How do you transfer a monetary ransom to an organization operating within a country that is blocked from accessing western financial infrastructure?
You can't use USD bank transfers (you open yourself up to SEC and DoJ prosecution), you can't use gold (the logistics are near impossible), and you can't transfer assets (same story as above).
Crypto is unique in that it's both a virtual store of assets and has infrastructure that can exist independent of western financial infrastructure.
Right now most Russians want to get money out of Russia, not in. Assuming they need it in Russia, they can get paid the ransom to an account in Cyprus, and just swap deposits with a wealthy Russian trying to get rubles out. Sadly, the obstacles in the financial system only work for law-abiding citizens; criminals always find creative ways to circumvent them.
"In 2012, U.S. federal regulators hit HSBC Holdings with a $1.9 billion fine, along with $665 million in civil penalties, for significant lapses in its compliance and anti-money laundering (AML) systems. HSBC laundered over $881 million for Mexico's Sinaloa and Colombia's Norte del Valle drug cartels."
1. It is generally viewed as safer to keep large amounts of money outside of Russia. This is both because the Russian economy is bad, and because organized crime is a huge problem inside of Russia.
2. Russia and Russians have large shortages of things that can easily be bought outside of Russia. Once bought, they are fairly easy to smuggle back into Russia. But first you need to have money outside of Russia.
3. Russians like vacations. Getting yourself out of the country is easier than getting your money out of the country.
Airdropped cash in bags? Or a hawala network with Russian businessmen who want to get USD? I would say crypto certainly simplifies the operation considerably, but it is not strictly necessary.
It's tougher to get US business executives to sign off on paying with cash in bags due to the higher risk of criminal prosecution. That might have worked back when the casinos were mafia run but now most of them are publicly traded corporations subject to strict oversight.
There is generally no criminal prosecution for paying ransoms. There might be if the ransomware group is sanctioned, but that would be true regardless of payment method. If a public company paid a ransom via cash or by buying a bunch of bitcoin through an exchange, they would still have to make the same 8-K filings and accounting changes etc.
There's something called "business email compromise" with annual losses about 10x that of ransomware. It relies on tricking companies into paying invoices to an attacker-controlled bank account instead of their actual vendors' bank account. Google lost over a hundred million dollars to some Latvian guy who was able to pull this off by pretending to be Quanta Computer. There's also just bank fraud in the Zeus style where they transfer $200,000 out of your account to some company in China or Bulgaria.
These scams are all still incredibly profitable despite relying entirely on the regular financial system. There is no reason to think ransomware would stop in the absence of cryptocurrency given that extensive infrastructure has existed and currently exists to "cash out" proceeds of fraud. And in the ransomware case it's even easier because the victim is willingly making the payment, and the attacker can just not give the decryption key if the victim tries to stop the payment in any way.
And yes, this scales. If you ever looked at the promoted stories on Snapchat a few years ago, you may have seen a user with the name "The Billionaire Gucci Master" living a very opulent lifestyle. That was all paid for with business email compromise money.
Yes, I am aware. I just think people here overestimate the reversibility and traceability of the traditional system. If you're a business and you're defrauded/hacked and don't realize within a week (usually even less time), five will get you ten that money's never coming back. It went to a mule who withdrew it as cash or wired it overseas. And there's no Reg E for businesses so your bank isn't going to help either.
And what does a likely ransomware payment look like?
In a lot of cases, it is an unexpected purchase of crypto.
Remember, large payments generally start and end in the financial system. The interesting bit is what is in the middle to make it hard for law enforcement to track down and stop crime.
Ransomware is from 1989 [1] and Bitcoin is from 2008 [2], so quite trivially we'd still have ransom demands without crypto. You think those Somali pirates took Bitcoin?
When you're requesting millions from a target the payment method becomes fungible; do you think MGM has a million bitcoin to give? No they go out and spend cash to get the bitcoin and then give it. If the attackers requested diamonds then instead you'd have to go out and buy diamonds and then give them.
Cutting off credit cards worked because the payment method was not fungible. If they didn't accept CC then they're not getting orders.
Hard disagree. Crypto is the only real way to move large sums of illicit money across the world. The people that attacked MGM aren't going to show up to accept cash or diamonds, and Steve Wynn isn't going to hop on a plane to Moscow with a duffle bag of nonsequential hundred dollar bills. Do you expect the crypto gangs to include a PO box number? Dead drop on a bridge Big Lebowski style? Of course not.
