I think forced reporting is a great idea, and a payment ban is an excellent idea. Here's why. A rational and responsible company that had invested wisely in its own IT infrastructure should not be under threat of a ransomware attack. If proper measures have been taken and they do come under attack, they should call on law enforcement to track down the adversary and call on public resources to mitigate the attack, all of which costs taxpayer money.
As it stands, companies have incentive to cover up attacks because they won't invest in proper security. To an individual company, that's shortsighted and costly; to the country, in aggregate, it's both a national security threat and a huge drain on public and private resources which end up going to the worst possible place - to bolster scammers abroad.
The government is well within its right to prevent large cash or crypto transfers overseas, even in normal circumstances. Ringing this bell will force more companies to take measures to shore up their rickety systems.
There are 6-figure jobs aplenty out there to go into ABC Valve Manufacturing, rip out all their Win95 boxen and tell them what to buy, set it up and secure it for them.
While I agree with the sentiment around not paying, I don't think it's as simple as that. Calling on law enforcement to "track down the adversary" is not easy, and when you track it back to a random Russian cybercrime group what can you do with that information?
A lot of these payments are not fortune 500 companies with unlimited IT budget, it's small or medium businesses with a 3 person IT team. Should they have proper off-site backups? Yes. Should we just let these companies go out of business until organizations learn their lesson? I would say no.
I really like the idea of making payment more difficult and mandating organizations to report these incidents. You're correct, companies do have the incentive to cover things up. Banning payment won't stop that.
I'm interested to see how people will circumvent this if the bill passes. If you pay a third-party company who "deal with the issue" on your behalf, all under legal privilege of course, would you still need to report?
> Should they have proper off-site backups? Yes. Should we just let these companies go out of business until organizations learn their lesson? I would say no.
Can you expand on that? Bad management leading to criminal interaction seems like something we'd be better off without.
An organization going out of business isn't just a case of bad management being eliminated.
I wrote that line thinking of the clients I've worked with who've been hit by ransomware and didn't realize IT were not doing their job until it was too late. In some cases it's a failure on their part - not investing enough time or resources and seeing IT as "the guy who installs windows". More often than not, they were assured it was taken care of. I don't expect a manager of a car dealership to know if their Exchange server is running recent patches. If companies like SolarWinds and Kaseya can get popped and compromise their downstream customers, think of the number of small MSPs causing that same issue every day. I don't think a business should go under with people losing their jobs because IT screwed up.
We would be better off without leadership who take no interest in security, and once a company is hit with a 100k ransomware bill you can bet they'll care going forward.
> More often than not, they were assured it was taken care of. I don't expect a manager of a car dealership to know if their Exchange server is running recent patches.
You're not wrong, but would the same dealership be as blasé about the assurances from their accountant that all their taxes are being paid?
Certainly no one can be an expert in everything, but regular audits from third parties of one's business at semi-regular intervals is prudent. We call in an external IT security auditor regularly ourselves to make sure we're not missing things and still following best practices.
>Certainly no one can be an expert in everything, but regular audits from third parties of one's business at semi-regular intervals is prudent. We call in an external IT security auditor regularly ourselves to make sure we're not missing things and still following best practices.
You're absolutely correct, up to a point.
As an InfoSec professional, I've been on both sides of such audits. Sometimes they're quite good. Sometimes they're awful. Usually, they're somewhere in between.
What's more, just because an audit has been performed (even a really thorough one), there's no guarantee that the recommendations will be applied, or even if they are, that they will be applied competently.
Leaving that aside and assuming that everything is done properly and thoroughly, regardless of all that hard work, it just takes one non-technical resource to click one link, and ransomware could be loosed on your network.
There are, of course, mitigations and, hopefully they are all in place and just the one desktop/laptop system is compromised.
All that said, many organizations don't have the time, money or expertise to properly secure their environment, let alone bring in outside auditors.
Medium/large companies with such resources should absolutely do all of those things. But the vast majority of companies in the US are SMBs who likely don't have those resources.
I'm not making a value judgement either way about the value of mandatory reporting, but I don't agree with your assessment.
I'm a one-man IT show for a few small- and mid-sized companies, and I had to manage an incident a few years ago where one of the companies was taken down for several days under a massive dDOS attack. This was accompanied by a ransom email to me. I disclosed the email to the company owner and he asked if we should pay it. I told him I wouldn't pay it if he ordered me to. I was sleeping on the floor for an hour at a time - the host handling the dedicated server basically said we had to go and threatened me that I would have to pay for their downtime, and the attack was large enough to shut down their connection to the transatlantic cable, so I had to fight around it for 48 hours while trying to quietly exfiltrate our data off the server through another one I had in Europe at the moments I could connect. I was contacted by the FBI and ultimately they found the assailants and one of the people behind it went to prison for a couple years; I got a judgment against him for my cost mitigating the attack (although it's symbolic, obviously. I'm sure I won't see a dime of it). He was just some schmuck in Florida.
TL;DR - if everyone refused to pay there would be no profit in it. And if everyone had to have IT staff who were competent, or worry about being fined for malfeasance, there would be no question of paying a third party to deal with something quietly. It's right and proper that authorities get involved. Even if they do find it's some troll farm in Russia, they can sanction and block in a way that small companies cannot. It's one of those situations where you stand together or die separately.
