In the case of state or public institutions like this, would it be advisable for legislatures to make it illegal for state entities to pay ransoms, and then very publicly announce these laws? I.e. can/should we make credible, public commitments in advance to not pay ransom, or to remove that choice from the organization-level administrators? Would this make these organizations less appealing targets?
"Sorry, we are not authorized to pay you any ransom due to SB-XYZ. If you can get several hundred thousand signatures from CA residents to petition for a referendum to overturn this law, we may be able to pay you a ransom after ... well not the upcoming election but maybe the one after that."
In early years, this generally led to better outcomes for European citizens, but as time wore on, it's come to a point where the terrorists actively avoid kidnapping Americans and prefer Europeans. Assuming these types of hacks are explicitly targeted, I imagine we'd see a similar dynamic play out.
And these are just _some_ of the terrestrial missions, to say nothing of air operations.
France's Army is small, but it does most of Europe's fighting, and is generally regarded as accomplishing a lot with very little.
Edit: You might appreciate this mini-documentary about operation Serval. It's in English.
You can have all the laws you want in words on paper, but if they're not enforced, for all practical purposes, they don't exist.
The people who enforce the FCPA must be understaffed or undermotivated or underfunded because I've worked for several companies that regularly paid bribes as part of doing business.
One example: I worked for a large media company that would send TV crews to cover stories in Mexico on a fairly regular basis. Almost every time the crews tried to return to the United States, the Mexican border personnel would seize their very expensive gear. The only way to get it back was to pay a bribe.
This was so common that everyone was told to just mark it down on their expense reports as "Airport tax." I only found out about it when I started asking why I kept seeing "Airport tax" on expense reports for trips I knew were done in cars.
The law is about bribes for "obtaining or retaining business". It's one thing if you were paying a bribe to say, a local minister to get exclusive access to some sort of scene...
But low-level crooks pretty much sticking you up and you try to buy your stuff back from them under the guise of "government business" is not the kind of thing FCPA is about. It's for concerted attempts to pay off foreign officials to strengthen your business.
Which surely still happen, but not in the manner you're describing. FCPA violations wouldn't be the sort of thing that "everyone" is told about.
“We didn’t hand duffel bags of money to the perpetrator group’s courier, we hired a professional external individual security consultant to handle the situation”
By very loose analogy, either when playing chicken, or when you and a person walking towards you both repeatedly veer in the same direction to avoid collision, one tactic is to very conspicuously cover your eyes. The other person can then see that you will not re-correct based on their behavior. Though I know this option exists, I have never successfully used it. It's always difficult to truly intentionally commit to limit your options to respond to future circumstance.
Same concept applies, and in my experience it seems to work. Though this was before the era of phones (and people not looking where they're going regardless).
If it is a legal requirement of my job to do the right thing, I'm gonna do the right thing.
If you want to stop the hackers, make it a Federal crime to pay anyone. In that environment, there would be no circumventing the restriction at all.
That means that money laundering laws are up against a dedicated adversary with resources, while laws preventing ransoms... not so much.
Of course, with cyber insurance, incentives for the insurer may lean towards dedicated circumvention.
If ransoms weren't being paid, criminals would find other ways to monetize the data. "Honest" ransomware is actually good for the public in the sense that should the ransom be paid, the data is indeed destroyed by the gang. Make ransoms impossible and they will start selling the data or monetizing it in other ways (identity theft, card fraud, etc), at the expense of the public.
Given that we can't eradicate this kind of crime entirely by improving security, I think ransomware is the least bad option in the sense that it punishes the offending company while minimizing the risk of the data being leaked which would hurt the data subjects themselves (the public).
There is nothing to guarantee that attackers will destroy the data and not further exploit it even if you pay them. Improved security isn't going to fix the problem, but we can make it less profitable and make that profit more difficult. If our policy is to pay we're just making it highly profitable with very little effort on the part of the attackers. If we refuse to pay, they will have to pore over our data looking for what may or may not be valuable to anyone, spend time searching for those people who might pay them for it, and then spend time convincing them to pay enough to justify their time/efforts.
We should be refusing to pay and making sure we've got backups of our own stuff so that we'll never have to.
Their business model relies on them being honest. If they don't follow through on their promise of destroying the data they'll kill the ransomware market entirely. So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.
Truthful at least, "honest" isn't a word I'd use for these types.
> So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.
The point is that you wouldn't. They can't publish the data or publicize its sale, but (if they were willing to invest the time) they could still sell it privately, or use it themselves to further attack/exploit you without you ever being able to trace anything back to them directly. They could wait months or years if they wanted and still find value in it (bait for use in spear-phishing for example).
See... the issue I see with making it illegal for state entities to pay ransoms is that you tie the hands of the victim without any guarantees that law enforcement will help, and help in a timely manner. I see this as a lose-lose situation.
Hackers can target state entities for other reasons, but no rational hacker would do it for the ransom, since there won't be any ransom paid.
The FBI can simply say "We'll never catch the hackers, but if you pay them you'll go to jail". It accomplishes the same goal of reducing the reward for hacking to zero.
Just because they can't get a ransom doesn't mean the data isn't valuable, as they can still sell it on the black market to carders and other gangs.
It's very ignorant to think that just because you cut off one area of revenue for these gangs the problems will stop.
Shotgun attacks aren't discouraged if some X% of their targets can't/won't pay the ransom.
Smart attackers do extensive research on their targets before performing the attack.
Similarly, I can appreciate the logic in making American companies less likely to be targeted by ransom hackers, even if it means some companies are hit harder in the short term.
That's how governments operate. Every time a government "sneezes" it harms some companies and benefits others.
Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?
I don't think it will have any effect on privacy. The hackers say they will delete the data, but how can you trust them?
Then again you have people who do it just for the lulz (err...meows?) -> https://news.ycombinator.com/item?id=23957510
We've banned voluntary actions with externalities in the past.
>Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?
You only have the criminal's word to stand on when they claim to delete data. It's far too easy to simply hang on to the troves of collected data and wait for a rainy day.
I believe this is discussed in Schelling's book "Strategy of Conflict", which I've never read but has been much discussed online. Indeed the article I've linked specifically mentions this case.
Whether or not trusting the judgement of administrators over the judgement of law enforcement is the best way to handle these situations is an open question.
I'm not sure I trust public university administrators to do much beyond stimulate the local construction economy and wider investment banking industry.
Edit: Also https://news.ycombinator.com/item?id=12870150
Would it be moral/societally good to write and distribute this software? If it became prevalent enough, it would damage the ransomware model as people would be much less likely to pay if they thought there was a significant chance of payment not fixing their issue.
Another option is: forbid bitcoin and other cryptocurrencies.
Greyhat is even a bit of a stretch. It's like Dr. Doom. He has good motives but he's still the bad guy.
Who do you prosecute?
Would you close the University to huge harm to the students and researchers?
Never understood the power of anonymity...
You would charge the people who recorded the outcome of the vote and did the killing with murder, and you would charge everyone who participated in the vote while knowing one of the outcomes was illegal with conspiracy and failure to report.
And discussion from years back when they outsourced all of their IT:
Would gangs still try to extort people? Of course. But large institutions would no longer be a target, because their internal controls would prevent the payment of extortion fees. Small organizations might still pay fees, but the potential take for gangs would be reduced remarkably.
> Despite the U.S. no-concessions policy, U.S. citizens continue to top the list of nationalities kidnapped by terrorists. This may be explained by the prominent role and perceived influence of the United States and the ubiquity of U.S. citizens around the world. Nationals of the United Kingdom, which also has a no-concessions policy, are second on the list.
> While a no-concessions policy may not deter kidnappings, it may affect the treatment of hostages in captivity and determine their ultimate fate. According to a 2015 study published by West Point, Americans held hostage by jihadist groups are nearly four times as likely to be murdered as other Western hostages (Loertscher and Milton, 2015). The no-concessions policy may be only part of the reason. Another factor would be the jihadists’ intense hostility toward the United States.
> While the U.S. no-concessions policy has not deterred kidnappings, there is some evidence that political concessions and ransom payments appear to encourage further kidnappings and escalating demands.
> And although it did not produce any demonstrable decline in kidnappings of U.S. citizens, a 2016 study published in the European Journal of Political Economy argues that, without the no-concessions policy, there would have been even more kidnappings of U.S. nationals (Brandt, George, and Sandler, 2016).
My take: Arguably, part of the reason the policy has not been successful in preventing kidnappings is that most of Europe does pay ransoms, and Europeans versus Americans are not always easily distinguishable. Even if the policy hasn't directly stopped kidnappings, it probably has stopped them indirectly, by avoiding funding kidnapping organizations. Europe has spent hundreds of millions of dollars in ransoms to terrorist organizations, and Qatar allegedly paid close to a billion dollars in ransom. This has to fund further efforts.
The major ransomware operations are targeted and the hackers do research the victims. They use spear phishing, so they need to know their victim. Unless the ban is universal and consistent so that hackers can modify their behaviour before they hack a target, there is no point in doing it. The US treasury announcement about not paying ransoms is just such a pointless terrible idea.
Irrespective of laws, what does the extortionist have to lose? There's always a chance the victim will pay up under the table.
As long as even one victim will pay, then there is no incentive to stop hacking.
This dynamic is covered in the literature on K&R. https://rusi.org/publication/occasional-papers/closing-gap-a...
So, that "anonymous tip-off" was obviously from the hackers, right? I guess the other option is a "whistleblower" at UCSF (would anyone else know about it?), but the hackers have a lot to benefit from everyone knowing about it, so next victim thinks "Gee, respected institutions like UCSF are willing to pay the ransom and didn't have the capability to recover otherwise, we should probably just pay the ransom too".
So we already know the university was not being transparent and open about it. When I say "whistleblower", I mean someone who secretly gave the BBC the info and remains secret because they weren't supposed to and would be disciplined at work for it.
The university has PLENTY of incentive to obscure facts here, because the official line is that it's immoral to pay hackers like this (it encourages future hacks, law enforcement says not to do it), and because it reveals them as having made IT mistakes that led to a ransomware takeover where they decided their best/cheapest recovery option was to pay up (instead of restoring from backups etc). It does not make them look good to have paid up, that's plenty of incentive to not want the BBC to report it.
Also, having spent many years working for universities, I think it's kind of cute that you think they "have to operate in a transparent manner." Would that it were true.
They got hacked, it makes them look incompetent. People might call for some of the staff to be fired for not having security or backups.
Prospective students, research participants, etc. might hesitate to go to UCSF if their data's going to be exposed.
Also, they paid the ransom. Funding sources from alumni to state legislatures might hesitate to give more dollars, if the university's using its money to pay off extortionists as opposed to improving education or lowering tuition.
The university has lots of reasons to hide what happened.
I'm not saying you can't get away with this (there are coin "mixers" and decentralized exchanges) but still, this leaves lots of traces left and right.
For example, we saw a lot of people getting busted recently while they thought they were smart using cryptocurrencies, including a money laundering ring... And they were using mixers, decentralized exchanges, people located over several countries/continents and whatnot, if I recall correctly. Yet: all busted.
For all we know, in six months the headline could be: "Hackers who extorted 1.14M USD from UCSF arrested by Interpol"
Besides that: what happened to offline backups? How exactly are hackers coming for cloned, unplugged, HDDs/SSDs stored on shelves / bank safes? (I know several companies doing just that as offline backups)
I hope this serves as a wake up call to companies/institutions either not doing backup properly or outsourcing to incompetent companies not doing backups properly (the latter being not really excusable).
I imagine they chose Bitcoin because it's the most liquid - they can just tell their victims to go to Coinbase or any cryptocurrency exchange to acquire it. If they ask for Zcash, the options are a lot more slim.
I've heard, though I have no way to verify this, that some ransomware gets installed and just writes copies of itself for a while before really activating. The copies get backed up, and if you restore from backup you restore them and they get activated.
The negotiations here were similar to the ones CWT had, albeit a little less courteous: https://www.reuters.com/article/us-cyber-cwt-ransom/payment-...
I wonder if these will reduce these kind of payments in the future, which seemed to really be ramping up.
We have a basic network filestore at Fastmail, it's not even a key part of our offering, but it stores up to 30 old copies and if you keep overwriting it does exponential backoff so you have the oldest copy in the past 2 weeks, plus one from a week ago, plus one from 3 days ago, etc up until a bunch of very recent copies. Ransomware would have to be running for 2 weeks to wipe out all the original files - and during that time the massive increase in disk usage would alert operations to something going on!
Likewise our email server software does integrity checks during replication between machines and won't perma-delete anything for a week after it gets expunged - and message content is immutable after writing, so changing anything is creating a new record and expunging the old one.
It costs extra space - but being safe against a client virus like this encrypting all the data on network shares isn't rocket science, and the network filesystem vendors who don't default to data safety are as much to blame as anybody for this still being a problem in $CURRENT_YEAR.
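The retention scheme described in the comment above (at most 30 old copies per file, thinned with exponential backoff so one copy from about two weeks back survives, one from a week back, and so on) can be simulated in a few lines. This is an added example, not Fastmail's code; it assumes whole-file versions, pruning after every write, and ages measured in hours. The point it makes concrete is the last sentence of the comment: an hourly overwrite that runs for ten days still leaves the original, while one that runs past the two-week horizon does not.

```python
"""Exponential-backoff version retention, simulated against a hostile overwriter.

Added illustration (not Fastmail's implementation).  Assumptions: one version
per write, pruning runs after every write, ages are in hours.
"""
from __future__ import annotations

HORIZON_H = 14 * 24   # nothing older than two weeks is retained
MAX_COPIES = 30       # at most 30 old copies of a file


def choose_kept(write_times: list[float], now: float,
                horizon_h: float = HORIZON_H,
                max_copies: int = MAX_COPIES) -> list[float]:
    """Return the subset of write_times to keep.

    Age buckets halve from the horizon downwards: (7d,14d], (3.5d,7d],
    (42h,84h], ... down to about an hour.  The oldest version inside each
    bucket is always kept, so the oldest surviving copy can only disappear by
    ageing past the horizon, never by being overwritten.  Remaining slots go
    to the newest versions.  Assumes max_copies >= number of buckets (9 here).
    """
    live = sorted((t for t in write_times if 0 <= now - t <= horizon_h),
                  reverse=True)                  # newest first
    kept: set[float] = set()
    upper = horizon_h
    while upper >= 1.0:
        lower = upper / 2
        in_bucket = [t for t in live if lower < now - t <= upper]
        if in_bucket:
            kept.add(min(in_bucket))             # smallest write time = oldest
        upper = lower
    for t in live:                               # fill with the newest versions
        if len(kept) >= max_copies:
            break
        kept.add(t)
    return sorted(kept)


def simulate_overwrite(attack_start_h: float, attack_hours: int) -> dict:
    """Original file written at t=0; from attack_start_h an attacker rewrites it
    every hour for attack_hours hours.  Pruning runs after each write."""
    versions = [0.0]
    now = 0.0
    for i in range(attack_hours + 1):
        now = attack_start_h + i
        versions.append(now)
        versions = choose_kept(versions, now)
    return {
        "clean_copy_survives": 0.0 in versions,    # is the pre-attack copy still there?
        "copies_on_disk": len(versions),           # the disk-usage signal ops would see
        "oldest_age_h": now - min(versions),
    }


if __name__ == "__main__":
    print("10-day attack :", simulate_overwrite(72.0, 10 * 24))
    print("15-day attack :", simulate_overwrite(72.0, 15 * 24))
```

The second scenario is the failure mode the comment names: once the attacker has been rewriting for longer than the horizon, every retained copy is post-attack, so the horizon has to be longer than the time it takes someone to notice the version count (and disk usage) climbing.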
Regardless of the damage, I'd just take the bullet, fix my security, and not pay. Be consistent in this, and keep it up for a while. Long term: no more extortion for anyone.
It's irrational to "bite the bullet" if the damage is significantly greater than the ransom.
Sure, it's better in the long term, but not for the person/organization being ransomed.
It's not irrational. It's called doing the right thing.
That's called being selfish. One would expect an institution like UCSF to act for the benefit of all of society and not like a six-year-old grabbing all the Easter eggs at the hunt and saying, "I got mine!"
I am sure you would agree that gender-based abortion, deforestation, and infinite copyright periods could be seen as "rational" to people in certain societies and certain economic situations. It doesn't mean that we should let such actions go without comment.
Doing the right thing isn't always rational from a direct comparison of objective metrics.
It can take a lot money (well spent, so that's fine) and time (which can be devastating) to recover the compromised system.
Hypothetically, the fees won't be as astronomical as in UCSF's case, but the importance of the data being held in ransom will still be the same. Should they take the risk of getting their financial/healthcare/IT data uploaded to the public if they don't pay the fee?
At least then it makes a useful service for the public, also clears doubts on its crypto capabilities.
If that ransomware uses something like flash for persistence, why not ask some jury to force hardware manufacturers to stop enabling worse and worse viruses? Floppies, CD autoplay, USB, FireWire, Thunderbolt, 5G networking: everything exploitable right from the factory.
Why do you think there are so many "increase your sales" products and so very few "backup" products?
Write insurance policies to major companies. But as a pre-condition for getting under-written you have to submit to periodic security review by legit security pros. Failure to adhere to security recommendations means your policy gets dropped.
Really all these audits do is validate your security. If they find something at a price point then you are probably vulnerable at that price point. Think of it like a live-fire test of a bulletproof vest against a gun. If a bullet goes through then you probably can not protect against that. If it does not go through, you still can not be certain that it actually does provide comprehensive defense against that gun and bullet, but it is at least not totally ineffective. In the current state of the industry, any competent audit will find multiple critical vulnerabilities at these price points. It is like shooting an airsoft pellet at a "bulletproof vest" and seeing it pierce through. It is so fundamentally flawed that testing against a real gun (better offensive specialist) is kind of meaningless since to actually solve the problems you already need to completely redesign everything. Unfortunately, most companies who get such audits done think the takeaway is that the places the airsoft pellet went through must be the only problems, so if they just patch them up then everything else must be good because nothing pierced those other pieces instead of realizing that observable quality defects in one place probably means there are many unobserved quality defects in other places.
Security is an org problem as much as a tech problem. Trying to estimate likely security risks caused by orgs is... complicated. You would blow your margin in assessment costs alone.
Besides, can you imagine a board asking the CEO why they're buying insurance with the infosec budget instead of, y'know, ensuring infosec?
The NSA is recording every byte of data crossing our borders, and also much internal traffic, and they are unable or unwilling to track down these perpetrators?
Also, assuming the NSA has a copy of every byte of network data ever sent through the USA, that's a LOT of data. Processing that takes time.
I hate comments like this. It seems quite prevalent in the software dev field to constantly shit on other developers while having 0 information about what the source of the issue was.
And reading the poor spelling and grammar in the negotiations makes me wonder if that’s somehow related.
I don't think we can assume that the IT outsourcing directly affected their vulnerability to this attack.
EDIT: The CIO or whatever the title is makes $460K per year so they should for sure know to have and be responsible for proper backup/restore functionality.
dd if=/dev/random of=/dev/sda
Specifically for an institution like a medical facility or financial institutions, there are hardened appliances; sometimes referred to as vaulting appliances, that enforce anti-tampering to the point that the system administrators can't even delete data. You set a policy that requires multiple specific people using MFA to authenticate and authorize the deletion transaction. These are not cheap, but it's a lot cheaper than paying out a ransom and the down-time of rebuilding everything and the loss of reputation and loss of trust by board members and investors. These appliances have the bonus of enforcing many of your audit requirements around data retention and destruction.
To your example though, yes, it's not fun to manage fleet-wide, but you can boot up both Windows and Linux into RAM and have network filesystem overlays that patient data could be written to. The SAN/NAS/Ceph clusters can then do backups locally and have anti-tampering in place. This is non-trivial to set up correctly. That would be more resilient than depending on backups, but is much more work up front. For Windows, look into Windows 10 LTSC. It can operate in a Kiosk mode and boot into memory or have hardened security options to minimize attack surface. Most Linux distributions can do this as well. Ceph can do both transport and filesystem encryption now. I will leave out the Linux examples as I doubt this is where these institutions are getting into trouble.
 - https://docs.microsoft.com/en-us/windows/whats-new/ltsc/what...
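The control the comment above describes for vaulting appliances (nobody, administrators included, can delete within the retention period, and afterwards deletion needs several named people each authenticating with MFA) is easier to reason about as code than as a feature list. The following is an added software model of that control logic, not any vendor's firmware; the approver names, secrets, object name and timestamps are all constructed for the example, and MFA is modelled as RFC 6238 TOTP, checked against a three-step skew window.

```python
"""Retention-locked backup vault with quorum-approved, MFA-gated deletion.

Added illustration, not a vendor's product code.  Assumptions (mine, not from
the thread): objects are write-once, every object carries a retention date
that nobody can shorten, and deletion after that date needs a quorum of
distinct named approvers, each proving possession of a TOTP secret.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

DAY = 86_400


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the variant most authenticator apps use)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


@dataclass
class Approval:
    approver: str
    code: str                 # the TOTP code the approver typed


@dataclass
class StoredObject:
    payload: bytes
    retain_until: int         # unix time; never moved earlier once set


@dataclass
class Vault:
    approver_secrets: dict    # approver name -> TOTP secret (bytes)
    quorum: int
    objects: dict = field(default_factory=dict)

    def store(self, name: str, payload: bytes, now: int, retain_days: int) -> None:
        # Write-once: an existing object cannot be overwritten, so an encryptor
        # running on a client cannot replace a good backup with ciphertext.
        if name in self.objects:
            raise PermissionError(f"{name!r} already exists; objects are immutable")
        self.objects[name] = StoredObject(payload, now + retain_days * DAY)

    def read(self, name: str) -> bytes:
        return self.objects[name].payload

    def _code_valid(self, approver: str, code: str, now: int) -> bool:
        secret = self.approver_secrets.get(approver)
        if secret is None:
            return False                         # not an authorized approver
        # Accept the current 30 s step and one on either side for clock skew.
        return any(hmac.compare_digest(totp(secret, now + d), code)
                   for d in (-30, 0, 30))

    def delete(self, name: str, approvals: list, now: int) -> tuple:
        """Return (deleted, reason); every refusal names the control that fired."""
        obj = self.objects.get(name)
        if obj is None:
            return False, "no such object"
        if now < obj.retain_until:
            # Checked before any credential: no quorum, admin role or stolen
            # account can shorten the lock.
            return False, "retention lock in force"
        verified = set()
        for a in approvals:
            if a.approver not in verified and self._code_valid(a.approver, a.code, now):
                verified.add(a.approver)         # one person counts once
        if len(verified) < self.quorum:
            return False, f"{len(verified)} valid approvals, need {self.quorum}"
        del self.objects[name]
        return True, "deleted"


def demo() -> dict:
    """Walk the controls with a constructed two-of-three approver set."""
    secrets = {"alice": b"alice-totp-secret", "bob": b"bob-totp-secret",
               "carol": b"carol-totp-secret"}
    v = Vault(approver_secrets=secrets, quorum=2)
    t0 = 1_700_000_000                           # constructed fixed clock
    v.store("ehr-backup", b"patient records (constructed)", now=t0, retain_days=30)

    def ok(who: str, t: int) -> Approval:        # a live code from a real approver
        return Approval(who, totp(secrets[who], t))

    results = {}
    t1 = t0 + 1 * DAY
    try:                                          # ransomware trying to overwrite
        v.store("ehr-backup", b"ciphertext", now=t1, retain_days=0)
        results["overwrite"] = "allowed"
    except PermissionError:
        results["overwrite"] = "refused"
    results["early"] = v.delete("ehr-backup", [ok("alice", t1), ok("bob", t1)], now=t1)
    t2 = t0 + 31 * DAY
    results["single"] = v.delete("ehr-backup", [ok("alice", t2)], now=t2)
    results["duplicate"] = v.delete("ehr-backup", [ok("alice", t2), ok("alice", t2)], now=t2)
    results["outsider"] = v.delete("ehr-backup", [ok("alice", t2), Approval("mallory", totp(b"m", t2))], now=t2)
    results["replayed"] = v.delete("ehr-backup", [ok("alice", t2), Approval("bob", totp(secrets["bob"], t2 - 600))], now=t2)
    results["quorum"] = v.delete("ehr-backup", [ok("alice", t2), ok("bob", t2)], now=t2)
    return results


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k:10s} {val}")
```

The ordering in `delete` is the part worth copying: the retention check runs before any credential is examined, so compromising every approver at once still cannot delete a backup early, which is the property that makes this cheaper than a ransom.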