206 comments

[ 3.3 ms ] story [ 220 ms ] thread
Why would a university have so much cash laying around? Oh yeah, it's in the business of making money with a side effect of MAYBE educating people. SO DAMN WRONG. Time to hit the RESET button in the higher education system in USA.
While I agree with you, is half a million dollars really that much money for a university to have? Not to mention that U of U is not private; they’re publicly funded by the state.
U of Utah has an operating budget of nearly $5 Billion so having a couple hundred grand in cash isn't exactly a lot.
Aren't public universities much cheaper than private ones?
For the most part, that’s true for in state tuition but the costs up if you’re out of state or international to the point they can rival many private institutions.
The article states the ransom was paid by an insurance provider. Cyber insurance is actually not uncommon these days, and is presumably a normal part of their annual budget.
Yes, I often wonder about two things:

1) How much is the actual insurance rate for such a guarantee?

2) Which kinds of checks the insurance provider makes on the security of the setup, I mean in a much more common car theft case the insurance provider requires that the user has not left the keys in the car and that the car was locked (evidently balancing the risk against the "normal" provisions the car manufacturer has implemented and on "correct standard procedures" by the final user).

Both questions are related and the answer is "it really depends." Small business cyber insurance can be a few thousand dollars a year. I'm sure you can get a better rate (and at some scale it probably becomes almost required) to have pen tests and third-party audits and formal certifications.
Thanks, I know that "it depends", but a few thousands a year is just a (vague) number, as well as how much small is the small business is to be agreed upon and - very likely - small businesses are "easy wins" for insurance companies, not because they have better security, but rather because they are very unlikely probable targets.

I wondered about what would be rates (order of magnitude) and on what they would be calculated.

To give you an example, AFAIK if you were to get insurance, so called "Contractors All Risk" for a building project, you could expect anything between 0.7 and 1.5 % of the value of the project, on average around 1.1-1.2 % over the usual 5-6 years of duration, with the lower end about (relatively) low risk projects (roads without particularly complex contructions and normal houses) and the higher end on (relatively) high risk ones (roads with bridges, tunnels, skyscrapers).

These can be negotiated a bit, based on experience on past projects, internal safety and quality assurance procedures, but the order of magnitude remains in that range, but in case of an accident/claim, not entirely unlike the car theft example, but much more complex, you need to prove that you followed all safety and employment regulations, respected building codes, that machinery was efficient, etc..

In the case of IT, rates for a given firm/institution would depend on the invoicing or on the amount of personal data?

I mean, you can make 1,000,000 US$/year with 10,000 customers (personal data) at 100 US$ each/year or with 50 customers at 20,000 US$ each/year.

And what kind of "good practice" would you need to prove (if any)?

I'm sure it depends on revenue, the amount of personal data, and the nature of the business. I don't know how the rates are calculated but I've helped fill out the paperwork on a few applications and it's not dissimilar to what you might have to go through to become an approved technology partner with a Fortune 100 company. Do you have a disaster recovery policy? If so, when was it last tested? Do you get pen tests? What was the result of the last one? Are there any open items? Describe the technical access controls around customer data. Describe the physical security measures in place around your servers and IT infrastructure.

Keep in mind that you don't need to necessarily "prove" things that can be checked later. The insurance company is happy to take your word that there's no PCI card data on your network and cash your premiums. If there is and it gets stolen in a hack they simply won't pay out.

>Keep in mind that you don't need to necessarily "prove" things that can be checked later. The insurance company is happy to take your word that there's no PCI card data on your network and cash your premiums. If there is and it gets stolen in a hack they simply won't pay out.

Yep, this is exactly what I expect, similar to the original car theft example:

"Ahh, you left the car unlocked, sorry, you cannot be reimbursed as you didn't exercise the expected diligence"

Part, not all. They did have to pay a portion.
Like any entity that wishes to not fail miserably at the next recession universities have cash reserves and investments. It'd be rather stupid of them not to since their income can be impacted by outside events (cough covid cough) and they wish to survive long term (more so than corporations). To that same effect donations go into an endowment which allows for stable long term income to be generated.
Just think, they could have paid two engineers to fortify their systems against such an attack and still saved lots of money.
How do you know they weren't already paying at least two engineers to fortify their systems?
Hmm. I’m guessing not having backups means they may have been paying one person but also giving that person way too many responsibilities such that they couldn’t focus on doing a backup well.
They did have the backups, the ransomware was paid for (maybe) not having the stolen data published/sold.

>The university said its staff restored from backups; however, the ransomware gang threatened to release student-related data online, which, in turn, made university management re-think their approach towards not paying the attackers.

Even worse, because we can totally trust data can't be copied or released once an extortionist ransom is paid to malevolent hackers. I am sure this ransomware gang is on the up and up and operating in a good faith to honor the agreement. In a few months we may see "University of Utah pays another $457k to the same ransomware gang".
It is not in the best interest of the ransomware gang to ignore their part of the bargain. If that second headline happens, it will be a signal to every one of their future victims that they will not honor agreements and you're better off not paying them.

This is why the vast majority of encryption-based ransomware puts a lot of effort into ensuring they really can decrypt your files after you pay them.

