The solution is always the same: step up the enforcement.
There's a delightful video, "The Barbary States - The Final Yarrs" which shows the end of piracy in the Mediterranean. The European sea-going states and the United States had been paying tribute to the Barbary pirates to sail cargoes past Gibraltar and into the Mediterranean Sea. That video claims that tribute was the biggest single expense of the United States Government in its early years.
After the War of 1812, the United States had a moderately powerful navy. Congress decided to go to war against Algeria. Commodore Stephen Decatur was sent with a fleet. They won. Then the fleet went on to Tunis. They won. Then on to Tripoli. They won. The US paid no more tribute after that.
It got even worse for the Barbary pirates. The European powers now saw the pirates could be crushed. In 1816, the British and Dutch sent a fleet. Someone from the Algerian navy shot at it. The fleet shot back. Most of the Algerian navy was sunk. Eventually, France conquered and annexed Algeria, and Spain conquered Morocco.
For train robberies, see, of course, Butch Cassidy and the Sundance Kid.
The REvil crowd has managed to get to the point where the rather large US anti-terrorism community is focused on them. That usually doesn't end well.
If a corporation is unable to pay a ransom then the incentive to do the ransomware attack immediately drops.
Cracking down on perps would be nice, but is not feasible.
What such an idiotic, short-sighted policy would do is to encourage corporations to pay the ransom in secret. This only strengthens the hackers because now law enforcement has no idea who is being hit, when, and with what malware.
But hey… our society moved on, so you’re right about that: you can definitely live with it.
The total value of the stock markets didn't seem to suffer from Covid-19. But people have.
Maybe your point is that unrestricted ransomware shouldn't affect GDP? I'm honestly not sure. Doesn't there have to be a limit? Civilization depends on trust. Sometimes there are critical points.
1. Green energy requires too few employees per gigawatt compared to coal
2. It would be irresponsible to pursue a policy of a sharp correction toward affordable housing prices because it would push too many elderly into poverty
Right now it's apparently cheaper to pay a ransom than it is to implement sane security and backup procedures. That needs to end.
Yes, security and backup measures are critical and companies SHOULD be scrutinized for those things especially if you deal with mission critical data/information. But that has nothing to do with Ransomware Gangs.
This sounds reasonable at first, but I think it might be leaning on anthropomorphizing a corporation a little much.
I think of them more as a machine, or a biological cell or microbe.
While it may be a machine optimized for survival, I'm not sure that they all are or that they must be.
An organism can self-destruct if that's what it's programmed to do.
And an organization in theory should be able to maintain processes that result in orderly self-destruction in certain circumstances, where it's appropriate in the wider society.
After all, companies typically go bankrupt rather than devolving into gang warfare, right?
A "humans first" society should not be prioritizing the survival of human created organizations above all else.
If paying in secret is a crime, with whistleblower opportunities, then paying in secret is not so easy. Forbidding payments will massively decrease the value of doing the attacks and reduce the number of them.
The anti-yakuza strategy suggested here probably wouldn't fit as a solution for attacking ransomware.
The perps don't give a shit about what is legal and illegal. They target prey that are vulnerable but have critical functions (e.g. a Hospital network). It is not just about individuals. If a Hospital Network gets attacked and has serious consequences, they won't do a board meeting to discuss "Gee, paying ransomware is illegal. We must say No."
I am not advocating that people should just pay but we cannot punish the victims even if the victims were careless (bad security practice etc).
Pretty much the reason wallets are worthless is that if you snag one, all you get are plastic cards that are going to get cancelled in the next minutes/hours.
S3/Azure/Backblaze are really cheap and just work.
Forcing people to be whistle blowers is not a scalable enforcement plan. Very few people are willing to be one.
We need to legislate with the goal of corporate transparency not for more hidden behavior.
A company currently performs a simple mathematical equation when deciding to pay a ransom. Does the reputational and financial cost of not paying the ransom outweigh the price of the ransom? In a world where ransom payments were illegal, then those same companies would also have to include the legal penalties and probability of being caught as part of that equation.
Obviously, some companies would still see a net benefit in paying the ransom, but fewer would, so fewer ransoms would be paid.