Payment networks are obviously not an option. Visa and her peers are not going to deliver the funds.
The only thing left is crypto. In fact it is the only use case where crypto is the preferable solution. I'll quote Stephen Diehl: "Any application that could be done on a blockchain could be better done on a centralized database. Except crime." [https://www.stephendiehl.com/blog/nothing-burger.html]
Also, the first paragraph of your first link (the Wikipedia page for "Ransomware") literally ends with "... and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult." Crypto and ransomware are absolutely intertwined in 2023, and have been for well over a decade.
> The people that attacked MGM aren't going to show up to accept cash or diamonds, and Steve Wynn isn't going to hop on a plane to Moscow with a duffle bag of nonsequential hundred dollar bills.
Well not Steve Wynn personally but I mean how do you think the Somali pirates got paid? They literally airlifted them cash. USA does the same thing with Iran as well ...
When you get into the millions, spending a dozen thousand on transaction fees is worth it if the transaction otherwise wouldn't occur. Removing Bitcoin probably will reduce something like Petya, which only wanted ~$300, but it absolutely will not stop MGM or hospitals from being attacked for millions.
> Payment networks are obviously not an option. Visa and her peers are not going to deliver the funds.
SWIFT will absolutely transfer the funds; social engineering to receive wires you're not supposed to is a lucrative crime (i.e. "CEO Wire Fraud"). VISA probably just won't because they'll find a transaction of that much with no collateral as a huge risk.
> Also, the first paragraph of your first link (the Wikipedia page for "Ransomware") literally ends with "... and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult."
I'd rather trace a difficult to track currency with a public ledger (Bitcoin) than an impossible to track currency without a public ledger (USD).
> Well not Steve Wynn personally but I mean how do you think the Somali pirates got paid?
Parachute:
> > TME: Can you tell us about how you would arrange for ransom deliveries?
> We developed a special mechanism that allowed us to drop the ransom out of an aircraft by parachute. The pirates would collect the money after it fell into the water, take it to the ship, count it and then leave. At that point another team that we had already pre-positioned would board the ship, cross load supplies, help the crew get it underway again and escort it to the nearest safe port.
Once that's done you'd probably go to the 'standard' techniques that (e.g.) drug lords would use with cash. Assuming it wasn't spent on hookers and blow:
Just responding to each of the points, rather than the whole argument from the thread:
> Well not Steve Wynn personally but I mean how do you think the Somali pirates got paid? They literally airlifted them cash.
Again, cash is not an option for the scale of the operation that modern ransomware represents. According to a United Nations-backed report, Somali pirates made between $339 million and $413 million in ransom profits between 2005 and 2012. The highest ransom on record was $13.5 million, paid in April 2011. It should be noted that in 2011, Bitcoin's price rose to $32 on June 8, but then plummeted to $0.01 within a few days. The price of Bitcoin peaked at $30 in June 2011, but then dropped to $5. Bitcoin finished the year at $4.70. Not exactly a viable alternative at that time.
Now compare those 8 years to any recent year's ransomware take. "Total ransomware revenue fell to at least $456.8 million in 2022, down nearly 40% from the $765.6 million extracted from victims in 2021."
But ok, back to the present: are you suggesting that a US company would/should/could just charter a flight into Russia? That everyone, including the US and Russian government, knows has millions of dollars of cash sitting on-board? And you think this wouldn't hit any snags? If you have an above-board way to solve this then there are a number of cartels that would love to hire you. Hell, not even the ransomware gangs would be comfortable with this arrangement, as bigger crime syndicates with better connections to the Russian state would be all but guaranteed to intercept the flight. And good luck getting the US government's blessing to send cash into a place like North Korea, which is very active in the ransomware space.
> SWIFT will absolutely transfer the funds; social engineering to receive wires you're not supposed to is a lucrative crime (i.e. "CEO Wire Fraud").
Does SWIFT accept applications from known ransomware gangs? What about accepting applications from fly-by-night operations located in former Soviet states with no institutional history? Don't be ridiculous.
And how does stealing funds being sent to someone else help you when you are trying to get funds sent directly to you? Are you suggesting that MGM would collude with the ransomware gangs to send funds via SWIFT to a 3rd party, such that the gang would be expected to intercept them thus satisfying the ransom? Or are you suggesting that SWIFT would knowingly transfer money intended for cybercriminals to some 3rd party, with the expectation that the gang would intercept the funds? This is just getting silly.