I see very little chance of gang successfully identifying itself to the victim in a credible way.
Public keys seem to work pretty well. I haven't a clue as to why a gang can't use public key encryption.
Ransomware extortion artists have already been proven to be hit or miss when it comes to following through on what they promised. The whole concern about releasing this data to the internet is that it'd end up in the hands of bad actors, but uhhhh the damage is already done if the bad actors already have the data. Do the students really feel comfortable that only one gang of nefarious hackers have their data?
The ransom was paid by an insurance provider, so they were at least doing something to acquire coverage.
Part of it. They covered the rest.
probably insurance is cheaper than hiring sec experts
Insurance coverage is common. Depending on coverage amount may require independent audits.
The fact they have backups is litterally at the top of the article...
Wups!

I assumed ransomware was always a class of attack wherein non backed up data was at risk.

This seems like a failed ransomware attack where the university just got unencrypted information stolen that they didn’t want released.

>a class of attack wherein non backed up data was at risk

Ransomware is just the act of preventing access to data, with the access being reinstated after paying a fee to the attacker. Generally accomplished by encryption. Whether or not the victim has mitigations, backups, etc. holds no relevance to the class of attack.

>This seems like a failed ransomware attack

It's not really a failed ransomware attack. The attack was successful (they were able to encrypt some data), followed by successful reinstatement of access to the data by using backups, followed by successful extortion by the attacker.

How do you know those two engineers aren't $457k richer now?
Plenty of places have more than two engineers and still paid ransomware. This is like any other cyber-crime, which is to say it happens all over, it's not always publicized, and it's very hard to stop.

I watched a couple of presentations on security recently and just felt like we are all in a losing battle. There are always more bad actors, they get better and better, and they are a lot more motivated than any security team you can put together.

Just think, one of your own unscrupulous employees could be bribed to infect your own systems to get ransom kickbacks.
They paid 457k for not having backups.
They had backups. They paid $457k for a pinky promise not to release private data.
Oh wonderful.

Now we will see more of these types of attacks.

To be fair, it's a pinky promise where the attackers know that if they ever break one of these promises, nobody will ever pay them a dime again.
tbh that's not necessarily the case since the attackers are anonymous. It's just they don't actually have much incentive to release the records once they've collected their blackmail money.
They can just change their name next time.
It is not its own reputation that this particular attacker is able to defend, it is the reputation of anonymous attackers in general, which depends mostly on how other attackers behave, not how this particular attacker behaves.

So the incentive to keep its promise is only weak.

So, we can only assume that, if we follow the money far enough, we would almost surely find this "gang" is connected to one or more administrators at the institution.
> "The university's cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom"

I was looking to dunk on them but it seems that what they did wasn’t entirely unreasonable. The article further states that they paid to protect student data.

Where did the money come from if not from "tuition, grant, donation, state or taxpayer funds"? And if they have another source of funding, this still means the money is missing to fund things in the future that now they have to use "tuition, grant, donation, state or taxpayer funds" for.

They also send a clear message that ransom ware blackmail is a great business model. I think that is more than enough reason to dunk on them.

No you don't understand, they didn't use that money, they used different money! Nevermind that money is fungible.

Unless they set money in the budget every year for "Ransomware Insurance Shortfall" this is 100% "tuition, grant, donation, state or taxpayer funds" at some point in the chain.

It was partly covered by insurance.
We're talking about the part that wasn't.
Even the insurance policy that distributed the payout was ultimately paid for with those funds.
Plus obviously insurance simply means they're using tuition money to pay for ransoms, but all the time, not just when they're threatened.
If they're spending it all the time anyway, why shouldn't the payment have been made?
Which came from insurance premiums paid by the university.
which was paid for with tuition, grant, donation, state or taxpayer funds
Which will continue to pay for the now-increased ongoing premiums.
Utah's higher education system has what I think is a very stupid tuition hierarchy. It seems that tuition is set by the state legislature and cannot be modified by the individual school. But schools can set other fees. So they have this concept of "differential tuition". That is some arbitrary amount that they choose to charge for a particular class that is the difference between what tuition would be if they could control it and the amount mandated by the legislature.

You may have paid all your tuition and still owe the university tuition. Got a tuition scholarship from the university? Better check the fine print. Full-tuition or half-tuition doesn't necessarily mean what you think it means. It might only cover one of the definitions of tuition. Each class can have multiple tuitions of arbitrary amounts and you have to pay them all; your scholarship does not have to cover them all.

Oh, and it is impossible to know how much to budget for a 15-credit hour semester unless you provide a specific list of classes taken.

So, "didn't come from tuition" is an ambiguous statement from a Utah school.

From football game ticket sales... duuuh
(comment deleted)
I think I'd agree with the end of the article. If the only reason you're paying them is to prevent a data leak, what's to stop them from accepting the ransom and still leaking the data?
Hacker has a reputation to maintain.
Except there's not even any claim or confirmation about which group performed the attack, though one is suspected according to the article.
What is to stop them from acting like a blackmailer and going back for more later? Technically all they need is for giving money to "help" short term to maintain their "reputation". It is a danegelt situation.
Can one detect a ransomware infection early by watching copy-on-write snapshots on a file server?
You can, the company I work for makes a product that does exactly that.