>if everyone refused to pay there would be no profit in it
Of course it's very saintly of you to refuse to pay, but often not paying is a very bad business decision. You can be sure that enough people will pay for your refusal to not make any difference.
It wasn't for saintly reasons; I saw clearly that it would do no good. If we paid, there was no guarantee the attack wouldn't come back the next day. It would solve nothing - actually, it would be worse because it would put us at their mercy. If we couldn't overcome it, get back online and block the next attack, then I didn't deserve my job and the company would have been better without me. Paying wouldn't make the problem go away, it would have made it infinitely worse for me.
Still, the GP's point stands. Especially as attackers create a "brand" and establish trust -- if a few quick searches show other people reporting that they paid and things were restored, then you can bet people will feel much more at ease with the idea of paying and actually being left alone after. When a business depends on it, when data loss is at play instead of just downtime, even more so. People will pay.
I think paying is a dumb move, regardless of the "brand" of extortionist you're dealing with. It just signals that you're a mark. It might briefly make an executive's life easier, but it'll come back and bite you.
I didn't refuse to pay because I thought it would be inspirational or set an example or bla bla bla. It was because I'm not a dumb mark, and I'm not going to let my clients be. And personally, I'd rather burn my house to the ground than let someone rob it.
>"And personally, I'd rather burn my house to the ground than let someone rob it."
That is your personal choice and you're more than welcome to go up in flames if that is what you wish. You should have no rights however to force your personal choice upon the others. They might have a different perspective.
Yeah, but this just completely detached from real life. Companies will always pay, even if you make it illegal, companies will still pay.
Will fewer companies pay? Sure. Does it matter? No. Ransomware gangs wouldn't go anywhere even if their average payments got cut down by 90%, and the stuff they might switch to (BEC) isn't going to go away either.
Maybe, but even if just a few don't pay, they will do other things. The attacks ransomware uses will become harder and harder to exploit. (already it is a lot harder than 20 years ago). More things will be invented to prevent them in the first place. Maybe formal proofs of all code? There are a lot of things that companies who aren't going to pay will start demanding of their vendors who they will pay.
> Maybe, but even if just a few don't pay, they will do other things
You're joking. There are already many who don't pay, payment rates could fall by 90% and it wouldn't slow them down a bit. You clearly have no idea how hugely profitable ransomware is.
If less companies pay, the ransomware operations will just scale up their customer support teams and further automate deployment. This really isn't going to be a problem for them.
> Maybe formal proofs of all code? There are a lot of things that companies who aren't going to pay will start demanding of their vendors who they will pay.
Haha. Funny. Have you ever worked with formal proofs in a software context?
> There are already many who don't pay, payment rates could fall by 90% and it wouldn't slow them down a bit. You clearly have no idea how hugely profitable ransomware is.
You misunderstand. Those who don't pay still have the problem. They will invest in solutions. Some (like good well tested backups) only affect them, but others like hardening software make it harder for ransomeware to get anyone in the first place.
> f less companies pay, the ransomware operations will just scale up their customer support teams and further automate deployment. This really isn't going to be a problem for them.
True. Though the less companies that pay, the more examples of not paying get out there and so the more likely it is other companies will get good protection for themselves.
Probably not enough to really affect profits too much, but still helpful to limit the amount of investment "big evil" can afford to do.
> Have you ever worked with formal proofs in a software context
Just a little bit. I'm looking to work with them more because for my area quality is important and we have reached the limits of what unit and manual testing can do. (but not the limits of other automatic code analysis which I'm also looking into)
>You misunderstand. Those who don't pay still have the problem. They will invest in solutions. Some (like good well tested backups) only affect them, but others like hardening software make it harder for ransomeware to get anyone in the first place.
Even those who pay are also investing in solutions, but the reality is that throwing money at this isn't going to make ransomware go away. Billions have been poured into this, and billions more will follow. What does that money get us? Mostly snake oil antivirus products, and big full page ads in the Economist for said snake oil products. I can't imagine that we're going to see significant results on a timeframe that you'd consider acceptable, maybe in 20 years.
>True. Though the less companies that pay, the more examples of not paying get out there and so the more likely it is other companies will get good protection for themselves.
>Probably not enough to really affect profits too much, but still helpful to limit the amount of investment "big evil" can afford to do.
Honestly, I think stories of companies paying out huge amounts has more of a chilling effect on ransomware than stories of companies refusing to pay. The huge ransom payment gives everyone a concrete number to be afraid of, a refusal to pay is a non-story unless it causes devastating damage to the company in question.
>Just a little bit. I'm looking to work with them more because for my area quality is important and we have reached the limits of what unit and manual testing can do. (but not the limits of other automatic code analysis which I'm also looking into)
The problem here is that you will never be able to produce a useful formally proven general purpose desktop software stack that would present meaningful advantages over current systems. Formal verification really only works for very simple pieces of software, and in any case, formal verification is only as good as the model you are verifying against.
