Your ransomware nightmare just came true – now what? So, the worst has happened. Computer screens all over your org are flashing up a warning that you've been infected by ransomware, or you've got a message that someone's been stealing information from your server. There's a growing market of firms that advise extortion victims on how to handle the situation, but that just adds …
The only way to stop ransomware is to stop paying the ransom. It should be illegal to pay these scum a single milliSatoshi.
Excuses like "service had to be restored, fast." are just that; excuses. If your backup and recovery plans and your security systems are so poor that you can't recover from a ransomware attack, then the fault lies completely with you. If the company that you run is large enough to be considered "essential infrastructure" - like Colonial and Change Healthcare, then not having the technical ability, backups and expertise needed to recover from ransomware should be considered a failure of due diligence and the company involved should be fined appropriately.
Running a cowboy operation that makes lots of profit because you neglect to spend money ensuring that your systems are well defended and recoverable is mismanagement. At large scales, this mismanagement should be a criminal offence.
The rot won't stop as long as the income is there.
Set fines equal to the ransom paid. It's unlikely that even insurance will pay a fine.
Company reporting should require annual reports to include statements about testing of business recovery plans and their testing and also a security audit. Yes, poor audit results and inadequate recovery plans will make a business easier targets so those things should affect share price and once expenditure on preparedness improves the share price it ceases to be seen as a cost to be avoided.
If you are going to make it illegal, make it an automatic jail sentence.
And C-Suite-only. Unless there's clear and unequivocal evidence of culpable negligence below that level.
The presumption should be that staff were doing the best they could with the resources afforded them by the Board, and that the buck stops with people whose job description starts with "C".
Security audits and recovery exercises are often just security theater. The recovery exercises I was involved in were "tabletop". Sure, they're better than nothing and sometimes lead to a noticable improvement -- as long as it doesn't cost too much. And from what I've seen, even noticable improvement can still be suboptimal.
What genuinely annoys me about "cybersecurity professionals" is that every time I ask about wage decimation, offshoring, outsourcing etc. I just get "well the company is going to do X, and we need to work in that framework "
They tend to be aghast at my wanting to make CEOs legally liable as well as my wanting to tazer users who won't take the training. HR use it as a checkbox. People who scream loud enough get to avoid training & the assumption is "IT will sort it out".
As SOON as helpdesk etc is offshored, then risk registers should be screaming.
When corporations making $$$$ refuse to pay for the multitude of tools and insist on running at 50% staff across the board get hacked, then the mangement need to be held to account.
I mean, I'm not ever going to do the free over time that IT staff seem to rush into doing OR put in the hacks or drag equipment out in terms of lifespan.
Make the act of paying ramsons illegal. Hold the senior mangement legally liable & if the shareholders lose their shirts because the company goes to the wall....tough
I'm probably close to being one of those security people that annoy you, and I will say that, because no matter how much I might want to do all of the things you want (very much yes on most, but not all), I don't get to. I can't make ransom payments illegal, even though I think that doing so would be the biggest and only thing we could do to make a dent in ransomware. I'll continue suggesting it, as I have been doing for at least five years, and until that ends up convincing politicians, I have to deal with the situation where it isn't illegal and I can't make it.
That applies to anything about who is liable; it's also a legal thing I can't do anything about, but there is a reason I'd be cautious. Any time the suggestion is to find someone, the CEO or otherwise, and drop a load of bricks on them when something goes wrong, there is potential for that to backfire. No law would ever be that extreme, if only for the situation where the CEO approved a massive budget and some incompetent or malicious IT person failed to use it. Which means that there's always some chance that the person who gets all the blame and suffers the worst consequences won't be the CEO, but whoever the CEO's assistants can best pick as the scapegoat, which will be much easier for them than it will be for the scapegoat to turn around. The people I've seen suggesting it always manage to phrase it so they won't be in the crosshairs, which is unjust as they might actually have some responsibility for it, and even if we decided that was the best of the bad options, you can't successfully enact the "CEO is always responsible, IT never is" law. There are many risks in an enthusiastic blame game and so, even if I could pass that law just by saying it, I wouldn't suggest doing it with that severity.
