385 comments

[ 4.3 ms ] story [ 269 ms ] thread
Once you pay 'em the Danegeld

You'll never be rid of the Dane

Meaningless stat without a baseline to compare against. How many who didn't pay were hit again?
If the attacker isn't paid for the first attack, why would she attack again? She's not doing it for the lulz!

I do agree with you that there should be more visibility for the "silent majority" of firms who operate their businesses responsibly, and therefore don't ever need to pay ransom.

Because second attacker might not be briefed by the first one.
If they actually have proper backups to avoid paying the first one, my guess is they are much more likely to also have the skills to prevent a second breach.
I agree on backups and actually working and robust restore system.

Cheapest way to avoid paying ransoms.

You can never be sure about 100% hacker safe but backup/restore system can be life saver

And also due to the attacks being cheap to run
If the victim doesn't pay the first time, they suffer consequences and next time might decide to pay instead.
ISTM we only hear about the tiny minority of "victims" who do "suffer consequences". Most organizations who get ransomed just shut off a bunch of unnecessary stuff, re-provision the necessary stuff with passwords turned off, restore from backup, and hire some security consultants.
I'm sorry but I have to ask: why assume the attacker is female?
It seems like "they're" would've been a better choice there, as there are a plurality of attackers in the world.
Probably trying to diversify pronoun usage. Would we be pointing this out if they said 'he'?
No, because for better or worse “he” is the default for a plurality or unknown gender in most (all?) romance languages, including English. Times and sensitivities change but “she” still connotes more knowledge than “he” so it’s bound to cause some confusion.
what was true centuries ago is no longer true. "he" is not gender neutral in English, in any sense of the term. it's only used as such in historical writing - languages evolve over time. "she" connotes as much knowledge as "he".
Language changes over time, yes, but also over space. Something other than 'he' might be default where you are, but not where I am.
English up until recently used male pronouns by default for everything but we have learned recently, thanks to our heroic Gender Studiers, that this actually perpetuates systemic sexist patriarchy. So the solution is to randomly use male or female pronouns, making language unclear and confusing--which helps fight the patriarchy.
The first time I saw this (using female pronouns for an unidentified person instead of "him/her" or "they") was in RMS's writings. So instead of using the indefinite/singular they, RMS would just say she/her. I thought it was an interesting way to hack language to break assumptions we have about gender, especially in technology.
I understand how this sort of off-topic snag can feel provocative, but please don't copy it into the thread where it can turn into an entire flamewar. There's nothing new in any of this at this point, and therefore nothing interesting. When there's nothing interesting, discussions turn nasty. Solution: focus on the interesting specific information and diffs in a post, and ignore the provocative bits.

https://news.ycombinator.com/newsguidelines.html

That's not for us to intellectually deduce, give the numbers. They have it. Is it 79%? 99? 1?

Maybe it's all automated shotgun based attacks and they don't close the holes and so the act of paying the ransom is statistically meaningless

This is shoddy journalism. Might as well just say "X%". It implies you shouldn't pay lest you fall victim again but they don't actually say that.

Things that implicate what they refuse to say is kind of suspect

The "journalism" has been shoddy from the start. This entire "Russians are pwning the electric company" meme has always been motivated more by politics, CYA, PR, and marketing than it has by anything real. TFA itself is a mail-it-in, paraphrase-the-press-release "effort". They actually link to the press release rather than the original marketing document; it's possible TFA's authors haven't read the latter! There's no guarantee the marketing document answers your question, but if you have an email address you don't mind getting spammed you could find out for yourself. [0] I don't have such an email address.

[0] https://www.cybereason.com/ebook-ransomware-the-true-cost-to...

The whole point of gathering statistics is that making up logic for what could be the case is generally a massive waste of time.
The attacks are likely automated. Like any computer virus.
It's likely the reinfection rate is high in both cases since it's so difficult to ensure every possible back door has been closed.
The most important line:

> 80% of organizations that paid the ransom were hit by a second attack, and almost half were hit by the same threat group.

The same group!

Makes sense to me. From what I've read, it's pretty clear the ransom payment is for a one-time ability to get your data back. It's not advertised as some sort of permanent opt-out.
Makes more sense if the group offered a subscription model for decrypting files encrypted by that group. Then you wouldn't have to keep paying the big lump sum.
A referral revenue sharing program for jaded employees would probably do well also.
...and if you pay for our Premium Level Service, we'll secure your systems against other criminal enterprises as well!
What Hackers Can Learn From The Sopranos.
That's a nice network you have there. It would be ashamed if something happened to it if you know what I mean.
Some groups will actually tell you how they got in and help you patch your systems.

Some groups will hack you AND also uninstall viruses emanating from other groups, or they will hack you and patch other flaws so that other malwares cannot take their spot. It's all game theory.

isn't that just plain strategy?
Game theory is more or less “plain strategy.”
Although I think false advertising would be the least of their worries if they decided to do it.
Everyone knows that once you find a loose slots machine, you keeping playing it.
You might come back next week, but if it just jackpotted it's empty right now.
That's so 1980s! Now, they update the balance on your Player's Card.
Not if the slot machine had an insurance company payout for them
Different groups have different policies. I believe some do actually add you to a whitelist if you pay and grant you at least a year or two before your immunity expires. (Maybe some do permanent whitelists? Not sure.)
Something something Norton Anti-Virus something.
It's right there in the small print. These companies sure know about that.
Where is the hacker's Honor... Cmon man
It went away when telling someone their system was broken stopped being treated a favor and started being treated as a crime.

