Hacker News new | past | comments | ask | show | jobs | submit login
US city rejects $5.3M ransom demand and restores encrypted files from backup (secalerts.co)
467 points by GiulioS 14 days ago | hide | past | web | favorite | 238 comments



ZFS snapshots are immutable (read-only) for normal users.

So, if you had your data stored on a cloud storage platform that created and maintained ZFS snapshots, Mallory could gain all of the credentials and still not be able to touch your daily/weekly/monthly snapshots.

Now, if only there were a cloud backup platform that included zfs snapshots ...


> ZFS snapshots are immutable (read-only) for normal users.

Unless you've given them "destroy" that is.

> Now, if only there were a cloud backup platform that included zfs snapshots ...

I see what you did there...


Yup, he's the guy behind https://www.rsync.net/

I wonder when ransomware will get smart enough to detect backups and insinuate themselves into them to foil the "just restore from backups" strategy.

Yes. They are often targeting IT providers of SMBs by phishing/otherwise compromising their credentials, and deleting backups before encrypting. It works sometimes, 2FA hygiene and secondary site redundancy are usually good enough to protect you.

If you inject the ransomware into a system that is subsequently backed up and wait a significant period of time, you could potentially lock all backups as they are restored. Then people have to decide between paying up or restoring to a time before the ransomware was injected.

I'm not sure if it's feasible to have ransomware lock backups as they're restored, however.


2FA is so overrated. You can so easily do a sim swap to get access to a particular phone number and bypass 2FA.

The problem isn't with 2FA, the problem is with SMS-based 2FA.

True, and that's why you shouldn't use SMS 2FA. The unfortunate part is when that's the only method offered.

TOTP and HOTP 2FA are unbreakable and supported by literally everyone. Who still does SMS 2FA anymore?

Lots, unfortunately. With no way to opt out

They already do, I worked a case last week where that happened.

Trickbot for example will be on a machine for 2-5 months so that it's in your backups, and is commonly followed by Ryuk ransomware.

So if you get hit with Ryuk and just restore from backups without re-mediating anything you will likely be hit with Ryuk again.


Most likely they already do that if its on the same computer. Details aren't out yet, but I would guess the backups came from other computers.

There are many known cases of ransomware attacks that have deleted backup repositories.

What if someone uses the credentials to file a support request in that platform asking the snapshots to be deleted?

Hopefully anyone with the ability to delete them would decline such a request.

So the platform would keep data against the wishes of the client? That doesn't sound good.

A better interpretation is that there might be multiple channels used for different identification purposes (a la 2-factor authentication) and the provider can ask for confirmation in a higher security channel. Whether this is done/feasible in practice is debatable.

More like it would include a more elaborate, person to person process.

Is ZFS really that popular in the enterprise? Amazon GovCloud is not that old and I doubt municipalities have switched to AWS. They might not have the same FedRamp requirements as federal agencies.

I don't know about the Enterprise, but Datto is a very popular backup appliance provider among small/medium businesses and some smaller municipal governments, which uses zfs snapshots as it's storage backend.

Datto is interesting. I suppose small to medium businesses and governments could just use off the shelf NAS products.

> "I decided to make a counter-offer using insurance proceeds in the amount of $400,000, which I determined to be consistent with ransoms recently paid by other municipalities,"

They didn't say no. It's odd there is so little recourse against things like this.


You're right, they didn't outright give a hard "no," but the story gets more interesting after New Bedford's counter offer. By attempting to negotiate, the city bought valuable time that they used to harden and restore their systems.


That didn't make sense to me. What did negotiating actually buy them? I don't see any indication that the attackers paused the attack.


Little to gain in restoring from backup if the same attack vector is still open. So it was really just a bit of misdirection.

It bought them time to figure out the root cause, fix it, and check if restoring backups is a viable option. Smart play.

Yes, but my understanding of the article is the city was negotiating in good faith. They were willing to pay the $400k. Still a lot of money.


Any reason laws can't be introduced making it highly illegal to pay a ransom, with serious criminal repercussions (same for government officials doing so)?

After all paying a ransom is very literally funding terrorism, in the most direct possible way.

"Whosoever knowingly pays a ransom", etc.

Of course those seeking a ransom could make their language less and less clear, so it's no longer clearly a ransom. But isn't that still an improvement over the status quo?

Maybe I'm missing something, but I don't see why it should be legal to pay.


Because you shouldn't criminalize being a victim.

I agree that it's probably a bad idea to pay a ransom, since that just supports the success rate and makes ransomware more popular. But do you really think that you should throw a grandparent in jail because paying a ransom is the only way they can get their digital memories back? Are you going to throw all of City Hall in jail because they needed to pay to get their tax records back?

The best option is to have good backups and not give into the demands, and that should be encouraged. But criminalizing people because they didn't adhere to the best digital practices is a bad idea.


In the 80s there was a wave of kidnappings in Italy. A new law made it so that relatives bank accounts were frozen immediately and they where forbidden to pay. I don't remember the details but it was a wildly successful move.

Why relatives of a victim didn't stopped informing police about the kidnaping? If government didn't know, then bank accounts wouldn't be blocked. Now a victim has a reason to not inform government, and now it is possible to kidnappings to continue without any government record, and we may come to a situation when it is all nice on the paper, while it becomes even worse than was before law-maker's intervention.

Was those bank accounts blocks where a successful move, or kidnappings stopped due to other measures government made?


I can only assume that hiding the kidnapping of a prominent person for months is really hard. Also in a time of high distress most people probably preferred to seek help from the state rather than making the situation even more complex and stressful.

This is different, though. Freezing their bank accounts makes it impossible to pay and thus gives the victim a plausible excuse not to pay.

Right, in the same way that making it illegal for cities to pay would. Probably wouldn't stop normal people paying but they don't have $400k of data to steal.

So I'd say it's exactly the same.


It is not the same as the city essentially is put in the situation were they need to choose between losing data and paying both a ransom and a fine (unless you want a federal agency to freeze ALL city controlled funds).

If you want to stop city from paying the the law need to state that even if they get their data back they need to delete it.


You shouldn’t criminalize victimhood, but for a municipality to have no backups should be considered criminal negligence - and if you do have proper backups, the cost of restoring them should be a small fraction of the ransom — so in such a setting, paying ransom should involve a criminal indictment even though it shouldn’t be about the payment.

This city had proper backups, and indeed was able to avoid paying ransom. Others weren’t so competent.

Unfortunately, these networks will continue to be insecure and that’s a real problem - right now everyone is pretending that it’s “lose your data or pay” for which backups are useful. However, if a hacker gains foothold into a network, and then, for 3 months, randomly changes record (say, randomly exchanging penalties owed among 1000 people every day through the day), then it’s unlikely backups will help - you’d have a mix of new and corrupt data in every backup set even if you have a daily one going back a whole year (and most places are lucky to have more than a week at daily)


Criminal negligence requires violation of established standards. Not just 'common industry practice' or even 'basically sensible', but legally established standards bodies who have laid out what practices and requirements must be fulfilled. Computer and software systems lack these standards completely. There is nothing. As such, if a computer is involved, it is impossible to prosecute criminal negligence. This is a big issue that will only become more pressing, but there are strong arguments on both sides of the argument over whether such standards should be established or not.

