Don't pay the ransom, mate. Don't even fix a price, say Australia's cyber security bods

Most online attacks could be easily avoided by following basic cyber security advice, Australia’s national cyber security bureau has said – even as it warned that the impact and severity of things like ransomware attacks are getting worse and worse. “Cybercriminals follow the money,” said the Australian Cyber Security Centre ( …

  1. Anonymous Coward

    Sacrifice your business for the "greater good" says the Australian Cyber Security Centre.

    Great (after the horse has bolted) advice, until your future is on the line.

    Followed by FUD: "...but the keys to decrypt the data were not provided". Really. What possible logic are the hackers following if they don't claim the ransom? And even if it does happen, the ratio between that and keys being provided would be useful (e.g. 1%) so businesses could make an actual informed decision, based on facts rather than the ACSC (who will be telling you next that back doors are for your safety).

    Bottom line, get real security advice from non-government affiliated organisations. Likewise for business advice. Especially in Australia.

    1. Anonymous Coward

      Saying "While there have been a couple of anecdotal exceptions, 99% of those who pay the ransom received the keys and decrypted their data" doesn't fit the narrative he's trying to push, so he works with what he's got...

      1. Anonymous Coward

        It's called misinformation.

        Governments do that. All the time.

        If you knew the truth, you'd vote differently.

        1. A.P. Veening Silver badge

          If you knew the truth, you'd vote differently.

          Yup, with aimed lead instead of pencil and paper.

    2. dajames Silver badge

      "...but the keys to decrypt the data were not provided". Really. What possible logic are the hackers following if they don't claim the ransom?

      I suspect that if I were an opportunist malware writer after a quick profit I would concentrate on writing malware that scrambled a user's files and extracted money. I probably wouldn't pay too much attention to the tricky business of restoring the data after payment as I wouldn't be anticipating much "repeat business" from that "customer".

      Of course, if I were anticipating a career in junking people's data on a regular basis then I would want to have a good reputation for "after-sales service" -- but are criminal scumbags so forward-looking?

      1. Anonymous Coward

        @dajames

        "...are criminal scumbags so forward-looking?"

        Are you serious? Do you know so little about the motivation of these people?

        It's a £19 billion a year business, according to Computing, £200M of which is paid by British businesses.

        1. Allan George Dyer Silver badge
          Pirate

          There's room for different strategies among the criminals... the ones looking for a stable, long-term criminal income diligently provide the restore keys for victims that pay, and build a reputation. This provides an opportunity for "cowboys" that just trash the data and take the ransom, effectively feeding off the "reputation" of the "honourable" criminals.

          A plague on both their houses.

      2. Bitsminer

        yes, ransomware hackers do provide customer support

        https://www.theregister.com/2015/05/20/teslacrypt_ransomware_scam_dissected/

        The chutzpah of the crooks knew few constraints. They took on the role of tech support staff, resolving problems they were instrumental in creating.

      3. martynhare
        Thumb Up

        Yes and so are the anti virus companies who make enhanced decryption tools you can buy using the keys the criminals provide. Both sides of that battle WANT criminals to honour decryption so that everybody wins. What is even funnier is that infosec professionals get easy low-hanging fruit knocking on their doors wanting to be certified as being less likely to get owned as a result. Outsourced IT tech support even loves it because “user induced damage” is routinely excluded from contracts and that includes users running malware.

    3. DS999

      If your business really is that incompetently run that you don't have any backups, then you have no choice but to pay the ransom and hope. If you do have backups, even if that takes a little longer, you should definitely use those rather than pay the ransom.

      Not "for the greater good" (though that's true as well) but for your own good. If someone gets a business to pay a ransom, OF COURSE they are going to go back and hit that same business again! You find a sucker who is willing to pay up, you will hit them again and again - and for more money each time - until they wise up.

      1. sanmigueelbeer Silver badge

        If your business really is that incompetently run that you don't have any backups, then you have no choice but to pay the ransom and hope. If you do have backups, even if that takes a little longer, you should definitely use those rather than pay the ransom

        Australia's Toll Holding got hacked. Twice. In two months.

        If I was to believe the murmurs from the industry, Toll Holdings was downsizing and outsourcing their IT to India, starting from January 2020.

        The CIO parted with Toll Holdings not long after the second ransomware incident.

      2. JimboSmith Silver badge

        That is unless the ransomware has quietly been encrypting your backups (as well) for a while before you know anything is wrong. If you don't regularly check them you could find those are kaput too.

  2. Peter Clarke 1
    Coat

    Don't pay the ransom.

    Until he gets your data from the other side. Aahhh- Ahhhh Oohhh Ahhh Ahhh.

    I spotted what you did with the headline :)

    1. David 132 Silver badge
      Thumb Up

      Re: Don't pay the ransom.

      As did I, but you were just a little faster than I. Traveller, did you get here from Ship to Shore, or by Spanish Train?

      1. K.o.R

        Re: Don't pay the ransom.

        Got held up at the borderline.

        1. The Oncoming Scorn Silver badge
          Pint

          Re: Don't pay the ransom.

          I presume by a Lady in red, known to frequent in a little place I've found down by the quay.

          Her name is Patricia, she calls herself Delicia and the reason isn't very hard to see.

    2. BenDwire Silver badge
      WTF?

      Re: Don't pay the ransom.

      That really was a dreadful album! But without it the excellent "Part Troll" by Bill Bailey would never have happened ...

  3. Efer Brick

    Couple crates of fossies and a few dozen snags

  4. a_yank_lurker Silver badge

    Security Practices

    Good security practices are critical to avoiding ransomware and mitigating its effects. But often the 'advice' says not to open files attached to emails, etc. which is impossible to do for most workers. It's not uncommon for me to get an email attachment from an internal colleague. Now if you are in accounting and sales you have a much greater chance of receiving a legitimate attachment from an external source (bids, invoices, etc.) that are necessary for the business to run. These attachments have to be opened. So I am given idiotic advice that says I cannot do my job because some moronic 'expert' says never open an attachment, etc.

    One scenario that requires minimal social engineering is to pose as a business trying to set up a business account with a company. The company will require financial and trade information to verify before approving the account. It is rather common to send this information via email as an attachment. And obviously, for it to be reviewed, the attachment has to be opened.

    1. StrangerHereMyself

      Re: Security Practices

      Most of these attacks could be easily mitigated by giving most users a Limited Windows Account, which doesn't allow for the installing of software. But there are always a few vulnerable people in the organization (managerial level) who demand full control, and who in addition will deny any wrongdoing.

      1. Anonymous Coward

        Re: Security Practices

        Microsoft have fucked us over with that already: you used to be able to limit executables to run only from secured locations, but in the name of the 'cloud' and being 'agile' (aka we want to update whenever we like and bypass your restrictions), we will install in the home directory of each and every user and install updates there. Even if you do system installs in Program Files, we will just copy it to the user's directory on first run. Block executing there and the software will not run, as we are retards.

    2. Blackjack Silver badge

      Re: Security Practices

      Why aren't e-mail clients sandboxed by default? It's not that hard and it would prevent a lot of malware. Plus blocking any links you get by e-mail and any scripts would work too.

      1. Anonymous Coward

        Re: Security Practices

        What good are sandboxes anyway (remember Java)? They'll just use an escape or escalation exploit from the go. All they need is a toehold and they can do that by impersonating a colleague or client.

    3. Richard 12 Silver badge
      Facepalm

      Unsolicited is the key word

      If you are not expecting the attachment from that particular sender, then DO NOT OPEN IT.

      If you aren't expecting a link from that sender, then DO NOT CLICK IT.

      If some random person sends an unexpected invoice, do you pay it?

      Of course not. You don't pay invoices unless you actually engaged the supplier, and it matches the PO. If you never engaged them, you don't open the attachment.

      On top of that, invoices are in a defined format, usually PDF. A company can specify that format. Thus anything that isn't a PDF is not an invoice, and so must not be opened.

      That does make me think that perhaps all non-PDF attachments and cloudy links should be removed from all external incoming beancounter emails?

      1. gsej0

        Re: Unsolicited is the key word

        This is dangerous advice - many people will assume that if they do know (or think they know - it's easy to spoof the from address of an email) the sender, then it's ok to open.

        1. Anonymous Coward

          Re: Unsolicited is the key word

          Plus PDFs HAVE been used as a malware vector in the past, and escalation exploits ARE a thing.

          1. Richard 12 Silver badge

            Re: Unsolicited is the key word

            JPEGs have been used as an attack vector in the past too.

            It is however much easier to defend against the remaining 5% of attacks when 95% of them have already been blackholed automatically.

            1. Charles 9 Silver badge

              Re: Unsolicited is the key word

              Not really. Edge cases don't stay edge cases, and what was 5% yesterday can easily become 95% tomorrow. Miscreants who have been around for a while tend to be very agile.
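The argument above between "only accept PDF invoices" and "PDFs and JPEGs have been attack vectors too" comes down to one practical point: an attachment gate has to decide on what the bytes are, not what the filename claims, and a file that really is a PDF still needs a look inside for active content before a beancounter opens it. The following is an added example, not code from the article or from any commenter, of such a triage step in Python. It sniffs the real type from magic bytes, blocks executables and extension/content mismatches outright, and quarantines PDFs that carry /JavaScript, /Launch, /OpenAction and similar names, including the `#xx` hex-escaped spellings (e.g. `/J#61vaScript`) used to hide them from naive keyword scans. The sample attachments are constructed inline; the accepted-type set, the risky-name list and the verdict labels are this example's choices, not a standard.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Magic-byte signatures: what the file actually starts with, regardless of
# the extension the sender chose for it.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),                            # also OOXML (.docx/.xlsx) and .jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc/.xls, macro-capable
    (b"MZ", "pe"),                                     # Windows executable / DLL / .scr
]

# Extensions that legitimately belong to each sniffed type (example mapping).
EXTENSIONS = {
    "pdf": {"pdf"},
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "ole": {"doc", "xls", "ppt"},
}

# PDF name objects that turn a document viewer into an execution engine.
# /OpenAction and /AA are sometimes benign, hence "quarantine", not "block".
RISKY_PDF_NAMES = [b"/AA", b"/EmbeddedFile", b"/JS", b"/JavaScript",
                   b"/Launch", b"/OpenAction", b"/RichMedia"]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def _unescape_names(data: bytes) -> bytes:
    # PDF syntax allows /J#61vaScript as a spelling of /JavaScript; undo the
    # escapes first so that trick cannot hide a keyword from the scan.
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_risky_features(data: bytes) -> list[str]:
    """List the active-content names present in a PDF (after de-obfuscation)."""
    text = _unescape_names(data)
    found = []
    for name in RISKY_PDF_NAMES:
        # The name must end at a delimiter so /JS does not match /JSX etc.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9_])", text):
            found.append(name.decode())
    return found


@dataclass
class Verdict:
    action: str   # "allow", "quarantine" or "block"
    reason: str


def triage_attachment(filename: str, data: bytes,
                      allowed: frozenset = frozenset({"pdf"})) -> Verdict:
    """Decide what to do with an external attachment before anyone opens it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    if kind == "pe":
        return Verdict("block", "Windows executable, whatever it is called")
    if kind not in allowed:
        return Verdict("block", f"content type {kind!r} not accepted from external senders")
    if ext not in EXTENSIONS.get(kind, set()):
        return Verdict("block", f"extension .{ext} does not match content ({kind})")
    if kind == "pdf":
        risky = pdf_risky_features(data)
        if risky:
            return Verdict("quarantine", "PDF contains active content: " + ", ".join(risky))
    return Verdict("allow", f"{kind} with no active content detected")


# Constructed sample attachments (not real captures).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF",
    "invoice-js.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction<</S/JavaScript/JS(app.alert(1))>>>>endobj\n%%EOF",
    "invoice-obfuscated.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction<</S/J#61vaScript/JS(x)>>>>endobj\n%%EOF",
    "invoice-renamed-exe.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "photo-called-invoice.pdf": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "statement.xlsx": b"PK\x03\x04\x14\x00" + b"\x00" * 24,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = triage_attachment(name, blob)
        print(f"{name:28} {v.action:10} {v.reason}")
```

Passing `allowed=frozenset({"pdf", "zip"})` lets the same gate accept OOXML spreadsheets while still rejecting a ZIP that arrives with a `.pdf` name. This is a first-line filter, not a substitute for opening untrusted files in an isolated viewer: a clean-looking PDF can still exploit a parser bug, which is exactly the point the replies above make.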

      2. jdiebdhidbsusbvwbsidnsoskebid

        Re: Unsolicited is the key word

        Ah, thanks for the sage advice. So all PDFs are trustworthy and safe to open. Useful to know. We all have much to learn from this security guru.

      3. Insert sadsack pun here

        Re: Unsolicited is the key word

        "On top of that, invoices are in a defined format, usually PDF. A company can specify that format. Thus anything that isn't a PDF is not an invoice, and so must not be opened."

        This is exactly the kind of shit that sounds easy to an IT person, and a clucking nightmare to anyone that actually understands how businesses work. You'd have to change your T&Cs with suppliers, ensure that change actually works under the law of the countries in which you're trading, make all your suppliers aware of it (T&Cs? INRATS), make all your PMs aware of it, work out how to inject bling data (eg timesheets or hours or product specs) into invoices at vendor side and then work out how to extract it again on client side OR deal with two separate files in relation to same invoice, start rejecting incoming invoices and making your PMs and vendors send everything a second time, thus getting right up their hooter when they don't understand why it's done...but IT guy says "oh, only accept invoices in PDF..."

        1. Anonymous Coward

          Re: Unsolicited is the key word

          Indeed.

          It's so inefficient, you can only afford to do what you described if you are a government contractor. Else you'd go out of business.

    4. HKmk23

      Re: Security Practices

      Install a standalone PC (no network), transfer incoming attached emailed files via USB stick, and open them; print the files, then scan the printouts back onto an internal networked PC.

      Format the USB sticks after each and every use.

      Each night rebuild the standalone from a previously vetted image.

      and....of course backup your data......and backup your backups OFFSITE.

      My motto..... " I know I am paranoid....but am I paranoid enough?"

      1. A.P. Veening Silver badge

        Re: Security Practices

        I know I am paranoid....but am I paranoid enough?

        I'd say you are about half way there ;)

      2. Marketing Hack Silver badge
        Devil

        Re: Security Practices

        You're paranoid enough when you've configured your datacenter so there is a trapdoor triggered by a big yellow "in case of EMERGENCY" button. The door opens and drops your racks with the mail servers and their associated storage into a pit of sulfuric acid, which after 30 seconds of related bubbling then fills with molten lead from an under-floor reservoir. Then a steel lid marked "HAZARDOUS--DO NOT EXCAVATE!" drops from the ceiling to seal the whole thing off. Then maybe a very angry-looking grizzly bear walks in and sits on the lid.

        That would be about the right level of paranoia!

      3. Charles 9 Silver badge

        Re: Security Practices

        And if the malware pwns the detached PC's firmware (meaning it's nuke-proof) and creates a Sneakernet attack a la Stuxnet and BadUSB? And then hijacks your backup process (which is how I think some of the blackware works undetected)?

  5. StrangerHereMyself

    Easy to say

    That's easy for them to say. If all your business data, including the backups, has been encrypted, what choice is there? Not paying will simply mean the folding of your business venture.

    I recommend people start using Linux for their desktops, especially their vulnerable staff who aren't IT and / or security minded. If all else fails I recommend people simply pay up, retrieve their data and take steps to prevent another attack. This will usually mean re-imaging or replacing all computers in the company.

    1. DS999

      Re: Easy to say

      How in the world would your backups get encrypted too? The person who designed that backup scheme would have to be complete moron for that to be possible!

      1. Shred

        Re: Easy to say

        It’s surprisingly common for small “Ma and Pa Corner Store” businesses (and some larger ones who should know better) to back up to an external USB drive. Typically, after the first few backups, this gets left permanently connected to the host computer and voila! Your only backup is now encrypted too.

      2. Roland6 Silver badge

        Re: Easy to say

        >How in the world would your backups get encrypted too?

        Remember early crypto-malware hung around for some months before announcing its presence, so it was easy for multiple backups to be compromised.

        Remember the really valuable stuff (from a business continuity point of view) is generally the work in progress, not the stuff from several months back that was archived for legal reasons.

    2. doublelayer Silver badge

      Re: Easy to say

      Good backup policy requires, absolutely, at least one set which is stored offline and off-site. That's because you need that copy in various cases, including fire, flood, theft, or ransomware. Don't have that and your backups aren't good enough.

      Of course there are occasions where people find their system wasn't good enough and they have to make a hard choice between paying a ransom and manually recreating their data. If you do backups right, it's much less likely you'll end up in said situation. But what happens when you do? Well, you have to keep in mind that when you pay, not only do you expose yourself to risk of losing your money on ransomware that doesn't intend on decrypting for you and the possibility that you're now known as a person willing to pay up, but you're funding attacks on other innocent people. It is not only your business that is being harmed, which is why some countries have made the payment of ransoms illegal. People who ignore this are complicit.

      1. Symon Silver badge
        Linux

        Re: Easy to say

        "stored offline and off-site."

        Off site, yes, 100% correct. Offline, not necessary, unless you have absolutely no idea about security at all. Use rdiff-backup or something similar which gives you the ability to go back in time until you find the unencrypted backup.

        https://linux.die.net/man/1/rdiff-backup

        1. DS999

          Re: Easy to say

          Errr...if the backup is "online" then what stops it from getting encrypted along with everything else? If malware infects that online backup server, and encrypts everything including all those months-old backups, you don't have anything to "go back in time" to!

          You either need to have backup media that's offline, or something preventing already written data from being overwritten.

          1. A.P. Veening Silver badge

            Re: Easy to say

            or something preventing already written data from being overwritten.

            WORM storage
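Symon's "go back in time until you find the unencrypted backup", DS999's "something preventing already written data from being overwritten" and the WORM answer describe one design between them; JimboSmith and Charles 9 earlier in the thread add the failure mode it has to survive, backups that were faithfully taken of data the malware had already encrypted. The following is an added example in Python, not code from the thread or from rdiff-backup, of that design: an append-only snapshot store whose only client operation is "create", a per-snapshot manifest of hashes for integrity, and a canary file of known content whose hash distinguishes a clean snapshot from one that was correctly backed up after the encryptor ran. Everything here is constructed for the demonstration: the ransomware stand-in (XOR with a random keystream), the file contents and the canary text. The chmod is belt-and-braces for the on-disk copy; the control the example actually relies on is that the store exposes no overwrite or delete, which in production means a backup credential with create-only rights on object-lock or WORM storage.

```python
from __future__ import annotations

import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

# Canary: a file of fixed, known content that every backup job includes.
# If a snapshot's copy no longer hashes to this value, the source tree was
# already tampered with (encrypted) before the backup ran.
CANARY_NAME = "_canary.txt"
CANARY_BYTES = b"backup canary v1: if this text changes, the source was tampered\n"
CANARY_SHA256 = hashlib.sha256(CANARY_BYTES).hexdigest()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution; real ciphertext sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class AppendOnlyStore:
    """Numbered snapshots that are written once and never modified via this API.

    There is deliberately no overwrite or delete method: a backup client only
    needs 'create'. The chmod to read-only is extra (root bypasses it).
    """

    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)

    def snapshot_ids(self) -> list[int]:
        return sorted(int(p.name) for p in self.root.iterdir() if p.name.isdigit())

    def add_snapshot(self, files: dict[str, bytes], sid: int | None = None) -> int:
        ids = self.snapshot_ids()
        if sid is None:
            sid = (ids[-1] + 1) if ids else 1
        target = self.root / str(sid)
        if target.exists():
            # This is the WORM property: an existing snapshot is sealed.
            raise FileExistsError(f"snapshot {sid} is sealed; append a new one instead")
        target.mkdir()
        manifest = {}
        for name, data in files.items():
            path = target / name
            path.write_bytes(data)
            path.chmod(0o444)
            manifest[name] = {"sha256": sha256(data),
                              "entropy": round(entropy_bits_per_byte(data), 3)}
        mpath = target / "manifest.json"
        mpath.write_text(json.dumps(manifest, indent=1))
        mpath.chmod(0o444)
        return sid

    def read_file(self, sid: int, name: str) -> bytes:
        return (self.root / str(sid) / name).read_bytes()

    def verify(self, sid: int) -> bool:
        """On-disk bytes still match the manifest (no tampering after the write)."""
        snap = self.root / str(sid)
        manifest = json.loads((snap / "manifest.json").read_text())
        return all(sha256((snap / n).read_bytes()) == m["sha256"] for n, m in manifest.items())

    def is_clean(self, sid: int) -> bool:
        """Intact on disk AND the canary proves the source was untouched at backup time."""
        try:
            canary = self.read_file(sid, CANARY_NAME)
        except FileNotFoundError:
            return False
        return self.verify(sid) and sha256(canary) == CANARY_SHA256

    def latest_clean_snapshot(self) -> int | None:
        """Walk back in time until a snapshot taken before the encryptor ran."""
        for sid in reversed(self.snapshot_ids()):
            if self.is_clean(sid):
                return sid
        return None


def simulate_ransomware(files: dict[str, bytes]) -> dict[str, bytes]:
    """Stand-in encryptor: XOR with a random keystream gives ciphertext-like entropy."""
    return {name: bytes(a ^ b for a, b in zip(data, os.urandom(len(data))))
            for name, data in files.items()}


def run_scenario() -> dict:
    source = {
        CANARY_NAME: CANARY_BYTES,
        "ledger.csv": b"date,account,amount\n" + b"2020-05-01,4001,120.50\n" * 40,
        "notes.txt": b"Quarterly notes. " * 50,
    }
    with tempfile.TemporaryDirectory() as tmp:
        store = AppendOnlyStore(Path(tmp) / "backups")
        store.add_snapshot(source)                  # 1: clean
        source["notes.txt"] += b"More notes.\n"
        store.add_snapshot(source)                  # 2: clean
        encrypted = simulate_ransomware(source)     # canary included
        store.add_snapshot(encrypted)               # 3: hashes verify, but not clean
        try:
            store.add_snapshot(encrypted, sid=1)    # "encrypt the old backups too"
            overwrite_blocked = False
        except FileExistsError:
            overwrite_blocked = True
        return {
            "newest": store.snapshot_ids()[-1],
            "newest_verifies": store.verify(3),
            "clean": store.latest_clean_snapshot(),
            "entropy_clean": entropy_bits_per_byte(store.read_file(2, "ledger.csv")),
            "entropy_dirty": entropy_bits_per_byte(store.read_file(3, "ledger.csv")),
            "overwrite_blocked": overwrite_blocked,
        }


if __name__ == "__main__":
    print(run_scenario())
```

Two things the result shows: snapshot 3 passes hash verification (the backup software did its job perfectly), yet the canary marks it as unusable, which is why "backups ran without errors" is not the same as "backups are restorable"; and the entropy figures in the manifest are the cheap tripwire that would have raised an alarm on the day the work-in-progress suddenly started looking like ciphertext.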

  6. Pascal Monett Silver badge
    Coat

    I agree with every word

    It's nice to see a cyber security bureau on the ball and giving out the right advice.

    Such a shame about Australia's stance on backdoored encryption.

    Maybe this cyber security bureau could have a word with the government ?

    Mine's the one with proper encryption in the pocket.

    1. Anonymous Coward

      Re: I agree with every word


      Good for you - easy to pass judgement when your livelihood is not affected. Would you not do everything in your power to save your business?

      As a recent example, in 2017, the NHS was hit with a demand for $300 per infected device. It was not paid, and according to the Daily Telegraph, "the hack caused more than 19,000 appointments to be cancelled, costing the NHS £20m between 12 May and 19 May and £72M in the subsequent cleanup and upgrades to its IT systems."

      No doubt the authorities decided that wasting other people's money was a great idea. Still at least by not paying, that's stuck it to the hackers who have given up and gone home. Not.

      More to the point, why aren't government cybersecurity organisations making state run IT bulletproof from these sort of attacks? They should be better protected than private industry.

      1. Richard 12 Silver badge
        WTF?

        Re: I agree with every word

        Paying a ransom does two things:

        1) It marks you as an organisation that criminals should attack again. You paid last time, so you'll probably pay again.

        2) It requires you to run unknown software, provided by the criminals, on your computers, with access to all your data.

        Any smart criminal will use that unfettered access to make sure they can easily attack you again and again and again, and will sell that unfettered access to your computer systems to other criminals.

        To put it another way:

        You got burgled.

        The burglar says they'll put your stuff back if you pay them and leave them alone inside your house for a few hours.

        Do you pay the burglar?

        Of course you bloody don't, because that would be insane!

        1. Anonymous Coward

          Re: I agree with every word

          Oh? What if the burglar also happened to steal something not worth much money-wise but beyond priceless personally, such as the only pictures you have of your late grandmother? Or your secret family recipes? This is the level of "value" business secrets can be, and one can only pray the thief doesn't KNOW of this value (otherwise, as seen recently, they could hold the secrets themselves for ransom and threaten to reveal your secrets to the world).

          1. lglethal Silver badge
            FAIL

            Re: I agree with every word

            That's why you have copies (known as Backups). So that even if those things are stolen by the thief, you still have them.

            As for the ransom revealing, well that's basically the same as being blackmailed. And if you pay a blackmailer, they will milk you regularly and often. They might say they will destroy the evidence once you pay, but you're relying on the word of a blackmailer. Sure they might destroy the evidence after you paid, but oh look, here's another secret they found down the back of the sofa, you need to pay for that to be destroyed too. And the next one. And the next one. etc...

            Pay a blackmailer once, and you'll be paying forever...

            1. Charles 9 Silver badge

              Re: I agree with every word

              "That's why you have copies (known as Backups)."

              The sneaky ones wait for a while so as to infiltrate your backups and corrupt them, too. OR they hijack the backup process itself to make it look like it's working when it's in fact corrupting or exfiltrating your secrets.

          2. Richard 12 Silver badge

            Re: I agree with every word

            So you trust them to put it back and not steal everything they missed first time around?

            And you also trust that they won't dig a tunnel so they can come and go as they please in the future?

            Are you really that stupid?

            1. Anonymous Coward

              Re: I agree with every word

              All these comments against paying ransoms to save your business are based on the assumption the hacker has copies of your data with which to blackmail you. If true then yes, it's game over.

              If the malware simply encrypts the machine(s) and paying the ransoms unlocks it, if you subsequently get attacked successfully, due to inadequate security improvements, then more fool you.

      2. Anonymous Coward

        Re: I agree with every word

        "More to the point, why aren't government cybersecurity organisations making state run IT bulletproof from these sort of attacks? They should be better protected than private industry."

        No, because they have "backup" in the government itself. Any government that kicks its medical infrastructure to the curb and lets everyone's gran die isn't going to last long. At least private industry has the Sword of Damocles over their heads.

        1. Alan Brown Silver badge

          Re: I agree with every word

          "More to the point, why aren't government cybersecurity organisations making state run IT bulletproof from these sort of attacks?"

          I'm at the point of wondering why government cybersecurity operations aren't starting to deploy hit squads.

          They pretty much KNOW who the operators are and where they are.

          1. Charles 9 Silver badge

            Re: I agree with every word

            Fear of retaliation. The best ones tend to be state-sponsored, and the last thing one wants is to make a hit look like an act of war...especially against an adversary less averse to going MAD.

        2. tiggity Silver badge

          Re: I agree with every word

          "Any government that kicks its medical infrastructure to the curb and lets everyone's gran die isn't going to last long" .. er, the current crowd in the UK are doing just that and still have lots of supporters

      3. doublelayer Silver badge

        Re: I agree with every word

        "Good for you - easy to pass judgement when your livelihood is not affected. Would you not do everything in your power to save your business?"

        Everything in my power? Even on the brink of disaster? That's a hard no. Consider this situation:

        You and I run a business together. It's small, sometimes profitable. We get a large contract which requires us to invest a lot of our money, but it's going to pay us good profits. After considering it, we accept. Then it turns out to be a scam. They've stolen our money. We'll have to declare bankruptcy tomorrow because we haven't the money to pay for the lawsuit to get our resources back. Our employees will lose their jobs. This is terrible and it's not even our fault. We could try to liquidate our resources, but our building's not worth much. Then it strikes us. While our building isn't easy to sell, we've insured it for quite a lot because it's important to us. If we committed insurance fraud, we'd have enough money to save our livelihoods and those of our employees. All we have to do is burn the building down tonight, taking care not to let anything happen to other buildings, and file a claim. Would you commit the fraud?

        I'm guessing your answer is no. Why not? The only entity to get hurt is an insurance company. They have plenty of money. They can take it. Still no? If you don't, your employees are going to have to spend tomorrow on the phone to the unemployment office and your bank account is empty. Still not doing it?

        Of course you're not doing it, because insurance fraud and arson are wrong. You are doing harm to someone. Paying the ransom, in addition to being a bad idea, is also harming others by making more of a market for others to develop and deploy ransomware. I won't do "everything in my power to save my business" because some of the things in my power are wrong. Sometimes, I have to do what's right even though it would work better for me to do a wrong thing. Some countries make paying the ransom illegal for exactly this reason, but even if yours hasn't, you have to take into account the harm you're going to do. Of course arson is more dangerous than paying a ransom, but if we compared it to insurance fraud without arson, they're quite similar. In fact, I think paying a ransom is worse than otherwise-victimless insurance fraud--I have more sympathy for multiple, mostly small victims of ransomware than a large, cash-rich company. Yet I still won't commit insurance fraud. And I won't pay a ransom either.

        1. Charles 9 Silver badge

          Re: I agree with every word

          IOW, you'd ruin everyone near and dear to you in the name of principles. You see, you're going into Trolley Problem territory. Better pray no one in your employ is on a financial razor's edge or things could get ugly.

        2. Anonymous Coward

          Re: I agree with every word

          Totally false equivalence.

          Insurance fraud is illegal. Paying ransoms (except to terrorists) is legal.

          Your argument fails completely.

    2. cyberdemon
      Trollface

      Re: I agree with every word

      > Such a shame about Australia's stance on backdoored encryption.

      But since they've banned strong encryption, all an Aussie needs to do is ask the government to decrypt his files, right?

  7. N2 Silver badge
    Facepalm

    So much for the great firewall of Australia

    Which as I understood, was supposed to keep this sort of stuff out?

    1. Anonymous Coward

      Re: So much for the great firewall of Australia

      Unbelievably, that was 11 years ago, according to El Reg!

      They probably took it down recently due to its symbolic association with China, since they're the enemy now. LOL.

  8. Mark192 Bronze badge

    What businesses need to be told is:

    - How to secure their systems so that, even when users open that attachment, the attack will fail.

    - What a best-practice back-up system looks like; one that can quickly and easily get the business working again and not itself be compromised.

    1. Charles 9 Silver badge

      "How to secure their systems so that, even when users open that attachment, the attack will fail."

      Too much hoop-jumping. Most people are not of that ilk (they're the kind that just settle for a dead bolt) and spend their days wanting to JGSD.

      "What a best-practice back-up system looks like; one that can quickly and easily get the business working again and not itself be compromised."

      Can you make it turnkey and on a shoestring budget?

  9. arthoss

    Paying data ransoms should be illegal

  10. Ashto5

    Hmm how long have we been doing this

    Don’t you think that by now we really should have this s@@t sorted out.

    I received a dodgy looking unexpected email, used the “report suspicious email” button and away it went.

    Then all hell broke loose as the security guy just opened the attachment and it proceeded to copy itself to all shares and encrypt any files found; in 5 minutes it was all over the network.

    Links / attachments from outside of your domain should be quarantined or just deleted.

  11. PerlyKing Silver badge
    Pint

    No love for Chris de Burgh?

    Just to let you know that someone noticed the reference in the headline ;-)

    1. Anonymous Coward

      Re: No love for Chris de Burgh?

      That dates you.

      You'll be a grumpy old man by now ;)

      1. PerlyKing Silver badge

        Re: That dates you

        Also the author, although I suspect that "grumpy old (wo)man" may be in the job description ;-)

  12. FlippingGerman

    "5G...risks of being online" - are you saying 5G can give me a virus?
