop some sanctions if you throw a couple of dozen cybercrooks in jail say.
I presume they are probably in US. Hence a fix might be to do a deal with Obama?
really?
If you have any evidence about the authors, you can report it to local police, who will contact Interpol and then Russia's police. Russia has all the necessary laws to punish cyber criminals.
"..FBI’s most wanted list of cybercriminals: Russian hacker Evgeniy Bogachev. Bogachev, the authorities believe, was responsible for operating both viruses... GameOver Zeus and CryptoLocker" http://www.slate.com/articles/technology/technology/2014/06/...
"still appears to be at large in Russia, where officials have shown little interest in helping the FBI"..."What a talented guy," said Mikhail, 23, who recognised Bogachev's FBI photo as the man he would see in the lobby with his wife and nine-year-old daughter. "Sitting at his computer at home, he broke into our enemies' camp, but did not harm his fellow Russians." http://www.telegraph.co.uk/news/worldnews/europe/russia/1088...
"His alleged bank heists topped $100 million"..."Bogachev, 30, who lives luxuriously in Anapa, Russia, a beautiful seaside resort town of 60,000 on the northern coast of the Black Sea, and often sails his yacht to various Black Sea ports, remains a fugitive." http://www.usatoday.com/story/news/nation/2014/06/03/fbi-bus...
Guess the authorities can't find him because yachts are pretty tricky to spot.
Paying ransom merely teaches the criminal that you're an easy mark that they should demand more ransom from in the future.