> VISA probably just won't because they'll find a transaction of that much with no collateral as a huge risk.
Visa won't because they aren't going to risk their business with functioning governments to collect some transaction fees to do work for known criminals doing public crime.
> I'd rather trace a difficult to track currency with a public ledger (Bitcoin) than an impossible to track currency without a public ledger (USD).
Not sure what the point of this statement is, except that it seems to buttress the text you didn't copy, namely "Crypto and ransomware are absolutely intertwined in 2023, and have been for well over a decade", which is about as non-controversial as they come. As an aside though, plenty of organizations actually have a lot of success tracking that "impossible to track currency without a public ledger (USD)". In fact, here is some information about tracking the cash given to Somali pirates: https://www.cnn.com/2013/11/02/world/africa/horn-of-africa-p...
>Crypto is the only real way to move large sums of illicit money across the world.
This is not even remotely true. Crypto is definitely the best licit way to move value around the world, so sure, it also is the best way to move illicit value around the world. But look at any Illicit Financial Flows report [1] and you will see that crypto is still marginal.
A million bitcoin? Absolutely not, that would be 1/19 of all bitcoin ever created and would be worth nearly 28 billion dollars. MGM's market cap is less than 13 billion dollars.
A million dollars worth of bitcoin? Probably, and even if they didn't it would be trivial for them to get.
I want to pick on this, because it's both true and untrue, depending on how far back you look at this illegitimate business. Ransoms did not use crypto at first, but it is now the de facto payment. Antiquated ransom payments via gift cards, MoneyPak, Western Union, etc. are all still viable options for gangs.
While Russian gangs do have a lot of involvement, I don't think these particular casino hacks were attributed to any Russian group. Scattered Spider is attributed and is believed to be 19-22 year olds from the US and UK: https://en.wikipedia.org/wiki/Scattered_Spider
So basically a bunch of young Western men participated in the social engineering. But the real computer know-how and methods of getting paid trace right back to Russian criminals who are willing to work with them.
Perhaps they were first figured out because of crypto, but now that the genie is out of the bottle they can't be regulated away. They'll continue to be possible even if the government of a victim nation cracks down on Bitcoin.
As long as:
1. Computers are complicated, it will be possible to trick users into running software that does things they don't want, and
2. Factoring numbers is harder than multiplying numbers, it will be possible to use asymmetric cryptography to encrypt those files, and
3. Money can be sent across international borders, because rich countries want to buy cheap stuff from poor countries, and
4. Jurisdiction ends at national borders, so Russian gangs won't get prosecuted for receiving money from American/European victims,
ransomware will continue.
Sure, Viagra spam stopped working when credit card companies cracked down because while someone will send $100 over a credit card in the privacy of their home, if you make it too difficult they're going to give up.
But the corporate ransomware model doesn't cease to work if instead of having your negotiation team turn the corporation's cash into Bitcoins they instead have to go to Western Union and turn it into rubles. We're talking about a $100M transaction, heck, you could charter a plane to Russia and it would be a rounding error in the end.
> But the corporate ransomware model doesn't cease to work if instead of having your negotiation team turn the corporation's cash into Bitcoins they instead have to go to Western Union and turn it into rubles. We're talking about a $100M transaction, heck, you could charter a plane to Russia and it would be a rounding error in the end.
Do you seriously think that:
A. Any Western Union on the planet keeps $10m cash on hand, or even 10% of that?
B. The US would even allow Western Union to participate?
Crypto is absolutely a requirement for this racket to work.
I thought I'd heard that the initial compromise was social engineering to get some initial access to a tech person's account? All your 4 points stand, but social engineering may be making a comeback too.
I'm personally waiting for the first public reports of criminal gangs using ChatGPT to automate spear phishing at scale.
I'm sure it is happening already, but the victims are keeping it quiet. The use case is too obvious. Identify key people in an organization from the website, LinkedIn, etc. Find them on social media. Find their less technical friends. Compromise the friends' accounts in various ways. Then send targeted phishing attacks to your real target. With every step of this automated by LLMs.
If we're going to blame crypto, then you also need to blame the NSA first; EternalBlue being leaked was the starting point for most of these.
https://en.wikipedia.org/wiki/EternalBlue
I was at an MGM property in Vegas this weekend and it was still not fully functional. Most things worked but there were little quirks all over the place. For instance, one morning some of the food vendors weren't able to charge to rooms, but others were.