We're not going to see formally verified web browsers, nor are we going to get a formally verified microsoft office suite.
very telling how the "real" people fight over how much they can deny any and all "saintly" motivations ; edit- apologies to noduerme who appears to have dealt with a serious situation respect .
second thought - here in the USA in the mid-2000s there were waves of identity theft and also mortgage fraud.. massive waves, very large numbers of accounts and even larger dollar amounts. I believe it was BANK-related employess and USA-based people who knew the credit system, performing quite a bit of all of that, with eyes open! the reputed phrase was "you wont be here, I wont be here" about the consequences down the road.
Sure, name-your-enemy Eastern Europeans are caught doing these things, outside of the reach of the casual US law.. but is it ONLY outsiders? or, you just dont know how badly your own money system employees are stealing from you now.
It's a "meme". Unless you refer to the really badly google translated screenshot, in which case yes, but I've now learned sufficient Russian that it's easier for me to read without.
>why do you have those screenshots?
I follow a bunch of these forums for intelligence gathering purposes. There are companies paying ridiculous amounts for a few of these screenshots and a little accompanying text, it's apparently called "threat intelligence".
There are countless reports, studies, Gov intel briefings, even whole books, all pointing towards Russia and neighboring countries being a huge exporter of these style of attacks. I'm not saying ALL ransomware is from that region, but the industry agrees that a huge percentage is.
Do you have something to the contrary, or is this just a hunch?
my interest in this is more on the "saintly" side, so please take all my comments as naive
It appears from a casual read of spy-versus-spy sort of documents, like tell-all books or dramatic movie scripts, that "false flag" is a standard play, since forever. Second, mysterious enemies that speak in unintelligible tongues, are the perfect cover for any institution failing its own constituents.
My experience in life is that money people are attracted to money jobs which then handle money with imperfect rules. Experience also says that business is often a dog-eat-dog world where company loyalty is repaid with termination or lower wages. When confronted with the dichotomy of "thats just business" alcohol and pain-killer abuse are common responses of an injured individual. Multiply that by thousands and mortgage pressure, kids college pressure, or just skid-row entrance behavior, and you get "corruption"
creative examples from the 2000s when aforementioned mortgage fraud ran like fire through the USA: a middle-aged immigrant meeting discreetly at a restaurant, discussing with a colleague a long-term siphoning and fraud scheme, gets back into their mid-range luxory car and goes to their suburban home in the USA; an alcholic single-mother forges a few signatures while on ordinary day duty with no one watching; an up-and-coming sales guy with a sports background wants to "level up" on their property purchase next year.
I do understand that non-US people, non-English speaking people, do run blatent scams. I myself have caught a PHP hook script on a server I ran, which pullled from some Bulgarian hacker board, an infection via a single ID number, like a menu. Of course that is true! but I object to fueling prejuidices by nationality, of people.. human beings.
Most humans are innocent of all of this activity. Yet, almost every single Western adult must have money in an account somewhere. The fundemental divisiveness of the Western monetary system, now under pressure from lockdowns, retirement and health problems, appears to me to be reaching East Germany levels, and I object to wholly and readily attributing this to "outsiders"
> Of course it's very saintly of you to refuse to pay, but often not paying is a very bad business decision. You can be sure that enough people will pay for your refusal to not make any difference.
And this is something where the law can help. Paying a ransom in these kinds of situations needs to be a felony. The punishment needs to be dealt to everyone who acted or knew and didn't report, and it needs to be harsh enough that even in the worst cases people would rather call the cops and report than risk it. (Or, at least some employee in the organization would report it and save their own hide than risk it to protect their boss.)
The ramsomware crisis is really bad now, and it keeps getting worse. It will not stop getting worse until the money dries up. Small businesses cannot be expected to have the level of IT knowledge that they absolutely can't be hacked. The reason they weren't victimized before at this level was that the money wasn't there. There are enough places in the world where the authorities will look the other way (or actively cheer on the criminals), meaning this will not end until the flow of money is stopped.
If you want to mitigate the losses caused by ransomware gangs, create a subsidized insurance system that helps the victims. Just, that insurance is not allowed to pay off the criminals, just help the business get back on it's feet.
Companies would still pay even if making ransomware payments was a felony. The ransomware gangs would not go away, companies would just have a bigger incentive to hide ransomware attacks.
These groups aren't going to go away even if 95% of companies suddenly stopped paying, deploying ransomware costs next to nothing. There's also a huge incentive for ransomware actors to punish this sort of regulation.
> The ramsomware crisis is really bad now, and it keeps getting worse.
How come everybody is crying about the "ransomware crisis", but you never hear about a "BEC crisis"? BEC losses are bigger than ransomware losses, and they keep getting worse.
> when you track it back to a random Russian cybercrime group what can you do with that information?
Having solid evidence of state-sponsored (or egregiously tolerated) criminal attacks on Americans is the first step to building will to launch (cyber) counterattacks, or at least credibly threatening them.
ABC Valve Manufacturing is running on a 6% profit margin. That cost wipes out their entire profit margin for the year. (They are competing against people in other countries without the same constraint.)
Now, perhaps this is an upstream problem. Perhaps the problem is that we have built systems that are nigh impossible to secure for small businesses. Perhaps we need laptop computers with no USB slots (no external keyboards.. no external mice.. no external monitors..) and no ability to install anything without going through an app store.
