Why the ransomware crisis suddenly feels so relentless (technologyreview.com)
61 points by MindGods 7 months ago | 69 comments

Imagine the knowledge of a 0day (and how to fix it) as being the cure for a disease. Picture what withholding it would look like. In this year, if ever, people should realize how crazy dangerous and irresponsible this kind of behavior would seem if it happened to not be done with software.

So here's an idea: improve security by stopping the hoarding of 0days.

Built a company that buys 0days and doesn't immediately turn around to get them fixed? Too bad, this is a business model that leeches off everyone's insecurity and is now deemed unethical like so many other seemingly-genius business plans. If you're that good, go find a different thing to do with your time.

Note that this applies to states too: in my book they're welcome to buy/incentivize 0day info, but only to then get stuff fixed ASAP. Any state that keeps a 0day "just in case" is failing to protect (among others) its own citizens.

This won't really work. Many governments and intelligence agencies will pay an extreme premium for 0days and basically hoard them for future use. How do you stop the CIA or NSA from buying 0days? How do you prevent foreign governments or actors from buying them?

The ability to inflict massive damage to a nation's infrastructure is now part of modern weaponry. It's akin to asking militaries to stop buying weapons. We have basically split the atom here, we aren't going back.

If you don't want people hacking into your systems you need to go full Galactica, disabling networks and have stopgap measures on every critical device.

There's a great book that talks about this ecosystem (of buying bugs, vulnerabilities, and other 0days), among other cyber security related things:

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race


are there any companies hoarding 0days? I know the CIA does, but asking for ethical behavior from them seems like such a long-shot that it would make sense to decouple it from more achievable goals.

Zerodium is probably the most well known, but many Israeli cyber security firms will also buy them; Hacking Team out of Italy would. There are plenty of buyers but their customers are governments so you don't really hear of them.

wow, I had never heard of them. what a sick business model. I guess in a world of 7 billion people, there's going to be someone willing to fill any niche.


I will only agree with you after exploits are declared to be munitions

To me at least, it doesn't feel relentless, and it's not sudden at all. It has been relentless for years now. I'm glad to see it getting more attention, finally, and more people are suddenly paying attention to the problem. This is a short and sweet look at the problem for people who are just now suddenly noticing the problem.

They say it’s the result of inaction, new tactics, criminals having safe harbor and ubiquitous connectivity.

I'm surprised they don't call out the "mostly unregulated cryptocurrency" stuff a bit more as a cause as well.

I suspect it was a little harder to demand a ransom when your options were picking up a suitcase of unmarked $20's or a gift card to Home Depot.

It's hard not to see this as ultimately a good thing for the world.

The market will not spend one dime more on security than is needed to maintain lines of business, and that includes things like perception of risk and mitigation.

If there is enough pain, whatever level of baseline security is needed to protect most orgs against these attacks will become the new standard.

And then this threat will be replaced by a new one.

I dunno, when I go to Mexico I don't look at the heavily armed guards outside of a bank and go 'gee, it's a good thing there is so much violent crime here otherwise we wouldn't have these armed guards here to protect us from it'.

The internet isn't like that. You can be attacked from one individual living in a mountain in another hemisphere.

It's bad when bad things happen, no one will protect against bad things happening unless bad things happen, so it's good when bad things happen.

I see it like a vaccine. A ransomware attack generally does not do as much damage as a real attack. A vaccine might make you feel kind of bad, but it's not as bad as the thing it protects against.

Plus, there's other benefits. Companies might at least think a bit more about storing data about people (their employees, customers, etc) if there's a risk of it being stolen in a ransomware attack. That's a win for privacy overall.

Couldn’t disagree more. If that would happen, why hasn’t it happened yet? There are pirates and terrorists too, and they don’t make the world better or safer, quite the opposite.

I think you're hinting at a Broken Window Fallacy [1] here. I disagree that these cybercrimes are a net positive for the world.