Probably offer free parking for LV locals and members of their casino. I don't see why they wouldn't charge non-members or people out of town. If you can't afford the $10-15 to pay for parking then the likelihood of you going in there to blow your money is reduced.
It's actually a great filter: it makes sure that people are already financially committed and keeps away tourists that don't want to spend.
I don't know if it would stop it, but without cryptocurrencies, it would certainly be much less. Laundering USD is significantly harder than laundering Bitcoin.
> Laundering USD is significantly harder than laundering Bitcoin.
What exactly do you think people "launder" Bitcoin to? Why would it be harder to launder dirty USD than Bitcoin?
The end goal is the same, clean money you can use for any purpose. With USD, you only need to nestle it into a clean business that doesn't get scrutinized. Add in a step between with Bitcoin and suddenly it becomes harder.
I think the main issue is that with USD you need a dirty entry point that could compromise you at the moment of transfer, whereas with Bitcoin you can choose the exit point whenever you want, and the entry is less risky. But still, adding Bitcoin to the mix further complicates and adds risk to the overall process.
> without cryptocurrencies, it would certainly be much less
Isn't the (estimated) USD black market without cryptocurrencies vastly bigger than the black market of Bitcoin already, has been since forever and seems to continue to be like this for the foreseeable future?
I think laundering is the wrong term. You are right that obviously you need to launder it, no matter the currency. But the path of the money is easier to conceal with crypto than with bank transactions, because in crypto there's a large number of potential middlemen that don't follow any KYC regulations.
Of course you can do the same thing with USD by using cash. A package of cash mailed to a fake address (where your courier receives the package from the mailman) is as untraceable as anything you can do with crypto. It is however more effort and potential risk.
"Transferring USD to a hostile nation is significantly harder than transferring Bitcoin. Crypto's ratio of criminal to legitimate use-cases is tiny compared to USD, and continues to shrink."
Yes, GP was a layperson using "laundering" imprecisely as a proxy for "using for state-sponsored criminal activity."
Your rebuttal, while pedantically correct, does not refute their larger point that Bitcoin greatly aids ransomware.
Furthermore, I'd argue it is easier for ransomware groups to transfer large values of illicitly-gained Bitcoin across borders without the possibility of interception by authorities. This is a key step in international money laundering.
I sometimes wonder if there's a paid US government campaign to slander crypto. Because I can't see how otherwise tech literate people can't understand the obvious upsides of such a system and keep blaming it for unrelated things.
I'm tech literate and very much not paid by the US govt.
From my point of view I rag on crypto because I’ve yet to see it produce any real world value outside of scams, frauds, and illegal activity.
Traditional finance is slow and cautious on purpose. Having to deal with each country's laws, regulations, and individual sovereignty is very much a real thing. A platform like Venmo could do instantaneous cross-border payments today if it were only a technical problem. But it's not. It's a human problem that arises from countries governing themselves with their own banking and finance laws.
Now, if your argument is that we should ditch countries' sovereignty and ignore laws to make finance quicker, easier, and more private, then that's an argument I can understand. I don't agree with that argument at all, but if that's someone's opinion I can see why an anarchistic point of view could resonate.
I totally agree, but would like to point out that this hasn't always been true. At first, bitcoin was a legitimate but obscure currency. I have receipts for selling used computer parts on Bitmit. Bitmit shut down in November 2013. Very quickly after, the remaining legitimate online marketplaces disappeared. Bitcoin started as a real world solution and has fully regressed into a joke.
BTC was never a real solution outside of a few SV hacker bros buying VPNs, hosting, or computer parts with it.
How many burritos did you get at 7/11 via BTC payments? I bought a car during COVID -- there weren't any places for me to pay for it with BTC. My mom didn't, and won't, use it for anything.
That like 5 dudes in San Fran bought or sold a house with it is really just exceptions proving the rule.
> Now, if your argument is that we should ditch countries' sovereignty and ignore laws to make finance quicker, easier, and more private.
Are you taking the view that all laws are just? If not, then you must admit that crypto has some value where it helps to route around unjust laws (e.g. many people on this site consider the war on drugs unjust and ineffective).
Absolutely not. But the view I'm taking is that current laws must be respected. It's on the legislature and judicial branches to determine which laws to introduce/repeal and which laws may not be constitutional.
IMO it's absolutely not a valid path forward to have citizens selectively choose to ignore/evade certain laws that they personally deem unjust.
Crypto is a joke in search of a problem that has attracted a cult of personality ("obviously detractors are just the US government!")
