Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Businesses Security The Almighty Buck Technology

Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers (propublica.org) 88

As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra. From a report: Proven Data promised to help ransomware victims by unlocking their data with the "latest technology," according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica. Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran.

This discussion has been archived. No new comments can be posted.

Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers

Comments Filter:
  • If the end users were led to believe no ransom would be paid, there may be a civil or criminal fraud case against the company that paid the ransom.

    If the final recipient of the money was known to be on any "prohibited-to-do-business-with" list and anyone along the chain 1) knew it or should have known it and 2) knew or should have known that payment would wind up in that person's or entity's hands, then there could be more serious charges. I'm thinking about future cases where the ransomware is widely know

    • If the end users were led to believe no ransom would be paid, there may be a civil or criminal fraud case against the company that paid the ransom.

      If the final recipient of the money was known to be on any "prohibited-to-do-business-with" list and anyone along the chain 1) knew it or should have known it and 2) knew or should have known that payment would wind up in that person's or entity's hands, then there could be more serious charges. I'm thinking about future cases where the ransomware is widely known to be tied to terrorists or other organizations or individuals that are on a United States "don't do business with them" blacklist.

      I'd be pretty pissed if the company I paid to fix my shit just paid the ransom and pocketed the difference.

  • by Excelcia ( 906188 ) <slashdot@excelcia.ca> on Wednesday May 15, 2019 @01:58PM (#58597820) Homepage Journal

    I have to say, I have mixed feelings about ransomware "victims". I feel like it's akin to leaving my wallet somewhere, with PINs written in sharpie on all my cards, not reporting the cards stolen, then being upset that someone cleaned out my account. If you are making proper, weekly backups then you're just not really vulnerable to ransomware. If you're not making proper, weekly backups then you're already dumb and I almost think that getting hit by ransomware is akin to stupid tax. Maybe it'll prompt you to be a little smarter about your online practices and more disciplined about your backups.

    That being said, the ransomware payments do benefit criminals and terrorists, hence the mixed feelings. Maybe I should get into ransomware attacks and then donate the proceeds to a good charity. Best of both worlds.

    • weekly? Some people and places make very high value information daily. We're not talking about your porn collection and vacation photos here....

      • weekly? Some people and places make very high value information daily. We're not talking about your porn collection and vacation photos here....

        Fair enough, but the sentiment is the same. If you are daily generating data that is of greater value than the cost of paying someone who uses its loss to extort money from you, then your data is of the kind of value that necessitates daily backups. If you are not doing backups on a schedule that is commensurate with the volume and value of data you are generating, then you are being negligent. It's that simple. You are inviting crime. The more people that leave their houses unlocked, the more criminals

      • Daily?!
        If you are in any financial transactional envionment, if you are not doing 15 min incremental backups off your database you are about stupid.

      • He's talking about users and their own personal information, not companies and their sensitive data. Obviously the more important the data the more frequently you back up.

      • by darkain ( 749283 )

        As I've mentioned elsewhere: just use a copy-on-write file system like ZFS with snapshots. Hell, if your business is generating that much data, you could snapshot every minute if need be. I have this in one deployment. Snapshots are created every minute with a 2-hour expiration. Hourly snapshots are created with weekly expiration. Daily snapshots are created with no expiration. Every snapshot is pushed to an off-site location right after it is created.

        • ZFS isn't feasible for everyone. A daily, incremental backup tool like rsync is probably sufficient for most people's needs.
          • by darkain ( 749283 )

            Considering that modern NAS systems use ZFS now, it is fairly trivial to do. These stories are not about "normal" users either, these are businesses that are most likely using a centralized server for storage anyways. So why not use a solution that not only stores data, but also secures it? This is called risk management.

            Rsync isn't a solution. If a file becomes corrupt or encrypted via these malware attacks, what happens? Rsync will simply copy the local broken file over the remote good file, and then you

    • by Bigjeff5 ( 1143585 ) on Wednesday May 15, 2019 @02:21PM (#58598014)

      It's an unexpected failure point. Most people aren't computer experts, or security experts, or anything in between. They know how to do what they need to do and not much else. They don't necessarily even realize that their data even needs protecting. It's there on their computer, after all, what could happen to it?

      People don't usually get backup religion until they lose a lot of important data. Ransomware is just another reason to get backup religion, and people still won't get backup religion unless they or someone they know well are affected by not having good backups.

      • Non-companies, aka average persons, should just do one of these things.

        1. Email your most important files to yourself, so whatever email system you have will keep a copy... I'm thinking like gmail or something.

