Worried ransomware will screw your network? You could consider swallowing your pride, opening your wallet As ransomware infections continue, conventional wisdom on how to respond to threats is going out the window. The idea of agreeing to an extortionist's demand, and paying a ransom to restore your company's scrambled data, long considered a non-starter, is something businesses should mull over as a viable option, according to …
A customer of mine got hit by the ACCDFISA v2.0 ransomware on Saturday, they didn't realise til they got back on Monday. Business was down for all of Monday before they decided to pay the £3750 ransom. A day later we got the decrypter though and the following day they were back in action.
They didn't have regular backups in place so this was their only option. If they'd remained closed any longer they would have started losing customers and may not have survived.
It sucks, but what ya gonna do.
They learnt an expensive but valuable lesson.
"Ransomware is a multi-billion dollar business"
It's three things. For some it's a multi-billion dollar business; they're in organised crime. To work that sort of operation requires some degree of business organisation. It means that records have to be kept so that the payment can be related to the correct key. It means maintaining servers to run a large scale operation. Those servers also present a risk of being traced and traced back to the operators. That sort of thing needs effort and frankly some wannabes will find that boring which leads us onto...
...opportunistic criminals. If they can get hold of some software that just overwrites files with randomish garbage so that they look encrypted they don't have any of the overheads or boring stuff. If your data falls to these guys you're not going to get it back and, according to the article that's currently a 40% chance and, I suspect, rising.
Then there's the randomisation as a weapon operators. You're not going to get anything back from them. The main intent is the damage.
If you count on getting data back because it's a multi-billion dollar business operators you're going to rely on the organised crime operators carrying out a search and destroy operation on the opportunistics who are poisoning the well.
No, they didn't learn lessons in the past as Ransomware has been around for years and business "leaders" need to sort their shit out.
I'm sick if hearing lessons learnt etc when clearly they aren't looking at mistakes others have been making for ages. I know one person businesses with better backup plans than many large companies because the person in charge is actually giving a shit.
Great. With more funding, ransomware and its delivery mechanisms will only get more prolific and pernicious. But sure, ignore the effects on the market. And, when this gets around to some situation involving some kind of too-big-to-fail, the tax payer will end up bearing the burden. That's how it works right; businesses get to make decisions that affect the market with little if any responsibility for the damage they do.
And it's very good they didn't, as it was WannaCry, which DID NOT return any data. Just like the case mentioned in the article several times, Maersk. The article fails to mention that Maersk was hit with NotPetya, which was meant as a warfare tool and wouldn't have returned their information in any case. The multiple millions they spent were going to have to be spent, there was no option to try their luck with the fake criminals involved. Yet that critical detail didn't get mentioned. I usually like your articles, El Reg, as they're carefully researched by technical people, but that hole is far too big to be left unexplained.
On the topic of taxpayers paying for ransom, it has happened in the case of SamSam malware attacks on various cities, most of which are American ones. The higher-profile ones like Atlanta chose not to pay, but SamSam has obtained several thousand taxpayer dollars from America and will probably continue to target governments because they're found to be behind the times and potentially willing to pay up.
But in this instance paying the ransom meant that they didn't have to close their business, let down their customers and fire their staff. Think of it as a "consultancy" payment in return for a very effective lesson on why they should invest in a reliable backup system.
Then you are incompetent. Either as an IT manager, or as a board member.
I cannot imagine any situation where business-critical data cannot be backed up. There are mirror servers, one-way synchronization, hell, I can't even begin to think of all the ways data can be put somewhere to be stored on tape or disk arrays.
I am sure of one thing : a proper IT administrator will have a backup of business-critical data, and know how to restore it. The only real issue is ensuring that the backup is not infected.
Mirror servers are never a backup option. They are a redundancy option, in case one server fails. But if the main server gets hit with ransomware, the data on the mirror is lost as well, because, well, it mirrors the encryption! (Or corruption as one CEO found out to his cost, he told the IT they didn't need a backup any more, because he had invested in a new mirrored system... A couple of weeks later, he barfed an update on the database (he was a developer who grounded his own software company and "knew everything") and wanted to simply revert to the the backup on the mirror only... The mirror had the same corruption, naturally. A day later and a backup solution was back in play!)
