This article makes the point that law enforcement agencies take the stance that paying a ransom further encourages this behavior from hackers.<p>In the case of state or public institutions like this, would it be advisable for legislatures to make it illegal for state entities to pay ransoms, and then very publicly announce these laws? I.e. can/should we make credible, public commitments in advance to not pay ransom, or to remove that choice from the organization-level administrators? Would this make these organizations less appealing targets?<p>"Sorry, we are not authorized to pay you any ransom due to SB-XYZ. If you can get several hundred thousand signatures from CA residents to petition for a referendum to overturn this law, we may be able to pay you a ransom after ... well not the upcoming election but maybe the one after that."
Previous discussion here:
<a href="https://news.ycombinator.com/item?id=23659590" rel="nofollow">https://news.ycombinator.com/item?id=23659590</a><p>And discussion from years back when they outsourced all of their IT:
<a href="https://news.ycombinator.com/item?id=12870150" rel="nofollow">https://news.ycombinator.com/item?id=12870150</a>
Email your congressman/woman: Paying extortion fees to cybercriminals should be illegal - and severely so. With the stroke of a pen, a law making the practice illegal would immediately allow every institution and corporation in America to say, "We cannot pay your fee no matter how hard you press us, as we would face jail time if we did so."<p>Would gangs still try to extort people? Of course. But large institutions would no longer be a target, because their internal controls would prevent the payment of extortion fees. Small organizations might still pay fees, but the potential take for gangs would be reduced remarkably.
> And an anonymous tip-off enabled BBC News to follow the ransom negotiations in a live chat on the dark web.<p>So, that "anonymous tip-off" was obviously from the hackers, right? I guess the other option is a "whistleblower" at UCSF (would anyone else know about it?), but the hackers have a lot to benefit from everyone knowing about it, so next victim thinks "Gee, respected institutions like UCSF are willing to pay the ransom and didn't have the capability to recover otherwise, we should probably just pay the ransom too".
So the bad guys used a public ledger (Bitcoin) to get paid? Why aren't the hackers asking for cryptocurrencies using zero-knowledge proofs like ZCash or Monero? Bitcoin? What's their plan next?<p>I'm not saying you can't get away with this (there are coin "mixers" and decentralized exchanges) but still, this leaves lots of traces left and right.<p>For example we saw a lot of people getting busted recently while they thought they were smart using cryptocurrencies, including a money laundering ring... And they were using mixers, decentralized exchanges, people located over several countries/continents and whatnot if I recall correctly. Yet: all busted.<p>For all we know, in six months the headline could be: "Hackers who extorted 1.14M USD from UCSF arrested by Interpol"<p>Besides that: what happened to offline backups? How exactly are hackers coming for cloned, unplugged HDDs/SSDs stored on shelves / in bank safes? (I know several companies doing just that as offline backups)<p>I hope this serves as a wake up call to companies/institutions either not doing backup properly or outsourcing to incompetent companies not doing backups properly (the latter being not really excusable).
Seems like ransomware negotiation has become a professional service. See: <a href="https://www.prnewswire.com/news-releases/groupsense-launches-ransomware-negotiation-services-301139570.html" rel="nofollow">https://www.prnewswire.com/news-releases/groupsense-launches...</a><p>The negotiations here were similar to the ones CWT had, albeit a little less courteous: <a href="https://www.reuters.com/article/us-cyber-cwt-ransom/payment-sent-travel-giant-cwt-pays-4-5-million-ransom-to-cyber-criminals-idUSKCN24W25W" rel="nofollow">https://www.reuters.com/article/us-cyber-cwt-ransom/payment-...</a>
US Treasury announced recently "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments."<p>I wonder if these will reduce these kind of payments in the future, which seemed to really be ramping up.<p><a href="https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf" rel="nofollow">https://home.treasury.gov/system/files/126/ofac_ransomware_a...</a>
Filesystems that make this possible are the real crime against sanity. Most of the data would be stored on network shares, and the ransomware pulls the files, encrypts them, stores them back to the network share overwriting the original copy. Madness. Yes, disk space isn't cheap, until you see the alternative.<p>We have a basic network filestore at Fastmail; it's not even a key part of our offering, but it stores up to 30 old copies, and if you keep overwriting it does exponential backoff, so you have the oldest copy in the past 2 weeks, plus one from a week ago, plus one from 3 days ago, etc., up until a bunch of very recent copies. Ransomware would have to be running for 2 weeks to wipe out all the original files - and during that time the massive increase in disk usage would alert operations to something going on!<p>Likewise our email server software does integrity checks during replication between machines and won't perma-delete anything for a week after it gets expunged - and message content is immutable after writing, so changing anything is creating a new record and expunging the old one.<p>It costs extra space - but being safe against a client virus like this encrypting all the data on network shares isn't rocket science, and the network filesystem vendors who don't default to data safety are as much to blame as anybody for this still being a problem in $CURRENT_YEAR.
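The retention scheme the comment above describes, as an added model that is not Fastmail's code: every write appends a version rather than overwriting, old versions are thinned to one survivor per doubling age window once a file exceeds its version cap, and the sudden jump in stored bytes when every file is rewritten is what trips the alarm. The parameters (30 versions, 8 always-kept recent copies, a one-hour base window, a 14-day horizon, a 10x growth factor), the decision to thin only when the cap is exceeded, and the constructed workload in `simulate` are all assumptions made for the illustration.

```python
"""Versioned network share with exponential-backoff retention plus a write-surge alarm.
Illustrative model only (not Fastmail's implementation); all parameters are assumed."""
import math
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

HOUR = 3600
DAY = 24 * HOUR


@dataclass(frozen=True)
class Version:
    ts: float   # write time, seconds
    data: bytes


class VersionedStore:
    """Writes append versions; a client can never overwrite an old copy in place."""

    def __init__(self, max_versions=30, recent_keep=8, base=HOUR, horizon=14 * DAY):
        self.max_versions = max_versions  # per-file cap ("up to 30 old copies")
        self.recent_keep = recent_keep    # newest copies are always kept verbatim
        self.base = base                  # width of the youngest age window
        self.horizon = horizon            # versions older than this are dropped
        self.files: Dict[str, List[Version]] = {}

    def write(self, path: str, data: bytes, now: float) -> None:
        versions = self.files.setdefault(path, [])
        versions.append(Version(now, data))
        if len(versions) > self.max_versions:   # assumption: thin only past the cap
            self._thin(versions, now)

    def _window(self, age: float) -> int:
        # Doubling age windows: [0,base), [base,2base), [2base,4base), ...
        return 0 if age < self.base else int(math.log2(age / self.base)) + 1

    def _thin(self, versions: List[Version], now: float) -> None:
        recent = versions[-self.recent_keep:]
        keep: Dict[int, Version] = {}
        for v in versions[:-self.recent_keep]:
            age = now - v.ts
            if age > self.horizon:
                continue
            w = self._window(age)
            # One survivor per window, the oldest one, so the oldest copy inside
            # the horizon is never the copy that gets evicted.
            if w not in keep or v.ts < keep[w].ts:
                keep[w] = v
        survivors = sorted(keep.values(), key=lambda v: v.ts) + recent
        versions[:] = survivors[-self.max_versions:]

    def restore(self, path: str, as_of: float) -> Optional[bytes]:
        """Point-in-time recovery: newest version written at or before `as_of`."""
        for v in reversed(self.files.get(path, [])):
            if v.ts <= as_of:
                return v.data
        return None

    def version_count(self, path: str) -> int:
        return len(self.files.get(path, []))

    def oldest_ts(self, path: str) -> float:
        return self.files[path][0].ts


class GrowthAlarm:
    """Flags a write surge: bytes written in the last window vs. the recent hourly mean."""

    def __init__(self, window=HOUR, baseline_windows=24, factor=10.0):
        self.window, self.baseline_windows, self.factor = window, baseline_windows, factor
        self.events: Deque[Tuple[float, int]] = deque()

    def record(self, now: float, nbytes: int) -> None:
        self.events.append((now, nbytes))
        cutoff = now - self.window * (self.baseline_windows + 1)
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()

    def is_surge(self, now: float) -> bool:
        current = sum(b for t, b in self.events if t > now - self.window)
        older = [b for t, b in self.events if t <= now - self.window]
        if not older:
            return False                     # no baseline yet
        baseline = sum(older) / self.baseline_windows
        return current > self.factor * baseline


def simulate(n_files=50, clean_hours=13 * 24, attack_size=1024) -> dict:
    """Constructed workload: hourly edits of every file for 13 days, then a
    ransomware pass that rewrites all files with 1 KiB blobs within one minute."""
    store, alarm = VersionedStore(), GrowthAlarm()
    paths = [f"share/doc{i}.txt" for i in range(n_files)]
    for h in range(clean_hours):
        now = h * HOUR
        for p in paths:
            payload = f"clean v{h}".encode()
            store.write(p, payload, now)
            alarm.record(now, len(payload))
    quiet = alarm.is_surge((clean_hours - 1) * HOUR)
    attack_t = clean_hours * HOUR
    for i, p in enumerate(paths):
        store.write(p, b"\x00" * attack_size, attack_t + i)   # one file per second
        alarm.record(attack_t + i, attack_size)
    return {
        "surge_before": quiet,
        "surge_after": alarm.is_surge(attack_t + n_files),
        "versions": store.version_count(paths[0]),
        "oldest_ts": store.oldest_ts(paths[0]),
        "restored": store.restore(paths[0], attack_t - 1),
        "latest": store.restore(paths[0], attack_t + n_files),
    }
```

Run `simulate()`: the encrypted blobs land as new versions, `restore(path, attack_t - 1)` still hands back the last clean copy, the first-ever version from 13 days earlier survives every thinning pass, and the alarm is silent during normal editing but fires on the rewrite burst. Note the trade-off this scheme accepts: beyond the always-kept recent copies you get at most one version per doubling window, so the retained history is coarse, and the surviving copy in each window drifts as versions age across window boundaries.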
It really bugs me when I hear of institutions paying these ransoms.<p>Regardless of the damage, I'd just take the bullet, fix my security, and not pay. Be consistent in this, and keep it up for a while. Long term: no more extortion for anyone.
Enterprises generally go too far in the direction of restricting data access and copies of data, making themselves more fragile. They should outsource custodianship of data or do like what aws etc do, proper backups and fail tolerance.
Hi, I'm not sure if my comment will be read since there are a lot of them already, but what would the best move be for a medium-sized company in this situation?<p>Hypothetically, the fees won't be as astronomical as in UCSF's case, but the importance of the data being held for ransom will still be the same. Should they take the risk of getting their financial/healthcare/IT data uploaded to the public if they don't pay the fee?
Can’t NSA (or FBI) track down these attackers, or help decrypt the data?<p>At least then it makes a useful service for the public, also clears doubts on its crypto capabilities.
And what about backups? Is it cheaper to pay the ransom than to reinstall and copy data? And then cut off f* internet until some security is in place??<p>If that ransomware uses something like flash for persistence, why not ask some jury to force hardware manufacturers to stop enabling worse and worse viruses? Floppies, CD autoplay, USB, FireWire, Thunderbolt, 5G networking - everything exploitable right from the factory.
Attacks like this make me think there's a real ($1+ billion opportunity) business in making a tech-first insurance company for security incidents.<p>Write insurance policies for major companies. But as a pre-condition for getting underwritten you have to submit to periodic security review by legit security pros. Failure to adhere to security recommendations means your policy gets dropped.
These are acts of war by foreign entities against US citizens, hospitals, and governments. The lack of military response is dumbfounding and unacceptable.<p>The NSA is recording every byte of data crossing our borders, and also much internal traffic, and they are unable or unwilling to track down these perpetrators?
A more capitalist solution to the ransomware problem could be ransomware insurance, ideally mandated. You get hit and the company pays. But your premium rises the next time and till forever. You can get premium incentives to do audits and update software.
Lower premiums show up in the balance sheet as profit and therefore there is immediate incentive to act on security issues. The insurance company has enough incentive to track the victim that some action might get taken.
Pretty remarkable that this data was worth at least a million dollars to UCSF, but it apparently wasn't worth paying for backups, or hiring IT staff who aren't idiots.
It's hard to empathize with a corrupt entity that makes billions a year from swindling students and patients, all while maintaining a non-profit status. Par for the course with universities and large hospitals. Profit focused corruption leads them to not paying a good IT team.