Computer people don't want to raise the barrier to entry by requiring licensing and following regulations, and money people don't want to pay for licensed computer/software engineers. Not to mention just deciding what the standards should BE and how the standards body should be constituted and run is guaranteed to be a rats nest and a sequence of progress-thwarting horrors... but the cost of not tackling it and paying for it will cost lives. We can be guaranteed that.


For private individuals perhaps it shouldn't be criminal. But for businesses responsible for other people's private information? Yes, I think there is professional negligence if they cannot even restore backups in a timely manner.

(Or cannot detect infections before they become so widespread the whole thing falls down.)


The action that a business should be punished for is not keeping their customer's information secure. Paying a ransom to recover after they are the victim of a crime should not be what they are punished for. If they were doing everything right but still got hit by ransomware I don't think they should be punished. If you can prove that they wrote their login info on a sticky note and left it in the main lobby then you should punish the bad security practice if it exposes other people's information.

Several parts of the world have kidnapping and piracy issues, and you can buy kidnapping/piracy insurance to pay ransoms in case you are the victim of such a crime. I think most people in the world acknowledge that sometimes bad things happen even when you take reasonable precautions, and you shouldn't be punished just because you were the unlucky one. Most security experts agree that no computer system is un-crackable, there are just varying levels of sophistication and access needed to do so. We've even seen that Stuxnet was capable of jumping air gaps. If a business had such good security that their database and backups were air-gapped but still was hit by ransomware do you think that they should still be fined?


> If they were doing everything right but still got hit by ransomware

Then I'd say there weren't doing things right. Granted there should be exceptions for when they really did do their best, but generally no.

> Most security experts agree that no computer system is un-crackable

It doesn't have to be, merely needs being not worth the effort to the criminals.


Sure, Maybe they could do more.

Could they have done more with the resources they had? Would taxpayers/stockholders fund it? Would a small business have the cash flow to do better? If they were told it was secure from the tech folks, would the non-tech folks have any way to prove this wrong?

It is really easy to say after something happens that they weren't doing things right. It isn't always so easy before things happen to know if things are done correctly, though. And trying to figure out what isn't worth it to the criminals is rather difficult. Some folks do quite a bit for an otherwise small amount of money, especially if they feel the victim "deserves" it.


> Would taxpayers/stockholders fund it?

And who pays the ransomware when it happens, if not the taxpayers/stockholders? Or does money just get created out of nothing when needed?

> Would a small business have the cash flow to do better?

IME small businesses can do it if they want to. It takes care, meaning policies, it's not expensive. Also small businesses are less attractive to large criminals.

> If they were told it was secure from the tech folks, would the non-tech folks have any way to prove this wrong?

If they got publicly ransomed, it would become very obvious something needed looking at. The process of potentially hammering them legally would involve them being taken to court where their level of culpability would be decided (and it may be they did do enough so get let off, and everyone can see what happened, and other businesses can decide perhaps to up their security based on the results).

These are all strawmen. I'm not asking for uncrackability, merely due diligence. A little of that goes a long way. These arguments don't stand up. You seem to be arguing for... what?


> And who pays the ransomware when it happens, if not the taxpayers/stockholders?

considering the order of magnitude of place that do not receive a ransom compared to places that get ransomed, the cost is probably on the security side.

> These are all strawmen. I'm not asking for uncrackability, merely due diligence.

but you apparently define due diligence as "not getting cracked," which while different from uncrackability is still an unfeasible demand.


> considering the order of magnitude of place that do not receive a ransom compared to places that get ransomed, the cost is probably on the security side.

And if ransoming is profitable, what does that do to the market? Does it a) inhibit more ransoming or b) encourage more ransoming?

> but you apparently define due diligence as "not getting cracked,"

Don't misrepresent me - here's what I actually said: "The process of potentially hammering them legally would involve them being taken to court where their level of culpability would be decided (and it may be they did do enough so get let off..."

So they can be let off. It says clearly.


An alternative is that by working together with law enforcement you can use the interactions with the criminals (together with tracking the money) to better understand the criminal organizations.

How is this different from making it illegal to give your wallet to a thief at gunpoint?

(obviously here there is the difference of personal harming which correctly resides at a different level; at the same time the stance of non-negotiation with terrorist organization was also justifiable in my opinion.

If what we can agree on is that you must way for the permission of law enforcement before you pay ransom so that they can reasonably confirm you are not inadvertently funding ISIS and also put in place all available precautions that is already a step forward.

Nobody think that paying ransom is a good thing that should be done as soon as possible. At the same time not everything is a nail.)


> An alternative is that by working together with law enforcement...

If we put that on the table, yes, that's a grand idea.


The part I would criminalize is the money-wiring part.


I used to work for a city and had the demand been something reasonable to the size of the city (tens of thousands of dollars) they may have just paid it. The city I worked for had pretty good backups in place but still might have even done it to not lose a few days worth of work. FWIW the city I worked for was a suburban city with a population of about 80k

The city was ready to pay $400k. Or their insurance was, at least. Insurance was looking at it from the coldest perspective possible-- how much would it cost us to fix this otherwise?

Yup that's what I came here to say. It might have been easier to take a higher insurance premium and let it pay the ransom than to do a restore exercise. Either way, bravo.

There is of course the terrible secondary effect of encouraging more ransomware but the insurance companies can simply sidestep this by saying "we don't cover that."

Do you think Americans should be free to wire money to ISIS if it's a "ransom" - something as little as unlocking some digital photos?


The wording “free to” implies that the victim feels like they’re doing something voluntary rather than coerced.

Think of it this way - let’s suppose you make it a crime to give your wallet to a mugger with a gun. Is that going to end up with less crime, or just more people shot, and some innocent victims going to jail just because they didn’t want to get shot?


You seem to presume all of these cases are involuntary.

This seems like an excellent way to siphon public funds. Get infected by "malware", pay "ransom". Voilà, public funds are now some cryptocurrency under your control.

It would surprise me if this has never happened.


Replacing regular corruption, which is often "unethical but legal" or "barely punished", with a federal crime that is known to be harshly prosecuted doesn't seem like a great idea to me.

You have a good point that the standards could be different for individuals vs organizations.

My point is simply that Grandma shouldn’t go to jail or be punished because she got hacked and a hacker made her pay to get her grandkids photos back. If you’re saying we shouldn’t let state governments do the same I think that’s reasonable.


it is however a crime to give money to terrorist organizations. So the wording "free to" really means do you think it should be legal to do so.

But how are we supposed to tell whether a given bitcoin wallet is controlled by terrorists?

I can cherry-pick counter-examples too, imagine Bill Gates or other billionaire paying a a billion dollar ramsom to Isis, but letting them walk away for free because he is "just a victim". A law against paying ramsoms should exist, maybe it should have exceptions for small amounts or something, but letting them legal by default it's way more problematic.


My examples weren't cherry picked, they were the most common type of occurrence and also the one directly related to the post.

But to attack your admittedly cherry picked example, I guarantee that the US government wouldn't fault Bill Gates, they would help him out and track the money that he transferred and turn it against the terrorists.


Sure, I would like to see the government tracking back the bitcoins and transferring them back.

By the way, another other dark side of making paying ransoms legal is that transferring money to a terrorist group (just because they support it) now has a plausible deniability: "Don't blame me! It was just a ransom!"


