In theory there is no difference between theory and practice. In practice...
Paying ransom is bad, but it is bad for the commons and relieves one from a short-term pain point. Just like pollution, the cost will be paid from someone else later.
The thing I don’t get about these ransomware attacks is that bitcoin isn’t actually anonymous. On the contrary, it’s highly traceable. So we know what entities (exchanges) are conspiring with these criminals. Why isn’t the FBI going full untouchables on them? Granted if they are in China/Russia there are limits, but even there, we have tools.
They can wash the coins via converting to alts and back, especially at shady foreign exchanges that don't care about KYC/AML. I don't see how the FBI has any jurisdiction, or even whether this is big enough potatoes for them to devote significant time and resources to.
The US has a lot of tools at its disposal to make life difficult for foreign financial institutions. There’s no legal bar to using them here. I agree that no individual ransomware attack has yet been impactful enough to justify a national response, but cumulatively we are probably there.
What I don't get is the idea of trusting a criminal to live up to their promises if the victim pays up.
"They would lose a lot of reputation if they broke their side of the deal."
What reputation? Is there some sort of website where I can go read reviews of a ransomware gang? Even if there were, what's stopping the "bad" gangs from pretending to be the "good" ones? Trademarks?
Yup, the expected value of the key is P(valid_key) * savings_from_decrypting. So if you're known to negotiators as providing a valid key, it makes the likelihood of paying higher.
I negotiated for a friend in a small ransomware case. They paid $2k. Yes, reputation is important, I did some research to check whether others had successfully negotiated. If you get a reputation for not delivering nobody will negotiate with you. Likewise if you have a good reputation the amount of money people are willing to risk on getting their data back goes up, and that's good for business. It's also a reason why the ransomware was very clearly branded.
It's criminal but the principles of business still apply.
In our case I googled the email address that was left in every folder and read forums on how their users dealt with it. We negotiated $2k to $400.
My company bought a small business and it happened next day. A hole in RDP that was simply open to the internets. No backups, no failover, just a regular business, you know. Partially my fault, as this thing should have been evaluated/fixed before the deal. Convincing the owners that it wasn't me (I just got an administrative password) was a separate fun.
Yes, but multiply the ransom by multiple small, low-ransom targets, as is commonly the case with groups taking a more diversified approach of targeting many small companies with the same attack type, partly depending on such small ransom demands to individually not even be reported to investigating authorities, and getting at least a partial ROI. This is as opposed to making a huge single demand from one large company that almost certainly causes your ransom attempt to trigger a police investigation, with the not-small chance of the company simply deciding not to pay, leaving you with 0 for that particular effort.
Even if there isn't, you can still probably copy and paste part of the ransomware message into Google and find stories of other people that interacted with them.
Aren't these criminals providing a useful service to society?
Corporations (and the governments that are supposed to set and enforce standards) are clearly failing to protect the data that is collected about people. These criminals are increasing the incentive for corporate data security.
The Equifax case is a good example of the problem. They leaked data on lots of Americans, who never agreed to their data being collected, they externalized an enormous amount of damage they created, and they are still in business. Government is clearly failing here.
I feel safer knowing that there are people out there, hunting down these unsecured caches of data.
> I feel safer knowing that there are people out there, hunting down these unsecured caches of data.
There's very little difference between maliciously encrypting someone's data once you have managed to establish code execution vs exfiltrating all of the data and then using any PII to open lines of credit.
For you as a consumer, the former doesn't harm you. The latter has the ability to harm you quite a bit in ways that take months/years to sort out. Do you really feel safer because the criminals that cracked these systems flipped a coin that landed on the "extort our victim" side rather than the "free leads to customers of our victims" side?
Yes, that's the point. These organizations holding my PII haven't historically given half a damn if all my data gets exfiltrated or not. By electing to pursue the other side of the coin these attackers provide incentive for those companies to batten down the hatches, causing my PII to become more protected as a side-effect, thus leading to a greater feeling of safety.
I don't have any evidence either way so all I can do is appeal to common sense, but I can't imagine most of the organizations hit by ransomware didn't at least devote some extra amount of attention or resources towards IT security in response. At a bare minimum I'd expect them to at least patch the vulnerability that the ransomware used to infect their systems.
Are there any examples of orgs that have been repeatedly hit by ransomware over and over?
Working backups are not enough to insulate you from this threat. If you allow an attacker to remain within your systems long enough you might find they've encrypted all your backups!
1. The victim organization that has my data gets everything encrypted and is forced to pay a ransom.
2. The same happens, but the hackers also release the stolen data, including my PII.
3. The hackers just sell the stolen PII from the start.
As a consumer, I far prefer option 1. Maybe it will teach them to protect their system, and my PII, better.
If my PII is released somehow, well that's what used to happen anyway. So it not happening is an improvement.
Do you see banks getting robbed left and right and banks/governments not caring enough to take action against it? And is it being made your problem or the bank's problem when they do get robbed?
An analogy. Perhaps 20% of modern integrated circuits are dedicated to testing. Perhaps the same percent of GDP is spent combating crime. In an ideal world, we'd not need to waste all that silicon real estate on testing. And in an ideal world, we wouldn't be wasting resources on combating crime. But the world is not ideal.
Attackers fool humans into clicking on URLs leading to malware downloads, or with embedded or attached malware in emails.
Then, when the payload has been installed on the victim's computer, the next step is to spread and also to get control of as many machines as possible on the same and neighbouring networks, with the eventual goal of command and control.
When unimpeded, these attacks now take 5-10 minutes.
From here they lay low, for months. Then the shit really hits the fan when they take the domain controller infrastructure through a GOLDEN TICKET using KERBEROASTING attacks. Then Kansas is going bye bye. You better pray your competent IT leadership has taken steps to make the IDENTIFY, DETECT, PROTECT, RESPOND, RECOVER dimensions (NIST framework) a reality across the technologies your company relies on.
MITRE defines a generic framework for hacking attacks:
- INITIAL ACCESS
- EXECUTION
- PERSISTENCE
- PRIVILEGE ESCALATION
- DEFENSE EVASION
- CREDENTIAL ACCESS
- DISCOVERY
- LATERAL MOVEMENT
- COLLECTION
- COMMAND AND CONTROL
- EXFILTRATION
- IMPACT
From here I recommend you read the MITRE ATT&CK framework, great reading!
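The comment above names Kerberoasting as the step that precedes the domain takeover, and lists the ATT&CK tactic it falls under (CREDENTIAL ACCESS). Below is a small detection-side example added to this thread; it is not code from any commenter. It runs a heuristic over a handful of constructed Windows Security log records (Event ID 4769, "A Kerberos service ticket was requested"), flattened to one line each with simplified field names that are an assumption, not the real event XML schema. The heuristic is the one commonly used in SIEM rules: one account requesting many distinct RC4-HMAC (encryption type 0x17) service tickets in a short window, since Kerberoasting tooling typically asks for RC4 tickets for many SPNs at once. Computer accounts and the krbtgt service are excluded because they are noisy and not what the attack targets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Field names are a simplified
# assumption; real 4769 events carry TicketEncryptionType, ServiceName, etc.
SAMPLE_LOG = """\
2021-06-01T10:00:01 EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 EncType=0x12 Status=0x0
2021-06-01T10:00:05 EventID=4769 Account=bob@CORP.LOCAL Service=HTTP/intranet.corp.local EncType=0x12 Status=0x0
2021-06-01T10:03:10 EventID=4769 Account=svc-scan@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 EncType=0x17 Status=0x0
2021-06-01T10:03:11 EventID=4769 Account=svc-scan@CORP.LOCAL Service=HTTP/intranet.corp.local EncType=0x17 Status=0x0
2021-06-01T10:03:12 EventID=4769 Account=svc-scan@CORP.LOCAL Service=MSSQLSvc/db02.corp.local:1433 EncType=0x17 Status=0x0
2021-06-01T10:03:13 EventID=4769 Account=svc-scan@CORP.LOCAL Service=CIFS/files01.corp.local EncType=0x17 Status=0x0
2021-06-01T10:03:14 EventID=4769 Account=svc-scan@CORP.LOCAL Service=ldap/dc01.corp.local EncType=0x17 Status=0x0
2021-06-01T10:03:15 EventID=4769 Account=svc-scan@CORP.LOCAL Service=WS01$ EncType=0x17 Status=0x0
2021-06-01T11:30:00 EventID=4769 Account=carol@CORP.LOCAL Service=legacyapp/old01.corp.local EncType=0x17 Status=0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Service=(?P<svc>\S+) EncType=(?P<enc>0x[0-9a-fA-F]+) Status=(?P<status>\S+)$"
)

RC4_HMAC = 0x17            # Kerberos etype 23; AES128/256 are 0x11/0x12
WINDOW = timedelta(minutes=10)
THRESHOLD = 5              # distinct RC4 service tickets per account per window


def parse(log_text):
    """Parse the flattened sample records into dicts; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "account": m["acct"],
            "service": m["svc"],
            "enctype": int(m["enc"], 16),
            "status": m["status"],
        })
    return events


def is_candidate(ev):
    """Successful RC4 service-ticket request for a user-style SPN (not a machine account, not krbtgt)."""
    return (
        ev["eid"] == 4769
        and ev["enctype"] == RC4_HMAC
        and ev["status"] == "0x0"
        and not ev["service"].endswith("$")
        and not ev["service"].lower().startswith("krbtgt")
    )


def find_kerberoast_suspects(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: max distinct RC4 SPNs seen inside any window} for accounts over threshold."""
    by_acct = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_candidate(ev):
            by_acct[ev["account"]].append(ev)

    suspects = {}
    for acct, evs in by_acct.items():
        start = 0
        # Sliding window over this account's RC4 ticket requests, oldest first.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["service"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                suspects[acct] = max(suspects.get(acct, 0), len(distinct))
    return suspects


if __name__ == "__main__":
    for acct, n in find_kerberoast_suspects(parse(SAMPLE_LOG)).items():
        print(f"possible Kerberoasting: {acct} requested {n} distinct RC4 service tickets within {WINDOW}")
```

In the sample, svc-scan requests five distinct non-machine SPNs with RC4 inside six seconds and is flagged; carol's single RC4 request to a legacy application is not, which is the point of using a per-window threshold rather than alerting on every RC4 ticket. Tune the threshold against your own baseline, and treat the remaining legitimate RC4 requesters as a list of service accounts to move to AES-only and long random passwords.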
It is done in every possible way. The dumbest form your defenses will allow in is what you get. Can absolutely be done via downloads yes. Because they perform an impersonation attack on you, or use a supplier as an attack vector, and by impersonating a trusted user, they get you to open a file or similar.
Better finetune your email security, because humans are a hard problem. Loads of awareness, phishing drills and information sec training is needed.
Ransomware attacks will often wait after getting into systems, so that they can also encrypt live backups. Air gapped backups from sufficiently long ago will work, but not only is restoring to those usually a pain in the ass, but would also come with significant business cost... which may be more than the ransom. That's the goal, anyway.
The exact question is "in the last year, has your organization been hit by ransomware?". It reads a little vague to me -- is a visible unsuccessful attack the same as getting "hit by ransomware"?
Interesting article, but I would say this is squarely from the perspective of the less technical people involved: lawyers, prosecutors, management types, apart a little bit from Art, who knows about the steps in decryption and so forth. Interesting, nonetheless.
My opinion about it is that many companies don't understand their systems (and yes, I do blame Microsoft, Apple and for that matter Salesforce or Oracle). However, many people don't understand their microwave ovens, myself included, so perhaps it's unrealistic to start that conversation and perhaps focus on the pragmatists, like Art.
Is anyone aware of the implementation of a system where documents are checked out for access, possibly with limited read-only access and only optionally write access? My thought is that documents would then be slotted into categories like unimportant, contains sensitive information, must not be lost, and possibly have greater barriers to access based on these criteria.