Ransomware attacks are now pervasive. I'd argue that even though most individual victims are not critical to national security, society as a whole is under attack. This makes it a national security emergency in my view.
— Dane-Geld, Rudyard Kipling
I expect the 80% figure to be rather inflated, unless they are talking about attempted attacks and not just successful second attacks, but paying the ransom in no way means you won't be attacked again.
Though thinking about it, if it were only attempted attacks I'd expect the figure to be 100% - criminal types are not known for leaving a potential easy mark alone! If they don't re-attack themselves then they could at least sell or swap to another group information about the potential target (or another group could just catch news on the grapevine).
If a business from country X could not legally pay, then what would be the point of attacking any company from country X?
The article is a bit long, but I think the most salient parts are:
> Consider, for example, Section 2339(B) of the material support statute, which makes it a crime for a person to provide material support or resources to a designated foreign terrorist organization. [...] But, at its core, it’s a ban on the giving of something of value to a designated overseas group. There is no exception in the law for circumstances like ransoms, though nobody has ever been prosecuted for material support in a situation involving, say, a kidnapping or hostage taking. So if Hamas or Al-Qaeda got into the ransomware business, it would already be a crime to pay the ransom—though it’s not clear whether the government would ever use its enforcement discretion to bring such a case.
> [big list of similar laws]
> Each of the aforementioned authorities is a piece of a legal puzzle that allows the government to target individuals and organizations in certain contexts. But these authorities are generally not well suited to be effective against current ransomware payments in general.
> Generally, most of these laws, like the FCPA, will not apply, because the offending party often has only a tenuous connection—or perhaps no connection at all—to a government official. Even if it does, a prosecutor would have to prove that the payer knew this, which seems improbable.
It seems to fall into this weird gap where it isn't clear if it is more like paying a ransom, paying for an IT service, or more like paying a bribe to continue doing business.
Corporate accountability is laughable. So just break the law, get your small little fine, accept no wrongdoing, and move on.
We've seen what hackers are capable of with Colonial Pipeline. We've seen the damage that can be done by taking out Texas' energy grid.
By targeting infrastructure that directly affects citizens, adversaries can influence the democratic process.
If China is able to take out the internet infrastructure in a city like Seattle, people are going to look for someone to blame. That person would likely be whoever is in charge of the country at that point.
Reading things like "Ransomware attacks are now pervasive" makes me think very few organizations have practiced what to do despite it being "pervasive."
It isn't easy and it isn't enjoyable. Simply rehearsing restoring a system from a disk failure is stressful and often enough the user finds backup won't restore properly. But you don't know where the pain points are until you rehearse in a controlled environment.
| Winston Wolf |
| Fixer, Cleaner, Ransomware Negotiator |
Oh, and of course make sure it can't happen in the beginning.
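The restore rehearsal described above, as an added example that is not part of the original thread: a hypothetical drill that takes a backup of a small SQLite database, restores it into a scratch directory, and checks the file hash, SQLite's own integrity check, and the expected row count. All data is constructed for the example; the truncated copy stands in for the "backup won't restore properly" case.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# Hypothetical restore drill (example code, not from any real system):
# build a tiny "production" database, back it up, then prove the backup
# restores to a complete, consistent copy before you ever need it for real.

def make_production_db(path: Path) -> None:
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, amount_cents INTEGER)")
    con.executemany("INSERT INTO orders (customer, amount_cents) VALUES (?, ?)",
                    [("acme", 1200), ("globex", 5500), ("initech", 300)])  # constructed sample rows
    con.commit()
    con.close()

def take_backup(src: Path, dst: Path) -> str:
    """Consistent online copy via SQLite's backup API; returns SHA-256 of the backup file."""
    s, d = sqlite3.connect(src), sqlite3.connect(dst)
    s.backup(d)
    d.close()
    s.close()
    return hashlib.sha256(dst.read_bytes()).hexdigest()

def restore_drill(backup: Path, expected_sha256: str, expected_rows: int) -> dict:
    """Restore into a scratch directory and verify hash, integrity and row count."""
    result = {"hash_ok": False, "integrity_ok": False, "rows_ok": False}
    result["hash_ok"] = hashlib.sha256(backup.read_bytes()).hexdigest() == expected_sha256
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored.db"
        restored.write_bytes(backup.read_bytes())  # the "restore" step of the drill
        try:
            con = sqlite3.connect(restored)
            result["integrity_ok"] = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            result["rows_ok"] = con.execute("SELECT COUNT(*) FROM orders").fetchone()[0] == expected_rows
            con.close()
        except sqlite3.DatabaseError:
            pass  # an unreadable backup simply fails the drill; nothing to fix up here
    result["passed"] = all(result.values())
    return result

def run_drill_demo() -> tuple:
    """Returns (good_drill, bad_drill): a healthy backup and a truncated one."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        make_production_db(d / "prod.db")
        digest = take_backup(d / "prod.db", d / "backup.db")
        good = restore_drill(d / "backup.db", digest, expected_rows=3)
        (d / "truncated.db").write_bytes((d / "backup.db").read_bytes()[:1024])  # simulated damage
        bad = restore_drill(d / "truncated.db", digest, expected_rows=3)
    return good, bad
```

Run `run_drill_demo()` on a schedule rather than once; the value of the drill is finding out before the incident which checks fail.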
That's a step in the right direction, but we need more.
If you're critical industry and get ransomwared there should be hefty fines for everyone involved from the top down.
Also there should be hefty fines for any data leaks that are a result of ransomware attacks.
Companies will start moving when getting ransomwared due to low security standards is a major impact on your financials and not like some "put 50k aside for data hostage situations".
They can take the hit and live without their data, thereby making the world safer for the rest of us. Focusing only on their own personal problem is the definition of selfishness.
In this case the victims are enabling a whole cottage industry of crime.
Very brave of you to risk other people's health.
It's not like Ransomware is some god-given thing that just happens.
There's a case in Germany right now where the critical Confluence bug was simply not patched for two weeks after the notice that there's a critical bug/exploit. Now the systems are down and everybody's wondering how that could probably have happened...
"Won't happen here" is easier than taking care.
'If you have prepared staff and software you are not going to be affected'
All of it is true, no discussion here.
But that's not how the real world works. Complex systems, large staff of various skills, temporary access for a temporary fix that becomes an established feature because there is something else more important, people leaving and so on.
That's how a <insert boring item> company ends up with their DB not backed up, or backed up locally so it's encrypted in the attack too.
And you need info on orders, deliveries, and money etc RIGHT NOW!
What do you do?
You can't get rid of the Marthas because the Marthas have been here 30 years and hang out with everyone from the company on weekends, and probably know more about the business than anyone, even if you wanted to get rid of her.
The former are following a script with most everything they do, while the latter have enough understanding to think in categories of behavior and to predict or explain things, at least a little, which doesn't make them immune to phishing, but does make them significantly harder targets. The latter sort are less common than one might hope, even among those younger than Martha, though, which becomes clear if you talk to people who work in non-technical offices—bearing in mind that all but the oldest workers are now mostly Gen X and Millennials, with only a few raised-on-phones Gen Z so far.
Overall, I'd say all signs point to every general-purpose desktop operating system being a usability and security disaster for at least half the population of non-oldsters.