A tale of 2 casino ransomware attacks: One paid out, one did not

The same cybercrime crew broke into two high-profile Las Vegas casino networks over the summer, infected both with ransomware, and stole data belonging to tens of thousands of customers from the mega-resort chains. But despite the similar characters and plots, these two stories have disparate endings — and seem to suggest two …

  1. Crypto Monad Silver badge

    "So why is it that networks are so Swiss cheese that these guys can actually take advantage of this swiss cheese?"

    Don't blame the networks - they are mostly the wrong place to put security. Most traffic is encrypted these days, and there's very little a firewall can do to inspect it. It can restrict which machines can talk to other machines (but only if they're on different subnets which are routed via the firewall), and it can generate alarms if machines start to attempt connections that they shouldn't be attempting. That's about it.

    Most security belongs at the host side: vulnerability management and patching, antivirus / EDR, authentication / MFA, logging and log analysis etc.

    1. rcxb Silver badge

      restrict which machines can talk to other machines (but only if they're on different subnets which are routed via the firewall),

      "Private VLANs" which is an option on most smart/managed switches, can put EVERY system on their own virtual subnet.

      Certainly security on the host side is valuable, but "the network" could do a lot more for security. That it doesn't is because a culture of laziness, permissiveness, and insufficient security consideration permeates most companies.

    2. Phones Sheridan Silver badge

      "So why is it that networks are so Swiss cheese that these guys can actually take advantage of this swiss cheese?"

      In my experience, it's users convincing the higher-up-than-mes that they absolutely cannot do their job without admin rights. I'm fighting 2 battles right now, one with a marketing team, and another with the design team, both of which get the CEO's direct attention, cos, ooh, shiny and buzzwords. I've written a report to my superiors why I am refusing to let anyone including myself work with realtime admin rights (they don't want to have to go through the bother of elevating privs during a task), and have given them the option to follow my Expert Advice™*, or sack me. I'm getting too old for this same old same old, and I've already retired twice, and changed professions completely.

      *I was headhunted out of retirement, so someone thought I knew what I was doing.

      Not working with admin privs out of the box stops 99.999% of malware intrusion.
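The check a practitioner would want after the comment above, as an added example that is not part of the original post: enumerate who actually sits in the local Administrators group on a Windows box, flag anyone not on an approved list, and read the two UAC policy values that decide whether an admin gets prompted at all or is elevated silently. The approved-account list and the CONTOSO domain name are assumptions for illustration.

```powershell
# Added example, not from the original comment. Requires the Microsoft.PowerShell.LocalAccounts
# module (Windows PowerShell 5.1 / PowerShell 7 on Windows). Run from an elevated prompt so the
# policy registry key is readable on locked-down builds.

function Get-UnapprovedLocalAdmins {
    param(
        # Accounts expected to hold local admin. The defaults are an ASSUMPTION for this example.
        [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
    )
    # Get-LocalGroupMember resolves nested domain groups to their group name, not their members,
    # so a user who is admin only via a domain group shows up as that group.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-UacPolicy {
    # EnableLUA = 0 turns UAC off entirely; ConsentPromptBehaviorAdmin = 0 means an admin's
    # processes elevate with no prompt, which is the "realtime admin rights" the comment refuses.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled               = ($p.EnableLUA -eq 1)
        AdminPromptBehavior      = $p.ConsentPromptBehaviorAdmin
        SilentElevationForAdmins = ($p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

$extra = Get-UnapprovedLocalAdmins
if ($extra) {
    Write-Warning "Unapproved local admins on $($env:COMPUTERNAME):"
    $extra | Format-Table -AutoSize
} else {
    Write-Host "No unapproved local admins on $($env:COMPUTERNAME)"
}
Get-UacPolicy
```

Run it across a fleet (for example via a scheduled task that writes the two results to a central share) and the list of "temporary" admin grants that never got revoked tends to surface quickly; the UAC values catch the other common shortcut, where an account is left as admin but the prompt is disabled so it "feels" like a standard account.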

      1. cyberdemon Silver badge
        Devil

        Upvoted, but I think a bit more than 0.0001% of malware intrusion works without users having admin privs.

        If users can download and execute programs or scripts from elsewhere, and have no whitelist policy on internet hosts they can contact, then there are plenty of malware possibilities, admin or not. Data exfiltration can often be done from an unprivileged account as most company info is usually readable to any employee.

        If there is a supply-chain attack on a cloud service as part of some Business Process Outsourcing, then no amount of access limitation of the users will protect you.

        In this case I'm led to believe that it was a double supply-chain attack, i.e. the supplier's supplier was compromised. The only defence against that is to not send your data into the bloody cloud in the first place.

        Or if your policy is to always install software updates and their dependencies immediately without considering what is being updated and why, then more fool you.

        And obviously: Don't pay the bloody ransom. That ought to be a criminal offence.

      2. Anonymous Coward

        Normally stops 99.9% of work too. Dinosaur IT stops the user being productive again. Good job!

        They likely have a good reason they’re begging you for admin rights unlikely connected to buzz words or shiny…fucking users…why can’t we just get rid of them so we can all just sit at home wanking?

        1. tiggity Silver badge

          No it does not stop 99% of work.

          If I need to get onto production servers to investigate or fix issues I have to go via logins to 2 different boxes (and some intermediate remote access software) and then can finally log onto production server.

          3 different sets of credentials (plus MFA confirmation) (or 4 if not already logged onto a suitable server that is allowed access to the 1st jump box)

          ... But it only adds a couple of minutes delay onto the process compared to being able to log directly onto production servers so is not an impediment to work (and none of the logins give me admin rights, even on production servers (and by using additional login) I only have permissions to do certain things, but enough to do my job). It's good I do not get admin rights, if my creds & phone (would be needed for some MFA options as might be via text or authenticator app on phone) were stolen, then someone could do nasty stuff to the production database (as I need access to that to do my job) but they could not get access to the backups (as I don't have access for obvious security reasons) so damage would be limited.

          So saying extra security precautions stops people doing their job is BS, it can slow things down by a few minutes, but that is worth it for better security*

          * no such thing as perfect security, all systems have flaws (no matter what you do, human error or a zero day can break things), but at least it helps to make things difficult and ensure that (whenever possible) no one person has all the "keys to the kingdom" so damage that is done is more likely to be limited.


        2. Strahd Ivarius Silver badge

          If the software you are using is properly designed, there is absolutely no need to have admin rights.

          When you let the nephew of your CEO create business tools vital for your activity, the sooner your company folds, the better humanity is.

          If you are using a cloud solution like ServiceNow and its MID Server for Active Directory that seems to require domain admin rights for updating accounts, stop using it.

          1. Anonymous Coward

            “If the software you are using is properly designed, there is absolutely no need to have admin rights.”

            So in the real world if a business needs specific software and doesn’t have a spare software development team handy and the software requires admin rights what’s your answer?

            “the sooner your company folds, the better humanity is.”

            What if the company makes cures for cancer? Does your glibness stand given both of these attacks had nothing to do with having admin rights or not and everything to do with blagging access?

            1. Anonymous Coward

              If shit software demands admin rights use something like policypak to elevate it for non admin users.

            2. Paul S. Gazo
              WTF?

              In reality, there's almost no such thing as software that requires admin rights.

              Oh, sure, there's hunk-of-crap software that puts some critical .INI file in c:\windows\system32 and there's plenty of trashware that expects to write to c:\progra~1\trashware because that's where it put its database. There's also more than enough badly-written code that wants to modify registry keys it put in HKLM when it should've been HKCU. Granted.

              Spend a half-hour with something like Process Monitor and identify those oddball dependencies and grant the user(s) perms on those specific files and/or keys.

              But wait... how about those pesky programs that just fire up a UAC prompt when you run them Just Because? Almost all of those you can make an application shim for that turns on the RunAsInvoker compatibility flag. Just because the horrible developer turned on the "you need admin rights" checkmark when compiling their code doesn't mean it's actually required. It very, very rarely is.

              Learn these two things and earn your pay as an IT professional. In nearly three decades of doing corporate IT as an MSP before MSP was a thing, I've encountered maybe one program that couldn't be handled by scoped permissions.

              It CAN'T be harder on Linux.
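The two techniques the comment above describes, as an added example that is not part of the original post: take a Process Monitor trace captured while the application ran as a standard user, pull out the file and registry paths that came back ACCESS DENIED, grant the users group modify rights on exactly those locations, and set the RunAsInvoker compatibility layer for a binary whose manifest demands elevation it does not need. The application path, the Procmon CSV path and the group name are assumptions for illustration. Procmon itself needs admin rights for its driver, so the trace is captured from an elevated Procmon while the application is launched from the user's own non-elevated session, then saved via File > Save as CSV.

```powershell
# Added example, not from the original comment. Run this part as an administrator once;
# afterwards the standard user runs the application without elevation.
# All three paths below are ASSUMPTIONS for illustration.
$AppExe = 'C:\Program Files\Trashware\trashware.exe'
$Csv    = 'C:\Temp\trashware-trace.csv'      # Procmon trace exported as CSV
$Group  = 'BUILTIN\Users'

function Get-DeniedPaths {
    # Procmon's CSV export has columns "Process Name", "Operation", "Path", "Result", ...
    # Keep only this process's events that failed with ACCESS DENIED, one entry per path.
    param([string]$CsvPath, [string]$ProcessName)
    Import-Csv $CsvPath |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        Select-Object -ExpandProperty Path -Unique
}

function Grant-ScopedModify {
    # Grant $Group modify rights on one denied location, and nothing wider.
    param([string]$Path, [string]$Group)
    if ($Path -like 'HKLM\*') {
        # Procmon writes registry paths as HKLM\...; the PowerShell provider wants HKLM:\...
        $psPath = 'HKLM:\' + $Path.Substring(5)
        if (-not (Test-Path $psPath)) { return }
        $acl  = Get-Acl $psPath
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Group, 'ReadKey, WriteKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $psPath -AclObject $acl
        Write-Host "Granted $Group read/write on registry key $Path"
    }
    elseif ($Path -like '?:\*') {
        # The app usually wants to write its own data file next to itself, so grant on the
        # containing directory with inheritance rather than on one file that may be recreated.
        $dir = if (Test-Path $Path -PathType Container) { $Path } else { Split-Path $Path -Parent }
        if (-not (Test-Path $dir)) { return }
        & icacls.exe $dir /grant "$($Group):(OI)(CI)M" | Out-Null
        Write-Host "Granted $Group modify on $dir"
    }
}

function Set-RunAsInvoker {
    # Same setting the Compatibility tab / Compatibility Administrator writes: a per-user
    # Layers value keyed by the full exe path. The process then starts with the caller's
    # token and the manifest's requestExecutionLevel is ignored.
    param([string]$Exe)
    $layers = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $layers)) { New-Item -Path $layers -Force | Out-Null }
    New-ItemProperty -Path $layers -Name $Exe -Value '~ RUNASINVOKER' -PropertyType String -Force | Out-Null
    Write-Host "RunAsInvoker layer set for $Exe"
}

$exeName = Split-Path $AppExe -Leaf
foreach ($p in Get-DeniedPaths -CsvPath $Csv -ProcessName $exeName) {
    Grant-ScopedModify -Path $p -Group $Group
}
Set-RunAsInvoker -Exe $AppExe
```

Review the denied list before granting anything: a well-behaved trace shows a handful of entries under the application's own directory or its HKLM key, whereas a path under System32 or a service's key is a sign the application should be replaced, not accommodated. Note that Set-RunAsInvoker writes to HKCU, so it must run in the standard user's own profile (or be pushed as a user preference); the Layers value under HKLM applies to every user on the machine if that is preferred.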

              1. RAMChYLD Bronze badge

                Sadly tho, it seems that most HR software is written by HR people who learnt programming from a very outdated copy of "MFC for Dummies". I had to deal with a piece of timekeeping software in my previous workplace and the software was so badly written it needs to be running 24/7 as admin or it just won't collect the punch-in and punch-out data from the networked readers all over the building. Yes the hardware is impressively modern with NFC cards being used to punch in for work and punch out after work and being wired up to the company intranet, but the software looks like it was written in the Office 2003 era and even then not using services and requiring admin rights to use is just idiotic.

                I could cacls the directory but it needed to start Firebird SQL as admin. Dunno why Firebird isn't running as a service.

              2. Prst. V.Jeltz Silver badge

                I know it's not practical but .....

                Wouldn't it be nice just to tell the horrible developer to get F****d and use something else though :D

        3. Anonymous Coward

          You do not need admin. If you have shitty software that asks for it, it can normally be tracked down to permissions that can be fixed. If this is not the case, use something like policypak which can safely elevate a problem application for non admin users.

          Giving anyone admin rights to run software is simply administrative laziness.

          1. Claptrap314 Silver badge

            FIFY

            "simply administrative malpractice"

        4. Ken Hagan Gold badge

          I'm a software dev who has spent the last few decades writing applications that might sometimes need admin rights. I stopped having admin rights on my day-to-day account (where I do all the development) some time in the last century when I started using NT 3.1 [sic].

          Evidently, it hasn't stopped me doing my job.

      3. Anonymous Coward

        My entire department has, and needs, admin rights. It's because we're automation engineers (not beancounters or managers) that do hefty things with our computers, which often require admin access. We're also specially exempted from the "no unencrypted thumbdrives" rule, as a number of the systems we work with can't handle encrypted thumbdrives, and sometimes that's the best way to get data, files, backups, etc. on and off them.

        Looking at the article, both of these were social engineering attacks against a vendor, who then provided access to the crims. Internal controls might have prevented someone from getting the customer list - maybe - but admin access doesn't seem to be relevant here.

        1. Anonymous Coward

          The OKTA breach gave the perpetrator access to the list of people who had access to the administrative part of OKTA.

          The information leaked was enough to start a phishing campaign against these users, or even better their service desk (since these are often outsourced) and then have a password reset performed, allowing them to get access to ALL the cloud applications where SSO was managed through OKTA.

          And it took more than one month after the breach was made public to have OKTA warn the affected users...

          How do I know this?

          I am one of the affected users, and I am also the guy who set up the security on all our systems, who is glad that I put in place the rule that no "standard" account has any admin rights on any of our systems and that everybody needing any remote access to our servers is using an "operator" account, with no access managed through a third-party system, and that the same rule is in place for accounts managing any cloud service we are using.

        2. Paul Crawford Silver badge

          My entire department has, and needs, admin rights

          There are some situations when that makes sense, but you can also add steps to make it harder to accidentally type in your own password for admin, rather than having to su to another account/password pair that has such rights, not allowing such machines for web/email use, etc.

          But for most businesses, and most jobs, the elevated privileges aspect should be granted to a few who have demonstrated the care and responsibility needed to use it.

    3. elaar

      "Most traffic is encrypted these days, and there's very little a firewall can do to inspect it"

      Maybe old, traditional firewalls, but there's a great deal that Next Generation firewalls can do to control, inspect and secure ALL traffic. The FW controls the encryption process, rather than the client directly with the destination host.

      1. Tom Chiverton 1 Silver badge

        Congrats, you've broken end to end encryption, so never get to handle sensitive PII. Tough luck if that's your business?

  2. Steven Guenther

    Like horse thieves

    In the old West, horses were a life necessity. Stealing one was a hanging offense, well above the punishment for stealing similar value. Computer systems are the lifeblood of the modern world. Shoot on sight would be a reasonable way to deal with the Mitnicks of the world. Pay Blackwater another $100 million to find and erase the hackers. Start finding these guys hanging from a bridge with their genitals in their mouths. It is the lack of IRL consequences that keep them coming back. Using "Social Engineering" makes the whole world a colder, less helpful place.

    1. Phil O'Sophical Silver badge

      Re: Like horse thieves

      And take Caesars' casino license away, for paying the ransom and so enabling the crooks as an accessory.

    2. An_Old_Dog Silver badge

      Re: Like horse thieves

      The problem with your suggestion is that witch-hunts would follow ("He's a witch hacker! Look at her nose!" "No, I'm not. You put that on me!" ...). Tracing intrusions back to their true instigators is murky and difficult, with far-less assurance of accuracy than the outcome of most public criminal trials.

      Having summary executions based on, "They probably did it." and/or, "We have reason to believe ..." is hardly a fair process, and I suspect it would lead to fake evidence-planting by bad people (analogous to "SWATting" in the U.S.).

      1. Yet Another Anonymous coward Silver badge

        Re: Like horse thieves

        We know who the bad guys responsible are, it's posted on a chalkboard outside the DoD

        Today we are blaming Russia ISIS Iran China Belgium Cuba Hamas

        So we just need to drone strike any of them that don't have the ability to drone strike back

        1. Prst. V.Jeltz Silver badge

          Re: Like horse thieves

          also they said who they are in the ransom demand

          aliases yes but its a step closer than tracing non ransom demanding hackers.

          If you find the bit-wallet you paid into in their "my documents" - there yer guy.

    3. mpi Silver badge

      Re: Like horse thieves

      Unlike the horse thieves, which conveniently operated from inside the country that outlawed their actions and had jurisdiction and manpower to deal with them, these guys don't operate from a place where such simple solutions can be applied.

      There is a very sizeable list of nation-state level actors which are essentially safe havens for these groups. Many of them simply don't give a damn about it. And several other nations actively encourage the extortion groups (as long as they don't attack the hand that feeds them), or even RUN them in the first place.

      And THAT is the real problem here.

      1. Lurko

        Re: Like horse thieves

        "There is a very sizeable list of nation-state level actors which are essentially safe havens for these groups. Many of them simply don't give a damn about it."

        Then isolate them from international telecommunications networks (and make neighbouring countries follow the rules or isolate them). We all know that wouldn't stop the digital attacks much if at all, but would make for a considerable inconvenience and cost to their economy. And that's what's missing for cyber crook host nations - there's currently no consequences.

        For those countries where a total digital blockade is impracticable because we've allowed ourselves to become dependent upon trade with them, look for other ways of costing the host nation money - for example add selected Chinese banks to the anti-laundering lists that block Western banks trading with them. Yes, there would be consequences to this, but at the moment, the cyber war is being fought impotently and ineffectively by the west.

        And of course we should start at home with prison time for Western execs whose companies pay ransoms.

        1. AVR Bronze badge

          Re: Like horse thieves

          Aside from North Korea, basically every country is important to some other country. Georgia may really dislike Russia but they can't cut them off; Turkey has billions in trade with Georgia, and more with Russia; any number of countries in the EU can't afford to cut Turkey off; the US won't be cutting ties with the EU or Turkey. China let Trump save a little face with their obviously false promises but they won the last trade war with the US. And to be clear, you're talking about starting trade wars, plural.

          1. Anonymous Coward

            Re: any number of countries in the EU can't afford to cut Turkey off

            OT: they / we CAN afford to cut Turkey off, they / we just - under NO circumstances - don't want to lose ANY profit(s) coming from their / our trade with Turkey. Plus they / we're being held hostage by Turkey: trade with us (be nice to us), OR ELSE those refugees start marching (again).

        2. mpi Silver badge

          Re: Like horse thieves

          > look for other ways of costing the host nation money - for example add selected Chinese banks to the anti-laundering lists

          Look, I understand the mindset of a harder stance on the organizations, including nations, that are behind this, but unfortunately, it's not that easy. To stay with your example, do you think the CCP would just take that sitting down and not retaliate at all? Of course they would retaliate, and make sure this move costs us easily as much money as it does them.

          You are talking about starting trade wars here. And sorry to say this, but at some point, we need to do a simple cost-benefit-analysis when talking about such options.

          > And of course we should start at home with prison time for Western execs whose companies pay ransoms.

          Not paying ransom is, unfortunately, not always an option for companies in this situation. The article outlines a few of the hairy scenarios.

      2. Strahd Ivarius Silver badge
        Devil

        Re: Like horse thieves

        What about the ones operating from Virginia?

  3. DS999 Silver badge

    They wouldn't have done this 60 years ago

    When the mob ran Las Vegas. Those guys would spare no expense to track down the ransomware hackers and kill them, or if they couldn't find them kill their families instead.

    1. Anonymous Coward

      Re: They wouldn't have done this 60 years ago

      The management must have thought "$30m cash or $5m for an open contract?"

    2. Anonymous Coward
      Joke

      Re: They wouldn't have done this 60 years ago

      Maybe the casinos did it themselves :o

    3. Anonymous Coward

      Re: They wouldn't have done this 60 years ago

      Ocean's 11 is a 1960 American heist film ...

      1. Strahd Ivarius Silver badge
        Coat

        Re: They wouldn't have done this 60 years ago

        And all the perpetrators are now dead...

    4. Ghostman

      Re: They wouldn't have done this 60 years ago

      A press conference from the Las Vegas Strip:

      Good afternoon. The Casino has had a data breach. The ones who have illegally broken into our database with personal information of our guests are demanding a ransom of 30 million in crypto for the promise of them not releasing the data.

      We spoke with their negotiator, interviewed him, and extracted the data we need to start the manhunt for those who thought this was a good idea. They should in a few hours receive the negotiator and understand the error of their ways.

      We called the media here to announce that we will not be paying the ransom. We wish to let those who have created this problem know that we do take this seriously, but we will not tolerate it.

      Any and all data, including the media it is stored on, will need to be returned, intact, with no, repeat, no distribution to us within 24 hours. There will be no recriminations other than the legal ones for the actual data breach.

      If the data, any of the data, has been distributed, clients contacted, accounts hacked, then the gloves are off. If our demands are not met, the gloves are off.

      24 hours from now, 10 million in cash will be placed in a reward account for return of the data, media holding the data, and physical proof that the miscreants can no longer steal data and demand a ransom for its "possible return". You, the ones who stole the data, are not eligible for the reward.

      In a few hours you will realize just how seriously we take this affront to the security of our guests and clients.

      We know the requisite 4 Ws. We know Who you are, Where you are, When you are there, and What you did to enter our system.

      We will not at this time entertain questions from the media, we do request that you put this out immediately.

      1. Ghostman

        Re: They wouldn't have done this 60 years ago

        The next press conference 48 hours later:

        We have called this conference to inform our guests, the public, and the media, that the threat of release of information from the recent data breach has been resolved.

        All data and all media containing that data have been turned over to us. We are now contacting anyone whose account was found in the data breach to log onto their accounts, check for any problems, and to change the passwords to a minimum of 8 letters, 2 numbers, and a special character for a total of 11 inputs.

        We are assured that the instigators will no longer be able to cause problems like this again, and that their network has been dismantled and destroyed.

        We would like to thank the media for their response to our earlier requests in getting out the directives to the criminal element that caused this disturbance, and hope you will report that any more issues of this type will be met with similar enforcement.

        Reporter: Sir! Does this have anything to do with the explosion and fire that burned down a warehouse complex in RickyTikistan last night?

        Speaker: Where is that Rikistan place?

        Reporter 2: Do you have any information on why 9 people were found dead, hanging from the railing of the police building? And why were their fingers and toes removed? Worse yet, did you know that their skin had been practically peeled from their bodies, including their faces?

        Speaker: Somebody must have been really mad at whoever they were.

        Reporter 3: Something different here, but I would like to acknowledge you for what you did this morning. This morning you grilled chunks of meat and then took it down to the homeless groups and gave the cooked meat to some of their dogs and invited the group to be at the rear area for lunch today. A very humanitarian gesture.

        Speaker: Thank you, we try to do good in this mean old world for those less fortunate. We have to leave so we can set up for the big picnic outside, so we again thank you for coming to the press conference. Oh yeah. You are all invited to come and talk with those attending, and eat a little if you want.

        A few minutes later in an upstairs suite. Well Mr. negotiator, here is your million dollars we agreed upon. Keep your mouth shut, don't try anything like this again, and you won't become dog meat.

        1. cyberdemon Silver badge
          Facepalm

          Re: They wouldn't have done this 60 years ago

          You assume that it is possible to find the crooks.

          Obviously, they are behind seven proxies etc, and they are shielded by a nation-state that disagrees with your nation-state.

          Even if you offered a bounty, the gangsters could simply find some desperate stooges to offer up who would love to confess all for the reward of being sent from their torturers to the relative safety of an American prison.

          Meanwhile the real gangsters are still at large having collected both bounty and ransom, and the cycle continues.

        2. Prst. V.Jeltz Silver badge

          Re: They wouldn't have done this 60 years ago

          Press conference day 3

          ok, we realised we didn't actually know the 4 W's and have no fooking clue who did this to us.

          Cash waiting if you bring our data back , and a free stay in the high roller suite , with blackjack , and hookers.

      2. Anonymous Coward

        Mob movie fantasist fan fiction

        Meanwhile, outside your fantasy imaginings and back in the real-world 1960s, the mob wouldn't have been stupid enough to overtly grandstand and issue implied but clear threats in such a public-facing manner.

        That overt willingness to display and exert outside-the-law power in the running of their casinos would pretty much force something to be done to clean it up.

        They might- emphasis very much on "might"- try something similar in private, but even if they did, I doubt they'd do so in such a Hollywood scripted manner.

    5. J__M__M

      Re: They wouldn't have done this 60 years ago

      When the mob ran Las Vegas, getaways were made in things like cars or airplanes.

    6. Blofeld's Cat

      Re: They wouldn't have done this 60 years ago

      Nowadays the perpetrators would simply be interviewed to find out what their motives were, and who they were working with.

      Following those discussions, concrete proposals would be set out on how the persons involved could become useful members of society.

      A supporting role in highway development might well be suggested at this point ...

  4. TaabuTheCat

    All because of crypto

    Isn't it amazing that the only useful thing crypto is good at, other than duping suckers, is paying ransom? Get rid of cryptocurrency and the problem goes away. What are they going to do, demand $15M in gift cards?

    1. doublelayer Silver badge

      Re: All because of crypto

      Challenge: find a way to get £10M from someone who has it and is willing to pay it, into your hands without the police identifying you and you win £10M. Do you really think that, with an incentive like that, people will really just give up if the first one they used isn't working anymore? Can you really not conceive of a method that might work?

      What if I give you an extra asset, one the largest ransomware organizations tend to have: if you have some people in Russia, the Russian police won't try to arrest you anyway. That means you can do things in Russia that wouldn't normally work in a different country, if any physical interaction is needed. I'm guessing you have some ideas that don't involve cryptocurrency. And they already have the software, so trying some new ones would be close to free. If it fails and their transaction is reversed, they can always try another method with the next company, or even call back the first company and try again.

      1. mpi Silver badge

        Re: All because of crypto

        It's not about making it impossible. It's about making it harder than it currently is.

        Sure, there were ways to pay dark money before crypto. But none as convenient, that is simultaneously so hard to track.

        Plus, with crypto being essentially nothing but an internet-sized exercise in the Greater Fool Theory, the practical, non-criminal, real world applications of which have mostly failed to materialize in the 14 years since bitcoin was invented, and an enormous waste of energy and hardware on top of it, there really is no downside to shutting this crap down.

        1. doublelayer Silver badge

          Re: All because of crypto

          Did I say that you need to keep cryptocurrency because it's so useful? I did not. What I was arguing against was this: "Get rid of cryptocurrency and the problem goes away." Sorry, that would be great, but the problem won't go away with a flip of a switch. If you pretend it will, it will only result in disappointment when you spend a long time convincing people to do the difficult work required to shut down or make effectively worthless all cryptocurrencies and ransomware operators are still around. A counterpoint is that, if we could retroactively disable cryptocurrency a decade ago, I think we might have prevented ransomware because they started with small attacks and small ransoms where finding a transfer method was not worth it, but you rarely hear about a ransomware attack on a personal laptop anymore. Nowadays, it's large groups going after large companies or governments for millions in ransom, and that scale is where finding alternatives is worth the effort and much easier to try.

          I don't much care whether cryptocurrency exists. I have none, I don't want any, and the benefits it was supposed to bring it hasn't and won't. Let's still be honest about the realities involved in both the ransomware industry and the cryptocurrency industry before we claim easy answers.

          1. mpi Silver badge

            Re: All because of crypto

            > Let's still be honest about the realities involved in both the ransomware industry

            Alright, let's do that.

            One of those realities is (and that is true for almost all crimes where a transfer of money from a victim to the criminal is involved), that receiving the payment from the victim is one of the most dangerous steps from the point of view of the criminal.

            Because payments, especially large sums of money, have a tendency to either leave a paper trail, or require physical presence, or both. At least this is the case when we talk about fiat currency. With crypto, the situation becomes a lot murkier, which is why it is the perfect payment vehicle for these groups.

            So: Let's take that away from them.

            I never claimed (and if you disagree: show me where I did) that this is a silver bullet that will magically solve all cybercrime. This is about making it HARDER for these people, and force them to use methods that are a lot less convenient, and involve a lot more risk for them to get caught.

            1. doublelayer Silver badge

              Re: All because of crypto

              "I never claimed (and if you disagree: show me were I did) that this is a silver bullet that will magically solve all cybercrime."

              I agree, you did not. The person to whom I first replied did, or rather that it would magically solve all ransomware. I've seen the argument before, and similar to the discussion elsewhere in these threads about whether you could start a global trade war to stop ransomware, it could theoretically help but not as thoroughly nor as cheaply as people would like to believe.

              I also agree that disabling cryptocurrency, if we could do so unilaterally, would cause some serious problems to ransomware operators. So would several alternative methods, such as making payment of ransoms illegal or having a larger dedicated police force for identifying operators and tracking them until they come to a country in which they could be arrested. We could try all of these things and more. Each would probably have some effect. None would have the ultimate effect we both want, and I fear that cryptocurrency might be among the weaker of them given the scale involved. There are a lot of criminal organizations that have spent time and effort figuring out how to move large quantities of money before cryptocurrency existed, and ransomware has become large enough that they could start to do the same. I think that there is an appetite to shut down ransomware that is strong enough that people are abandoning the step of considering the costs and likely results of possible measures. This has led, in these comments alone, to suggestions to send assassins to kill the ransomware operators and to commit acts of war against the countries in which they are located. Banning cryptocurrency is much less outlandish than either of these, but that doesn't make the description realistic.

      2. Yet Another Anonymous coward Silver badge

        Re: All because of crypto

        >Challenge: find a way to get £10M from someone who has it and is willing to pay it, into your hands without the police identifying you

        1, Call Swiss bank

2, Deposit pile of gold teeth and some bars of gold with a repurposed Hindu symbol on them

        3, Receive elite premier customer status

PS I wonder how drug dealers do it? I don't see many of the folded fans of fentanyl in downtown east-side memorizing public keys

        1. Peshman

          Forensic accounting is a thing as is KYC.

          >Challenge: find a way to get £10M from someone who has it and is willing to pay it, into your hands without the police identifying you

          1, Call Swiss bank

2, Deposit pile of gold teeth and some bars of gold with a repurposed Hindu symbol on them

          Find who took the 10M and 'sold' you the gold by following the electronic transaction. If the 10M is disseminated after buying the gold slowly because it's in cash form then that's a PITA for anyone to sit on without being questioned about paying for anything substantial. Sellers also have PnL to account for. Try buying a yacht with cash and see what the reaction would be.

Fiat currency is very tightly regulated these days. A prime example is when my bank called me to verify that my multiple lots of 2000GBP transfers from my mother's savings acc into my current acc (multiple because there's a 2000GBP limit on single online transfers and a max daily limit of 10k) to pay the DD for her care home fees were valid transactions. They saw it as unfamiliar activity and so it was flagged. I'm sure there are ways of getting around it illegally but that's why money laundering laws exist.

          10M without someone getting their fingers dirty, from a legal perspective, would be really hard to shift quickly.

          1. doublelayer Silver badge

            Re: Forensic accounting is a thing as is KYC.

            "10M without someone getting their fingers dirty, from a legal perspective, would be really hard to shift quickly."

            Let's be clear that the people who would be doing this have already started out by breaking into someone's system and installing ransomware on it. I don't think they're too worried about staying legal. They're only worried about the pragmatism of whether they get the money without being identified. Therefore, several of your objections do not apply. For example, tracking the person who bought the gold before it got to you: they don't matter. Paying ransoms is still legal, so that person can go out in public and say "I'm buying gold for these evil guys" and they are fine. So are the criminals. Nobody cares if that link is tracked down.

            Similarly with the arguments about the slowness of cash processing. This is the same problem that criminals receiving cryptocurrency have. They don't really want cryptocurrency, as there are only a few things you can buy with it directly. They need to turn it into something else, and there are problems doing so quickly in a way that evades local authorities. It has no advantage over any other commodity that isn't immediately convertible into high-value purchases. While doing it in gold or physical cash has that annoying feature for the criminals, cryptocurrency has it as well.

    2. john.w

      Re: All because of crypto

What do you think the 500 Euro note is for? It has no use in legal cash transactions. The EU, an institution that likes to keep its corruption off any computer networks.

      1. Peshman

        Re: All because of crypto

        What's your point?

500 Euro notes are regulated well enough that you can't use them in normal circulation. I had a 200 Euro note once. It was completely useless to me. I gave it to a friend in Dublin to see if she could take it to a branch of AIG and have it broken up. They wanted provenance before they'd take it.

        1. Yet Another Anonymous coward Silver badge

          Re: All because of crypto

No, but you can take out an easily carriable few million in Rome, walk across the frontier into the Vatican, deposit it and withdraw it in Colombia the same day to fund your 'charitable works'

  5. HuBo Silver badge

    Pay it forward, or sideways

    It seems that both casinos blame a "social engineering attack" on outsourced ID management biz Okta as the cause of their customers' data being hacked. In the MGM case, Scattered Spider even "bragged that all it took [...] was a 10-minute call with the help desk" (at Okta). Searching El Register for Okta lands more hits, including on the 2022 "Oktapus" phishing campaign by that same Scat. Spider (an AlphV/BlackCat ransomware affiliate?).

    If the behavior of Okta employees is the main point of failure then some improvements would need to be made there. Then again, in their successfully foiled "Lapsus$ incident", Okta blamed an employee of Sitel, their "(former) outsourced customer service provider" -- and so, all employees, everywhere, may need to be patched! -- https://www.theregister.com/2022/06/22/okta_lapsus_zero_trust_explanation/.

    As for ransom payments, the points made by Hornbuckle, Callow, Stifel, Rubin, and Goody, are all excellent, and very well presented in the article (IMHO). They do cover the extensive gamut of considerations and possibilities very well. In the end, it seems that a case by case approach remains best.

    1. Anonymous Coward

      Re: Pay it forward, or sideways

      Given that Okta's security is what led to both these breaches and more, can they be made to pay the expenses of the companies they helped breach? Surely letting in cybercriminals is a breach of contract!

  6. Anonymous Coward

    Crooks stealing from crooks

    Popcorn.

  7. ChoHag Silver badge

    > "Sometimes when you are providing really critical services, to get back up on line quickly, unfortunately [you] do have to make that decision to pay even though that's not something you really want to do."

Critical services have failover and backups ready to be restored to freshly working systems within n hours, where n is dictated by how critical the service is. Ransomware (nearly typed randomware, which would be quite appropriate) is no different from any other disastrous event that you are supposed to prepare for recovery from.

    "We're really important" does not justify being even more shit. Paying the ransom is an admission that you're a failure.

  8. Mike 137 Silver badge

    "an Okta customer that fell victim to phishing attempts targeting its IT service teams"

    A clear lack of adequate defense in depth at both casinos. Reminds me of the Far Side cartoon of a couple of polar bears lifting up an igloo, with the caption "I love these things -- crunchy on the outside, chewy on the inside". Too many organisations still operate like that, so they're wide open once the gateway has been passed.

  9. Ashto5

    £100 m

    That would buy a lot of turn coats

    Offer a £50m no prosecution offer if the person turns over the whole gang

    Now there is the incentive

    Watch the filthy cockroaches turn each other over.

  10. Anonymous Coward

    Security holes

    AC to protect the guilty.

    I have worked in a place where the PM's bonus was based entirely on time & cost of a project. So anything that could be cut was and if there was a case of passing data between two systems, neither PM wanted to pay for doing it properly. So a lot of semi-manual file-based integrations. Which means all of the users and all of the systems had access to all of the file servers. They never got a ransomware hit while I was there, but if they had there was nothing to stop it crawling across everything.

    Madness, but some genius thought it was a way to control the cost of IT.

  11. Grunchy Silver badge

    Why does any customer data need to be net-accessible? You set up three servers. The first one faces the net, has no data, and can only talk to server 2 through a single low-speed connection and only using a particular messaging protocol. The second server has no internet connection and also no data. It can only talk to servers 1 & 3 via two separate low-speed connections and two different protocols. The third server can access the data, but only for confirming true or false if a particular query is correct; and can only speak to server 2.

    And all 3 of these servers could run on the same physical hardware, as independent VMs!

    I could write this in BASIC and it would still be utterly unhackable.
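A sketch of the gated three-tier design described in the comment above, as an added example (not code from the page, the commenter, or either casino). Each hop accepts exactly one message shape, re-validates it, and re-encodes it in a different protocol before passing it on, so a compromised front server can only ask the one question the pipeline was built for. The tier names, the tiny customer table and both message formats are assumptions. It also carries the check a practitioner would want: tier 3 is a yes/no oracle, so the edge throttles per client, otherwise the design is just a PIN-guessing service.

```python
import json
import re

# Constructed sample customer table (assumption for this example): the only
# thing tier 3 will ever reveal is whether an (id, pin) pair matches it.
CUSTOMER_DB = {"C1001": "4821", "C1002": "9930"}

ID_RE = re.compile(r"C\d{4}")      # customer ids are fixed-width (assumption)
PIN_RE = re.compile(r"\d{4}")      # pins are four digits (assumption)
MAX_MSG_BYTES = 64                 # tier 3 never needs more than one small record


class Rejected(Exception):
    """A hop received something outside its one permitted message shape."""


def tier3_data(msg: bytes) -> bytes:
    """Data server. Speaks only JSON to tier 2; answers only b'1' or b'0'."""
    if len(msg) > MAX_MSG_BYTES:
        raise Rejected("oversized")
    try:
        obj = json.loads(msg)
    except ValueError:
        raise Rejected("not JSON")
    # Exact key set and one operation: there is no DUMP, no wildcard, no SELECT.
    if not isinstance(obj, dict) or set(obj) != {"op", "id", "pin"} or obj["op"] != "VERIFY":
        raise Rejected("unknown message")
    cid, pin = obj["id"], obj["pin"]
    if not (isinstance(cid, str) and ID_RE.fullmatch(cid)
            and isinstance(pin, str) and PIN_RE.fullmatch(pin)):
        raise Rejected("malformed fields")
    return b"1" if CUSTOMER_DB.get(cid) == pin else b"0"


def tier2_broker(line: bytes) -> bytes:
    """Middle server. Holds no data and has no internet path. Takes one ASCII
    line from tier 1, re-validates it, and re-encodes it for tier 3, so no
    bytes from the edge ever reach the data server unparsed."""
    try:
        parts = line.decode("ascii").rstrip("\n").split(" ")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII")
    if len(parts) != 3 or parts[0] != "VERIFY":
        raise Rejected("unknown command")
    cid, pin = parts[1], parts[2]
    if not (ID_RE.fullmatch(cid) and PIN_RE.fullmatch(pin)):
        raise Rejected("malformed fields")
    reply = tier3_data(json.dumps({"op": "VERIFY", "id": cid, "pin": pin}).encode())
    if reply not in (b"0", b"1"):
        raise Rejected("tier 3 protocol violation")   # never trust the inner hop blindly
    return reply


class Tier1Edge:
    """Internet-facing server. Holds no data and only knows how to ask tier 2
    one question. Per-client throttling matters because tier 3 is a yes/no
    oracle: with 10^4 possible pins and no limit, the pipeline is an enumerator."""

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.attempts: dict[str, int] = {}

    def handle(self, client: str, form: dict) -> str:
        n = self.attempts.get(client, 0) + 1
        self.attempts[client] = n
        if n > self.max_attempts:
            return "throttled"
        cid, pin = str(form.get("id", "")), str(form.get("pin", ""))
        if not (ID_RE.fullmatch(cid) and PIN_RE.fullmatch(pin)):
            return "invalid"        # e.g. "C1001' OR 1=1" never leaves tier 1
        try:
            reply = tier2_broker(f"VERIFY {cid} {pin}\n".encode("ascii"))
        except Rejected:
            return "error"
        return "ok" if reply == b"1" else "denied"


if __name__ == "__main__":
    edge = Tier1Edge()
    print(edge.handle("203.0.113.5", {"id": "C1001", "pin": "4821"}))   # ok
    print(edge.handle("203.0.113.5", {"id": "C1001", "pin": "0000"}))   # denied
    print(edge.handle("203.0.113.5", {"id": "C1001' OR 1=1", "pin": "x"}))  # invalid
```

The point the example makes beyond the comment: the strictness of each hop's parser is what does the work, not the number of hops, and even a correctly gated boolean oracle still leaks one bit per query, which is why the throttle sits at the edge.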

  12. mevets

    What happened to the mob?

    I thought the main role of mobsters in places like vegas included making sure these places didn't get hit.

Even if the mob thinks computers are out of its ken, organizations like Okta are directly competing in the protection racket domain.

    Have the movies been lying all along?
