US School Agrees To Pay $8,500 To Get Rid Of Ransomware (softpedia.com)
An anonymous reader writes: Earlier this week, the media was abuzz with the case of the Hollywood hospital that almost shut down its operations because of a ransomware infection, which it eventually paid. Something similar happened around the same time in a South Carolina school district when ransomware shut down an elementary school's servers. The school had to pay $8,500.
Re:habit? (Score:5, Interesting)
It would be better if it became the habit to spend money on security. That $8500 would have gone a long way towards decent security measures.
One wonders, though, what an elementary school district needs with 25 servers (or more; TFA says 25 were affected). What was so mission critical that it was worth paying cash to get back? Why not just format the affected machines, reinstall, and be done with it? The database that says little Timmy got a B last year just isn't mission critical.
Re:habit? (Score:5, Interesting)
One wonders, though, what an elementary school district needs with 25 servers
There are a lot of federal dollars available for things like "computers in the classroom" and "cops in schools" that don't really make much sense, but, hey, it's free money, and can't be used for anything else. The elementary school that my kid attends has a $250,000 Cisco enterprise system that handles less traffic than the $39 Netgear router that I have at home. A federal grant paid for it, and on top of that, Cisco made a nice donation to the enrichment program, so it was a no-brainer.
Re: (Score:2)
...Why not just format the affected machines, reinstall, and be done with it? ...
It could be an inside job too.
Re: (Score:2)
What if they were to just format the affected machines, restore from the latest backup prior to the intrusion, and be done...
Oh, wait.
Re: (Score:2)
Assuming it encrypted the stuff for 6 months, then refused to hand it over when you ran a DB query, etc.
If it's offering up unencrypted data for 6 months then you have 6 months of unencrypted data to work from until it locked the thing last week.
Re: habit? (Score:2)
Several thousand employees, perhaps. School districts are big employers who also have lawyers, accountants, business analysts, and shared drives and applications too, just like the private sector.
Re: (Score:2)
It would be better if it became the habit to spend money on security...
Also, on VERY frequent offline backups using increasingly cheap mass storage options. And possibly even duplicate server racks. Get a call from your neighbourhood data extortionist? Take the servers offline, patch the hole, restore from backups or switch over to the second rack, and tell the extortionists to fuck off.
Re: (Score:2)
"It would be better if it became the habit to spend money on security."
And backups. $8500 buys a pretty decent box to run Bacula on.
Re: (Score:2)
Or a reliable backup system.
One of our senior management got hit by one of these, and since he had access to all the different network shares, did quite a bit of damage.
Something over 37,000 files restored from the backups later and no ransom had to go anywhere.
It is not a good idea to pay extortionists (Score:3)
You start paying, they find more targets, make their scam more professional, etc. At the moment, these are still common criminals, as can be seen by the low sums demanded (completely out of proportion compared to the damage done), but that will now change.
The good thing is that Bitcoin is not really anonymous, unlike the common wisdom. With a bit of luck these people will be identified. The bad thing is that it will take some time and by then others will have copied the scam.
Re: (Score:3)
But for this, Bitcoin doesn't need to be anonymous; it just needs to be non-seizable. Most don't use PayPal or CC merchant accounts anymore because they get frozen before they can do anything with them.
Bitcoin doesn't get seized, frozen, revoked or invalidated. So despite being trackable, it's a better choice because they are unlikely to lose access to it after they've received it.
Re: (Score:3)
it just needs to be non-seizable
Start marking bitcoins paid as ransoms like this as 'dirty', and get as many vendors as possible to ban 'dirty' bitcoins.
A user who notices that X amount of his bitcoin has been marked dirty and unacceptable, and has to sell it at a loss, is going to get pissed at where he got it from - and will probably implement checking for dirt himself. Then the anonymizers and places that accept ransom bitcoins for laundering will have regular users start avoiding them, etc...
Re: (Score:2)
You mean like people do with counterfeit bills?
Re: (Score:2)
Pretty much - people only don't bother checking when the rate is low enough not to matter.