It's very much a last line of defense way of detecting attacks because it means the attackers are already in and already have access to whatever workload is being protected.

https://www.rubrik.com/en/products/polaris-overview/polaris-...

Disclaimer: I'm just an engineer (not a sales person/pr/...) and all my comments on HN including this one are entirely my own views/not the companies views.

There are various strategies. One way that is fairly common is to have canary files that, when modified, trigger alerts and other automated action (locking out the account that did the modification, for instance).
Veeam One can alert you to possible ransomware if there is simultaneous high write rate and high CPU usage on a VM.
Not all ransoms are about denying the owner use of their data. Some ransoms are about publishing copies of the data.
It's good to be aware that this entire thing wouldn't have been possible without Bitcoin.
It's good to be aware that this entire thing wouldn't have been possible without encryption.

I'm sorry, I'm not sure I'm seeing what point you're trying to make. Are you trying to say that Bitcoin is bad?

Bitcoin was sold to me as freedom, from governments, from banks, etc.

But now I have come to realize that a completely unregulated payment system is very dangerous.

To be clear, Bitcoin is not "bad". Humans are bad and this is why we can't have nice things.

In what way did you buy into Bitcoin? I don’t understand what choice was presented to you.

If you’re referring to why people like it, those things can all be true despite criminals also using it.

Bitcoin is more regulated and more spied on than most forms of payment. To turn a large amount of Bitcoin into dollars in a bank account, you have to go through extreme AML/KYC checks. I can go to a gas station in California and send $1000 in cash to someone in Turkey who could receive cash and walk out a few minutes later. A briefcase full of cash is not regulated at all and can be used to settle debt or pay taxes, unlike Bitcoin. The only advantage of Bitcoin is not requiring the risk of physical presence, which has to be <1% of all crime. Also, unlike cash, Bitcoin by design retains a full immutable public ledger. The criminals can mix their coins, but it'd still be possible (although computationally expensive) to recreate a chain of transactions going back to the original ransom. In the future if Bitcoin is to become used in commerce more, it should be expected that these dirty transaction outputs would be worth less than clean ones or not accepted, like dollar bills cut in half taped together.
If a chemical plant sets up in an area then pollutes the environment during the course of business, it is required to clean up the mess. Known risks are required to have mitigations ready, and sometimes-expensive procedures must be followed to ensure safety.

Bitcoin (and everything like it) is very much at the "Pollute the environment with whatever the hell I want" phase of its existence. That should change.

Bitcoin should be taxed to recover the externalized costs it imposes -- basically, compensate the victims of bitcoin-enabled crime.

Is only a small fraction of bitcoin usage related to crime? No problem -- the tax will be very low.

We don't have a tax to compensate the victims of crimes enabled by cash, gift cards, Western Union, wire transfers, etc. Sorry, but I'm still not seeing the point being made here.
Encryption is the only way to achieve a specific goal (hiding sensitive digital information from other viewers).

Bitcoin is one of many ways to achieve a specific goal (transferring money between entities over the internet) and it has one significant drawback, it is difficult to regulate, track, etc.

Governments need to have a good idea of where money is going, at least they need to know that more than they need to know what people are saying to each other

The whole point of Bitcoin is that you don't get to decide whether I can use it.
Devil's advocate: ransomware is good. The financial incentives around it directly encourage this variety of hacking. It's an involuntary "bug bounty". And IT security becomes something more than a "nice to have" for these institutions, which it never would have before.

$450k? Universities know all about paying to learn. That's cheap, and they won't make the same mistakes again.

Crime reduction is good. Therefore crime is also good because it incentivizes crime reduction.
murder is good because it discourages people from engaging in behavior that may cause them to be murdered
Is this not the rationale behind the death penalty?
Actually, depending on the cost of mitigating this sort of disaster in the future, they may learn the lesson that it is simply less expensive to pay the ransom.

The criminals doing these sorts of things are businesses too, the are unlikely to price themselves out.

Nonsense, it's not like it's one criminal group behind this or like these people are building a sustainable business model. Pay and ignore approach doesn't work at all long term.
Well, that is a decision every institution needs to make by themselves, of course. At least now there is a visible price tag attached, rather than trying to hide behind misuse laws ("it's ILLEGAL to access our systems in that way!")
Markets in everything: The price of ransomware will reach equilibrium when the cost of paying the ransom becomes equal to the cost of paying for cybersecurity. Then we're back to "to pay or not to pay" once again being a merely moral/ethical issue.
What about the fact that payed ransoms prove a viable business model? And I bet hackers can hack faster than unis can secure themselves
$450k is about tuition for 56 instate or 17 out of state students. Basically peanuts. The U is $8,048 for Utah residents and $25,361 for out-of-state students. It has a total undergraduate enrollment of 24,743
So about a quarter of a percent of their tuition income? That's pretty massive, considering this is an unexpected cost.
On the contrary: if recovery is cheaper, easier, and faster than prevention then why bother with prevention?

If you think there's a 10% chance of incurring $1m in ransomware costs over the next 12 months, and reducing that probability to 5% will introduce an ongoing annual expense of $100,000 what's the sensible decision from a financial perspective?

