Software AG hit with ransomware: Crooks leak staffers' passports, want millions for stolen files

Software AG has seemingly been hit by ransomware, with the German IT giant itself telling the Euro nation's stock market it had been “affected by a malware attack.” In a notification to the German stock market published earlier this week, Software AG said: “The IT infrastructure of Software AG is affected by a malware attack …

  1. RM Myers
    Stop

    Ransomware

    I agree with the guy from Emsisoft. The law needs to be changed to (1) limit insurance to covering the cost of business interruption and system recovery, and specifically make it illegal to cover ransom, and (2) treat paying a ransom similar to paying a bribe, that is, make it illegal with criminal penalties and don't treat the payment as an expense for tax purposes.

    This will obviously be difficult given the number of countries involved, but it is the only way to prevent ransomware from becoming ever more common.

    1. MiguelC Silver badge

      Re: Ransomware

      Paying a ransom could be construed as aiding and abetting, as it translates effectively to paying for criminal activity

      1. Anonymous Coward

        Re: Ransomware

        Unlikely. As it's being made under duress. Only a twisted legal system like the US's generally goes after the victim.

    2. Anonymous Coward

      Re: Ransomware

      Disagree. It's not worth getting your knickers in a twist about. It's just this year's ThreatThing. Something new will be along to replace it soon enough.

      There are only so many groups clever enough to do this thing. It takes weeks of surveillance and picking and choosing your targets and vulnerabilities.

      1. Maelstorm Bronze badge

        Re: Ransomware

        "There are only so many groups clever enough to do this thing. It takes weeks of surveillance and picking and choosing your targets and vulnerabilities."

        Most of the groups who are capable of using ransomware are state sponsored threat actors. The rest are criminal enterprise. In many cases, it's actually cheaper to pay the ransom than to recreate the data. It does take weeks of surveillance to properly crack an enterprise network: Firewall upon firewalls, IDS, jump servers, etc.... Look at the Equifax breach. IMHO, that was state sponsored because there were two groups who perpetrated that...and the stolen information still hasn't seen the light of day years later. By two groups, I mean there was an entry crew who performed the initial penetration of the network, but they could only get so far. Then there was the second group, who penetrated all the way in and got the goods. They were in the network for so long that they actually tailored their tools to Equifax's network. That one was caused by an unpatched vulnerability in Apache Struts.

        1. Anonymous Coward

          Re: Ransomware

          "Most of the groups who are capable of using ransomware are state sponsored threat actors."

          Wrong conclusion actually.

          They use roughly the same TTP, but TTP doesn't make it the same people.

          I disagree with a lot of the process of attribution generally, but you are definitely wrong here.

          If you look into the ransomware "scene" you see it is a supply chain. It's utterly commercial in nature, with people offering tooling, exploited targets ready to deliver the code into, resale of stolen data and more.

          I'll give you that some of the "state sponsored" activity is also commercial subcontractors and multiple teams operating different roles within the attack, but the ransomware scene is entirely a commercial operation - a marketplace of extortion sold to the highest bidder.

    3. sitta_europea Silver badge

      Re: Ransomware

      "I agree with the guy from Emsisoft. The law needs to be changed..."

      Agreed so far.

      "...treat paying a ransom similar to paying a bribe..."

      It's easy to say that when you haven't got a hospital to run and patients dying, or even if you've just lost the only photo of your dead child.

      Personally, I'd vote for putting ransom demands in the capital punishment bracket, paying big rewards to snitches who could offer adequate proof of their claims, kicking the likes of Facebook, Google, Microsoft, Yahoo (and not forgetting GCHQ) up their collective arses for doing sweet 2FA, and sending the boys from Hereford to deal with any perps who got sufficiently well fingered.

      1. Charles 9

        Re: Ransomware

        "Personally, I'd vote for putting ransom demands in the capital punishment bracket, paying big rewards to snitches who could offer adequate proof of their claims, kicking the likes of Facebook, Google, Microsoft, Yahoo (and not forgetting GCHQ) up their collective arses for doing sweet 2FA, and sending the boys from Hereford to deal with any perps who got sufficiently well fingered."

        Instead, what we'll probably see is perps getting covered by hostile sovereignty, snitches offered threats no amount of money can salve, the big boys going sovereign themselves a la The Sprawl, and some perps having enough backing to counter any force you can throw at them, nukes included...

    4. Charles 9
      FAIL

      Re: Ransomware

      They'll just switch to blackmail (it's happening already with exfiltration malwares) combined with hijacking backup processes. Blackmail's always been a gray area because not complying can easily kill a company and result in collateral damage.

  2. Maelstorm Bronze badge

    An Impossible Situation?