In its entire lifespan the uses of crypto (by and large) I've seen went something like
- Curiosity for edge-case nerds
- Buying drugs on Silk Road
- HOLY SHIT I SHOULD PUT MY RETIREMENT IN THIS I'LL BE A BILLIONAIRE!
- Buying ugly monkey jpegs
This is ignoring all the absolutely monumental abuse of the entire sphere it generated and just trying to name the major "uses" over the last decade-plus.
The only novel use case that has impacted my life is friends trying to move money out of failing countries without detection. There’s no coincidence that this scam operates the same way. Sick of the crypto bros denying the other side and blaming humans or computers.
Another noteworthy news piece of a large loss caused by a cybersecurity incident came from Clorox*:
> the incident had disrupted portions of the company's IT infrastructure... The company expects a loss per share of between 35 cents and 75 cents in the quarter ended on Sept. 30, and for net sales to fall by 23% to 28% from a year earlier. It had reported profit of 68 cents per share in the year-ago period.
Still, you see CISOs fight tooth and nail to get a couple million approved for boosting cybersecurity posture.
Clorox had been hit once before and had high levels of turnover & outsourcing. Not surprised it happened again. Most of their infra was 100% outsourced to HCL / Tata / Cognizant / etc., or their Mexican / Filipino equivalents. You get what you pay for.
As any competent security executive would tell you, even if they had an unlimited budget, complete management support, all recommendations followed, and total control over business process short of utterly crippling operations, the cost of hiring a hacker to completely breach the best possible form of their system would still be less than 1 M$.
Oh, but what about the banks? Yeah, those are the security executives who personally told me and my colleagues that when asked. They literally have 100 M$ budgets up to 1 G$ budgets and they said that. The problem is not money, the problem is that commercial IT security technology and vendors do not work against professional, financially-motivated threat actors.
I disagree. With sufficient buy-in and money, you can make your systems extremely difficult and costly to attack, making the economics of an attack not worth it.
I’m willing to bet that a place like MGM has utterly abysmal security. You don’t see regular attacks against top-tier companies because a lot of them invest a reasonable amount.
You're not wrong, but reading the autopsies of most of these 100M dollar incidents suggests that having a slightly above average detection posture would eliminate most of the damage.
Sure, in many of the post-mortems you can see that the attack probably only cost something like 10 K$ to execute. If their team did everything right they could literally make it 100x more secure. But that still only brings it to 1 M$. That is completely and utterly insufficient to stop the financially-motivated professional organized crime that are actively attacking them. This is not about theoretical attacks and threat actors, these are the people literally attacking them right now that they can not stop, that cause the most damage, and that can perform these attacks economically at 1 M$.
To use the Caesars Entertainment incident that happened just before as an example, they purportedly paid a 15 M$ ransom. Is raising the cost to attack them from 10 K$ to 1 M$ really going to stop someone from collecting the 15 M$ payday? Oh no, I will only make 14 M$ instead of 14.99 M$, no point in attacking them. No, that is ridiculous. Making it harder is not a solution, you need to make it unprofitable.
If it is profitable you will eventually be hit by an incident and that incident can be unboundedly bad, all the way up to completely destroying your business. In addition, your susceptibility is not random. A targeted attack will succeed and will be wildly profitable to perform no matter what you do. This is not an "I need to outrun you, not the bear" scenario. The bear is very hungry and can catch both of you; it will eat the fatter and tastier one, not the slower one. Then it will catch and eat the other one. Your only protection is being less tasty so you get eaten last.
You need to make it unprofitable and no extant solution available today in commercial IT can make it unprofitable for financially-motivated professional attackers. "Best practices" are maybe 1-10% of the way to minimally adequate; we need solutions 10 to 100 times better than the current gold standard to get there. Yes, I said times, not percent. We need a 1,000% to 10,000% improvement to get to the minimum bar. Until then, buckle in since things are just getting started; we are in for some real wild times on this ride.
That is... tough. Do you want to know what you can do for yourself, or what society can do to fix the problem?
If you are considering for yourself, then there is the short term and long term view.
The short term view is that the cost of compromise is still low. As I said in a sibling comment, the cyberattack industry is still going through growing pains, so from a practical perspective, if you chart out the rate of cyberattack growth, you still have maybe 5-10 more years of coasting before things become an existential-threat sort of problem if you are running a big business. For instance, MGM made 14 G$ in revenue last year; 100 M$ is a pain, but not life threatening. With 5 more years of sophistication they can probably make that 1-3 G$ and then you are in for a real world of pain.
