Ransomware attack forces Dallas to shut down courts, disrupts some 911 services (techcrunch.com)
40 points by impish9208 on May 4, 2023 | 27 comments



> Printers on the City of Dallas network reportedly began printing out ransom notes on Wednesday morning.

This makes the "Tech enthusiast vs. engineers"[0] meme much more funny.

On a more curious note, what prevents companies hit with these from wiping computers and restoring data from a clean backup and fresh system installs for workstations? Is there something in the attack that prevents this? or is the issue about the data being publicly released?

[0] https://www.reddit.com/r/homeassistant/comments/alru1y/tech_...


> what prevents companies hit with these from wiping computers and restoring data from a clean backup and fresh system installs for workstations?

honestly, it's probably that they simply don't have any clean backups and / or a good restore process; most organizations don't, and ransomware recoveries for local governments over the years reinforce this.


In general, nothing. But before you restore backups (if you have any that weren't encrypted) you may want to determine the exact time at which you were compromised, or else you'll be restoring potentially tainted backups. Depending on how well you're organized that alone will take weeks, especially considering that your logs may be encrypted as well. Sometimes you don't even know how to contact everyone, because your comms are down, too.
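As an added illustration of the restore-point reasoning in this comment (not code from the thread or the article), the following classifies a backup catalogue against an evidence timeline; the snapshot names, the indicator timestamps and the seven-day dwell margin are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: datetime
    restorable: bool  # False when the backup itself was encrypted or is unreachable

# Constructed sample catalogue and evidence timeline (not from the article).
SNAPSHOTS = [
    Snapshot("weekly-2023-04-16", datetime(2023, 4, 16), True),
    Snapshot("weekly-2023-04-23", datetime(2023, 4, 23), True),
    Snapshot("nightly-2023-04-30", datetime(2023, 4, 30), True),
    Snapshot("nightly-2023-05-02", datetime(2023, 5, 2), False),
]
INDICATORS = {
    # Ransom notes are the final stage; a surviving log shows earlier access.
    "ransom_notes_printed": datetime(2023, 5, 3, 8, 30),
    "suspicious_admin_logon": datetime(2023, 4, 28, 2, 10),
}
RANSOM_NOTE_ONLY = {"ransom_notes_printed": INDICATORS["ransom_notes_printed"]}
DWELL_MARGIN = timedelta(days=7)  # assumed allowance for unobserved dwell time

def earliest_evidence(indicators):
    """The compromise clock starts at the earliest indicator, not at the ransom note."""
    return min(indicators.values())

def classify(snapshots, indicators, dwell_margin=DWELL_MARGIN):
    """Label each snapshot: unusable (encrypted or unreachable), tainted (taken after
    the earliest evidence), suspect (inside the dwell margin) or clean."""
    first_seen = earliest_evidence(indicators)
    cutoff = first_seen - dwell_margin
    labels = {}
    for s in snapshots:
        if not s.restorable:
            labels[s.name] = "unusable"
        elif s.taken >= first_seen:
            labels[s.name] = "tainted"
        elif s.taken >= cutoff:
            labels[s.name] = "suspect"
        else:
            labels[s.name] = "clean"
    return labels

def choose_restore_point(snapshots, indicators, dwell_margin=DWELL_MARGIN):
    """Newest clean snapshot, or None when nothing clean is left to restore from."""
    labels = classify(snapshots, indicators, dwell_margin)
    clean = [s for s in snapshots if labels[s.name] == "clean"]
    return max(clean, key=lambda s: s.taken, default=None)
```

Using only the ransom-note time as the compromise marker selects weekly-2023-04-23, while the surviving logon evidence pushes the safe choice back to weekly-2023-04-16.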


I think it keeps getting easier to make stay-resident attacks, but from a game theory PoV it doesn't make sense for a ransomware maker to be known for charging over and over until people refuse to pay.


I remember spotting a ransomware attack halfway through my first week of employment at a job, and I wasn't even in an IT job. It felt like a scene out of an action movie. <ahnold>"UNPLUG DA SEHVERS, NOWWWWWW!"</ahnold>


Time to treat ransomware originators as the terrorists they are?


Terrorism requires a political objective. This is some combination of theft, ransom, extortion, or sabotage, unless there's reason to think Dallas in particular was targeted for political reasons.


True. But the actual meaning of "terrorist" doesn't count for much these days. Like "heathen", "witch", "Jew", "Nazi", etc. in earlier eras, "terrorist" is mostly a "maximal pejorative" - used to label people who don't get "until proven guilty" legal rights, nor human rights, and who it is socially sanctioned for ~anyone to hate, torture, murder, etc.


generally this is correct, but this kinda misses the point as to why terrorists are treated as they are.

Not saying it is correct, but usually when they are overseas they are treated as enemy combatants (not to mention, if they aren’t US citizens then US rights don’t technically apply).

You wouldn’t hold your fire in a battle because you need to have a judge determine whether an enemy army is guilty. That’s sort of the idea with foreign terrorist organizations.


> ...hold your fire in a battle...

Admitting that the modern Laws of War are too-often broken, or twisted far beyond their intent...but shooting at a uniformed enemy soldier, during an actual battle, while making reasonable efforts to avoid hitting civilians, Medics, etc. - that is a very narrow set of criteria. 99.999% of humanity is neither on nor near that battlefield, to plausibly be targeted, nor be victims of errors and shell fragments.

Vs. "use live ammo" against ransomware crooks? That sounds like a recipe for yet more "a week after our missiles obliterated his house, we realized that the real ransomware crooks had been using his hacked old cablemodem as an extra relay" lethal screw-ups.


I wasn’t advocating for using this against ransomware hackers. Just that it’s not so black and white about terrorists and rights like innocent until proven guilty.


Government institutions were targeted. Isn't that enough? Does the perpetrator's purpose have to be intuited to make it a heinous crime?

It's hard to distinguish between this act and a 'legitimate' terrorist act. Same result for you and me.


You're moving the goalpost to include severity or terribleness. It doesn't make it more or less heinous, but part of the definition of terrorism includes motive.

It's just like how a world leader's jilted ex-lover killing them for personal reasons doesn't make it an assassination just because they're a world leader.


Beyond the PR exercise, what would that actually change? I'd guess that ransomware operators generally don't use their real names. Nor physical addresses. Nor operate out of countries willing to extradite to $Victims_Country. Nor ...


You send in a covert team to the country and assassinate them. Not extradite.

This is equivalent to blowing up a court house with a suitcase bomb.


> Nor operate out of countries willing to extradite to $Victims_Country.

Even from countries with an extradition treaty, the US has simply had people kidnapped to face trial in the US before.


Isn't everyone a terrorist these days?


Then what? We launch drone strikes against some random city overseas?

Honestly, the only hope is to attack the revenue model, and unfortunately, there's too much money tied up in cryptocurrency to do it without substantial collateral damage.


Why not write better software ?


The big question get raised again, how do we get the non-tech savvy to be safe from cyber threats? Banks and tech companies have high security because they know what they are dealing with, pipelines/schools/hospitals/emergency services continue to be easy targets and things we need to pay money quickly for to get back.


Banks and tech companies do not have high security. There are exactly zero deployed commercial IT systems that can prevent a targeted attack by a financially motivated threat actor who stands to gain $11M from a successful attack. In fact, even at the $1M low end of the ransom demanded in this case, it is very unlikely you would find any company who could prevent complete compromise of their critical systems.

The problem is that every single cybersecurity solution in the standard commercial IT space is snake oil. Microsoft, Mandiant, Google, etc. do not know how to make a system secure against this level of threat actor. Despite that, they insinuate that their systems are effective so that they can swindle the non-tech savvy to purchase their solutions.

So, the actual big question is, how do we get the non-tech savvy to be safe from the cybersecurity companies? Until then they will keep flushing money down the drain and be unable to find real solutions in a sea of bullshit.


Maybe true, but I meant good security practices. It’s way easier to find a school or government agency that keeps passwords in plain text in code comments or emails than it would be at Meta.


"Good" security practices mean very little when you are subject to attacks with a financial incentive of $1M. It matters only in the sense that you are the bottom fish in the barrel which is only relevant when dealing with opportunistic attacks sprayed indiscriminately for low upside and if people are not going to eat every fish in the barrel. That was the threat landscape 15 years ago when the hackers were kids asking for $300 to get startup funds. Now the hackers are grownups running mature industrial farming operations seeking to maximize absolute profit and are attacking everybody who is profitable. Increasing the cost to hack from $10K to $100K does not stop them from wanting to profitably harvest you for $1M. Yes, you may have decreased their ROI by a factor of 10, but you only decreased their absolute profit by 10%.

That only matters if the hacking market is not saturated, which is no longer true. More than 80% of the firms report they have been hacked [1], and as the director of the FBI has said [2] "I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again." As it turns out, only being able to outrun your friend instead of the bear only helps when there are 2 of you and 1 hungry bear instead of 2 of you and 50 hungry bears.

[1] https://cfosurvey.fuqua.duke.edu/press-release/more-than-80-...

[2] https://archives.fbi.gov/archives/news/speeches/combating-th...


Right but your perception of who is the “bottom fish” is wrong.

The worst tech company is not the bottom fish, schools and hospitals are. You can hold medical records and pipelines hostage and get just as much money as holding Google info hostage.

And I don’t think the “inevitably be hacked” approach is helpful. The harder you make something to hack, the more hackers may turn to other forms of income. Sure we will never be free of them, but the more resources they have to put in to be successful, the less there will be.

Why is there less piracy in the Caribbean? Are there less able-bodied men? Certainly not. It’s harder to get away with robbery on the open seas. (At least off of US shores).

Make it harder to hack, and less will hack.


You will inevitably be hacked if you use prevailing commercial IT solutions, period. The absolute "best" solutions they can muster can not make it hard enough to deter financially motivated attackers, and the existing attackers already have enough resources to invest to exploit the opportunities that are beyond the limit of the "best" solutions. They can invest anything up to $1M to get $10M paydays like clockwork. If you could do that would you stop before exploiting the entire market? A rhetorical question because that is literally what is happening right now. All raising the cost of attacking every company to the "best practices" limit of $1M does is kill all the new entrants and maybe slow the growth rate of the incumbents.

Is there some value in doing that? Sure. But all you are doing is slowing the growth, not fixing the problem. At this point the only way to fix the problem now that there are mature incumbents is to make the upper-end attacks unprofitable or at least make them require more startup capital than they can invest in new exploitation opportunities. This requires making the systems secure against teams of highly skilled attackers with tens of millions of dollars to spend and years to design a successful attack. Literally nobody in the commercial IT sector believes that is even possible but they aggressively insinuate that they can solve your cybersecurity woes.

It is all total bullshit. Literally every single one of them is peddling snake oil, but people believe it solves their problems so they do not need to look any further. The problem will only get solved when they realize they are totally screwed and nothing that the cyber(in)security vendors can sell them will fix it. Only if you understand that your computer systems are trivial to hack by motivated attackers will you do things very differently than if you do not know the truth. It might even lead you to try finding a real solution, but at the very least it will change your behavior to better account for the reality of your situation.


Sell them products that are secure by default. Unfortunately many of them are stuck with Office and Active Directory, so that's a bust. Even if it had secure defaults, it makes it incredibly easy to create huge gaping security holes without realizing.


Happened to the small suburb in North Houston I live in. Police computers were offline for a few weeks, and it took them 3 months to even bill for water/gas/garbage.



