Let that be a lesson
The worst thing you can possibly do is pay the scum
Paying a ransom (unless authorised as part of a credible police sting) needs to be a criminal offence
Change Healthcare is allegedly being extorted by a second ransomware gang, mere weeks after recovering from an ALPHV attack. RansomHub claimed responsibility for attacking Change Healthcare in the last few hours, saying it had 4 TB of the company's data containing personally identifiable information (PII) belonging to active …
Many years ago, I posted the idea of paying a ransom being a criminal offense. I got down-voted heavily on that comment. I also received tons of criticism followed by all kinds of pathetic reasons why companies need to be able to pay ransoms.
I'm glad everyone is starting to see the reasons why this just has to be the case.
Likely by the same incompetent CISOs/CIOs that allow this sort of thing to happen under their watch, fearful for their own careers.
Like the Solarwinds CISO getting sued for gross negligence, Change Healthcare's management should as well, first for being lazy/stupid to let it happen in the first place, for even considering paying the fine let alone doing so as they did, and for letting it happen AGAIN not learning from the first.
Organizations like these are so broken it's laughable, but this is how most of the businesses I deal with in consulting still operate in 2024.
Guess what everyone, medical insurance rates are going up again to pay for their mistakes. North Korea thanks you for your continued support.
As usual, it is always easy to be critical from the sidelines with no knowledge or understanding of what actually took place.
Not every security event is a result of incompetence or negligence. It is also very easy to say something could have been avoided with hindsight.
If there is actual negligence then it should be easy enough to take action.
"If there is actual negligence then it should be easy enough to take action."
No, no negligence at all, the malware fairy dropped off malware to hose the systems.
But, rather than providing healthcare, they're now paying out to criminals. Maybe they'll at least be able to cover euthanasia.
I've been saying it for a while too.
Lately, most of the stupid have come around, years late, but at least they've finally realized we're right.
Make it a real crime to pay, put a couple CEOs in prison for paying, and ransomware will stop being a problem because it will be unprofitable. It really is that simple a problem to solve.
"Paying a ransom (unless authorised as part of a credible police sting) needs to be a criminal offence"
I think that's taking it too far. You might as well say that in relation to any extortion attempt. Paying the mafia to take out the garbage in your office building should be a criminal offence. Yeah, well failure to do so will get your legs broken. This is the nature of duress.
The question we all should ask is was the ransom the point? I'm sure there are plenty of countries that do these things that aren't interested in money or fame. Even so called "friendly" countries.
"belonging to active US military personnel" makes me think there could be an ulterior motive at play.
It's almost a mistake, PR-wise. Indeed, now the scum have demonstrated publicly, in less than a month, that they will go back after targets that have previously paid up.
Boards everywhere should be paying attention here. You get hit, you'll get hit again if you pay.
Stop paying. It's the only solution.
Once you've secured your network properly, that is.
The first step in a National Cyber-Defense is to create a cyber priority for business operations. Right now it is an externality. If I am the service member whose data is released, I become the target of phishers, swishers and other attacks. Change Health has no fiscal liability for the costs I incur to get my cyber-slate cleaned. They may offer a useless insurance warranty for the "next" attack - but currently have no legal obligation to make me whole. Nothing changes until that loophole is closed.
Seriously? Making paying a crime?
That's one step away from making it a crime to hand over your wallet to a mugger. Armed with a knife.
Or the very real low-level extortion whereby pets are kidnapped and held to ransom. Should we prosecute and imprison 68-year-old Mrs Smith for paying to get Tiddles back?
According to the logic displayed by posters here, blackmail and extortion have only criminals and never victims.
Just remember that until a COURT finds a company or individual guilty of negligence, or an offence, then the CISO/CITO/whomever has not committed any crime.
Anything else is lynch-mob mentality. There is a basic principle of justice called "innocent until proven guilty".
US law does not currently prohibit paying a ransom for people or goods, and data possibly falls under 'goods', but it does prohibit paying people or organisations on various sanctions lists, which can include known members of ransomware groups or the groups themselves. Hence paying a ransom may or may not already be illegal, depending on who gets the money.
No, THIS is nonsense. It will never ever fly. It goes against natural justice to turn victims of extortion into criminals for acting out of fear. I do not want to live in a society that deems this acceptable. Acquiescing to threats by simply handing over money can never be a crime.
Plus, we're actually talking about property, whether it's the property of the company or the property of the company's customers. The fact that it's digital doesn't make any difference. As a legal person, the company has rights with regard to property. It will also be legally obligated to safeguard its customers' personal data as far as practical. You have not thought it through.
You cannot force victims to rely on law enforcement. The idea that it's illegal to pay a ransom "unless authorised as part of a credible police sting" (as I've seen suggested) is laughable.