All the good guys shut up, and so you're left with the criminals who then exploit the flaws instead.

Coming soon: ransomware with subscription business model
I up voted you for the lulz, but I'm actually unsure if this isn't the basic "legitimate" business model for everyone anyway.
I'm not so unsure - that's what make's it funny
“Up next on ‘You Won’t Believe It’, viruses were created by the antivirus industry”
That's already a thing

"SCHWIRTZ: What DarkSide does is they're a ransomware creator. So they create the program that is uploaded into a victim's computer system that locks down their data. But what they do is they basically contract out to these affiliates who are other hackers. And these are the people that are responsible for actually penetrating the victim's computer services. And what they do is operate basically on a subscription service. You, as an affiliate, can sign on to DarkSide services, in which case you get access to their malware, their ransomware to use for a fee that operates on a sliding scale depending upon the size of the ransom."

https://www.npr.org/2021/06/10/1005093802/inner-workings-of-...

I think they meant the ransom as a subscription service, not malware to franchisees as a service.
Yeah, the data remains permanently encrypted but you can access it. You pay X dollars per month for that access. They even provide protection against other gangs as well as offsite "backup" themselves. Plus your business can be an infection vector for other enterprises and individuals. The actual fees start low...
I think it is, actually. Well, not advertised; but these big ransoms, they can be negotiated. And one of the victim company's requirements will be that if I pay, then you agree to leave me alone.

I think these negotiations are fine, if you're just buying time to gather your backups; I've assumed the payouts were made by insurance companies, so go ahead - buy a zero-value promise from a gang of crooks, if you want.

But your org has been rooted (at best, you can't prove it hasn't). Compromised systems can't be really be cleaned, they have to be reinstalled from scratch, if you want to have confidence in them.

And an attack can be stored in data - which you're about to restore from backup. That's a problem I have faced, and I chose to ignore that threat. No choice - I didn't know how to address it then, and I still don't now.

My half-baked opinions about ransomware are largely based on watching this documentary: https://www.bbc.co.uk/programmes/w172wx9056p6bd6

> And one of the victim company's requirements will be that if I pay, then you agree to leave me alone.

I'm curious how one would enforce that. From the fact that the ransom got paid in the first place, we can establish that there's no legal body that's able and willing to exercise any authority over the ransomware group. So it's not like you can sue them for breach of contract.

Perhaps you can rely on the honor system? Though, given this is a group of professional extortionists we're talking about, if you choose to go that route, you may be at elevated risk of getting what you deserve.

It's a matter of reputation.

If a ransomware group has a reputation of not actually delivering the unlock upon payment, or of re-infection shortly afterwards, the decision to pay them becomes harder to defend.

A sticky problem indeed. I'm sure their sock puppet budgets must run into the tens of dollars.
I don't know that you can even reliably identify what ransomware group you're dealing with. They seem to use similar software, wallet addresses can change, people can claim to be some group they aren't, etc. And they probably identify potential victims with similar methods and tools.
How would the statistics then be gathered that half were hit by the same?
You sure some ransomware crooks don't provide contracts to their clients?
It makes you think about how many of those are inside jobs and/or compromised employees. In the case of colonial, it would seem highly likely given it was a credential compromise, but then again secure passwords are a known weakness
That group's name? The NSA.
"threat group" is odd phrasing, is it really the same actual group?
I'm shocked at such unethical practices by the hackers. I expected better from a group of terrorists.
I'm kind of reminded of the mafia and their protection rackets. Obviously, you never could trust criminal organizations. At the same time, if you're a medium-sized corporation or small business and they have your important data, and you know you could pay to get it back, what do you do? I can imagine they really have some people by the balls, metaphorically speaking. They could drive you bankrupt.

I hope the authorities find a way to go after these people, but it's obviously got to be difficult, because they might well be in China or Russia. It would take some international cooperation that's probably impossible right now.

In the meantime... Switch to Linux, have a competent offsite backup strategy...?

Unless the attackers revealed their exploit, it probably wasn't fixed and they just got in again the same way.
I would leave a backdoor too if I was them (maybe not what they did)... I wonder how many paid for a 2nd and 3rd time...
Wonder what percentage of those that were hit had someone actively looking to get back in. Maybe 20% learned their lesson and improved their security. I wonder how many iterations of this will it take for most companies to learn that leaving your doors unlocked in a shady neighborhood/the internet is a bad idea.
if it were me, I'd leave webshells or other backdoors to let myself back in if they didn't do proper cleanup. Especially if they paid, I have a "known good" customer.
What would be the incentive not to? Honor among thieves?

You know they’re vulnerable to the attack (the hard part?) so why not keep doing it until they shore up their defenses.

Short term you benefit from the second random. Long term, you may make people less likely to pay your ransoms.
I mean, of course! This is like classic sales book play. Your previous "costumers" are almost always less effort to dollar than new prospects.
Were I an evil criminal, I'd include a backdoor in the restore image I gave them, so that I could attack the same people again.
Shouldn't they improve their security?
About half did. From the article...

> After an organization experienced a ransomware attack, the top 5 solutions implemented included security awareness training (48%), security operations (SOC) (48%), endpoint protection (44%), data backup and recovery (43%), and email scanning (41%). The least deployed solutions post-attack included web scanning (40%), endpoint detection and response (EDR) and extended detection and response (XDR) technologies (38%), antivirus software (38%), mobile and SMS security solutions (36%), and managed security services provider (MSSP) or managed detection and response (MDR) provider (34%). Only 3% of respondents said they did not make any new security investments after a ransomware attack.