Let's clear one thing up: Fraud is still illegal, and I have never suggested that we legalize fraud. If you're using "ransomware" as a pretext to fund terrorism then you should go to jail- but a prosecutor should be able to prove your guilt. If, however, you pay a ransom because you are a legitimate victim then that should not be a crime.

Most these "what ifs" get close to solutions in search of problems. Instead of ensnaring innocent people in the hopes of catching people who intentionally commit fraud and fund terrorism, let's use the laws we already have on the books to do so.

Edit to address the bitcoin issue: While a bitcoin transaction is hard to reverse, knowing the wallet addresses of terrorists and being able to track their bitcoin transactions would be a huge win for the good guys. And when that bitcoin inevitably gets turned into useful currency it will be another opportunity to track them. I don't think ISIS would move a billion dollars through bitcoin anyway, they'd probably pick a different method. That kind of transaction would be super hard to deal with and the network would get stressed to the point that trying to sell a billion dollars worth of bitcoin would ensure that it would be worth a lot less than a billion dollars.


> By the way, another other dark side of making paying ransoms legal is that transferring money to a terrorist group (just because they support it) now has a plausible deniability: "Don't blame me! It was just a ransom!"

Only if you assume that federal law enforcement agencies are a bunch of rule-following robots incapable of rational deduction.


If you think federal law enforcement isn't plagued by extremely dumb mistakes you are in for a treat: https://www.abc.net.au/news/2017-05-17/fbi-james-comey-trump...

No, that's not what I said. I'm saying that the feds are not going to go "Shit, this guy with ties to violent Islamic groups just sent $50,000 to Al Qaida, but he said it was to ransom the files on his PC! Our hands are tied!" That's not how the law works.

Is that dark side something that has actually happened?

It seems weird to talk about ‘making ransoms legal’ or ‘allowing ransoms to be legal by default’, as if someone has decided it. That’s not how laws work, at least in the US & EU. Laws can only limit rights, there aren’t any default restrictions.

Italy tried to make kidnap ransoms illegal, and it’s controversial, but there have been some high-profile cases of it backfiring. https://www.independent.co.uk/news/kidnap-makes-an-ass-of-it...


No dude youd end up arresting and trying people who do not deserve literally anything that was happening to them.


Just the first year at most, then word spreads around that paying a ransom is as bad as asking for ransom and as people stop paying them ransomers stop doing them due lack of money on that criminal enterprise.

So many innocent people pay ransoms. Any politician who pushed though that law would get destroyed by the press the first time the government imprisons some sympathetic person who panicked and paid a ransom to keep their nudes from being sent to their family.


Or the government has a word with the Tabloids who would love to run headlines "CELEB X'S KINKY SEX TAPES..."

Before Sarkozy, that was France policy for hostage takers: the only thing you will receive is the GIGN. Caused a few loss but was generally considered an overall good strategy. Then Sarkozy started paying ransoms and abducting French in war zones started being profitable instead of calling for trouble.


> Any reason laws can't be introduced making it highly illegal to pay a ransom

Yes, there are many reasons. You seem to adopt a highly deontological ethical stance. But in actual decision making, being pragmatic, showing some grace by being human and making hard compromises, and at the same time being utilitarian are often more rewarding. For example, governments all over the world have (often secretly) paid ransom money for kidnapped citizens. If they couldn't do that any longer, because it is illegal, then that would doom the fate of many kidnapped citizens.

Elected officials should make reasonable decisions that minimize harm and costs and should be willing to make compromises, not brag with their iron fist policies no matter what the consequences are. (That's just my personal opinion, of course.)

> After all paying a ransom is very literally funding terrorism

Do you have any proof for that claim? If not, then you are merely watering down the meaning of the word "terrorism". AFAIK, these ransomware attacks are conducted by ordinary criminals, not by terrorists.


He's saying that the ransomware attack is itself a terrorist attack.

It's not, it's just robbery.

When everything is terrorism, nothing is terrorism.


San Francisco just declared the NRA to be a terrorist organisation, thereby instantly creating millions of terrorists - many of whom joined the organization not for poltical reasons but because you have to in order to shoot at certain ranges or to participate in safety classes or shooting sports.

Sure, but he's also saying that paying any ransom should always be illegal. To completely overexaggorate - if after hitting the first tower of World Trade Centre the terrorists said "pay us $100M or we'll hit the other building" then the logical solution is to make sure they get that $100M immediately. They have already demonstrated the ability to hit one building and kill hundreds of people by doing so - whatever price they name for preventing the second attack should be paid. Of course, we need to apply good sense to this - whole paying ransom to save human lives is a good idea, we can have a discussion about paying ransom to save computer systems. I can see an argument being made that if it isn't paid, the city's welfare system stops working and the people in most need do not get the support they require - so resolving the situation quicker by paying the ransom can be the moral thing to do.

> then the logical solution is to make sure they get that $100M immediately.

What? No, that's not the logical solution. Have you considered the consequences of paying that money beyond the immediate deaths? You've suddenly put a real price on terrorist attacks - as in, if I decide to go through with a terrorist attack after 9/11, I know that I can extort the country for anywhere up to $100m. Hell, everybody with a grudge against the US suddenly has massive financial incentive to carry out attacks against the US. How many more people will die because you've decided that it's okay to pay terrorists?


They don't just disappear- the money is probably going to be marked, the people will be eventually traced and dealt with. Money is very traceable.

There are plenty of people with a grudge against the US, some of them quite rich. US foreign policy made sure of that. Extra 100 million would make no real difference. The thing stopping them is distance to US and threat of deadly force.


>Any reason laws can't be introduced making it highly illegal to pay a ransom, with serious criminal repercussions (same for government officials doing so)?

Technically no, but pigs will fly and the state police will stop abusing the overtime system first. Massachusetts is not known for passing laws that reduce the ability of government officials to do as they see fit and of the possible reasons to pass such a law "we gotta be responsible with taxpayer money" would have everyone crying with laughter on beacon hill. The idea of criminalizing paying a ransom for the common man is bad for reasons other commenters have stated. There is exactly zero chance of MA making it illegal for the government to do something peasants can do.


For anyone still reading this, I found this interesting article summarizing some of the subject:

https://www.ibanet.org/Article/NewDetail.aspx?ArticleUid=780...


I’ve seen too many laws passed with the best of intentions but lead to the imprisonment of the wrong people.


Switzerland has such laws.

That sounds like whitewashing to me, to be honest: The city were willing to pay a ransom, and are now trying to make it sound like a shrewd move instead of negotiating with criminals.

Restoring a backup they already had?

Get outta here


I wonder if they just didn't check their email or were on vacation that day. That is a HUGE payoff to just ignore.

> They didn't say no.

Most likely they don't know english and only have pre-written formats to talk to the victim.


I don't understand what I'm reading here. Why did they offer to pay $400K to recover ~100 PCs if they had backups? Was it so expensive to restore those PCs?

I guess the good news is that we can now sell backups as "anti-ransomware" cybersecurity.


>Why did they offer to pay $400K to recover ~100 PCs if they had backups?

"Backup is lets says weekly and someone high up the chain really wants the power point he put together on Tuesday." is probably what happened in my experience.