This company (that makes its own operating system) also will tell you exactly the systems you can use. Everything is certified by this company to be secure and you pay them a yearly protection racket fee to assume liability. In return, you have no control over your computer. Very strict internet filters are on these computers - no stack overflow, no hacker news, just the systems that the business has paid for.
This sounds dystopian to me. I'd hate to work there. However, that's literally the only solution I see for many businesses, because the current IT system is failing us.
This is of no utility until the DoJ and courts start punishing corporations for breaking laws and regulations in some meaningful way.
Right now, even egregious violation of regulations results in a trivial financial payment and the charges are put on the shelf - and forgotten about if the corporation "behaves." In theory. In reality, companies can keep breaking the law, violating those agreements to 'behave' - and the DoJ / courts never pursue the matter.
you seem to be mixing up reporting regulations with the "we both know you did something shady but it was likely not explicitly illegal back then, so let's not go to court and waste each other's time, but let's never try that, and for this courtesy you pay us a few billion USD, mmkay?" deferred prosecution agreements.
reporting regs are clear (clearer at least) than the other stuff.
The irony of all of this is that the finance industry is providing all the liquidity for bitcoin so that their ransomware payments are actually worth something.
There’s a vast industry of people supplying services to cash out illicit wire transfers. The complexity depends on the amount.
For individual amounts below 20-30k (craigslist scams, etc) you’ll be looking at personal bank accounts, usually created with fake IDs, but also sometimes using victims of various hiring scams. The fees you pay will largely depend on the country around 50% for US accounts, 20% or so for EU/UK accounts.
For slightly bigger amounts (fancier craigslist scams, BEC) up to a quarter million or so, you’ll see lots of pretty plain corporate accounts. The fees remain pretty much the same.
For the huge amounts (pretty much just BEC) like 5 million usd or more it starts to get complicated. At this point you begin to see offshore accounts for the first time, Hong Kong or just straight up PRC. But anything is possible, even US accounts can be arranged. Often someone will take over an existing business and their bank accounts, and then quickly run millions through them. At this level it’s hard to give an estimate on the fees, they are negotiable.
Ransomware predates crypto. It does not rely on crypto, crypto just has some superior characteristics which make it attractive to both legal and illegal ventures. Criminals regularly adopt new tech faster than businesses as they are naturally less risk averse. The implication that someone or some industry is acting antisocial simply because they utilize a tech that criminals also utilize is short sighted.
Sporadic instances of ransomware predate cryptocurrencies. However, ransomware didn't start becoming dominant until the early 2010s, with the rise of Bitcoin. Before then, building a botnet was the profit motive for most viruses.
Ransomware might end up costing in the hundreds of billions a year (according to some random security blog I googled just now, point is there's a lot of money at risk here). Are you implying that without an easier way to move wealth around criminals are just going to leave billions on the table? Seems unlikely given todays criminal landscape of global sex trafficking among other far more difficult crimes to pull off than moving fiat around undetected.
I'm sure it's just a vocal minority but this implication I keep happening across that ransomware would drastically decrease without crypto around seems rather obviously false. As mentioned, sex trafficking still exists in high quantities and possibly affects less money than ransomware. Certainly both types of crime move billions of dollars yearly.
edit: further - I would suggest trying to shame people out of their desire to buy crypto is as fruitless as the war on drugs. Crypto is here and it's here to stay. It's every bit as impossible (if not more) to regulate out of existence as drugs. If this is true, it seems rather toxic to blame (implied or otherwise) the prosocial players in crypto (which represent the _vast_ majority) for the bad apples.
> Are you implying that without an easier way to move wealth around criminals are just going to leave billions on the table?
That's what they did before that way to move wealth appeared.
And by the way, it didn't increase because bitcoin is easy to collect, but because it's easy to trace. Before bitcoin, the ransomware author would never actually decrypt the data after they were paid. That's the main difference that made the scam explode.
Anyway, yes, it's fruitless to argue people into not using bitcoin. It being the cause of something bad does not lead immediately to policy viability.
>That's what they did before that way to move wealth appeared.
What are you basing this on? It doesn’t line up with reality.
Zeus (and spyeye) gangs were very succesful in stealing huge amounts long before cryptocurrency was a thing. Sure, those techniques have evolved. BEC is easier, earns more money than ransomware. Yet, somehow, the evolution of BEC has no obvious link with cryptocurrency.
Before cryptocurrency, how was a ransomware attacker supposed to get paid without immediately getting caught by authorities? Bank transfers or checks don't work, because a bank account contains a bunch of contact information that law enforcement can access. Western Union or gift cards can work, but they have practical transfer limits, putting a cap on the amount of money an attacker can receive. There's always cash, but that requires the attacker to go to a specific place, which is very risky.
Ransomware attacks can certainly happen without cryptocurrency. However, there was no practical way for criminals to get multi-million dollar payouts previously. This payout potential changes the attack risks significantly. Few criminals will bother to target hospitals or gas pipelines if all they can get is a few thousand dollars worth of gift cards.
Google winlockers, they were plentiful before “ransomware” term became popular. Ransomware was already booming when cryptocurrency first hit the cybercrime scene after the Liberty Reserve seizure.
Gift cards were a common method of cashing out, you can anonymously cash out millions of those at around 80% of face value. IRS scammers still use gift cards for this reason.
> However, there was no practical way for criminals to get multi-million dollar payouts previously.