I'm not exactly sure what "wage decimation" you're referring to, but if the company has decided to outsource, then I don't get to tell them not to, and if I fail to convince them that there's a risk big enough that they choose to do it voluntarily, then what do you suggest I do? I can either do my job: secure the outsourced workers as best I can, or I can refuse to do that and quit, but I can't make them not outsource, and in many cases, this isn't a security problem, so I wouldn't be consulted in the first place.
In the end though, if you are the managing director or CEO of a company, the buck ultimately stops with you.
The reason why you get paid the salary that position demands is because you are responsible, not only for making decisions, but also ensuring that your minions implement your decisions.
If you claim, after the fact, that you were unaware of your orders not being carried out, you and you alone, are responsible for the consequences of your mismanagement. There's no honest way to slip out of this responsibility.
I'm not sure I agree, but even if I did, it doesn't matter. There are lots of dishonest ways of slipping out of responsibility and people in power are great at using them.
Responsibility is a complicated thing and dangerous when used improperly. Even if you decide that it can always climb the corporate org chart without dissipating at all, it would still extend back down. So we'll fire and fine the CEO, but why not also do so to the CSO, the middle manager, the line manager, and the team that were supposed to have backups but did not? It was the lack of backups that was the problem, no? Well, we could do the same to those who designed the security systems between the machines which allowed it to spread. And to that user who clicked on the phishing email and entered their credentials. And to that guy who used the USB drive which spread it onto a different network. And to that IT person who could have blocked USB drives but didn't. Do any of these people have no responsibility?
In my experience, a lot of people have some responsibility, but no single one deserves all of it. I prefer to focus on solutions rather than punishments, and one of the reasons I prefer that is that the punishments always seem to go to someone who probably does have a little responsibility, but certainly not close enough to all of it to deserve the consequences they get. Hard-coding that to the CEO isn't going to fix that, because it gives everyone who isn't the CEO carte blanche to act as incompetently as they like on the theory that the CEO is supposed to identify that they have and prevent it from causing any problem. In my company, the CEO has no clue what I'm doing. Expecting enough information about that to rise through the management chain and go to them is not logical. If they specifically decide to cut programs we need and that causes the problem, then by all means punish them. If I am the one who broke everything, then I should face the consequences instead.
Absolutely right, as a professional, you do the best you possibly can, you advise, you keep records (just in case), you do the best job you can. But ultimately companies will do what they want, probably the cheapest option, fine. You cover yourself and accept it is what it is, and keep your fingers crossed!
I think there are a number of us on here who are in a similar situation, we see what $COMPANY is doing, know that it potentially is going to end it tears, but still. We advise, document it, keep records of your concerns. Yes it won't make any difference, the C-Suite will do whatever for short term gains. But, but when the whole lot goes 'nipples north', they will be looking for a scapegoat to pin the blame on.
Not me but an ex-colleague of mine was confronted with just this situation but in the 'interview' with the senior management was able to bring out ' but this email I sent the CEO warning of this.... and this other email I sent warning of this; oh and this other email I sent.... oh plus the evidence that said email had been read....' .He had, of course kept copies of the emails.
Suddenly they dropped any and all issues and looked around for someone else to blame. odd that!.
Look after yourself, cover yourself - because nobody else will.
Wearing a previous job hat, our company was owned by a US company. In the US they have the Sarbanes-Oxley act* (though I wonder how long before that gets quietly scrapped in the current political environment), which essentially says "the big cheese has to sign off the accounts as accurate, and if it turns out that they weren't, then he's in the manure and possibly the slammer". As our accounts lead into their accounts, for him to sign that "these are true" statement, he needs to know that it applies to us as well. And so it fed down to us, and yes, our bosses in the US did send in auditors to make sure our systems were all in order and our accounts could be trusted.
The threat of big personal fines or even prison does tend to concentrate minds - and that does tend to flow downhill.
* Sarbanes-Oxley was brought in after "yet more" big collapses (Enron, WorldCom) where it turned out the accounts, signed off by the auditors, were a blend of pixie dust and unicorn poo - i.e. a complete and utter fabrication that any half competent auditor with both eyes closed should have been able to see.
"Excuses like "service had to be restored, fast." are just that; excuses. "
If a ransomware attack shuts down hospitals in a region and a number of patients are expected to die for lack of treatment, how many are allowed to die?
