PowerSchool paid thieves to delete stolen student, teacher data. Looks like crooks lied An education tech provider that paid a ransom to prevent the leak of stolen student and teacher data is now watching its school district customers get individually extorted by either the same ransomware crew that hit it – or someone connected to the crooks. In December, PowerSchool – whose student information management system …
This really needs to be covered in the mainstream media and shouted from every roof top.
It's far too easy for management to fall into the professional lies of "Yes , of course we'll delete that data of yours, if you pay the ransom." and think that they're buying some measure of safety.
It needs to be made as clear as day, clear enough for a Fox News follower to understand, that paying gets you nothing but a promise. A promise as trustworthy as a used car salesman's.
When the trust is gone, the ransom side of the business dies. It's in all of our interests for that to happen as quickly as possible.
Look at it from a board member's point of view, though:
Don't pay, and you get lambasted for lack of action when the news gets out, money has to go towards actually improving security to prove you're doing something about it, and worst of all... the shareholders might get upset with you and want you out.
Do pay, and if you get doublecrossed then you can shift blame by saying you were only acting in the clients' best interest, it's those dirty cyberthieves that are to blame for not holding up their end of the bargain. The ransom can be written off as an operational expense, questions about the state of your IT security can be deferred till they're someone else's problem, and the shareholders will likely pat you on the back for at least trying to be proactive.
The end result is basically the same, but one is far more likely to keep you in your nice office for another year.
As I have had to explain to several employers, including one that got hit by ransomware:
Paying a ransom is money laundering.
You are paying a criminal entity, as a reward for a criminal act, via anonymised and untraceable methods to an unknown end point, large amounts of funds.
How are you auditing that? How are you explaining it to the taxman? How are you compliant with "know your customer" regulations? Etc.
And, far more importantly... how would an official know the difference between:
- You paying a criminal to keep your data private / restore your system.
- You paying a friend huge amounts from company funds, a friend who has "hacked" your system, you pay them completely anonymously and untraceably, and then they "fix" your system. And then you pull that scam again every 12-18 months.
You are legitimising a criminal transaction by laundering the money through an anonymous money transfer system, you are - at best - supporting literal criminal enterprise, potentially obscuring deliberate and internal fraud in a way indistinguishable from paying a ransomer, and then you're somehow expecting to put this through your company accounts without question?
I work in an industry when accounts are audited regularly and I can tell you that it wouldn't ever pass muster. I work in an industry where "donations" cannot be accepted without identifying the donor, where cash deposits above a certain sum are prohibited, and where money cannot be paid back to someone without identifying the identity associated with the destination account (no, we can't just accept large cash deposits, and then "refund" your fee to a Russian / Swiss / whatever bank account).
Precisely because of money-laundering laws.
So someone tell me... how is paying a ransom NOT prima-facie money-laundering. Because nobody seems to consider it until I mention it and then their horrified looks as they realise I'm right (and in at least two cases checked with their lawyers / auditors / accountants and confirmed it) are just comical.
You pay a ransom, even for "your own" data... that's effectively indistinguishable from money-laundering even in the most positive interpretation. And it would be a great scam for a CEO and CTO to get together, have a ransomware incident every now and then, pay them off, take a percentage and "keep it quiet" because... well... you paid the ransom right, so nobody else needs to know?
Money-laundering differs quite a bit by jurisdiction but I think the simple answer is that the money doesn't become criminal until the ransom is paid, so the payer cannot be accused of laundering criminal money. Perhaps middle-men negotiators who also handle payments might be in more danger. I'm interested what specifically the lawyers said? (I'm imagining teeth-sucking and fence-sitting)
In the UK anyway there is a consent process, so you can ask the police for permission before doing anything that might constitute money laundering. Not that I recommend paying ransoms but anyone considering do so should already be in contact with the police, for a range of reasons.
Very clearly a ransom should not be concealed as 'C-suite golf membership dues' in your accounts!
Laundering money is merely the act of obscuring the origin or destination of it so that it cannot be traced.