Out of curiosity, are these hackers still demanding ransom money in Bitcoin, or say any traceable cryptocurrency?

I remember encountering similar scenarios before and they all seem to want the money in a Bitcoin address.

Why not Monero, or an alternative if there is any, which I guess makes moving the funds around much more stealthily? Please correct me if I'm wrong.

For smaller scale ransomware bitcoin was and still is very popular because its the easiest crypto to buy and use. So if your average target is a non-technical home or small business user bitcoin will net you far better returns.

Ransomeware still often includes live phone support and other features targeted at helping victims purchase and send bitcoins because its still a difficult and unfamiliar task for the average person.

That's so disturbing. I can't imagine going through a phone call with "tech support" trying to figure out how to send bitcoins knowing the whole time that the support person is the one who is extorting ransom from you.

It also seems like an opportunity to escalate the scam to the next level. Go to this site (controlled by the scammer) and enter your credit card to send bitcoin. Now they have your credit card too.

This is how I feel on the phone with comcast. It's just business
They're still usually asking for bitcoin.

A few months back REvil/Sodinokibi switched to Monero, but I think they're the only strain to do so.

no one is getting arrested or caught in spite of the traceability, unless the hacker is dumb enough to just deposit the BTC on an exchange immediately. The btc is split up and sent through mixers and laundered into thousands of tiny pieces and after a few years or so forgotten by anyone trying to track it.
Are they not just hiding in places which don't care about these kind of things?
All the tiny pieces could be traced in an automated way. It’s probably the lack of regulation that lets exchanges get away with not implementing better anti-laundering mechanisms.
And going after those tiny pieces would involve a lot of other people who are innocent
(comment deleted)
That's not how tumblers work. There's no way to link the input and output addresses when you go through a tumbler.
You could refuse to transact any tumbler output.
Some exchanges are refusing tumbled input. That said, it seems most of the time if you complain enough and provide more id they do anyway.
> after a few years or so forgotten by anyone trying to track it.

Help me with this, as I simply do not understand this 'forgetting' bit. Are you saying that a police agency, say FBI, is incapable of writing a (trivial?) program that tracks the coins, for as long as it takes to close the case?

> I simply do not understand this 'forgetting' bit

Statute. Of. Limitations.

Also, detective/prosecutor raise+promotion incentive structure. Cold cases don't get headlines unless it's some mass-murderer-rapist-satanist.

I have to say I think ransomware is one of the most interesting "business" practices. The trustworthiness of the criminals is huge because if they have a track record of providing the decryption key, you may as well pay.

In a logical extreme you could start adding features like "Give us the info of people you know and for every one we successfully extract a ransom from we'll give you 10% off your ransom."

It's interesting to think about at least.

There was a story published by ProPublica[1] reporting on this sort of progression from the side of people negotiating to pay the ransoms. Here's a small excerpt, but I think the whole thing is worth a read:

  Storfer learned quickly never to use the term “hacking.” Instead, he would assume his correspondent “thinks they’re a businessman,” Storfer said. “I’d say: ‘Look, we can’t afford this [ransom] at this time. Do you mind providing your product [recovery key] at a lower rate?’ And it worked,” he said. “They’re doing a job where everyone hates them, so feeling like they were respected made them work with us. I like to think empathy goes a long way.” 

  The rapport sometimes reaped discounts. “We were able to get a $5,000 ransom lessened to $3,000 because they knew we could deliver it exactly when we said we were going to get it to them,” Storfer said.
[1]: https://features.propublica.org/ransomware/ransomware-attack...
Reads like someone bragging about being incompetent. I'm sure the foreign language native attackers who call themselves "Evil Corp" would respond to "non-business" negotiations as well. They don't want your data deleted, they want money.
Reminds me of some of the stories in Never Split The Difference, where the author was a hostage negotiator for the FBI who would reduce ransoms (on human hostages) from millions to in one case, a few thousand. He relayed a similar reasoning, at the end of the day they want to get paid and a dead person is worth $0 (and potentially the swat team coming in).
Yes. In the few times I have interacted with criminals doing something that essentially everyone agrees is wrong -- not just people violating laws that many disagree with, but really unambiguously bad stuff -- they have all consistently had some strained story (that I think they truly believed, at some level) for why what they were doing is OK. It's really sobering to see in person, and deeply undermines the faith one has in one's justification for one's own behavior.

There was a story a while back, perhaps on HN, discussing the results of an academic survey of prisoners (in the UK, I think). They consistently evaluated themselves as more honorable than the average person on almost every dimension.

I don't think many admins would respond to a security breach by taking bribes to break more laws. But maybe they would, and help us clear out these incompetents.
Or even insiders helping ransom businesses infect a company with money. Seems unlikely, but not impossible, especially if the ransomware folks can find and make a significant offer to the insider.

I would think the biggest impediment to insiders doing this would be how to successfully hide and use the money, if it was a lot.

Wish one of these was publicly traded onchain. We almost have the level of privacy necessary to own the shares anonymously and distribute profits adequately too.

