Most organizations hit by ransomware would pay up if hit again Almost nine in 10 organizations that have suffered a ransomware attack would choose to pay the ransom if hit again, according to a new report, compared with two-thirds of those that have not experienced an attack. The findings come from a report titled "How business executives perceive ransomware threat" by security company …
If you are a UK VAT business you don't have to buy goods and services from other VAT registered entities. If an individual or business has a turnover of less than £85K in a 12 month period they don't have to register for VAT.
And its not your responsibility as a business to ensure they are complying with UK tax laws if you are purchasing from them.
It never used to be, but they spread the responsibility,
"The corporate criminal offence (CCO) of failure to prevent the facilitation of tax evasion came into effect in 2017, making it a criminal offence for relevant bodies (companies, limited liability partnerships and partnerships) to fail to prevent the facilitation of tax evasion by their employees, agents and others performing services for or on their behalf. "
Given that the organizations behind these attacks are typically in places where the phrase "rule of law" actually NEEDS those quote marks, one wonders - in an entirely theoretical way - at what point it becomes more expensive to pay the ransom than, say, to hire a squad of thugs to "persuade" the crew to cease operations. It's not as though it's totally impossible to ID these folks, just difficult and costly (see "rule of law" above, ISP employees can be bought, too).
I don't think that always works - See the recent "More charged in UK Lapsus$ investigation" (The Register).
British police have charged two teenagers as part of an international investigation into the Lapsus$ cyber extortion gang. The boys, aged 16 and 17, are set to appear at Highbury Corner Magistrates' Court on Friday, according to the City of London Police, the force responsible for the capital's financial district.
And from bankinfo dot security dot com
Chats, Attacks Continue After Arrest
It is too early to say if this will be the end of Lapsus$, as the arrests may still be a false flag, bad attribution, or even a framing job, Westin tells ISMG.
This may well be true. A Lapsus$ Telegram chat group - whose members have previously leaked data of compromised companies - continues to be active despite the arrests. Days after the police began a crackdown on Lapsus$ members, the group said it has returned from a "vacation" to leak more critical data.
On Thursday, nearly a week after the first set of reported arrests linked to the group, Lapsus$ leaked what appeared to be 70GB of data associated with the Luxembourg-based software development company Globant. It also appears to have leaked credentials of several DevOps platforms belonging to the company, including Jira, Confluence, Crucible and GitHub.
Plus, many of the culprits are beyond friendly borders and any any thugs would need to be backed up by a coalition of nation state militaries (un)prepared for WWIII. It's not impossible to get those guys - just not immediately - you have to wait until they come to Disneyland.
I'd start by rolling back every measure allowing cryptocurrency to interact with the financial system. But crypto now has deep roots in the wealth profile of our Free World Leaders, so that's not going to happen until things get a lot worse, and even then I wouldn't count on it.
-> Almost nine in 10 organizations that have suffered a ransomware attack would choose to pay the ransom if hit again
I can just about understand it, paying up *once*. I don't like the idea of it, or agree with it, but I can just understand it if:
- they really can't get their data back from backups (already a failure)
- and they can't recreate that data within a reasonable time (reasonable depends on the nature of the data)
- and if that data is critical (so treat it as such)
- and they really have no other reasonable choice if you want to stay in business (recognise the importance of the data, and ensure it is 100% backed up and recoverable)
But paying up multiple times? No way. That is definitely a failure on the part of the victim. What steps did they take (or rather what didn't they take) after the first time? It's like being burgled while they used 'This is the Lockpicking Lawyer and what I have for you today is an egregious example of a bad lock' locks, then didn't replace them when then Bob the Burglar opened them using a fork, a spoon, or a spare bottle top. At some point you have to say 'these locks are no good'.
"- they really can't get their data back from backups (already a failure)"
Depends on the malware and how often data is backed up. If the malware waits until a certain date to do its thing, it may be on the backups as well and as soon as you restore, it starts encrypting again.
It is more than bad locks. It's the higher ups wanting to access the whole building, or all of the company's building with one key. Except, it's worse since the locks can be opened from anywhere in the world. If somebody in housekeeping can click on a link that springs the trap that infects the whole company, the systems aren't segmented enough. There isn't much usefulness in the warehouse conveyor system PLC's being remotely accessible from the internet. For troubleshooting, maybe there's a way to connect one specially so it can be inspected, but then disconnected once that procedure is done. SneakerNet isn't a bad thing. You do still need to make sure you don't track anything in.
-> why would you change that decision the next time? What would be different, specifically?
