Confessions of a Ransomware Negotiator (theregister.com)
96 points by belter 8 days ago | hide | past | favorite | 52 comments

> unless you're critical to national security, the bottom line is: you're on your own here

Ransomware attacks are now pervasive. I'd argue that even though most individual victims are not critical to national security, society as a whole is under attack. This makes it a national security emergency in my view.

The same can be said for drugs, homelessness, corruption, social media, and literally anything. Society as a whole is under attack by these things, and the costs it pays for them are much higher than ransomware.

That if once you have paid him the Danegeld, you never get rid of the Dane.

— Dane-Geld, Rudyard Kipling

Quite literally if you are not careful: https://www.cbsnews.com/news/ransomware-victims-suffer-repea...

I expect the 80% figure to be rather inflated, unless they are talking about attempted attacks and not just successful second attacks, but paying the ransom in no way means you won't be attacked again.

Though thinking about it, if it were only attempted attacks I'd expect the figure to be 100% - criminal types are not known for leaving a potential easy mark alone! If they don't re-attack themselves then they could at least sell or swap to another group information about the potential target (or another group could just catch news on the grapevine).

I wonder about whether governments could make it illegal to pay ransomware.

If a business from country X could not legally pay, then what would be the point of attacking any company from country X?

Then the payment will be done by "underground payment processors" with a hefty extra fee. It wouldn't solve the problem I think, only shift the path an organization has to take.

No, it wouldn't: no executive at any company would risk federal time and money laundering charges if it was made illegal.

That's what throw-away shell companies are for...

Ah yeah HSBC Bank would never...

That's what Michael Cohen is for.

I believe it's already illegal ("know your customer", maybe they are terrorists). But ransom payments are tax-deductible nevertheless.

Lawfare has done a little on this.

(Article) https://www.lawfareblog.com/ransomware-payments-and-law

(Podcast) https://www.lawfareblog.com/lawfare-podcast-how-can-congress...

The article is a bit long, but I think the most salient parts are:

> Consider, for example, Section 2339(B) of the material support statute, which makes it a crime for a person to provide material support or resources to a designated foreign terrorist organization. [...] But, at its core, it’s a ban on the giving of something of value to a designated overseas group. There is no exception in the law for circumstances like ransoms, though nobody has ever been prosecuted for material support in a situation involving, say, a kidnapping or hostage taking. So if Hamas or Al-Qaeda got into the ransomware business, it would already be a crime to pay the ransom—though it’s not clear whether the government would ever use its enforcement discretion to bring such a case.

> [big list of similar laws]

> Each of the aforementioned authorities is a piece of a legal puzzle that allows the government to target individuals and organizations in certain contexts. But these authorities are generally not well suited to be effective against current ransomware payments in general.

> Generally, most of these laws, like the FCPA, will not apply, because the offending party often has only a tenuous connection—or perhaps no connection at all—to a government official. Even if it does, a prosecutor would have to prove that the payer knew this, which seems improbable.

It seems to fall into this weird gap where it isn't clear if it is more like paying a ransom, paying for an IT service, or more like paying a bribe to continue doing business.

Ransom payments are tax-deductible? If true that is nuts! Do you have a source?

"Hit by a cyberattack? Your ransom payment to hackers may be tax deductible."

Partly already true. You can’t pay criminals in OFAC-listed countries (https://sanctionssearch.ofac.treas.gov/). Now, the issue becomes: how do you know? And what happens when it’s your business's existence vs. breaking the law?

Break the law. Every time. The fines are minuscule, and you'll likely be able to settle with the government without actually admitting wrongdoing. There are also no personal consequences for the decision makers.

Corporate accountability is laughable. So just break the law, get your small little fine, accept no wrongdoing, and move on.

IMO, the next major war won't be fought with missiles and bullets. No democratic government will want to mass-murder citizens. I think the next major war will be cyber.

We've seen what hackers are capable of with Colonial Pipeline. We've seen the damage that can be done by taking out Texas' energy grid.

By targeting infrastructure that directly affects citizens, adversaries can influence the democratic process.

If China is able to take out the internet infrastructure in a city like Seattle, people are going to look for someone to blame. That person would likely be whoever is in charge of the country at that point.

The "businessmen" are probably more comfortable dealing with criminals looking for money than their own IT folks looking for money.

A ransomware attack is as if your building burned down. If you have not practiced what you will do in case of a fire or flood, you will be offline for weeks.

Reading things like "Ransomware attacks are now pervasive" makes me think very few organizations have practiced what to do despite it being "pervasive."

It isn't easy and it isn't enjoyable. Simply rehearsing restoring a system from a disk failure is stressful, and often enough the user finds the backup won't restore properly. But you don't know where the pain points are until you rehearse in a controlled environment.

I doubt I would get approval for the resources needed to do a full restore rehearsal and I know we have gaps.
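The restore rehearsal described in the comment above can be scripted so that it runs routinely rather than as a one-off heroic effort. The following is an added example, not code from the original thread or from the article it discusses. It assumes a simple backup convention (a tar archive carrying a `MANIFEST.json` of SHA-256 digests, one per member); the sample backups, including the corrupted and incomplete ones, are constructed in memory so the drill runs offline. Restoring into a throwaway directory and re-hashing every file is what turns "we have backups" into "we have verified we can restore".

```python
"""Backup restore drill: unpack an archive into a scratch directory and verify
every file against the manifest it was backed up with.

Added example, not from the original page. Assumed convention: the backup is
a tar archive whose MANIFEST.json maps member paths to SHA-256 hex digests.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path):
    """Stream a file through SHA-256 so large restores do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(files):
    """Digest table for a {path: bytes} mapping (what the backup job records)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def build_backup(files, manifest=None):
    """Write a tar archive containing `files` plus a manifest.

    Passing a manifest that does not match `files` simulates a backup whose
    contents silently drifted from what the job claims it stored.
    """
    manifest = manifest_for(files) if manifest is None else manifest
    members = list(files.items()) + [(MANIFEST_NAME, json.dumps(manifest).encode())]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_members(tar):
    """Refuse archive members that would write outside the scratch directory."""
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
            raise RuntimeError(f"refusing suspicious archive member: {m.name}")
        yield m


def restore_drill(archive):
    """Restore into a temp dir, verify each manifest entry, return a report."""
    report = {"restored": [], "corrupted": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            tar.extractall(dest, members=safe_members(tar))
        manifest_path = dest / MANIFEST_NAME
        if not manifest_path.exists():
            raise RuntimeError("backup carries no manifest; integrity cannot be proven")
        manifest = json.loads(manifest_path.read_text())
        for name, expected in manifest.items():
            restored = dest / name
            if not restored.exists():
                report["missing"].append(name)
            elif sha256_of(restored) != expected:
                report["corrupted"].append(name)
            else:
                report["restored"].append(name)
    return report


# Constructed sample data: what a small business-critical backup might hold.
SAMPLE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'ACME');\n",
}
GOOD_BACKUP = build_backup(SAMPLE_FILES)

# Constructed failure cases: a member whose bytes no longer match the manifest
# (partial write or bit rot) and a manifest entry the archive never stored.
_tampered = dict(SAMPLE_FILES, **{"db/orders.sql": b"\x00" * 16})
CORRUPTED_BACKUP = build_backup(_tampered, manifest=manifest_for(SAMPLE_FILES))
INCOMPLETE_BACKUP = build_backup(
    {"db/orders.sql": SAMPLE_FILES["db/orders.sql"]}, manifest=manifest_for(SAMPLE_FILES)
)

if __name__ == "__main__":
    for label, archive in [("good", GOOD_BACKUP), ("corrupted", CORRUPTED_BACKUP),
                           ("incomplete", INCOMPLETE_BACKUP)]:
        print(label, restore_drill(archive))
```

In a real drill the archive would come from the off-host backup target rather than from memory, and any non-empty `corrupted` or `missing` list should page someone, because it means the day you need the backup is the day you find out it was never usable.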

I’m adding this to my business card. “Ransomware Negotiator”

  |                                         |
  |              Winston Wolf               |
  |                                         |
  |  Fixer, Cleaner, Ransomware Negotiator  |
  |                                         |

What a perfect reference hahahaha

A generational issue. Middle age business men vs. a new generation.

Ransomware obviously only works if people are paying. Just stop that and it will go away.

Oh, and of course make sure it can't happen in the beginning.

That's victim blaming. Even if we don't pay up, people will still spread ransomware just for shits and giggles. The cat is out of the bag.

He’s not blaming the victims for getting attacked by ransomware. He’s blaming people who then pay the attackers. That’s a separate issue. People can be both victims and perpetrators of separate offenses, subject to criticism. I.e. being a victim of one thing does not render you blameless for all your subsequent actions.

Those who pay the attackers might have no other choice. Sure they should have taken backups. But right now they don't have any. What else can they do? Maybe government can enact laws asking to maintain backups regularly in critical industries.

> Maybe government can enact laws asking to maintain backups regularly in critical industries.

That's a step in the right direction, but we need more.

If you're critical industry and get ransomwared there should be hefty fines for everyone involved from the top down.

Also there should be hefty fines for any data leaks that are a result of ransomware attacks.

Companies will start moving when getting ransomwared due to low security standards is a major impact on your financials and not like some "put 50k aside for data hostage situations".

> What else can they do?

They can take the hit and live without their data, thereby making the world safer for the rest of us. Focusing only on their own personal problem is the definition of selfishness.

Would you let your company that earns millions go under over ransomware that is asking for tens of thousands of dollars?

If your company that owns millions doesn't have a backup of the mission-critical data somewhere, you have a bigger problem.

No. In that moment your biggest problem is that all your data is inaccessible. That you don’t have backups reduces options since it precludes that solution, but another one exists: pay the ransom.

Continuity is part of regulation in some industries, yes

“That’s victim blaming”

In this case the victims are enabling a whole cottage industry of crime.

Ransomware won't stop even if you don't pay up. Just destroying the target by data loss can be a sufficient reason for any attacker. No payment needed.

This is wildly incorrect. For criminal groups who intend on making money, that payment is needed from a certain subset of victims or they can’t stay in business.

I am a shady company who wants to take down a competitor. I can hire a hacker who'll do the dirty job for me and then get paid in cold hard cash. Or a nation state actor can decide to attack an enemy country's infrastructure.

So? If their goal is destruction what does that have to do with ransomware? They can do that whether paying the ransom is legal or not.

Deception? It can confuse the target about the motives of the attack.

So they were going to destroy data anyway, so this isn’t what outlawing ransom payments is meant to prevent, because it can’t. It will prevent ransomware for profit if no one pays.

Could you try to cure cancer next?

It's unnecessary. You just have to make sure to not develop it first.

Even when it shuts down hospital ERs?

Very brave of you to risk other people's health.

Thanks I'm cured.

I don't get why they don't just restore from backup. S3 has been around for more than a decade at this point.

Ha! That is a brilliant idea, how come nobody ever thought of it before?

I don't know. Seems to be easier (read "cheaper") to run shitty software and not train people well, so this doesn't happen in the first place.

It's not like Ransomware is some god-given thing that just happens.

There's a case in Germany right now where the critical Confluence bug was simply not patched for two weeks after the notice that there's a critical bug/exploit. Now the systems are down and everybody's wondering how that could probably have happened...

"Won't happen here" is easier than taking care.

'If you dont pay it will die off'

'If you have prepared staff and software you are not going to be affected'

All of it is true, no discussion here.

But that's not how real world works. Complex systems, large staff of various skills, temporary access for temporary fix that becomes an established feature because there is something else more important, people leaving and so on.

That's how a <insert boring item> company ends up with their DB not backed up, or backed up locally so that it's encrypted in the attack too.

And you need info on orders, deliveries, and money etc RIGHT NOW!

What do you do?

You can't protect against the 80-year-old Martha who IS GOING to click the link regarding her 10,000,000$ payment from the Nigerian prince. She IS GOING to download and install the bank transfer program, and she is going to compromise the entire network.

You can't get rid of the Marthas because the Marthas have been here 30 years and hang out with everyone from the company on weekends, and probably know more about the business than anyone, even if you wanted to get rid of her.

Worse, it's not just ancient Marthas. A high percentage of younger generations—including those who grew up with desktop computers, so you can't just say "oh it's the iPhone's fault"—use computers essentially by rote and habit, without a conceptual understanding of much of it, and I don't mean in a theoretical CS-type sense, but more like plugging in a USB drive and knowing one specific place on one specific kind of window, reached by clicking one particular icon to find it in, and being totally lost if it's not there and/or concerned or confused if it's got a different name than the totally different USB drive you used last week, versus having some sense of what happens when you connect a disk and the sort of place you might be able to find it. It's the difference between "I get there by clicking this, then that" and "I get there by opening my file manager and navigating to what I need". They're saying the same thing, but one implies some understanding, and a resultant resilience and flexibility in use of the computer.

The former are following a script with most everything they do, while the latter have enough understanding to think in categories of behavior and to predict or explain things, at least a little, which doesn't make them immune to phishing, but does make them significantly harder targets. The latter sort are less common than one might hope, even among those younger than Martha, though, which becomes clear if you talk to people who work in non-technical offices—bearing in mind that all but the oldest workers are now mostly Gen X and Millennials, with only a few raised-on-phones Gen Z so far.

Overall, I'd say all signs point to every general-purpose desktop operating system being a usability and security disaster for at least half the population of non-oldsters.

