Pay ransomware crooks, or restore the network? Guess which way this city chose after weighing up the costs

A city in Colorado, USA, has swallowed its pride and paid off a malware gang after deciding the cost of a network nuke-and-pave was too high. The city of Lafayette – technically a home-rule municipality – with a population of around 30,000, said it has opted to pay ransomware criminals a $45,000 (£35,000) fee after deciding …

  1. Hubert Cumberdale Silver badge

    I wonder if...

    ...when doing the cost/benefit analysis, they factored in the possibility that the crims might just take the money and run.

    1. Mike 125

      Re: I wonder if...

      > the possibility that the crims might just take the money and run.

      Assuming they leave their calling card and have a 'reputation' to protect, that would be a fairly dumb strategy. It's no cost to them to follow through on the deal.

      The victim's choice to pay is understandable, but supremely selfish.

      1. BrownishMonstr

        Re: I wonder if...

        I agree, there would be another type of cost for paying, in that the criminals are more likely to do it again.

        Imagine if the Government made it illegal to pay the criminals the ransomware fee. I wonder if companies would still pay, or criminals would resort to something else.

        1. Anonymous Coward

          "Imagine if the Government made it illegal to pay the criminals the ransomware fee"

          It was what was done here in Italy to stop kidnappings.

        2. Tomislav

          Re: Ah IT 'managers'

          Remember the recent attack against Garmin. A group called Evil Corp encrypted their infrastructure, demanding $10m. The problem with this group is that it was illegal for Garmin to pay up, so they paid a third party to "deal with the issue", and that company paid the crims. Making these payments illegal will result in similar deals.

          1. doublelayer Silver badge

            Re: Ah IT 'managers'

            If it is considered important enough, the law can be modified to clarify that paying money to someone else knowing that they will be paying the ransom means you are equally culpable. In fact, I'm surprised that's not already what the law says for cases like that. It won't stop it entirely, but by driving it underground there will be fewer people who will pay and less reason for other people to create similar malware.

        3. Claverhouse Silver badge

          Re: I wonder if...

          The data would still be borked --- but if barred from paying the criminals, just lost forever as well.

      2. Jamie Jones Silver badge

        Re: I wonder if...

        Surely they will need to rebuild and sanitise their network anyway if there's been an intrusion?

        1. David 132 Silver badge
          Facepalm

          Re: I wonder if...

          Well you'd like to think that, wouldn't you.

          If I were cynical though, I'd say that what they'll do instead is restore the data, (maybe) update the antivirus on the PCs and retire their remaining Windows 2000/XP machines, and bumble along exactly as before, while congratulating themselves on their IT smarts.

      3. doublelayer Silver badge

        Re: I wonder if...

        "Assuming they leave their calling card and have a 'reputation' to protect"

        You assume a large thing. A lot of ransomware artists don't see their job as requiring a reputation advantage. The smaller the scale of their effort, the less reason they have to write a decrypting program or actually check they're encrypting correctly instead of just corrupting every file. Even for those longstanding efforts that do have a reputation, nothing stops a competing criminal from designing their malware to look like one that is more trustworthy, if such a word can be applied to malware. It's been done to attempt to throw off attribution; it can be done to get more money.

      4. DCFusor

        Re: I wonder if...

        The selfish part was doing lousy security. Now the taxpayers pay, not the entity deciding to pay ransom - it's not their money, so yes, selfish in that sense.

        By refusing to take a stitch in time, they let their constituents pay the nine.

    2. drand

      Re: I wonder if...

      Whoever said crime doesn't pay needs to get with 2020. Not a week goes by without a sorry tale of someone paying up to the fuckers, and an order of magnitude more must go unreported.

      1. Alan Brown Silver badge

        Re: I wonder if...

        "Not a week goes by without a sorry tale of someone paying up to the fuckers, "

        At some point we're going to start hearing of these extortionists being found face down wherever they happen to live, having decided the guilt of the crimes is too much to bear, thus committing suicide with three shots to the forehead, two to the heart and ample evidence of their activities left for the police to find.

        Think it won't happen?

    3. Anonymous Coward

      They saw the prices for backup software, hardware, training and personnel...

      .... and decided taking the risks of paying the ransom was cheaper....

    4. Imhotep

      DaneGeld

      Or future costs. I would hit them again and again.

      1. Anonymous Coward

        Re: DaneGeld

        The history of blackmail shows that once someone pays up then they are on the hook forever. A competent blackmailer knows how to keep the demands light enough to not kill the goose that lays the golden egg.

  2. Anonymous Coward

    "...after deciding that it was a better use of cash than spending time and money wiping and reformatting all of their machines."

    Er, wouldn't that be a sensible course of action even if you did pay the ransom (at least you could do it in a less urgent fashion)?

    1. Alister

      Exactly, unless they wipe and reformat the machines, how do they know for sure that those machines are not riddled with other malware.

      1. Alan Brown Silver badge

        Even if they DO wipe and reformat the machines, how do they know for sure that those machines are not riddled with other malware?

        1. NetBlackOps

          Yes, while tricky, hardware persistence isn't that difficult to achieve as we've seen of late.

        2. big_D Silver badge

          A friend of mine was visited by the federal police in Germany and warned that one of his servers had appeared on a dark-net forum. The advice was to buy a new server, recover from known good backups and shred the hardware, it couldn't be trusted.

    2. Captain Scarlet
      Facepalm

      This is obviously a decision from a non IT background.

    3. Marcelo Rodrigues
      Unhappy

      "Er, wouldn't that be a sensible course of action even if you did pay the ransom (at least you could do it in a less urgent fashion)?"

      Yes. The operative word being "sensible".

  3. Anonymous Coward
    Happy

    Your Mac can't get hacked by a Microsoft Office macro...

    ...if you don't let Microsoft Office anywhere near your Mac.

    1. Hubert Cumberdale Silver badge

      Re: Your Mac can't get hacked by a Microsoft Office macro...

      Of course, Mac users can relax completely because Macs never need bugs patching and don't get malware.

      1. Hubert Cumberdale Silver badge

        Re: Your Mac can't get hacked by a Microsoft Office macro...

        [Three Mac users (so far) can't handle the idea that as their minority operating system gets more popular, the malware writers will demonstrate it has just as much potential for pwnage as Windows... I await more downvotes as they gradually realise my original post was insulting... (and for every downvote on this post, I'll punch a kitten, you cruel bastards.)]

        1. Hubert Cumberdale Silver badge

          Re: Your Mac can't get hacked by a Microsoft Office macro...

          Won't somebody please think of the kittens!

  4. 0laf
    Pirate

    Imagine if there was a criminal charge that would be levied against senior managers or officials of an organisation for allowing their security to be lax enough that they 1 - allowed a significant and dangerous malware onto their network and 2 - their systems were too poorly configured/maintained to allow them to recover from 1 in a timeous way.

    If that was the case 1- security/maintenance would be much much better and these incidents would be much rarer, 2 - where an incident still happened no one would pay the fine therefore these incidents would continue to be rarer (bad business for the bad guys).

    Things happen when the CEO or Mayor (whatever) has their arse personally in the firing line.

    1. Bitsminer Silver badge

      Yes but no

      A successful criminal prosecution requires a motive and a payback and a "guilty mind" in the US parlance. Mere indifference or abstemiousness or negligence is unlikely to be sufficient to gain a successful conviction.

      A civil action on the other hand has much lower bar, and several dozen citizens can sue their muni for such indifference or negligence. But any successful outcome with a payout would result in....higher taxes. Ooops.

      The current list of IT vulnerabilities is far far longer than any other risk a city faces: offenses by police, weather events, labo(u)r unrest, and so on. It takes just one mistake to lose control of the complete IT infrastructure to criminals. City managers and politicians are slowly learning this the hard way.

      I hope they do not fire their IT staff. Their IT staff have now learned very valuable lessons; hopefully they get to apply their lessons at their job.

      1. doublelayer Silver badge

        Re: Yes but no

        "I hope they do not fire their IT staff."

        I'd be surprised to hear they have much in the way of IT staff. I'd guess they have a couple people whose job is maintaining desktops and contracts with places to write web apps they need to provide city services, meanwhile the maintenance of infrastructure, backups, etc is handled by whoever needs it at the time. I've seen many systems run in this way because IT is a cost center, and backups even more so. Then this happens and they can't recover because they didn't make any backups or provide for a restore process.

        1. Imhotep

          Re: Yes but no

          When I used to peruse position postings, a lot of state and municipal governments seemed to require advanced degrees, have unrealistic expectations and pay below the private sector.

          That is pretty much going to ensure the applicant pool is less than optimal.

    2. Alan Brown Silver badge

      "Imagine if there was a criminal charge that would be levied against senior manager or officials of an organisation for allowing their security to be lax enough"

      What's driving a lot of these attacks is insurance - you can get policies against being attacked these days

      When the loss adjusters decide to move in is when this will start getting interesting

      1. 0laf

        "What's driving a lot of these attacks is insurance - you can get policies against being attacked these days"

        My understanding of insurance is that it will only pay out if you have taken all reasonable security steps. If you have been found to be lacking in patching, configuration or training your insurance won't pay.

        Same at home, you can have very good cover but I can't think of any insurance policy that will pay out for burglary if you never lock your doors.

        Too many organisations right now get away without doing even the bare minimum. Running a municipality without adequate IT to manage and maintain systems should be criminal incompetence in the same way failing to run health and safety on a building site is.

        The outcome is the same: these are life-and-death systems (not just emptying your rubbish and putting up bunting at Easter but social work, child protection and criminal justice) and must be treated as such.

    3. doublelayer Silver badge

      "Imagine if there was a criminal charge that would be levied against senior manager or officials of an organisation for allowing their security to be lax enough that they 1- allowed a significant and dangerous malware onto theri network and 2 - their systems were too poorly configured/maintained to allow them to recover from 1 in a timeous way."

      On the surface, this sounds nice. I'm all for accountability, and the senior management is the place that most often needs and fails to be accountable. However, I think the criminal penalty would probably break things, and maybe we should be more lenient but more precise in our penalties.

      If such a criminal penalty were enacted, almost certainly it would include a provision making it the fault of the technical people if they could be proven incompetent. For example, the senior managers hire people and pay for backups, but the techs don't actually do that. It makes logical sense, and it would undoubtedly get lobbied into the law. The problem here is that, in every case, the senior management will do everything it can to put the blame on somebody in IT rather than take the blame themselves. They will be backed up by the legal and financial power of their business, while the IT person will be backed up by their life savings, which will have to serve for their protection from charges of incompetence and for their legal expenses for wrongful dismissal. The answer to this would probably be things like required audits by an independent third party to confirm that IT are doing what they should be doing, which would be nice, but would also mean IT has to keep stopping normal work to complete the audits and the business has to pay for them frequently. This is easy for a large business, but it could make things hard for the small ones.

    4. Boris the Cockroach Silver badge

      It would never work.

      The malware got onto the systems by dodgy email attachment (my preference for users that click on the link/attachment is to be burned alive in front of the rest of the staff) and we all know that despite the signs/training it will be From: Doug (best friend) "here watch this video" and the user will click on it (even after seeing my demonstration 10 minutes earlier).

      And if I were the crims... leave a nice little booby trap on the machines timed to go off in 12 months so I get a nice annual subscription.

      Paying the danegeld means the dane will be back next year for more

    5. big_D Silver badge

      So, no computers, or only air-gapped computers and no portable media then... Maybe an internal network, but no Internet access...

      The problem is there are so many security issues in modern software, from the firmware, through the OS to the applications and web services, that it is impossible to effectively lock down a system if it is networked, or worse, has access to the Internet (E.g. email).

      Even if you patch everything when the patches are released and you have good border protection and up to date AV software, you have just reduced your vulnerability a bit, you haven't eliminated it.

      You have to start further up the line, with the software developers, hold them liable for their mistakes, not persecute their customers. But neither will happen.

      It is now an arms race, the bad guys buy exploits on the black market, before they are discovered by security companies or the software developers. They infiltrate the target systems and... nothing. Well, nothing visible. They quietly work away in the background compromising the backups and all the infrastructure they can access. Only once they are fairly certain that they have done enough damage to make recovery too expensive or impractical do they trigger "the event".

      There are fly-by-night operations that encrypt straight away or don't provide decryption tools upon payment, but the high end malware is thorough and is a slow burn.

      You have backups? Good. How often do you do a complete restore to a fresh machine, to check everything works? Most companies assume their backups are working, until they need them.

      But if the malware is on the last 3 months of backups, with a trigger date, doing a restore isn't going to help much. Or you are going to have to rebuild the servers (fresh installs) and then recover just the data and doing very thorough checks - oh and everything offline and in isolation, until it has been thoroughly checked and certified clean, before it is brought back online.

      How many weeks do you need to completely rebuild your architecture and rebuild all client PCs? You will be offline for weeks or months? I can see how paying the ransom and recovering the data might seem like an easier solution - although even then, I'd be backing up the data, restoring it in isolation and scanning it, before moving it to new infrastructure.

      I'd hope I could get away without paying a ransom. But realistically? I hope I never have to find out!

      1. JCitizen
        FAIL

        Cryptoprevent..

        There are a lot more things you have to do to prevent ransomware attacks, and yes they can be prevented. There is no excuse in my book; every doggone one of these situations could have been prevented, although not easily. I'd be willing to say even one IT person could have done it for a city that small. The cost is more than affordable as well. Until they make it illegal to pay, this madness is just going to keep going on and on and on.
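big_D's question above ("How often do you do a complete restore to a fresh machine, to check everything works?") is the one most shops cannot answer. As an added example that is not part of the original thread or any commenter's code, here is a minimal restore drill: it restores a backup archive into a scratch directory (never the production path), verifies every restored file against the SHA-256 manifest recorded at backup time, and reports files that are missing, modified or unexpected. A later backup whose config file was altered after the manifest was taken, as a planted payload would be, shows up as "modified". The file tree, archive and manifest are constructed in memory as sample data; the function names are this example's own, not any backup product's API.

```python
"""Restore-drill check: restore a backup archive into a scratch directory and
verify what came back against the SHA-256 manifest taken at backup time.
Added example, not from the article or any commenter. All data below is
constructed in memory; nothing touches a real backup or production path."""
import hashlib
import io
import json
import os
import tarfile
import tempfile

# Constructed sample file tree standing in for a tiny server (assumption).
SAMPLE_TREE = {
    "etc/app.ini": b"db=prod\nbackup_ok=1\n",
    "data/records.csv": b"id,name\n1,alice\n2,bob\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict):
    """Build a gzipped tar plus a manifest {path: sha256} from an in-memory
    {path: bytes} tree. This simulates what the backup job records; the
    manifest must be stored somewhere the backup itself cannot overwrite."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
            manifest[path] = sha256_bytes(content)
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict) -> dict:
    """Restore into a fresh temporary directory and compare every restored
    file with the manifest. Returns {'missing', 'modified', 'unexpected'};
    all three empty means the drill passed."""
    report = {"missing": [], "modified": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # Refuse members that could write outside the scratch directory.
            for m in tar.getmembers():
                parts = m.name.split("/")
                if m.name.startswith("/") or ".." in parts or m.issym() or m.islnk():
                    raise ValueError(f"unsafe archive member: {m.name}")
            try:
                tar.extractall(scratch, filter="data")  # Python >= 3.12 (and backports)
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
        restored = {}
        for root, _, names in os.walk(scratch):
            for n in names:
                full = os.path.join(root, n)
                rel = os.path.relpath(full, scratch).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    restored[rel] = sha256_bytes(fh.read())
        for path, digest in manifest.items():
            if path not in restored:
                report["missing"].append(path)
            elif restored[path] != digest:
                report["modified"].append(path)
        report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def drill_passed(report: dict) -> bool:
    return not any(report.values())


def run_drill():
    """Exercise the check on the constructed tree: one clean backup, and one
    taken after the config file was altered (as a planted payload would
    alter it). Returns (clean_report, tampered_report)."""
    archive, manifest = make_backup(SAMPLE_TREE)
    clean = restore_and_verify(archive, manifest)
    tampered_tree = {**SAMPLE_TREE, "etc/app.ini": b"db=prod\nrun=evil.exe\n"}
    tampered_archive, _ = make_backup(tampered_tree)
    tampered = restore_and_verify(tampered_archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    for label, rep in zip(("clean backup", "tampered backup"), run_drill()):
        print(label, "PASS" if drill_passed(rep) else "FAIL", json.dumps(rep))
```

The point of the drill is that it is run on a schedule into a throwaway location, with the manifest kept out of reach of the backup job itself; a manifest stored beside the backups is only as trustworthy as the backups. Real restores also need the application started and checked against known-good output, which this hash comparison does not cover.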

  5. Mark192

    Hmm, they've clearly an urgent need to upgrade/update/patch their systems. It's possible that they've made the decision that paying the ransom allows their IT staff to focus on preventing the next infection.

    They better have invested in their systems because they've now got a reputation for paying...

  6. RM Myers
    Meh

    Possible first step - change insurance regulations to forbid reimbursing ransomware payments

    This would be much easier to do in the United States, since the state insurance departments have the ability to do this under the concept of it being against public policy - no law change needed. I could also see tax codes being revised to disallow ransomware payments being considered as a business expense for tax purposes, similar to other expenses considered to be against public policy (paying bribes, for example).

    Ultimately, the only really effective change would be to make ransomware paying illegal, possibly by defining it as aiding and abetting the original crime, just like fencing stolen goods for the thieves is a crime.

  7. hoola Silver badge

    Difficult....

    The value of the ransom was pretty low and staff hours lost whilst it was fixed would far outweigh the cost of paying. This could easily be a straight commercial decision. Maybe they were insured and the insurers advised to pay out once the analysis had been done.

    We got hit by ransomware a few years ago but the source was very quickly found, isolated and, because of how the data was organised, the impact limited to one area. We still had to restore about 30TB of user data which took time. The cause was a PC that was not centrally managed and this is where problems start. If there is a culture of dispersed IT that is not as well managed then it is easy to make an argument for centralisation, however in some environments (particularly academia) there is a legacy of culture & systems that are very difficult to bring in. Centralised IT is seen as control to stop people doing what they "need" to do to work, not something that is there to make their systems more secure and better managed.

    There is very little excuse for not being up to date on patching (software or firmware) or even running current operating systems, but it requires planning, routine and acceptance that it has to happen. This is rarely a technical issue but is management. Only when patching has a direct impact on profit or regulatory compliance that impacts them will people believe that it is an essential tool in modern IT.

  8. Sudosu Bronze badge

    Crocodile Hunter vs Stingray

    The last time I heard about this match up we lost Steve Irwin...a very sad day indeed.