Frequency? The amount? If you paid up once a year £10,000 or $10,000 (just for the sake of argument), you might say that's the price of doing business. What happens if it comes round once every 6 months? Or every month? Or the amount goes up to 100,000?
If you are burgled once because your processes weren't up to a good enough standard to recover from, you owe it to yourself (and probably your investors, customers, and staff) to see that as a problem and to fix it.
Let's imagine you have a bicycle and somebody steals it after you put it somewhere with a weak lock. Would you really put your next bicycle in the same place with the same lock? Perhaps you have deep pockets.
"64 percent of companies surveyed already having suffered an attack, but more worryingly, that executives seem to believe that paying the ransom is a reliable way of addressing the issue.... In contrast, among those that have not so far suffered a ransomware attack, only 67 percent would be willing to pay, and they would be less inclined to do so immediately."
Which way does that causality run?
Is it that those who have been attacked had and still don't have anything in place to deal with it other than paying ransom and those who haven't been attacked have not yet seen that particular version of the light?
Or is it that those who haven't been attacked haven't escaped by chance but, being less inclinedt to pay, have put in place stronger protections?
Once again, Pterry may have been a visionary: just introduce a Ransomware Guild, with the proviso that they also enforce unlicensed gangs.
<company gets hit by ransomware>
"But we're fully paid up! What do we pay our fees for?
<guild, likely with better resources than most law enforcement agencies anyway, hunts down the freebooters and turns them into dog food>
Companies that pay their fee get a nice little icon on their website! Maybe introduce another EV system so your browser can show it right in the bookmark bar. May I suggest the silhouette of a person with dropped pants bending forward?
"Once again, Pterry may have been a visionary: just introduce a Ransomware Guild"
Or Michael Atamanov with "The Hive of Tintaro" from the Reality Benders series. Depends on your choice of fiction. Of course, you can't go wrong with Discworld. I was just listening to Interesting Times again a couple of days ago. I had to. It was mentioned in the Bobiverse series by Dennis E. Taylor. Another favorite. The next installment of the Expeditionary Force books by Craig Alanson is due out in a couple of weeks.
Never mind the moral and legal implications (and ramifications) of trusting enforcers who are less than careful about accuracy and who, in the course of their investigations, will likely be deliberately fed some false leads as well.
Let's suppose it possible to catch some of the villians on this side of friendly borders - (which currently does at least sometimes occur anyway, using legal policing powers.). There are still many villians beyond the reach of any conceivable local "enforcers".
You pay only for getting your data back, assuming you have no other recourse, e.g., restoring from backups. [Aside: getting you data back is an assumption. IIRC Colonial pipeline paid, but the decryptor didn't work very well.]
It seems to me that this is a small part of dealing with a ransomware attack. Surely cleaning up and identifying how the criminals got into your network and plugging all the holes and making sure no warez remain after cleanup, including in backups, etc., is bound to be a much higher cost to the organization compared to the ransom payment itself.
So is the "I'll pay again" statement completely reasonable in the context of "I'll have much bigger problems if I am hit again" or is it completely unreasonable in the context of "restoring from backups is bloody hard but still just a small part of what I'll have to go through if I am hit again"?
Can one get insurance to cover the ransom payment? If I can I won't care about paying the next time - I will have already paid my premium. That's until the premium grows enough after the Nth breach... Can I get insurance to compensate for the downtime while dealing with the breach, as above? The premium may be a lot higher than just for the ransom - maybe better invest in actual security: teams, tools, procedures, equipment, etc?
No, I have not made any actual calculations. Hence all the question marks.
>> Surely cleaning up... a much higher cost
Yes... and how much extra cost to maintain a "clean house" afterwards?
At sites where I have worked, I remember disaster recovery as not being THE priority.
i.e. they all had backup plans but recovery.. more of a theory.
I'm not sure how to estimate tipping points... I do know it's expensive to do things well.
Personally I've always like overkill and lobby for as much as I can get. e.g. redundant, isolated systems, images, backup's, cataloged install media, up to date maps, etc...
When a recovery was finally needed at one site... even though I had just about everything on hand that I had ever asked for, it still did not go as fast/simple as I had originally planned.
It's easier to live life reacting than planning ahead. That's why quarterly results take precedence over long term planning. I see little evidence that way of life is actually cost effective in the long run.
Disconnecting crypto from the financial system would put a huge damper on ransomware. Banning, and enforcing that ban, of ransomware payments would also be very effective. But you know such legislation could never get through without enormous loopholes.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
