
US To Give Ransomware Hacks Similar Priority as Terrorism (reuters.com) 66

The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters. From the report: Internal guidance sent on Thursday to U.S. attorney's offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington. "It's a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain," said John Carlin, acting deputy attorney general at the Justice Department.

Last month, a cyber criminal group that the U.S. authorities said operates from Russia, penetrated a pipeline operator on the U.S. East Coast, locking its systems and demanding a ransom. The hack caused a shutdown lasting several days, led to a spike in gas prices, panic buying and localized fuel shortages in the southeast. Colonial Pipeline decided to pay the hackers who invaded their systems nearly $5 million to regain access, the company said.

  • by Anonymous Coward

    Cryptocurrency has only made it much easier for ransomware to work. Before they could only request depositing some money in a bank account located in some shitty country with poor rule of law somewhere.

    • Computer viruses that didn't ask for money have still done plenty of damage. Until they start giving all hacks at least the same priority as basic theft, trespassing, or vandalism, people are still gonna keep losing money on this shit one way or another.

      • Financial incentive does build up the scope and scale of attacks. It's probably not a good thing for most of us that writing malware is a viable career choice.

      • Well, it's now the same priority as "terrorism".

        So yeah, powerful disincentive. They won't be fearing a cop turning up threatening to take their fingerprints. They'll be fearing an anonymous security contractor in flip-flops and 3 day growth waterboarding them in an Egyptian black site.

    • Same argument could be made for credit cards or Paypal.

      • by rsilvergun ( 571051 ) on Thursday June 03, 2021 @04:43PM (#61451748)
        Not really. Credit cards and PayPal are both heavily regulated. Try doing some money laundering with either of them and you won't get very far. Most money laundering goes through regular Banks. Citi periodically gets caught assisting with money laundering and pays a small fine. But crypto makes it even easier. You don't have to worry about your bank occasionally catching you doing it and then everybody going to jail. As long as you're careful not to tie your name to a wallet you're pretty safe. And because there's so many cryptocurrencies you can layer them on pretty thick.
        • I suppose it depends on the level of laundering. If I keep putting cash into PayPal and claiming I'm doing side work it's fine. As long as I pay taxes on that income, which is the basis of laundering, they don't know if I am selling weed or collectible driftwood carvings.
          • As soon as you do it for more than a few bucks the feds will be knocking on your door. So yeah, your itty bitty weed service will be fine, but if you try to run a real weed business off it (or if you're, say a foreign power funneling money into American political campaigns) they'll catch you.
            • No joke, I was introduced to a woman who made Tamales the old world way. They got Medicaid, claimed my sister's kid as their own for earned income credit, and got EBT. She made $100k a year in cash selling tamales to day laborers and such out of a Dollar General next to a Greyhound station. She could have easily claimed it as PayPal income and paid taxes but then no EBT, EIC, and Medicaid. Not sure I would call 100k a year as itty bitty if someone used that ruse as a front for selling weed. What would the fe
        • by ArmoredDragon ( 3450605 ) on Thursday June 03, 2021 @05:52PM (#61451984)

          Actually in the criminal underworld, HSBC is THE place to go if you need to wash your money

          https://www.investopedia.com/s... [investopedia.com]

          They've been caught very blatantly participating in money laundering so many times that you'd figure they would have lost their charter in the US by now, but nope. They're too big to jail because they're too big to fall.

    • This from the website that used to post the DeCSS code in defiance of court orders.

      • by Anonymous Coward

        There's a big difference between violating copyrights, especially when you would have never paid for the crap in the first place, versus fucking over power plants, hospitals, etc. which affects society at large dumbass...

        • Bitcoin is fucking over power plants and hospitals? Ransomware is a symptom of bad security practices and Windows.

  • like that will really help! Maybe they should assign it to the VP problem solved.
  • by Archangel Michael ( 180766 ) on Thursday June 03, 2021 @03:38PM (#61451604) Journal

    When are we going to learn from our mistakes and start taking a proper approach to protecting our systems?

    Good IT is expensive. Bad IT is costly (-- We are here).

    1) Business systems should be running ONLY applications needed to do the job, and no others.
    2) Business systems networks should be isolated from operations networks. Air Gapped as needed
    3) Systems that need access in / out should be properly firewalled, including blocking entire countries/regions as needed.

