UK To Ban Public Sector Orgs From Paying Ransomware Gangs (bleepingcomputer.com) 50

The United Kingdom's government is planning to ban public sector and critical infrastructure organizations from paying ransoms after ransomware attacks. From a report: The list of entities that would have to follow the new proposed legislation includes local councils, schools, and the publicly funded National Health Service (NHS).

"Ransomware is estimated to cost the UK economy millions of pounds each year, with recent high-profile ransomware attacks highlighting the severe operational, financial, and even life-threatening risks. The ban would target the business model that fuels cyber criminals' activities and makes the vital services the public rely on a less attractive target for ransomware groups," the UK government said.

"We're determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change. By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware," Security Minister Dan Jarvis added.


Comments Filter:
  • Hopefully they will also require people to make backups, and not expose internal services on the internet (i.e., put it behind a VPN or something).
    • Offline backups. In most recent ransomware attacks the attackers have also attacked and encrypted or destroyed the backup systems. If you use your cloud's systems for immutable backups you have a decent chance, but actual regular offline backups on tape or even just USB hard drives will give you a much, much better chance.

      • And restore them regularly. You don't have a backup if you haven't tried restoring it.
        • by mjwx ( 966435 )

          And restore them regularly. You don't have a backup if you haven't tried restoring it.

          A backup isn't done until it's tested.

          • A backup isn't done until it's tested.

            Great comment. It also won't be done in most situations if it isn't somehow automated. It also (quite likely) won't survive if it isn't offsite.

      • by Rei ( 128717 )

        Offline backups are of course a very good thing, but even some simple things would greatly reduce your need to ever have to use them. For example, having your fileserver use a snapshotting filesystem and not run any remote-access tools (such as SSH), so snapshots can only be deleted in-person. Unless the hacker has a zero-day exploit for e.g. NFS or the server's operating system, that's a pretty safe setup.

        Again, you still want offline (and off-site!) backups on top of that, but that's really something th

        • Given how absolutely terrible motherboard vendor software support tends to be (both timeliness, existence, and quality of firmware and BMC updates, and any of the awful OS-level utilities they provide) I'd be deeply unnerved at the thought of bringing them any further into the process; but you could probably get a lot of the same benefits by taking advantage of the fact that hypervisor support can be pretty safely assumed even on consumer tier hardware of late.

          A sufficiently sophisticated attacker could p
        • You don't even need to go into the motherboard. You could build a drive with a toggle switch that has 'backup mode' and 'admin mode.'
        • Largely agree, but two problems here

          1) If your office burns down (flood / earthquake / war etc) you are only left with what is offsite
          2) if your ransomware starts encrypting everything in the right way with a key held in memory (and restored on demand by them for as long as they want to hide) for long enough they can manage to get the data stored in your backups to be encrypted.

          I think we should probably separate three things

          - the archive system, which allows recovery of the other systems by storing time b
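A restore drill of the kind the "you don't have a backup if you haven't tried restoring it" subthread calls for (back up, restore into an isolated directory, verify every file against a manifest), with a rough entropy check for the "data was already encrypted when it reached the backup" scenario raised in the last reply. This is an added example, not code from the thread; the sample files, the 7.5 bits-per-byte threshold and the tar.gz format are constructed assumptions.

```python
import hashlib
import math
import tarfile
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, random-looking data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 of every regular file, recorded at backup time."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src and return the manifest it should restore to."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_and_verify(archive: Path, manifest: dict, entropy_limit: float = 7.5) -> dict:
    """Restore into a throwaway directory and check every manifest entry.
    high_entropy flags restored files whose bytes look random, a crude sign
    that the content was already encrypted when it was backed up (assumed threshold)."""
    report = {"ok": 0, "missing": [], "mismatched": [], "high_entropy": []}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # refuse path-traversal members
            except TypeError:  # Python without extraction filters (older 3.x)
                tar.extractall(dest)
        for rel, digest in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_of(restored) != digest:
                report["mismatched"].append(rel)
            elif shannon_entropy(restored.read_bytes()) > entropy_limit:
                report["high_entropy"].append(rel)
            else:
                report["ok"] += 1
    return report


def run_drill() -> dict:
    """Constructed sample: a text file, a random-looking file, and a manifest entry for a file the backup never captured."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "fileserver"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("quarterly report draft\n" * 50)
        (src / "docs" / "looks_encrypted.bin").write_bytes(bytes(range(256)) * 16)
        archive = Path(tmp) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        manifest["docs/never_backed_up.txt"] = "0" * 64  # constructed silent gap
        return restore_and_verify(archive, manifest)
```

Running the drill on a schedule and alerting on any non-empty missing, mismatched or high_entropy list is the automation the later replies ask for; the entropy heuristic will also flag legitimately compressed or encrypted-at-rest files, so tune the threshold per data set.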

    • Yeah, if you're banned from paying it only makes sense together with legislation requiring minimal security standards like backups, offline storage etc. If ransomware encrypts your crucial systems (and you have no backups) and you aren't allowed to pay, then your only other options are to rebuild everything from scratch, which will likely be a lot more expensive and cause massive service disruptions, or cease operations altogether (and since the law is targeted at "crucial infrastructure organizations", not

      • Yeah, if you're banned from paying it only makes sense together with legislation requiring minimal security standards like backups, offline storage etc. If ransomware encrypts your crucial systems (and you have no backups) and you aren't allowed to pay, then your only other options are to rebuild everything from scratch, which will likely be a lot more expensive and cause massive service disruptions, or cease operations altogether (and since the law is targeted at "crucial infrastructure organizations", not really an option). On its own, the most likely outcome is that people will just stop reporting ransomware attacks and/or start hiding ransom payments as other expenses.

        If you make it illegal to pay ransomware, what is the business model?

        Now we speak of backups and backup testing. It is utter lunacy to not have backups, and people/companies have been following that bit of idiocy since forever.

        Finally, does anyone still use tape backups and more? I'm curious, since I never had a successful restore from tape.

        • by Tx ( 96709 )

          Finally, does anyone still use tape backups and more? I'm curious, since I never had a successful restore from tape.

          Funny enough, I just read And now for our annual ‘Tape is still not dead’ update [theregister.com] about the continuing development of LTO tape systems, with LTO-10 coming out shortly with 36TB capacity, so someone's using them :D.

          • Wow, this quote from the article:

            software platforms Phil Goodwin offered similar sentiments. “Continued growth in LTO tape shipments shows the important role...

            Apparently the market for tape is growing.

            • Wow, this quote from the article:

              software platforms Phil Goodwin offered similar sentiments. “Continued growth in LTO tape shipments shows the important role...

              Apparently the market for tape is growing.

              I hope they have it working better. Granted, I'm just going off of personal experience, but I switched our department over to Time Machine after failed tape restorations. IT guys shrugged their shoulders, and I had to reconstruct as much as possible from everyone's desktop computer.

              • Common story. I wonder if tape backups are used only because of some regulation somewhere, like fax machines.
                • Common story. I wonder if tape backups are used only because of some regulation somewhere, like fax machines.

                  My guess is that they have the advantage of a huge amount of backup possible. Certainly when I was dealing with the issue, drives weren't keeping up with data.

          • Finally, does anyone still use tape backups and more? I'm curious, since I never had a successful restore from tape.

            Funny enough, I just read And now for our annual ‘Tape is still not dead’ update [theregister.com] about the continuing development of LTO tape systems, with LTO-10 coming out shortly with 36TB capacity, so someone's using them :D.

            I mean, I suppose that for volume, tape has an advantage, just mount a bigger spool of it. I don't think I would bet the farm on it though.

        • by davidwr ( 791652 )

          If you make it illegal to pay ransomware, what is the business model?

          The business model becomes "wreak havoc on companies that are prohibited by law from paying up, to send a message to other countries to not pass such laws" followed by attacks on companies in those countries, accompanied by a "we've got a deal you can't refuse" ransom-payment offer.

        • by _merlin ( 160982 )

          You must have had bad tape backup systems. I've seen multiple successful restores from backup tapes.

      • by Rei ( 128717 )

        It's a Prisoner's Dilemma. It's to an individual organization's best interests to pay, but it's to the government as a whole's best interests that nobody can pay, to reduce the incentive to infect their systems in the first place.

      • If you are banned from paying, just hire a third party consultant for the price of the ransom + something on top of that. The third party pays the ransom, the main company has plausible deniability and can state they never would pay anything. If there is an audit, just feign surprise that the third party did that, and that would be the end of the investigation.

      • by DarkOx ( 621550 )

        Exactly!

        Note this about the public sector, which is a little different in that there should be a lot more transparency, and that would make not reporting and illegally paying much more difficult (well you'd hope) but in the more general case yes telling people they can't pay just creates perverse incentives.

        The way this stops is when governments treat these incidents as the acts of terrorism they are. If some foreign gang showed up and burned down/bombed something like a hospital, bank, municipal governmen

    • Re:Hopefully (Score:5, Interesting)

      by v1 ( 525388 ) on Wednesday July 23, 2025 @08:32AM (#65538962) Homepage Journal

      Years ago, "protection rackets" used to be a much bigger problem, often leveraged by the mob. Vinnie would stop into your shop and "make you an offer you couldn't refuse". Pay them monthly "protection money" or goons would come by and smash up your business.

      There's a very clear parallel between that and "ransomware" of today. Instead of smashing up your shop, they smash up your computer system. But they do it in a way that they can fix, IF you pay. So the threat comes AFTER the damage instead of before. But otherwise it's the same thing, it's just a reverse "godfather offer".

      It's also got lots of additional benefits for the attackers - it's hard to trace, and easy to do remotely, even from another country. It's very convenient and low-risk for them. So the law needs to approach this from the receiving end, not the sending end, to choke it off. A bit like bribery, it's illegal to OFFER a bribe, but it's equally illegal to ACCEPT a bribe.

      It pisses me off every time I see a big outfit pay off ransomware gangs. "one big job" pays their bills and hackers for another six months, AND fund them to upgrade all their hardware and support systems, so they become a MUCH bigger threat for the rest of us. You are funding a criminal organization that is harming the public.

      "But my business was crippled, we had no choice, we were going to go bankrupt!" What happens when your business burns to the ground because you didn't install sprinklers? You go bankrupt. That's what I expect you to do. You made your bed and now you get to lay in it.

      So let's flip the script. Vinnie walks up to you as you watch the flames and says hey bud, if you loan me $20k I'll organize a bank heist and rob that little bank over there and your cut will be big enough to rebuild your business. Deal? So you consider funding a criminal gang to help you recover from the consequences of your own bad choices, in a way that will end up harming others. Is that legal? Of course not. It's also incredibly selfish of you, and you're transferring your (well-deserved) problem to some other random innocent people. You'll be indirectly responsible for the damage they do, but you'll just turn a blind eye to that since you get your business back. You had no choice, right? You HAD to pay them off, right? Just keep telling yourself that.

      Paying off ransomware groups absolutely should be illegal.

  • by shilly ( 142940 ) on Wednesday July 23, 2025 @06:59AM (#65538868)

    It's all very well to push this, rather like "we do not negotiate with terrorists". But the damage that cyberblackmail can inflict is much larger than almost any terrorist attack. What are ministers going to do when a cybergang takes down the path lab messaging system (again), or an even worse attack on a hospital system, and the choice is quite literally between paying the ransom and people dying? Of course, public services should harden against attacks as much as possible, including offline backups etc, but it's an arms race and prone to human failure and budgets are inevitably limited and the gang only has to win once to win big. Plans need to be rooted in realism, and I'm not convinced this position can be sustained in the circumstances of a major attack.

    https://www.bmj.com/content/38... [bmj.com]

    • So what you're saying is we have a risk that can't be closed in one way (paying), so we need to manage it by closing it a different way (backups / business continuity plans).

      Hardening is the wrong approach. Step 1 is to have a disaster recovery plan, step 2 is to invest in preventing the disaster.

      • by shilly ( 142940 )

        I’m saying the risk can only be partly mitigated, and mitigation involves multiple actions, not one alone. Backups & BC plans and DR plans are all helpful but it would be foolish to think they are going to entirely prevent the risk of a successful ransomware attack. And by “hardening”, I meant everything that reduces the chance of an attack being effective, so that would include BC/DR (but of course also preventative actions such as anti-phishing, security training for staff, reducing

        • by shilly ( 142940 )

          I suspect you may have thought that by hardening, I meant “harden your heart” or “take a hard-headed approach of refusing to pay”. I didn’t. I meant the technical sense of “make the attack less likely to succeed” which includes both prevention and mitigation.

          • by tlhIngan ( 30335 )

            I suspect you may have thought that by hardening, I meant “harden your heart” or “take a hard-headed approach of refusing to pay”. I didn’t. I meant the technical sense of “make the attack less likely to succeed” which includes both prevention and mitigation.

            It also means hardening the humans using the system. Ransomware attacks are generally targeted at humans. If it means more phishing tests to inboxes, and remedial training for those who consistently fail, so

        • My point is the goal shouldn't be to prevent. The goal should be to have continued business operations even with an ongoing ransomware attack. This is what that kind of policy is promoting. Backups + business continuity plans.

          I'm reminded of DHL during the NotPetya attack on the logistics world. They stopped processing packages. But... they had to rent entire warehouses in Rotterdam to store parcels which were coming. How were parcels coming when logistics companies were down? Well because the Port of Rotte

      • So what you're saying is we have a risk that can't be closed in one way (paying), so we need to manage it by closing it a different way (backups / business continuity plans).

        Hardening is the wrong approach. Step 1 is to have a disaster recovery plan, step 2 is to invest in preventing the disaster.

        Why not all three? There are more nasty actors than just ransomware. Some of them want your data, but don't want you to know they have it.

    • It's all very well to push this, rather like "we do not negotiate with terrorists". But the damage that cyberblackmail can inflict is much larger than almost any terrorist attack. What are ministers going to do when a cybergang takes down the path lab messaging system (again), or an even worse attack on a hospital system, and the choice is quite literally between paying the ransom and people dying? Of course, public services should harden against attacks as much as possible, including offline backups etc, but it's an arms race and prone to human failure and budgets are inevitably limited and the gang only has to win once to win big. Plans need to be rooted in realism, and I'm not convinced this position can be sustained in the circumstances of a major attack.

      https://www.bmj.com/content/38... [bmj.com]

      Then pay up and shut up is the answer. Maybe cut to the chase, contact the ransomware thieves and pre-pay them whatever they want, kind of like Mafia protection money, and make it a cost of doing business.

      What is the business model for the bad guys if you won't pay? If it is illegal and you pay, you become the bad guy too.

      • One thing to remember is that, depending on the attacker and the details of the attack, it's often the case that paying also doesn't allow a particularly quick restore (even if you are doing the crazy risky thing of just slapping what got owned back into production and calling it good).

        Some threat actor groups are pretty sophisticated in offensive operations; but the quality of their decryptor tools and the 'support' side of the equation is often pretty variable; and, no matter the tools, the logistics of
        • by shilly ( 142940 )

          Totally agree. Prevention remains better than cure. But you need robust escalatory paths for when things do go tits up

        • One thing to remember is that, depending on the attacker and the details of the attack, it's often the case that paying also doesn't allow a particularly quick restore (even if you are doing the crazy risky thing of just slapping what got owned back into production and calling it good).

          The restored data probably has some interesting things added to it for future money opportunities. Less impediments to getting into the data for the next opportunity.

          And that's the thing about paying ransoms which are just blackmail. It isn't just a one time thing. If you pay up once, you'll get to pay up many times. https://www.hipaajournal.com/t... [hipaajournal.com] https://securityboulevard.com/... [securityboulevard.com]

          So if the idea is to pay the threat actors, just something that is a CODB, better be prepared to keep paying. And ke

      • by shilly ( 142940 )

        If you are the CEO of a hospital system, you may be the bad guy if you pay, but you may be a lot more damned if you don't, especially if it leads to patient harm and death. That's the point I was making. These issues don't have easy answers, and the government's policy seems to me like a hankering for an easy answer

        • by malkavian ( 9512 )

          It's a hard answer. By stating "You will categorically not be paid if you try to ransom us", you're cutting out the part of organised crime that does stuff for a profit. There will be no profit in attacking a hospital. They will not pay, and you'll take an awful lot of heat for no return (and potentially be liable for any deaths that occur if they eventually catch you, increasing the sentence that's meted out to you).

          However, there is still the vulnerability to politically motivated attacks, so safety s

    • And you have a big mess restoring and recovering the data. A bunch of people have to come back in for tests.

      Eventually money gets spent setting up better backup systems. It takes about 10 or 20 years because government contracts are filled with nepo babies and corruption and nobody ever wants to eliminate those things because we tend to get distracted by shiny objects and moral panics. But it does eventually get done.

      The biggest problem with government systems is that like any system they eventually
  • Instead of locking machines, find databases and encrypt all the data. Then, find and delete or corrupt backups.

    Regardless of what the law says, losing access to all records would force companies to pay up.

    No one cares about devices because they can be reprovisioned fairly quickly, but data is priceless.

    • Why not go scorched earth? If you can destroy/ encrypt databases, you can probably destroy the systems used to access them while you're at it.

  • Having backups, and having tested backups is pretty much what everyone has.
    The critical thing that people are finding is the metric to follow with Ransomware attacks is the Recovery Time for the entire estate. Not one system, but potentially hundreds of interlinked systems that all fail catastrophically at once.
    That can take weeks of forensics to work out what's happened (and needs to be done before you can make an effective recovery, otherwise you may find you're back at still being compromised and ransom

  • So now they will pay consulting fees to gangs to restore their data.
  • Which worked out really well so we have high hopes of this working. /s

    • "See how banning crime worked for you, lol" isn't quite false; but it's not really a terribly good analogy in this case. Banning stabbing is more of a parallel to banning cyberattacks; and obviously both of those bans neither prevent stabbings nor prevent cyberattacks.

      This is an attempt to change the incentives: on the org side by removing "just pay up" as an implicit alternative to "do better DR", and hopefully getting IT more attention for security and DR work; and on the attacker side by creating a gr
  • There will be a popular reaction that goes like "But think of all the damage that will be done when the school/hospital/whatever doesn't pay the ransom!".

    Get real. Continuing on the current path of paying ransoms will only lead to a death spiral where attacks become ever more common due to it being so lucrative. The _only_ solution is to eliminate the source of profits, regardless of the short-term consequences.

  • Why would they restrict this policy to public sector organizations when extortionists get the bulk of their money from the private sector.

  • This will kill the ransomware insurance market for the affected sectors. That's probably intentional.
