UCSF forced to pay more than $1M ransom to perpetrators of malware attack (ktvu.com)
40 points by tlrobinson 14 days ago | 32 comments

Organizations should be legally prevented from being able to pay these ransoms and should instead receive funding to help them recover from the damages. It funds an entire industry that can just grow and grow because it pays off.

There's an easier way that forces them to behave in this manner: poison the well by releasing ransomware en masse, receiving the money, and then not releasing the data.

Once the well is sufficiently poisoned, no victim has an incentive to participate. They don't know if they're paying a defector or a cooperator.

No state can take this action. Any hero who does so will be prosecuted. But if they /dev/null their bitcoin address private key, they can rest easy that what they did was purely selfless.

The ransomware makers can counter that by making their ransomware divide the victim’s data into a very large number of separately encrypted sections, each using a different key. Then instead of trying to sell the victim one key for a million dollars they would offer, say, 100,000 keys at $10 each.

Now it only costs the victim $10 to pick a random section and buy its key. If that works they can pick another and buy its key, and so on until they are confident the seller can be trusted and they can then buy the remaining keys.
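
As an added illustration of the per-chunk scheme in the two comments above (this is not code from the thread, and not a real ransomware cipher: the HMAC-SHA256 keystream and tag are a toy stand-in for an authenticated cipher, and the chunk size, number of chunks and sampling policy are assumptions), the following models both sides: the seller splits the data and seals every chunk under its own key, and the victim buys keys for randomly chosen chunks and verifies each one before spending more. The authentication tag is what makes the spot check meaningful: without it, a wrong key would decrypt to plausible-looking garbage rather than a clear failure.

```python
import hashlib
import hmac
import random
import secrets
from typing import Callable, List, Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 tag appended to every sealed chunk


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, counter) blocks. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_chunk(key: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream, then append a tag so a wrong key is detectable."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_chunk(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Plaintext if the tag verifies under `key`, else None (no silent garbage)."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


def split_and_seal(data: bytes, chunk_size: int) -> Tuple[List[bytes], List[bytes]]:
    """Seller side of the scheme: one fresh random key per chunk, sold separately."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    keys = [secrets.token_bytes(32) for _ in chunks]
    return [seal_chunk(k, c) for k, c in zip(keys, chunks)], keys


def spot_check(sealed: List[bytes], buy_key: Callable[[int], bytes],
               purchases: int, seed: Optional[int] = None) -> Tuple[bool, List[int]]:
    """Victim side: buy `purchases` keys for chunks chosen at random and verify
    each one before spending more. `buy_key(i)` models paying for chunk i and
    getting back whatever the seller sends. Returns (all_verified, chunks_tried)."""
    rng = random.Random(seed)  # seed only makes a run reproducible
    tried: List[int] = []
    for i in rng.sample(range(len(sealed)), purchases):
        tried.append(i)
        if open_chunk(buy_key(i), sealed[i]) is None:
            return False, tried
    return True, tried


def undetected_probability(withheld_fraction: float, purchases: int) -> float:
    """Chance that a seller unable (or unwilling) to decrypt `withheld_fraction`
    of the chunks still passes `purchases` random spot checks: (1 - f) ** n."""
    return (1.0 - withheld_fraction) ** purchases


if __name__ == "__main__":
    data = bytes(range(256)) * 40                     # constructed sample "victim data"
    sealed, keys = split_and_seal(data, 64)
    honest = lambda i: keys[i]
    half = lambda i: keys[i] if i % 2 == 0 else bytes(32)   # seller holding only half the keys
    print("honest seller passes 20 checks:", spot_check(sealed, honest, 20, seed=1)[0])
    print("seller with half the keys passes:", spot_check(sealed, half, 20, seed=1)[0])
    print("P(undetected | withholds 5%, 20 checks) =", round(undetected_probability(0.05, 20), 3))
```

Note what the check does and does not establish: `undetected_probability` bounds the share of keys a seller simply does not have, because the seller cannot predict which chunks will be sampled. It says nothing about a seller who holds every key and stops cooperating after some number of purchases; that defection is about time, not about which chunk is asked for, so random sampling cannot detect it in advance.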

Oh, that's a clever counter. Is it possible to think of a way to circumvent that?

Perhaps it is sufficient to simply ransomware the data in the first place and then refuse to give it back. Any measure that makes the victim immune to that will make them immune to the true ransomware folks as well.

Practically, this is how all these ransomwares work in big organisations...

It's usually ~$1000 per machine. Sometimes more for machines with big disks or depending on which Active Directory groups they're in.

That tells you that UCSF paid for data recovery on 1000+ machines probably...

Is there a volume discount for Enterprise customers?

Yes. It was $1M after the volume discount.

Perhaps, but fakers can do that too. Also I expect that the actual effective cost of the individual keys - especially the first - would be more than $10.

Let them unlock until they hit half point, but leave the rest unlockable.

It should be possible for ransomware groups to then just start sending signed messages, proving that a given attack was by them.

That way, they could build up a sort of "reputation".

Most companies probably wouldn't want to give credit to the ransomware group. I don't think signed messages of criminal organizations would make people trust them.

> Organizations should be legally prevented from being able to pay these ransoms and should instead receive funding to help them recover from the damages

Isn’t a simpler solution insurance? The insurance company becomes a specialist in pricing and reducing this risk. And the malware writers become, in effect, ersatz pen testers.

Like a ban, you’re reducing the incidence rate. Unlike the ban, you’re extracting a public good from the ransomers’ work in the form of better infosec.

Right now a lot of hacked organizations may just say "it's not worth the payout", but if they are already paying insurance then of course they are going to tell the insurance company it's important and ask for the ransom to be paid.

I think the bright spot of the ban would be that if it was legally enforced then all hackers would see this and quickly realize it wasn't worth the risk.

(Not sure if I'm for this 100% - but I think it is worth considering)

> if they are already paying insurance then of course they are going to tell the insurance company its important and ask for the ransom to be paid

Interesting point. If this kind of insurance became widespread, that would be great news for the attackers.

Insurance companies still have a lot of trouble pricing and selling cyber insurance. Ransomware is a bit of an outlier here, being the most popular category of cyber insurance and all, but it seems to still be difficult for insurers to price their premiums.

It's mostly because there aren't a lot of good measurements for assessing how likely a company is to get hacked / hit by RW (I'm not a believer in infosec through Q&A / self-assessment).

These are of course growing pains and especially for SMB some form of insurance + cybersecurity tooling basics will be the dominating approach to managing cyber risk.

Software purchasers in a lot of enterprise IT are contractually and legally required to carry such insurance in the US. The problem is that the organizations usually impacted are similar to people refusing to pay for car insurance: ones that keep trying to skimp on security so much for legit budgetary reasons (small town police departments come to mind), or because they are institutionally so incompetent and covering it up (Equifax) that auditors and actuaries would have trouble pricing their insurance correctly.

> Like a ban, you’re reducing the incidence rate.

How does buying an insurance policy reduce the incidence of ransomware?

The insurance policy would be tied to following some (infosec) best practices. In the best of all worlds, insurers would then check on their customers to make sure best practices are followed, in the same way that we follow best practices for avoiding fires in terms of building construction and not having flammable materials lying around too much.

A major University not keeping backups of information worth $1M+ is grossly negligent. It's not like this is a private individual with a desktop (who of course should also have backups, but could be forgiven for not knowing that). I'm sure UCSF has a whole IT department; how could they allow this information to not be backed up to cold or offsite storage?

Not to defend anyone, but knowing universities as I do, the data in question were perhaps in the hands of a bunch of postdocs, and not subject to any centralized protocols.

It said it was servers that were compromised though, right? So you'd think there should be backups of the servers' data drives. I could understand if it were just people's desktops that they're not supposed to be storing sensitive stuff on anyway.

Assuming this is medical data collected as part of UCSF's research (which seems to be implied by the article), doesn't it become worthless once you know malicious actors could have edited it? In other words, the chain of custody was broken, so how can we trust the resulting papers?

I realize the perps say they just encrypted it, but if someone has root access to your computer, they can do whatever the hell they please.

Why would it be worthless? No medical trial gives you absolute proof of its results, it just increases your confidence the drug is safe or effective. It's vanishingly unlikely that a ransomware attack was actually targeted to get a new drug approved.

Now, it might be good to insist on a rigorous chain of custody or you'll reject the results, in order to better incentivize security. That's an approach that has parallels in criminal justice: in the US it's (in theory) not good enough for a cop to produce incontrovertible evidence you committed a certain crime, he also has to have come by that evidence lawfully. But if it was going to save my life, I'd rather see a new drug approved in a timely manner rather than get held back on a technicality.

One could take this line of thinking arbitrarily far. For example - how are you supposed to trust that authors of any paper, anywhere, always had authenticated, authorized, and controlled access to their integrity-checked data at all times during the entire span of their research?

The people I know who work with medical data do indeed follow protocols like this, involving for example hardware security tokens and encrypted, physically secured private servers. Though, I believe this is more to protect patient privacy than the data itself.

More generally, I'm happy to presume (as long as the data is password-protected, say) that scientific data that hasn't obviously been vandalized is trustworthy. However, in this case we have positive evidence of tampering, and therefore a good reason to be skeptical.

I clearly know different people... The people I know have all their important data in "Copy of Copy of Copy of Datav2 - FINAL.xlsx" saved in an email from a PhD student.

Do people perceive this to be more cost effective than backing up data?

What is the total cost in terms of down-time, failing audits, disclosing to customers and employees that control of their data has been lost? Would that loss be greater than a backup solution? Has it become taboo in 2020 to do backups that can't be tainted by attackers or dodgy automation? It was not a problem 20 years ago. What changed?

If it's cost, even a low end gluster cluster [0] or Ceph with an archive read-only share that has rsnapshot [1] diffs for 5 days would mitigate this, assuming you know within 2 or 3 days to sound the alarm. Rsnapshot would run on the server. People would just see multiple folders with the last 5 days of changes. The snapshots would not be writable by employees or malware. To further reduce cost, perhaps de-duplicate data with ZFS or VDO [2]. Everything mentioned here is open source and has multiple enterprise supported options that your engineering and IT staff are likely already aware of. If not, there are plenty of documents on integrating gluster into Active Directory.

[0] - https://www.gluster.org/community/

[1] - https://github.com/rsnapshot/rsnapshot

[2] - https://blog.delouw.ch/2018/12/17/using-data-deduplication-a...
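
The following is an added miniature of the rsnapshot-style arrangement in the comment above, and it also serves the earlier exchange about whether data that an intruder could have edited can still be trusted: it is not code from the thread nor rsnapshot's own code, and the directory names (`daily.0` .. `daily.4`), the five-day retention, the SHA-256 manifest and the sample files are all assumptions. Each run pulls a copy of the share into a fresh `daily.0`, rotates yesterday's copies up one slot, hard-links files that did not change (so an extra day costs only the diff), marks the tree read-only, and returns a hash manifest. Comparing a snapshot against a manifest kept out of the attacker's reach is what turns "someone had root on that box" into a concrete list of what did and did not change.

```python
import filecmp
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Optional

RETAIN = 5  # assumption: five daily snapshots, as in the comment above


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def _chmod_tree(top: str, dir_mode: int, file_mode: Optional[int] = None) -> None:
    """Set permissions on a snapshot tree (files optional: hard links share them)."""
    for root, dirs, files in os.walk(top):
        for d in dirs:
            os.chmod(os.path.join(root, d), dir_mode)
        for f in (files if file_mode is not None else ()):
            os.chmod(os.path.join(root, f), file_mode)
    os.chmod(top, dir_mode)


def take_snapshot(source: str, archive: str, retain: int = RETAIN) -> Dict[str, str]:
    """Drop the oldest slot, shift daily.n -> daily.n+1, then pull a new daily.0.
    Files identical to daily.1 are hard-linked rather than copied. Returns a
    {relative_path: sha256} manifest to keep where the source host cannot write."""
    os.makedirs(archive, exist_ok=True)
    oldest = os.path.join(archive, f"daily.{retain - 1}")
    if os.path.isdir(oldest):
        _chmod_tree(oldest, 0o755)  # directories must be writable to unlink entries
        shutil.rmtree(oldest)
    for n in range(retain - 2, -1, -1):
        old = os.path.join(archive, f"daily.{n}")
        if os.path.isdir(old):
            os.rename(old, os.path.join(archive, f"daily.{n + 1}"))
    newest, previous = os.path.join(archive, "daily.0"), os.path.join(archive, "daily.1")
    manifest: Dict[str, str] = {}
    for root, _dirs, files in os.walk(source):
        rel_root = os.path.relpath(root, source)
        os.makedirs(os.path.normpath(os.path.join(newest, rel_root)), exist_ok=True)
        for name in files:
            rel = os.path.normpath(os.path.join(rel_root, name))
            src, dst, prev = (os.path.join(b, rel) for b in (source, newest, previous))
            manifest[rel] = _sha256(src)
            if os.path.isfile(prev) and filecmp.cmp(src, prev, shallow=False):
                os.link(prev, dst)      # unchanged since yesterday: share the inode
            else:
                shutil.copy2(src, dst)  # new or changed: this is the day's diff
    # The real control is that clients only ever see a read-only export of the
    # archive; locally that is approximated with read-only permissions (POSIX).
    _chmod_tree(newest, 0o555, 0o444)
    return manifest


def verify_snapshot(archive: str, n: int, manifest: Dict[str, str]) -> List[str]:
    """Paths in daily.n whose content no longer matches the manifest: positive
    evidence that this copy cannot be trusted as-is."""
    base = os.path.join(archive, f"daily.{n}")
    bad = [rel for rel, digest in manifest.items()
           if not os.path.isfile(os.path.join(base, rel))
           or _sha256(os.path.join(base, rel)) != digest]
    return sorted(bad)


def demo() -> dict:
    """Constructed two-day scenario: snapshot, then the share is 'encrypted'
    (one file overwritten with junk), then a second snapshot."""
    work = tempfile.mkdtemp(prefix="snapdemo-")
    source, archive = os.path.join(work, "share"), os.path.join(work, "archive")
    os.makedirs(os.path.join(source, "lab"))
    files = {"lab/results.csv": b"sample,value\nA,1.0\nB,0.7\n",
             "lab/notes.txt": b"control cohort\n"}   # constructed sample data
    for rel, content in files.items():
        with open(os.path.join(source, rel), "wb") as f:
            f.write(content)
    day1 = take_snapshot(source, archive)
    with open(os.path.join(source, "lab/results.csv"), "wb") as f:
        f.write(b"\x00ENCRYPTED\x00")            # the attack, as seen from the share
    take_snapshot(source, archive)
    d0, d1 = os.path.join(archive, "daily.0"), os.path.join(archive, "daily.1")
    with open(os.path.join(d1, "lab/results.csv"), "rb") as f:
        day1_intact = f.read() == files["lab/results.csv"]
    result = {
        "day1_intact": day1_intact,
        "notes_shared_inode": os.stat(os.path.join(d0, "lab/notes.txt")).st_ino
        == os.stat(os.path.join(d1, "lab/notes.txt")).st_ino,
        "tampered_in_daily0": verify_snapshot(archive, 0, day1),
        "tampered_in_daily1": verify_snapshot(archive, 1, day1),
        "snapshot_file_mode": oct(os.stat(os.path.join(d1, "lab/results.csv")).st_mode & 0o777),
    }
    _chmod_tree(archive, 0o755, 0o644)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of pulling from the snapshot host rather than pushing from the clients is that nothing on the compromised side holds credentials that can write to the archive; the read-only permissions in the toy only stand in for that. The manifest does the second job: after an intrusion, verifying the oldest clean snapshot against a manifest stored elsewhere answers "what changed" with a list rather than a guess.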

This is quite surprising. I feel like often the victims of ransomware do not pay the thieves. Are there other high-profile examples of paying the perpetrators?

My university paid when they got hacked. I think it’s more common than is reported

The hospital system I worked at (in NJ) got ransomwared. It caused systems to go down for days.

An administrator told me the payout was something like $20M. (It was a very large hospital system.)

Sometimes even paying third-party security contractors to solve your ransomware problem instead of negotiating with ransomware authors might be paying ransom.
