107 comments

[ 2.8 ms ] story [ 184 ms ] thread
lol this is Royal Mail, not Google. It's not like it has $80 million sitting around. Maybe they should have been more flexible. That's usually how you negotiate: start with a lot and work to something smaller that the counterparty will agree on. Done-in by greed and got $0, which they deserve. Shows how even the rules of negotiation applies to dark markets.
All about BATNA.
(comment deleted)
Royal Mail is still a very large corporation and could have paid. BUT they simply did not think the amount was worth paying, I suspect both in term of the direct consequence if the data were published (which the hackers apparently did in the end) and in term of PR, reputation, etc because they couldn't have kept the payment secret (too big).

So IMHO the issue was miscalculating leverage.

This could be a loss for the criminals or a way to build reputation so the next victim is more likely to pay up.
There is one more point: by not paying they develop a reputation that they are not worth attacking. The next criminal org might just skip attacking them. If everyone follows this examples the criminals will give up.
It depends because the costs of running the malware operation are way less than 80M. At this point they are just going for the lulz.

the hackers already threatened going nuclear by releasing files and letting Europe fines their 0.5% which is more then 80M.

This is not over and Royal Mail is in a lose/lose situation here

Royal Mail was privatised because 1st world state postal systems have to subsidise the postal systems of 3rd world countries.

Its an international agreement which has come back to bite the UK because China is still classed as a 3rd world country.

Lets just say the globalist's who set the rule's are finding their rules are now not so good.

The US has a similar agreement with China.

"The new 1969 agreement included terminal dues, the receiving postal agencies would charge the country of origin for delivering the post on by-weight basis.

To be blunt, shipping from China to USA (and most of the rest of the world) is much cheaper than shipping domestically in USA because the terminal-dues are much too low and account only for the total weight of the post, not for the number of items.

For example, in 2013 China paid $1/kg (or $0.50/lbs)[1] to have post delivered in USA. This is MUCH lower than domestic pricing, especially if it’s light-weight objects.

As an example, I just ordered a new wristband for a watch I own from China. I just weighed it, and it weighs 78 grams. That means China would pay less than 8 cents to have this wristband delivered anywhere in USA.

By comparison, sending the same weight in a domestic letter in USA[2] would cost 92 cents, or a factor of 11.5 more.

Reality is that this agreement now acts as a massive subsidy to especially China who produces a lot of low-cost low-weight products and can now deliver them to customers worldwide for a price much lower than local companies can.

This situation will persist until the relevant agreements are renegotiated. I’m frankly surprised that hasn’t happened already.

[1] https://archive.is/20121212225536/http://www.upu.int/en/acti...

[2] https://www.stamps.com/usps/postage-rate-increase/

https://www.quora.com/How-is-China-able-to-offer-free-worldw...

But the postal strikes during the winter months is timely as well. Will the cold winter months break their spirits or just turn this into a virtual signalling exercise to the rest of the world and the UK to start demanding higher wages much like we see with the Reddit AntiWork getting news organisation attention.

Those Spooky Hackers from Russia..... Is this what Trump called Fake News?

I've seen how security services can burn a stock market listed company for an agenda knowing the public have short term memories for some things, and share prices recover.

> China would pay less than 8 cents to have this wristband delivered anywhere in USA

lol why even bother? After recent inflation, 8 cents is so close to zero we may as well give them free delivery.

Why does international post TO China still cost so much then?
It's because when you ship internationally, you only pay for the domestic leg (e.g. in America) and not the terminal leg (e.g. in China). Your shipping costs to China cost so much because you have to pay the American rate, while people in China shipping to America have to pay the Chinese rate.
Some countries are cheaper for some things than others, that's why so many jobs from the west were offshored to parts of the world with inferior legislation, inferior infrastructure and inferior currency's.

Every country has their own currency, and some currency is more expensive than other currency's, so 1 British pound can buy 1.2 US Dollars, 1.12 Euros, 161 Japanese Yens and so on. The British pound is also the oldest central bank currency in the world.

