When are we gonna stop calling it ransomware? It's just data kidnapping now It's getting difficult these days to find a ransomware group that doesn't steal data and promise not to sell it if a ransom is paid off. What's more, these criminals are going down the extortion-only route, and not even bothering to scramble your files with encryption. As we've pointed out before, by ditching all that fiddly …
I don't know. Given that it is nowadays apparently deemed acceptable to spam customers with questionnaires for every possible interaction ("You filed a complaint. What is your opinion of our company?") I suspect someone will eventually do this, if only because of a dark sense of humour.
(And yes, I received a questionnaire after asking a company to fully and completely removing my details, so that's gone in a complaint to the regulator)
Yeah, I love the "please rate our app" before it even finishes installing. That guarantees a 1-star.
I updated the Google SMS app, which installed some new app because Google changes their SMS app every Thursday. It demanded that I review it, so I said in the review "Stop asking me to rate it"
Google deleted it saying I needed to make feature requests elsewhere.
I changed it to "Giving a review as requested. Can't give the 0-star review that it deserves."
I suspect they care about reputation just as much as any similarly long-lived white market brand does. How's Fyre Festival doing on Tripadvisor?
Meanwhile a well established ransomware group could see it's profits plummet following an El Reg article mentioning a single failed decrypt.
From a cybercrim's perspective, the problem with extortion-only datanapping is that some other cybercrim can come along and repeat the exercise, meaning that the victim might have to deal with more than one extorter. With ransomware if you're there first nobody else can swipe your lunch. In fact, with ransomware you are kinda protecting the victim by limiting the damage.
(IANACC, just pointing out the dangers with a tongue in cheek example).
I'm not aware of the criminal's boardroom discussions, but I'm certain I read an article recently describing multiple thieves hitting the same poor duck such that their likelihood of decrypting was about zero.
Dunno. What happens when two pirates hit the same ship? Do they share the booty and have a jolly time talking about crime, father-stabbing and other groovy things or does it devolve into a shark feeding frenzy?
The distinction might make sense to the suits due to the PR hits mentioned.
But for IT it is a distinction without a difference. Preventing network intrusions doesn't care what 'ware' it is. Nor does detecting and removing intrusions caused, as is so often the case, by social engineering. Data recovery has been an issue since before 'ware' became big, although it's existence makes the process more difficult.
The biggest problems for IT in this area are lack of funding and lack of in-house talent.
One can only hope the suits might consider this as they beef up PR, lawyer, and insurance budgets.
Detection is different though.
Datanapping requires a significant amount of outbound traffic which ought to be relatively easy to detect while in-progress, while encryption only requires the key to leave your servers so you'd never see that in the noise.
The CPU and disk usage profile is also different, of course.
The biggest problems for IT in this area are lack of funding and lack of in-house talent.
I'm going with "lack of in-house talent", since Software Restriction Policys have been a freebie in Windows since XP (and applocker is also a freebie in later versions although the SRP still works) and even an incredibly lazy method of setting the default level to disallowed and allowing %program files% and %//authorised network share% instantly prevents the userbase from running trojans they either download or bring in with them on external media. (since %temp% isin't in program files and is therefore disallowed from executing a program)
Without spending so much as a penny that instantly and pretty permanently kills trojans, while still allowing the users to work as normal. (as long as their normal job doesn't require them to receive .exe files via email and run them)
> One can only hope the suits might consider this as they beef up PR, lawyer, and insurance budgets.
What else would they beef up? Once your data is gone, IT is pretty much useless, except as a scapegoat.
Unless of course you mean anticipate potential risks, and waste perfectly good, bonus-inducing profits in obscure pointless technobabble. No sane manager would do such a thing! As long as there is the slightest chance it won't happen to you, you will avoid wasting any money on it.
> That said, Morris isn't convinced that extortion-only needs its own category.
I agree. Technically it's blackmail in both cases, and in both cases it's your data which is at stake. The only difference is at PR level, because instead of the mild sympathy you'll get if your vital data gets encrypted and you're incapable of doing business anymore, you will experience some public resentment due to all that sensitive data you had accumulated being now spilled all over the Internet.
If you pay the ransom, what's stopping the ransomers demanding more? Or releasing anyway? If your data is that important to contemplate paying the ransom, maybe, just maybe you should have invested properly in your backup and storage security personnel & systems?
STOP FUNDING THE BLOODY SOURCE OF THE PROBLEM PEOPLE.
Sorry about the all caps.
Victim blaming! Drink!
I expect they pay it for the same reason that people pay kidnappers, despite government orders to the contrary: they're not willing to lose what was taken. It's all well and good for people with no skin in the game to tut judgementally, but if it were your business or beloved person at risk, you might be talking out the other side of your mouth.
We're talking ransomware here, not people. The latter, it's a different situation.
If my own business was hit with encryptionware, then the backup strategy is there to get us out. If somehow the backup strategy is hit, c'est la vie, go back to an early enough point to and carry on. Somewhat annoying, some rework, but largely, not a big deal.
If it was a straight up ransom for the release of data, there is very little around that is really that confidential. Customer data, names addresses etc being the most obvious things requiring a degree of protection in your average business. Maybe some IP or technical documentation (and what is that doing in a low security system if it's that valuable?)
As there is no guarantee that even if you cough up they won't release or resell the data and/or demand more, the policy is don't pay, and with good reason. One can debate the merits of "good criminal/bad criminal". If they've already stole your golden goose you can pay what you like - but you have still lost it.
If your data IS that confidential to warrant actual protection. MOD stuff, etc. you should damn well be paying for knowledgable security in the first place. E.g. theft of data from the F35 programme, cough, cough.
> We're talking ransomware here, not people.
Yes and no. I mention kidnapping because the guidance of the US Government is for US citizens not to pay foreign kidnappers (in fact, I believe it's illegal) for precisely the reason you cite for not paying ransomware scum, which is that paying off one set of kidnapper encourages others. That aside, people are impacted by ransomware. For example, there was a recent article in this very organ which highlighted a hospital being afflicted by a ransomware outbreak. In such a case, people's lives are being very directly impacted!
It's all well and good to point the finger sanctimoniously at organizations impacted by ransomware, but it's worth remembering that perfect security is an illusion. You personally might think you have sufficient protection, and maybe you've done sufficient testing to be sure. For many organizations, however, there is a combination of complexity, legacy configurations, inadequate budget, and lack of security focus in, it must be remembered, a rapidly evolving threat landscape which makes it very difficult to be certain that one's IT environment is sufficiently protected. And those factors, of course, exclude the widespread burnout in IT professionals.
One thing I note in the mindset of many Register commentards is a distinct lack of understanding and imagination with regard to managing any environment besides their own, resulting in a concomitant simple-mindedness with regard to solutions. Any problem you don't adequately understand is easy to solve, after all!
You are correct that with the right protection (and backups are not really enough; the data would need to be encrypted at rest for example), it would be wrong to pay the ransom because you have a way out of the situation.
But if the thieves have managed to catch you flat-footed, it can quickly become about people as you are forced out of business and all your employees get dumped into the street. Is it your fault if you get caught flat-footed? Yes. Does it happen? Yes.
If you are protected, why do you care if the buggers hit your windshield? The business that failed to plan is getting punished for being short-sighted (and might never get to make the mistake again). It would be great to see the thieves put out of business. Of course if the data theft business is a thin veil for state actors then profit isn't necessarily going to impact them all that much.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