    Because many are refusing to pay the ransom, the ransomware groups are now exfiltrating gigabytes of data from their victims. Along with encrypting your files, if you don't pay the ransom, they will expose your data on the internet for all to see. This puts victims in impossible situations where even if you can recover using backups, you are still going to get burned by not paying because your data is exposed. As we all know, depending on the nature of the data, this could be customer information, embarrassing emails, classified information (if a government contractor), etc.... All bad.

    1. Lyndon Hills 1

      Re: An Impossible Situation?

      Yes, a bit of a double whammy. Unless you get a very privileged account, you can't encrypt everything, including backups, so grab a load of data as a plan B. It also feels like a more sophisticated attack. Surely it would take a bit more time on the target network, to get access to and find some juicy data? Maybe this step can also be automated?

  3. Snorlax Silver badge

    Negligence or incompetence?

    I keep an eye on the Maze website to see who's been hit lately. I can excuse the 'mom and pop' companies somewhat and say that they're incompetent or lacking skills, although they may still have legal obligations to secure data under GDPR, HIPAA, etc. Enterprise companies on the other hand, have no excuse. They've got SOCs, IR teams, etc.

    The problem I see (with the companies I work with, at least) is that too many don't do enough proactive work to prevent a ransomware attack, and have the attitude "Well, isn't that why we have cyber insurance?".

    They pay the ransom...get back to work...no lessons learned.

    Expect to see more pushback from insurance companies in the future. As any fule no, they don't like paying out to customers.

  4. StrangerHereMyself Silver badge

    We've been here before

    If you don't pay up your company's future could be on the line, as most ransomware also infects the backups to make sure their victims have no choice but to pay up.

    Prohibiting ransom payment could lead to some very high-profile bankruptcies of large companies and organizations or major disruptions to government services such as healthcare.

    Believe me, this is not something you'd want. It's better to just cut your losses and pay up.

    What potentially scares me even more is that these kinds of disruptions could lead to international political and military conflicts.

    1. EricM

      One word: Darwin

      Especially because of exactly this argument, which is very understandable given the economic position of a victim, ransom payments need to be forbidden by law.

      If this means bankruptcies, OK, let Darwin take its toll.

      By continuing to willingly incentivize predators while keeping targets softer than necessary we will create more predators feeding on a soft population until the economic system of cyber-insurances becomes unbearably expensive - which will also lead to bankruptcies.

      By terminating the soft victims early, the more hardened targets will survive and form a more hardened population while at the same time cutting the incentive for the predators to close to zero.

      Will be cheaper from a society's position.

      1. Anonymous Coward

        Re: One word: Darwin

        "Especially because of exactly this argument, which is very understandable given the economic position of a victim, ransom payments need to be forbidden by law."

        Turn the argument around. Won't that just motivate hackers who aren't in it for the money, like state-sponsored hackers? It's like with immunizations, eventually a new bug comes along that the jab doesn't stop...

        1. EricM

          Re: One word: Darwin

          "Won't that just motivate hackers who aren't in it for the money, like state-sponsored hackers?"

          These types of hackers are typically motivated independently of monetary rewards, but based on a tactical or strategic decision by a government.

          So cutting the monetary reward would not eliminate the overall threat, it would just reduce the number of attackers.

          I do not see any additional motivation for state sponsored hackers by outlawing ransom payments.

      2. Charles 9

        Re: One word: Darwin

        "If this means bankruptcies, OK, let Darwin take its toll."

        And if it means collateral damage as innocent people lose their livelihoods through no fault of their own (including potentially you), then c'est la vie?

    2. steviebuk Silver badge

      Re: We've been here before

      But there has to be a limit. The more people pay up, the more they'll target people.

      1. Charles 9

        Re: We've been here before

        Not really. With enough dirt, there's always the "offer you can't refuse"...

  5. Anonymous Coward

    It's been said

    That World War Three may be started by one country finally having had enough (tm) of attacks by others, and conventional weapons escalating to nuclear if the message doesn't get through.

    If that isn't a good enough reason to stop people paying ransoms then I don't know what is.

  6. Anonymous Coward

    All made possible by Bitcoins...

    ... it would be far more difficult to ask such ransoms without a way to get the money easily without being tracked....

    1. Charles 9

      Re: All made possible by Bitcoins...

      To which they'll just come up with another way. Money laundering does predate e-currency, after all...

      1. EricM

        Re: All made possible by Bitcoins...

        Which is true, but e-currencies drastically reduce the risk for the attacker while scaling perfectly.

        There's a point to the OP's argument...

  7. Robert Grant

    Former employee of Software AG here - sorry to my comrades!

    Supplement: I know this isn't the main point, but... documentation websites should not be live systems. They should be rendered out as static files and pushed to a CDN, with maybe a search service running somewhere (although hopefully just client-side, reading static files again). That's much more resilient - and cheaper to run - than a database-driven approach.