But with a mirror server, you can then take one mirror offline to perform a backup without affecting the in-use system. Then put it back in where it can sync change to get up to date.
Not ideal, but in some circumstances it's the best way to do things.
Actually, since that drive is probably left disconnected a lot and few ransomwares attack small removable drives (not unheard of but most I've seen only attack internal drives), that spreadsheet is probably safe. The IT department should have informed the finance person concerned that the spreadsheet should be stored in compliance with policies, but assuming they did that, they shouldn't be held responsible if it is later lost because it wasn't.
He would get a written warning, if that was the case.
IT policy, by us, clearly states all company data has to be stored on company servers. Not locally on the PC and the use of external media has to be through encrypted media supplied by the IT department. Using your own media or cloud services is a disciplinary offence.
The encrypted media supplied by the IT department does not really help in this scenario. As soon as the user plugs it in and enters the encryption password to access it becomes just as vulnerable to malware as any unencrypted media.
Sorry, but you don't seem to have any experience with real world ransomware attacks.
Most business ransomware attacks are not due to someone clicking on a link in an email or visiting a dodgy web site. They're network penetrations where the attackers looks around for some time before executing the "monetization" ransomware encryption.
And as a result, they can and do take down all the "easy" backup solutions, whether mirrored physical, attached redudancy storage, cloud backups etc.
You have to have something completely offline and with data being tested before update in order to avoid the data poisoning.
Yes, there are some companies deploying tools like entropic profiling to detect when data has been encrypted (encrypted data shows a much more uniform entropy profile than random data), but this is only works well once large swathes of data have been effected.
Ethics? Where do you stand on Richie's example above of a company either going to the wall or paying (what may be a relatively trivial to them) £3750?
How do your ethics square with that company not being able to make payroll at the end of the month, going bust and putting all its staff out on the street?
There's no easy answers in the real world and sometimes you have to hold your nose and do something you don't want to. As long as they *did* learn their lesson and have implemented a proper backup then this may well be the "right" thing to do.
"they *did* learn their lesson"
And their lesson is it's cheapest and easiest to fund the ransoming of some other company's data. Let's not shy away from the facts here. If you pay ransomware, you are funding continuing criminal action against others and putting other companies' staff out on the street.
No, per my original statement, "learning their lesson" means implementing proper security and backups in an attempt to prevent the same thing happening again. My point was it may be cheapest and easiest to do this once, but if you're going to get milked on a regular basis then you've learned nothing.
No one is shying away from the fact it's funding criminality, what I'm saying is, the greater good for the company and those it employs may be to do this, this once. If you read the article properly, you'll see the point made that the ransomware genie is out of the bottle and one attack does not now fund the next; it'll happen with or without someone paying.
And the next step will happen when the following discussion occurs. The IT staff, of course, are not present. This version as written from the perspective of a small business:
Finance: "We had to pay four grand to get our data back."
Operations: "Our technical advisor says we should hire a systems administrator and pay for a backup system so this can't happen again."
Finance: "How much will that cost?"
Operations: "The salary for the IT person plus whatever a backup costs. How much does a backup system cost?"
Finance: [Types in Google search box] "Well, this says that backups can be done to tapes. You need a reader and some tapes. Readers cost ... about three grand. Tapes cost ... about fifty. They recommend taking an incremental backup every day and a full one every week. I think that means we need a tape for every weekday and another two every week, or about seven a week."*
Operations: "How much will that cost a year?"
Finance: "Well, three thousand plus three hundred fifty a week comes to about twenty thousand a year not including the salary of the administration guy."*
Operations: "Yikes. That's quite a lot."
Finance: "Yes it is. That's why I've written a small Excel spreadsheet to calculate how often an attack like this will happen. Based on the number of ransomware attacks per annum for the last ten years and the number of other victims in the world, I anticipate that we'll probably see one of these every four years or so. This means paying the ransom will cost us on the order of one thousand per year, while backing up will cost a lot more."**
Operations: "Let's do that then."
