There are no good guys in this story
A pox on both their houses.
CDK Global reportedly paid a $25 million ransom in Bitcoin after its servers were knocked offline by crippling ransomware. Last week, CDK restored services to car dealerships across the US after a two-week outage caused by a "cyber incident" that looked a lot like a ransomware infection. The shutdown of CDK's software platform …
CDK have taken the coward's way out, paying the Danegeld and emboldening the ransomware scum. The next company attacked by those vermin will be ever so grateful to CDK for validating the business model, I'm sure.
Paying ransoms should be made illegal, under any circumstances. With extremely stiff criminal sanctions for any corporate officers found doing so.
Why is "funding cyber attacks" not already illegal?
Do you think that money is going to be invested in medical services for third world countries?
I would love for their next victim to find evidence that the attack against them was "sponsored and funded" by CDK and file a lawsuit... Not sure what the court would say, but someone needs to try it.
"For every complex problem there is an answer that is clear, simple, and wrong." H. L. Mencken
There are a plethora of reasons that making ransomware payments illegal is probably an RBI (Really Bad Idea). For starters, it would probably be a dandy way to drive most of a country's larger businesses to some off-shore haven with less draconian laws. Why would any remotely sane corporate officer stick around in a place where they are likely to be confronted any day now with the choice of shutting down the business or going to jail?
What's an alternative clear, simple, and probably wrong idea? De-anonymize cryptocurrency. Require all crypto owners to register their "coins". Require every coin to be reported to a national authority within 15 days of being minted and require every transaction to be reported to the appropriate authorities within 48 hours. (Or better yet, do as China has done and just make the stuff illegal.) Why won't that work? For one thing, an illegal trade in unregistered cryptocoins will surely exist as long as some folks think the stuff actually has value. For another, most ransomware actors don't appear to be especially dumb. They'll come up with some other way to get anonymous payments.
A security audit would be interesting, specifically: how much would it have cost you if you'd invested properly in security? Instead of, as is generally the case, considering it a cost centre that is the first slashed when the profit figures that determine annual exec bonuses are due?
No, not the latest silver bullet the <security vendor> promised you during the promotional round of golf. Or another mob of "consultants" from some Big 4 firm. Actual trained, motivated and well-paid professionals with the tools *they* would have chosen!
Not that regular security audits would be a bad idea for every business with significant on-line components (most everybody nowadays?). But there is one minor problem. We've spent three decades building a digital communications/interoperability framework that is wildly insecure. It seems likely to me that trying to paste a framework of security best practices on top of that is probably more cosmetic than realistic. But even Potemkin security might help a bit at times even though it's not likely to do wonders for usability.
How Does BlackSuit Ransomware Work?
“The group emerged with payloads that support both Windows and Linux operating systems. Payloads are delivered via phishing email or third party framework (e.g., Empire, Metasploit, Cobalt Strike). The use of malicious torrent files has also been observed as a delivery vector for BlackSuit ransomware.”
"Still, $25 million is apparently nothing to the industry-wide damages that this incident caused."
Keeping in mind that these $25M are being used to finance the crooks and their operations, allowing them to hire even more talented hackers, and also being huge advertising for cybercrime, with its "crime pays" message, I think the total bang-for-the-buck ratio of these $25M is several magnitudes higher.
And that's the problem: by paying $25M, the company saved a few million in costs compared to other scenarios, but caused damage that is ten to a hundred times higher to future victims. And I think they should be liable for this. I'd like to see a class-action lawsuit from future cyber-attack victims against companies that are willing to finance criminals just to keep the cost and consequences of failing to secure their own systems lower. And I'd like to see a smart AG open a case showing how paying ransoms like this constitutes "material support" of criminal organisations.
All in all it should be more expensive for corporations to pay the ransom than not to. That's the only way to stop this.
I'll keep dreaming.