So when someone buys something made abroad, they are buying into Child Abuse and Slavery.

Unfortunately, our Govt's also force people into this situation by putting things like govt services online when considering how much of todays tech is made in country's with questionable legal frameworks.

And all the while is also draws attention away from the financial system that cant make its mind up, how its going to evolve to fulfil its social contract and obligations with the public because some people cant relinquish power masquerading as knowledge.

Its all chicken and egg situation stuff.

I think it was privatized because of right wing and neoliberal ideals. When is that not the reason?
I think you're referring to the Universal Postal Union's terminal dues, which are transfers between countries to compensate for last mile delivery imbalances. While it's true that China is in Group 2 and the UK is in Group 1 (out of 4 total groups) when calculating terminal dues, the UK is actually a net winner because it pays less to deliver mail than the amount it receives in terminal dues [0]. The UPU definitely causes distortions in the price of international shipping but it's hard to pin the privatization of Royal Mail on this issue.

[0] https://ideas.repec.org/h/elg/eechap/14533_20.html

I live in a small suburb north of Houston, and they were hit with a ransomware attack in late December. They still aren't fully operational.
https://techmonitor.ai/technology/cybersecurity/ransomware-r...

Council was hit with ransomware, they went back to pen and paper for everything. They lost track of who lives there and when moved out. They kept resending overdue bills to addresses threatening debt collects to people who moved out. The council said they will still collect council tax once they are operational and it's your responsibility to have money ready for such situation. Even now there are comments on /r/UKPersonalFinance people complaining on getting incorrect bills.

Good luck!

How is it even legal to pay ransoms? Surely this is transferring money to criminal enterprises. If it is not illegal it needs to be made illegal.
Why would it not be legal? If I was a hacker, the existence of a law prohibiting businesses from paying cyber ransoms would not deter me. If a company wanted to follow the law and refused to pay the ransom the hackers asked of them, the hackers could follow through and delete or irreparably corrupt their files. The potential upside, that they pay the ransom, is significant, while the downside, that they don't, doesn't mean much. They'll just keep probing for targets. What are they gonna do? Arrest them? In all likelihood, they're hiding behind multiple VPNs, working from a virtual machine, from a country without an extradition treaty.
The argument seems implausible as it assumes that hackers would persist in deleting data, whereas in reality, they would probably shift their focus to other targets such as private companies that lack similar prohibitions. It is unclear what incentive they would have to continue hacking public companies if they cannot profit from that?
> It is unclear what incentive they would have to continue hacking public companies if they cannot profit from that.

The intent would be to put pressure on national legislatures to repeal laws that make paying ransoms illegal. Smart ransomware groups don't care about targets that can't afford to pay. So any "inability" to pay is either the result of stubbornness or a law, both of which can change if enough pressure is applied. Of course, the solution is for businesses to harden their systems enough to resist these sorts of intrusion in the first place.

Company pays Cyber Insurance which contracts 3rd party in Panama/SA/Israel to pay the ransom and report back the decryption key.

Completely legal.

Note too that the threat of the law may be enough motivation to stop payment. Insurance in particular is already starting to look at how hardened your IT systems are as part of your coverage.
If paying ransoms become illegal in many countries, it would be very hard to find targets willing to break the law and pay ransom, making it less attractive of an attack.
Companies and people pay bribes all the time. But since it's illegal to it's kept secret.
True - but if it's made directly illegal it will still have some effect on the number of victims willing to. It won't solve it, of course.
I don't think this is correct. There is very little cost, and risk, in conducting ransomware attacks. So even the odd chance of finding a target willing to break the law and pay up would be worth it. And in the long term, black hat groups could put pressure on national legislatures to amend the law by following through on their threats and deleting or releasing the files they've encrypted. One can imagine a not so far fetched scenario where entire industries are held hostage by a small group of anonymous individuals demanding to be paid or else, and legislatures capitulating and amending the law, because the alternative, to lose - lose, as in, complete bankruptcy - entire industries and corporations would be too costly in comparison. Black hats could even compel legislative changes by credibly threatening to compromise the personal data of politicians themselves.
I think this is a little far-fetched - I'd like to believe something (legislator comes clean, fed govt investigates more thoroughly as it is a direct threat to our democracy, etc) would stop that from happening. Worse has happened, though.