Given 0-day vulnerabilities and supply chain risks, I'm going to take a little bit of poetic license and say it's impossible to stop ransomware attacks, certainly with commercially viable levels of investment in infosec. You can mitigate some of the exposure, but the level of validation required to continuously guarantee that those mitigations are intact and effective.

So attacks will continue, the level of impact will hopefully be reduced along with the commensurate justifiable ransom payment.

maybe, but most ransomware attacks aren't via zero-days but via simpler means. Also ransomware infects a whole network and so part of the cause is systems that allow that.
Looks like ransomware criminals are going for the subscription model.
Hardest part is to find subscribers, from then on the milking process is easy. Leaving the joke aside, does this mean that the systems remained unprotected after the initial ransom was paid or that they continued to threat leaking sensitive data?

Paying the ransom a second time would guarantee nothing. Neither was paying the first time either.

If they were caught in the first place and paid up, the attacker presumably learned enough about the infra to find another way in? Or it was social engineering.

Like, is a company who runs its IT infra on Windows XP and pays the ransom likely to switch to the latest and greatest, no expenses spared, in a total and utter overhaul of all their systems? Or will they only try to patch the holes that were already revealed and gloss over the rest? Blame it on the intern, all that.

To unsubscribe you have to talk to a sales representative and send in a fax.
Just click that innocent looking unsubscribe link at the bottom of the email. Case solved!
Once the criminals start maintaining their own backups of victims data and helping them restore from rival attacks, they can successfully call themselves a mob.

Somehow, that's a quite believable scenario.

https://en.wikipedia.org/wiki/History_of_firefighting#Rome

Fire fighting in Rome had a similar premise.

Free market in action.
Doesn’t mean the free market doesn’t work. Asking people to pay before putting out the fire could be seen as a pay per use model. While a government run service funded by tax dollars could be seen as a subscription service that price discriminates on income tax rates.

In both cases it’s the market at play.

Free market requires strong property rights, as private property is a legal fiction which otherwise does not exist enough to sustain a market.

This is instead a dysfunctional government approaching anarcho-individualism.

I think wikipedia got the details wrong there. Crassus didn't offer to buy the burning buildings, he offered to put fires out. At least, that's how I understood it years ago and that's what Wiki's own source shows-- http://www.trivia-library.com/b/richest-people-in-history-ma... .

edit: Actually, Plutarch wrote that Crassus did buy the burning buildings.

That's interesting - I definitely have heard it taught the way Wikipedia has it. But I suppose some website here or there doesn't really count as much of a source when we're talking of events so far in the past. Maybe someone can provide a primary source or two?
Hmm, I dug further. The story probably comes from Plutarch (Lives), "[Crassus] would buy houses that were afire, and houses which adjoined those that were afire, and these their owners would let go at a trifling price owing to their fear and uncertainty"[1].

Plutarch was closer to Crassus than I am so I guess I can't argue.

[1] https://penelope.uchicago.edu/Thayer/e/roman/texts/plutarch/...

The privately owned fire brigades in NYC 100 years ago weren't much better. The free market at work:

https://www.youtube.com/watch?v=9zoXk1vnmcg

The real Bowery Boys would sometimes sabotage other companies' insured buildings by setting the fires.

https://en.wikipedia.org/wiki/Bowery_Boys

Setting fires on other peoples' property is not "the free market at work".
But the rest of it was. The part in the first half of my message and the linked video is entirely free-market.

Also, please do the work to expound on your claim.

> do the work to expound on your claim

A free market system requires protection of property rights. Arson violates property rights, and so is not free market.

What type of market is it when there is no regulation to protect rights, whether property, natural, or civil?
Anarchy is one. Communism is the other, as you have no property rights.
These are political systems, not economic systems.

When I hear people describe a free market, the respect for property rights is sacrosanct yet many also push back on regulation. This confuses me. Regulation typically seeks to ensure rights are respected.

I think they can start calling themselves the corporate IT department.
Perhaps the red team, there is more to IT than backups
> they can successfully call themselves a mob

Or Backblaze's evil twin.

(comment deleted)
If only organizations would backup their own data. Then they could just restore and avoid paying.

I have a backup device of my own at home and that's the one I have to use. The company I work relies on some MSFT service that is pretty inflexible and won't back up the entire machine.

Backup is only part of the picture, one needs a proper disaster recovery strategy that is tested and updated. Otherwise it could turn out that backups exist, but it'd take half a year to bootstrap the company back into function using them. Backing up and restoring one PC is trivial, doing the same to 10000 PCs and another 1000 of interconnected software systems is a whole different business.
Many people’s backup routines aren’t good enough.

Some of these guys encrypt over a period of time which is long enough to exceed the backup rotation. Their code decrypts on request, until the trigger day, when it posts the banners and deletes itself.

Maybe corporations should make it standard practice to have cold storage backups that are physically disconnected from the network (by humans) in a rotated fashion. Backup A is physically disconnected on B days and backup B is physically disconnected on A days.
Or stored an a cloud storage provider that supports S3-style object lock.
That's why you have a combination of rotating backups, say 7, one a day, and non-rotating permanent backups, say once a week.

Also, one should use "append only" backups (such as tape), or a disk drive designed to be append only with hardware write enables.