This is just bullshit. Read up on Zeus, SpyEye and various contemporary BEC gangs.
Read up on the craigslist scammers stealing billions selling non existent cars.
I'm not disputing that before cryptocurrency people made a lot of money stealing, scamming, and hacking people. And people will continue to do so as long as we have money and computers.
What's new is demanding millions of dollars in ransom against large companies and organizations. This is a fundamentally different scale then locking grandma's computer and demanding some iTunes gift cards. Without cryptocurrency, most "ransomware" relied on getting a small amount of money from a lot of victims. These high profile attacks rely on getting a lot of money from a single victim. That's what changed with cryptocurrency.
> Read up on Zeus, SpyEye and various contemporary BEC gangs.
I spent a bit of time reading up on those, and none of those seem like ransomware to me. Ransomware involves locking down a computer (or group of computers), then demanding a ransom to unlock it. That's a different attack then stealing bank account information or social engineering scams.
Do you have any evidence to suggest that cryptocurrency was the driving force here, rather than just natural evolution of ransomware operations? I don’t believe so.
Winlockers blew up right before cryptocurrency showed up, the early ones were very unsophisticated but hugely profitable. I believe they would have naturally evolved towards bigger payments even without cryptocurrency, it’s easier to process the occasional wire for $10M than to process tens of thousands of payments for $100.
I’ve never seen anyone actually familiar with the cybercrime market try to argue that cryptocurrency is a driving factor behind ransomware. You hear it from apparently highly qualified ”infosec professionals”, but most of those people have never interacted with this scene.
> I spent a bit of time reading up on those, and none of those seem like ransomware to me. Ransomware involves locking down a computer (or group of computers), then demanding a ransom to unlock it. That's a different attack then stealing bank account information or social engineering scams.
Of course, the point was about their ability to receive huge payouts pre-cryptocurrency. Ransomware groups wouldn’t have any trouble accepting tens of millions of usd by wire transfer, especially since they can penalize the company if the money doesn’t land.
I like the idea of a payment ban because it will force most companies to look at the systems that should be in place to prevent attacks. So many companies don't have working backups, and have not partitioned their systems in ways that prevent an attack (or accident, or corruption) from spreading from system to system. The disappointment is real when you tell the ransomware guy, "We're not paying. We just restored from backup."
>The disappointment is real when you tell the ransomware guy, "We're not paying. We just restored from backup."
Worked at a trucking company as a software dev and this exact thing happened. Got hit with ransomware attack but our IT team had daily backups of EVERYTHING. This was when ransomware was first "taking off" and they weren't even 100% sure if the attack was real.
I wish I got to see the ransomware's operator's reaction, but I honestly feel like they probably had enough people falling for it so I doubt they really got that upset.
The US stole money and resources from developing countries to get to where it is. Now the US is realizing they can get fucked as well. On a far far far smaller scale.
Watching the government and people freak out about this has been very amusing.
63 comments
[ 2.9 ms ] story [ 127 ms ] threadAs it stands, companies have incentive to cover up attacks because they won't invest in proper security. To an individual company, that's shortsighted and costly; to the country, in aggregate, it's both a national security threat and a huge drain on public and private resources which end up going to the worst possible place - to bolster scammers abroad.
The government is well within its right to prevent large cash or crypto transfers overseas, even in normal circumstances. Ringing this bell will force more companies to take measures to shore up their rickety systems.
There are 6-figure jobs aplenty out there to go into ABC Valve Manufacturing, rip out all their Win95 boxen and tell them what to buy, set it up and secure it for them.
A lot of these payments are not fortune 500 companies with unlimited IT budget, it's small or medium businesses with a 3 person IT team. Should they have proper off-site backups? Yes. Should we just let these companies go out of business until organizations learn their lesson? I would say no.
I really like the idea of making payment more difficult and mandating organizations to report these incidents. You're correct, companies do have the incentive to cover things up. Banning payment won't stop that.
I'm interested to see how people will circumvent this if the bill passes. If you pay a third-party company who "deal with the issue" on your behalf, all under legal privilege of course, would you still need to report?
Can you expand on that? Bad management leading to criminal interaction seems like something we'd be better off without.
I wrote that line thinking of the clients I've worked with who've been hit by ransomware and didn't realize IT were not doing their job until it was too late. In some cases it's a failure on their part - not investing enough time or resources and seeing IT as "the guy who installs windows". More often than not, they were assured it was taken care of. I don't expect a manager of a car dealership to know if their Exchange server is running recent patches. If companies like SolarWinds and Kaseya can get popped and compromise their downstream customers, think of the number of small MSPs causing that same issue every day. I don't think a business should go under with people losing their jobs because IT screwed up.
We would be better off without leadership who take no interest in security, and once a company is hit with a 100k ransomware bill you can bet they'll care going forward.
You're not wrong, but would the same dealership be as blasé about the assurances from their accountant that all their taxes are being paid?
Certainly no one can be an expert in everything, but regular audits from third parties of one's business at semi-regular intervals is prudent. We call in an external IT security auditor regularly ourselves to make sure we're not missing things and still following best practices.
You're absolutely correct, up to a point.
As an InfoSec professional, I've been on both sides of such audits. Sometimes they're quite good. Sometimes they're awful. Usually, they're somewhere in between.