I do believe that if the "market" for victims shrinks, naturally the number of ransomware attackers will shrink - sure, ransomware is "easy", but perhaps there's easier cybercrime to be committed with better odds. (I'm not sure how likely this is - I bet the ransomware scene is nowhere near saturated)

Surely it would still depend on the normal economic calculations of the involved parties, like the penalty for paying a random, the likelihood of getting caught paying a ransom, and all the existing calculations like the value of the data to the victim, the penalty and risk of getting caught for the ransomers themselves, etc. You don't just get to say "making it illegal will destroy the incentive to do it," and if it doesn't work you can't just keep increasing the legal penalties until it starts working.
This is true. It is a financial decision. The costs options are:

* pay enough in IT to run an up to date, secure system

* pay enough in ransom to get your files

* eat the cost of losing your files

Adding a possible fine to the middle one means the cost of the top and bottom ones can be higher. Either non-paying option makes the business of running ransomware schemes less viable.

it is.

depends on jurisdiction, but if the ransoming organization is a sanctioned entity, it may be considered an illegal sanctions violation.

for instance, the US OFAC has issued this statement warning companies to not pay ransoms: https://home.treasury.gov/system/files/126/ofac_ransomware_a...

royal mail is in the UK, but the UK has its own sanctions regime with similar penalties.

edit: the UK OFSI has issued a similar warning this month

https://assets.publishing.service.gov.uk/government/uploads/...

Should we also make it illegal to get mugged? Make it a crime to be murdered?

Making the payment of ransom illegal just means you never hear about ransoms again.

In general you are allowed to do something illegal if your life is in danger. That is if I'm kidnapped I'm allowed to pay what is otherwise a bribe to go free.

So we should make getting mugged illegal, so long as the law is clear that the illegal part only applies if you have a reasonable way to get away from the mugging without paying. I'm not sure how you can be mugged and yet have a reasonable way to get away without paying, I leave that question to the reader.

You don't turn victims of crimes into criminals as well. This shouldn't need to be said.
> I'm not sure how you can be mugged and yet have a reasonable way to get away without paying, I leave that question to the reader.

What if you're skilled in hand to hand combat? Or what if you're familiar enough with firearms to notice the mugger's weapon looks fake? Would you then be legally required to attempt to fight back? Would a judge need to estimate your probability of dying, and if it was under some threshold you would be punished for not attempting to fight?

While ridiculous, I bet it would probably result in less muggings...
As I understand it, it is indeed illegal in most countries.

What happens in practice is the victim hires a 'data recovery specialist' company, provides them the encrypted files, and ask them to decrypt them with their magic algorithms. The data recovery specialist coincidentally is paid a little bit more than the ransom. The specialist then contacts the hackers, pays the ransom, decrypts the files, and provides them back to the victim. Specialist, victim and maybe also law enforcement do their utmost best not to ask/explain how exactly the files were decrypted, citing e.g. trade secrets or an accidental key leak in the malware.

The data recovery specialist generally hires a contractor, who hires a contractor, who ... , so ransom money trail passes trough plenty of jurisdictions to darken the trail.

(comment deleted)
Any sources on that?
Certainly not 100% of cases but very common:

"As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra."

https://features.propublica.org/ransomware/ransomware-attack...

What if ransom is paid but the attackers do not fulfill their end?
This is possible of course, but it would reduce the willingness of people to pay bribes generally. Also I guess it might cause the victims to take more desperate measures, possibly get more attention by law enforcement somehow.
Always a good question. A group of security people with experience in the scenario was trading about it on a conference a while ago. I far from knew everyone in the group.

Always a risky answer, of course, especially from some random person on HN. But in this case, it makes sense, and a 'long arm', international treatment is a general solution for powerfull entities needing to break a law.