Or, how long can a city be without water or electricity before they can pay? Or should this be indefinite and people should just migrate out of the city?
Would you hold up this remarkable ethical stance if it were your loved ones on the line?
Computers don't treat patients, doctors and nurses do that. All hospitals should have appropriate procedures in place so that they can function in the event of a breakdown in their IT systems.
Imagining that an IT failure could lead to people dying for lack of treatment is unfounded.
Likewise, the provision of water and electricity is about delivering a critical service to society. The companies or government departments responsible for delivering such services have a duty to ensure that the services can still be provided in the event of an IT issue or other operational emergency. Not delivering on that duty should be associated with legal consequences for those who neglect it.
My stance is not remarkable. What is remarkable is the lies and excuses that get rolled out to justify inaction and failure to properly discharge responsibilities.
The scourge of ransomware is not going away while ransoms continue to be paid. If you're suggesting that the status quo should be maintained because of some hand waving, that is itself remarkable.
"Computers don't treat patients, doctors and nurses do that."
Seems you haven't been in a hospital lately. Have a chat with medical staff in a hospital and then come back telling us how they should be run without a computer.
We can run our businesses with paper mail and paper ledgers. But for how long? Minutes?
It's not so much lack of treatment it's more about diagnosis. Even "simple" things, like a broken arm - these days X-Rays aren't done on film, they're imaged on a high-res monitor.
This I know from personal experience.
The doctor really won't know if/how the bone needs re-setting until he/she can see what's going on. Yes it can be done by touch in extremis but that's sub-optimal.
Same thing with blood tests - often there's a number of different causes that can present with similar symptoms.
"If a ransomware attack shuts down hospitals in a region and a number of patients are expected to die for lack of treatment, how many are allowed to die?"
The whole point of banning payment of ransoms is that it's the only effective way of banning ransomware. You're not going to get the money so why bother? It's not an ethical stance, at least not only an ethical one, it's about the only effective practical preventative step to take but it has to be legally enforced so the toerags realise it's real.
Every time I see one of these posts about making ransomware payments illegal with draconian penalties, I ask myself exactly how simple minded the proponent must be. While it looks good on paper, legal penalties for ransomware payment will create a perverse incentive to avoid disclosing the attack and give the attacker additional leverage over the victim, thus likely making the ransomware problem even worse. Furthermore, it's easy to criticize these organizations for being attacked (and the criticism is definitely warranted), but the attackers only have to be good once, while the defender has to be perfect every time.
I've said it before, and I'll say it again: if you really want to undercut the profit motive in these attacks, ban or heavily regulate trading in cryptocurrency. Eliminate the medium of exchange, and the business will fall apart.
Thanks for calling me simple-minded, a good ad-hominem is always a good way to further the discussion.
If you outlaw crypto currencies, it will not magically make them vanish. The horse has left the field a long time ago on that one.
Even in your perfect world where banning something makes it vanish, there are other ways to demand and make payments.
While the ransom payments continue to be made, the ransomware will continue.
So tell me, given that you can't revise history by legislating against a technology, and given that there are other ways than cryptocurrency to exchange money, what is your suggestion for dealing with the problem?
"legal penalties for ransomware payment will create a perverse incentive to avoid disclosing the attack "
Failure to disclose should then be a criminal offence leading to at best personal fines, possibly imprisonment and likely subsequent banning from holding directorships or posts in the relevant industry. Disclosure is likely to come out in the company accounts - if it's hidden there then it becomes cooking the books fraud.
It also needs to be part of other measures as I suggested to make businesses more resilient.
I prefer banning payments to banning cryptocurrency for three independent reasons:
1. Banning payments is much more practical. Banning cryptocurrency is going to run you up against a lot of people who want to keep making money from normal cryptocurrency trading, assuming you're doing it globally, and if you only do it in your country, it makes little difference; the company can pay someone in another country to do the transaction for them and that would be legal.
2. I'm not convinced that a company willing to pay an illegal ransom under the table will somehow balk at making an illegal crypto exchange under the table, so it doesn't sound like your alternative fixes any problem you were referring to.