Which sounds ridiculous to me - on Macs you have, available to all users with a reasonable GUI, TimeMachine which is basically hourly backup (though i don’t know if you can make old ones effectively immutable).

But if you know how to run a script (and hopefully anyone administering a 100 computer network does), at least on Linux / Mac, you could use bup or borg or a few others to have effective immutable hourly backups that take almost no space - we do that where I work. I’m sure there’s something similar for Windows.


In this case you can still lose hour worth of data. Multiply this with whole city/company scale. Paying a ransom for preventing this much effort going waste would still worth something.

Then these are incompetent people who forget to multiply the cost of the ransom by the amount of times it will likely repeat if they don't refuse to discuss with abductors.

It's like saying "why would we put this guy is jail? He's committed a crime but it's done now". Yeah, sure. Except without a deterrent he'll do it again tomorrow. This is the same except it gets rid if the motive instead.


There are such products for Windows, it's even built in. It requires the sysadmin to set it up though, and therefore is non functional in 99% of deployments.

Snapshots (not incremental nor differential) that take space proportional to change (1 byte change in a 5GB file takes 10K or so in backup, even insertion/deletion), built in to windows? How is it called?

TimeMachine in macs has a similar feature set notably lacking proportional space (insert 1 byte anywhere in a 5GB file and the snapshot takes an additional 5GB)


Can't say I'm sure about the actual space usage, but the subsystem is "Shadow Copy". https://en.wikipedia.org/wiki/Shadow_Copy

That’s a low level mechanism that is used to implement consistent backups, (comparable to e.g. LVM snapshots for any file system or ZFS/Btrfs snapshots) but it does not offer anything directly to end users. The venerable built in NTBackup (afaik the only built in user backup system included in Windows) is better than nothing but is a far cry from Borg/Bup - it is practically infeasible to snapshot e.g. every hour.

> "I decided to make a counter-offer using insurance proceeds in the amount of $400,000, which I determined to be consistent with ransoms recently paid by other municipalities," Mayor Mitchell said during a press conference (image above). "The attacker declined to make a counter-offer, rejecting the city's position outright."

Because that's what they had an insurance policy for.


Just because they made a counter-offer doesn't mean they intended to actually send the money to a criminal.


Right? I saw the line above about giving away taxpayer money. Um...no, only in that while the money originated from taxes, it actually paid to hedge against risk (and the cost of insuring up to 400k is probably significantly less than that amount - what are we talking, several thousand dollars a year MAX of taxpayer money? Worth it!)

Maybe they first had to verify the backups actually existed like they should and were up-to-date enough


Indeed. I've worked at a big corp where it was belatedly discovered that backups were broken.

A second reason would be to give the attackers reason to pause, in case they somehow had a second bomb to throw, while IT hardened defenses:

>Since the attack, the city has installed additional security software and is developing new protocols.


> Indeed. I've worked at a big corp where it was belatedly discovered that backups were broken.

Ancient wisdom: If you don't test your backups then you don't have any backups.


My thoughts exactly. I bet they did not have any backups for the Forth of July weekend so anyone doing city business that weekend may have to redo any paperwork or payments. Small price to pay to laugh at these clowns.

What exactly are the FBI doing about this. Perhaps if they got off their asses and quit investigating Presidential piss parties they could find this email recipient. How hard is it for the FBI/NSA to trace an email. They just want to cry about going dark instead. If foreign put a CIA hit on the computer terrorist.


I guess the good news is that we can now sell backups as "anti-ransomware" cybersecurity.

Backup software has been touted as protection from malware and cyberattacks for a very long time.


Except now there is a more visible dollar sign attached to it. Before, it was hand-wavy what-if scenarios, now you can actually point at real world examples.

> if they had backups?

I would put a delay in ransomware so it sneaks in weekly and monthly backups, and only then trigger it. If stuff gets restored, sneaked warez will activate again. I bet backups are overwritten after several months.


Such a thing is likely to happen but it is much more target specific (e.g. my office backs up data, not code, so you would have to find something scripted that’s in use for that to work on my office) so it will likely happen only if the Low hanging fruits (generic attacks that need much less customization) aren’t lucrative anymore.

> my office backs up data, not code

No user's apps? No Registry? Ok, sneak it in Word document then. This delay thing can be applied wholesale, not targeted.


everything is backed up for reference, but only data is ever restored.

Macro execution is supposed to be disabled on Word/Excel, though I trust that less (and there’s always the issue of some unpatched/zeroday); however, to go through here is more expensive for attackera because much more individual targeting and customization is required.


It is difficult to imagine people who are heavy Excel users being ok with macros being disabled wholesale.

Indeed, they are not heavy excel users. Which is sort of the point: the need for targeted attacks greatly reduces and segments the addressable “market” for the bad guys.

Nah. Point stands, attack can survive the restore inside Office docs because macros are generally allowed.

Good practice. I'm just playing around, devil's advocate.

I think the next paradigm shift is going to be state-synchronization algorithms that make it easy to be eventually-consistent across many peers, all while keeping data encrypted end-to-end. The threat of a data ransom disappears when centralized server role is de-emphasized, and participants all have copies of their data/work (and potentially others' data/work, encrypted).


Why not make it a crime to pay the ransom demand for cryptolocker attacks? This way the flow of money to these gangsters will stop.

If you get hit with a cryptolocker and you have no backup you simply lose that data. Or you can pay the ransom, get your data back and go to jail.

While this might seem unfair, it might stop 1000 other attacks because there will be no money in it. It would be for the greater good.


Why don't we make getting mugged illegal while we are prosecuting victims. If you give your wallet to a mugger, you go to jail. Then no one mugs anyone anymore, right? /s

People pay ransoms because they want back whatever is being ransomed. Making it illegal to pay the ransom isn't going to stop that. It will just push everything underground and make it harder to catch the ransomers.


Because getting mugged isn't a choice that somebody makes. A closer analogue is criminalizing paying kidnapping ransoms. Which is a crime in several developed countries, so as to disincentivize kidnappers.


Technically it is illegal in the US, at least if the kidnapping organization is labelled as a terrorist group. However, as far as I can tell, no one has ever been prosecuted under this law.


If you think that getting hacked is a choice that somebody makes, you have your perspective way out of whack. Computers are hard.

I don't think my point way conveyed correctly to you. Getting hacked is not a choice and should not be criminalized. Paying ransomes to hackers is a choice and there are good reasons to prohibit that to disincentivize hacking.

Giving a wallet over while being mugged is the analogy to paying the ransom here. Having the knife brandished in your face is the analogy to the hack.

Not saying I agree with it either way, just pointing out that y'all appear to be talking past each other.


Its not really a good analogy.

If you get mugged you are coerced to give your wallet, on pain of _much_ greater punishment, usually the greatest there is - death.

If your company’s data is cryptolocked, you are coerced to give money on pain of getting that data lost.

The difference is that the punishment for non compliance is much different.

If you made paying a ransom in this case illegal you would actually promote better backup/restore/security practices, at the cost of sometimes loosing data.

If it was vital for that data not to be lost then not having adequate backups is a _much more_ serious problem as that data could be lost for different reasons. And you’re funding organized crime which has very bad downstream effects.

If you had to make a more adequate analogy, imagine someone stealing your personal documents then demanding money to get them returned - you should have a strategy to restore those in other events like fires and stuff, so you might pay money, or not. But if you do you encourage future theft like that for you and others, and that money might be used for some other, usually nefarious stuff.