I don't think you'll find anyone going officially on record as breaking the law, however. Most companies won't even let it leak they're a victim.

So the data recovery specialists are providing money laundering as a service (MLaaS)? ;)
Sure, that would be fine if the govt. is willing to help cover the loss of business. This is not without precedent, like 2008 and 2021 bailouts.
That's weird. It's like saying it should be illegal to give your wallet to a mugger.
It’s more like the mugger already has your wallet, but says they’ll give it back if you make a $1000 donation to their criminal organization, going around normal law enforcement.

I’d guess that’s also illegal, but IANAL.

It is not very similar I think — in a mugging the “don’t pay” downside is violence, possible death. In a ransomware situation, the victim is basically making an economic decision — is the cost of losing their files greater than the cost of the ransom.

The cost of dying is basically infinite, the cost of paying the ransom can be shifted up and down with fines until it is high enough to disincentivize paying.

I don’t know. A mugger could make other threats too that aren’t direct bodily injury or death. It could be “pay me money or I’ll burn down your restaurant” (that’s more like a protection racket than a “mugging”). That’s pretty similar to the threat to one’s livelihood that many of these ransomware attacks constitute.
Yeah, that’s more of a protection racket. Mugging is essentially by definition backed by the threat of violence I’m pretty sure. Possibly a bluff of course!
It's also orders of magnitude cheaper to just restore from backup.

I can't imagine their S3 bill is above 80 millions...

That's not how ransomware works. They typically wait 3-6 months before making the demand, your backups will contain the infected files.
Crazy that none of the major companies hit by ransomware haven't thought of that...
The prospect of a world in which victims are transformed into criminals is profoundly dystopian.

Such laws run the risk of fostering a climate in which individuals frequently transgress established legal boundaries, with the authorities given free rein to target anyone they please on a whim.

This would inevitably lead to a breakdown of the rule of law and a culture of lawlessness that would imperil the rights and liberties of all citizens.

"Preventing large monetary transfers to organized crime inevitably leads to a culture of lawlessness and imperils all citizens" is certainly an interesting take, I'll give you that.
The alternative is a moral/philosophical claim that there are no situations where dealing with organised crime is acceptable.

This is patently absurd, as there exists not only situations where its reasonable but an imperative to deal with organised crime.

Such as?
Hackers gaining control of air traffic systems and threatening to shut them down or threatening to open dams during peak monsoon season?

Hackers gaining control over the space station and not only threatening the lives of the crew but also threatening to send it back to earth targeting a high population area.

If Russia were to physically disrupt a country's social services by force, it would be an act of war. Here they have disrupted a British social service without force by state sponsored hacker terrorists, rendering harm in the physical world. The line gets blurrier.
> If Russia were to physically disrupt a country's social services by force, it would be an act of war

If the Russian STATE did this yes. But we don't generally consider the act of citizens/organizations/criminal enterprises within a state as a state action unless it's clearly state sponsored. You definitely could make that argument, but it's not a given.

For example, we don't consider the 3000 British people fighting alongside Ukraine against the Russians [1] to be part of the UK state, so their fighting isn't an act of war either.

[1] https://news.sky.com/story/ukraine-war-3-000-british-volunte...

Plausible deniability only gets a country so far. In historical terms state-sponsored terrorism has warranted military action when the severity evolves enough. It's hard to consider British soldiers fighting for Ukrainian sovereignty in the same realm as disrupting children's hospitals. [1][2] I had read that one of the attacks had disrupted imaging systems and prevented diagnoses from being reached, delaying treatments.

[1] https://www.healthcareitnews.com/news/fbi-disrupts-hive-rans... [2] https://therecord.media/canadas-largest-childrens-hospital-s...