What's more, just because an audit has been performed (even a really thorough one), there's no guarantee that the recommendations will be applied, or even if they are, that they will be applied competently.
Leaving that aside and assuming that everything is done properly and thoroughly, regardless of all that hard work, it just takes one non-technical resource to click one link, and ransomware could be loosed on your network.
There are, of course, mitigations and, hopefully they are all in place and just the one desktop/laptop system is compromised.
All that said, many organizations don't have the time, money or expertise to properly secure their environment, let alone bring in outside auditors.
Medium/large companies with such resources should absolutely do all of those things. But the vast majority of companies in the US are SMBs who likely don't have those resources.
I'm not making a value judgement either way about the value of mandatory reporting, but I don't agree with your assessment.
Edit: Fixed typo (word --> work).
Being dispersed. Those people are still around and will go to "work" for someone else
TL;DR - if everyone refused to pay there would be no profit in it. And if everyone had to have IT staff who were competent, or worry about being fined for malfeasance, there would be no question of paying a third party to deal with something quietly. It's right and proper that authorities get involved. Even if they do find it's some troll farm in Russia, they can sanction and block in a way that small companies cannot. It's one of those situations where you stand together or die separately.
Of course it's very saintly of you to refuse to pay, but often not paying is a very bad business decision. You can be sure that enough people will pay for your refusal to not make any difference.
So saintly? No way.
I didn't refuse to pay because I thought it would be inspirational or set an example or bla bla bla. It was because I'm not a dumb mark, and I'm not going to let my clients be. And personally, I'd rather burn my house to the ground than let someone rob it.
That is your personal choice and you're more than welcome to go up in flames if that is what you wish. You should have no rights however to force your personal choice upon the others. They might have a different perspective.
I agree that with DDoS extortion the situation is way more complicated, and the attacker will eventually move on if you don't pay.
> And personally, I'd rather burn my house to the ground than let someone rob it.
I think we can all agree that this is just plain stupid. Cutting off your nose to spite your face.
No we can't alI agree on that and I think you would be surprised. Personally I'd be seen with a gas can and a box of matches
Will fewer companies pay? Sure. Does it matter? No. Ransomware gangs wouldn't go anywhere even if their average payments got cut down by 90%, and the stuff they might switch to (BEC) isn't going to go away either.
You're joking. There are already many who don't pay, payment rates could fall by 90% and it wouldn't slow them down a bit. You clearly have no idea how hugely profitable ransomware is.
If less companies pay, the ransomware operations will just scale up their customer support teams and further automate deployment. This really isn't going to be a problem for them.
> Maybe formal proofs of all code? There are a lot of things that companies who aren't going to pay will start demanding of their vendors who they will pay.
Haha. Funny. Have you ever worked with formal proofs in a software context?
You misunderstand. Those who don't pay still have the problem. They will invest in solutions. Some (like good well tested backups) only affect them, but others like hardening software make it harder for ransomeware to get anyone in the first place.
> f less companies pay, the ransomware operations will just scale up their customer support teams and further automate deployment. This really isn't going to be a problem for them.
True. Though the less companies that pay, the more examples of not paying get out there and so the more likely it is other companies will get good protection for themselves.
Probably not enough to really affect profits too much, but still helpful to limit the amount of investment "big evil" can afford to do.
> Have you ever worked with formal proofs in a software context
Just a little bit. I'm looking to work with them more because for my area quality is important and we have reached the limits of what unit and manual testing can do. (but not the limits of other automatic code analysis which I'm also looking into)
Even those who pay are also investing in solutions, but the reality is that throwing money at this isn't going to make ransomware go away. Billions have been poured into this, and billions more will follow. What does that money get us? Mostly snake oil antivirus products, and big full page ads in the Economist for said snake oil products. I can't imagine that we're going to see significant results on a timeframe that you'd consider acceptable, maybe in 20 years.
>True. Though the less companies that pay, the more examples of not paying get out there and so the more likely it is other companies will get good protection for themselves.
>Probably not enough to really affect profits too much, but still helpful to limit the amount of investment "big evil" can afford to do.
Honestly, I think stories of companies paying out huge amounts has more of a chilling effect on ransomware than stories of companies refusing to pay. The huge ransom payment gives everyone a concrete number to be afraid of, a refusal to pay is a non-story unless it causes devastating damage to the company in question.
>Just a little bit. I'm looking to work with them more because for my area quality is important and we have reached the limits of what unit and manual testing can do. (but not the limits of other automatic code analysis which I'm also looking into)
The problem here is that you will never be able to produce a useful formally proven general purpose desktop software stack that would present meaningful advantages over current systems. Formal verification really only works for very simple pieces of software, and in any case, formal verification is only as good as the model you are verifying against.
We're not going to see formally verified web browsers, nor are we going to get a formally verified microsoft office suite.
second thought - here in the USA in the mid-2000s there were waves of identity theft and also mortgage fraud.. massive waves, very large numbers of accounts and even larger dollar amounts. I believe it was BANK-related employess and USA-based people who knew the credit system, performing quite a bit of all of that, with eyes open! the reputed phrase was "you wont be here, I wont be here" about the consequences down the road.