With a de-duplicating backup system like Borg, you can keep more backups in the same space. borgbase.com provides append-only and 2FA, which keeps your backups secure.
There is also the threat of leaking private data. Companies which collect PII could be liable if it's proven they were negligent.
If only organizations would backup their own data. Then they could just restore and avoid paying.

This is commonly suggested, and entirely useless.

What the ransomware groups do is put a time bomb on the computer, then leave it to trigger on a future condition. Your backup will backup the time bomb, and the second you restore it, it also goes boom. And therefore your backup is a perfect copy of your data but entirely useless.

One should still be able to just mount the disk and not boot the OS associated to browse through the files? Not fully automated but at least some solution and maybe worthwhile for smaller businesses
This is not entirely useless as you still have a backup of the data, you just need to restore it without the "time bomb".
Good luck finding the time bomb. See also my above comments about ways that they can corrupt data.
That assumes the backup couples the data and compute together, like a system image or something. If the backup is just data and is somewhere else, you can just rebuild the compute infrastructure from a known secure state (which arguably may require rebuilding the entire compute environment).

Even if your backup does couple the data and compute together, if it's simply time based (not sure what other event you could use really, perhaps some pure probabilistic function), then it seems like you can just trick the environment that the time is something else to get back in.

The real underpinning issue is that this stuff breaks the state of the infrastructure and the business can't afford the downtime to go around and repair these issues.

If you have your infrastructure build out mostly automated, that automation is backed up, and critical data is backed up, then you can reasonably sidestep these issues (I supposed a real thorough breach might integrate the ransomware in this very automation system but it should be reasonable to root out). The other issue is of course if the intruders threaten to release private data (empkoyee and customer PII, financials, so on). There's also business integrity but that doesn't really seem to matter anymore.

First of all the goal is to make people not trust their backups. So they study and target the systems that do backups and restores. If you are separating data from systems, they have a number of tricks. One is to have the backup system corrupt data in subtle ways. Sure, you have a backup. But you can't trust it. And they make sure that you KNOW you can't trust it by pointing you at some easily verifiable corruption...and not letting you know what ELSE they changed.

But as for an event to use, what they can do is have the machine check a remote URI to see whether it should let the system run, and if it should then set itself up to lock things at a specified time. In order to restore that you need to have it starting on a network with networking to a system that has the attacker's private key to sign the request. This is not an environment that you are able to create.

The data corruption approach is devious and something I hadn't considered, but I also feel like it eliminates much of an attacker's advantage. The more extensive the corruption, the more likely it will draw attention, possibly to the ransomware itself, so an attacker would want to keep this to a minimum. In turn, a victim would probably choose to live with minor data corruption over paying a ransom, or at least I'd expect the payout threshold to greatly diminish vs the scenario where 100% of the data is held hostage.
Any source to support this assertion? Never heard from any professional security reporting that they actually do that, and sounds very Hollywood. Most cases I've heard about are dumb simple - just encrypt everything you have write access to and ask for money. You don't need a complex operation when a simple one brings the same amount of cash. These people aren't making a movie, they are making money, and less they have to work for it, the better. Simple is always cheaper and more efficient, in crime too.
How do you go about testing your personal backups? I find my own desktop is harder to verify than a server with automated tests
What I do is see if it can be read by an independent system. For example, many dvd players can read media files plugged into a USB port. Put some media files on your backup drive, and see if your dvd player can read them.
You have to have backup. You can't trust professional crooks, because - well - they're crooks.

If you are penetrated, it's not so easy as just restoring your data from backup. You have to sterilise the machines you are restoring to. And you have to sterilise the data you want to restore. CM automation can deal with the system sterlisation, but I don't know how to sterilise data without using human judgement.

Don't get penetrated.

The criminals already do often recommend firms to manage the payment and recovery process.
For a second there, I thought you were going to say they can call themselves a backup service.
If only there were organizations who weren't criminals at all and who could be paid by a company to maintain backups of the company's data.
It's a crowded marketplace, anybody who wants to succeed in there needs some growth hacking. Where in this case "growth hacking" hacking literally means hacking.
If only managers would perceive the money spent to pay such organizations as a necessity rather than burned cash
As randomware attacks become more prevalent I suspect managers’ impressions will change!
Why not just the prices up?
I wonder if this hurts their reputation.

If they earn a reputation of coming back for seconds...

Two things:

People fix things faster to prevent double dipping.

People opt to not pay the initial ransom if they’re going to be taken hostage again.

It’s a kind of tragedy of the commons where the commons are the potential victims.

It doesn’t even have to be the same attacker. The attacker could just as easily sell the info to another attacker.

Plus, if the original vuln used to gain access is still open, there’s no reason why somebody else doesn’t find it later.

Which vulnerability did the attackers use to gain initial access? Do the attackers disclose this along with decrypting the data? And are you sure they didn't leave a sleeper Trojan behind for later?
A few months ago one chat between hackers and the company was leaked. The hacker actually explained how to fix the vulnerabilities. On mobile but it should show up in google (think it was posted here on hn also)
This assumes the blackmailer is trustworthy.
They're becoming a file encryption service. No one can steal your files either because they will just get encrypted trash.

Though I suppose those thieves could also pay for the encryption key, or just go directly to the "service provider" for a paid copy.