Finance: "You should know that there is some chance of being hit with multiple ransomware attacks in one year, so you can't be guaranteed a low level of risk. However, we can weather at least eight of them and still have less costs than a backup system by my Google math."**
*This is obviously not how backups work. However, I've heard people do that type of mathematics before to try to estimate costs.
**I'm presenting a rather unintelligent finance and operations staff. Plenty of companies wouldn't get into this type of situation. However, not every company is run competently, and you don't need a lot of incompetent companies of this nature to fund even more ambitious and sophisticated ransomware that will in fact destroy someone else's company, government, or infrastructure system.
I'm sorry you will get downvoted as long as you use the Windows name.
Tell people to use Linux Btrfs or BSD ZFS snapshots and you'll get a lot of upvotes - even if they work the same way as VSS
Anyway care must be taken that the malware is unable to delete the snapshots.
Snapshots are anyway a layer of defense, and one that when properly used can drastically reduce recovery times.
**I'm presenting a rather unintelligent finance and operations staff. Plenty of companies wouldn't get into this type of situation. However, not every company is run competently, and you don't need a lot of incompetent companies of this nature to fund even more ambitious and sophisticated ransomware that will in fact destroy someone else's company, government, or infrastructure system.
There is a question very similar to this on one of the harder information security certification tests. The question is stated in terms of being a purely business perspective, but that is often how decisions are made - a simple cost-benefit analysis with $$$ as the deciding metric.
"This means paying the ransom will cost us on the order of one thousand per year, while backing up will cost a lot more."
The calculation should, of course, take into account the nearly events probability of not getting anything back at all and of losing the data to any of the possible hardware problems that could take the data out with no possibility of paying a ransom to get it back. Saving on ransoms is simply a side benefit of the backup system which should have been there for other purposes.
Hence the footnotes. This is not an accurate calculation. A technical person could redo those numbers to the satisfaction of many a finance person, but that doesn't matter if the finance person does an inaccurate initial calculation and decides not to ask a technical person on the basis of that calculation.
You assume the crims will plough all their ill-gotten gains back into their business. At what point do they take a profit then? It would seem to me that operating costs are fairly minimal. An anonymous digital funny money account, a hired botnet and some coders. A pretty lean operation.
The real problem with all crime though is laundering the proceeds. I think of that every time I pass a tanning salon which is fairly often as our local shopping centre has one between the Iceland and the Coop. The cops will have you believe it has been sorted out but I suspect the crims have just gotten smarter about it.
"You assume the crims will plough all their ill-gotten gains back into their business."
I assume nothing of the kind. I only assume that they like money, so getting it would convince them that they should keep up with this plan rather than doing something else to get it. Or, for example, that stories of lots of people paying will convince other people to start writing and distributing ransomware because they too like money.
So basically you're saying you'd take the hit, liquidate your company and make your staff redundant and start all over again, rather than pay a relatively small ransom, all to protect potentially hypothetical other unknowns who have been as stupid as you were and got themselves infected? Get back to us when that happens and I'll be first to applaud your ethical stance.
Not exactly. I'm not saying I would never pay the ransom under any circumstances whatsoever. I can imagine a situation in which 1) I know I'll get the data back if I pay, 2) there is a confirmed bad result if I don't such as all the employees losing their jobs immediately, and 3) I don't have the alternative of restoring from backup. Even then, I'd have to consider very carefully.
I'm pretty sure I will never face this situation, though, because I do back things up responsibly. If, for example, some quick math tells me that it might be cheaper to pay the ransom than restore from backups, which was mentioned in the article as if that's a good reason, I would then never accept paying the ransom. For one thing, I would require performing a clean reimaging of every affected machine at the very least, so we'd be paying that bill one way or another.