Sure, name-your-enemy Eastern Europeans are caught doing these things, outside of the reach of the casual US law.. but is it ONLY outsiders? or, you just dont know how badly your own money system employees are stealing from you now.
Try to find a not-russian site with as many people discussing this stuff. It really do be like that sometimes.
are you accustomed to talking like that? why do you have those screenshots?
It's a "meme". Unless you refer to the really badly google translated screenshot, in which case yes, but I've now learned sufficient Russian that it's easier for me to read without.
>why do you have those screenshots?
I follow a bunch of these forums for intelligence gathering purposes. There are companies paying ridiculous amounts for a few of these screenshots and a little accompanying text, it's apparently called "threat intelligence".
Do you have something to the contrary, or is this just a hunch?
It appears from a casual read of spy-versus-spy sort of documents, like tell-all books or dramatic movie scripts, that "false flag" is a standard play, since forever. Second, mysterious enemies that speak in unintelligible tongues, are the perfect cover for any institution failing its own constituents.
My experience in life is that money people are attracted to money jobs which then handle money with imperfect rules. Experience also says that business is often a dog-eat-dog world where company loyalty is repaid with termination or lower wages. When confronted with the dichotomy of "thats just business" alcohol and pain-killer abuse are common responses of an injured individual. Multiply that by thousands and mortgage pressure, kids college pressure, or just skid-row entrance behavior, and you get "corruption"
creative examples from the 2000s when aforementioned mortgage fraud ran like fire through the USA: a middle-aged immigrant meeting discreetly at a restaurant, discussing with a colleague a long-term siphoning and fraud scheme, gets back into their mid-range luxory car and goes to their suburban home in the USA; an alcholic single-mother forges a few signatures while on ordinary day duty with no one watching; an up-and-coming sales guy with a sports background wants to "level up" on their property purchase next year.
I do understand that non-US people, non-English speaking people, do run blatent scams. I myself have caught a PHP hook script on a server I ran, which pullled from some Bulgarian hacker board, an infection via a single ID number, like a menu. Of course that is true! but I object to fueling prejuidices by nationality, of people.. human beings.
Most humans are innocent of all of this activity. Yet, almost every single Western adult must have money in an account somewhere. The fundemental divisiveness of the Western monetary system, now under pressure from lockdowns, retirement and health problems, appears to me to be reaching East Germany levels, and I object to wholly and readily attributing this to "outsiders"
And this is something where the law can help. Paying a ransom in these kinds of situations needs to be a felony. The punishment needs to be dealt to everyone who acted or knew and didn't report, and it needs to be harsh enough that even in the worst cases people would rather call the cops and report than risk it. (Or, at least some employee in the organization would report it and save their own hide than risk it to protect their boss.)
The ramsomware crisis is really bad now, and it keeps getting worse. It will not stop getting worse until the money dries up. Small businesses cannot be expected to have the level of IT knowledge that they absolutely can't be hacked. The reason they weren't victimized before at this level was that the money wasn't there. There are enough places in the world where the authorities will look the other way (or actively cheer on the criminals), meaning this will not end until the flow of money is stopped.
If you want to mitigate the losses caused by ransomware gangs, create a subsidized insurance system that helps the victims. Just, that insurance is not allowed to pay off the criminals, just help the business get back on it's feet.
These groups aren't going to go away even if 95% of companies suddenly stopped paying, deploying ransomware costs next to nothing. There's also a huge incentive for ransomware actors to punish this sort of regulation.
> The ramsomware crisis is really bad now, and it keeps getting worse.
How come everybody is crying about the "ransomware crisis", but you never hear about a "BEC crisis"? BEC losses are bigger than ransomware losses, and they keep getting worse.
Having solid evidence of state-sponsored (or egregiously tolerated) criminal attacks on Americans is the first step to building will to launch (cyber) counterattacks, or at least credibly threatening them.
Because you're conflating routine cleaning with adversarial attacks. Which is beyond ridiculous.
Most commercial ventures do not have the resources to compete with a nation-state in cybersecurity - full fucking stop.
Let me paraphrase your argument:
Person: They bombed my fucking shop! The military blew it up!
You: God damn, you should take some responsibility. Why didn't you lock the doors?
It shifts the burden from the company to the authorities
Now, perhaps this is an upstream problem. Perhaps the problem is that we have built systems that are nigh impossible to secure for small businesses. Perhaps we need laptop computers with no USB slots (no external keyboards.. no external mice.. no external monitors..) and no ability to install anything without going through an app store.
This company (that makes its own operating system) also will tell you exactly the systems you can use. Everything is certified by this company to be secure and you pay them a yearly protection racket fee to assume liability. In return, you have no control over your computer. Very strict internet filters are on these computers - no stack overflow, no hacker news, just the systems that the business has paid for.
This sounds dystopian to me. I'd hate to work there. However, that's literally the only solution I see for many businesses, because the current IT system is failing us.
Comment suggested "calling on public resources to mitigate the attack" implying some sort of government funded program to upgrade old IT.
Right now, even egregious violation of regulations results in a trivial financial payment and the charges are put on the shelf - and forgotten about if the corporation "behaves." In theory. In reality, companies can keep breaking the law, violating those agreements to 'behave' - and the DoJ / courts never pursue the matter.
reporting regs are clear (clearer at least) than the other stuff.