That personal document could be life and death for some people. How do you determine what is the value of data being hacked. E.g. For a hospital if patient data is hacked it could mean life and death situation.

Nobody's life is ended by the leak or destruction of any document. How does a hospital patient record getting leaked or destroyed kill anyone? A leak means private data is being divulged and that's not good but it's nowhere remotely close to murder. Deleting medical data means that the doctors need to get that data from the patient redundantly, which causes a drain on hospital resources but again it's not remotely close to murder.

If, say, the mafia threatens to assassinate someone if a document is leaked and a hacker obtains and leaks it the hacker still didn't kill anyone - the hitman sent by th mafia is the killer. And regardless that this kind of situation seems very far fetched.


I think the question then becomes if it's a life or death document why would you only have one copy and store it in a relatively insecure space?

No, because getting hacked does not threaten your life. Getting mugged does, th victim is acting under threat of injury or death.

Someone getting hacked is only acting under the threat of information or access to systems being released or eliminated. There is no immediate threat if force. Sure, if you want to get pedantic someone might hack a power plant and threaten to blow it up, but I've never heard of that happening and it's far, far different from the overwhelming majority of hacks.


No, paying the ransom is the choice.

As an example of nuances in Italy once there was strict law regarding ransom for kidnap cases that would immediately freeze all bank accounts of your close relatives.

This did not make it illegal to pay ransom and also gave the victim family a reasonable justification for not being able to pay.

Compared to just putting the victim between a rock and an hard place it looks like a nicer option.


> As an example of nuances in Italy once there was strict law regarding ransom for kidnap cases that would immediately freeze all bank accounts of your close relatives.

This seems so absurd. Freezing banks accounts cause so much issue to everyone involved, you just made an incentive not to declare a kidnapping and trying to solve it without interference from the police.

For sure you'll see much less bar if you make drinking illegal, but believe me, they are still there ;).


> you just made an incentive not to declare a kidnapping and trying to solve it without interference from the police.

the same as the other method proposed.

> you just made an incentive not to declare a kidnapping and trying to solve it without interference from the police.

agree, but this does not make it illegal to pay, it just forces the ransom to be delayed so that the police can investigate. If the family manages to get money in another way then they can choose to pay.


Mugging involves threat of physical harm. Getting ransomeware'd doesn't, and if cities stopped paying then this kind of attack would stop. It's more like outlawing giving muggers your wallet when you're dressed like Iron Man.


I'm not sure why the distinction between physical and virtual harm is relevant. Physical harm is valuable for a person to stop because their life has value to them, and virtual harm is valuable for an organization or person to stop because the virtual assets being harmed have value to the organization or person.

We could get into the monetary value of a life and whether a sufficient amount of virtual harm, especially when that virtual harm might reasonably translate into a life (emergency systems, insurance payouts, etc.), but I don't think we even need to.


The difference is the mugger gets your wallet one way or the other. The only difference is if you survive to tell the story. The ransomware attacker is only rewarded if the victim capitulates.

Edit: On the other hand, if the counter-factual was a mugger at an ATM demanding you enter your PIN, that distinction doesn't exist. So maybe you're right.

Maybe the right answer is to outlaw paying the ransom except to save human life, but also create a federal fund to compensate victims of these attacks.


I don’t like this argument: if the ransomware takes out emergency dispatch, hospital systems, etc it gets much closer to what you’re claiming.


That's assuming attacks that are specifically targeted instead of a scatter approach. If the latter, then it will only stop when the perceived potential for payout worldwide drops low enough.


What happens if the ransomwares don't stop? Do you spend a bunch of money on investigations to see if some thousands of small towns or little agency somewhere kept if quiet because the cost otherwise is huge? Up the fines the tax payers will pay when they get caught?


You might be right for private individuals, but it's much harder for a business, let alone a municipal government, to pay a ransom under the table and get away with it.


Or easier, because the government can get away with a lot. Either way is speculation


I think a viable alternative would be to flow the cost down to the elected or appointed officials in charge who created such an environment.

The town should have bylaws to force resignation and emergency elections in the event that this happens. Then the town should have legal precedent to bring the administration to civil court for damages. The town administration, personally, should be collectively on the hook to the town the cost of the ransom.

It really does amount to a dereliction of duty.


It's not being the victim of a crime that would be illegal, it's the response to it.

If you are attacked by an unarmed person and you shoot them while defending yourself it's fairly common for that case to go to trial to test whether the homicide was justified. Presumably people have gone to prison under just those circumstances.

You could quite easily frame a law around justified ransom-paying, how fair it would be is unknowable.


Municipalities that don’t have backups aren’t the victims. Taxpayers are, and if they stop paying ransoms, they won’t be victimized any further.


It seems like a terrible misuse of state power to further punish people who were the victim of a crime.

Also notice that this won't necessary ransom payments. It will raise the cost to: 1. The victim who pays with jail time. 2. Society who spends time investigating and jailing victims.

Notice that ransomware authors are not on that list.


I was assuming they are already commuting a crime.


> It would be for the greater good

I'm not so sure. We're nearing an interesting equilibrium where insurance companies pay ransoms, thereby taking an interest in the security of their pool, while attackers probe for vulnerabilities.

Put another way, we have a pen testing group being paid by a digital security group. If the net result is better security in exchange for the insurance "tax," that could be a modest improvement.


Is there any evidence the insurers are actually driving increased security? Do their policies require certain security standards or backup processes? If they do, it's not a bad start.


Matt Levine wrote a little on the perverse incentives of insurers in this case: "This creates weird incentives. [Insurers] want the risk to be big and dangerous and salient. [Insurers] want everyone to worry about it all the time, so they [get] lots of money for premiums. Then ideally [insurers] help clients avoid the risk, so that [Insurers] can keep more of the premiums, but basically it is a volume business and [insurers would] rather collect more premiums and pay more claims than have fewer of each."

Scroll down about 2/3rd to the "Insurance" heading for his complete comments: https://www.bloomberg.com/opinion/articles/2019-08-27/the-li...


It’s not black/white as having backups solves ransomware attacks. All that the ransomware must do is lay low long enough that the oldest backup is likely to have occurred after the infection, hence containing it.


Backup systems should not be executing the data they are backing up. It would be easy for the ransomware to get the backup system to make a backup of the ransomware. It's much harder for it to then execute itself on the backup machine/wherever that data ends up.

For a ransomware to propagate that way it would have to employ multiple exploits against unknown operating systems, and against computers managed by people who should have some idea about security rather than just the desktop of a random employee. In many cases you'll be backing up to storage provided by a 3rd party who simply don't even offer the capability to run code, or permanently delete data programatically.


It doesn't need to execute on the backup system. It just needs to execute again on the target system, after being restored from the backup.

Running "low and slow" isn't a tremendously good strategy for ransomware. Slowly encrypting data over time is more likely to get caught and stopped, versus "shock and awe".

I'm waiting until ransomware starts leveraging the encryption functionality in common backup systems. Not many sysadmins would notice if their backup encryption keys were changed-out for 6 months and deleted at the same time that the "encrypt all the data" event happened. (The only Customers I've ever worked with who were already doing air-gapped backup verification were regulated businesses in the financial sector.)