I'm looking forward to one of them going public in a country where ransomware is legal lol, seems like they've got really solid ARR.
How the hell do people got hit with ransomware anyway? Do they not have offline nightly backups of critical data?
See my post in the peer thread.
I wonder if there are like Russian mob investors in these cybercrime "startups" and they also have to make decks that show YoY revenue / user growth. Lmao!
Well, to my understanding, fronting money in drug deals for a cut and interest is a common model crime already, so I would say it's more likely than you think. The only difference between VC funding and bankrolling the mob is one is legal.
Well beating up someone to death will bring you money once, beaing someone multiple times will bring you more money.

Ransom gangs are business oriented.

Meh, it looks like the ransom businesses have customer retention problem if only 80% stay.
Pay or not - you gotta fix security.

Outsourcing it to el-cheapo, offshore middlemen is not going to cut it.

I believe that's a big part of why governments don't negotiate with terrorists and police just stall for time in real world ransom cases.
Except that is a terrible analogy and has everything to do with a poor security culture on the firm's part because IT is treated as a liability rather than an asset.
I think the analogy is apt since both paying terrorists and ransomers is counterproductive.

If you pay the terrorists they just do it again. If you pay the ransomers they just do it again. And the payment increases their capabilities.

I think, except for rare conditions where a temporary need exists, it’s a net negative to pay.

But I think the security flaws that allow random ware typically are a sign of institutional incompetence so it makes sense they would also be incompetent to pay, and pay again, and pay again. Rather than to prevent the attack or to correct the flaw that allowed the attack.

This is an interesting dance. Which company has paid the most? Is it on the jira board every monday "remit darkside for db access"
I mean they just proved that they are willing to pay the ransom. If they are also unwilling or unable to clean up their shop and keep it from happening again, it surely will.
It is almost like the groups hacking them are providing a good service. If they get hacked once, shit happens. But if it happens multiple times then someone should probably answer for it.
(comment deleted)
"We don't have money in the budget for backups. But we do have money in a different budget for ransom payments!"
The responsibility lies at the nation-state level, and the clear decision is for Governments to ban the formal exchange of cryptocurrencies.

As soon as this occurs, ransomware events will collapse since the ransoms will become unpayable.

The negatives of cryptocurrencies (ransomware enablement, chip and electricity shortages, scams) clearly outweigh the positives at this point.

Cryptocurrencies are decentralized. It would have to be banned literally every country in the world for them not to be able to use it and convert to a non-digital currency. Good luck with that.

And I'm sure they'd just invent or go back to some other method -- possibly riskier and more violent -- so they can continue to ransom money from people.

> Cryptocurrencies are decentralized. It would have to be banned literally every country in the world for them not to be able to use it and convert to a non-digital currency. Good luck with that.

The effect would not come from the criminals being able to cash out, it would come from the company not being able to cash in. If cryptocurrency were to be banned and public exchanges were closed purchasing cryptocurrency to the tune of millions of dollars worth becomes practically impossible for a regular company without connections in the space. If the company is not able to pay the ransom, the entire venture is pointless.

> And I'm sure they'd just invent or go back to some other method -- possibly riskier and more violent -- so they can continue to ransom money from people.

Sure, there will be other methods of transferring some amount of money. To the tune of millions of dollars, though? Unlikely. Cryptocurrency enables these companies to pay ransoms of this amount. Without cryptocurrency you might be able to ask for a 50K ransom instead of a 5M ransom, but that reduces your payout by 100X. 5M is enough to retire from. 50K is less than the yearly wage these people can make.

It's not like ransomware didn't exist before cryptocurrency, we know what ransomware without cryptocurrency looks like. What cryptocurrency changed is the scale of the payout. Instead of getting a few thousand dollars in gift cards the hackers are now rewarded with millions in bitcoins. It is hard to deny that the change in incentives caused by cryptocurrency is the primary driver behind the huge increase in ransomware attacks in the last few years.

Crypto can work peer-to-peer even with fiat echanges shut down.

Sure, it would be more difficult if crypto is illegal, but I think because of the difficulty of getting it, crypto prices would skyrocket.

Everyone will also move to using the privacy coins too. So, banning crypto might actually be beneficial for it as it would incentivise crypto projects to improve privacy and decentralization even more.

A ban won't stop people from using it or developing it in their homes.

> Crypto can work peer-to-peer even with fiat echanges shut down.

Sure, nowhere in my post do I deny that an underground market won't exist. In fact, I directly hint to the fact that it will exist. What matters for this problem is how easy it is to buy $X million worth of bitcoins for a company. Currently this is easy. If you have $X million in your bank account, you can go to one of these exchanges and buy $X million worth of bitcoin.

With the exchanges shut down, how would a company buy $X million worth of bitcoin? Where do they go? How do they not get scammed while doing so? It's not like companies can easily move $X million to another country where it would be legal to buy crypto either. After all, if they could move money in a bank that easily, crypto would not be required at all for the purpose of ransomware. They could just move the $X million directly! People use crypto for ransomware because it is not so easy to move money of this magnitude.

> Sure, it would be more difficult if crypto is illegal, but I think because of the difficulty of getting it, crypto prices would skyrocket.

That seems unlikely. A bank run seems the most likely scenario with a massive drop in price being the result, even if only a few high-impact regions would make it illegal (e.g. the US and EU). Regular people and large investors would cash out almost immediately upon hearing the news. Why would regular people want to own an illegal currency that they cannot trade for anything besides maybe drugs on the black market?