Ransomware would keep going if cryptocurrency disappeared tomorrow, these people have the infrastructure to receive and launder huge wire transfers.
Even the far less sophisticated african groups manage that, read the Hushpuppi indictment for an example.
You can easily get thousands of US personal accounts at short notice if you need them.
For individual amounts below 20-30k (craigslist scams, etc) you’ll be looking at personal bank accounts, usually created with fake IDs, but also sometimes using victims of various hiring scams. The fees you pay will largely depend on the country around 50% for US accounts, 20% or so for EU/UK accounts.
For slightly bigger amounts (fancier craigslist scams, BEC) up to a quarter million or so, you’ll see lots of pretty plain corporate accounts. The fees remain pretty much the same.
For the huge amounts (pretty much just BEC) like 5 million usd or more it starts to get complicated. At this point you begin to see offshore accounts for the first time, Hong Kong or just straight up PRC. But anything is possible, even US accounts can be arranged. Often someone will take over an existing business and their bank accounts, and then quickly run millions through them. At this level it’s hard to give an estimate on the fees, they are negotiable.
I'm sure it's just a vocal minority but this implication I keep happening across that ransomware would drastically decrease without crypto around seems rather obviously false. As mentioned, sex trafficking still exists in high quantities and possibly affects less money than ransomware. Certainly both types of crime move billions of dollars yearly.
edit: further - I would suggest trying to shame people out of their desire to buy crypto is as fruitless as the war on drugs. Crypto is here and it's here to stay. It's every bit as impossible (if not more) to regulate out of existence as drugs. If this is true, it seems rather toxic to blame (implied or otherwise) the prosocial players in crypto (which represent the _vast_ majority) for the bad apples.
That's what they did before that way to move wealth appeared.
And by the way, it didn't increase because bitcoin is easy to collect, but because it's easy to trace. Before bitcoin, the ransomware author would never actually decrypt the data after they were paid. That's the main difference that made the scam explode.
Anyway, yes, it's fruitless to argue people into not using bitcoin. It being the cause of something bad does not lead immediately to policy viability.
What are you basing this on? It doesn’t line up with reality.
Zeus (and spyeye) gangs were very succesful in stealing huge amounts long before cryptocurrency was a thing. Sure, those techniques have evolved. BEC is easier, earns more money than ransomware. Yet, somehow, the evolution of BEC has no obvious link with cryptocurrency.
Ransomware attacks can certainly happen without cryptocurrency. However, there was no practical way for criminals to get multi-million dollar payouts previously. This payout potential changes the attack risks significantly. Few criminals will bother to target hospitals or gas pipelines if all they can get is a few thousand dollars worth of gift cards.
Gift cards were a common method of cashing out, you can anonymously cash out millions of those at around 80% of face value. IRS scammers still use gift cards for this reason.
> However, there was no practical way for criminals to get multi-million dollar payouts previously.
This is just bullshit. Read up on Zeus, SpyEye and various contemporary BEC gangs.
Read up on the craigslist scammers stealing billions selling non existent cars.
What's new is demanding millions of dollars in ransom against large companies and organizations. This is a fundamentally different scale then locking grandma's computer and demanding some iTunes gift cards. Without cryptocurrency, most "ransomware" relied on getting a small amount of money from a lot of victims. These high profile attacks rely on getting a lot of money from a single victim. That's what changed with cryptocurrency.
> Read up on Zeus, SpyEye and various contemporary BEC gangs.
I spent a bit of time reading up on those, and none of those seem like ransomware to me. Ransomware involves locking down a computer (or group of computers), then demanding a ransom to unlock it. That's a different attack then stealing bank account information or social engineering scams.
Do you have any evidence to suggest that cryptocurrency was the driving force here, rather than just natural evolution of ransomware operations? I don’t believe so.
Winlockers blew up right before cryptocurrency showed up, the early ones were very unsophisticated but hugely profitable. I believe they would have naturally evolved towards bigger payments even without cryptocurrency, it’s easier to process the occasional wire for $10M than to process tens of thousands of payments for $100.
I’ve never seen anyone actually familiar with the cybercrime market try to argue that cryptocurrency is a driving factor behind ransomware. You hear it from apparently highly qualified ”infosec professionals”, but most of those people have never interacted with this scene.
> I spent a bit of time reading up on those, and none of those seem like ransomware to me. Ransomware involves locking down a computer (or group of computers), then demanding a ransom to unlock it. That's a different attack then stealing bank account information or social engineering scams.
Of course, the point was about their ability to receive huge payouts pre-cryptocurrency. Ransomware groups wouldn’t have any trouble accepting tens of millions of usd by wire transfer, especially since they can penalize the company if the money doesn’t land.
Oh yeah, check this out https://twitter.com/malwaretechblog/status/14010033030858752...
Worked at a trucking company as a software dev and this exact thing happened. Got hit with ransomware attack but our IT team had daily backups of EVERYTHING. This was when ransomware was first "taking off" and they weren't even 100% sure if the attack was real.
I wish I got to see the ransomware's operator's reaction, but I honestly feel like they probably had enough people falling for it so I doubt they really got that upset.
Watching the government and people freak out about this has been very amusing.