3. If cryptocurrency was eliminated entirely as an option, but it was still legal to pay ransoms, then as long as the ransomware people can think of an alternative, they continue. They're getting payments measured in millions. That's a lot of incentive to find some other way of transferring money around, and this was possible before Bitcoin came into existence. If paying ransoms was illegal, then no matter how the companies did it, they'd still be breaking that law. I fully expect that some would continue to pay, violating the law, but I think there would be a significant decline and I'm not convinced anything else would make such a similar dent. Banning cryptocurrency might be the second largest thing we could do, but because of option 1, I don't think you can.
You do make a good point, re. banning payments to extortionists.
But, hypothetically, I am the CEO of $BIGCORP which has been impacted with a ransomware attack and they want, say $10 million. I'm not allowed to pay them off, fine, but can I pay $9 million to a 'third party consultancy' who claims they can restore my data.?
Even if said third party simply negotiates with the hackers and gets a decryption key for, say $8 million and they keep the difference? And if said third party doesn't operate in the same country, how do you police this? How do you legislate against this?
Look yes I think you are right, if payments were to be stopped then ransomware would die out overnight - but how do you get there?
I definitely expect some will do that. I think it's more likely that will happen if you just have to use a method other than cryptocurrency than if it's always illegal, but either way, there will be those who ignore the law and pay anyway. The hope is that there will be enough who don't pay because it's illegal that ransomware operators find a different thing to do, hopefully not crime, though I wouldn't hold my breath. I think that's the only chance we have to accomplish that goal, and although it won't be fast or easy, nothing else we have will work at all.
That's exactly the same as hiring a hitman, so still covered.
At the small scale it's harder to prove, however if the sums are significant then they are very obvious in the company accounts, and prosecution still follows.
Companies are already required to disclose data thefts and ransomware attacks due to existing law jn many jurisdictions, with personal consequences to the CEO and potentially the Board.
While it looks good on paper, legal penalties for ransomware payment will create a perverse incentive to avoid disclosing the attack and give the attacker additional leverage over the victim, thus likely making the ransomware problem even worse.
Good luck with that. Kevin Beaumont calls most major ransomware incidents whilst the victim is still denying they've had an incident. And the leverage ransomware offers is 50% disruption, 50% threat of disclosing sensitive exfiltrated data. So if attackers know that orgs won't pay if it's known they've been popped, then attackers can't threaten to disclose or advertise stolen data on dark markets. They have to keep it secret so that paying the ransom remains an option for victims.
And of course if the infection is bad enough that the incident becomes public knowledge, the org also can't then pay. Realistically, most incidents would then end with "Hey, we'd love to pay but our execs aren't willing to go to prison now The Reg has reported it, sorry.".
Unless of course the ransomware folks know that when negotiators get involved, it causes them time, hassle and eventually a lower payout.
It's a bit like where I once worked, corporately the organisation had animosity towards the Union because the Union were very good at their job and had a reputation for airways winning.
Unless the ransomware lot are crap negotiators - which in some cases they seem to be - they might well find they have the choice of a quick but lower settlement vs a long drawn out but still lower settlement. It's very likely the crap negotiators who take adversarial approach. The same probably applied to your employers and the Union.
In my experience, it was because the Union knew the relevant law very well and also knew where the organisation regularly didn't comply with said law. Not because of any deliberate lawbreaking, just a widespread lack of diligence on behalf of the organisation and line managers. Hence the Union knew exactly where the organisation's case would instantly crumble if/when things ever came to a tribunal.
If I was brutally honest, it was because most line managers were a kindly bunch who underestimated how militant individual employees could become when supported by a knowledgeable Union when the brown stuff was heading towards the fan.
That seems stupid. Establishing a working relationship should make things easier for them.
This should be the case. It's a bit like lawyers mediating an acriminous lawsuit. The clients can be screaming and shouting, and then the lawyers go off to a room quietly and say "Okay, this is what our respective clients want. How do we get to an acceptable midpoint?"
They can be objective, unemotional about it, let the client do the whinging and then go have a to-the-point conversation.
Of course, not all lawyers are good at their job, and some get invested in their client's hubris (*cough* Giuliani). But court cases and lawsuits tend to go quicker and smoother with some detached professionals in the room rather than two parties screaming at each other. Of course some parties are perfectly capable of carrying themselves as well. But many are better off with representation.