The fact that you're giving it to a known criminal as a reward for a criminal act is merely reinforcement, the laundering happened the second you obfuscated the transation to them by not knowing who you paid the money to.
If that were the case then virtually all cryptocurrency transactions would be money-laundering in whatever jurisdiction you’re referring to (I say that while acknowledging cryptocurrency transactions aren't legal everywhere). As would a lot of the Panamanian/BVI/Swiss/etc fiat currency transactions involving shell companies, shady off-shore trusts and so on.
Money laundering is more commonly about obscuring the criminal nature of the money, not the source or destination. Of course, if the source is undeniably criminal then you need to obscure that in the process, but that's the not the sufficient condition.
I'm afraid you were probably mistaken when you explained that, because paying a ransom is not money laundering. It is a bad idea, unethical, possibly illegal depending on your jurisdiction, and should be made illegal where it isn't now, but even when it is, it's not because of money laundering laws which have nothing to do with the money until the criminals have it and want to do something with it. Similarly, it has nothing to do with know your customer laws because:
1. If KYC laws don't apply to whatever type of business you run, they don't affect you. A lot of businesses don't have those regulations in any case.
2. If they do apply to the type of business you run, they require you to identify those who buy services from you, not ones you pay for their services, illegal or otherwise.
If you were a financial institution and you decided to pay the criminals by opening an account for them and depositing funds, KYC applies. If you are or did almost anything else, they don't. If you actually get to choose between these two options, please pick the former in the hopes that the criminals are stupid and will identify themselves to get access to the funds, making them easier to catch. Paying ransoms is legal in a lot of places, including the auditing and tax implications. It is so legal that cyber insurance companies have specialized in doing it, while if it was illegal they'd be storehouses of perpetrators ripe for law enforcement action. I would like to make paying those ransoms illegal so that this stops, but that hasn't happened yet.
If you think using these incorrect legal arguments is helpful in convincing companies not to pay ransoms, I think you're using the wrong path. We have many examples like this article demonstrating how paying doesn't mean the business gets anything, whether the promise is destroying the data or helping with recovery. We can point to PR downsides of even a successful ransom payment which reduce trust. We can point out the consequences to others of propping up a criminal industry. All three of these options has a major advantage which yours lacks: when they call in a lawyer to review the plan, the lawyer won't be able to say "they misunderstood the laws and this actually isn't a problem".
Not true, money laundering is the act of obscuring or obfuscating the destination or source of money.
Money laundering regulations are literally there to PREVENT the money being laundered, such that it becomes useful for a criminal act like tax evasion, or paying a hitman, or offering a bribe. They act before the crime, not after it, and as I pointed out - how do you distinguish such an act of "accidentally" laundering the money to an unknown entity and actually setting that up as a money-laundering outfit deliberately?
Money laundering regulations - at least in the UK - mean that transmitting any sum of money to someone anonymous and unidentifiable and then claiming it on your business records will raise so many questions that your auditors and lawyers (again, note that I had both sets of highly-qualified people tell me the same) will break down and cry when you later try to explain that action.
"money laundering is the act of obscuring or obfuscating the destination or source of money."
No, quite the opposite. Money laundering is the act of providing incorrect information about the source or destination of money and specifically applies when that money is, directly or indirectly, from a criminal source. As the Crown Prosecution Service describes it:
Money laundering is defined in the POCA as “the process by which the proceeds of crime are converted into assets which appear to have a legitimate origin, so that they can be retained permanently or recycled into further criminal enterprises”.
You have it backwards. There are many situations where a business transferring funds to someone they don't know is entirely legitimate. For example, if a business buys items from people for cash, they do not have an obligation to identify those people before paying them. They can claim that as an expense on their records. Sadly, paying a ransom is similarly allowed, hence why the UK police haven't descended on anyone who has and extracted massive fines.
But, but ... Taking the money and then failing to delete it would be dishonest! Surely there must be some mistakes!
Actually, cynical me can't help wondering if there's more to this than meets the eye. A disgruntled (former?) employee with knowledge of the stolen data attempting to capitalise on the theft, maybe?