If I didn't have backups for some reason, I'd have to ask what the costs would be if we didn't pay the ransom. They'd have to be extremely high for me to decide to pay it. As I said above, "Every employee will definitely lose their jobs tomorrow" is strong enough that I'd have to consider it. However, lots of other things would not be so strong. I care much less about the investors or owners than I do about the employees, so "We'll lose a lot of money" almost certainly wouldn't cut it. If I was the person involved, the reason there are no backups is almost certainly an incompetent superior who rejected my suggestions for backup or violated the policy, and once again, I have no sympathy for that. So "that person will lose their job" wouldn't matter to me either. If this was a small company without employees, E.G. a company run by a few people who all own part, I would probably be willing to let it fold rather than do something this unethical. If they're going to pay, they can do so without me.
"So basically you're saying you'd take the hit, liquidate your company and make your staff redundant and start all over again, rather than pay a relatively small ransom, all to protect potentially hypothetical other unknowns who have been as stupid as you were and got themselves infected?"
Are you saying that there's no need for a backup arrangement because data can only be lost through ransomware and not through the possibility of a physical problem such as a drive failure? Are you saying that all those of us who maintained backups years before ransomware was a thing were wasting our time?
No, of course not, you're trying to put words in my keyboard. For a so-called Doctor of Syntax, that's unforgivable. Where exactly in the paragraph you've quoted does it say anything even in the same ballpark as that? Are you even a real doctor?
I've been religiously maintaining backups on a daily basis since you were still in syntax school, long before there was this kind of malware to cover all bases, including the cases you mention. In this case however, I'm arguing for the company outlined above where in their indivdual situation, the "moral" choice may well be to protect their employees, hold their collective nose and make the payment hoping for the best. As also stated above, this is only a lesson-learned if they subsequently implement full and tested backup solutions amongst other defences. Now read this again before commenting wildly inappropriately.
"People who do make decisions like that, know that there's a balance."
People who make decisions like that should have made them years ago. In that case the thread of ransomware will just be an additional one to the many threats for which they have already covered themselves. They then won't have to make the call of making a payment with a little better than evens chance of rescuing their business.
"I'd rather my business die than pay a ransom."
Easy to say for personal business / sole ownerships without so much to lose, or for giant corporations who can take a massive hit to rebuild all their systems. What about SMEs, which are the majority of companies out there? If you employ 10, 50, 100 people... are you happy for them all to lose their job because you won't pay a ransom? Are you happy to screw the clients whose money you've taken but whose orders you can't fulfil? Are you happy to bankrupt yourself or your partners / investors just to not take a hit on your pride?
"I'm confident enough of my security and backups "
Good for you, but the point of the article is addressed exactly to those who don't have good security and backups. They ALREADY screwed up and are already in the shit. So then what?
Absolutely, the way to go is invest in good security and good backups, and certainly anyone who has neglected these has already put in jeopardy through their negligence their workers' jobs, their clients products/services and their partners' investments. But once you're in that situation you have to make a judgement call on the cost of paying the ransomware (even factoring in the possibility of not getting an unlock key) against the cost of rebuilding all your data or bankrupting the business. And sometimes that equation is going to come down on the side of paying the ransom.
"If you employ 10, 50, 100 people... are you happy for them all to lose their job because you won't pay a ransom?"
No, not happy. But you have to do what's right, and what's right is to not pay the ransom, period.
To take any other stance is like saying "sure, I may have ebola, but if I don't go to work and spread it around anyway I won't be able to pay rent."
You have a very firm idea about what's right, but how do you come to that conclusion? What weight do you attach to "don't reward wrongdoers" vs "be a reliable business and employer"?
You can't act as if there is only one moral requirement to consider. Well, you can, but then you're not being very moral.
"how do you come to that conclusion?"
The same way everyone else makes ethical assessments -- according to my own sense of ethics. Topping the list of my ethical sense is "don't harm innocent others". I think paying the ransom does exactly this.
"You can't act as if there is only one moral requirement to consider."
I never said, and don't believe, that there is only one moral requirement to consider. There are always multiple viewpoints, and in the real world we rarely have a clear black and white choice between "ethical" and "unethical". It's almost always that we have to choose a course that is a shade between those two.
