First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

Care to point out anyone who actually does claim that cryptocurrencies are actually "legitimate currencies"?

Even if they were considered as such, I think your suggestion would have about as much effect as trying to stop football violence by declaring that football isn't a sport.

edit - I'll also point out that Bitcoin transactions are technically less anonymous than cash, since every transaction is recorded for posterity in the blockchain along with the sender and recipient's IDs. If you bother to google it, you'll discover that these have, in the past, been linked to people's identities and used in police operations to trace the movement of cryptocurrency. It's just that until you work out who those wallet IDs correspond to, they are anonymous.

Cash, on the other hand... Well, there's a reason there’s such a thing as money laundering, and there are many, many forms it can come in. If you found £20 on the street, could you tell where it had come from? And before that? Back to the point in time it was minted? Because you can with bitcoin. It's all there in the blockchain.

Totally not the same. Any business that doesn't have a robust backup solution doesn't deserve to be in business.

A ransomware attack is somewhat different to a kidnapping. The entire company knows that the computer systems were suddenly down. The entire IT department knows why. None of them are paid enough to be accessories to a felony. If the CEO chooses not to report to the data protection authorities, they're taking a big gamble.

Re: Just make paying a ransom a criminal offence

Agreed, except that across the EU, GDPR comes into play. Don't report the breach and the fine could be more than the ransom you already paid.

The success of one attack motivates the attackers to repeat it against others, causing much greater losses to the wider economy. Losses which are not borne by the original victim - to them it's an externality, which doesn't come into their financial calculation about whether to pay the ransom or rebuild their data.

The idea of threatening sanctions to force companies to consider such externalities is hardly a new one. It's why companies get fined for polluting water courses or exposing our personal data.

Fines are the appropriate sanction here, though, not prison: you just need a sufficiently large monetary penalty to alter the financial calculus for the company, à la GDPR.

I recall video piracy was branded as financing organized crime. It always made me laugh to think that the drug and prostitution business was such a loss maker that they need to flog a few pirate DVD's in order to keep in business.

Re: Crikey

Thumbs down? Really? I'm not saying I have no sympathy, but I've lost count of the number of times someone has come to me saying that their computer has "died" and could I get their data back please? Are you giving thumbs down to the use of decent backup solutions, or to my apparent lack of sympathy? If someone is hit by a drunk driver and dies simply because they weren't wearing a seat belt, then it's still a tragedy. But they were still being stupid.

Re: Crikey

The really interesting thing is that the recent attacks have gone after LARGE companies. Those companies almost certainly have good backups and maybe even reasonable disaster planning. However, it seems that if you choose a large enough company, they will be willing to pay a substantial sum just to minimise their downtime.

Restoring all backups, including all the employee desktops, will take a lot of time, and a lot of effort and cause massive business disruption. A few million to reduce that to (say) 24 hours to decrypt and restore operation probably looks like a good deal.

Of course, as well as the obvious problems of rewarding criminals, how do you know you really have a safe environment afterwards? All data correctly restored? No hidden infections waiting to hit you up for an ongoing "insurance fee" (protection money)?

Re: Crikey

30 days is the worst case if the ransomware has been there for less than 30 days. What if it's been encrypting all the data you've been backing up for months?

Re: Crikey

>Yes, but they shouldn't be able to go after your backups if you've got them set up properly.

I don't know how that would work. If malware gets onto a backed up machine, it's probably going to lie doggo for a few weeks while it spreads across the network, and so it will be in multiple backups. It's possible that an alert, technically savvy person such as Hubert could spot something, but the backups are still going to include the malware.

The malware might encrypt the backups, though that is probably quite tricky because it would require compromising elements of the backup software.There is still quite a diversity of backup solutions available so this sounds quite hard.

Even if you backups are readable you've still got a big problem. Any largish business is going to have hundreds or thousands of machines and databases to wipe, rebuild and restore. And each of them will need to be forensically checked to ensure that it the backup hasn't restored malware. You might be able to get a few key systems up from backup fairly quickly, but your infrastructure is going to be in bits for weeks while you check every single object on your network with any kind of microprocessor to make sure that no nasties are lurking.

It's hard problem because no matter how carefully you run your infrastructure, it's nearly impossible to stop a really determined and technically skilled opponent from breaching your defences. The zero days can always get you.

Re: You get what you pay for

You mean, for the same group after it changes its name three months later. Or for factions of it after they inevitably fall out.

As in: avoid trying in CDG

Writable backups

Any backup should be read only. You can add new stuff to the backup but removal should be very hard.