I think you could do it by issueing the shares as a zkAsset using AZTEC, and any ransom paid in btc could be transposed to renBTC on Ethereum, deposited into zkSYNC and distributed to all shareholders proportionately in the zkSYNC, that distribution transaction wouldn't be recorded onchain (although maybe zkSYNC has some ability to monitor transactions) and shareholders can withdraw their dividend at their own will.

But otherwise they can just convert the BTC to XMR first, and reintegrate that however they want.

I think one of the only ways to stop ransomware would be to setup a team distributing the ransomware, extracting fees from the victims and then -not- providing the keys. A few high profile cases of this should be enough to destroy confidence that paying a random will work.
This is brilliant. Destroy the credibility of the criminals.
And a bunch of people's data.
By becoming a criminal yourself? The cure seems to be much worse than the disease.
The ransomware guys will wise up, and use different keys to encrypt different parts of your database. They'll then request some fraction of the payment, in exchange for decrypting part of your DB, as proof that they do have keys.
Couldn't you also just plant some "shills" who claim that this happened to them and they lost all their data?
Yes, this'd probably be a better idea.

But the issue is there are many different ransomware gangs and malware families. We'd probably start seeing a twisted form of corporate PR from most of them. "We're not like the rest. We abide by a strict code of ethics and believe fair and honest dealing is paramount to our reputation and customers' trust in us. We will never add hidden charges or 'alter the deal'. Rest assured that your keys are stored securely and will always be delivered to you within 4 hours of payment. That's the CryptoLockDeluxe guarantee."

It reminds me a lot of piracy in EVE Online, where pirates' reputation for allowing ships to carry on after paying the random was considered a big deal.

Everytime a new group pops up, then you start planting stories using their name and the same promises.
A better way would be to charge the university with funding a criminal enterprise.
Paying ransoms of any kind has never been considered illegal simply because they are "funding a criminal enterprise". Outlawing random payments is certainly one viable attach on the enterprise, but it requires new legislation (and you better be prepared to levy some serious punishment on victims, which is hard to stomach).
If that became a big business model, then we might start getting meta-criminals:

1. They infect a major institution with ransomware.

2. They demand, and successfully receive, a major ransom.

3. They DON'T immediately release the key, despite the ransom being paid. Instead, they issue an open demand for ransoms to be paid to a random Bitcoin address from other major ransomware groups.

4. The meta-ransomers only release the key to the original victim if they receive sufficient ransoms from other ransomers.

The meta-criminals would essentially be ransoming the credibility of ransomers. If the ransomers don't pay up, then the meta-ransomers will chip away at their credibility.

That doesn't sound like it would work amazingly well.

First thought is that the 'meta-ransomers' would probably only get one or two shots at such an action working before the major groups make some sort of statement (and even perhaps provide some sort of way to 'authenticate' that it an attack is from one of of the more 'trustworthy' ransomware groups.)

Second thought is that it would have to be a gutsy group of rogue actors or group of rogue actors. A lot of these underground folks still know each other one way or another and this would probably be considered a big 'f--- you' to the rest of the community. Bridges would be burned, unspoken agreements in the sphere may be violated. You could even see the ransomers quickly turn their efforts to exposing the meta-ransomers.

On the other hand, it could become an 'arms race' as the meta and non-meta ransomers start trying to shut each other's ransomware down

This doesn’t work because a ransomware group could just sign their message. I wouldn’t be surprised if they do already
You could look at it as an unsolicited security audit of your system and the ransom as a contractor's fee for a job well done.
You really can't blame them much, they had backups. University doesn't work like corporate, you have thousands of student who change every year, do their projects for which they require lot of access; you can't lock everything dangerous, can't have any sensible BYOD policy, ... It's really hard to lock up everything while not limiting students too much. With organization like this, that sort of incidents is unfortunate but inevitable.
We sometimes refer to a public university as having a museum-like security posture. They have to be open to the general public, have to allow in visitors, yet guard things at the same time. It's not at all like strict corporate IT security. It's a fine line to walk. If you've never done this sort of security work before, it can seem odd and foreign for awhile.
Public universities and their security budget are highly underfunded. They can’t afford to invest heavily into security.
Is it that they can't afford it? Or is it instead that they would need to reprioritize some of their spending to invest into security?
They had backups: good for them.

But they also had unencrypted, sensitive information sitting on their networks.

What if it were a federal criminal offense to pay ransom? With long prison sentences for any individual convicted of participating in or having knowledge of a payoff? And the government was serious about tracking down and prosecuting anyone who did so? Nobody would pay ransom, and, at least in countries with such a law, these extortion gangs would stop bothering.
If the ransomers are terrorists, then it is a crime to pay them. This has been a challenge when Americans are kidnapped overseas and their families wants to pay the ransom but are warned that doing so is illegal.
There are fairly easy ways to get around this. Everyone says they never pay ransoms, but they mostly do. It is not a ransom, but you hire some cousin to do a not existing project etc. These things happens in parts of the world where transparency is not a top priority.
How does this fool even a semi-competent lawman? “Oh, officer, I never bought drugs. That’s totally illegal. I just left money in a box that my cousin picked up, and a few days later the drugs just appeared there. Totally not, myself buying drugs, though!”
Because for drugs, the semi-competent lawman goes after you. If it's for my child's life, there's no point going after me. I'd go to prison for life for that. You can't apply prison as a deterrent, you can't use it to prevent me from harming others, and honestly, you can relate to me.
It’s not about fooling anyone, it’s about maintaining enough plausible deniability.
It is often (always in the cases I was involved with) with government involvement so there is no risk of being investigated afterwards. This is just the way it works so everyone can say they don't pay bribes and still save lives.
Ultimately the goal is that nobody gets kidnapped. One way to ensure that is to ensure ransoms can't be paid, by threatening criminal penalties to anyone who pays a ransom.