    It is much easier to do nothing and pay the BITCOIN bills when they come in. But it isn't cheaper.

    • by aitikin ( 909209 ) on Thursday June 03, 2021 @03:43PM (#61451612)

      It is much easier to do nothing and pay the BITCOIN bills when they come in. But it isn't cheaper.

      It isn't cheaper in the long run. But in this quarter, where we haven't been ransomwared, it's way cheaper. That quarter over there 9 months down the road may very well be someone else's problem so why should I waste company money on preventing that quarter from having that issue when I may not even be here anymore.

      Yay MBA mentality!

      • Bingo! short term vision only
      • by Nehmo ( 757404 )

        It is much easier to do nothing and pay the BITCOIN bills when they come in. But it isn't cheaper.

        It isn't cheaper in the long run. But in this quarter, where we haven't been ransomwared, it's way cheaper. That quarter over there 9 months down the road may very well be someone else's problem so why should I waste company money on preventing that quarter from having that issue when I may not even be here anymore.

        Yay MBA mentality!

        backup, Problem Solved

      • Exactly, this quarter savings will generate a nice bonus for the decision maker, once the s. hit a fan, he/she will jettison on a golden parachute for a new position or a nice retirement.

        BTW, wasn't this Colonial Pipeline ransom only for their financial system, so that they were not able to charge customers, so they decided to stop pumping?

    • Colonial Pipeline was air gapped (as far as I know). It was their billing system that was hacked, so they turned off the spigot for fear of not getting paid. Two wrongs don't make a right, but they sure make a 50% spike in gas prices.

      • "billing system was hacked" a back end vendor to vendor billing system was connected to the public internet how? and why? A shining case of IT failure? or management designed failure? Who is running that company? Are they still running the company?
  • Let the world take note that Liechtenstein is fucked next time Russian hackers do something.
  • sounds fair to me....
  • It will be fought with equal success as the War on Terror in Afghanistan. Maybe we can stop leaking our own attack tools as a first step...
  • but couldn't be bothered to tell the affected companies because, well, other countries have the same vuls and we'd rather be able to hack them at our leisure than have those holes fixed, has led to a run-on sentence implying maybe, just maybe, the NSA really screwed the pooch on this one.

    But rest assured, nobody responsible will be held responsible, and any head that rolls will be those morons who hit the alarm but weren't high enough to actually make a difference.
  • The free market has found a comfortable equilibrium where insurance companies can help the so-called "victims" negotiate in exchange for a nominal subscription fee. This way, both parties benefit and grow, and the insurance industry employs more people. It's a win-win-win!

    Mewling liberal communists might try to claim that one side are "criminals", when really both sides have been incentivized by market conditions. We should celebrate the productivity of humanity with $, not criminalize it!

  • Drone strikes, CIA covert ops on the table now.

    • While I am not against Tomahawking the living hell out of these fucks, there is the small problem of them being on Russian territory. And cruise missiles violating their airspace might attract the professional interest of the Red Army.

  • Context (Score:5, Interesting)

    by ytene ( 4376651 ) on Thursday June 03, 2021 @04:55PM (#61451794)
    To a greater or lesser degree, this situation has been brewing since at least 2014... [ When Russia invaded Ukraine and annexed Crimea].

    Historically, before the breakup of the USSR into discrete states, there was a significant migration of ethnic Russians into what is now Ukraine and in particular the east of that country. Many living in Eastern Ukraine consider themselves Russians, not Ukrainians.

    After February 20, 2014 [the date of Russia's invasion] the West [the US and Europe] imposed a raft of sanctions on Russia. This has included limiting the abilities of wealthy, politically-connected Russians to get money out of the country, limiting the ability of Russia to purchase the technology to help them exploit arctic oil and other minerals and so on.

    If you look here [wikipedia.org], you can see that Russia's GDP is 11th in the world, behind Italy and Canada. In fact, based on GDP alone, Russia would no longer be eligible, for example, to be a member of the G8.

    Since 2014, Russia has been conducting multiple campaigns in an attempt to circumvent the sanctions. They make use of "Oligarchs" - i.e. puppets that are hand-picked and approved by Putin to be "fabulously wealthy" and trade internationally, with the thinking being that behind each of these puppets there is a route to get funds and goods past the sanctions line imposed by the west.