[1] https://en.wikipedia.org/wiki/Parable_of_the_broken_window

The big change from what I've seen is the systemic, business-like approach by the ransomware gangs. It's not script kiddies randomly poking at IP addresses any more, but small businesses running with proper planning both operationally and financially.

On the contrary, every media piece I've read about ransomware mentions cryptocurrency in menacing terms (connected to criminals), many implying cryptocurrency is the cause of this new wave of attacks.

Of course, lamenting the fact that cryptocurrencies exist isn't getting us any closer to a solution to the problem, but ¯\_(ツ)_/¯ media gonna media.

But cryptocurrency is what led to the scaling up of these attacks.

It also seems like there's more publicity recently when one happens, both from the victims and the ransom holders.

I wonder what percentage of the ransom demands remain private and unknown.

Hard not to notice gas shortages across the east coast.

They "imply" it because it is 100% true. Cryptocurrency is the cause of the rise of ransomware.

I've been writing about the insecurity of Windows, MacOS and Linux since 2005[1], nothing is sudden about this.

We still collectively haven't learned the need for Capability Based Security[2]. I give it 5 more years before people finally catch on.

[1] - http://mikewarot.blogspot.com/2005/08/secure-computing.html

[2] - http://evlan.org/concepts/capabilities/

Regarding your second link, I'm curious about your thoughts of wide implementation in case I'm misunderstanding:

For a general user, this may just turn into the equivalent of "Terms and Conditions" acceptance. Most just blindly accept them because we're focused on the end-action. The same seems to go for allowing apps access to much of our phone data. In that sense, it doesn't really mitigate user risk (but does give legal cover). Is there any evidence that general users will "see something fishy was going on" enough to actually change behavior?

Wallets, the kind that fit in your pocket, containing cash, the folding kind of money, are an example of capabilities that are widely used.

People don't just hand over their wallet, they choose the amount to tender in a transaction, which is the most they could lose.

If someone asks me to hand over my wallet, I know I'm being robbed.

In a capabilities based system, you pick what files to give to an application, instead of the application showing you a dialog and then getting them itself. As far as the user is concerned, the UI doesn't even need to change.

It is my long held belief (2005!) that capability based systems are the only way out of this nightmare.

The big thing I think that needs to happen for this to stick is for the UI to make sense. There has to be some obvious and convenient way for me to provide the things the application needs, without it being a pester-box with an OK button.

Some of that already exists on desktop OSs but seems to have been abandoned. Drag and drop file loading is commonly available but applications still seem to insist on file dialog workflows. Drag and drop saving even exists in RiscOS and ROX-Filer. But how do we abstract other resources like cameras, keys, contacts, network ports, or money? Is it as simple as having drag-and-drop-able representations of those things? Do I drag $5 out of my virtual wallet into Steam? My bank password from a virtual keyring? Connect a virtual cable to the application window from an icon representing my camera?

Sadly, the desktop metaphor itself is out of fashion as everyone went insane when the iPhone came out, so I expect it will be a lot longer than 5 years before any of this is explored in any depth.

> But how do we abstract other resources like cameras, keys, contacts, network ports, or money?

Android has some of that figured out. For instance, instead of getting a permission to use the camera directly, an application can use a camera intent, which will pop up the camera application (which does have that permission); when the user takes the picture, the original application will receive something somewhat similar to a capability which can be used to access that picture (and only that picture). The same idea can easily be extended to contacts (use an intent which pops up the contacts application, which then returns something somewhat similar to a capability to access the contact chosen by the user), and so on.

> People don't just hand over their wallet, they choose the amount to tender in a transaction, which is the most they could lose.

This is a good analogy for the tech-minded, but I think it may not be as applicable to the non-tech-savvy. To many general users software is an abstract black box unlike a tangible wallet which they intuitively have an understanding of the contents.

When most people take their car to an auto mechanic they aren't prepared to say, "When you plug in your computer, only access the wheel speed sensor data and anti-lock braking software. Don't touch the fuel-mapping, car speed, infotainment, or GPS data." All they want is their car to drive again. They may not know enough of what's going on under the hood and, I suspect, would be more likely to blindly sign over whatever data the mechanic says they "need".

