Imagine the knowledge of a 0day (and how to fix it) as being the cure for a disease. Picture what withholding it would look like. In this year, if ever, people should realize how crazy dangerous and irresponsible this kind of behavior would seem if it happened to not be done with software.<p>So here's an idea: improve security by stopping the hoarding of 0days.<p>Built a company that buys 0days and <i>doesn't</i> immediately turn around to get them fixed? Too bad, this is a business model that leeches off everyone's insecurity and is now deemed unethical like so many other seemingly-genius business plans. If you're that good, go find a different thing to do with your time.<p>Note that this applies to states too: in my book they're welcome to buy/incentivize 0day info, but only to then get stuff fixed ASAP. Any state that keeps a 0day "just in case" is failing to protect (among others) its own citizens.
To me at least, it doesn't feel relentless, and it's not sudden at all. It has been relentless for years now. I'm glad to see it getting more attention, finally, and more people are suddenly paying attention to the problem. This is a short and sweet look at the problem for people who are just now suddenly noticing the problem.<p>They say it's the result of inaction, new tactics, criminals having safe harbor and ubiquitous connectivity.<p>I'm surprised they don't call out the "mostly unregulated cryptocurrency" stuff a bit more as a cause as well.
I've been writing about the insecurity of Windows, MacOS and Linux since 2005[1], nothing is sudden about this.<p>We still collectively haven't learned the need for Capability Based Security[2]. I give it 5 more years before people finally catch on.<p>[1] - <a href="http://mikewarot.blogspot.com/2005/08/secure-computing.html" rel="nofollow">http://mikewarot.blogspot.com/2005/08/secure-computing.html</a><p>[2] - <a href="http://evlan.org/concepts/capabilities/" rel="nofollow">http://evlan.org/concepts/capabilities/</a>
Outlaw crypto. Ransomware would go away overnight, the electricity would no longer be wasted, people could afford to play videogames again. The only downside is the collapse of a no-value asset bubble.
Until you hold these companies and their management directly responsible, it will continue.<p>The issue here is the same as it has always been: cost cutting, poor management, poor oversight, and laziness. We have infrastructure-sensitive industries being hit, and in the years preceding the hits, full of heavily reported ransomware incidents, zero audits were conducted that flagged these problems, backup strategies weren't reformed (i.e. they have no offline backups), network onioning wasn't utilized, and other basic 101 security strategies weren't employed.<p>All we hear over and over is "they're CRIMINALS," "they're in [foreign country]!" but ultimately that is a distraction; there will <i>always</i> be criminals, and they will always operate beyond the reach of the law. What matters is mitigating their ability to do damage, which we absolutely can and should do.<p>If senior management started being fired and companies heavily fined, this problem would magically disappear (or its impacts be substantially reduced, like a two-day outage while they restored offline backups instead of multi-week). This isn't because criminals stopped being criminals, it is because this is all just a symptom of a <i>different</i> problem: corporate responsibility, or lack thereof.<p>Congress should take action, fund mandatory audits on private infrastructure companies and impose large fines on companies & senior executives that cause widespread disruption. Even the threat would be highly effective and the pocket-books would magically open to pay for security professionals and fixes.
I think we're seeing two things: increased reporting because of increased interest and an actual uptick in actual ransomware attacks. The rate of attack isn't necessarily increasing with the rate of increase in reporting, but both are up YoY.<p>For increased interest, the Colonial Pipeline shutdown had huge far-reaching effects beyond the cost to the company. News of the situation reached beyond tech wonks. It also impacted tons of people not directly related to CPC.<p>To the uptick in successful attacks, the increase in working from home probably has a lot to do with it. A virus that wouldn't make it past an enterprise firewall will more easily hit some user at home. They then connect to the corporate VPN for work and bridge past a lot of firewalls and IDSes. Companies that might have decent network security are poking a lot of holes to handle people WFH that they never had previously.<p>Joe from Accounting, who's a wiz in Excel but falls for every phishing e-mail that hits his inbox, is a <i>bigger</i> problem WFH than when at the office. He's a match in a powder mill when he connects to the corporate VPN from his malware-riddled home PC. Was he not supposed to install totallylegitzoominstaller.exe from totesthisiszoom.ru?
I may have an extremely pessimistic view of things, but things aren't going to change until the incentives have changed.<p>This is nothing new, or surprising if you look at human nature. The big issue with security these days is that bad behaviors are not just common practice; in many cases they are incentivized. Many companies have pushed the risk into cyber security insurance policies, or if they haven't, they can create massive paper "losses" when a cyber incident happens. Prior to ransomware, if companies were smart, they could actually make money off a cyber incident, versus spending money to prevent an incident.<p>I would say the tipping point for many executives was in realizing that the Equifax breach (one of the biggest in history up to that time) had literally zero impact on their business long term. The company was focused on monitoring credit and many would have assumed the company would have a responsibility to secure its data.<p>Unfortunately this was a light bulb moment for many execs, and the light bulb wasn't a good one for their customers or society at large. They basically found out that data breaches don't really matter and if you weather the storm there is very little impact to your business. Yes, your customers lose their data, but if you need to minimize overhead costs, why spend a ton of money on a security program that doesn't have a guarantee of stopping it anyway?<p>Fast forward to 2021, with crypto being so ubiquitous and realizing that companies have largely forgotten or shut down their Business Continuity Planning (BCP) programs they stood up after 9/11, bad actors are having a field day. Actors were very active stealing DBs and trying to extort people, but they largely found that people either didn't believe them or didn't care.<p>With ransomware, they basically prevent the business from doing <i>anything</i>, and that is just not something that can be ignored like data theft/extortion attempts.
If someone steals your customer ACH information from your accounting database, no big deal, but if you can't accept payments from your customers... They are literally not making money.<p>I have worked in information security for ~20 years and I don't believe that there will be any improvements until there are major changes to the incentives that customers have to protect their customer information/data. If anything the ransomware threat is one of the few things actually causing many companies to invest in their security programs.
The article hits some spot-on notes. The other missing piece is just how non-technical organizations can be out of their depth when it comes to the lifecycle of IT hygiene, vulnerability management and training their staff to be security minded. A mid-size school district really has two options to secure itself: get the expertise in house, which could result in easily exploitable gaps, or spend a non-trivial amount of budget working with endpoint protection vendors. I can imagine it's hard to explain to a rural school board that you either do this now, or pay majorly later.<p>Luckily for everyone, the endpoint protection market is evolving rapidly, and these solutions do work. Big Game Hunters aren't superhumans; they exploit the things that on-the-ball IT teams and endpoint security vendors can easily fix: unpatched vulnerabilities, misconfigured endpoints and mismanaged credentials. Unluckily for everyone, the threat actors, for the reasons laid out in this article, are evolving too. And on top of that there's no shortage of vulnerabilities either.<p>I expect things to get worse before they get better. But do I expect Big Game Hunting to be a major problem in 15-20 years? I don't think so, because eventually every IT device in most any organization will have some type of cloud-connected security baked into its cost. Do I think there's a likelihood it will be worse in 2-3 years? Most likely yes.
How much do companies and governments buying back their data and secrets in these attacks push up the prices of the cryptocurrencies used for the ransoms? What % of ransomware attacks are not reported to the media?
I'm definitely in favor of blaming Trump and Russia, because we <i>certainly</i> can't blame:<p>- tech companies for selling software and hardware riddled with security flaws<p>- the legal system for absolving said companies from any liability whatsoever<p>- customers who are unwilling to pay more for reliability, security, or recoverable backups<p>- those who pay the ransoms, ensuring steady income for criminal extortionists.