After weighing the arguments put forth in the comment I replied to, though, I think that the "most ethical" course is to avoid harming innocent others.
"What about SMEs,"
Oooh, oooh , me ... me ... ask me! I own a vSME (the v is for very - three directors and 20 odd employees). I will not pay a ransom ... ever.
I spend quite a while growing up in a funny land called West Germany in the 1970s and '80s and some people didn't like us and sometimes tried to blow up people like my parents (me and my brother might have been collateral damage) with explosives. Not nice. This particular nonsense is not so lethal as that but the principle is near enough the same. If you pay criminals/terrorists once then you will continue to pay, one way or another. Sometimes the price is money, sometimes not. They do not play by the same rules as you and you will lose.
My best effort so far to detect ransomware in action (above and beyond AV) is to use "find" to detect numbers of changed files over 1,2,3, ..., 21 days (eg: -mtime +1 flag) and email the results for inspection by a human. The idea is that we already have backups that are unchangeable (WORM) with retention that is longer than ransomware works over and we use scripts to look for large numbers of modified files to detect wholesale encryption in action. Business really, really critical data (not email - piss off!) is given even more attention.
"Easy to say for personal business / sole ownerships without so much to lose, or for giant corporations who can take a massive hit to rebuild all their systems."
Or a municipality such as Baltimore, MD which is looking at something like $18m to rebuild and, hopefully, harden their systems (and segment them as well). Would risking $50k in ransom be worth a chance to unencrypt their data against that $18m they know they'll have to spend? (I'm pulling the ransom amount from a nether region I can't normally view).
In Baltimore's case, the attack brought to light how poor their system was put together and operated just from a few of the reports I have seen. There's never enough money to do it right, but they seem to be able to find the money to do it over.
"Good for you, but the point of the article is addressed exactly to those who don't have good security and backups. They ALREADY screwed up and are already in the shit. So then what?"
Drifting through life thinking "if the worst comes to the worst I can always pay the ransom" is exactly the attitude that can land them in the situation where the worst comes to the worst and it isn't ransomware.
The problem is, once you've paid and got your data back, can you actually trust your computers ever again? Are they really clean? Is all the malware gone? Is it syphoning off information? Will it be hit again?
Even if I paid, the first thing I'd do is make a secure copy of all the information (a backup), nuke the PCs and servers from high orbit and install everything from scratch anyway. As I have the backups anyway, why would I bother wasting money to recover the last couple of hours of work, since the last backup, when I'm going to re-install everything anyway? The extra couple of hours work redoing the last few transactions won't make a huge difference at the end of the day, anyway.
A company I know of was informed by the Federal Office for the Protection of the Constitution that the IP-address of one of their servers had appeared on a well known hacker board. They provided consultation, but their advice was, even if the drives were removed, new ones plugged in and a restore from a known good backup performed, there was no guarantee that the hackers hadn't put something nasty in the UEFI. The best option was to put the server through a shredder and install a new, factory fresh server from scratch and restore the data.
"there was no guarantee that the hackers hadn't put something nasty in the UEFI. The best option was to put the server through a shredder and install a new, factory fresh server from scratch and restore the data."
Dell's marketing department going to new lengths to secure a sale?
And that was for human beings, not data.
The more people pay, the more the "business" becomes profitable. It's useless to say "use it only as a last attempt" - crooks are already giving less and less time to pay before menacing to delete the keys to put pressure on victims.
Where's "here"? Globally, kidnapping for money is still a thing. Also in "failed states".
As for the deadline... tell 'em the finance steering committee only meets quarterly. Also, this is the year of "shareholders reject the executive compensation plan" - you'll have heard what happened to Hamelin Inc. trading as Rats R Us. :-) So paying the ransom demand... the moral is, when robbing and extorting honest CEOs and local politicians, don't be greedy.
Although, leaving a trail of dead victims who couldn't or didn't pay will also encourage your latest to be generous.
Italy. Kidnapping became a criminal business in the '70s and early '80s (remember John Paul Getty III?). Criminal groups like mafia find it very lucrative - and kidnappings became a quite common crime.
Until a law was passed that allowed to freeze assets to avoid ransoms to be paid. Criminals found that they risked a lot for nothing.
Very different economics. Kidnapping people is extremely high risk, requires a huge reward to make it a viable business.
Malware, not so much. The marginal cost per infection is zero. So if 99% of your victims don't pay, no problem - just infect another million.
We've tried preaching "don't pay, ever", and it's been about as effective as abstinence-only sex education. Maybe acknowledging reality isn't such a bad idea.
Exactly because it is low risk and low cost that it risks to become a huge problem - especially since cryptocurrencies made it too safe. Moreover this kind of criminals don't bother if they put many lives at risks - and if people thinks they have no choice but to pay, crooks will also ask for more money.
It requires a proper legal framework to stifle this kind of criminals - "wire fraud" or the like is outdated.
Maybe acknowledging reality is that you lost you data, so others will understand that thinking "oh well, no need to make systems secure, in the worst case I'll pay" is utterly stupid.
The point I'm getting at is, with kidnapping you need a good degree of certainty that the ransom will be paid. Without that, the economics just don't work. If you can prevent payment in just 75% of cases, nobody will risk kidnapping.
With ransomware, preventing even 95% of payments makes no real difference. So this approach doesn't work. You could try banning cryptocurrency, but I think we all know what that would lead to.
Ok, another alternative plan, legalise hacking to demand money... if the government does it. Try this: if the tax office can get malware onto your company computers and perform encryption and denial of service, then they're entitled to demand extra tax from the company in return for releasing the encryption. That will motivate the finance director to support keeping your systems secure and also well backed up, to not pay even when the government successfully breaks in. And this will keep out other bad guys as well.
Although I suppose there are quite a lot of foreseeable problems with this scheme...
If it's profitable, then the market will grow. There'll be more resources dedicated to finding exploits and programming ransomware.
Remember, capitalism works and doesn't particularly care about ethics. If you reward the unethical parts of the market, then you contribute to problem.
Dod the ransomware bastards manage to get a sleeper into the organisation?
Is someone high up being blackmailed?
I can't think of any other explanation. This is just totally wrong from any point of view. To say nothing of the fact it simply WON'T WORK!
Shouting? I wanted to scream it out.
I got a tour of a cash centre for one of the major banks a few years ago. Quite a secure place to get into, but surprisingly ordinary once there.
In one corner was a cage containing a pallet of notes.
"What's that?"
"That's the ransom money in case we're ever asked to provide a cash sum in a ransom situation"
Just shows you should always be prepared.
I wonder how often they rotate it?
I can fully see them keeping it $100,000 increments with a sheet listing all the serial numbers for that bundle. Quick and easy to grab the amount needed without delay.
Then the kidnappers look at their unmarked, non-sequential cash and realize all the notes were printed in 1974.
"Then the kidnappers look at their unmarked, non-sequential cash and realize all the notes were printed in 1974.'
It would be easy enough to just bundle up currency taken from the stream currently in circulation that have been scanned into a database. If it sits for a year or so, start swapping bundles and updating the database. Having all of a stack of notes from one year would be pretty unusual.
I seem to remember that the largest ransomware hitter, WannaCry, actually didn't have a mechanism for tying payments to infected machines and as such it was impossible to decrypt?
Don't always assume that the bad guys even have a mechanism to give your data back to you, just a way to trick you into sending bitcoin...
This is a straight-up Prisoners' Paradox type situation. Paying the ransom == defecting.
The repeated use of the word "ego" in the article is a tell. If a "security" company ever gave me that advise, especially if they used the word "ego" to damn not funding criminals, I would mark them as compromised.
Just like the machine that's been infected.
"If a "security" company ever gave me that advise, especially if they used the word "ego" to damn not funding criminals, I would mark them as compromised."