The long term view is to assume that every element of your system that is network connected is easily hacked. Then you need to redesign your system and processes around that assumption. All of the conveniences of network connectivity are going to be liabilities. With careful thought you can probably reorganize your systems around this assumption for a relatively modest impact to operations. This will not protect you per se, but it will make your business processes more robust. The usual thing you lose by minimizing system connectivity is that latency gets worse, but you can usually mitigate this with more batch processing. Your turnaround time gets worse, but your bandwidth stays the same. There are costs to redesigning your business processes like this, but they are a lot less than the hecklers claim since you will not use the exact same processes that assume low latency always-connected systems, you will change your processes to better suit the new normal. Unfortunately, I can not give you much more than a high level view here because it is very business specific.
If you are considering society, then the core problem is that the incentive structure is all messed up. That software deployment has no requirements on fitness for purpose, and that software companies can basically just lie about software security with total impunity, are just two of the obvious problems.
Unlike basically every other industry, where your product has to nominally work, software basically has no expectation or requirement of working no matter the use case. You can use whatever crappy software you find to run a nuclear power plant and nobody bats an eye. That is ridiculous. Deploying software that is unfit for a use case should not be allowed. However, the definition of fitness depends on the use case and the criticality; no one-size-fits-all set of requirements works. This is like how we have different standards for toys and bridges. This is how literally every other industry works. The EU Cyber Resilience Act supposedly has some of this, but I have not read it directly to comment on the specific implementation they did.
The other problem is that software companies are allowed to basically just lie about software security. Have you ever heard any company say anything other than "our product is secure" or "we have the most secure {X}"? These are meaningless terms. I propose that if you want to advertise security, you can say a dollar amount "our bank is secure against 15 M$ attacks", but then you need to put up a bug bounty for that amount. You want to lie and say 1 G$ when you know it is 10 M$, go ahead, you are going to lose your shirt. Also, to handle the consumer product angle you could divide the number by the number of devices or some fraction thereof. Yeah, 10 M$ might sound like a lot to a regular person, but if they can hack all 1 M of the units then they only need to get 10 $ per unit to make it worthwhile, so you really only have 10 $ of marginal security for your device.
I did not really directly answer your question though. If you really need to increase your security to the required level, then there is not much you can do. There is nothing currently available on the market that can do that and none of the current vendors is able to solve the problem. Basically anybody using the same old tired cybersecurity pitches is just selling you junk and anybody with a new spin on it is also probably junk. If you want real verification demand robust auditable test suites, unrestricted red team tests, formal specifications, and proofs of correctness. Those are basically impossible to fake and none of the clowns will be able to provide a semblance of those. Unfortunately, basically everybody is a clown, so all that will really happen is that you will find that there are no viable vendors.
Sorry I can not be of much help. The industry is a wasteland right now; we need to nurture solutions before we can use them.
I find this hard to believe, given the current state of the world. If it were really as easy as hiring a hacker for <$1M to hack any given company then hundreds would be hacked every week. There are an awful lot of businesses that would pay a sizable ransom rather than let their business be destroyed, or have a large amount of funds that can be stolen, or have valuable data.
I think the reality is more that most well prepared companies can be hacked, but that it takes a lot of resources, and that there are a number of companies with atrocious security that can be hacked with a moderate amount of effort.
First of all, tens to hundreds of companies are being hacked every week. The exact numbers are hard to determine since they are not required to disclose the information. Here is a publicly available report on the state of ransomware in 2023 [1]. Of 3,000 respondents, 66% were hit by a ransomware attack in 2023. So right there we have ~2,000 successful attacks, which would be ~40 per week, just from the companies directly surveyed. The rates are consistent across company size, so if we assume it is representative of large companies, then over the probably tens to hundreds of thousands of companies with over 50 M$ in revenue, that would be tens of thousands of successful attacks per year, averaging out to hundreds to thousands per week. And that is just ransomware.
Second of all, 1 M$ of hacking resources is like one or two person-years of skilled hacking labor. The counterfactual scenario you are considering appears to be tens of thousands of companies being hacked for 10 M$ each, for a total of 100 G$ of revenue per year. Do you realize what you are expecting there? You wonder why 18-year-old hacking nerds could not bootstrap a 100 billion dollar per year business (more than the estimated revenue of the entire illegal drug trade in the US and similar to the revenue of Facebook) with no venture capital, and train and hire 10,000 skilled hackers (nearly an entire Google's worth of software developers) in under 10 years? Give them a break: 10 years after Facebook was founded they only made 12 G$/year, and you are expecting some kids with no support structure to do 8x that while bootstrapping. For the world to look like your counterfactual, they would need 1,000% YoY growth for an entire decade; that is ludicrous.