Re: (Score:2)
"The good thing is that Bitcoin is not really anonymous, unlike the common wisdom. With a bit of luck these people will be identified. The bad thing is that it will take some time and by then others will have copied the scam."
So why is the all-seeing, omnipotent NSA not able to nail ransomware hackers? I've heard the excuse that ransomware was below their level of concern, but now governments are being targeted, and this has already included police agencies. My take is that the NSA cannot see as much as it
Re: (Score:1)
It's the public who have ascribed god-like powers to the NSA, not the other way around. In the rush to condemn NSA intelligence operations, the capabilities and intentions needed to be exaggerated in the extreme. Of course distortions and outright lies are acceptable when attacking the NSA because they are evil incarnate that need to be closed down, so any means to accomplish this goal is allowed. The ole "the end justifies the means" is the guiding mantra of today's social justice warriors. And any other o
Re: (Score:2)
Maybe, but damn, they are experts on droids and iPhones. Good for something, I guess, just not much of anything else.
If that were so, why are they desperately wheedling for Apple to bail them out of their inability to crack an iPhone?
Re: (Score:3)
The NSA does not claim to see as much as people think. I once asked somebody mid-high in the NSA this question and he said "If we really could do what people think we can do, then the world would look differently." Entirely convincing.
Your second mistake is that identification of such criminals is a fast process. It is not. Ask again in a year or so.
Re: (Score:2)
That is exactly the point: History proves nicely that the NSA has rather strong limits.
Of course for people deep in paranoia (you seem to be), the NSA is the all-seeing, all-knowing entity that everybody needs to be deeply afraid of. Here is a hint: that idea has been used throughout history to control people and make them self-censor through chilling effects. Usually it was called "God". This has worked well on many people, despite its obvious invalidity.
Back in the real world, the NSA TAO (Targeted Access Orga
Re: (Score:2)
Let's say you traced the bitcoin transaction to Russia or Ukraine (which is pretty likely). What are you going to do if the local sovereign government refuses to extradite? I wouldn't be at all surprised to find the NSA knows who these people are, but we're not ready to go to war over the odd $8500.
Re: (Score:2)
Just hire local mafiosi to do some "wet work."
Re:It is not a good idea to pay extortionists (Score:5, Insightful)
You start paying, they find more targets, make their scam more professional, etc.
That isn't all bad. In the past, insecure systems were hijacked and used as spam-bots, so the cost of the insecurity was borne by others. At least with ransomware the cost is borne directly by the bozos running MS-Windows on their servers.
Re: (Score:2)
Well, yes. And as they will now scale up their attacks, the problem will get a lot more pressing. Still, not paying them would have also had an effect in that direction and this will hit a lot of people that are actually not responsible for the IT screwups.
Re: (Score:2)
"And as they will now scale up their attacks, the problem will get a lot more pressing."
At some point they'll step on the wrong toes and find themselves floating face down in a pond somewhere.
Re: (Score:2)
I doubt it and even if it happens it will not matter. Otherwise we would not have crime, now would we? Threatening violence has never reduced crime to any significant degree. Criminals do not expect they will get caught. The whole idea law enforcement is based on is rather seriously broken.
Re: (Score:2)
I do not disagree. The technical sophistication is also a sign that these are not complete beginners. But there is one other thing: they do not make a lot of money at the moment, but this type of attack does scale. They have now been validated. They will try hard to get a lot more targets in the near future.
Bet it goes like this... (Score:1)
"The school's IT staff said the ransomware penetrated their network through an older server running outdated equipment."
And proceeded to propagate through their network through newer servers running outdated equipment...
Re: (Score:1)
Yup.
Is this what we want to be teaching? (Score:1)
Do we really want to be teaching children to negotiate with terrorists?
Re: (Score:2)
But there is good news too! We can be unpussified by following a few simple steps: http://www.welivesecurity.com/... [welivesecurity.com]
Re:Is this what we want to be teaching? (Score:5, Informative)
Do we really want to be teaching children to negotiate with terrorists?
The obvious way around that is to stop calling everyone who breathes a "terrorist".