I wonder if it might be worth it for the compromise to lie dormant for a while though - if the compromise was injected nine months ago and a ticking clock was started then full image backups will essentially be useless - as soon as the image is restored then the attack will re-trigger. This probably lowers the domain that can be effected because many potential targets won't have vectors that could be compromised in a compatible manner.


They wouldn't be useable as full image backups, but if the data had not been encrypted yet, then that data is stored somewhere in the image and can be recovered, albeit perhaps with a lot of work.

If you use thin clients or at least require all files to be stored on a centralized server, then no matter how many hundreds of PCs were affected, you'd only have to go through on set of images.


Yeah, I was going to say: the last company I worked for sent their backups off-site on a nightly basis. They were also often requesting old tapes to be pulled in for the next night's delivery/pickup so that they could test against old data.

It would be pretty hard to get your ransomware to encrypt all those offsite backups sitting in a vault somewhere.


For whole system backups only. If you just backup the data then it doesn't matter if the ransomware is there as data - data can't execute without some actor who runs it, be that the system or a person.


Executables should not be part of a data backup and recovery plan.


I read in a scifi book, I think Larry Niven short story... The wealthy elite signed contracts to the effect that regardless of the demands of kidnappers, no ransoms would be paid by families or estates. Once news of the contracts became public knowledge the rate of kidnappings plummeted.

Of course, at the start a few hostages were sent back to families piece by piece. But word did get around after that.

So instead of straight out crime, contracts if implemented globally, nationally or even statewide, might be a solution. I'm probably overlooking something :)


Probably that in real life the US position of "we don't negotiate with terrorists" might not be helping:

> But the data just doesn't support it. Kidnapping is really a crime of opportunity. And there is no evidence or very little evidence to suggest that kidnappers are checking passports, and your nationality is going to determine whether you're kidnapped or not, regardless of the particular policy that your government has.

https://www.pbs.org/newshour/show/why-u-s-policy-toward-nego...


I'd be very surprised if such a thing would work outside of fiction. Nobody feels more entitled to break the rules than the wealthy elite, and very few people in the situation of having a loved one held hostage are going to stand on principle. As soon as one has paid, the bluff has been called.

If you really want to game-theory this out...

Why not enact into law a limited immunity for any such ransomware that (a) only charges a modest amount for decryption; (b) never exfiltrates private data to elsewhere; (c) after payment, reveals all security lapses that allowed penetration?

From a certain perspective, ransomware identifies & forces correction upon institutions that have been careless with their security or backups. Truly nasty attackers could do even worse: stealing & reselling data, or leaving silent long-term compromises in place to bleed targets more extensively.

So, carving out an safe harbor for "uncontracted vulnerability discovery & remediation" via the payment of modest ransoms could be a socially-efficient policy, aligning incentives of many participants: targets, the customers of targets, and grayware authors.

Perhaps, the whole process could be automated even without explicit support from lawmakers: leave an appropriate crypto balance, on the systems at risk, in a conventional place. It'd mean: "If you can see this, we know we've screwed up – but we're OK with you taking this amount, and no more, if you close the hole behind you & leave us a note of what we did wrong." Viewing the movement of that bounty on a blockchain would be a public disclosure of the compromise, and gray-hat actors that confined their activity to the collection of such bounties wouldn't need to fear criminal prosecution.

(Hmm, maybe we should just put private-keys controlling small bitcoin-balances into any free-form fiels of our records with typically-careless institutions – so we can independently sense when our private data has been accessed by dishonest actors – whether institution insiders or hackers.)


Why not enact into law a limited immunity for any such ransomware that (a) only charges a modest amount for decryption; (b) never exfiltrates private data to elsewhere; (c) after payment, reveals all security lapses that allowed penetration?

We can't even hold commercial software developers to enforce secure coding standards, yet we're expected to trust anonymous malware writers to write code that is proven to not exfiltrate data and trust that they are ethical enough to reveal all of the weaknesses they found?


You can still capture the malware in honeypots & analyze its behavior – and try all the investigation and enforcement methods currently used.

But, those grayhats seeking to use this safe-harbor would be more open about their identities & methods. They can even deposit their earnings into KYC'd bank accounts!

So imagine some bad-faith actor pretends to be complying, but then turns out not to be & tries to double-dip – taking both the conditional bounty, and more. Such people will now be competing with other hackers who are playing by the rules – leaving the nastier actors fewer open systems. And anyone who seems to obfuscate their identity/methods will stick out as a likely bad-faith actor. Thus I'd expect they'd be a lot easier to catch, and have more to lose, than in the status quo.


yeah why not hold the original software manufacturer responsible for the defect, like every other industry

But the ransomware attackers are already breaking the law with greater proceeds. Why would they stop and decide to play by rules that require them to do more work to make the same pay?


Yes, but they're still facing some risk of criminal penalties. This removes that, in return for more orderly behavior.

To some extent, the current risk of criminal penalties will cause them to be more damaging. What they're doing is already illegal; why minimize collateral damage? Why not try to double-dip, both stealing data and encrypting it? Why not disappear if there's any risk of discovery, rather than follow-through with decryption keys and information about plugging holes?

Also, the current regime means only "criminal"-minded people are performing this activity. And yet, the activity still has some positive side-effects! It causes organizations to close security holes (which could put their customers' data at even greater risk) and improve backup procedures.

A limited carve-out for "responsible" vigilante penetration-and-remediation would allow other more-law-abiding operators to participate in this activity, with more responsible practices. (You could do this with your real name & put your wins against name-brand organizations on your resume!) This should lead to flaws being more rapidly discovered & closed, and perhaps at less cost and collateral damage than the current legal regime – which, after all, isn't doing a great job of catching perpetrators or assigning accountability to vendors and IT departments after incidents.


They're already doing this - ransomware attackers are astoundingly good at acting in a collectively beneficial manner. Most ransomware attackers will go out of their way to make sure you're able to decrypt your data because they know if enough people can't then no one will pay their ransom.

The selfish and optimal play in this scenario is to be among good-actors using ransomware and never both with the effort of allowing users to decrypt their data, but surprisingly few people are acting this way - enough that most companies have confidence gambling that the criminal that just compromised their system will act honestly. It's seriously astounding.


It would require responsible enforcement - how many people who have had their bike stolen have gotten a non-committal response from the cops and then found and tried to recover their bike after some trivial googling and searches on craigslist?

If the policy were responsive and funded to the point where individuals outperforming them by putting in some effort was a rare thing then it might be reasonable to impose a fine for giving in (as it encourages more crime). Right now ransomware is thriving on the fact that LEOs are too disorganized, underfunded and unmotivated (since this is way outside the domain knowledge of their personnel) but if some serious efforts were made to provide secure recovery snapshots as a public service then maybe we could look at taking this route.

As it is right now ransomware attacks are incredibly common and usually conceded to, you'd be fining pretty much everyone.


I think it might better to make the insurance illegal. That way the money or losing the data really stings. You can't just pay a premium and ignore actually having good security and reasonable backup systems.


Banning insurance in a market that naturally denies it just opens people up to be more arbitrarily singled out by the fickleness of fate. Making payments illegal and requiring people who are vulnerable to ransomware (i.e. everyone) to pay to be audited for good security practices on a regular basis is a more reasonable approach to eliminate the threat - do that for thirty years or so and the best practices for combating ransomware will become common knowledge and standard practice.