Of course this means if your child is kidnapped, you have a choice between going to jail, or receiving one finger or toe per week in the mail for the next half-year or so. (That is, if you're a generally law-abiding citizen who doesn't know the ins and outs of money laundering and you're pretty sure you'll get caught. If you think you can make the payment and get away with it, this changes your calculus.)

When your kid is horribly murdered as a result of your unwillingness to break the law, it's a cold comfort that the law's wise policy will theoretically eventually save hundreds or thousands of others' kids from the same fate.

I find it fascinating that it's illegal to pay to help a child who's in physical danger of being tortured / murdered, but apparently not illegal to pay to prevent simple doxxing. It seems like it ought to be the reverse, the law should show mercy to an individual person trying to save the life of their relative, but be more strict when it comes to a large business or institution trying to prevent merely economic or informational harms.

Then they just wouldn't admit to being attacked. Companies would still pay ransoms, but we wouldn't know about it.
I mean that's like saying "banning insider trading/securities fraud won't work, because people will still do it". Yeah, they might, but I find it hard to believe that an executive is loyal to their company to the extent that they'll risk year of jail time for it.
Trading is a public act. Cooking the books to hide a payment by some random corp is orders of magnitude more obscure than trading in securites.
(comment deleted)
Or ban crypto under current KYC and other anti-money laundering laws.
My understanding is that companies often pay another company to pay the ransom for them, with it billed as "professional services" or other such. If there were laws against paying ransom, they'd need to be quite comprehensive, or loopholes would be found.
At this point the government agency should perform some of those attacks, extort the money, make it public and then delete the data so the victim is out of data and the money.

Paying ransoms is terrible for the world. We will have more attacks on more targets. There needs to be heavy incentive to not pay.

^ things that will get you instantly unelected
No one was up to admitting it happened in the first place.
It's not like advocating for strategies that work and make the world a better place get you elected anyway. It's all about making feel good promises anyway. Maybe you can convince someone already elected in their last term to actually implement it.
When you pay ransom for physical possession you get your possession back.

When you pay ransom for lost data you get a copy of your data back. The culprits still have the data, but they likely don't have a use for that data.

But this is the worst kind of ransom.

You already have the data, you're paying ransom to make sure the culprits don't use the data, but the culprits still are in possession of the data and they can use the data next year, or two years later, or demand more payment next year.

What in the world?

(comment deleted)
>The culprits still have the data

It'd be too hard/expensive to exfiltrate the data once it gets large enough, without much added benefit. They just encrypt it in-place.

Well it's exactly what happened here.

> The university said its staff restored from backups; however, the ransomware gang threatened to release student-related data online, which, in turn, made university management re-think their approach towards not paying the attackers.

The university is paying them not to release the data, but it has no way of forcing them to delete it.

This shows how bug bounties are pitifully small and inadequate. Stop thinking that a $10k reward will prevent hackers. Either pay-up for sec experts or be prepared to pay-up through extortion or having your site exploited, and it will cost way more than 10k.
Or have a bulletproof recovery plan
Disk clones to the rescue!
Is this the right way to look at it?

That's like saying CVS security guards are pitifully small and inadequate. Yeah, you're right, they aren't going to stop a proper robbery... but stealing is illegal and shouldn't be happening either way. Same for hacking.

They have security guards?
Many stores do, not just CVS.
Yeah - come to downtown SF and see. :)
Is this because of prop 47?
I have no idea. I honestly don't remember what things were like 6-8 years ago.
If CVS security guards had to guard against every burglar in the world, including ones who would just as happily go after bank vaults, then the situation would be comparable, yes.

If, that is, the burglars could automatically try and burgle every commercial establishment and home in existence, succeeding, with zero effort expended, if the security guards in question were insufficiently vigilant.

Actually it's the exact opposite. Bug bounty programs have constantly proven to be among the most effective ways of increasing a company's security, no matter how "pitiful" the payouts are. The overwhelming majority of people, when they find an exploit, are going to to do the right thing and report it, not sell it to the highest bidder. Increasing the bounties isn't really going to help, considering there's always going to be a hacker group or government entity willing to pay more.

Of course the programs aren't going to be a replacement for real product security teams, but they were never meant to be.

This seems like the market for risk at work. Just as in drug trafficking, more money tends to go to parties that take on more risk. In this case, that's the criminals doing the extorting. So unless the security researcher wants to engage in illegal activity themselves, they probably aren't going to get anywhere close to the extortion dollar amount by just selling their exploit to criminals. At best they'll probably get something close to a large bug bounty, or maybe a few times that.