Re: (Score:2)
We almost have "tourist" defined as "terrorist" too, but Egypt is farther along in that aspect than we are in the US.
http://news.antiwar.com/2015/0... [antiwar.com]
Although I think we will have that figured out within the next 10 years.
Shame on them (Score:1)
It should be illegal to pay ransomware criminals.
Re: Shame on them (Score:2)
It IS illegal to pay criminals for their activities. We should be trying these decision makers for funding terrorism.
Re:Shame on them (Score:4, Insightful)
It should be illegal to pay ransomware criminals.
Especially if, as in this case, they are being paid with tax dollars. I can understand an unprincipled individual or private company paying ransomware, but for a government entity to pay off criminals with public funds is vile. If this was legal, we need to change the law. If it was illegal, the decision maker should be prosecuted.
Re: (Score:2)
So instead of complaining that they paid off a criminal, you can complain that they spent more tax-payer money than was necessary and demand that the decision-maker be prosecuted.
Horry County school district (South Carolina, US) (Score:4, Interesting)
Horry County school district (South Carolina, US). Got it! Thanks for the tip ;-)
At least banks and other victim institutions keep the whole thing secret. Great idea to render it public.
Another funny part in TFA:
Coincidentally, when the ransomware incident happened, the school's administration was looking into hiring an outside security provider.
What if it wasn't coincidental?
Re: (Score:2)
Anyone else read that as Horny County?
Re: (Score:2)
Not me, I first thought it was a misspelling of "Whory".
TCO? (Score:2)
So when are we going to start including ransomware into the total cost of ownership?
Have any technical articles been posted on what all of these 'servers' were running?
Re: (Score:2)
Have any technical articles been posted on what all of these 'servers' were running?
Well, take a guess...
Re: TCO? (Score:5, Informative)
$8500 is cheaper than paying a decent SysAdmin. These criminals know at what point to price their services so that these institutions can continue putting their clients at risk.
Re: (Score:2)
$8500 is cheaper than paying a decent SysAdmin.
School administrators have no way of telling a good sysadmin from a bad sysadmin. Either would have a salary+benefits of over $100k/year, which few schools can afford. Schools can get federal grants to buy equipment, but salaries come out of their own budget.
Re: (Score:2)
School administrators have no way of telling a good sysadmin from a bad sysadmin. Either would have a salary+benefits of over $100k/year, which few schools can afford. Schools can get federal grants to buy equipment, but salaries come out of their own budget.
Assuming each school needed a full time sysadmin, which they most likely do not. $100k to pay an admin to keep an eye on a portion of the schools in the school board is far more reasonable. And would then come from the board's budget, not the school.
Re: (Score:3)
I live in SC; many sysadmins are paid $40,000-$50,000/yr in this area, especially those working for low-budget school systems or smaller organizations.
Re: (Score:2)
I live in SC; many sysadmins are paid $40,000-$50,000/yr in this area.
Once you add in benefits, pensions, overhead, and management, $50k is $100k. Burdened employment costs tend to be higher for governments, and even higher for public schools.
Anyone heard of (Score:2)
Once you add in benefits, pensions, overhead, and management, $50k is $100k. Burdened employment costs tend to be higher for governments, and even higher for public schools.
Software As A Service?
Re: (Score:2)
Hell, $8500 is probably cheaper than paying some contractors to test the security of your network. $8500 is peanuts to a hospital running 25+ servers.
Re: (Score:3)
That assumes they only get hit once.
This is a good reminder (Score:3)
For me to do my offline backups.
What's the attack vector? (Score:3)
Re: (Score:2)
"Phishing is the most common,"
A stat from several sites I work with - about 200,000 people in all.
Phishes are spotted and ignored by 97% of users - but that last 3% are a major problem.
We've even had secretarial staff disable antivirus systems giving warnings about infected attachments in order to open things "because it might be important".
And no, they can't be fired.
The real question in all this: (Score:3)
Is anyone going to learn from these unfortunate incidents? There is no excuse for there not being decent security precautions and procedures in the IT department of any organization, and there likewise is no excuse for there not being adequate incremental backups of critical systems. Basically this school and the hospital in Hollywood were sloppy, and criminals capitalized (literally) on their sloppiness.