The reason the majority of people own crypto now is not because of the utility - it is because there are legal crypto exchanges that they can use to trade them back to the actual currency that they use (generally dollars or euros). If people have to go through illegal networks in order to perform these exchanges (and remember, exchanges for fiat money would be illegal and hence risky) the entire value proposition is lost.

> Everyone will also move to using the privacy coins too. So, banning crypto might actually be beneficial for it as it would incentivise crypto projects to improve privacy and decentralization even more.

I wouldn't even propose banning cryptocurrencies entirely. Shutting down the exchanges and banning the trade of cryptocurrency for fiat seems more than sufficient for this purpose. Cryptocurrencies can continue to exist on their own and perhaps find a use/purpose of their own. The back-and-forth exchange for fiat is what is problematic.

This might even be good for cryptocurrencies as a platform, as the focus would shift back to the underlying technology and its use cases rather than the investor crowd that doesn't give a shit about the technology and only cares about making a quick buck.

> A bank run seems the most likely scenario

Sure, there would be an initial bank runk, but a ban would also have unintended consequences such as making coins more scarce, thus unintentionally driving speculative demand and cause people to turn to the black market, especially if there are bank runs on fiat itself (I know, extremist, but you never know - I've personally eyewitnessed a national currency imploding once).

> This might even be good for cryptocurrencies as a platform

I guess we have something we agree on. Also a ban would encourage more activism and push cryptocurrencies to their full potential (of side-stepping the bans by going to fully decentralized exchanges and peer-to-peer) and weed out a lot of the snake oil in the space.

Do I see a ban to be successful for what what it intends to do? Maybe temporarily, but in the long term it will fail and backfire.

If you believe banning cryptocurrencies will suddenly stop ransomware, then I have a bridge to sell you.
There is an easy fix here: make it illegal for companies to transact in crypt currencies. Then they would have no way of paying a ransom without engaging in illegal activities. This would destroy the ransomware business model.
Then you hire the services of brokers that don't have the same compunctions about transacting in crypto. And even if you were to magically erase all cryptocurrency from the earth, it wouldn't still stop ransomware, or the same state sponsored actors would gravitate towards even worse things.

It's like nobody has learned a thing from the war on drugs, my point being: you deal with the root cause of the disease (infosec in most companies and even government offices is a joke and bad people have taken notice), not playing whack-a-mole with the symptoms (crypto use) that hint towards systemic decay.

The root cause is the blackmailers/thieves committing the crime, not that the crime was easy. Addressing the root cause might include things like improving education and reducing poverty. That in combination with a bam on paying ransoms would likely reduce these crimes.
There was ransomware before crypto currencies. There will be ransomware after crypto currencies.
There was? How did it work? Bank transfers?
Ever heard of corporate kidnappings?
Yes, actually, people overestimate the reversibility of wire transfers. And before cryptocurrency, there were still shady money services such as Liberty Reserve or Perfect Money with little qualms about their habitual clientele.
(not saying I think this is a solution, but...)

If the goal is to stop companies from paying ransom, then why not just make that illegal?

Better yet, add a 200% tax on top of ransom payments. That will tranfer the profits to the government. The attackers will know that the ability to pay is cut to 1/3.
In the theoretical universe where banning crypto is possible, yes it would stop almost all ransomware of the scale we see reported in news today.

There's just no other form of payment which would work for them. You can't easily go "can I have $50k worth of giftcards" and on the receiving side you can't easily validate or sell millions of them without tanking the value. Any kind of wire transfer would expose the source immediately at that scale. There's only so much money you can move through services that give you kickbacks of various kinds. What else is left?

Basically unless ransomware teams know of a new really good way of laundering money without a trail, or are happy to take a massive pay cut, that would be the end of most of their operations.

>...theoretical universe where banning crypto is possible...

Money grows on trees, there, too.

I'll bet you dollars to donuts that if you made crypto illegal, there's still a whole lot of countries that won't give a shit and the problem will only get worse.

All these situations are nebulous and complicated, something as simple as legally banning crypto is not going to solve the problems.

Suitcase full of gold coins delivered somewhere in Russia would be an easy replacement for crypto coins.
That doesn't sound easy at all.
This view is similar to saying things like "The terrorists and the media have a symbiotic relationship and the media is responsible for enabling terrorist attacks, therefore let's ban the media".
Ah yes, we should outlaw the ability for people to send money to each other and have civilization take the burden of incompetent corporations that can't be bothered to follow basic infosec practices (let alone whatever product they are selling in the first place is probably garbage and has no value beyond monopoly).
The ransom side is already a crime, and it being labeled a crime doesn't stop it from happening. Laws don't prevent crime.
Anyone else think we should make it illegal to pay ransom?

These people are just financing the next generation of cyber criminals.

Once people stop paying, people will stop attacking.

I think we should actually legalize ransomware. By that I mean create a government-ran national bug bounty program. All companies of a certain size are automatically included in it. Bounties are awarded based off severity, and bounties are paid for by fines to the companies hit.
Interesting idea. But what you're describing is absolutely not "ransomware."
Yes, because criminals definitely follow the law.
No, you become a criminal by paying. You continue not being a criminal by not paying.
No. Not with profit margins that high compared to operational cost, it would not be an effective deterrent. They will just continue to hit as many targets as possible. You would end up punishing the victims. What if they target some really critical infrastructure, where it would be rational to just pay and then fix the holes? Seek exemptions from law for each?

But it would be very interesting to see if the ransomware gangs can devise a scheme that gives the payer plausible deniability.