    But the other tactic that Russia has been engaged in, with growing tenacity, has been, for want of a better term, "mischief-making". Their concerted effort to undermine the mechanisms of government in the United States has been both extensive and wildly successful, beyond their wildest dreams. Whether you want to point to the relationship between Putin and former President Trump, or the way that Russia tried to inject hundreds of millions of dollars into Kentucky for Mitch McConnell [until the plan came apart at the last election] (see here [bloomberg.com]), or the ludicrous idea that Putin would allow Russian citizens to carry firearms and have a Russian NRA, or whether you want to point to the almost endless string of ransomware criminals, there's a pattern here.

    All of these initiatives are designed to harm the United States and her allies - particularly Europe. They are designed to fracture and break up alliances [witness former President Trump and his attacks on NATO]. They are designed to cause harm to western interests.

    There's a reason that so many of these cyber criminal gangs operate inside Russia with impunity. In fact, earlier this year security researcher Brian Krebs wrote an interesting piece [see here [krebsonsecurity.com] - though I'll concede I haven't attempted to find corroboration for his claims] that some of the most dangerous malware strains today have a "do not install" list that includes most of the former Soviet states.

    This is not by accident. Now, it's up to you whether you want to believe that this is because Putin and the Russian government are willing to turn a blind eye to the Russian organized cyber criminal gangs because they tacitly approve of the way the gangs attack the west, or whether you want to ratchet up the conspiracy theory to the idea that these "cyber criminal gangs" are in fact Russian government hackers... but there does seem to be a growing suggestion that ransomware is being supported, to a certain extent, by the current Russian administration.

    Of course, there's a huge problem with discussing and trying to understand what is going on here, which is simple. Neither Russia nor the United States are going to publicly admit that they are even now engaged in cyber warfare campaigns against each other. And with news of successful cyber attacks likely to be suppressed in Russia, we may not know if Uncle Sam is
  • THIS. IS. NOT. HARD! (Score:4, Interesting)

    by slashmydots ( 2189826 ) on Thursday June 03, 2021 @05:39PM (#61451936)
    Make it a felony to pay a ransom. Done. It ends. No more attacks in the US. They're not going to do it if there's a 0% chance of getting paid.
    • by ytene ( 4376651 ) on Thursday June 03, 2021 @06:13PM (#61452062)
      Unfortunately, I don’t think that would work, for two reasons:

      Firstly, you are treating the victims like the criminals. Not a great way to start.

      Secondly, in many cases, time is a critical factor. What if lives are on the line? What about all the hospitals and doctors’ surgeries that have been infected? Now what?

      Sadly, we’re all debating the consequences of having inherently insecure computer systems. If we are really serious about ending the threat of malware, we need a ground-up rethink on pretty much all our current OS platforms. A bitter pill, to be sure. But we simply won’t get to “secure” with our current infrastructure, because it is inherently impossible to do so.
      • Embarrassment is the cure. Let everyone in the chain of sloppiness have a permanent stain on their CVs, and their works, risk plans, and outcomes put up on public display for all to see. Names. Professional qualifications. Who approved. And who raised concerns. A lot of unqualified people are trying to wing it, by an iron fist on unnecessary/ just in case expenditures or adequate oversight. The same ones that think smoke alarms and fire safety is a waste of time. That attitude will change when they are incl
        • Embarrassment is the cure. Let everyone in the chain of sloppiness have a permanent stain on their CVs, and their works, risk plans, and outcomes put up on public display for all to see. Names. Professional qualifications. Who approved.

          And the institution that awarded all of them their MBAs.

        • by ytene ( 4376651 )
          Unfortunately, this too will not survive an encounter with human nature.

          The dual challenges it would face would be ignorance and arrogance. In some cases people are going to be too ignorant to understand the risks they are taking. Stop and ask yourself how many people today use a computer without understanding how it works.

          But by far the biggest problem here would be the number of people that do have a working idea of the risks and are still willing to play the odds. Fact is that far too many people wo
        • We tried that for about a decade. If anyone finds out you were hacked, it's a big embarrassment. Solution - don't let anybody find out.