When setting bug bounty payouts, the company should be looking at what security researchers are likely to get when selling an exploit to criminals, not the actual extortion dollar amount (assuming that most security researchers are not willing to personally engage in illegal activity themselves, which appears to be the case).

However, when evaluating the value that a bug bounty program brings to the company, they should absolutely consider these typical extortion amounts.

> This seems like the market for risk at work. Just as in drug trafficking, more money tends to go to parties that take on more risk. In this case, that's the criminals doing the extorting. So unless the security researcher wants to engage in illegal activity themselves, they probably aren't going to get anywhere close to the extortion dollar amount by just selling their exploit to criminals. At best they'll probably get something close to a large bug bounty, or maybe a few times that.

This doesn't strike me as a very accurate assessment of the situation. There are already markets where people can buy and sell exploits: researchers don't have to get their hands dirty to get paid for their exploits.

You've missed my point.

I'm saying that the market value of actually performing an illegal act of extortion is higher than the market value of a zero-day, either on one of these markets or via bug bounty.

I'm arguing that the price is different because of the risk of getting caught and going to jail, not that there isn't a market for security researchers to sell exploits to criminals without otherwise getting their hands dirty.

Exactly, you need the risk adjusted prices to match up. Getting paid a bug bounty isn't very risky, so the price is always going to be lower than selling or using the exploit yourself.

That being said, I still think bug bounties are too low, even when risk adjusting.

I also don't think they're empathizing with what it would actually be like to sell a zero day.

Taking the certain $10k is the better deal over hunting for a shady buyer on shady sites who might send you some bitcoin if the deal even pans out or if they even pay. That's a lot more work and uncertainty while they act like it's just the choice between which lever to pull. A bird in the hand…

Plus, by having a bug bounty program, it indicates that they're going to be reasonable and accepting of outside bug reports. In the absence of such a program, one can't be sure that a bug report isn't going to result in angry phone calls from tech-illiterate people accusing you of hacking them.

I recently found a compromised server on a university's network. I wasn't going to cold call them to report it because I had no idea how Betty answering the phones would react. Instead, I sent it to an IT contact that I knew personally. I knew that he didn't have anything at all to do with this, but that he would know who to get it to.

For what it's worth, with regard to .edu's specifically, you can always report any security-related issues to REN-ISAC [0] via e-mail or telephone (anonymously, if you'd like). The "watch desk" is staffed 24 hours a day.

If the .edu is one of their 668 member institutions [1], they have designated security contacts at the .edu that they can directly get in touch with -- and, in many cases, can even wake somebody up at 3 a.m., if/when it's warranted!

Even if the .edu isn't a member, though, they'll almost certainly have an easier time getting in touch with someone with a clue that they can pass your report along to.

---

[0]: https://www.ren-isac.net

[1]: https://www.ren-isac.net/membership/MemberList.html

But if the bounties are 20x as high then surely it will draw more whitehats to the market. A security engineer who is working at Netflix or Visa making over $200k or whatever will not work late nights for a $10k bounty but he might for a $500k bounty.
Companies like Google and Facebook have paid up to $50K for single bug reports. Ultimately the problem is that regardless of the effort you put in your earnings are likely going to be $0, due to the sheer amount of randomization and luck involved, which makes it unlikely that anyone will leave their full time job for it.
I don’t think anyone will quit their job for it but it will influence the decision of “play flight simulator or hack on targets”
In theory yes, but there’s going to be serious diminishing returns. At what point does doubling the reward no longer double the number of person hours you’re incentivising to work on the problem? At what point does doubling it increase the effort expended by less than 10%? Compared to spending that money on your own research teams, where the Cost/effort your buying is likely to be much closer to linear.
On the contrary, for low-probability payouts like lotteries, doubling the reward more than doubles the number of people who play. Almost nobody would play a lottery that gives you a 1 in 50 chance of winning $5, but plenty of people play lotteries for a 1 in a billion chance of $100 million.
Actually you are both right. Bug bounty programs are extremely effective because they find serious vulnerabilities for vastly less than the damages you would expect if they were exploited. However, the fact that the bug bounties are so low indicates that the prevailing security is atrocious.

To explain, generally speaking a bug bounty is going to the smaller of:

1. Cost of Discovery since that is the amount someone would be willing to find bugs at otherwise they are losing money on each bounty they get.

2. Cost of Damage (risk-adjusted) since that is the most a company would be willing to pay.

The reason for this is that as long as the Cost of Discovery is lower than the Cost of Damage (up to ROI), it is reasonable to keep paying the Cost of Discovery since you are paying less than the risk-adjusted harm. But, there is also no point paying significantly more than the Cost of Discovery as long as people keep reporting problems as fast as you can fix them since there is no real reason to pay to get more problems than you can fix. So, to first order the bug bounty for a certain type of problem reflects the cost of discovery of that type of problem.

Circling back to the original point, we see problems that can cause millions in damages getting bug bounties on the order of $10K. This means that, to first order, million dollar attacks only cost $10K to execute which results in a crazy high ROI in the 100s. With an ROI in the 100s, it should be no wonder that such attacks have been increasing in frequency given their sheer profitability. The fact that bounties are so low for such critical problems is a major indictment on the prevailing level of security in the industry.