The car is a great analogy for Windows, MacOS and Linux. You can't limit what a person will do once you hand them the keys.

We need wallets, not cars.

The major flaw in our operating systems is that processes run by the user have access to everything the user has access to. This was fine back in the 80s, but today, you as a user can’t trust the code that you are running to do only what it says it’s doing.

If filesystem access permissions were invented today rather than 50 years ago, they would probably look a lot like permissions on iOS: the user would need to affirmatively grant the process access to specific files or directories. No blanket read/write access to everything the user has. Same with networking. The user should have control over what kinds of inbound and outbound connections the process is making.

Newer versions of MacOS are doing this with filesystem permissions to an extent, and apps like Little Snitch make it pretty easy to control network connections, though they do cost extra...

I worry that bolting on capabilities will repeat the Windows UAC like fiasco and we'll lose another decade before finally clearing this mess.

This is definitely what we need. However, about ACL security, can't capability based access be emulated by having many virtual users each with the access to capabilities needed for a particular program? Why can't we use this now to do capability based security?

If you were to globally set all permissions to the filesystem, network stack, clock, etc. to NONE, and then make exceptions based on the user's choice, it in theory would work.

In practice, however, no.

Outlaw crypto. Ransomware would go away overnight, the electricity would no longer be wasted, people could afford to play videogames again. The only downside is the collapse of a no-value asset bubble.

Outlaw torrenting while you're at it

General purpose computing seems to be the real issue here. Might as well ban it while we've got the chance. If people want to compute something, they can use their brains!

In seriousness though, banning cryptography would appear to have many more serious consequences than the elimination of Bitcoin. Free speech would take a big hit for starters.

If the concern is regarding the waste of electricity, then why not apply a tax on energy equivalent to the associated negative externality? That way everyone who wastes electricity will be charged equivalently, and the government won't have to determine which use cases are "useless." (Personally I think mining gold for jewellery is almost as useless as mining Bitcoin -- both certainly have an aesthetic beauty to them.)

> In seriousness though, banning cryptography [...]

I think, when they say "ban crypto", they mean "ban cryptocurrencies".

I, too, find it deeply unfortunate that some cryptocurrency nerds have suddenly decided that a term that has for a long time been used to refer to cryptography should now suddenly be understood to refer to cryptocurrencies exclusively, but it's not the first time I have witnessed this misunderstanding.

Until you hold these companies and their management directly responsible: It will continue.

The issue here is the same as it has always been: cost cutting, poor management, poor oversight, and laziness. We have infrastructure-sensitive industries being hit, and in the years preceding the hits, years full of heavily reported ransomware incidents, zero audits were conducted that flagged these problems, backup strategies weren't reformed (i.e. they have no offline backups), network onioning wasn't utilized, and other basic 101 security strategies weren't employed.

All we hear over and over is "they're CRIMINALS," "they're in [foreign country]!" but ultimately that is a distraction; there will always be criminals, and they will always operate beyond the reach of the law. What matters is mitigating their ability to do damage which we absolutely can and should do.

If senior management started being fired and companies heavily fined this problem would magically disappear (or its impacts substantially reduced, like a two-day outage while they restored offline backups instead of multi-week). This isn't because criminals stopped being criminals, it is because this is all just a symptom of a different problem: Corporate responsibility, or lack thereof.

Congress should take action, fund mandatory audits on private infrastructure companies and impose large fines on companies & senior executives that cause widespread disruption. Even the threat would be highly effective and the pocket-books would magically open to pay for security professionals and fixes.

I think we're seeing two things: increased reporting because of increased interest and an actual uptick in actual ransomware attacks. The rate of attack isn't necessarily increasing with the rate of increase in reporting but both are up YoY.

For increased interest, the Colonial Pipeline shutdown had huge far-reaching effects beyond the cost to the company. News of the situation reached beyond tech wonks. It also impacted tons of people not directly related to CPC.