It seems to me like you're trying to use 'war on drugs' logic on ransoms. The key difference is that companies don't want to pay ransoms, but do so out of necessity.
It’s like prostitution, if it’s illegal you find that most sex workers are the most vulnerable in society. When it’s not, sex workers can be anyone who doesn’t want to drive 6 hours for Uber on the weekend for extra cash.
Making it illegal to pay just isn't feasible for practical business purposes.
Probably similar for beef suppliers, although I didn't read any media about what systems were impacted there. Assuming some of the labelling or other food safety things were impacted, you would need an FDA waiver of some sort.
Even a perfectly patched Windows instance can't be reasonably protected against a user executing an attachment of an email that then goes ahead and encrypts all files writable by the user. The only option is to ban the user from anything executable and interpreters as Apple does on their iDevices, but we all rightfully and regularly complain about that one.
As for vulnerable software: I agree, some pressure on Microsoft to open-source or at least provably audit their software would be nice - but it's rare to have a definitive attribution on how a piece of malware entered your organization, at least not in places where record-keeping and retention is restricted by laws like the GDPR.
It's high comedy to me that 90+% of ransomware is targeted at Windows, and yet beyond the year 2020 you can still find corporate-speak in the wild that all basically boils down to a hare-brained assumption that the corporate vendor will in some way be liable if the customer suffers a breach.
When in fact the largest of software vendors sits in plain sight, obviously liable for poor designs that invite these breaches, and no one has held them to account for it.
Not having tested, well scoped, and reasonably frequent backups for business critical corporate operations is gross negligence.
But by all means, let's limit the minimum liability for software vendors for such scenarios to "costs of downtime and effort for reinstalling backups and getting everything up again": That should provide an incentive to make backup procedures effortless and have the systems make some noise if they aren't backed up (with regular recovery testing etc).
As it stands, software vendors say "users are to blame" as if their shitty software isn't enabling ransomware, users say "can't do anything about it, we're down for the next 6 months" as if ransomware is some force of nature (or act of God or whatever), when both positions, while not entirely untrue, are mostly lazy.
Make high-quality, audited backups a legal requirement, or offer strong incentives for it, and much of the problem goes away. Companies may be able to outsource it, which arguably just shifts the attack vector elsewhere, but you would hope people who specialise in backups are better at it than their amateur clients.
I’m not saying it’s easy, just that this is the thing to do when you’re attacked.
Hacking wars are lukewarm. A hot war seems like it will involve a lot more drone strikes -- which might not be significantly better than the last century, but terrifying nonetheless. And until it comes home, I don't think Americans will fully appreciate how our government (hence, our nation) is perceived as a terrorist organization abroad.
They had the opportunity to search within unlocked computers and devices. Found money.
I would have expected a sweet homelab with lots and lots of hardware to try the ransomware on, in a more "bachelor" environment.
No one has actually stopped REvil hacking operations. There's been a lot of drama with their affiliate programs that are probably not government related. This Reuters article is giving the government a tiny little more credit than it deserves.
Here is an article with some more information:
"The server was compromised, and they were looking for me," 0_neday wrote on a cybercrime forum last weekend and first spotted by security firm Recorded Future. "Good luck, everyone; I'm off." 
For the same reason they don't go after local business in Russia, because of the 'cost'.
Russia doesn't gain anything from having its citizens attack US hospitals.
Extreme option: Follow the precedent Russia has set, synthesize some Novichok, and have someone pay them a visit.
FBI, Cyber Command, Secret Service, Russian run Group-IB, DoD and spokesperson for the White House National Security Council seen in the background doing high fives and congratulating themselves on "Mission Accomplished".
[ Powered by nginx ]
[ Powered by Fedora ]
There's a lot of evidence REvil was sent from the future to stop a coming cyber-war that wipes out much of humanity due to systematic unpatched issues across the world that multiple nation states collected and used at once, wiping out supply chains and killing billions.
It all fits, imagine if REvil's "Colonial Pipeline that led to widespread gas shortages" was in the hands of North Koreans or from a solar storm.
Which does beg the question who really is currently attacking REvil. It stands to reason future nation states also might send people back in time to keep things unpatched and they would already know Biden has Alzheimer's.