> 1. Cost of Discovery since that is the amount someone would be willing to find bugs at otherwise they are losing money on each bounty they get.

This is probably the biggest issue in terms of incentives to a researcher. You're either finding the bug by accident or out of curiosity, or you stop short of basically losing money you would otherwise earn going a paid audit.

Actually, this level payment is roughly optimum value extraction by the parasites at a level that still makes the company feel like they did the right thing by skimping on their security. Because if the chance of incidence * damage < the cost of mitigation then they'll be more than happy to let it happen again.

500K once every 20 years or less beats 50K annually handsomely. Never mind the fact that once you lose control of your data you can never be sure you got that control back, that's somebody else's problem.

People are not very good at threat modeling, estimating chances of things happening to them and estimating the damage resulting from an incident. We collectively are not good at ensuring that the companies where these things happen get dealt with properly.

These kind of hacks were not possible before Bitcoin and the trend clearly just started. I don’t think it’ll be one hack every 20 years if they don’t fix their security.
Fair point, the frequency will probably go up. Also, they are now on the records as being (a) not capable of keeping their stuff secure and (b) willing and able to pay up which is blood in the water for the sharks.
Aren't scammers using Apple gift cards?

Bitcoin isn't the issue here.

When you have the pressure on the target, you can make the pay in whatever currency you'd like and there will always be one.

It's much harder to launder $100mn with gift cards. That's easy with Bitcoin.
To be pendantic technically they were before and likely easier (unless they didn't have their records computerized but universities were early adopters there) but there wasn't much of a point in doing so. Grade tampering would be far more likely.

The black hat hacker "ecosystem" has also professionalized from doing it for kicks to doing it for the dough.

I feel certain that they will be paying a lot annually for security after this.
so many ransomware locking down governments and companies these days, it's impossible to be 100% secure over internet 24x7, but how about a decent backup scheme, so that if someone locks down the data, you can get back online without decrypt that? it seems to me, as long as you have daily incremental backup in place, you should have no fear about those ransomwares?
In this case, they had a backup and restored from that.#

The attackers also only encrypted about 0,02% of the systems, but the university paid because the attackers threatened to make the stolen data public.

I don't get it. How can a public University even pay ransoms in practice? What do the statutory auditor say? What does the IRS say?
The ransom was to prevent the data from being publicly released - they restored from backup.
I do not know anything about bug bounties but I do know that selling backup solutions is super super hard.
As an idea: crowdsourced bug bounties. If software companies aren't willing to offer sensible incentives, corporations (who often have far more money at stake) should fill in the gaps. If someone built a platform to allow e-commerce/finance/other web companies to (collectively) fund a $500,000 bug bounty for an exploitable bug in an SSL library/Linux/Android/STM32/whatever project they rely on for security, it might encourage many more white hat hackers to pen-test the platform...
No. Because even a sec expert can’t guarantee there won’t be some kind of breach. And then what? Pay an expert AND get ransomed?

Better to throw it to a free market and let people find bugs for peanuts.

You're correct, there have been companies that quietly paid a million+ just to avoid litigation. It can cost certain companies tens of millions just to deal with a public security breach.
> Either pay-up for sec experts ..

It's next to impossible to measure 'sec expertise'. This would only go far if the security expert gave a warranty on their service which we know is never going to happen.

Besides which, the thing that would save this companies is mostly obvious and any half-decent security officer will do them. The difference being buy-in from senior management.

https://www.cyber.gov.au/acsc/view-all-content/publications/...

Would you rather have:

1. $10,000

2. Half a million dollars with a 50/50 chance of spending significant time in federal prison

I wouldn't even attempt to hack American companies in a country with an extradition agreement. It's a different situation, but Ross Ulbricht got 2 life sentences.

It's a great way to have people work for free. Imagine applying for a job as a security auditor, only to be told your wages are reliant upon the system being insecure. If you do happen to save us $457k, we'll give you $10k, but if you give us the piece of mind that we're really after here, not a single bean!
There is no way those 450k are not being traced right now like a hell, most likely it was allowed just because investigation said so, its matter of time now
Interesting discussions here about the actual costs and value of finding the bugs that enable these problems. There's basically very little cost to the companies in most cases that have vulnerabilities.

It's absolutely crucial, in my opinion, that we pass laws making paying off criminals illegal.

There are arguments here that paying off via insurance or other 'secondary means' are somehow shielding the institutions. It's morally wrong, and I suspect in reality it's technically wrong to make these payments. It's just wrong. There is the problem that at least some of these ransomware groups are in countries like Russia that don't care to really prosecute them. We need to stop this, make it clear it's not acceptable, fight with our usual means against money laundering. Pretty much every company company in the western world is vulnerable to these problems, every public school, and behind the scenes lots of people are vulnerable.

> "The university's cyber insurance policy paid part of the ransom, and the university covered the remainder. No tuition, grant, donation, state or taxpayer funds were used to pay the ransom," University of Utah officials added.

Can anybody elaborate more on this ? What are the other resources than tution/grant/donation/state/fund to earn money ?