I hope it is now clear that the reason everybody is not being hacked all the time is that there has not been enough time to grow into that yet. They are trying really hard though. Look at that report again. The mean ransom payment doubled from 2022 and the rate of high-end payments quadrupled. In some other reports (that are behind signup walls), the number of attacks has been tripling YoY and the mean payment/ask has been tripling YoY for the past 5-10 years. That growth curve looks like a wall. The 18-year-old hacker nerds who started these criminal enterprises 10 years ago are now 28-year-old business people with 10 years of experience under their belt and access to real organized crime support structures. This is why the attacks are growing so quickly: this is a greenfield opportunity that everybody is rushing to exploit as quickly as they can, but there are real limits to training talent and bootstrapping. Give them some time, we'll get there.
The financial impact will continue until culture and budgets improve. The folks making these decisions are not sophisticated and competent in risk management.
EDIT: @RugnirViking, my brother in christ, I agree with everything you said about culture.
Is it a given that the loss isn’t covered by insurance?
There’s always a balance of risk and the cost of mitigating risk.
One way to mitigate risk is simply buying an insurance policy, which in many cases may be cheaper than paying a security firm to protect yourself proactively.
Cyber insurance often includes things like coverage for a PR firm to help repair as much of the reputational damage as may have been incurred.
Many cyber insurance plans also include coverage for paying ransoms.
(I'm playing devil's advocate somewhat; buying insurance to protect against cyber is something companies should do alongside taking a proactive approach to securing systems.)
I am responsible for negotiating a cyberinsurance policy for a fintech, and the marketplace is drying up due to risk repricing. If it was my money, I wouldn't be backstopping anyone getting underwritten unless I can plug directly into their controls and observability systems to confirm their risk posture, as well as have an internal (to the insurer) IR team. I'd probably also require quarterly IR tabletops and red teaming without prior notification required. Less around process and attestation, more about real world validation.
Typically, when applying for cyber insurance you submit a questionnaire which includes questions like "Do all endpoints use AV?" and "Do you use IDS on your network?", etc.
To a certain extent insurance shouldn’t need to verify controls if they’re able to have a company fill a questionnaire, and if their answers aren’t accurate the insurance carrier can use that as a basis for denying the claim.
I would hope any federal program (if one comes about) works similarly. “We will only cover incidents if we can verify after the fact that you had these controls and mitigation measures in place prior to the attack”
I cannot share our broker and insurers, but the process is no longer as simple as a questionnaire. They are asking to see systems and evidence, and frankly, I do not blame them.
> I would hope any federal program (if one comes about) works similarly. “We will only cover incidents if we can verify after the fact that you had these controls and mitigation measures in place prior to the attack”
Mostly the gist of my public comments. If you obtained cyber insurance under false pretenses, you will not be getting federal dollars. But also, questionnaires alone are no longer sufficient (imho). Really want to prevent a repeat of FEMA. Incentives matter.
Just curious, are you able to share the coverage range for that level of diligence? My anecdotes are based on a $4m policy that costs around $10k/yr. It would make sense if there’s much more diligence for policies 10-100x larger.
Full-on SOC 2 and SSAE-18 investigations when my last job asked for it.
They couldn't complete some of those, and eventually just punted for lower levels of coverage. The cost to meet their requirements exceeded the cost of the lower coverage plus expected loss. Cue the Fight Club recall scene.
The problem is the risk landscape is shifting under the policies. 5 years ago, ransoms were 100 K$ on the high end. Now they are 10 M$. The number of ransomware attacks per year has been tripling(!) year over year for the last few years. So, compared to five years ago, the probability of a claim against a policy increased by 30,000%.
Every single policy written 5 years ago is underwater and every single policy with a large coverage amount is so hilariously underwater that there is a good chance that they will ruin the insurer and all of their re-insurers. For instance, the courts recently ruled in favor of Merck for a 1.4 G$ claim due to the 2017 NotPetya cyberattack [1]. That alone was more than the premiums of the entire worldwide cybersecurity insurance industry in 2015 [2]. It is to the point where, from what I have heard recently, the cybersecurity insurance vendors have largely given up writing new policies with more than a few million dollars worth of coverage.