I have no doubt that the Russian government has been taking its cut from criminals deploying ransomware in their country, and only going after criminals who don't provide their share. Even more so with Russia trying to fund an ongoing war where they are losing a lot of equipment and men.
Its so crazy to say something like "i have no doubt" about something you don't seem to have any experience or expertise in
Since it was privatised it's no longer a social service, but a private corporation.
Not true. It's a privately run and public-service. Another example is electricity.
In this case data has been stolen, not encrypted and the ransom is about not making the stolen data public. The services that Royal Mail offers, have not been disrupted in the sense that they cannot continue to provide their services to their customers.
I bought some candy from Amazon that was shipped by Royal Mail, and it never arrived. Amazon told me to take up the refund with Royal Mail, with no instructions how to do so. Anyone know how I can get a refund from Amazon/Royal Mail for the candy they never sent?
Dispute the transaction on the card used for payment.
> Amazon told me to take up the refund with Royal Mail

In most jurisdictions, at least in Europe (and I think the US, but feel free to correct me if I'm wrong), you take it up with the merchant as they're the ones who hire the delivery service. Your contract is with the merchant, and if they fail to provide the product for whatever reason—such as the delivery service not following through—then they're the ones who are responsible for making you whole.

If Amazon refuse to refund, then your recourse if to take them to court. It sounds like it's a small enough purchase that small claims would handle it.

It’s not your problem. The seller is legally responsible for the delivery. Chat with Amazon again and remind them. Or consult with Citizens Advice if you need help.

Amazon support eventually refunds basically anything if you are persistent enough.

Maybe, but in one specific occasion I know of, the client was told not to contact support anymore for a refund. I think it's a different retail landscape now to what it was in 2020-2022.
Sounds like they were not persistent enough.
It doesn’t matter what they were told. It’s Amazon’s legal responsibility. And with enough reminding, they would refund eventually.

I’ve gotten refunds for parcels lost in 2020-22 even if I was denied them initially. It’s Amazon’s strategy to deny initially.

Email jeff@amazon.com pleading your case.
(comment deleted)
Anecdotal, but I've just heard someone getting refused to be refunded because instead of a phone, the return carrier delivered a bunch of batteries. Now the end client is without a product, and without money, with basically no recourse. Probably best to document the whole return process, that's just the world we live in right now.
> Now the end client is without a product, and without money, with basically no recourse

They can sue in small claims.

Unsurprised. Just work your way through Amazon support and get to a human. If they tell you no, just do it again. Eventually you'll get to someone who will just refund it. Also only ever buy crap on a credit card. Just waving "chargeback" gets you a refund most of the time anywhere.
Why is ransomware still a problem? Is it that difficult to make off-site backups every hour? Storage is cheap. There are many air gapping options for backups, too.

It sounds like a case of normalized deviance, for which the management should be held accountable.

As much as I don’t like victim blaming, I think it’s beyond incompetent to still not backup your data in 2023 as a government org.

They're not a government organization. Haven't been for almost 10 years
Ah, that’s true, looks like it has been privatized. But the government originally retained a significant stake in the company even after it was made publicly traded. Not sure about it today. Interesting point.

Though I think it’s even worse if a publicly traded company fails to protect its data and falls prey to the extortion. Don’t they have a fiduciary responsibility to their shareholders? It seems wrong to waste their money due to incompetence at such basic infosec.

Government orgs are more difficult to hold accountable for losses than PLCs.

>Is it that difficult to make off-site backups every hour? Storage is cheap. There are many air gapping options for backups, too.

I'd imagine that often your backups get encrypted as well, early enough that the data loss to the last good backup becomes unacceptable.

Yes, there would still be minimal loss. But not enough to be extorted over.
Many ransoms now are for the leaking of the info, not the destruction of the info.

With huge GDPR fines for data leaks in Europe, the criminals are using the legal system as their 'threat'.

In this case it’s encryption but interesting point.

GDPR fines come from not following basic data protection practices, not for the breach itself. Also, a lot of reputational damage of the leak comes from bad infosec (case study: LastPass). If the customer data is reasonably protected, there isn’t much motivation to pay ransoms.

