The policy of truth: As ransomware claims rise, what's a cyber insurer to do? If you rely on your insurer to pay off crooks after a successful ransomware attack, you wouldn't be the only one. Ransomware victims from municipal governments to universities have turned to their cyber insurance policies to pay for decryption keys after getting pwned. That's making some insurers nervous. How will they react …
Sure, but not spending a % of your profits each year on cybersecurity measures should be illegal-er.
Cybersecurity training should be treated with the same weight as fire training and first aid training.
I feel like we need a PSA like the old piracy ads.
"You wouldn't smoke next to a petrol pump"
"You wouldn't put your dick in a hornets next"
"You wouldn't tell your wife her arse looks big in that"
"You wouldn't open an attachment you weren't expecting"
"Cybercriminals, they target Muppets, don't be a Muppet".
I just don't understand why it's legal in any circumstances, regardless of who the ransom is paid to. It's extortion. And as the article points out, the more it's paid, the more it is encouraged.
I thought maybe it was still legal because there's a market for this kind of insurance, but this article points out how complicated that is getting.
So WHY is it still legal? Who benefits so much that we can't pass laws to make it happen a lot less (or at least make it go away from the public spotlight)?
How many of these bits of malware get in through users clicking on links or opening attachments in emails? Let's face it, that's a far easier way in than trying to get past tech.
And how many C-levels demand access to their GMail/social media/etc?
Also ob. SMBC https://www.smbc-comics.com/comic/2012-02-20
Unfortunately, many people who SHOULD know better and who are considered "trusted" (city council, for one) use third-party email services that automatically cloak any URLs in the email into a convoluted mess. So any user training to not click on dodgy links gets eroded. Unfortunately the email senders are not IT people and have no clue why this is a bad thing no matter how many times one tries to explain it.
If they are incompetent, how is the situation deliberate? That would be malice...
But yes, paying ransoms is massively fuelling the fire, and taking funds away from correcting the faults that led to the opportunity in the first place.
Hit any beancounter budgeting for ransoms with the Colonial Pipeline case: the victims paid and the gang gave a valid decryption program that performed so slowly it was quicker to restore anyway.
"If they are incompetent, how is the situation deliberate? That would be malice..."
Not necessarily. A decision not to have a reliable backup system because it costs less to insure against ransomware, and of course that's the only reason why one might need long-term backups, is very incompetent but is also deliberate. Failing to consider the need for backups at all is incompetent and not deliberate. That is the difference.
As with most things... follow the money.
Keep following where the "coin" goes and when the trail runs cold (suspect it will be the exchange where "coin" becomes ca$h, that org has a strike against it and a warning. Three strikes and your org gets sanctions from the Fed, EU, etc etc. those sanctions are loss of access to the relevant market, loss of banking licenses etc etc.
Very quickly, the crooks will run out of ways to extract cash from "coin" and the exchanges will find ways to facilitate "more info" on their "customers" to avoid being the one left at the end of the trail.
We had hopes that insurance companies would bring some discipline to security where stock-price-driven design consistently failed. The eagerness of insurance to pay cyberransoms caused me to give up hope in that regard. But it sounds like there might be some pullback. A glimmer of hope in the long tunnel. Wait. What's that air now rushing past my face about?
"stock-price-driven design consistently failed."
Thumbs up for that one!
**********
"paying ransoms online validates the crooks' business model, emboldening them to keep doing it."
Just calling it a "business model" seems to (insult the monkeys and) reveal, once again, *issues with "business as usual".
I've found that a lot of external HDDs and other devices are counterfeit and/or fake capacity so the capability to embed date/time or usage triggered malware also exists.
There have been cases where the entry point of a specific piece of ransomware or malware has not been found despite extensive efforts.
Is it worth looking in more esoteric places like the monitor, optical drives and USB cables?
To write malware that hides in the SPD chip on DDR4 RAM is another not so well known method and as its quite hard to write in W10 etc it wouldn't be much of a stretch to implant something nasty that only dumps its payload when it "sees" a specific setup like a server grade CPU or more than n system drives.
So your average home user won't even know its there.
Also heard of more recent malware that reflashes the BIOS with its current settings intact so unless someone goes to alter it they won't know that its actually been compromised, or a combination of the two that writes persistent code to any programmable chip.
Broadly, if you're not the bus master you don't get to initiate the transaction. So monitors, optical drives, usb cables, usb drives... anything short of Firewire or lights-out controllers, really, don't get to make a choice about installing anything on another part of the system. They have to wait for the user to do it for them, which they do over and over again.
When looking for a root cause, start with ignorance or inattention. The more esoteric attack vectors are out there, sure, but why work that hard when the clown on the other end of the keyboard will do it for you?
All that is fun, but let's be honest, it takes a lot of time and we programmers are lazy. The evil ones are too. Why go to the effort of manufacturing sneaky drives with a complex disconnected script which watches filesystem activity and implants itself only to find that it doesn't work because the users used something unpredicted when the script was written when you can email someone an executable and ask them to run it? It takes a lot of effort, time, and money to get those drives manufactured and sold and it's also a path someone could use to track you. Don't overthink it; the ransomware people aren't.
Insurers could arguably be doing deals with backup providers to encourage businesses to take preventative action by giving a hefty discount if you use their approved company.
If you say that insurers shouldn't be endorsing companies then why is it that when you successfully make a claim for everyday things like jewellery they often force you to buy replacement goods from companies they have done deals with?
I think ransomware insurance should cover the costs of system recovery.
Not paying the ransom ever.
I.e. if you get caught and it will take 100 man days to recover the systems then it covers the cost for the resource not the money demanded.
It is therefore a known risk (unless someone has being telling porkies about the systems) and a known cost. For larger companies it isn’t needed as they should have the reserves to cover it. For smaller companies paying say 10% of the cost as a premium it is treated as a risk.
And in the event of a payout the premium goes up to 50% of the insured cost next year….
Of course this should be subject to a process audit before the policy is even offered…
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