They want to stay in the business so they are ready when the risk landscape stabilizes, but profitable policies need the premiums to be tens to hundreds of times higher than the standard backward looking actuarial models would suggest. So, if your competitors are dumber than you are, they will give policies with ridiculously lower premiums, not realizing they are going to be bankrupt in a few years. The only way to write a competitive policy in that environment is to take a loss, but limit the coverage to bound the loss to something survivable. Then you hunker down until the risk landscape stabilizes and everybody writing dumb big policies dies allowing you to write new policies with correct, vastly higher, premiums.
> The folks making these decisions are not sophisticated and competent in risk management
Aren't they pretty good at financial risk? Isn't that like their only job a lot of the time?
Idk, it seems to me it must be possible to make a good argument for this stuff. How do cybersecurity consulting firms pitch to clients? Could McKinsey etc. get in on it?
It's just hard internally because a lot of the time it requires the culture to have been there from the beginning. Changing the culture if it's not present already is like trying to turn a supertanker with a desk fan. People resent loss of freedoms, and operational restrictions prevent getting everyone to understand the whys.
"The company's shares fell 2% in extended trading after the outlook was released."
That's a pretty mild impact. Multiply that with the low probability of this actually happening to a given company, and taking the risk doesn't sound sooo bad. Obviously it went wrong in this case, but it's hard to tell from the outside if that's because they did bad risk management or because they got unlucky on a calculated risk.
What they will get for $100/hour is a highly skilled, experienced, hard-working, and deeply corrupt freelance sysadmin who will take them for almost as much as the ransomware mob did.
The people running this casino don't seem all that bright. Unless that ad was a joke, in which case I guess I shouldn't be talking...
It's from a job posting that circulated last week:
Job Description
Arganteal seeks an onsite Red Hat Linux System Admin "RHEL SysAdmin" in Las Vegas, Nevada for immediate work starting 9-21-2023. This role will be helping the MGM Grand Casino to build its net new IT environment after the recent ransomware hack.
Candidates must be willing to work everyday until the new IT environment is fully stood up.
We are open to people who will only work a grand total of 7 days!
Expected Dates of Service 9-21-2023 through 10-15-2023
Hourly Rate: $100.00 per on 1099
Location: Onsite at MGM HQ in Las Vegas (absolutely no remote work)
Visa Status: Must be US Citizen (no Green Cards or H1b visa candidates will be accepted)
Working Hours: Expect to work 10 hours per day 7 days a week
> Expected Dates of Service 9-21-2023 through 10-15-2023 ... Hourly Rate: $100.00 per on 1099
That's a contract worker? So what's gonna happen is this poor soul is going to build out some hacked-together junk as quickly as possible, get replaced, and the replacements will have no idea how anything works. Some time down the line, a server isn't going to get a critical update because nobody even knows it exists, and this will all repeat again once the hackers find it. :)
I thought maybe it was some regulatory/gaming license sorta deal. But I'm looking at job listings for things like working on casino ATMs, repairing slot machines, and even a job listing for Revenue Auditor where the job description covers auditing slot machine drops, annual casino revenue, etc. None of these have US Citizen as a requirement. Seems very suspect, honestly. But I dunno how these things work on casinos.
> "We have no evidence that the criminal actors have used this data to commit identity theft or account fraud."
I see this type of message on so many statements about breaches. It seems like one of those things that can be said even when the potential usage in question would be extremely likely, because even if every marketplace for this stuff is advertising "identities stolen from MGM" for sale, that alone isn't "evidence" that it's actually what it says on the tin. If someone purchased it and showed their purchase to MGM, would that be sufficient "evidence" for them to not make such a statement?
Crazy to think about what you can do with 100m in terms of security. You can start multiple companies around securing your infrastructure with 100m. It's insane.
MGM did about $13 billion in revenue last year and while things certainly sucked they were still making money while things were down. Slots weren’t running but table games were up and gaming isn’t the majority share of where they make their money. Room fees make more. Food and beverages make more. Entertainment makes slightly less than gaming. 100 million isn’t out of the question.
Rumor was that Caesars was hit by the same group, and paid the ransom.
As a reminder, these attacks are overwhelmingly carried out by Russian gangs, and are only possible because of crypto. See https://www.lawfaremedia.org/article/ransomware-problem-bitc... for more.