To the uptick in successful attacks, the increase in working from home probably has a lot to do with it. A virus that wouldn't make it past an enterprise firewall will more easily hit some user at home. They then connect to the corporate VPN for work and bridge past a lot of firewalls and IDSes. Companies that might have decent network security are poking a lot of holes to handle people WFH that they never had previously.

Joe from Accounting who's a whiz in Excel but falls for every phishing e-mail that hits his inbox is a bigger problem WFH than when at the office. He's a match in a powder mill when he connects to the corporate VPN from his malware-riddled home PC. Was he not supposed to install totallylegitzoominstaller.exe from totesthisiszoom.ru?

I may have an extremely pessimistic view of things, but things aren't going to change until the incentives have changed.

This is nothing new, or surprising if you look at human nature. The big issue with security these days is that bad behaviors are not just common practice, in many cases they are incentivized. Many companies have pushed the risk into cyber security insurance policies, or if they haven't they can create massive paper "losses" when a cyber incident happens. Prior to ransomware, if companies were smart, they could actually make money off a cyber incident, versus spending money to prevent an incident.

I would say the tipping point for many executives was realizing that the Equifax breach (one of the biggest in history up to that time) had literally zero impact on their business long term. The company was focused on monitoring credit and many would have assumed the company would have a responsibility to secure its data.

Unfortunately this was a light bulb moment for many execs and the light bulb wasn't a good one for their customers or society at large. They basically found out that data breaches don't really matter and if you weather the storm there is very little impact to your business. Yes your customers lose their data, but if you need to minimize overhead costs, why spend a ton of money on a security program that doesn't have a guarantee in stopping it anyway.

Fast forward to 2021, with crypto being so ubiquitous and realizing that companies have largely forgotten or shut down the Business Continuity Planning (BCP) programs they stood up after 9/11, bad actors are having a field day. Actors were very active stealing DBs and trying to extort people, but they largely found that people either didn't believe them or didn't care.

With ransomware, they basically prevent the business from doing anything, and that is something that just cannot be ignored like data theft/extortion attempts. If someone steals your customer ACH information from your accounting database, no big deal, but if you can't accept payments from your customers... They are literally not making money.

I have worked in information security for ~20 years and I don't believe that there will be any improvements until there are major changes to the incentives that customers have to protect their customer information/data. If anything the ransomware threat is one of the few things actually causing many companies to invest in their security programs.

> [...] until the incentives have changed.

I think it's not only individual incentives, it's also the incentive structure of whole ecosystems.

The way we write software nowadays (or even do other business processes) includes so many complexities and therefore potential attack vectors that I doubt anyone anywhere doesn't have gaping security holes unless they're writing code on airgapped systems where every component is thoroughly vetted or something. Just take a look at the crazy amount of (transitive) dependencies that any average web app (frontend or backend) has nowadays, or all the different infrastructure components.

The article hits some spot-on notes. The other missing piece is just how non-technical organizations can be out of their depth when it comes to the lifecycle of IT hygiene, vulnerability management and training their staff to be security minded. A mid-size school district really has two options to secure itself: get the expertise in house, which could result in easily exploitable gaps, or spend a non-trivial amount of budget working with endpoint protection vendors. I can imagine it's hard to explain to a rural school board that you either do this now, or pay majorly later.

Luckily for everyone, the endpoint protection market is evolving rapidly, and these solutions do work. Big Game Hunters aren't super humans, they exploit the things that on-the-ball IT teams and endpoint security vendors can easily fix: unpatched vulnerabilities, misconfigured endpoints and mismanaged credentials. Unluckily for everyone, the threat actors, for the reasons laid out in this article, are evolving too. And on top of that there's no shortage of vulnerabilities either.

I expect things to get worse before they get better. But do I expect Big Game Hunting to be a major problem in 15 - 20 years? I don't think so, because eventually every IT device in most any organization will have some type of cloud-connected security baked into its cost. Do I think there's a likelihood it will be worse in 2-3 years? Most likely yes.

