Alliance of 40 Countries To Vow Not To Pay Ransom To Cybercriminals, US Says (reuters.com) 52
Forty countries in a U.S.-led alliance plan to sign a pledge never to pay ransom to cybercriminals and to work toward eliminating the hackers' funding mechanism, a senior White House official said on Tuesday. From a report: The International Counter Ransomware Initiative comes as the number of ransomware attacks grows worldwide. The United States is by far the worst hit, with 46% of such attacks, Anne Neuberger, U.S. deputy national security adviser in the Biden administration for cyber and emerging technologies, told reporters on a virtual briefing. "As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow," she said.
I hope they have offline backups (Score:1, Redundant)
Re:I hope they have offline backups (Score:5, Insightful)
That's why we need a law prohibiting paying the ransom, so that organizations will not pay it even when it's hard not to. They are funding the ransoming, and ensuring that it will happen more. They need to be funding security, not criminals.
Re: (Score:3)
Re:I hope they have offline backups (Score:5, Insightful)
It won't be the ransomware people that do it. It will be political organizations looking for street cred by massive data destruction attacks, orders of magnitude larger in scale than NotPetya. However, not even the craziest malware organizations want to go that route yet, because there is money to be made by data exfiltration, selling that data, ransomware, and extortion. They know that should data destruction even come on the map, it will be like the late 1990s when BIOS-wiping viruses hit the scene, which caused businesses to actually give a crap about AV software because their expensive PCs and their expensive monitors could be fried.
Overall, for most companies, it is cheaper to pay the ransom via a third-party proxy offshore than to keep backups or have decent security procedures.
Re: (Score:2)
Overall, for most companies, it is cheaper to pay the ransom via a third-party proxy offshore than to keep backups or have decent security procedures.
I thought about that. I think the only way to catch a company going against the laws would be if they had to disclose that they got hit by ransomware, but magically they got all their data back. And in regard to the price, it's actually best for ransomers to not ask for too much, because the higher the amount is, the more the company will spend on beefing up security.
Re: (Score:1)
If ransomers go away how will organizations learn that they need to beef up their security and even put more money into IT?
Cyber insurance requirements
Re: (Score:2)
Even with a law, that is very easily skirted around, to the point where a law would be a bad joke:
1: Company gets attacked by ransomware.
2: Company pays offshore consulting company the ransom + a fee for their trouble.
3: Offshore consulting company pays the ransom and hands over the decryption key. The offshore consulting company then brags about its ability to find decryption keys as plausible deniability.
4: Company can say and pinky-swear that they would never, ever pay a ransom.
5: ?????
6: !
Don't for
Re: (Score:2)
The more steps they have to go through to pay a ransom, the more likely it becomes that there will be a record, a leak, a whistleblower...
Re: (Score:2)
It doesn't really require that many steps. Just a CFO saying, "I'll take care of this", then saying "ABC Ransomware Smashers have gotten the decryption key."
Re: (Score:2)
I completely agree. We also need to mandate write-protected or offline backups for businesses above a certain size. The EU KRITIS initiative is working in that direction, at the moment by a "regulation light" type thing for businesses that are important for society to function.
Re: (Score:2)
Yep. Remember the old saying (very American too): "Millions for defense, not one penny for tribute!" Or something like that.
Re: (Score:1)
That's why we need a law prohibiting paying the ransom, so that organizations will not pay it even when it's hard not to. They are funding the ransoming, and ensuring that it will happen more. They need to be funding security, not criminals.
They're victims of a crime. Should it be illegal for bank tellers or people walking down the street being robbed to give them the money/jewelry/phone if threatened because then robbers will know it might work and propagate robberies? I assume you would begin making exceptions for things like hospital systems whose services are ground to a halt. That list would quickly get prohibitively long. I think the economic devastation that would be downstream from the massive number of orgs that could otherwise not re
75% do pay (Score:2)
Re: (Score:2)
Ultimately this is going to end up being a cybersecurity arms race. We are already seeing that now with more costly tools that supposedly reduce the impact while newer and creative workarounds come into play. Windows XP still being active nearly a decade after retirement doesn't help matters because many times what causes these systems to fall prey is that one stupid system that was never updated.
Re: (Score:2)
>>Ultimately this is going to end up being a cybersecurity arms race. We are already seeing that now with more costly tools that supposedly reduce the impact while newer and creative workarounds come into play.
Seems like an arms race where one side is practically unarmed. Cheaper/easier to roll the dice on getting hit than to do the preparation and testing required to make your system secure (or, at the very least, recoverable in a reasonable time frame).
Re: (Score:3)
It is easy to begin to believe users are the enemy. Back then I was introduced to the BOFH.
Re:75% do pay (Score:4, Insightful)
I've always thought that the solution is just to standardize on auto-snapshotting filesystems, with the deletion of snapshots to free up space requiring 2FA and perhaps physical locking mechanisms.
It wouldn't stop *everyone* from deleting their (uncorrupted) snapshots when presumably instructed to do so by ransomware, but it'd at least lead to thinking twice, and would stop the "mass, sudden everyone's-data-becomes-unrecoverable-at-once" attacks.
Re: (Score:3)
The ironic thing is that a lot of NAS appliances offer this functionality. However, in order for the bad guys not to just purge the snapshots, the NAS appliance needs to not allow its admin functionality to be controlled by the main directory, it needs 2FA, and ideally only a PAW (privileged access workstation) is used to access the NAS admin console, so malware on someone's daily-driver computer and account cannot leap to the PAW and thus access the consoles there.
Re: (Score:2)
I've always thought that the solution is just to standardize on auto-snapshotting filesystems, with the deletion of snapshots to free up space requiring 2FA and perhaps physical locking mechanisms.
It wouldn't stop *everyone* from deleting their (uncorrupted) snapshots when presumably instructed to do so by ransomware, but it'd at least lead to thinking twice, and would stop the "mass, sudden everyone's-data-becomes-unrecoverable-at-once" attacks.
The problem is, if the snapshots are stored on the same system, they can be vulnerable to the same malware attack. Backups need to be isolated off-site to be secure.
Re: (Score:2)
Not if the malware doesn't have the privileges to delete them. Privileges that could be locked down to the hardware level (not just the OS level, let alone the user level)
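The sub-thread above argues for snapshots that the protected host can create but not delete, with deletion gated by a separate authority (the NAS admin console, 2FA, a PAW). The following is an added example, not code from any commenter, that models that separation in Python: the store stands in for a backup appliance that holds an approver key the hosts never see, deletion requires a single-use, expiring token minted with that key, and a minimum retention window cannot be overridden even by a valid token. All names, the key material and the scenario data are constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


class DeletionRefused(Exception):
    """Raised when a snapshot deletion fails one of the store's checks."""


@dataclass
class Snapshot:
    snap_id: str
    created_at: float
    data: dict


class SnapshotStore:
    """Models a backup appliance separate from the hosts it protects.

    Hosts may write data, take snapshots and restore from them.  Deleting a
    snapshot needs a token minted with the approver key, which is held only by
    the appliance and the (offline) approver, never by a host.  Tokens expire,
    are single-use, and never bypass the minimum retention window.
    """

    def __init__(self, approver_key: bytes, min_retention_s: int, clock=time.time):
        self._key = approver_key
        self._min_retention_s = min_retention_s
        self._clock = clock          # injectable so scenarios can advance time
        self._live = {}              # current writable view of the data
        self._snapshots = {}         # snap_id -> Snapshot (read-only copies)
        self._used_tokens = set()

    # --- host-facing operations: write, snapshot, restore; no delete ---
    def write(self, path, content):
        self._live[path] = content

    def read_live(self, path):
        return self._live[path]

    def snapshot(self):
        snap_id = f"snap-{len(self._snapshots) + 1:04d}"
        self._snapshots[snap_id] = Snapshot(snap_id, self._clock(), dict(self._live))
        return snap_id

    def list_snapshots(self):
        return sorted(self._snapshots)

    def restore(self, snap_id):
        self._live = dict(self._snapshots[snap_id].data)

    # --- approver side: runs where the key lives, e.g. the PAW ---
    @staticmethod
    def mint_deletion_token(approver_key, snap_id, expires_at):
        msg = f"{snap_id}|{int(expires_at)}".encode()
        mac = hmac.new(approver_key, msg, hashlib.sha256).hexdigest()
        return f"{snap_id}|{int(expires_at)}|{mac}"

    # --- privileged operation, honoured only with a valid token ---
    def delete(self, snap_id, token):
        now = self._clock()
        try:
            tok_id, tok_exp, tok_mac = token.split("|")
        except ValueError:
            raise DeletionRefused("malformed token")
        expected = hmac.new(self._key, f"{tok_id}|{tok_exp}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tok_mac):
            raise DeletionRefused("bad signature")
        if tok_id != snap_id:
            raise DeletionRefused("token is for a different snapshot")
        if now > int(tok_exp):
            raise DeletionRefused("token expired")
        if token in self._used_tokens:
            raise DeletionRefused("token already used")
        snap = self._snapshots.get(snap_id)
        if snap is None:
            raise DeletionRefused("no such snapshot")
        if now - snap.created_at < self._min_retention_s:
            raise DeletionRefused("snapshot still inside retention window")
        self._used_tokens.add(token)
        del self._snapshots[snap_id]


def demo_compromised_host():
    """Constructed scenario: live data is overwritten and a purge is attempted."""
    clock = [1_000_000.0]
    store = SnapshotStore(b"constructed-approver-key", 7 * 86400, lambda: clock[0])
    store.write("/finance/ledger.csv", "q3,revenue,1200")
    good = store.snapshot()
    clock[0] += 3600
    store.write("/finance/ledger.csv", "ENCRYPTED")   # simulated encryption
    refused = 0
    for sid in store.list_snapshots():                # simulated purge attempt
        try:
            store.delete(sid, "forged|9999999999|deadbeef")
        except DeletionRefused:
            refused += 1
    store.restore(good)
    return refused, len(store.list_snapshots()), store.read_live("/finance/ledger.csv")


def demo_legitimate_deletion():
    """Constructed scenario: a real token still respects retention and is single-use."""
    clock = [1000.0]
    key = b"constructed-approver-key"
    store = SnapshotStore(key, min_retention_s=100, clock=lambda: clock[0])
    store.write("/a", "1")
    sid = store.snapshot()
    token = SnapshotStore.mint_deletion_token(key, sid, clock[0] + 500)
    results = []
    try:
        store.delete(sid, token)          # too early: inside retention
    except DeletionRefused as e:
        results.append(str(e))
    clock[0] += 200
    store.delete(sid, token)              # retention elapsed: allowed
    results.append(len(store.list_snapshots()))
    try:
        store.delete(sid, token)          # replayed token: refused
    except DeletionRefused as e:
        results.append(str(e))
    return results


if __name__ == "__main__":
    print(demo_compromised_host())
    print(demo_legitimate_deletion())
```

The point of the model is the one made in the thread: the code path a compromised host can reach (write, snapshot, restore) never includes delete, and the delete path checks the token, expiry, replay and retention in that order, so even a stolen valid token cannot shorten the retention window.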
Drone strikes (Score:2)
Ultimately this is going to end up being a cybersecurity arms race. We are already seeing that now with more costly tools that supposedly reduce the impact while newer and creative workarounds come into play
Missiles or extraordinary rendition might be a good addition to our cybersecurity toolbox. Take a few ransomware gang members out with extreme prejudice and make them look over their shoulders forever as an example to others. Sure, they will be safe in China or Russia, but make it very clear it will never be safe to leave.
Re: (Score:3)
I was in a BSides talk this weekend and I don't remember the source for this statistic but they estimate that 75% of ransomware victims do pay the ransom. It's generally sized to be a worthwhile payout but less than a complete disaster recovery expense. So generally speaking having the govt entities decide they won't pay will not stop anything, but it might drive private business to be more of a target.
You should do a full disaster recovery anyway - how could you be sure they hadn't left something malign behind? That said, for e.g. heavy industries getting the machinery up and running faster might still be worth it.
Backup [Re:75% do pay] (Score:2)
You should do a full disaster recovery anyway - how could you be sure they hadn't left something malign behind?
So, they would need to infect your system, then wait for one backup cycle before doing the ransom demand.
Re: (Score:2)
From far away, it seems like a law making it illegal to pay the ransom would be the way to go. Seems like a game theory problem to me. Each individual victim is better off paying, but collectively we're all better off if no one pays. I get that a few companies/nonprofits/individuals are going to suffer more than they would without such a law, but surely it wouldn't take long for criminals to move on to a different racket.
I can understand why there's not a similar law for paying kidnapping ransoms in the
Re: (Score:1)
Re: (Score:2)
There are whistleblower laws that give whistleblowers part of the fine that the government collects from companies for wrongdoings. In the case of something as binary as paying a ransom, how do you keep the individuals who work for you from blabbing, when they can easily prove that it happened and stand to collect enough money to never need to work again? It might be hard to enforce this with some small businesses, but my guess is that a one person plumbing business is unlikely to be targeted by ransomwar
Re: (Score:3)
" Seems like a game theory problem to me. Each individual victim is better off paying, but collectively we're all better off if no one pays."
Yes, the same with hostage takers: just kill everybody, the hostages included, and nobody will do the hostage-taker job anymore.
Same thing as when a hospital is attacked, just let the patients die, more important is that the boss shows principles and not paying.
So are they gonna prosecute Caesars Entertainment? (Score:2, Interesting)
This was a massive transfer of capital from an American business to a criminal organization and they did it for no reason. All they got for $30 million is a promise from a Telegram account. Caesar's ransom payment was not eth
Re: (Score:2)
So are they gonna prosecute Caesars Entertainment?
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
That was not ransomware in the traditional sense. This was social engineering that led to extortion. There is a huge difference.
Stupidity is not a crime. You can argue the people stealing the data were wrong...but this was not a brute-force or something off the 0Day CVE list. Ultimately you want to see one person who probably made an honest mistake go down for a mistake. You want to see a whole company go down for protecting themselves.
Punishing the innocent people is not the solution. You're either tellin
Re: (Score:2)
Don't you think the transfer of $30 million to a terrorist organization was probably already illegal under current laws?
It'll affect government agencies (Score:2)
It'll shrink an already competitive marketspace.
Also pledge to ban crypto payments (Score:2)
Re: (Score:2)
Oh yeah...because prohibition works. It really does. Look at all the laws we have that are obeyed by every single person. Look at how morally upstanding our corporations are.
Keep drinking that Kool-Aid.
Does it make any true difference? (Score:2)
Unless this becomes law and applies to everybody, it only applies to public IT infrastructure. It doesn't prevent private organizations from paying ransoms.
That We Know Of (Score:3)
A guy I know who is a 40-yr veteran of pipeline-industry logistics told me that his contacts said that USG paid close to $1B in ransom on behalf of the Colonial Pipeline when it was clear several days in that it would be weeks to restore.
And just two months into a new administration that's a bad look and could have become an economic calamity.
I don't know where the off-books Bitcoin came from, but assuming this happened on the down-low it's going to be known to the governments and criminals but not the press. Not sure that's a 360 win.
Re: (Score:2)
If you think that the economic effects would have been bad, consider how big of a PR disaster that would have been for the new administration. Guess which problem the politicians involved considered more important.
Change Of Policy (Score:1)
I remember when this started the policy was "we can't help you. just pay it". Now they want to stop it?
Should tell you how stupid our government is. You won't stop an unregulated market using unregulated "securities". Never. When it comes to the bottom line companies would rather pay the ransom if it was the lesser of the damage. I can't wait for large corporations to get ransomwared and the only legal recourse they have is to just eat the loss.
Hopefully there's enough corrupt people in government listening
I Got News For Them (Score:2)
That is the dumbest fucking thing I've ever heard. I guess they forget that when the countries that want to see us eliminated and dead know we're refusing to pay the ransom...then we will go back to the good ol' days of hackers just wiping out corporate systems without delay. Just wipe out the systems and be done with it.
They won't do a goddamn thing about the root of the problem and just go at the offshoots. Not going to work. You ban crypto and rather than trying to collect they will just destroy.
This is o
Re: (Score:2)
The problem is that if the bad guys do start doing data wiping, companies will actually start thinking about security. Ages ago, in the late 1990s, companies didn't care about viruses, until data wipers and viruses which would blow out monitors (which were expensive) and brick computers (also relatively expensive for the time) were commonplace. When that happened, companies went with AV software, ensured stuff came from stamped media or known sources, and actually worried about security for a bit.
The bad
MICROS~1 Windows Malware (Score:3)
Spend the money on backups! (Score:1)
Ransomware is business innovation (Score:2)
The true innovation of ransomware is that it has dispensed with this costly demand creation phase. They focus customer attention to immediately recognize the need for their product - the d
Problems (Score:2)
The problem with IT security and data is the low 'cost' of data: this means, economically speaking, prevention is not better than a cure. Ransomware will remain a profitable crime until that attitude disappears.
The more PII companies hold and are legally forced to hold, the more incentive criminals have to attack. This is a catch-22, trying to catch criminals (via tracking and data-matching) and monetize personal information, attracts criminals who also want to monetize that information.
International
Won't someone think of the starving hackers (Score:2)
Paying ransom should be illegal (Score:2)
Paying ransom to these hackers should be illegal. If it's illegal to pay ransoms, the hackers are likely to look for a company to hack that isn't subject to such laws.
As long as we don't label it ransom it's fine. (Score:2)