“Never negotiate with terrorists” is a simple and clear mantra, and as most clear and simple concepts it hides a lot of assumptions.

One of them is you are ready to lose the hostage in the worst case scenario. That’s how the police sees it, because the society benefits more from being firm in individual cases than losing a few of its members that might not come back anyway.

That’s a hard one to swallow, hard enough that govs also sometimes can’t follow the mantra and just pay the ransom.

It’s crazy hard to get people to sacrifice themselves for the better good, it’s yet a bigger ask for corporations who already screw the public day in day out.

Never negotiate with terrorists is only a thing because it puts you in a stronger negotiation position.
And it's just posturing. I'm sure the US negotiates with groups it labels as terrorists through backchannels.
Literally every government says this publicly, and then negotiates privately.
From the perspective of the individual, there is no greater good than defending one’s self.
Hardly. There are many philosophies that argue that the greatest good lies with how we interact with the other.

And on a purely primal level it's common to prioritize one's offspring over one's self. I think most cultures recognize this intuitively.

I’m not arguing philosophy. I’m arguing how absurd the statement “it’s crazy hard to get people to sacrifice themselves for the better good” is, as if OP would sacrifice his or herself for anyone here they didn’t know.

What a grand delusional statement, like the sibling comment here. It’s literally arguing moral superiority while ignoring pragmatic reality.

Maybe you watch a little bit too much television, but there are plenty of spouses out there who would, for example, not want their wife to die in childbirth if they had the option.

If you don't see the chasm between "people should sacrifice themselves for the greater good" (which I'd generally disagree with, particularly if you're not defining what the greater good is) and "there is no greater good than defending one’s self" then I can't help you.
(comment deleted)
What an absurd statement, to just say unequivocally, ignoring the plenty of philosophies and ethical systems have disagreed entirely with that.
Yeah, totally absurd. Would you sacrifice your life for the strangers on this forum? Let me guess, no? Huh, wild.
Wait, so you think that defending anonymous strangers from the internet is an exhaustive set of circumstances where one might risk their life?
(comment deleted)
I tried to put it in a neutral way, and I think it’s a far from a black and white issue.

Not to go too sideways, but hostage (with humans, not data) situations are typically about other people. When you’re the target, it’s not your life on the line, but your loved/valuable ones. So you’re not defending just yourself, you actually have to care about at least someone else to have it happen to you. And some care about a lot more than just their loved ones, they’ll also think about their friends, family, sometimes the rest of the society.

Everyone is different and there is no absolute best, but let’s at least recognize it’s complex and there’s lots of ways to think about it.

I mean couldn't government pay the ransom and then go great lengths to track the suspects and send special forces after them? Surely US govt. has the ability to track almost anyone.

Having US govt. on your ass should a decent deterrent.

Just take a look at how hard FBI came down on cartels and individuals who were involved in killing Enrique Camarena. Cartel leaders were arrested in Mexico and several individual in the US.

That introduces a scale problem. Even for the US.
It appears that some of the major ransomware gangs are operating from Russia and are tolerated by the government, as long as they don't hit domestic targets.

The US cannot really send special forces there without risking a massive escalation.

I'm sure the US has hundreds of spies and personnel in Russia at any point in time.

But sending a spy to a software developers house and assassinating them probably isn't going to stop the problem - more people will spring up doing the same.

We might not though. We don't even have a main diplomat there.

Russia has always been notoriously hard to spy on.

I would not be surprised if there was only a handful of well placed assets and most of the spying being done electronically.

No, but the people operating in Russia like to travel elsewhere, and do.

Also, the US and allies can enforce Russian AML laws as written on paper. If, say, the UK freezes all of Oleg Deripaska's assets there, Vova will absolutely get the message. We're not going to bring down the Russian government with military force for a million different reasons, but doing it with sanctions and prosecution is a totally different story.

When they do US gets them. That happens from time to time, if you watch the news, you notice there are guys caught periodically who thought it's time for a nice vacation in Spain resting from their criminal activities... only to be picked up in the airport. However, the smarter ones stay put inside Russia and those are hard to get.
Best example was when VW's Oliver Schmidt was arrested in Miami as he was changing planes. He was in trouble from the emissions fraud scheme.
Yup, for example that credit card frauder who went to the Maldives..
The US government has negotiated with the Taliban (a formally designated terrorist group) for prisoner exchanges.

https://www.bbc.com/news/world-asia-50471186

The "don't negotiate with terrorists" is itself a negotiation tactic meant to lower the attack surface of any entity.

It's the sort of thing you say publicly, but then privately you settle with your adversary.

Absolutism is never a useful tactic.

Yes, but getting your opponent to believe you will take an absolute position is often the most useful tactic.
> Absolutism is never a useful tactic.

That sounds pretty absolutest.

I absolutely never always disagree, most of the time.
Everything in moderation, especially moderation.
Taxation works exactly like this.

You might even want to establish an isolated society, but if you try, good luck dealing with the IRS.

I don’t think this mantra was ever anything more than a meme. LE always negotiate, this mantra is designed to just better their negotiating position
> “Never negotiate with terrorists” is a simple and clear mantra, and as most clear and simple concepts it hides a lot of assumptions.

This has nothing to do with that idea.

The reason the orgs paid the random once was because they had a severe lack of backup and other data safety protocols in combination with a vector to be infected (from all what we know, the latter is common and difficult to avoid): paying the ransom is likely their only choice to maintain the business.