Re: (Score:1)
"shitposting"... Fine verb!!!!!!!
Re: (Score:1)
There is something to make good out of this very bad habit: those who were certainly cornered into paying terrorists have to recognize the need to submit any decryption tools they were provided with to the people fighting terrorists of that kind. That includes analysts of the BleepingComputer community and makers of security tools; Kaspersky is one that springs to mind in regard to providing decryption utilities for the public. Traces of communication and funds have to be professionally investigated as well,
Re: (Score:2)
There is no acceptable answer in just paying ransom, funding terrorists for their next gigs.
First of all, there is little to no evidence that these were 'terrorists', not in the current-events sense of the word; it's just cyber-criminals, could be anyone really, could be some edgy teenagers looking to score some cash any way they can. Secondly, if you're saying we need to comply with anything and everything that the police (local LEOs, FBI, NSA, CIA, etc.) demand of us, just because they demand it, then I have two choice words for you which I will uncharacteristically refrain from using on you, and
Re: (Score:1)
It is about professional and most efficient handling of the given circumstances. We are mostly professionals gathering here. Teenagers are not very likely to have the balls to arrange that scale of operations with the quality needed.
I am not going to deal with your opinion just because it bears very little in the above-mentioned light of professional stance.
Re: (Score:2)
I am not going to deal with your opinion just because it bears very little in the above-mentioned light of professional stance.
Same to you, buddy.
Re: (Score:1)
You can widen the use of the word, deriving from what terror is associated with:
ORIGIN late Middle English : from Old French terrour, from Latin terror, from terrere ‘frighten.’
Take a look at the meanings of terrorize, for your next.
If you dig a little, you would quickly find that "the definition of terrorism has proven controversial".
This gives you no good ground to tell that you know better than others what the word means.
Re: (Score:2)
it's much cheaper to take your chances and pay the very affordable ransom instead
I find that to be an extremely cowardly attitude to take, and a completely unnecessary and irresponsible one to boot. It's a don't-give-a-damn attitude and I find it reprehensible; if someone worked for me and took that sort of attitude towards the problem, they'd be fired on the spot.
No (Score:2)
Good! (Score:2)
i hope you know / this will go down (Score:3)
God dammit, when I heard my elementary school got hacked I thought I was finally going to be able to get out from under the pernicious shadow of my Permanent Record!
When I was at school... (Score:2)
Windows and offshoring (Score:2)
Several decades ago, America used to be concerned about Security. Now, it is a joke.
An *elementary* school? (Score:1)
Re: (Score:2)
You could fit a typical student record on a 3x5 card ... suck it up and just tell the crooks to go pound sand.
Assuming that payroll wasn't handled by one of the servers affected...
Re: (Score:2)
You could fit a typical student record on a 3x5 card ... suck it up and just tell the crooks to go pound sand.
Assuming that payroll wasn't handled by one of the servers affected...
Housed in the elementary school, instead of at the district level?
In any case, if they can't piece together what they were paying people ... sheesh.
Everyone keeps talking about security, but .... (Score:2)
... what about good backups?!
Just last week, one of my co-workers attended a Cisco seminar where they were peddling an "all inclusive" system to try to stop malware, and especially ransomware. It involved software you had to load on all of the clients, server-side software and special firewall type gear, all to try to "proactively stop ransomware from phoning home or uploading content anyplace". The price tag, obviously, was pretty steep as well.
Pulling his buddy, who worked at Cisco, aside for a minute, he
Re: (Score:2)
Give it time, and they'll figure a way around that, too. Off the top of my head, I'd say ransomware writers could put a delay in their software, before it does anything - say 6 months after it finds a new system. By that time, the ransomware will be all over the backups. Then what?
Computers down because of ransomware infection? (Score:1)
older server running outdated equipment. (Score:2)
older server running outdated equipment. Well, the Republicans failed to fund newer IT hardware and software.
Re: older server running outdated equipment. (Score:4, Interesting)
apt-get upgrade doesn't require any new funding, not even new hardware; this isn't hardware failing, this is incompetence succeeding.