> While this might seem unfair, it might stop 1000 other attacks because there will be no money in it. It would be for the greater good.

It wouldn't stop any attacks because the ransomers are already willing to break the law, the only thing that would change is that you'd end up punishing a few victims that get caught paying.

Probably after reporting the crime in the first place, which means victims will be less likely to report it. That hardly sounds like a sensible solution, or any solution at all because it wouldn't affect the actual criminals at all.


I was surprised to hear there is not already a law/policy against taxpayer money being used to pay known criminals. How is this different that the city paying off the mafia for protection?


What happens when a hospital gets hacked? This law could kill people.


"I recorded all our conversations and your Bitcoin transaction tied to your Coinbase.com identity."

Now the attacker can extort twice.


All that will happen is that victims will be afraid to go to the police, and hackers will be even more emboldened.

Which country are you suggesting implements this? Every country on earth?

maybe we should just put the FBI in jail whenever they don't catch them in the act


> simply lose that data

Maybe the worst use of "simply" ever.


Do I read this right? They offered to pay $400K even though they had backups to restore their data from? Does this mean that the restore operation cost more than 400K or was this an incredible sample of laziness?

They'd rather pay the ransom to a criminal than invest the time it takes to restore backups?


Even with good backups and a prompt recovery, you could be looking at losing a day or so of data/work across the affected organisation. If the system had been backing up encrypted files for days/weeks then there’s a much higher cost to restoring from older backups

Making sure the systems are actually clean after getting the files decrypted costs too though. The comparison would be (due diligence to make sure systems are clean + ransom) vs. (restoring backups + lost work).

"Restore from backup" really ought to be the default response to ransomware. That will probably never happen though...


It's very liberating to know you can do this. You can sleep at night knowing your confidential data is safe. From a business continuity standpoint, worst case scenario you get a new machine, restore, and you're back in business. When I trade-in my work laptop for a new one I love the feeling of handing them my old one, picking up my new one, and not looking back. Works just as well for ransomware, other viruses, ruined hard-drives, etc.


> It's very liberating to know you can do this. You can sleep at night knowing your confidential data is safe

If ransomware was able to infect the machine, then I doubt the data was safe either


Exfiltrating is insanely more difficult especially of "the useful stuff" - and even then you have to sell it or use it to embarrass your target, it's pretty difficult unless you target people ahead of time - easier to just interrupt business.


All my data is in Dropbox, with a few helper bash scripts that I run from time to time to sync a couple choice filters. Otherwise, I interact with it on the website. Ransomware would have to be extremely targeted just to me to cause any issues. Security by obscurity. :D


But whatever attack vector was used is probably still wide open on your machine even after restoring a backup. Most people will just get infected again straight away.


Well, maybe. On the other hand forcing someone to update often reveals that updating does not in fact break the world, particularly in linux-land where API updates are supposed to not break userland. Many times users who don't understand the risk incorrectly assume worst case scenario.


See also Matt Levine's take on ransoms (scroll down):

https://www.bloomberg.com/opinion/articles/2019-08-27/the-li...

And the linked article:

https://www.propublica.org/article/the-extortion-economy-how...

Tl;dr: perverse incentives, paying some ransoms is in the interest of cyber crime insurers, as it expands the cyber crime insurance market. Also there's more ransomware crime now that the word is out that insurers do pay out ransoms.


I wonder if a law that you can't pay ransom money for files should be passed.

This should work to take any government and larger companies off the target of these groups as they are likely to obey these laws. Kinda like the we dont negotiate with terrorists approach.


Yep. I'm actually surprised it isn't already illegal, given that the money is likely being used to fund organized crime, rogue states, etc.

Not only that, there's money to be made by insiders leaking (or even creating) security holes for the hackers to exploit and then getting a kickback.

Absolutely.

It's sort of the same as the "We don't negotiate with hostage-takers" policy. Once you negotiate, it's now a strategy known to work and you'll signal how good of a tactic it is.


Exactly. It's going to incentivize more hacking

NetApp has a solution for all of that: Cloud Volumes ONTAP is a virtualized storage platform running on AWS, Azure, and Google,it consumes native cloud resources and it provides NFS/CIFS/iSCSI.

Cloud Volumes ONTAP has the best snapshots out there, immutable and without any resource penalty. you can take any size snapshots (or restore) in seconds. you can also create clones out of these snapshots, so you can check if that data been affected or not, again in seconds. Adding to that Cloud Manager's Ransomeware protection that blocks known Ransomware files.

In short- this is the best solution out there for any hybrid/ cloud and it can actually be cheaper than free, if you have enough capacity, due to all of its storage efficiencies like dedup, compressions and compaction, with auto-tiering of unused blocks to the checper object storage,.


So they offered $400,000 for restoring what was most likely a week of lost work for 158 employees. That works out to $2,531.65 per employee for that week. Is the average salary of the compromised employee $131,645.57 ($2,531.65*52)? It sounds like the town was just willing to throw a lump of cash at the attacker based on what other victims had paid with no regard to what the lost work was actually worth. I know the attacker did not accept and it allowed them to strengthen their security and etc., but it bothers me that the attacker could have just gotten a $400,000 payout. It’s almost as if the moral of the story is “even if a town government had backup system in place, you can still pull in a few years of income with a ransomware attack!”

You would lose more than a week of work if your entire team is no longer doing this week's work to make up for last week's.

Let's say they instead of doing this week's work, they do last week's, next week they're still a week behind and you have to start paying 100+ government employees overtime in order to regain the catch up on the remaining week. This could take a while to catch up and be incredibly expensive.

The $400,000 wasn't taxpayer money it was their insurance companies offer to make this go away.


Local government work is mostly cyclical and the "customer" is captive. It's not the end of the world if they bill someone a day late or have to re-add the new librarian to the payroll system. It's not like people can up and switch to a new government because they don't like the quality of service.

Based on having grown up in the region and having, um, "connections" to state and local government I think it is highly likely that their desire to not throw out work was based around reasoning around how their public image would be affected if a batch of fines/taxes/fees/bills had to be waived. Cutting people (collectively, waiving something on a case by case basis is fine) a break because the government screwed up is kind of a non-starter because of the possibility of setting a precedent.


That assumes the work is repeatable.

It also assumes no one but the employees would have to put time into recreating the repeatable work.

For example, people turning in documents in order to get permits. Now they'd have to figure out which ones were lost and regenerate them. It adds up.


I guess accepting it would set the precedent that they are easy to lowball? Also, it might even be a lower sum for the city, if they need to redo the work, the employees will already know more or less what to do and it might be faster.

Could somebody contextualize how targeted this particular attack really was?

According to random Google result #1: https://www.2-spyware.com/remove-ryuk-ransomware.html#qm-h2-... the specific malware distribution is unclear but likely involves email attachments and/or vulnerable and exposed RDP.

While reporting on ransomware cases often sounds like targeted APTs, more often than not the details in these stories read like "we didn't bother to pay enough admins to actually patch and secure our systems" and "we didn't train our users not to click on every random attachment".


It sounds like they played every card right, and that's probably not by accident. I'd be fascinated to see a case study made out of this - especially with a breakdown of how they performed against their CSIRP - because there's no way they didn't tabletop that plan at some point, and it paid off in the end. Sort of like insurance, eh?

