I don't know. Seems to be easier (read "cheaper") to run shitty software and not train people well, so this doesn't happen in the first place.
It's not like Ransomware is some god-given thing that just happens.
There's a case in Germany right now where the critical Confluence bug was simply not patched for two weeks after the notice that there's a critical bug/exploit. Now the systems are down and everybody's wondering how that could probably have happened...
'If you have prepared staff and software you are not going to be affected'
All of it is true, no discussion here.
But that's not how real world works. Complex systems, large staff of various skills, temporary access for temporary fix that becomes an established feature because there is something else more important, people leaving and so on.
That's how a <insert boring item> company ends up with their DB not backed up or backed up locally so that's encrypted in the attack too.
And you need info on orders, deliveries, and money etc RIGHT NOW!
You can't protect against the 80-year-old Marthas who IS GOING to click the link regarding her 10,000,000$ payment from the Nigerian prince. She IS GOING to download and install the bank transfer program, and she is going to compromise the entire network.
You can't get rid of the Marthas because the Marthas have been here 30 years and hang out with everyone from the company on weekends, and probably know more about the business than anyone, even if you wanted to get rid of her.
Worse, it's not just ancient Marthas. A high percentage of younger generations—including those who grew up with desktop computers, so you can't just say "oh it's the iPhone's fault"—use computers essentially by rote and habit, without a conceptual understanding of much of it, and I don't mean in a theoretical CS-type sense, but more like plugging in a USB drive and knowing one specific place on one specific kind of window, reached by clicking one particular icon to find it in, and being totally lost if it's not there and/or concerned or confused if it's got a different name than the totally different USB drive you used last week, versus having some sense of what happens when you connect a disk and the sort of place you might be able to find it. It's the difference between "I get there by clicking this, then that" and "I get there by opening my file manager and navigating to what I need". They're saying the same thing, but one implies some understanding, and a resultant resilience and flexibility in use of the computer.
The former are following a script with most everything they do, while the latter have enough understanding to think in categories of behavior and to predict or explain things, at least a little, which doesn't make them immune to phishing, but does make them significantly harder targets. The latter sort are less common than one might hope, even among those younger than Martha, though, which becomes clear if you talk to people who work in non-technical offices—bearing in mind that all but the oldest workers are now mostly Gen X and Millennials, with only a few raised-on-phones Gen Z so far.
Overall, I'd say all signs point to every general-purpose desktop operating system being a usability and security disaster for at least half the population of non-oldsters.
Ransomware won't stop even if you don't pay up. Just destroying the target by data loss can be a sufficient reason for any attacker. No payment needed.
This is wildly incorrect. For criminal groups who intend on making money, that payment is needed on a certain subset of victims or they can’t stay in business.
I am a shady company who wants to take down a competitor. I can hire a hacker who'll do the dirty job for me and then get paid in cold hard cash.
Or a nation state actor can decide to attack an enemy country's infrastructure.
So they were going to destroy data anyway, so this isn’t what outlawing ransom payments is meant to prevent because it can’t. It will prevent ransomware for profit if no one pays.
He’s not blaming the victims for getting attacked by ransomware. He’s blaming people who then pay the attackers. That’s a separate issue. People can be both victims and perpetrators of separate offenses, subject to criticism. I.e. being a victim of one thing does not render you blameless for all your subsequent actions.
Those who pay the attackers might have no other choice. Sure they should have taken backups. But right now they don't have any. What else can they do?
Maybe government can enact laws asking to maintain backups regularly in critical industries.
They can take the hit and live without their data, thereby making the world safer for the rest of us. Focusing only on their own personal problem is the definition of selfishness.
No. In that moment your biggest problem is that all your data is inaccessible. That you don’t have backups reduces options since it precludes that solution, but another one exists: pay the ransom.
> Maybe government can enact laws asking to maintain backups regularly in critical industries.
That's a step in the right direction, but we need more.
If you're critical industry and get ransomwared there should be hefty fines for everyone involved from the top down.
Also there should be hefty fines for any data leaks that are a result of ransomware attacks.
Companies will start moving when getting ransomwared due to low security standards is a major impact on your financials and not like some "put 50k aside for data hostage situations".
The article is a bit long, but I think the most salient parts are:
> Consider, for example, Section 2339(B) of the material support statute, which makes it a crime for a person to provide material support or resources to a designated foreign terrorist organization. [...] But, at its core, it’s a ban on the giving of something of value to a designated overseas group. There is no exception in the law for circumstances like ransoms, though nobody has ever been prosecuted for material support in a situation involving, say, a kidnapping or hostage taking. So if Hamas or Al-Qaeda got into the ransomware business, it would already be a crime to pay the ransom—though it’s not clear whether the government would ever use its enforcement discretion to bring such a case.
> [big list of similar laws]
> Each of the aforementioned authorities is a piece of a legal puzzle that allows the government to target individuals and organizations in certain contexts. But these authorities are generally not well suited to be effective against current ransomware payments in general.
> Generally, most of these laws, like the FCPA, will not apply, because the offending party often has only a tenuous connection—or perhaps no connection at all—to a government official. Even if it does, a prosecutor would have to prove that the payer knew this, which seems improbable.
It seems to fall into this weird gap where it isn't clear if it is more like paying a ransom, paying for an IT service, or more like paying a bribe to continue doing business.
Then the payment will be done by "underground payment processors" with a hefty extra fee. It wouldn't solve the problem I think, only shift the path an organization has to take.
Partly already true. You can’t pay criminals in OFAC listed countries (https://sanctionssearch.ofac.treas.gov/). Now, the issue becomes how do you know? And what happens when it’s your business's existence vs breaking the law?
Break the law. Every time. The fines are minuscule, and you'll likely be able to settle with the government without actually admitting wrongdoing. There's also no personal consequences for the decision makers.
Corporate accountability is laughable. So just break the law, get your small little fine, accept no wrongdoing, and move on.
> unless you're critical to national security, the bottom line is: you're on your own here
Ransomware attacks are now pervasive. I'd argue that even though most individual victims are not critical to national security, society as a whole is under attack. This makes it a national security emergency in my view.
The same can be said for drugs, homelessness, corruption, social media, and literally anything. Society as a whole is under attack by these things, and the costs it pays for them are much higher than ransomware.
I expect the 80% figure to be rather inflated, unless they are talking about attempted attacks and not just successful second attacks, but paying the ransom in no way means you won't be attacked again.
Though thinking about it, if it were only attempted attacks I'd expect the figure to be 100% - criminal types are not known for leaving a potential easy mark alone! If they don't re-attack themselves then they could at least sell or swap to another group information about the potential target (or another group could just catch news on the grapevine).
A ransomware attack is as if your building burned down. If you have not practiced what you will do in case of a fire or flood, you will be offline for weeks.
Reading things like "Ransomware attacks are now pervasive" makes me think very few organizations have practiced what to do despite it being "pervasive."
It isn't easy and it isn't enjoyable. Simply rehearsing restoring a system from a disk failure is stressful and often enough the user finds the backup won't restore properly. But you don't know where the pain points are until you rehearse in a controlled environment.
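The restore rehearsal the comment above argues for can be scripted so it runs on a schedule instead of waiting for an incident. The example below is added here and is not code from any commenter or from the article: it backs up a constructed sample directory, restores the archive into scratch space, and compares the SHA-256 of every restored file against the manifest recorded at backup time. The `run_demo` function runs three drills (a healthy backup, a backup that predates a newly written file, and an archive whose compressed stream has been deliberately clobbered), so the reader can see what each kind of failure looks like before it happens for real. File names and contents are constructed for the illustration.

```python
"""Backup restore drill: back up a directory, restore it into scratch space,
and verify every file's hash against what was recorded at backup time."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of source and return the manifest taken at backup time.
    In a real drill the manifest is kept off-host, next to the archive copy."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore_drill(archive: Path, expected: dict) -> dict:
    """Extract archive into a throwaway directory and compare it to expected.
    The report says whether a real restore would actually have worked."""
    report = {"ok": False, "missing": [], "mismatched": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python provides it
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(dest, filter="data")
                else:
                    tar.extractall(dest)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        restored = manifest(dest)
        report["missing"] = sorted(set(expected) - set(restored))
        report["mismatched"] = sorted(
            name for name, digest in expected.items()
            if name in restored and restored[name] != digest)
        report["ok"] = not (report["missing"] or report["mismatched"])
    return report


def run_demo() -> dict:
    """Three drills over a constructed sample tree: a healthy backup, a backup
    taken before a file was written, and an archive with a damaged stream."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = work / "orders-db"  # constructed sample data, not real records
        (source / "2024").mkdir(parents=True)
        (source / "orders.csv").write_text("id,customer,total\n1,acme,120.50\n")
        (source / "2024" / "deliveries.csv").write_text("id,order,status\n1,1,shipped\n")

        archive = work / "orders-db.tar.gz"
        expected = make_backup(source, archive)
        results["healthy"] = restore_drill(archive, expected)

        # Data written after the last backup is exactly what a restore cannot return
        (source / "invoices.csv").write_text("id,order,amount\n1,1,120.50\n")
        results["stale"] = restore_drill(archive, manifest(source))

        # Simulate media damage: keep the gzip header, zero the start of the stream
        damaged = work / "orders-db-damaged.tar.gz"
        data = archive.read_bytes()
        damaged.write_bytes(data[:10] + bytes(16) + data[26:])
        results["corrupt"] = restore_drill(damaged, expected)
    return results


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

The drill reports three distinct outcomes: the healthy archive restores cleanly, the stale one lists `invoices.csv` as missing, and the damaged one records the decompression error instead of silently restoring nothing. Run against a real backup target, the point is that a restore which was never exercised is indistinguishable from one that does not work.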
IMO, the next major war won't be fought with missiles and bullets. No democratic government will want to mass-murder citizens. I think the next major war will be cyber.
We've seen what hackers are capable of with Colonial Pipeline. We've seen the damage that can be done by taking out Texas' energy grid.
By targeting infrastructure that directly affects citizens, adversaries can influence the democratic process.
If China is able to take out the internet infrastructure in a city like Seattle, people are going to look for someone to blame. That person would likely be whoever is in charge of the country at that point.
> Shah's experience is different to most others this writer has talked to in that he doesn't see repeat attacks
The idea of repeated attacks and leaked data when the ransom is paid is delusional.
Yet somehow this idea persists.
I'm not sure if the average person believes it or just the ones who speak loudest. But it seems an example of the masses believing something both illogical and not true. A bit like torture not working, the ability to mess with people's brains is scary.
Oh, and of course make sure it can't happen in the beginning.