Companies have data breaches all the time. Even a start-up I worked in in GDPR times had a data breach, and an extortion attempt. But all customer PI data was encrypted and only ever in plaintext on our end in an ephemeral way. The data was worthless, we never paid ransoms. We bought some darknet monitoring service for some fake canary user data, but nothing ever came up in 4 years after the breach. No ransom was ever paid and honestly, the data breach was on our minds for 10 days max.

This is not hard to do, it was done by two business guys who listened to infosec podcasts and read infosec articles online. Specialists in the area that I’m sure all of these ransomed big businesses can afford can definitely do much better data protection.

I don’t think companies are sued/prosecuted for GDPR non-compliance or any damage done to their customers if hashed blobs get leaked. Assuming the hackers even bother to leak them, because what are they going to say in the forums they sell the data on? “I have unknown encrypted data about some hashed usernames from company X”? Maybe one day in the far future that data will hold some value, but not today. I would more easily see investors suing the management for paying ransoms instead of doing even rudimentary data protection.

> Why is ransomware still a problem? Is it that difficult to make off-site backups every hour?

Because unless you actually restore your system from backups regularly, you don't actually have backups.

Setting up a system wherein you restore from backups regularly requires, time, effort and money. None of which you are likely to receive for a "mere backup system".

I do auditing of backups and recovery.

It is crazy the number of companies that do not have appropriate visibility of what they're backing up. If the backups are immutable and if they have ever tested their ability to recover the environment.

And when I say the environment I mean all necessary components of the environment, not just applications, but their databases, Active Directory/Domain, DNS, DHCP, File servers, virtual infrastructure (VMware/HyperV).

In a virtualized environment the backup of these components is made easier, but you still need to understand what makes up your environment in order ensure you're backing it up appropriately.

Sometimes they have backups, but once they're forced to test them, realise they weren't backing up the right components or simply couldn't recover from those backups.

It's a big, risky exercise to perform, but important.

This ransom is not about encrypted data on the victims hard drive. Instead they have stolen data and money has to be paid so the attackers would not make the stolen data public.
Why does a corporation not have offline backups to supposedly mission critical files?
You’d be horrified to learn how incompetent nearly all people are at using software.
It's fucking ridiculous to hit the postal service, providing a practically-free function to a lot of people who really need it, and operating at barely even (in US and Canada too, so I imagine other countries are similar).

The ransomers sound like kids, "speculating that the directors personally held 100m of crypto"? What a disgusting amateur job.

You seem to think criminals would stop to evaluate the public good of a large UK company with yearly revenues of 12B GBP before blackmailing them for 80M USD. And you claim they are the amateurs?

(Of course these criminals are disgusting.)

Royal Mail is a private company, it was sold by the UK government for about £3b 10 years ago. It's now worth about £2b.
It's also f-ing ridiculous they were so irresponsible as to not protect their computers. F** these ransomers for the terrorist they are!
To all those naysayers that claim there is no present use for "cryptocurrency", we present "use of crypto for untraceable ransom payments". One could almost imagine regulating crypto for public policy reasons.
Ransomeware has hit the NHS and I have colleagues who had their CT scanners locked.

I don’t think the ethics of the operation are high on the list of considerations.

Is it really "ridiculous" to hit a crucial service provider in an enemy state, which local law enforcement is guaranteed to not punish them for, if they aren't outright funding the hackers.

These attacks happen all over the West, you only know about this one because the negotiation was leaked. Lots of public service providers are targeted, such as universities for example. The actual scandal is that this gets hushed up, if the people knew the scale of these attacks they might think we're in a sort of digital war.

So now that all NFTs and such are out, ransomware is the only application of cryptocurrency that has persisted, right?

And cryptocurrency is the main enabler of the ransomware attacks as well.

I really hope that the Royal Mail releases an 'El Risitas' style video recounting the hackers' thought process here.
Well, this sucks. I'm waiting for medicine to be delivered to continental Europe from Scotland through Royal Mail. Apparently their international packages are being delayed by a lot right now. Really hope this doesn't affect the operations too much and they'll be able to continue delivering in full capacity ASAP.