> With a U.S. population of ~200M, let’s call it 4M infections/year. We know that 4% of respondents paid the ransom, so that’s 160,000 ransom payments. If we say $200 per paid ransom as a guess, that means the ransomware ‘industry’ is making about $32M a year.
The U.S. population is actually ~327M, but since we're talking ballpark figures, let's just say that ~200M represents the adult computer-using population. It strikes me that ransomware is both much bigger and much smaller than I thought. The 160,000 ransom payments is much bigger than I would have guessed. It's not like being struck by lightning; it's more like a serious car accident. But the actual revenue generated, $32M as he's estimated, is pitiful. There are all sorts of illegal, quasi-legal, and legal ripoffs that generate billions per year. For the amount of attention ransomware gets, it's just noise.
As with most criminal activity, the damage created by it is much larger than the money made. I couldn't find any US figures, but global estimates claim ransomware-caused damages of 11.5 billion USD in 2019: https://cybersecurityventures.com/ransomware-damage-report-2...
> As with most criminal activity, the damage created by it is much larger than the money made.
That's what makes extortion work. If the cost to avoid damage is on par with the potential damage, few if any victims would actually pay the criminal. The extorted amount being a fraction of the potential damage makes victims more willing to pay.
This was calculated by Cisco & Cybersecurity Ventures, who both directly profit from the fear generated by these figures. I do not trust these figures.
This is marketing for CIOs/CISOs to read so they make sure to add in various security features to their BoM for purchase.
Cybersecurity Ventures is not a clickbaity newspaper. They are specialists. Obviously when they publish articles in their domain, it has an advertising purpose but producing shoddy figures would only hurt their brand.
You can't trust everything coming from companies at face value. That doesn't mean you shouldn't trust anything.
I'm guessing the damage numbers are higher because of a number of high-impact city-focused attacks. I live in Baltimore, where all of the city's systems were shut down for a few months over a ransomware attack asking for <100k. A similar attack occurred last year in Atlanta; Wikipedia quotes a demand of 50k & Atlanta estimated around 10M in contractors for recovery.
Long-tail damage to governments and hospitals is definitely part of it - there's very little upper bound on how much ransomware can cost if you botch the response badly enough. And given how much ransomware simply doesn't decrypt if you pay, there's no reason the ransom prices should have any real correlation to the damage inflicted.
The other part of it appears to be some slightly funny calculations. If ransomware shuts down Target's online store for a day, Target might compute the loss based on 24 hours of no revenue, but purchases that go to Amazon, or to Target a day later, shouldn't be added into total "damage". The dollar value being computed there is something more like disruption.
Hm, that's an interesting calculation. I'm glad you added it here, it's a useful reference point, but it does look like some serious sleight of hand was done to produce it.
The report is from 2017, and relies on a 300% increase in the rate of ransomware to get that 2019 cost. That sounds high, but apparently the 2016 rate did triple in that much time (although the WannaCry spike drove a bunch of that).
On the other hand, it appears to be assuming 300% growth in attacks with a constant rate of victimization. This doesn't make much sense alongside stats like "In 2016, an average of 40 percent of spam emails contained malware links to ransomware, an increase of 6,000 percent over 2015, when less than one percent contained ransomware." That's a qualitative change from "not a threat" to "threat", and presumably 40% -> 80% would not double attack success rates.
Further, the damage stat attempts to include subjective costs like employee training and reputational harm, as well as a naive calculation of revenue costs which assumes no revenue lost to downtime will be recovered post-attack. That's a fairly reasonable corporate estimate, but summing it across all victims this way isn't valid at all. Only a fraction of that balance-sheet loss is actual GDP-shrinking damage, while the rest becomes either loss to competitors or value-creating OpEx like security and training investment.
Hilariously, one of the linked Cybersecurity Ventures writeups also claims[1] that "cybercrime will cost the world in excess of $6 trillion annually by 2021, making it more profitable than the global trade of all major illegal drugs combined". It's amazing what kind of numbers you can invent when you compare the societal cost of one crime to the net profit of another. As much as I love William Gibson, I don't think the cartels will be swapping their chemists for programmers within the next two years.
The attention seems to be due to two factors: the high-profile cases that hit large organizations like school districts, local government or hospitals (which are not affected by common scams), and the relative novelty of using cryptocurrency for paying the ransom (though not predominantly, according to this survey; I would guess that using cryptocurrency reduces the yield from the individual users that are the common victims.)
Ransomware can be hard to trace, which keeps risk low, and that means criminals can afford to ask for less money. It's also a benefit to keep the ransoms small enough that people will pony up instead of getting the FBI involved.
For now it may be just noise, but the ransoms are quickly getting bigger and bigger. Last month I facilitated the payment of 3 BTC to decrypt the files.
I imagine these sorts of attacks are more like spear phishing, in that they look for high value targets. No one is paying $25k for the family laptop files, but a medium sized business, perhaps digital in nature, would be quick to pay that price to fix the problem.
Does it actually work? I haven't had a virus in decades to my knowledge, and I stopped running virus scanners back in 2005 or so. Windows Defender is on my computer, but I never run a scan. Maybe it does in the background, but I've never seen anything notifying me about a virus or ransomware or malware.
Not sure about the registry, but it's definitely something you can disable in Group Policy (though Group Policy is only available on Windows 10 editions greater than Home).
I believe Win10 recently added (or is adding) something equivalent to directory-level permissions, so that you can mark applications unable to touch certain directories (like My Documents) unless they've been whitelisted.
It's their ransomware protection. The last time I tried it months ago, it was really aggressive to the point that it made it uncomfortable to work with my computer. Maybe that's necessary to keep people safe, but I had to disable it because basic things like downloading files and opening them with another program simply didn't work. Maybe it's improved since then?
The same thing happened with the introduction of UAC. It may be necessary, though it conditions people to blindly allow as their default reaction, which is really counter-productive to safety.
It actually doesn't provide a prompt. It silently denies access (I think maybe it shows a notification in the bottom right?) and that's that. You have to navigate to the protection settings window in order to whitelist a program. Which I guess makes sense, since if you don't add friction, people will just blindly allow everything as you say. I had problems like stuff not working despite whitelisting, which is what really annoyed me. I would've left it on otherwise.
The short answer is sometimes yes, sometimes no, like with a lot of software. It's not universal protection.
For example, if someone mails you an attachment that you open, there is a program that can find your Dropbox and encrypt all your files... including on your local machine (whatever filesystem elements are linked to Dropbox) and drop new virus vectors on your Dropbox directories. Windows Defender didn't notice when it happened in our office.
Of course you just revert your file folders in Dropbox (machines that are also linked to that Dropbox that aren't the original vector, which should be quarantined) and lose all the work since the last synchronization, but you aren't dead in the water.
It told me a driver I downloaded for my Razer had a virus. I have no idea if it did or didn't. I do know that Razer's website for driver downloads is http, not https.
I have a processing program I wrote that runs through hundreds of thousands of HTML files on a Windows machine monthly, and it is really slow unless I turn off Defender, so I assume it's checking what my program does somehow.
You can turn off (preferably temporarily) the Windows Defender real-time protection (that's the setting name). That speeds up such things. That setting will after a while reset to the default (on) by itself.
Also note that Windows is pretty slow on such operations, opening and reading lots of files (e.g. a build). It may actually be quicker to set up a virtual machine running Linux for such a thing.
Every now and again I see a '0 viruses found since last scan' message in the notification tray. Maybe check and see if there is anything like that in yours?
Second this. The only annoying thing about it is the number of false positives. When I leave a large build running overnight, it randomly triggers the check and halts the entire build.
I am going to start using this immediately, thank you.
I have long wondered why precisely this isn't built into all the major OS's.
Edit: Although, reading more, I'm not sure I love how the logic works. For instance, it ignores all Apple apps. I understand the logic behind that, but there should be different thresholds: If any process on my machine, Apple or not, rewrites 10GB or more (to choose a somewhat arbitrary amount), I want to know about it ASAP. Otherwise, what if the ransomware finds a way to leverage Apple processes?
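As an added example (not code from the thread or from the tool it discusses), here is the vendor-agnostic per-process write-volume check the comment above asks for: every process is held to the same threshold, first-party or not. The audit records, the 10 GiB threshold and the 600-second window are all constructed or assumed here.

```python
"""Flag any process whose bytes written inside a sliding time window cross a
threshold, regardless of which vendor's binary it is. Input records are a
constructed stand-in for a file-write audit feed."""
from collections import defaultdict, deque

GIB = 1024 ** 3
THRESHOLD_BYTES = 10 * GIB   # the comment's "10GB or more" (arbitrary, as it says)
WINDOW_SECONDS = 600         # assumed window; not from the thread

# Constructed audit records: (timestamp_s, pid, image_path, bytes_written).
# pid 101 is a first-party backup daemon, pid 202 a freshly downloaded binary.
SAMPLE_RECORDS = [
    (0,    101, "/System/Library/CoreServices/backupd", 2 * GIB),
    (60,   101, "/System/Library/CoreServices/backupd", 3 * GIB),
    (90,   202, "/Users/alice/Downloads/unknown_tool", 6 * GIB),
    (120,  202, "/Users/alice/Downloads/unknown_tool", 5 * GIB),
    (150,  303, "/Applications/Photos.app/Contents/MacOS/Photos", 1 * GIB),
    (1000, 101, "/System/Library/CoreServices/backupd", 6 * GIB),  # outside first window
]


def find_heavy_writers(records, threshold=THRESHOLD_BYTES, window=WINDOW_SECONDS):
    """Return {(pid, image): in-window bytes} for every process that reached
    `threshold` bytes written within any `window`-second span.

    Records are walked in time order; each process keeps a deque of its
    in-window writes so old writes fall out of the running total."""
    recent = defaultdict(deque)   # (pid, image) -> deque of (ts, bytes)
    totals = defaultdict(int)     # (pid, image) -> bytes currently in window
    alerts = {}
    for ts, pid, image, nbytes in sorted(records):
        key = (pid, image)
        q = recent[key]
        q.append((ts, nbytes))
        totals[key] += nbytes
        # Evict writes older than the window before judging the total.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[key] -= old
        # No vendor exemption: the path is reported, never used to skip a check.
        if totals[key] >= threshold and key not in alerts:
            alerts[key] = totals[key]
    return alerts


if __name__ == "__main__":
    for (pid, image), nbytes in find_heavy_writers(SAMPLE_RECORDS).items():
        print(f"ALERT pid={pid} image={image} wrote {nbytes / GIB:.1f} GiB in window")
```

Widening the window to cover the backup daemon's third write flags it too, which is the point: the threshold, not the vendor, decides.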
There's no need to monitor Apple's own processes because macOS already does that with "System Integrity Protection", which stops any modification of system files.
A ransomware can technically encrypt all drives, steal passwords from cloud backup software, and destroy it too. Or they can be destroyed by uploading encrypted files. No software can destroy data on a hard drive that's disconnected and unpowered. Only I can.
usually I don't say anything since this usage is so prevalent, and I typically hate being pedantic about grammar, but since this is a journal title:
it is not 'a' software. not here, not there, never.
the construct <category-of-material>-ware is plural. period. therefore there can never be 'a' of them.
it is 'software' or 'a <noun describing unit> of software', e.g. 'a piece of software' or perhaps '<quantifier> software' as in 'some software' 'this software', 'malware removing software', etc. 'a software program', which can be shortened to 'a program', etc, is fine, because the 'a' refers to 'program', which is implicitly in the singular.
this is both non-sense. proscriptive arguments drawn from nothing but your single minded authority have little value in discurs. "a software" (sorry) is quite frequent. fullstop.
Frequency of 'a software' arrived with the growth of non-native speakers on the internet, and is irrelevant to its 'correctness'. Plenty of bad non-native speech patterns are 'frequent'; one can often tell the country of origin of a person from speech irregularities and even adapt a pseudo-dialect which may even improve the ability to communicate with them.
Don't have stats to back it up, but I have been involved in computers from the mid 80s and literally never heard this term until ~99 or so, initially typically in the context of text clearly written by non-native speakers, and then gradually gaining some traction among younger users who think it's 'cool' or 'normative'. I have no doubt that a more formal investigation would line up with this, give or take.
2) It's 'discourse' not 'discurs'. It's also 'nonsense' and not 'non-sense', and also 'full stop'. All of which would imply that the answer to #1 is 'no' - which proves a further point - that idioms and patterns of speech matter to correctness and are quickly seen by native speakers, but are not usually obvious to those who learned the language second hand.
Based on these mistakes, the bizarre 'this is both' introductory phrasing, parenthetical '(sorry)' and the general dry, dismissive tone with a petite je-ne-sais-pas of anti-authoritarian mockery that is just begging for a leading 'pfft', my guess is that you are French. Not really germane to the conversation, but, if correct, it underlines my point about the obviousness of idioms and cultural undertones to native speakers (of any language really).
3) To support 1 and 2: If I am incorrect, which, weighing my thoughts against North American vs British idioms, I'd be happy to be incorrect but am fairly certain I am not, please show me a single usage of 'bakeware', 'cookware', 'hardware' or any other 'ware' where people say 'a <x>' existent in any piece of literature prior to the existence of computers:
I took a bakeware and baked a lasagna: no.
A pan is a bakeware: no.
I washed a cookware and made a salad in it: no.
A bowl is a cookware: no.
Can you hand me a silverware? I need to cut my steak.: no.
A knife is a silverware: no.
I bought a hardware from the hardware store to fix the fence: no.
A hammer is a hardware: no.
And, even in computers, the (incorrect) 'a software' use is inconsistent w/r/t hardware:
I bought a new hardware to run my application: no.
The new iPad is a great new hardware: no.
4) 'A ware' is singular, but also non-specific. X-ware is plural. Whatever this meant in pseudo-proto-Germanic is irrelevant to a discussion of English.
Actually it's an uncountable noun. You use a singular verb form - "the software is" not "the software are." But you can't pluralize it or use an indefinite article.
Same with "code," unless it means "cipher" or "regulation."
I don't understand the title of the article or presentation. It appears to be a quote, and on first glance doesn't seem to be part of the article body itself.
Interesting that despite the huge effort both sides put into fixing/exploiting vulnerabilities, the biggest risk factor seems to be directly downloading random dodgy stuff.
I suspect that this is always going to be the case. There are a lot of people literate enough to operate a computer, but not literate enough to understand the risks they're taking by running something they download off of scammers.ru. Exploiting these people will always be easier than actively circumventing OS-level security.
I was going to say "Desktop apps need permissions like Android apps" that ask your permission to access resources and then was immediately reminded of the "I'm a Mac" commercials mocking Windows for doing exactly that... /Le sigh/...
I used to use this software called Clean Slate that would watch all the changes you made to your computer and undo them when you restarted. Maybe it's time for Grandma to get her own Docker instance.... :-)
Is Steam a big vector? Gamers download hundreds of apps, all get installed as admin. You have to trust every dev of the game and the devs of every library they use. Not just trust that the devs weren't actively trying to be evil, but also that there are no bugs in their networking code (https://momo5502.com/blog/?p=34) nor any bugs in their deserialization code for mods.
I've never heard of something like that happening, and I've been using Steam since day 1.
Trying to find something on Google about that only turns up the usual "Hijacked accounts spreading malware to friends" scheme [0] and vulnerabilities in the client itself [1], but nothing about Steam distributing malware hidden in games.
Which is kinda unexpected, I probably just didn't dig deep enough?
I mean, there's a reason why Microsoft wanted to lock the typical user behind PKI-verified Windows Store apps with extremely limited access to the raw resources of a computer.
The problem is that Apple, Google, and Microsoft want to conflate "tight chains of custody for software distribution" with "we want to be a gatekeeper charging 30 percent on every sale." TBH, the number of dodgy (absurd subscriptions, me-too clones, toxic ads) apps on mobile platforms suggests they aren't even really capable of delivering that promise. If you really want to push your platform as "the place you can trust", especially for nontechnical people, you've got to go beyond signing to actual curation for content and quality.
Conversely, putting a huge financial and certification burden on developers hurts power users and enthusiasts-- how do you bootstrap a new programmer if he has to spend a week generating (and paying for) certificates and learning signing tools before he can emit his first "Hello World?"
Only for a certain group of users, while another group of users is degraded to guests on their own systems while "the cloud" ends up having the actual control.
Not to mention that there is very little motivation given for the quantification of the individual threats. Not having 2fa is apparently 1 point, backing up only every few weeks is 2, .. it almost seems as if these were chosen retroactively to make the curve look the way it does.
From the paper:
> Given the results above, we now present and discuss a proof-of-concept approach to risk assessment to estimate future ransomware infection that is based only on self-reported security habits and past exposure to online scams. The method demonstrates that assessments can, in theory, be made with relatively little information, enabling consumers to estimate their own risk. We stress from the outset, however, that we merely intend to illustrate the general approach; in particular, the strategy we present would need to undergo more rigorous evaluation before it could be responsibly used for risk assessment in the broader population.
> it almost seems as if these were chosen retroactively to make the curve look the way it does.
That's what regression does! And maybe they should've used regression, indeed. Instead, this looks more like an "improper linear model" http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.188.... -- something we see less and less of now that regression models are at our fingertips.
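An added example (not from the paper or the thread) of the distinction the comment draws: a hand-weighted "improper" additive risk score over the survey's kind of features, beside a logistic regression fitted to the same features so that the weights are estimated from data. The respondents, the true risk signal they are generated from, and the point value for scam exposure are all constructed here; the 2FA and backup point values are the ones the earlier comment reads off the paper.

```python
"""Unit-weight ("improper") risk score versus a fitted logistic regression on
constructed survey data. Pure standard library so it runs offline."""
import math
import random

FEATURES = ["no_2fa", "backup_rarely", "past_scam_exposure"]
# Hand-chosen points: 1 and 2 as read from the paper by the comment above;
# the value for past scam exposure is an assumption for this example.
IMPROPER_WEIGHTS = {"no_2fa": 1, "backup_rarely": 2, "past_scam_exposure": 2}


def improper_score(respondent):
    """Sum of hand-picked points: no fitting, so the curve is whatever the
    chosen weights make it."""
    return sum(IMPROPER_WEIGHTS[f] * respondent[f] for f in FEATURES)


def make_survey(n=400, seed=7):
    """Constructed respondents. The hidden truth used to generate infections
    makes past scam exposure the dominant signal, so a data-driven fit should
    recover that ordering even if nobody chose it by hand."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x = {f: rng.random() < 0.4 for f in FEATURES}
        logit = (-2.0 + 0.3 * x["no_2fa"] + 0.5 * x["backup_rarely"]
                 + 2.5 * x["past_scam_exposure"])
        infected = rng.random() < 1 / (1 + math.exp(-logit))
        rows.append((x, infected))
    return rows


def fit_logistic(rows, steps=1500, lr=0.5):
    """Plain batch gradient descent on the logistic loss; returns (weights, bias).
    The weights are learned from the rows rather than assigned."""
    w = {f: 0.0 for f in FEATURES}
    b = 0.0
    n = len(rows)
    for _ in range(steps):
        gw = {f: 0.0 for f in FEATURES}
        gb = 0.0
        for x, y in rows:
            p = 1 / (1 + math.exp(-(b + sum(w[f] * x[f] for f in FEATURES))))
            err = p - y                      # gradient of log-loss w.r.t. logit
            gb += err
            for f in FEATURES:
                gw[f] += err * x[f]
        b -= lr * gb / n
        for f in FEATURES:
            w[f] -= lr * gw[f] / n
    return w, b


def fitted_score(w, b, respondent):
    """Estimated infection probability from the fitted model."""
    return 1 / (1 + math.exp(-(b + sum(w[f] * respondent[f] for f in FEATURES))))
```

Running `fit_logistic(make_survey())` and comparing the learned weights with `IMPROPER_WEIGHTS` shows where the two approaches disagree about which habit matters most.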