The city was extremely lucky the attackers played their hand too early. If servers had been encrypted it could have a lot worse.

Restore from backup isn't as easy as it sounds, well done to a disaster recovery plan that actually works

Honestly this success might encourage city governments to make sure their backup systems work better.

The counter offer of 400k was presumably the break even point for the cost of losing X days of work (depending on what was lost that could involve manually recovering things like tax payments, billing, tickets, etc)



The real solution is for them to hire out for their ops. No reason these rag tag city governments should store their stuff on-prem. Until then these okie dokie city bureaucrats will keep getting pwned.


I don’t know about that. They’re always going to have endpoints; maybe it’s better that they don’t get sucked into a multimillion-dollar AWS contract they didn’t need? I agree that they need better IT consulting (similar to many small businesses, I would think).


Yes but the attack surface would be much smaller. I think most cities have in-house IT employees running everything. Someone on the same network as a secretary has shell access, in other words. This is how most businesses were operating their tech 20 yrs ago, but government is always 30 yrs behind.

It doesn't need to cost a lot. What does a city need? Email, calendar, office apps, VoIP, file sharing, static website (basically GSuite). All of these have open source Linux solutions that cost nothing.

RedHat, Palantir, or some other would be happy to take this contract. It's ok to use contractors to kill people but not run computers?


Maybe the federal/state government should offer some of their generic services and allow wrapping for smaller cities.

This assumes at least one higher government body has technical chops and could reasonably extend their codebase. The cost could be paid by the equivalent of what would go to the ransom


That's a good point. The savings of not paying future ransoms would justify the expense.


Ok, but city governments are frequently very large, which means bringing in an outside contractor will be very expensive. Remember that every level of contractor adds additional overhead in the form of city funds being shifted into company profits.

For a small city, then yeah outsourcing might make sense. For a large one? Probably not.

The maths for cost is very simple: every person the contractor brings in is being paid for by the government, but now in addition to paying those employees, you also have to pay for a separate set of managers, and executives, and finally the business markup for profit.

If your org is large enough there is no way outsourcing is cheaper - it may be “easier”, but it inherently must cost more.


New Bedford city government has no reason to be that large though. Boston and some of its most urban suburbs maybe, but certainly not New Bedford or any of the other small cities in MA.


I have to hand it to New Bedford, it is a poor City and they know how to run an IT dept, esp. compared to what larger cities do. So they should give their IT dept a nice bonus and maybe educate other gov. entities.

>If your org is large enough there is no way outsourcing is cheaper - it may be “easier”, but it inherently must cost more.

I would agree with this if you were talking about a real business, but this is government. An island full of 14 year olds can't be trusted to operate a power plant, even if they outnumber the employees of Pacific Gas & Electric. It's not a choice between outsource vs insource security, it's a choice between security or none at all.


You're missing the point - there is a company that has employees that can [ostensibly] do the job you need. It's a free market so you could directly employ those people, and in that case you get the same level of expertise and you aren't paying for the outsourcing company's overhead.

Obviously employing those exact people may not be possible, but theoretically a large enough city can draw others of similar skill.


Why are we talking about large cities? New Bedford is under 100k people, and the parent post said "rag tag city governments" not large cities.

not sure how you are getting that from this one - sounds like this 'rag tag' govenment didn't get powned (completely) and was able to rely on good it practice to recover with minimal impact..


They got the victims' hard drives. Regardless of what happened besides that, that's a pwn.

What if the police chief had emails admitting to bribes or worse stuff on his pc? What if the hacker had an enemy he wanted framed and arrested?


>What if the police chief had emails admitting to bribes or worse stuff

Unless he's admitting to doing something that is directly counter to the platform of the ruling party (e.g. aiding ICE, rubber stamping CCW permits, racial profiling, etc) nobody would care. There would be some token outrage but it would mostly be business as usual. This is just how MA works. There's very much a "well that's government, nothing you can do, no sense getting bent out of shape over it" attitude by the majority of the population in MA.

For example, the state police overtime fraud is a recurring (every 1-3yr or so) "scandal". The latest instance is basically out of the news already.


Cryptocurrency is hardening IT infrastructure.

Paying hundreds of thousands to restore 158 backed up machines would be absurd. Surely a week of work for those 158 employees isn't worth that. They've gotta put a financial analyst on these issues, and not leave it up to panicking executives.

And look at how greedy the attacker was. Missed out on a 400k payday.


I would like to see your calculation for that.

My current company is much smaller in size and had 2 ransom attacks that I saw happening (in ~2 years). We use nimble as a backup and it is quite expensive (hundreds of thousands actually, depending on infrastructure) but worked flawlessly to restore all our systems in a short time. You will loose a few hours of work though. Attack vectors are the usual: mail with infected attachment and users with too many rights on documents. The attackers even know names of people working at the company and use correct mail signatures (not actual mail signatures, just the colorful stuff you put at the end of every business mail).

If production stopped for a week, the contractual penalties alone would probably eat up sums like that.


Why is a backup system so hard for people (especially businesses) to understand????


Only other people need it.


> Because the attack happened at night, most of the city's systems were turned off and the ransomware was unable to spread.

I used to complain Indian banks used to allow fund transfers only during working days and office hours. Now I see why it was useful.


Why isn't it mandatory for government orgs to use cloud?

I do not agree they should use "the cloud" but what is all too common is local, city, state, and even federal governments, love to enforce regulations and laws upon others they do not obey themselves.

the first rule of laws and regulations should be, government must adhere to the letter if they are to be enforced upon others seeking penalties if compliance is not met.

it is really difficult to hold government agencies responsible, it doesn't even have to be computer security, just look at the number of cities in the US who violate lead levels in water. even better, in the US, a lot of what happens can be protected from suits by sovereign immunity.

So keep it simple, what is required of private organizations and people is the minimum standard that a government agency must meet


Why would it be and how would you even define "the cloud"?

Key: backup

Do you ... backup?


Kudos to the city of New Bedford!

No Windows no cry :) Seriously, how can one compromised machine (inevitable) infect all others? Isn't there host firewalls on every machine?

If you believe that ransomware doesn't exist for macOS and Linux I'm afraid you've been misinformed.

Well, there is no SMB v1 on either, main propagation bug. Next propagation tools are SSH bruteforce, subnet scan for vuln apps, Domain admin creds stored locally and sniffing NTLM hashes from network interface. Again only SSH and app vulns are viable in non-windows.

I was asked once to do reference design of Windows on AWS. After I learned how many ports has to be open for every machine and all of them had to be in same network as Domain Controller, I quit my job.

> If you believe that ransomware doesn't exist for macOS

Example? I have not seen any.


Absence of evidence != Evidence of absence

but is a pretty good guideline :) If Windows got ransomed every time and MacOS is never, that is interesting, right?

Windows holds perceived monopoly on company-wide identity control. There are Mac solutions: https://www.jamf.com/products/jamf-pro/deployment/



Such as? Everytime ransomware is in the news, it's always something that targets Windows exploits. Even though Linux machines would be a much more valuable target since they usually host production databases and such.

Ya. And upvote my original comment plz, its down to -2 :)

Probably ancient versions being deployed, I still see ATMs deployed with XP.



Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: