38 comments

[ 3.0 ms ] story [ 32.8 ms ] thread
Wow they have that kind of money??

All the ham radio clubs I've been with have been living hand to mouth lol. Always having to beg everyone for money if something big needed doing.

Sad though that they wasted it on rewarding cybercrime actors.

Their insurer paid most of it.
Which brings up the other topic.

Is the insurance cheaper than the impact and costs of preventing it in the first place?

The article states that their insurance paid the ransom.
Technical debt has to be paid one way or the other.
Would it be crazy to make paying crypto ransoms a crime? I feel like it would help the situation, but I'm sure there is something I am overlooking.
Paying the ransom is already illegal in a lot of conditions and interpretations but I don't think it's ever actually been enforced.
It creates additional conditions for blackmail of the target. Some would pay, and then could be induced into future payments because they can now be leveraged for having committed a criminal offense.

A better law would be one that requires institutions above a certain size to create backups every 24hrs and maintain basic security practices to prevent this sort of thing.

Better?

I guess there are two ways you could implement this, the legal and the regulatory route.

The legal route would say that upon discovery of the lack of said backups, they would be subject to penalties. So if they get hit by a ransomeware attack, then while they are down, they get kicked. Pretty rough.

The regulatory route would say that every company above a certain size needs to document its policies around backups, and either standardize on a fixed set of backup techniques or have an auditor that verifies that the backup technique used by a company satisfies some set of requirements. The former approach means a ton of paperwork for the company to get the certification, and the latter approach means that the regulatory body has to be very large and have a great deal of subject matter expertise. All of this is fairly horrible.

I'm not sure that either of these would be "better" than making the payments themselves illegal. Not to say that such a law would be "good" either -- it basically means that companies will have to not involve the authorities because recovering their data is more important (and may be essential to the continuity of the company).

Bad as it is, the best solution here is probably to keep going like we're going -- law enforcement will try to hunt down the ransomers and bring them to justice (since this is already illegal), companies are incentivized to follow some sort of best practices around backups.

Is this standard? From my layman perspective, I would never pay a ransom because I can't see any possible assurance that they'll actually honor their end and/or quietly tampered/backdoored for future exploitation.

Is there a BBB for ransomware hackers that informs the insurance whether the deal will be honored?

Trust is established through interaction with the ransoming party. The interaction will be some version of a trial solution that will decrypt some subset of the locked systems to prove that they can in fact recover your systems.

I've been engaged on a few of these, my general impression so far is that the technical support you get from the ransomware gangs is better than the contracted support I get from Microsoft.

> better than the contracted support I get from Microsoft.

...that's a pretty low bar.

It seems to me that they'd have to be quite reliable and responsive to be able to routinely collect.

Is Microsoft's B2B support really that bad? I've never directly interacted with them, but from what I've heard within my org, they are at least fairly responsive and helpful when you're paying them millions for software.
Getting them to answer the phone? They are really good at that. Getting out of Tier 1 hell? Pretty frustrating and difficult. Getting them to fix the problem? Depending on your issue, it's either "Here is a patch" or "It's been added to backlog, early estimates are sometime in 2030s"
I've never worked for a business paying MSFT millions so I can't comment on that. As a business paying several hundred thousand I had no success getting any help with an issue with Windows Server (July 2021). My organization was willing to spend money but couldn't get anyone at MSFT to take it.
If your company has enough sunk into MS as far as infrastructure and MSDN Developer licenses and whatnot, you can and do get more attentive direct developer support for esoteric problems, legacy support and the likes.
>It seems to me that they'd have to be quite reliable and responsive to be able to routinely collect.

Nope, they rely on compliance to collect. So many compliance/regulatory schemes are like "Do you have vendor support on all your software, including OSes?" so you end up paying Microsoft money or paying Red Hat money.

Sorry; I was unclear.

I meant that the ransomware admins need to be reliable and responsive.

(comment deleted)
If the ransomware gangs made off with the ransoms, victims would stop paying them. Most victims pay the ransom (after negotiation) and the vast majority of ransomware operators provide valid keys/decryptors in return. It's a functional market, however warped.

There's no BBB, but, yes, insurance carriers keep notes on the different ransomware gangs.

> victims would stop paying them

Only if the victims are communicating with each other. It seems like most victims are not interested in publicizing their experience. These incentives might be even stronger if one got scammed for the ransom. It's not a good look.

The victims often have insurance and the insurers definitely pay attention.
Thanks for the answer, very interesting stuff.

I guess my next question is how do you establish that it's actually the group with the "good" reputation, and not just one claiming or pretending to be them?

You won’t get anywhere to complete certainty but the different gangs each have their own modus operandi. And of course it’s in their interest to act as enforcers and keep bad actors out.
They're mostly decent about getting the systems unlocked after you pay. The incentive for these groups is that if they become known as unable or unwilling to get you your systems back they're far less likely to get paid. A few years back I read an article talking about this exact problem where the groups were fairly active and responsive so that their victims are more likely to actually pay.
that's my question: if you were the ransomee, how do you establish that you're working with a "reliable" ransom group? Is there a BBB for ransom groups?

If so, how do you establish that the ransom group is actually the group with the good reputation?

I guess I'm intrigued by how you achieve all that when you're talking about the perpetrator of a crime that is obfuscating their identity.

They’ll be able to prove they can decrypt a few of your files first. That’s generally enough for most people to move forward with paying the ransom.

If they can prove they can decrypt, they have very little to lose by not releasing the decryption key after being paid.

Verification is an issue but if places do pay and they can't decrypt the victim is likely to talk about it. Also for this reason, like others have said, the ransomware tools have trial decrypts built in or the ability to generate a program/key that decrypt some of the files so that the victims can see that the attackers have the ability to decrypt some of their files. That requires zero trust and is more difficult than just having a single key that encrypts or decrypts everything.
(comment deleted)
Can someone explain why offsite, offline, multi-timescale backups don't help in these cases?