Or an attempt to neutralise the original villains by publicising their "dishonesty"?
Probably not - the simplest explanation is usually best, and it's likely that the original villains are just greedy and stupid enough to destroy their own chances of ever picking up another ransom - but I still can't help wondering.
It'll probably be just as simple as the criminals not deleting it because they're criminals.
Or, perhaps, it's a case of criminal gang A stealing the data then passing it on to their boss gang B, then A get the ransom and delete the data but it's still with B who extort further with it. A has "kept their promise" because they deleted it, but B still profits from it.
Too many amateurs in the business. Originally they were business-like and you got what you paid for. Being dishonest about it just gives the business a bad name and puts customers off altogether. If this keeps up it will be the death of the industry if people can't trust crooks to deliver.
Some of the larger groups did indeed build up a brand name so they could get more payments, but ransomware has long had lots of people infecting with badly written encrypters that wouldn't decrypt or went with the whole infinite extortion loop. Unfortunately, that didn't happen often enough to convince people that paying didn't help. I'm not sure this example will prove any different. While there are people who can hope that their problem will go away for one short bit of pain, people will pay ransoms. I think we will have to prevent them from paying to make a meaningful dent in the problem.
That's what I've been saying for years; see how plane hijackings dried up like spit on a hot stove in the early-mid 80s once Western governments made it very clear that they would not negotiate with hijackers or pay ransoms (a lesson that is starting to be forgotten, alas).
The usual counter-argument is that it would discourage companies from public disclosure of such attacks. Which could surely be mitigated against by governments offering really large bounties (funded by subsequent fines on the company) for any whistleblower who comes forward with evidence that their employer suffered an attack and chose to keep it quiet.
...Except that hijackings were also stopped by better airport security preventing people bringing guns and knives and hand grenades on planes, and it also just pushed some terrorists to be even more extreme, which is how we had 9/11. Most gave it up, sure, but some didn't.
So by this logic most criminal gangs will stop stealing data for ransom, they'll just nuke the environment instead because what's to lose?
is an actual solution to the problem. That solution is holding the CEO and CIO in charge when the breach happens criminally responsible. When a breach occurs, regardless of what else happens, the CEO and CIO should be arrested, held without bond, and tried. When found guilty, they should be charged a rather hefty fine (hefty by CEO standards) and sent to a general population prison instead of a country club prison for a decade or two. As it is, a company's finances and reputation are a mere job change away from not being their problem while everyone else takes it in the shorts. If those who run the companies that collect and save personal data were held criminally liable, they would spend the appropriate amount of money to actually safeguard it instead of today's "nothing happened today so nothing will probably happen tomorrow" mentality.
C-suiters get paid the big bucks for taking the big risks, correct? Prison for the company they run doing anything wrong that affects others should be one of those big risks.
One reason you're not seeing that is that it's not a great solution. The solution I and others have proposed in comments is a bit similar: make paying ransoms illegal, and then you can basically do the same thing you want to do to them if they pay one.
Your solution is a lot more drastic and puts the CEO and CIO in a position they can't manage, meaning that you can't implement or enforce that. The CIO, or CSO if they have one, is responsible for trying to prevent and respond to incidents, but that doesn't give them total power to prevent them from happening. You can investigate them for negligence in some cases, but deliberately not all cases, because they are not all-powerful. For instance, if a criminal robs an employee at knifepoint of their work laptop and forces them to log in, that's not something worth arresting the CIO over. The same is true if some employee clicks on a phishing link and installs some malware. A successful ransomware attack is a bigger breech, meaning more likely that it's negligence on the part of the employees or management, but it's still not a guarantee of anything. I'd like you to consider whether it would be fair if we through the book at you if tech you're responsible for was involved in an incident, with or without your manager included? A lot of people who want senior management to face serious consequences don't extend that downward even when there are significant problems there as well. That would never fly, because when the CIO is facing prison time, they'd find reasons why someone else should be going instead and some of the time, those reasons would be accurate.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