Doing ALL of these:
1. Wiping any potentially infected system, and restoring from backups.
2. Negotiate with the hackers, but...
3. Never, ever actually make a payment - just keep their negotiators tied up for as long as possible.
In other words, not only do they not get paid, it costs them money instead.
The bad executives are just the symptom, not the disease. Blame the shareholders who demand perpetual double-digit growth and the voters who want all the government for none of the taxes. When has arresting a john ever hurt a pimp, or harassing a user ever cost a dealer a penny?
The only real fix will take a generation and it is investing seriously in an educational system that teaches reading comprehension and critical thinking.
... I'm not holding my breath either.
"investing seriously in an educational system"
Honestly does anyone see much evidence of investment, serious or otherwise, in educational systems? Outside the PRC where I suspect the reading is conveniently constrained and the thinking perhaps not so critical in some areas; anywhere?
Higher educational institutions have been a resource extraction industry strip mining students for so long most of us have forgotten that it wasn't always so.
At least once a year, assume every main server and PC has been compromised - what you gonna do?
It may not even be an attack. A fire or something could have taken your main systems down.
The server responsible for backups should have every non-essential port locked down with 2FA or local access only.
With tapes, or whatever media stored off-site each day, few days.
At least one a month, recall a tape and check it can restore OK onto a mostly air-gapped test server.
As far as the PCs are concerned - use a Linux-based partition manager to nuke and repartition the drives.
Then reinstall the OS with a standard, company customised, disk image.
If users have stored stuff locally, rather than the fileserver - sucks to be them. Any personal stuff they should have been keeping copies of it themselves.
Several work hats ago we (IT) got one of those "sounds really simple, but ..." one liners from manglement: "write disaster recovery plans for IT". IIRC it was the insurance auditors who'd been through and seen a box not ticked.
I had a bit of an idea, but almost by chance had the opportunity to get on a decent business continuity course - which was quite an eye opener. So when I got back, I asked manglement some basics: what's your recovery time objective ? and a few others. The answer: "stop being awkward and just get on with it".
As pointed out in the course, there's no point planning to be able to recover the IT within (say) 2 days, if the business will be dead if it's out for 6 hours - it would be a waste of time and money doing it as the business would be dead anyway. Conversely, no point planning the IT stuff to have a recovery time of (say) 12 hours (quite tricky and expensive) if the business is such that you could take a week (simpler and a lot cheaper) without killing the business.
The pipeline and medical cases others have cited are good examples. The recovery times for the systems just didn't match the requirements of the business (or it's customers, or the public) - so the business manglement was negligent in not having properly assessed that and put the "right" technical and process measures in place. That's not just "recover the IT faster", but also things like "how do we operate a basic service without the IT ?" - in the case of the pipeline for example, that could have been "have a plan that if the brown stuff hits the fan, we can deploy people to local control points to manually operate the systems".
With current work hat on, we deal with systems where if the brown stuff hits the fan, people can die - quickly (in some cases it's a matter of minutes). As you can imagine, a lot goes into the safety cases and engineering. But it's not just the engineering, the people who operate the systems are highly trained and routinely practice all manner of scenarios so that if (or given the complexity and nature of the environment, when) something happens - people will "just deal with it" rather than go into headless chicken mode. And while there's centralised control (essentially one person can operate everything from a chair), everything has local control options.
So no, "our systems had to be back up quickly" is NOT an excuse for paying, it's an admission of (at best) incompetence, at worst wilful disregard for public safety.
Computers and networking are hard. You have to compete with all manner of industries to attract the talent you need too. Buy the computer, buy service agreements, pay folks to maintain them, and hope it holds together. And all the software license money leaves your local economy while the folks that actually do the work are stuck learning the new way we aren't changing the computer systems or watching cat videos while backdoors in the browser are pushing malware.
TBH, a competent admin assistant team with a floor of filing cabinets is starting to look attractive from an ROI standpoint. You got them locked in from a talent perspective and you can traina new helper in a week or so... No complicated industry certs, and you can lay them off if business turns down. Also, you aren't pumping money to wherever VMware lives.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