How much do companies and governments buying back their data and secrets in these attacks push up the prices of the cryptocurrencies used for the ransoms? What % of ransomware attacks are not reported to the media?

I'm definitely in favor of blaming Trump and Russia, because we certainly can't blame:

- tech companies for selling software and hardware riddled with security flaws

- the legal system for absolving said companies from any liability whatsoever

- customers who are unwilling to pay more for reliability, security, or recoverable backups

- those who pay the ransoms, ensuring steady income for criminal extortionists.

4 popups before you can read the article, new record

Because media has a narrative to push.

… which would be?

These are criminals, often state sponsored criminals, that are carrying out literal acts of war against US infrastructure.

So what’s the “media’s narrative” here?

The main narrative is the usual war mongering. You're doing it in your post.

These are criminal actions, as they're not endorsed by the state.

But it doesn't have to reach the scale of war to be bad. The broader narrative is We Have To Do Something. And that Something is always grant the government more power. Why is it a good thing, for instance, that we're taking "unprecedented" steps?

The US has been dealing with ransoms, piracy, extortion since its founding. "From the halls of Montezuma, to the shores of Tripoli," the latter was one of our first expeditions to deal with piracy.

As there is plenty of precedent for dealing with this stuff, we should be very skeptical when the government insists it needs new powers.

fork over more powers to the surveillance state

I don't see why the media would want that. They are finding out that the previous "surveillance state" secretly scooped their phone records.

End Bitcoin.

Good! The world will be better off once we're no longer wasting gargantuan amounts of electricity & processing power on a speculative "currency" that people hoard.

What stake does "the media" have in bitcoin? It's a fun story to write about.

News died. There's no ad-supported news anymore. Anything taking that format is no longer selling ad space to survive. They're selling your opinion.

The modern media that takes the form of news isn't news. It's public relations for corporate and government interests. Whenever a story like this "suddenly feels" anything it's being manipulated by those interests.

Yes, and the sooner the better.

Bitcoin is causing massive damage in so many parts of life. Environmental damage, ransomware, fraud, semiconductor shortages.

End it now. Stop the madness.

They're trying to explain away inflation causing high meat and oil prices

What actual proof have you seen that it's state sponsored besides the media and government telling you it is?

What would you suggest? You've already dismissed the two largest sources of information. It's actually remarkable that these two sources actually agree on a point.

I suggest you not just blindly believe whatever they say unless they provide real solid evidence. Take it into consideration as a hypothesis but don't just assume it's the truth. They have agreed on many points in the past and have been completely wrong.

Real solid evidence of that nature only comes about once a Snowden.

"The world is ending because cyberattacks" or something, whatever to get the panic levels up in the public, because hey, panic sells views.

Attacks have been ongoing for literal years, but we had a nice war on terror and then a recession to keep banging on about in the news to keep the advertising dollars flowing.

Should be fun for you to reconcile this worldview when we have a digital 9/11.

It’s crystal clear that this is a matter of when, not if.

I for one will not be keeping my head in the sand.

Yes informing people of what's happening is a conspiracy. Best to keep people ignorant.

Cyber-attacks like this have been happening for years without getting reported on. Who was keeping people ignorant then?

Home Depot Cyber attack from 2014: https://www.usatoday.com/story/money/business/2014/11/06/hom...

And Goodwill in 2014: https://www.usatoday.com/story/tech/2014/09/03/goodwill-stor...

And JP Morgan: https://dealbook.nytimes.com/2014/10/03/hackers-attack-crack...

Target cyber attack from 2013: https://www.nbcnews.com/business/business-news/target-settle...

2014 had at least 3 major cyberattacks covered by the mainstream media. I'm sure there are more, but I don't have LexisNexis or whatever to do that kind of research; just Google.

Edit: And that target cyber attack got TONS of coverage. I remember it quite well. Everyone was talking about it at work. So this stuff didn't fly under the radar.

The impact of them was much, much smaller.