        2. Copy important things to one of your two thumbdrives, and rotate them. Do it weekly. Buy new ones every year.

        3. Get some sort of system to do real backups, but this is probably complicated.

    • I feel like it's akin to leaving my wallet somewhere, with PINs written in sharpie on all my cards, not reporting the cards stolen, then being upset that someone cleaned out my account.

      It's more akin to you drawing up the tenancy agreement for your rental property yourself, then being upset that you're being screwed by your tenant, without legal recourse because your contract is full of holes. The message being: some stuff is complex, full of pitfalls and best left to the experts. Many people make what they feel are "proper" backups: weekly copies of their important files to a drive kept offline or even offsite. They might even have thought about the eventualities to guard against: fir

      • Of course once the ransomware hits, the weekly copy will get overwritten with the encrypted files...

        So there has long been a rule not to overwrite the most recent backups with the newest backup, but rather the oldest backup with the newest backup, primarily to avoid hardware failures. That rule now applies as a way to attempt to avoid this failure mode as well.

        But isn't it time for backup software to proactively watch for a ransomware infection? Backup software will by definition touch every file. Backup software typically tracks every file in order to enable incremental backups. Backup software typic

    • I used to think that way ... until I did get hit by a ransomware. I figured they got in via a vulnerability in Windows 7, since only my Windows 7 machines got hit. My Windows 10 and Server 2012R2 machines were not breached. I was lucky, I had backups and managed to recover without loosing anything significant, but still it took weeks to scramble and rebuild machines from images, some dated a while back, reapplying updates, etc... It was a huge wake up call, and I have since begun to harden security even
    • Don't give Anonymous any more stupid ideas (assuming they even still exist).
  • by CrimsonAvenger ( 580665 ) on Wednesday May 15, 2019 @02:18PM (#58597984)

    ...as to whether any of these aliased employees are the guys doing the ransomware?

    Be funny if it turned out they're getting the ransoms they demanded, plus a little extra by pretending to "fix" the problem....

    • by e3m4n ( 947977 )

      Sorta like symantec writing half the virus’ in the 90s while being the lead antivirus company. Sometimes it was just to habe an ‘extensive’ library of definitions. Other times im sure it was job security.

      • by sad_ ( 7868 )

        Sorta like symantec writing half the virus’ in the 90s while being the lead antivirus company.

        citation needed.

  • by slack_justyb ( 862874 ) on Wednesday May 15, 2019 @02:21PM (#58598012)

    For those who rode/ride the BitCoin train thinking "Oh yea, anonymous payments". You might be interested in this quip from the story.

    Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018, from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the U.S. Treasury Department, which cited sanctions targeting the Iranian regime.

    And this is something I've pointed out time and time again about BitCoin. You're anonymous to simple scans, but someone with enough fire power and time can absolutely track you down in BitCoin. The anonymous argument with the qualifier of "completely" is just a bunch of bull.

    • by bspus ( 3656995 )

      All it tells me is they did a piss poor job hiding their tracks. Shuffling the amount among a dozen addresses is not laundering by any means, except against amateurs.

      They could have signed up to an exchange that requires no KYC, deposit the bitcoin there (log in through tor) and withdraw it either in bitcoin again or preferable a different currency altogether, even on specializing in truly anonymous payments.

      But even they withdrew it in btc again, it would come from a different exchange address and would be

    • by gweihir ( 88907 ) on Wednesday May 15, 2019 @03:14PM (#58598424)

      Bitcoin is not even designed to be anonymous. I mean, every transaction is out there in the open, forever. The only "anonymity" you have is that your wallet is not immediately identifiable as yours, but that is it. Make one use of the wallet that can be traced to you and any anonymity you ever had is gone, retroactively.

  • What about security that does not suck, backups that work and putting everything important on a version control system? You know, the minimal measures anybody with half a clue already has in place?

    Sure, these people are criminals. But this is entirely a crime of opportunity, the victims here just have no sensible protection at all. But that, they create the criminal opportunity and are partially to blame for the problem. Of course, something as utterly stupid as _paying_ the criminals makes things massively

    • Of course, something as utterly stupid as _paying_ the criminals makes things massively worse.

      Making this illegal should be one of the first steps. Basically, you should treat an encrypted drive as a crashed drive or a fire. Paying a ransom should be prosecuted for what it is which is knowingly giving money to a terrorist organization. The penalty should be sufficiently large that it is never worthwhile to pay a terrorist's ransom demand. Something like a penalty of 10x what the data is worth to the company and/or actual "aiding and abetting a criminal" charges.

      • by gweihir ( 88907 )

        I agree. Completely. Usually, I am pretty much against making things illegal, but the people that pay harm others and that is just not acceptable.

  • Comment removed based on user account deletion
  • Comment removed based on user account deletion

As of next Thursday, UNIX will be flushed in favor of TOPS-10. Please update your programs.

Working...