          We tried it, and we discovered that disincentives to open discussion of threats is counter-productive.

          We don't have it all figured out yet, but we have learned that it works MUCH better when I can post for my counterparts at other companies "we got hit, but thankfully didn't have any significant damage because it was caught just in time. The bad guys got in through a rogue R

        • by dargaud ( 518470 )

          Embarrassment is the cure. Let everyone in the chain of sloppiness have a permanent stain on their CVs, and their works, risk plans, and outcomes put up on public display for all to see. Names. Professional qualifications.

          Then all the blame will fall on the understaffed, under-budgeted IT employees who had no time and/or formation to build a bulletproof network. And whose security measures were circumvented at the 1st opportunity by higher ups on 'special request'.

          • Incorrect. Ordinary overworked staff never get to see the risk plan, never get to vet recovery procedures, never get to sign and certify all is well. That is done at C-suite levels, and if they are listed on a stock exchange, higher than that. Often the execs will pay a consultancy firm to write these things and they sign that all boxes are ticked. Right now there is a game going on in Security. There is the big head of security (usually without expertise) then the Operational head of IT security who assumes A
            • by dargaud ( 518470 )
              I agree with the sentiment, but "We fired our IT staff, it was their fault" is so much simpler in practice... :-(
      • You aren't really jailing them for saving someone's life though. You're jailing them for putting those people's lives at risk in the first place.

        As it stands, nobody is held responsible legally for running critical infrastructure off an insecure and publicly-exposed network. As a side-effect, nobody is held responsible for feeding ransom money to criminals, either. I think slashmydots is actually correct. If you did make a felony of paying a ransom, you'd get the people high up the executive chain that

      • Being that careless about security and staff training should be illegal. Wait, isn't it? Isn't it negligence or something?
        • by ytene ( 4376651 )
          What about a scenario in which a zero-day is exploited to infect the organization you work for with malware. If you take the absolute line that permitting the compromise of your employer's systems is somehow criminally negligent, who is liable for this? You? The developer? The employer? The vendor of the compromised code? Is the law going to expect you to patch a vulnerability that nobody knew existed?
          • And what about the more statistically likely scenario that Cheryl from accounting opened a fake invoice PDF because she doesn't know what file extensions are.
            • by ytene ( 4376651 )
              But in your latest reply, we find the root of the problem.

              As you suggest, it might be “more statistically likely” for the scenario we are contemplating to be caused by operator error, but are you therefore suggesting that you are happy to impose a criminal penalty for human error?

              Perhaps more importantly, what about the minority of cases where the root cause of the problem is something other than lack of cyber training?

              I’d prefer that we didn’t turn this in to a circular deba
    • by vux984 ( 928602 )

      We could do this to stop all kinds of things. Just make it a felony to sell drugs. Just make it a felony to buy prostitutes. Just make it a felony to subvert elections! THIS IS NOT HARD!

    • by mark-t ( 151149 )

      There's not a zero percent chance, just a lower percent chance.

      Some people will definitely still pay, they just won't tell anyone about it.

    • It sounds simple, but it's not. What if it's an electric or water utility and a million customers have lost service? What if it's Jeppesen who provide navigation data for aircraft and all commercial air traffic is grounded? Or a hospital that has lost patient medical records. The problem is that some attacks can do tremendous damage.
  • This will fail. You can't track unreported events. You can't track ransoms paid. You can't track anything if it is not reported, and the incentive to not report is very high. Mandatory reporting, severe fines, and directorship disqualification/jail time is required. The cure is not to pay ransoms - to dry up their money. Mandating quality software would be a start, and punishing vendors who 'sat' too long before acting. None of 'let's prioritize these critical CVEs bullshit'. None of head in sand shot saying
  • by Anonymous Coward

    That must mean that they're going to fund them, give them weapons, and call them allies, until they no longer want to do America's dirty work, then they'll become terrorists and need to be wiped out?

  • Elevating the status of this is not the same as giving them a dose of their own medicine. Another case of the government talking instead of doing.
  • We need to turn the hackers on Putin: Offer a presidential pardon and US citizenship (via National Interest Waiver) to anyone who can prove they hacked Putin and got at least $1,000,000. Sign this petition. [chng.it]