It is not surprising at all that these orgs can and will be infected again, and will continue to show a lack in the security and data safety departments, and so they will continue to pay ransoms.

It's sort of an inverse survivorship bias: if you get infected once because you're susceptible, you're likely to get infected again unless you fix your susceptibility.

It has from a certain angle: For society/the internet as a whole it might be better for no one to pay the ransom at the cost of some of them perishing. The ransomware attacks would become unprofitable and would eventually stop. But to assume any organization wouldn't pay the ransom if its survival depends on it is obviously unrealistic.
I think that mantra does work here.

I would be totally fine with legislation making it illegal to pay in the case of ransomware attacks. Some companies might be completely destroyed by an attack that they can't pay off, but that is for the greater good of society: if criminals know companies have a low probability of paying since they're legally barred from doing so, they're less likely to target them.

When they hit a hospital, what is the hospital supposed to do? Not negotiate, for some "greater good" and let patients die?

https://threatpost.com/ransomware-hits-hospitals-hardest/162...

They’re supposed to back up their data and set up proper contingencies. By failing to do so, they are already putting patients lives in the hands of the encryptors.
Yes. Of course they were supposed to do so, then. But they didn't, and now they've been hit. Now, in the real world, what are they supposed to do: pay, or hold out and let the patients die as punishment for the hospital's mistakes?
Let the patients die. That’s on the hackers hands, not the hospital. Additionally, you’re making a huge assumption that the hackers are willing to escalate themselves to mass murders, which is a big leap most criminals aren’t willing to take.
> Of course they were supposed to do so, then. But they didn't, and now they've been hit.

In order for this to be a useful tactic, there needs to be no defection. The only way there can be no defection is if the legislature prohibits defection.

At that point, the hospital is on notice that they have to apply adequate security measures against this kind of attack. For instance, hospitals normally have power supplies that are capable of getting them through foreseeable blackouts. If they're going to rely on computer systems in the treatment of patients, they had better make sure they're secure. Right now, today, it isn't a surprise.

And the hackers are on notice that they are effectively killing the patients. The hackers are after the money. If the threat of death will get them the money, they're all for it. If it won't, they'll move on to a country where it does work.

I am sure an IRL hostage situation alrrady happened at an hospital, so we could have the answer in a variety of cases.

My opinion would be the hospital should open up to the police and accept their fate whatever the outcome. The gov./police makes the calculation of the impact of X people dying a very public way, the Y amount that is requested, and the ton of other wildcards (e.g. can we catch the gang now ? after the ransom is paid ? void the ransom some way afterwards ? limit the number of death in other ways ? what will the other victims take away fom this case ?).

At the end of it there should be a custom approach to that specific situation and not some blanklet policy application.

This also assumes a cooperative and somewhat decent police force, which might not be the case everywhere (but then I think we're screwed anyway)

Until your own child or spouse is held hostage or sequestrated. You will negotiate.
"“Never negotiate with terrorists” is a simple and clear mantra, and as most clear and simple concepts it hides a lot of assumptions"

The word 'terrorists', for one. It's mostly used to mean 'my opponents' these days.

What we are facing with ransomware is not insurrectionists or protestors, but gangsters. They make their living by stealing from people, cheating them, and threatening them. Many insurrectionists are honourable people that you can safely make a deal with. There is no gangster with that property.

Take backups, test the recovery procedure, don't make bargains with gangsters.

> who already screw the public day in day out

And then everyone clapped at the high-brow analysis.

It’s not really about sacrificing people for the greater good. Negotiating has high externalities that include future murders. Like all externalities, the involved people don’t give a shit.
Does it really surprise anyone that criminals would (re)target a place that paid out quickly and made their "jobs" easier? The aim is to get paid as quickly as possible with the least complexity and move on to the next target, is it not? If you're a freelancer and you have 10 clients and 8 always pay within 14 days of invoice and the other 2 let it drag on 90+ days and having to send out "reminder" letters, who do you favor doing business with?
According to a study by Cybereason, which sells endpoint protection software.
One has to wonder if Cybereason measured the 80% figure from their own clients - endpoint protection is the lowest form of security.

Alternatively, Cybereason are probably in a really good position to snarf passwords and then parallel construct an attack from a third party who gives a few major individual shareholders a kickback.

Does endpoint security even work?

Ransomware attacks are multi-round games.
There is no honor among thieves.
(comment deleted)
See also: why people who want to pay to not see ads are ideal ad targets.
The amazing part is they allowed themselves to get hit again. You'd think these organizations would tighten security after the first one...
Once they are in, who knows what back doors the installed
(comment deleted)
I wish this said how many of those hit again also paid again. I find it easy to believe that you could be hit twice in a row despite your best intentions, but hard to believe that you'd need to pay the second time if you had established a backup solution.
Rudyard Kipling explained this:

---

But we've proved it again and again, / That if once you have paid him the Dane-geld / You never get rid of the Dane.

--- https://www.poetryloverspage.com/poets/kipling/dane_geld.htm....

By paying, you’ve just proven that you are a profitable target to hit.

I'm from Dublin. We didn't pay the Danegeld, and in retaliation they built a city.
Could you explain that a bit? :o
Danes/Vikings established Dublin, and Irish urbanism generally. They're like our Romans.

I was just throwing some complexity into the Danegeld narrative.. not sure what it means in terms of the metaphor. Maybe ransomware hackers eventually build operating systems?