A million times this. Not paying the ransom isn't even remotely a matter of ego. To frame it that way appears to be engaging in intentional emotional manipulation, and you really have to question the motives for doing that.
If this extortion was taken a little more seriously, given the sums that are involved are increasing, and steps were take for more cross border cooperation then this could stop. The funds can be tracked, but there is no political will to do anything about it.
The anonymity of cryptocurrencies makes this difficult. While the currency of choice remains bitcoin, which is public, there is a little chance, but the criminals can switch to closed cryptocurrencies (zcash and monero come to mind) to make this difficult or impossible. In addition, a lot of these strains are being written in countries whose attitude toward international cooperation is not so positive. WannaCry and NotPetya, for example, were government projects of North Korea and Russia respectively.
But zcash and monero are anonymous, hence my saying that bitcoin might get switched out for those. Bitcoin is not anonymous, that is correct, but it is pseudonymous and can be difficult to track until it is exchanged. If it is paid to someone else before they exchange it, it may well be that they don't know who originally obtained it, making tracing the payment very difficult. In addition, there are plenty of ransomware stories where crypto was deposited into a wallet and it's still there. Why the authors chose to do that is anyone's guess, but tracking them down, even if the various law enforcement bodies were to try, will be hard if that's the only evidence available.
I run a UK cloud backup company and the vast majority of customers are happy to pay anything from £20-1000 per month to backup all their data.
The worst companies who see no value in backing up and protecting their data are for some reason: architects and solicitors, specifically solicitors. They will think we are mad if we quote them £50pm to backup a server to protect them against ransomware. Instead they opt for non-GDPR, cheap consumer grade USA backup solutions with no encryption. Scary stuff...
No, at the request/demand of the manager we upgraded the batch file to use robocopy so that it had a summary report "in case they get audited" and added a vbs script to rotate and prune the folders on the external hard drive used as the backup destination so that they didn't have to change it every day anymore.
The social costs are too high to allow anyone to pay a ransom because paying the ransom ensures that the criminals will continue to victimize other companies. The interests of the victims and the interests of society as a whole are not aligned, the victim's primary goal is to save their company even at the expense of future victims, societies interest is to stop it from happening at all. The only way to stop it is to make it illegal to pay the ransom, if nobody pays then it won't happen.
Actually paying the ransom is socially irresponsible and only makes the whole situation worse for everyone. I know that it can be very hard or impossible for a company who's been affected to take this into account. But, speaking personally, I would absolutely view people and companies that to this in a very negative light.
Working at an IT services company, I can't recall the last time any of our clients were hit by ransomware. It was almost a daily event a couple of years ago, but not much recently.
We have always been able to recover our clients data and with the mitigations we have put in place can generally prevent attacks in the first place, but the crims seem to have moved on to other things. The biggest spate of malicious activity we have seen recently are O365 accounts with no MFA being phished, then either used to spew malware or pretend to be the user and request bank transfers from the finance people. They usually also add rules so that the mark doesn't get bounces or replies.
Although we try and persuade people to use MFA on cloud services, many don't listen.
I'm definitely no expert on Ran$omeware but there is no way I could ethically tell a business to pay said ransom.
There is simply no guarantee that a) the data will be 'released' (for want of a term) or b) said 'released' data doesn't have little 'timebombs' to be set off when the next payment is due.
I think all we IT folk can really do is press the point home re: security and the need for backup, as intimated in the article.
Just my 2c but YMMV.
Dane-geld
A.D. 980-1016
IT IS always a temptation to an armed and agile nation
To call upon a neighbour and to say: –
"We invaded you last night –
we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
To puff and look important and to say: –
"Though we know we should defeat you,
we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested
to pay up or be molested,
You will find it better policy to say: --
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game
is oppression and shame,
And the nation that plays it is lost!"
It's so humorous when people feel a business should go out of business... just don't pay the ransom.
Everyone agrees the business made really poor decisions in relation to IT security, DR planning, business continuity, etc. That being said, they shouldn't kick their employees to the welfare office just so your sense of "ethics" don't get bruised.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
