How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director

Increasing numbers of senior ex-GCHQ people have called for laws preventing businesses using cyber insurance to buy off ransomware attackers – with the money merely perpetuating the criminals' business model. Yet, even as industry gets used to waking up to find the entire corporate network is scrambled while user endpoints …

  1. sbt

    Don't have to ban the payouts...

    ...just the insurance coverage. It's simple economics. At least then orgs will assess the risks more appropriately; why spend £££ on prevention when you can spend £ on a policy? Instead of comparing the prevention costs to the premium, they'll need to compare to the potential losses/disruption costs.

    1. Gordon 10

      Dumb and Dumberer

      Since when have GCHQ been good at anything other than electronic eavesdropping or lobbying for encryption backdoors? It's a disingenuous statement from a former member of an organisation who has contributed to the problem by hoarding and not reporting zero days and the like. The intelligence agencies are a large part of the problem.

      Banning coverage or payouts is a dumb suggestion. It's no surprise to see technocrats trying to avoid the problem (partially of the industry's own making) and ignore fundamental human and business realities that are much, much harder to fix.

      If this starts hurting insurance companies' bottom lines then they will start taking action - such as setting minimum standards for coverage - but that won't address the core of the problem.

      It's predicated on the false assumption that people buy the insurance rather than fix their legacy software and hardware estates, and it's also predicated on the idea that IT is the fundamental reason a business exists rather than a useful tool like accounting or sales people.

      There will always be ransomware vulnerabilities just as there will always be fire risk in a physical premises. Suggesting that we tackle a consequence rather than the multiple causes (human nature, Government behaviour, vendor software development practices, designed-in obsolescence etc etc) is just lazy and clickbait-ish.

      1. Anonymous Coward

        Re: Dumb and Dumberer

        It's predicated on the false assumption that people buy the insurance rather than fix their legacy software and hardware estates, and it's also predicated on the idea that IT is the fundamental reason a business exists rather than a useful tool like accounting or sales people.

        This is exactly what's going on though. Having spent a few years doing on-site testing for CE+ (which is pretty basic stuff, nothing like a full-on pentest) I am absolutely astounded at the shocking state of the security in the vast majority of places I went to. Really basic stuff not done. And then companies wonder why they get hit.

        I did some incident response for a place that got hit by ransomware, and they had all of:

        * All users as domain admin

        * Password complexity not enabled, periodic password resets not enabled (example passwords found included: the company name)

        * RDP server wide open on the internet and connected to their internal (flat) network

        They had a nice fancy building with fancy video screens on the walls and all sorts of expensive manufacturing equipment.

        ...Which was all completely useless because they couldn't take orders, ship orders, pay their staff or bills, operate the machinery, etc. IT is intrinsic to most companies and organisations these days.

        Go and look up if your bank has even the basic Cyber Essentials. No? How about your utilities providers? More than likely not. Pick almost any company or organisation that you deal with: probably doesn't have it.

        CE is easy to comply with, but nobody wants to sort their sh*t out because they don't think anything bad will happen to them and they're rubbish at assessing risk (both of getting hit, and of negative impacts of doing the few common sense things needed to achieve CE).

        1. Anonymous Coward

          Re: Dumb and Dumberer

          Domain Guest user, enabled and in the domain admin group.

          Yeah I wouldn't believe if I weren't writing it.

          At least that was fixable. Still on Exchange 2007 to this day.

          I don't know how the human factor can even be called the weakest link, when it's this far short of being a link.

          1. Ken Hagan Gold badge

            Re: Dumb and Dumberer

            "Domain Guest user, enabled and in the domain admin group."

            Now *there's* a collection of words that I never expected to see in that order.

        2. MJI Silver badge

          Re: Dumb and Dumberer

          What did they make?

    2. DS999 Silver badge

      Re: Don't have to ban the payouts...

      Companies are poor at assessing the risk for things themselves, especially risks they don't understand. A CEO could find out the cost of better security from his CIO, but that CIO can't promise they still won't get hit by ransomware or even offer a percentage reduction in the risk. Just "less".

      So why would the CEO want to spend that money, when it will impact the profitability of the company and thus his bonus? If the company gets hit by ransomware that causes a major hit financially or otherwise, he'll simply blame it on his CIO when interviewing for his job.

      No, the ban needs to be on the payouts themselves. It will be a problem for some companies that get hit, and that's too bad, but once the criminals no longer get paid they will have no incentive to engage in ransomware attacks. It needs to be done pretty broadly though around the world, which will never happen. We should have done this from day one, but normalized the payouts so it is too late.

      At this point perhaps the best solution is for the companies offering ransomware insurance to take their own measures to reduce their exposure - by paying for Russian mafia contracts on the people distributing it and collecting the money!

      1. Anonymous Coward

        Re: Don't have to ban the payouts...

        I suppose if you're going to pay the Russian mafia one way or another, paying them to kill themselves or each other at least provides some entertainment value.

      2. sbt

        Re: the ban needs to be on the payouts themselves

        I see what you're saying, but there's a fundamental issue with banning the payout rather than the insurance; bans will just push the problem undercover and hurt disclosure, which ultimately will hurt the customers of the victims whose data has been lost or disclosed.

        Wholesale bans lead to things like speakeasies, drug barons and the use of coathangers as surgical equipment; not to be enacted lightly.

      3. Shadow Systems

        Re: Don't have to ban the payouts...

        What would happen if it were made law that any payments made in such situations came directly out of the C-level executive's pay/benefits/golden parachute/etc so that not only would they "feel the pain" of such payments, but that pain would goad them into making sure the company's defenses were as hardened as possible?

        1. DS999 Silver badge

          Re: Don't have to ban the payouts...

          And then next year they get a special bonus that just so happens to exactly cover what they lost from the payout. Won't change anything, and they'd probably figure a way to use it to their advantage tax-wise!

      4. Michael Wojcik Silver badge

        Re: Don't have to ban the payouts...

        but once the criminals no longer get paid they will have no incentive to engage in ransomware attacks

        This is a common but fallacious argument.

        The cost of ransomware attacks is close to minimal, and there will always be some non-empty set of victims who will pay even if payment is illegal. Thus the return on investment for ransomware attacks will remain positive, and so they'll continue.

        Moreover, many ransomware attack pipelines are largely or fully automated. Even if there were never any more payments, those systems will continue to mount attacks because there's no reason for their controllers to try to turn them off.

  2. Doctor Syntax Silver badge

    It would help if everyone were trained to follow a simple rule: do not click on a link or open an attachment in an unexpected/unsolicited email, even if you think you know who sent it. Trained on penalty of immediate dismissal for failure. Then train customers not to do so either because if you persist in sending emails with embedded links (yes, I'm looking at you, marketing) then, apart from the risk to the customers you've trained, it's very likely that you will indeed do that very thing.

    On which topic, can anyone recommend a UK bank or building society that has the faintest clue about email security, because mine has finally convinced me that they haven't and don't intend to get one?

    1. DailyLlama

      I'm with Barclays, and don't get any emails from them at all (by choice). Seems the most secure method...

      1. Doctor Syntax Silver badge

        My immediate situation is that I've got 2 AGM notices. One is on paper and the other is an email stuffed full of links because they think their customers who pretty well have to do business online because branches are an endangered species won't be able to find their website unaided. Unfortunately I'd transferred the account concerned away from the paper-based lot as a result of bad customer service.

        It's high time we saw the race to the bottom replaced by a race to the top.

    2. Anonymous Coward

      I get where you are coming from, but before I get fired for clicking on an attachment in an unsolicited email, I want you fired for letting me get to that point. If you want a 'no link to click/ no attachments' email policy then implement it at your firewall. You'll have to deal with the issue of how your users get to safely access links that they do need but that's why you get paid the big bucks!

      1. Licenced_Radio_Nerd

        Not a firewall - a content filter.

        The firewall merely keeps out bad IP packets. You are referring to a "content filter" and these are only as good as the block-lists they use - assuming the business has implemented one! Criminals have been waging a speed war against the real-time block-lists to see how quickly they can spread their spamwares before the RBLs catch and block them. It does not matter if you are filtering content, or blocking at DNS level, you will never keep ahead of the criminals. So you do need your end-users to pay attention to what they are doing, and not have the entire finance department blindly following the "click here to download the invoice" link!

        The mail-user-agents can take some of this blame. Whilst Thunderbird has always offered the URI of the link when hovered over, Outlook, in its attempt to be totally clean, never did*, so end-users got used to blindly clicking on things, whilst TB users could spot the dodgy URI and trash the email.

        * No idea if later versions have started offering this, although I am aware Outlook started to flag potentially dodgy sites.

        It might pay insurers to risk-assess businesses as they do with vehicle owners. Points for DUI, etc., and you pay more. Fail to implement strong passwords, security training, content filtering, etc., and you pay much more for premiums. And as others have said: sort out your back-up solution!

        1. Anonymous Coward

          Re: Not a firewall - a content filter.

          Criminals have been waging a speed war against the real-time block-lists to see how quickly they can spread their spamwares before the RBLs catch and block them.

          Which is why you don't use block lists. You use allow lists, aka whitelists. The same as you do with software. Everything is blocked until you check it and deem it safe. Even then you still run it all through anti malware scanners for good measure.

          Don't tell me this isn't manageable: I've been doing this at scale (thousands of users) for over ten years.
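          As an added example (not code from any commenter above), here is what the "hover to see where the link really goes" check and the allow-list approach look like when done by a mail filter rather than by a user. The HTML body, the domains and the allow list are all constructed placeholders; the script parses every anchor, flags links whose visible text shows one host while the href points at another, and rejects any destination that is not on the explicit allow list.

```python
"""Inspect links in an HTML e-mail body: flag anchors whose visible text
shows one host while the href goes elsewhere, and reject any destination
not on an explicit allow list (allow-list, not block-list, model)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every domain here is a placeholder.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Your invoice is ready:
<a href="http://invoice-portal.example.net/dl?id=7">https://billing.example.com/invoice/7</a></p>
<p>Questions? <a href="https://billing.example.com/help">Help centre</a></p>
<p><a href="https://tracker.example.org/c?u=1">Unsubscribe</a></p>
"""

# Hosts this organisation has vetted (assumption for the example).
ALLOWED_HOSTS = {"billing.example.com", "example.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(s):
    """Lower-cased host of a URL-looking string, or None if it has none."""
    return urlparse(s.strip()).hostname or None


def allowed(host, allow=ALLOWED_HOSTS):
    """True when host is an allowed host or a subdomain of one."""
    return host is not None and any(host == a or host.endswith("." + a) for a in allow)


def assess_links(html, allow=ALLOWED_HOSTS):
    """One finding per anchor: destination host, text/href mismatch, allow-list result."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        shown = host_of(text)  # only meaningful when the visible text is itself a URL
        findings.append({
            "href": href,
            "text": text,
            "dest_host": dest,
            "mismatch": shown is not None and shown != dest,
            "allowed": allowed(dest, allow),
        })
    return findings


def verdict(html, allow=ALLOWED_HOSTS):
    """'reject' if any link is mismatched or off-list, otherwise 'accept'."""
    bad = any(f["mismatch"] or not f["allowed"] for f in assess_links(html, allow))
    return "reject" if bad else "accept"


if __name__ == "__main__":
    for finding in assess_links(SAMPLE_HTML):
        print(finding)
    print(verdict(SAMPLE_HTML))
```

          The first link in the sample is the classic case: the text reads as the billing site, the href goes to a different host, and that host is not on the allow list. The "Help centre" link passes because plain link text has no host to compare and its destination is vetted. Scheme checks, redirect following and per-sender lists would be the next additions in a real gateway.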

        2. SImon Hobson Bronze badge

          Re: Not a firewall - a content filter.

          Yeah, Outlook is a 'kin security "this is how to actively not help the user" example. It does actually show links if you hover over them (I think, my work laptop is shut down and it's the only place I am forced to use Outlook). But it puts finding the actual email address behind a "friendly" name (from memory) a couple of clicks and a hover away - not "hover and there it is".

          So how can you blame users for sending an email to fred_the_criminal@gmail.com instead of fred_in_accounts@company.com when Outlook actively makes it hard for the user to see that "Fred" is not actually "Fred" ?

          I've had my boss accidentally email me work stuff at my personal email address - before I started the job, we conversed using my personal email. So my name is in his autocomplete with two different email addresses - and as mentioned above, Outlook goes out of its way to hide the difference.

          It's a bit like the real email address being in a locked filing cabinet, in a disused lavatory, with a sign on the door saying Beware of the Leopard !

    3. sbt

      sending emails with embedded links

      A thumb up, but I think that's just too compelling a feature for legitimate use cases for organisations to give up. Tackle it via solving the lack of authentication for e-mail, and then links can be deleted from any unauthenticated e-mails. Give people easy to use white-listing tools for trusted suppliers.

      Charge a fee per e-mail.

      Folks got used to tossing the junk mail that arrived through the post. While they still fall for bogus letters, the postage cost vs return rate from victims there is not good enough to support the kind of volumes we see via e-mail.

      1. Doctor Syntax Silver badge

        Re: sending emails with embedded links

        Some of the worst offenders seem to be those who use a 3rd party agency set up as a sub-domain of the alleged sender. Pinging those reveals the truth but not many recipients are able to do that. An automated check and bounce would help. OK, it destroys a business model but it's essentially a parasitic one and if the choice were made between adding the spamming capacity in-house and not spamming it might, in effect, raise the cost of email as you suggest.

      2. Version 1.0 Silver badge

        Re: sending emails with embedded links

        Charge a fee per email and you will start getting invoices claiming that you sent 1000 emails last week and that you need to pay the invoice in bitcoin quickly, otherwise you will be disconnected from the internet.

        Adding little fees isn't going to stop anything. The internet is designed to always work; security was not an issue for years after the internet first appeared - it needs a complete redesign.

      3. Dave 15

        Re: sending emails with embedded links

        How would you do that? Most people trust certs from the larger cert providers, so you buy a cert, sign the mail, and it looks cushy at least until the cert is revoked - more than enough time to have caught a few people.

    4. vtcodger Silver badge

      Real users

      It would help if everyone were trained to follow a simple rule: do not click on a link

      It would. But anyone who has dealt much with real users will tell you that the only way to keep one substantial subset of that bunch from clicking on links would be amputation of their mouse clicking appendage.

      One could try using a text-only mail reader like Alpine or Mutt or perhaps a 1990s version of Eudora. But I expect that some users would still find ways to get themselves (and your system) into trouble.

      1. Version 1.0 Silver badge

        Re: Real users

        Or configure the mail server to remove all links from emails - remember the days when we all used to email friends .exe files? Back then it was not a problem, these days it's a disaster.

      2. hoola Silver badge

        Re: Real users

        That is all well and good, but when organisations send out internal emails littered with links, have systems spew out millions of emails that look like spam and use a third party to send emails to all staff that are equally iffy, what do you do?

        So many internal systems spew out huge html emails to do nothing more than tell you that somebody has clicked something; where do you go? The problem is much closer to home and IT needs to do a lot more to clean up its act and not keep blaming the users.

        Sure the users (at all levels) can do some really daft things but there is no reason for IT to make it easier to actually be that daft.

    5. amanfromMars 1 Silver badge

      Not such a good plan ... when IT Morphs into Malfeasance.

      Doctor Syntax,

      That is all very well, but wilfully keeping oneself deaf, dumb and blind to a great deal of what is going on all around you, leaves one ignorant of what is in store and effecting and infecting everyone and everything around you.

      That presents you with an exclusive narrow rose tinted view of a huge deep and dark web with myriad worlds of intrigue and persistent endeavour.

      Can you imagine what would happen if governments followed that advice ......... do not click on a link or open an attachment in an unexpected/unsolicited email, even if you think you know who sent it. Being deaf, dumb and blind to all that is going on around them renders them extraordinarily easy prey to that which they mightn't have even the faintest of clues about. Methinks that is tantamount to a right treasonous dereliction of both public and private duty in national administrative office. And it is always inevitably increasingly quickly self-defeating.

    6. RegGuy1 Silver badge

      NEVER click a link in ANY email

      Never, never, never, never click on a link in an email. NEVER.

      The mail should have the link in plain text (without all that guff to identify you) and you should cut-and-paste it. Train your staff to understand the structure of URLs, I mean, even my wife[1] will ask me first, saying it looks funny.

      I know buttons look nice and in business, presentation is so important. But NEVER EVER click a button in a mail, it is just too easy to fool people.

      [1] Wow. WOW!

      1. Anonymous Coward

        Re: NEVER click a link in ANY email

        Dumb advice. There are quite legitimate cases where clicking a link in an email is valid. For example, validating a newly created account on a website. It's standard advice from penetration testers to construct such a link.

    7. Jim-234

      How about you put the burden on the multi billion dollar companies that make the software?

      I would say that your approach is a very bad idea.

      Apparently most of the world decided to give a virtual monopoly on software to a couple large multi billion dollar (mostly American) companies.

      Perhaps they could be held to account that their software is so insecure that opening something in your e-mail allows the take over of your computer?

      It seems instead of fixing the root of the problem by suggesting those who get extremely wealthy writing the software don't produce buggy code, you suggest that the least technical end users should have their livelihoods under constant threat of being destroyed by arrogant know it all types who want to have fun setting traps for people instead of actually working on trying to not have such an insecure operating system be responsible for all their business.

      Your solution most likely would do nothing more than simply enable some IT people with a god complex to go around terrorizing the workers at their company while making nothing actually more secure and making doing actual business very difficult.

    8. Anonymous Coward
      Anonymous Coward

      I know that not clicking on links is standard advice, but I've never been completely clear what the risk is that's being mitigated here. Is this about 0-day exploits that can take over your machine simply from clicking on a hyperlink? Or is it about stopping the user before they manage to download something and then execute it? Or something else?

      It's occurred to me in the past that telling users clicking is dangerous is a bad idea without explaining why - I've certainly seen a user who had been told not to click on links carefully type the link into an address bar instead.

      1. doublelayer Silver badge

        It's an attempt to encourage caution about external resources which could host malware, request information, or try to steal SSO tokens. Clicking on the link versus pasting it doesn't really make much difference. Sure, there's a chance that someone will recognize a URL as malicious but not bother to check the URL on a link, but I don't think it's a large subset. Most users I've seen will either check where the link goes before clicking it or cheerfully copy and paste a link to iamactivelyevil.com.

        1. hoola Silver badge

          And then you get the "safelink" stuff in Outlook that makes it next to impossible to check if it is embedded under text.

          1. SImon Hobson Bronze badge

            Yes, that 'kin evil system that a) slows everything down massively, and b) makes it 'kin difficult to work out what the actual URL is. For good measure, it also makes it a PITA for support when a URL "doesn't work" and you have to work out what it is that doesn't work !

    9. Michael Wojcik Silver badge

      Trained on penalty of immediate dismissal for failure

      This is a terrible idea. When you penalize employee error, errors will be concealed rather than used to improve systems.

      Thomas Limoncelli had a good piece on this in the February CACM.

      1. Charles 9

        So what does he propose instead? Discipline demands at least a few sticks. Frankly, I would counter with making the potential for concealment more difficult.

  3. My-Handle

    Use traditional security insurance as a model?

    Take the problem out of cyberspace for a moment...

    If someone breaks into your business premises and nicks a bunch of stuff, your insurer will do an inspection of the site post-event. They will check that you had a reasonable amount of security in place. If you did (e.g. you had lockable doors which were actually locked, you had cameras in place, plus whatever other measures were agreed in your policy...) then they will pay out. If not, they won't.

    Now bring the problem back into cyberspace.

    You and your insurer agree a set number of practices that you are required to follow to ensure that you are secure, and to mitigate any attack that might get through (e.g. segmenting the network, taking regular backups and testing recoverability etc). If somehow a particularly motivated or well-resourced attack does make it into your network, the insurance company sends out a qualified investigator and pays out. If you weren't secure... tough.

    The nuanced approach works, at least on paper. Hopefully it should encourage companies to invest more in IT, in the same way that they should for other business costs.

    1. sbt

      Re: bring the problem back into cyberspace

      Great idea, but I fear there's an immaturity in assessing the risk on the underwriting side and a fatal lack of qualified and experienced professionals to take on the claims assessor/adjuster roles. It's taken decades to establish and mature the premises insurance underwriting/claim model and deal with fraud issues, assess losses and costs, etc.

      Brought to you by The Crimson Permanent Assurance.

      1. My-Handle

        Re: bring the problem back into cyberspace

        Fair enough.

        But for something to mature, it has to start somewhere. There are a number of cyber-security companies out there already offering services such as pen testing. That would be a place to start.

        The question to ask here isn't whether the idea is perfect, but whether it is better than the current status quo, or other potential solutions.

        1. Emir Al Weeq

          Re: bring the problem back into cyberspace

          Absolutely right.

          In the same way that my vehicle insurer won't pay out if I don't have an MoT[0]; my contents insurance won't pay above a certain value for jewellery unless items are kept in an approved safe etc.

          You are also right to say that this will take time to mature, but we need to start somewhere.

          [0] Left-pondians: an MoT is an annual, legally required test of road-worthiness.

          1. Charles 9

            Re: bring the problem back into cyberspace

            In the US, road-worthiness is handled at the state level (each state has its own rules), so you would be saying your car insurance won't pay out if you don't have your driver's license and the car isn't current on its state inspections.

      2. SImon Hobson Bronze badge

        Re: bring the problem back into cyberspace

        I fear there's an immaturity in assessing the risk on the underwriting side and a fatal lack of qualified and experienced professionals to

        Add to that, you get situations like I had a few jobs back. We had an assessment from someone - I can't remember now whether it was our parent company, the auditors, the insurers, or someone else. We in IT weren't told about it, or offered the opportunity to respond to their queries - we only found out afterwards when we got a list of technical things our manglement had agreed that we'd do (in a "we normally expect to see ...", "OK, we'll do it then", box ticking exercise), some of which were not supported by our systems.

    2. JetSetJim

      Re: Use traditional security insurance as a model?

      > You and your insurer agree a set number of practices that you are required to follow to ensure that you are secure, and to mitigate any attack that might get through

      At the moment this is called the Security & Fraud Awareness mandatory eLearning courses that I've been doing every year for the last many years.

      Not much has changed over the years - if you get something unsolicited, leave it alone. If you must be curious, hover the links to find out where they actually go. But still not all users have a clue. I remember a boss coming to me saying he thinks summat was wrong with his laptop. Turned out he had been "randomly selected to win an iPod" and had to open a Word doc to fill in a claim form. The filename was "EntryForm.doc .exe".

      Needless to say I popped the LAN cable while switching it off and told him to call in IT, but he was a relatively clued up guy in tech, so would have thought he'd be a bit more careful.

      1. usbac Silver badge

        Re: Use traditional security insurance as a model?

        Why on earth would their email server/client allow a .exe attachment? I thought every responsible email admin has been blocking unsafe attachments for more than two decades...
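        As an added example (not code from either commenter), this is the kind of filename screen a mail gateway applies before an attachment like the "EntryForm.doc .exe" above ever reaches a user: executable types are blocked outright, a document extension padded with spaces in front of an executable one is recognised as the double-extension trick, and an executable extension buried mid-name is held for review. The extension lists and sample filenames are constructed for the example, not a vendor's list.

```python
"""Screen attachment filenames at the mail gateway: block executable types,
catch the padded double-extension trick, hold odd cases for review."""
import re

# Illustrative lists (assumption for the example, not a product's list).
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                      "vbs", "vbe", "wsf", "hta", "msi", "lnk"}
# Document/image types typically used as the innocent half of "x.doc.exe".
DECOY_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}


def normalise(name):
    """Collapse whitespace runs, drop padding before a final extension and
    strip trailing dots/spaces, so 'Form.doc      .exe' == 'Form.doc.exe'."""
    name = re.sub(r"\s+", " ", name.strip())
    name = name.replace(" .", ".")
    return name.rstrip(". ")


def extensions(name):
    """All dotted suffixes, lower-cased: 'a.doc.exe' -> ['doc', 'exe']."""
    parts = normalise(name).split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def screen_attachment(name):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    exts = extensions(name)
    if not exts:
        return ("allow", "no extension")
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            return ("block", f"decoy double extension .{exts[-2]}.{final}")
        return ("block", f"executable type .{final}")
    if any(e in BLOCKED_EXTENSIONS for e in exts[:-1]):
        # e.g. 'backup.exe.txt': harmless as named, but worth a human look
        return ("review", "executable extension hidden mid-name")
    return ("allow", f"document type .{final}")


# Constructed sample filenames, including the padded one from the thread.
SAMPLE_NAMES = [
    "EntryForm.doc          .exe",
    "invoice.pdf",
    "setup.exe",
    "report.docx",
    "photo.jpg.scr",
    "README",
    "backup.exe.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", screen_attachment(n))
```

        Filename screening is only the first layer: a gateway should also inspect the attachment's actual content type and unpack archives, since the extension is entirely under the sender's control.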

  4. Tom 38

    I'm surprised the insurance companies pay out anyway - all they would have to do is show some security negligence. No different from getting burglarised if you leave your front door open, no security, no claim.

  5. anthonyhegedus Silver badge

    Those in security all know a dodgy link or attachment when we see one, and can train staff, but we cannot anticipate what future attacks will look like with any degree of certainty. IT managers could block all links in Outlook, and block all attachments, but this is likely to be impractical.

    The real problem is that the system allows for scammers to extort money through several weak links in the chain:

    - ease of OSes being susceptible to viruses

    - governments hiding these perps, or even being the perps

    - ease of sending malicious links or attachments

    - ease of creating a website that hosts malicious code

    - ease of opening links or attachments on computers

    - ease of getting payments more or less anonymously

    I don't profess to know the answers, but it's clear to me that the problems are manifold. Each one of these things is being addressed in part by systems, people, laws etc. but I do feel that more could be done in regards to the payment mechanisms like Bitcoin, and perhaps sanctions against those countries which continue to do not a damn thing about the criminal gangs behind these attacks and the hosting companies that help them.

  6. alain williams Silver badge

    How hard is it ...

    to implement good backups that cannot be corrupted, done at least daily?

    Too hard it seems.

    There is a difference between a small business that should know better and a large one where the IT director should be shot for not implementing this.

    1. Doctor Syntax Silver badge

      Re: How hard is it ...

      The IT director may want to do it but be restricted by beancounters.

    2. My-Handle

      Re: How hard is it ...

      By and large, I agree.

      I think there are some nasties out there that sit quietly and encrypt away for quite a while before announcing themselves, thus ensuring that a lot of your more recent backups are also toast.

      Last time I had to deal with an issue like this, that was exactly what had happened. The recent backup drives were also live on the network, with the same admin security as everything else, so they were a nice ripe target anyway.

      1. alain williams Silver badge

        Re: How hard is it ...

        nasties out there that sit quietly and encrypt away

        That is why you keep Monday's backup for a month or few and the backup on the 1st of the month for a year.

        Restoring last night's backup should be quick. If you have not noticed these files being corrupted then it does not matter if it takes longer to restore them.

        backup drives were also live on the network

        Not a problem, it makes it easy for users to restore their own files, I do the same myself. But surely these backup drives are read-only to anything other than the backup server to which only savvy IT people have write access?

        It is not really that hard, neither is it expensive compared to the cost of not being able to work for many days. But people do love making plausible excuses.
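        As an added example (not the commenter's own scripts), the rotation described above, nightly snapshots kept for a week, Monday's kept for a month or so, the 1st-of-month kept for a year, is a few lines of date arithmetic. The retention windows and the nightly snapshot series are constructed assumptions; the function returns what to keep and what becomes eligible for deletion, and is the sort of thing that should run only on the backup server that holds the sole write access to the archive.

```python
"""Backup rotation: keep every nightly for a week, Mondays for ~a month,
and the 1st-of-month snapshot for a year. Everything else is prunable."""
from datetime import date, timedelta


def retention_keep(snapshot_dates, today, daily_days=7, monday_weeks=5, monthly_days=365):
    """Set of snapshot dates to keep. A snapshot survives if any rule
    applies; the windows are assumptions for the example."""
    keep = set()
    for d in snapshot_dates:
        age = (today - d).days
        if age < 0:
            continue  # future-dated snapshot: neither kept by rule nor pruned
        if age < daily_days:
            keep.add(d)                                   # recent nightly
        elif d.weekday() == 0 and age < monday_weeks * 7:
            keep.add(d)                                   # a Monday, last few weeks
        elif d.day == 1 and age < monthly_days:
            keep.add(d)                                   # 1st of the month, last year
    return keep


def plan(snapshot_dates, today, **rules):
    """(keep, delete) as sorted lists; future-dated entries appear in neither."""
    keep = retention_keep(snapshot_dates, today, **rules)
    delete = [d for d in snapshot_dates if d not in keep and d <= today]
    return sorted(keep), sorted(delete)


def nightly_run(start, end):
    """Constructed sample: one snapshot per night from start to end inclusive."""
    out, d = [], start
    while d <= end:
        out.append(d)
        d += timedelta(days=1)
    return out


def sample_plan():
    """Plan for a constructed series: nightly 2019-12-01 .. 2020-03-16,
    evaluated on Monday 2020-03-16."""
    today = date(2020, 3, 16)
    return plan(nightly_run(date(2019, 12, 1), today), today)


if __name__ == "__main__":
    keep, delete = sample_plan()
    print("keep  :", [str(d) for d in keep])
    print("prune :", len(delete), "snapshots")
```

        Note what the rotation does and does not buy: it protects against silent corruption noticed within the retention window, which is exactly the scenario the thread describes, but it does nothing if the archive itself is writable from the compromised network. Retention policy and write-isolation of the backup store are separate controls.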

        1. Anonymous Coward

          Re: How hard is it ...

          "That is why you keep Monday's backup for a month or few and the backup on the 1st of the month for a year."

          The REAL nasty ones wait you out and can corrupt even that far back.

          "But surely these backup drives are read-only to anything other than the backup server to which only savvy IT people have write access?"

          And then they take over the backup server using one of THEIR credentials?

          Remember, the double-jeopardy ransomware writers will be looking for the juicy bits so will be patient.

    3. Anonymous Coward

      Re: How hard is it ...

      Genuine question - what kind of files are people losing to ransomware?

      Small files that don't change very often? Archived and on the most recent back up. Big files that don't change very often? On the last backup. Small files that change very often? They should be under change control. Perhaps the whole repository got encrypted? Big files that change often (e.g. databases)? Are they even that vulnerable? And, if they are, do you not just get the last big back up and then re-run the outstanding log?

      I've (touch wood) never been near enough to one of these attacks to know what it is that really tempts the marks to pay the ransom, can anyone please enlighten me? The media articles tend to just refer to 'data' and 'files' ...

      1. vtcodger Silver badge

        Re: How hard is it ...

        "Genuine question - what kind of files are people losing to ransomware?"

        I've always assumed that most of the problem is the loss of one or several days worth of work product and/or transaction data. Not a big deal for some of us, but for a retail business or hospital, it's a disaster. The older data can presumably be retrieved from the backups (assuming they exist, worked properly, and haven't been trashed or booby trapped), but this morning's orders and deliveries and payments are toast unless hard copy transaction records have been rigorously maintained along with the digital stuff.

        1. My-Handle

          Re: How hard is it ...

          One example company I can think of had 3D CAD design files for their latest prototypes encrypted.

          Redoing those would have taken many months of effort, and the products that these files would become would contribute hugely to the company's revenue over the next few years.

          And an actual backup strategy is apparently expensive, so a NAS drive will do.

          /s

      2. Anonymous Coward
        Anonymous Coward

        Re: How hard is it ...

        Anything and everything the encryption can get its hands on.

        Sometimes it's just files on local and network drives. I've also seen entire SQL databases encrypted, with the server being rebooted first to free the locks on the files.

        There's often privilege escalation code to try and get administrator, system, domain admin, root etc. privileges.

        Don't forget the remote access that maybe also gets fired up, with real people trying to find and destroy backups, and also extract files containing anything they think they can blackmail you with by threatening to post it publicly.
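The "sit quietly and encrypt away" case raised earlier in this thread, and the in-place database and file encryption described in the post above, are the ones a backup job can catch before it overwrites last night's clean copy. The following is an added example (not from any poster) of two cheap pre-backup checks: canary files planted in the shares must still hash to their known value, and files whose extension promises plain text must not look like random bytes or have a stranger's extension appended. The thresholds, file names and the sample share it builds in a temporary directory are all constructed for the demo.

```python
"""Pre-backup integrity sweep: canary hashes plus entropy and extension
checks on files that should be readable text. Returns findings rather than
printing them so a backup job can refuse to run when the list is non-empty."""
import hashlib
import math
import tempfile
from pathlib import Path

TEXT_LIKE = {".txt", ".csv", ".log", ".ini", ".xml", ".html", ".json", ".md"}
OFFICE = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
KNOWN = TEXT_LIKE | OFFICE
ENTROPY_LIMIT = 7.5  # assumed threshold; English text sits around 4-5 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (ciphertext-like)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, canaries):
    """canaries maps a relative POSIX path to its expected SHA-256 hex digest.
    Returns a list of (finding, relative_path) tuples; an empty list means clean."""
    root = Path(root)
    findings = []
    for rel, expected in canaries.items():
        p = root / rel
        if not p.is_file():
            findings.append(("canary_missing", rel))
        elif sha256_file(p) != expected:
            findings.append(("canary_modified", rel))
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in canaries:
            continue
        suffixes = [s.lower() for s in p.suffixes]
        # "budget.xlsx.locked": a known document extension with an unknown one appended
        if len(suffixes) >= 2 and suffixes[-2] in KNOWN and suffixes[-1] not in KNOWN:
            findings.append(("appended_extension", rel))
        # a .txt that reads like random bytes was probably encrypted in place
        if suffixes and suffixes[-1] in TEXT_LIKE:
            with open(p, "rb") as f:
                head = f.read(65536)
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_LIMIT:
                findings.append(("high_entropy_text", rel))
    return findings


def build_sample(root):
    """Constructed sample share: healthy files, two canaries, then simulated damage."""
    root = Path(root)
    (root / "finance").mkdir()
    (root / "finance" / "notes.txt").write_bytes(b"quarterly notes: nothing to see here\n" * 40)
    canary = b"DO NOT DELETE - used by the backup integrity check\n" * 8
    digest = hashlib.sha256(canary).hexdigest()
    (root / "zz_canary.txt").write_bytes(canary)
    (root / "finance" / "zz_canary.txt").write_bytes(canary)
    canaries = {"zz_canary.txt": digest, "finance/zz_canary.txt": digest}
    # Simulated encryptor: deterministic pseudo-random bytes stand in for ciphertext.
    junk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (root / "zz_canary.txt").write_bytes(junk)                   # canary overwritten in place
    (root / "finance" / "report.txt").write_bytes(junk)          # document encrypted in place
    (root / "finance" / "budget.xlsx.locked").write_bytes(junk)  # encrypted and renamed
    return canaries


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(tmp, build_sample(tmp))


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:20s} {path}")
```

Office files are zip containers and already look random, so the entropy test is deliberately limited to text-like extensions; for those the appended-extension check is the only signal. An attacker who has taken over the backup server, as the reply above warns, can of course also edit the canary list, which is the argument for keeping that list, and the retained copies, somewhere the server can only read.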

      3. Anonymous Coward
        Anonymous Coward

        Re: How hard is it ...

        It's all the CEO's porn. Failure to restore is NOT an option!

        *Cough*

    4. Anonymous Coward
      Anonymous Coward

      Re: How hard is it ...

      Rotated offline backups cost money. Does the cost of insurance reduce that cost? If it does then they'll keep doing it. Economics 101. My own personal setup for documents I can't lose consists of a Nextcloud server and client, BD-R and an offline two disk raid NAS I turn on and update twice a month.

      1. SImon Hobson Bronze badge

        Re: How hard is it ...

        At a previous job, we had lots of backups (we did a nightly backup of the live ERP system, and kept these for several months, and larger weekly backups of the whole system that were kept for longer) - offsite, kept for a long time. This was in the days of tape - DAT and SL? respectively IIRC, that'll date it !

        After I'd left, the new admin got a surprisingly large sum of money budgeted, and a surprisingly large discount from Dell - so setup a VMware system, and I was called in to help migrate the old ERP system running atop SCO OpenServer on an out of support IBM system to a VM on the new setup.

        Backups changed from being to tape, stored off-site, with many iterations to ... live snapshots of the VM stored on the same disk arrays as the live VM.

        So yeah, basically not a lot of backup if the building burns down, the array fails, the hardware is stolen, ...

  7. Anonymous Coward
    Anonymous Coward

    Can't help but feel more people should be using Content Disarm and Reconstruct e.g. Glasswall. Malware attachments gone!

  8. Cuddles

    We do not negotiate with terrorists

    Unless it's convenient.

    1. Anonymous Coward
      Anonymous Coward

      Re: We do not negotiate with terrorists

      "We do not negotiate with terrorists

      [Unless it's convenient.]"

      It turns out that the Thatcher method was to deny any such negotiation could ever be acceptable, while supervising a couple of minions who are dealing with it on the quiet, in the background.

      See e.g. https://www.bbc.co.uk/news/uk-northern-ireland-16366413 and others.

  9. Rol

    We have created this mess for ourselves

    What was once a perfectly safe conduit for plain text, is now a funnel for all manner of shite, because "we" yearned for increased functionality, or rather, developers thrust it upon us, in the war for market share.

    It's the never ending cycle of "upgrades" and "enhancements" that has shot away all the security that the basic original concept had in place.

    In some things, it is fine to let the market lead the way, but fundamental and strategic resources need strong governance to help maintain security, and stop developers from opening ever more exploitable avenues.

    1. vtcodger Silver badge
      Thumb Up

      Re: We have created this mess for ourselves

      You're dead right and upvoted accordingly.

      Internet security is a difficult problem and ultimately there may be no very satisfactory answers to many of its problems. But today at least, many/most of our problems are due to ignoring warnings that in the long run X is a terrible idea and you'll wish you hadn't implemented it.

    2. Roger Kynaston

      Re: We have created this mess for ourselves

      I've upvoted you for the sentiment but email was never secure. It was designed in a different world where computers on the network were trusted. Now we don't trust other computers and the increased "functionality" of email has played a part in breaking that trust.

    3. doublelayer Silver badge

      Re: We have created this mess for ourselves

      "What was once a perfectly safe conduit for plain text, is now a funnel for all manner of shite, because "we" yearned for increased functionality, or rather, developers thrust it upon us, in the war for market share."

      I'm sorry, but in most important respects, this is just wrong. HTML email does allow a few exploits, such as embedding an image to check when somebody is opening the message, but that's not a major security risk and the privacy risk that does exist is mitigated by most modern mail clients and some mail servers. Opening an HTML email doesn't in itself give the attacker access to run code.

      The exploits which have worked so well over email are all hacking the human. Open this attachment which is an executable but looks like a document because the OS doesn't show extensions. Open this document which is actually a document but contains macros. Go to this website and enter the information on it (if the user copies a URL or clicks a link, they're ending up in the same place). All of this was as possible with text-based email as it is today. A few of the risks that make it more dangerous, including the structure of the protocol meaning it's possible to impersonate anyone and a lot of servers will just trust you, are leftovers from that old text-based conduit which was never secure and still isn't today.

      Back in those good old days, it wasn't that email was more secure. In fact, it was almost certainly less secure because we have found some things that could easily be fixed. The reason it felt better is that there were fewer attackers and fewer users who were biased toward more familiarity with the technology and its risks.

    4. mark l 2 Silver badge

      Re: We have created this mess for ourselves

      A lot of the faults can be put on how badly broken Office macros are. Because MS relies on backward compatibility to sell MS Office, and they are afraid that if they fixed macro security it would break some 10-year-old documents that some big business uses, they won't fix it.

      And I also think that OS developers could do more to stop the malware being able to encrypt files by implementing something at the filesystem level, rather than making things more shiny shiny.

      And then there is the browser itself, how are we still in a situation where merely visiting a website can pwn your entire machine?

  10. Pete 2 Silver badge

    Send the bill to the board

    I have a sneaking suspicion that if the directors of the company were made personally responsible for paying the ransom from their own pockets, there would be a near-instant upgrading in the status of IT security. It would be transformed from being an annoying backwater, to being an annoying front-line operation.

    1. Doctor Syntax Silver badge

      Re: Send the bill to the board

      Not near instant. There'd be three categories of director. Those who'd react promptly, those who didn't & got bankrupted and those who'd react once they'd seen a few bankruptcies amongst fellow directors.

      1. Anonymous Coward
        Anonymous Coward

        Re: Send the bill to the board

        What? No Directors who would hire Bryan Mills?

    2. onemark03

      if the directors of the company were made personally responsible

      Provided such events were also excluded from D&O insurance - just to make sure.

  11. Scott Broukell

    Taking all of the well made points made above, I would like to add the problem of convenience. Today's software is all about convenience. That's all well and good for marketing the stuff and using links within emails etc., but it isn't any bloody good in terms of security. Computers are great servants but terrible masters - inherent in their very design is their ability to execute commands or instructions at fast speeds, without any thought as to the consequences of that instruction - because computers don't think, they do. The thinking still needs to be done by us humans. But then we find a work-around to all this onerous thinking because software developers build in convenience, cos we bloody demand it from them, cos we are dumb that way. So, one approach might be to make things (like opening attachments or clicking on links) a lot harder to do, at least, harder to do without some serious thought about what the consequences might be (see personal liability above etc.). But businesses like to be that one step ahead of the field and would protest that such a slow down in process time would reduce profits and reduce their competitive efficiency. Bring back command line input! (I feel sure many hereabouts will remember having to think through entering commands in that manner!) Or, perhaps better than that, implement a modern version of command line input, with built in flags and checks designed to alert the human user that it is time to apply some serious thought as to the actions they are currently undertaking!

    We just can't continue to have all this thought-free, convenient, computing going on if we actually want to do something about ransomware / malware etc.

    1. Retiredwatcher

      It starts at the top

      How often have I been involved in cleaning up a mess all because the organisation is OK

      However the MD - to whom the rules don't apply - clicked on it or went to that site.

      Then the house of cards falls down.

      Time to have some storage devices that disconnect the network interface unless it's time to do a backup perhaps?

  12. naive

    Stop using MS Windows is also an option

    Still scratching my head how in the world it is possible someone manages to design, produce and make truckloads of money off an Operating System that allows its kernel, device drivers and boot code to be changed by a webpage, email or a pdf.

    Maybe it is provocative to many, but after all, it is 2021 not 1995.

    Technology today should allow for better operating systems, maybe with slight discomfort to the user, comparable to putting on seat belts in a car.

    MS is a very capable and rich company, they really should do better and not get away so easily with products that are unsafe death traps like pre 70's cars were.

    1. olid

      Re: Stop using MS Windows is also an option

      I don't care if my kernel, device drivers or boot code are overwritten, I can restore them from the installation media.

      The important files are my personal files, which I have full R/W access to.

      I think a more functional sandboxing of external untrusted content would help. Currently it seems that you can do little with untrusted files, until you click on the unblock, which everyone is trained to do if it's enabled.

      1. Boris the Cockroach Silver badge
        Linux

        Re: Stop using MS Windows is also an option

        I think you missed the point.

        If a user can click on a link or get a webpage that can download a nasty that will get root level access to your PC, then the design of the OS is important, after all without root access, it will only screw up the files in your account, with root access it will screw everyone else's accounts, then spam itself onto the network looking for more machines to screw up.

        What the insurance companies should be doing is exactly the same as they do assessing physical crimes.

        Eg no immobilizer or lock(s) on your bike... less of a payout

        Running windows XP* on a production machine tethered to the internet.... no payout

        *Scrub that.. running windows at all ;)

        1. Ken Hagan Gold badge

          Re: Stop using MS Windows is also an option

          Nope, I think you've missed the point:

          "The important files are my personal files, which I have full R/W access to."

          That's the point. It is really hard to protect files that (in some sense) must not be protected!

          I think you can probably do it with a SELinux setup that has religiously mapped out all of the required access for all of the packages that a user needs to do for their job, and then locked the whole system down. I bet that fewer than one in ten thousand Linux systems are configured that way and I bet there are fewer than ten thousand people on the entire planet with the expertise to do it.

    2. Martin J Hooper

      Re: Stop using MS Windows is also an option

      Maybe Microsoft should be liable for their Operating System - In other words if malware got through the OS it should be Microsoft's fault...

      or am I taking it a bit too far... I do think that software companies should not be able to hide their liability in their TOS/Licences...

    3. doublelayer Silver badge

      Re: Stop using MS Windows is also an option

      "Still scratching my head how in the world it is possible someone manages to design, produce and make truckloads of money of an Operating System that allows its kernel, device drivers and boot code to be changed by a webpage, email or a pdf."

      Simple answer: they didn't. Your OS's core components can't be infected by opening those things unless they've found one massive vulnerability, and they probably haven't. In most malware attacks, the powerful application is a binary, executed on the machine. The user may be prompted to download the binary by a website, but the website didn't do it. Or the binary might get installed by modifying something they already have installed. Or a password is guessed and someone manually executes it. These are the very common things.

      Yes, there are vulnerabilities allowing an attacker to do drive-by attacks without the user or someone with user-level access executing something. They are somewhat rare. They're also found in all OSes. Linux, Mac OS, Windows, Android, IOS, you name it. That's basically impossible to prevent because there is so much going on. Implying that Windows has a lot of those and they are the cause of lots of malware infections is incorrect. For many attacks, the people to blame are the users who executed it and the administrators who didn't protect the method used to attack. Some of the time, the blame is squarely on one of those. The original developers deserve blame too at times, but not as much as you may think.

      1. Anonymous Coward
        Anonymous Coward

        Re: Stop using MS Windows is also an option

        How many other OSes in widespread use still (after an alleged root and branch security review) have a zillion critical vulnerabilities related to buffer overflows, don't even need the victim to click/download a .EXE, just a malformed JPG or a malformed font or some other thing which in principle ought to be pure data which in principle ought to be checkable before any real damage is done?

        "The original developers deserve blame too at times, but not as much as you may think."

        Early versions of NT had some of the characteristics of a secure OS, with communication between processes done by message passing rather than shared memory, thereby allowing some level of parameter checking and such. Relatively secure, but also relatively slow in comparison with doing the same things using shared memory/shared address spaces rather than message passing between processes in separate address spaces.

        And lo, it came to pass that Win16 games ran faster than the same game on the same hardware under NT. And so HQ said that message passing between processes in separate address spaces needed to be replaced by shared memory, which is even worse when kernel mode code was involved.

        Still, what could possibly go BSOD.

        And the rest is history. The progress backwards principle.

  13. amanfromMars 1 Silver badge

    A Plum Promotion or Mercenary Fact Finder Appointment for Future Pirate Operations

    Whenever one is a former GCHQ director/former government hacker/former chief of the UK's National Cyber Security Centre/former whatever, what does it tell one and all, both of the individual and the office formerly held?

    Was the office too challenging and unsuitable for the individual or was it vice versa, with failure guaranteed because the private sector beckoned with its more attractive rewards? Public service in lucrative fields of deployment is not an employment all can hack successfully and profit from magnificently and graciously whilst others would be so into imagining any excessive just reward, should ever it be revealed and admitted, disgraceful and disgusting. And given the sensitive nature of those sorts of remunerated roles, any leaks unveiling that privileged information can hardly be spun as anything other than a damaging failure of the office and a colossal betrayal of the officer ... which, in its turn, due to the systems and personnel directly involved, will not be without a response invariably packed to overflowing with dire consequences.

    Maybe both, the office and prime systems administrator are not fit for great global purpose?

  14. Dave 15

    Bit coin

    Well bitcoin is only a form of cash. Can't be impossible to work out who has benefitted. Find them and chop off all their bits.

  15. Dave 15

    While we are stamping on things

    Can we stamp on all Nokia Android phones. This one is a stinking pile of crap that requires switching off and on several times during each post because the F'ing pile of crap keeps locking the screen up and not updating it; it also can't answer a phone call. It also stops taking any input at different times. It is a stunning crock of shit which shows Nokia are now so downgraded they can't even test their crap before shipping it. Google's test framework would have highlighted these problems had anyone bothered their arse to use it. A heap of crap that no one should sell and certainly no one should buy. Those of us conned out of our money for this insulting piece of shit should be compensated by being allowed to kick the 7 bells of shit out of the developers, testers and management involved.

    1. Anonymous Coward
      Anonymous Coward

      Re: While we are stamping on things

      And yet Nokia are (I think still) the only Android phone manufacturer (excluding Google themselves) to make a selling point of actually providing monthly security updates to their phones for a few years.

      If yours isn't behaving properly, UK consumer law is there to help you - understand your statutory rights! (Oh, and grow up)

    2. Lunatic Looking For Asylum

      Re: While we are stamping on things

      Is this a recent thing - my N8 was acting weird for a few days last week and I did a webview update and it solved the probs. Google had pushed a funny patch out that was stuffing something and forcing a reload was enough to clear the probs. I'm sure I saw an article on the reg somewhere about it... here it is :-

      https://www.theregister.com/2021/03/23/google_webview_patch/

  16. Dave 15

    Ban Microsoft?

    Most of the problems seem to be with microshite software so ban that and make the hackers life at least more difficult.

  17. Long John Silver
    Pirate

    An excellent idea

    A ban on insurance payouts would focus people's attention on security. I presume GCHQ is doing its bit too for curbing this type of cyber-malfeasance.

    1. Ken Hagan Gold badge

      Re: An excellent idea

      I would hope that the /subsequent/ premiums for maintaining the insurance would have the same effect. It seems amazing to me that insurers are not the ones making a killing here. Immediately /after/ a payout, both the insurer and the perpetrator know that the victim is ripe for a repeat attack so why would the insurer not adjust the premium accordingly, to be lowered to a less eye-watering level only once the customer has demonstrated (and continues to demonstrate under regular audit) safe working practices?

  18. John Savard

    Depressing

    This is a recommendation that will, as its immediate direct effect, inflict additional problems on some of the victims of ransomware. We should focus on good solutions, like making it much easier to back up computers or like making operating systems so secure that ransomware infections can't happen.

  19. JimC

    Its impractical of course.

    But I would like to see all financial transactions reversable under court order. And if bank can't find where the money went, then it comes out of the bank's bonus pool.

    As for bitcoin, it needs to be banned simply for its contribution to global warming.

    1. jtaylor

      Re: Its impractical of course.

      "I would like to see all financial transactions reversable under court order."

      Money laundering makes that impractical. Person A stole money. They then purchased gift cards and sold them on. Person B bought the cards and used them to buy products from Company C, which were manufactured by Company D. D is also my employer. The crime is uncovered after my payday.

      Which transactions would you reverse? All of them?

      1. Paul Hovnanian Silver badge

        Re: Its impractical of course.

        "Person A stole money. They then purchased gift cards and sold them on."

        Put the gift cards behind the counter. Customer wants to buy one, fine. Smile at the nice camera over the cash register. With a piece of ID held in the field of view.

        That will help prevent scammers from copying the card numbers and pins and hanging them back up until a customer loads one as well.

        Yeah, it's inconvenient. But if I'm at risk of a money laundering charge for purchasing a bearer negotiable security, then all the people sending money using cards should expect to leave an identity trail as well.

        1. doublelayer Silver badge

          Re: Its impractical of course.

          Please stop. There are lots of people who want to stop crime by completely eliminating privacy, but that doesn't make that right, practical, or even functional. If person A doesn't buy gift cards, but instead buys other items and sells them onto others, the problem is the same. Let me guess, we now need to present ID to buy anything that looks easy to resell?

          There is already a method of doing what you want. Proceeds of a crime can be ordered seized from someone who knowingly received them, someone who didn't knowingly receive them but was contacted fast enough, or someone who has the ability to obtain them from the criminals involved.

          1. Paul Hovnanian Silver badge

            Re: Its impractical of course.

            "If person A doesn't buy gift cards, but instead buys other items and sells them onto others, the problem is the same."

            Yes, but the practicality of sending Tide detergent over the Internet as a series of numbers is vanishingly small. Intercepting meaningful quantities of physical products crossing tariff borders is comparatively easy.

            "Proceeds of a crime can be ordered seized"

            Then why can't we track Bitcoin payments to blackmailers? Or gift card numbers through a hawala?

            1. doublelayer Silver badge

              Re: Its impractical of course.

              We can do both of those things. The problem is that doing so takes some effort. Some people want it to be doable with a click of a button. If it is that easy, then every transaction will receive a button press and the data will be on file. On the file of the police for easy tracking of criminal activity. On the file of the police enforcing a dictatorial regime. On the file of a police officer who doesn't mind using it to stalk someone. On the file of an advertiser who thinks they can use it to sell stuff better. On the file of an abusive family member. On the file of an unethical journalist. On the file of your boss.

              Sometimes, we have to concede something which makes it easier to commit crimes because it supports others' ability to live a life without oppression. If we didn't have to, we could eliminate all crime, or functionally so. 95% of crime would be impossible, 4.99% of crime would be possible but nobody would do it, and 0.01% of crime would be detected immediately. You would not want to live in that world, especially if you ever disagreed with the people who decided what crime was.

              1. Charles 9

                Re: Its impractical of course.

                "You would not want to live in that world, especially if you ever disagreed with the people who decided what crime was."

                WE wouldn't, but you'd be surprised how many people would prefer it...

            2. Charles 9

              Re: Its impractical of course.

              "Yes, but the practicality sending Tide detergent over the Internet as a series of numbers is vanishingly small."

              But bank account numbers, diamond rings, and other small-but-valuable-and-easily-concealed things were a thing before the Internet. And there are usually black-market agents who are willing to do things no-questions-asked for a cut of the take. It's all part of the whole money-laundering game. Sure, the Internet makes it easy, but it's not like there weren't other ways then, and they can still work today.

        2. Charles 9

          Re: Its impractical of course.

          The guy actually buying the cards is just a mule who doesn't even know who gave them the money. All they do is get a cut. Even if they're busted, the head honchos cut them loose and leave them to roast. Plus they can always look for different avenues of laundering such as ghetto marts who aren't as diligent about who buys their stuff.

  20. Marty McFly Silver badge
    Go

    Companies need to start lying (well, more than they do already)....

    Acme Corp pays or doesn't pay the ransom for XYZ ransomware, it doesn't matter. However, they publicly announce they paid the ransom and were unable to recover their files.

    The Register and other media publish the story and all the IT folk believe the decryption tool for XYZ ransomware doesn't work. The next company that gets infected by XYZ ransomware won't consider paying the ransom as an option because of the widespread industry belief that it won't work.

    Heck, a bunch of companies could get together and simply claim they got hit by XYZ ransomware, paid the ransom, and the decryption was broken. A few CISOs making some announcements and pretty soon no one will make a payment. This forces the attackers to create new ransomware attacks - as even variants would be lumped in with original. Once there is a widespread belief that the attackers are not producing a viable decryption tool, the ransom payments will dry up - regardless of how many systems are actually attacked.

    1. amanfromMars 1 Silver badge

      Re: Companies need to start lying (well, more than they do already)....

      That's far too much of a transformation of The Register, from vulture to puppet, to be in any way believable, Marty McFly.

      They've been a long time reporting on such shenanigans as are designed and operated by crazy fools with blunt tools to deprave and corrupt/deceive and disguise hard core porn with soft ware scorn and because they are so good at it, are they always first in line for those lucrative exclusive scoops which can justify and reward their lairy existence and cheeky irreverence ....... revolutionary attitude?

      And posed as a question there, for that might be all wrong as opposed to being probably quite right.

    2. doublelayer Silver badge

      Re: Companies need to start lying (well, more than they do already)....

      Wishful thinking, I'm afraid. Several ransomware attacks were known not to return decryption keys, yet received payments. Probably not as much as they would have if decryption worked, but they got sent money by people who didn't investigate them before deciding to pay up.

  21. Lunatic Looking For Asylum
    Coat

    Of course, it would be cheaper if said companies (and public sector orgs) actually paid for qualified advice and staff to manage the problems and risks BEFORE the attack took place.

    Unfortunately we have a culture of cheapest wins and Brenda* can do spreadsheets, let's make her security officer.

    *Apologies to any person called Brenda - it's not personal - I just pulled the name at random - I don't know anybody called Brenda either.

  22. Anonymous Coward
    Anonymous Coward

    Surely

    The best solution is to use Sun Tzu: "Attack is the best form of defense"

    Go after weak systems and encrypt them before someone else can, of course then the key is known and it is a simple though inconvenient matter to reverse.

    While they are at it publish a few well timed news articles about "x, y or z got ransomwared", and intensive retraining of the people falling for script kiddie level pwnage.

    AC, because technically this would violate the CMA, anti-terror laws etc. Or would it?

    1. amanfromMars 1 Silver badge

      Re: Surely

      AC, because technically ths would violate the CMA, anti terror laws etc. Or would it? .... Anonymous Coward

      You can surely safely and securely ignore and avoid any difficulties relating to that technicality, AC, by travelling the APT2 [ACTive Persistent Threats and Treats] Routes and flashing one of those Ultra Secret Accredited Governmental Licences to Thrill Exploring and Exploiting and Expanding and Employing Advanced Penetrations Tester Root Boots and Reboots, should ever anyone consider misidentifying and questioning one as a awful lawless terrorist rather than realising it all simple clear evidence of some novel kind of SMARTR HyperRadioProACTive Being.

      Both the Corrupt and Perverse and the Petrified and Terrified Threatened with Great Positive Change Systems alike invariably invoke the Brain Dead Headed Cells of Terrorist Violence Card in fatal response to their defeated position. 'Tis a sure sign of the Endemic Systemic Craziness which Supports and Servers their Certifiable Madnesses.

      1. amanfromMars 1 Silver badge

        Read IT and Weep if Drowning in the Pit of Despair, Choked of Fresh AIr

        Do you want to see a present running current and correct picture of Corrupt and Perverse and Petrified and Terrified Brain Dead Headed Cells displaying and pimping the pumping and dumping of Endemic Systemic Craziness which Supports and Servers their Certifiable Madnesses in a defeated position ‽ .

        Behold, and wonder at how and why they could get everything so awesomely wrong so quickly....... https://www.zerohedge.com/markets/global-debt-problem

        Is the crass stupidity responsible theirs or yours to enjoy and seek to blame, or was/is it a pig ignorant JOINT Venture, with a rigged market place resulting in a very few filthy rich winners with fistsful of dollars and billions of piss poor losers with almighty blunt instruments and massive rocks to wield?

    2. Charles 9

      Re: Surely

      "Go after weak systems and encrypt them before someone else can, of course then the key is known and it is a simple though inconvenient matter to reverse."

      What's to stop the real criminals from encrypting the encryption using THEIR wrapper instead? Surround the surrounders, so to speak?

      "While they are at it publish a few well timed news articles about "x, y or z got ransomwared", and intensive retraining of the people falling for script kiddie level pwnage."

      And then it gets hushed quickly because the one who clicked the link was in the C-suite or cuts the checks, you know?

  23. Anonymous Coward
    Anonymous Coward

    Ban insurance payouts for one

    I'd go further: ban insurance payouts for ANY type of crime, and thus ALL crime shall cease to exist AT LAST!

    p.s. and encryption!!!! BAN ENCRYPTION, cause PEDOPHILES! PIRATES! TERRORISTS! RUSSKIES!

  24. KSM-AZ
    IT Angle

    Lots of opinions, Problem is ...

    People need email to do business. They complain loudly when it starts 'costing them money' because you are being secure. Then even more loudly because you let something thru that created a ransomware or something.

    It's not perfect by any means, but you really need to use Mimecast/Proofpoint/Barracuda/etc, and have them defang MIME attachments, and filter/rewrite links. Nothing prevents a zero day exploit, but with sufficient volume, the bigger players can detect, and block maybe three nines or more depending on scope. They detonate the link for you first, and try and dig down, or follow you in.

    Spam is somewhat more difficult than the malicious to eradicate.

    Finally EDUCATION is the hardest thing but nothing beats running one of the phish testers against your people, and 'having a prayer meeting' with the dumb-asses that follow the link and put in their creds...

    So Jody! How long has your password been MyDogRover1989$ ?
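The attachment defanging and link rewriting the comment above recommends from a mail gateway, shown as an added illustration (not the commenter's code and not any vendor's product): the message is a constructed sample and the click-check gateway URL is a hypothetical placeholder.

```python
"""Gateway-style defanging: strip risky attachments, rewrite links for click-time checks."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import quote

# Constructed sample message (not a real capture): one body part, two attachments.
RAW_MAIL = """\
From: payroll@example.test
To: jody@example.test
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please review http://invoice-portal.example.test/view?id=42 today.
--B1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

TVqQAAMAAAAEAAAA
--B1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"

JVBERi0xLjQK
--B1--
"""

RISKY_EXT = {".exe", ".js", ".vbs", ".scr", ".hta", ".bat", ".cmd", ".ps1", ".jar"}
RISKY_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/hta"}
URL_RE = re.compile(r"https?://[^\s<>\"]+")
REWRITE_GW = "https://urlcheck.example.test/?u="  # hypothetical click-time check gateway


def defang(raw: str) -> tuple[EmailMessage, dict]:
    """Return the rewritten message plus a report of what the gateway changed."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"stripped": [], "rewritten_urls": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT or part.get_content_type() in RISKY_TYPES:
            # Replace the payload with a notice; the original would go to quarantine, not the user.
            part.set_content(f"[attachment {name!r} removed by mail gateway]")
            report["stripped"].append(name)
        elif part.get_content_type() == "text/plain":
            # Wrap every link so the gateway can detonate/inspect it before the user lands on it.
            text, n = URL_RE.subn(lambda m: REWRITE_GW + quote(m.group(0), safe=""), part.get_content())
            if n:
                part.set_content(text)
                report["rewritten_urls"] += n
    return msg, report
```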

    1. Charles 9

      Re: Lots of opinions, Problem is ...

      "Finally EDUCATION is the hardest thing but nothing beats running one of the phish testers against your people, and 'having a prayer meeting' with the dumb-asses that follow the link and put in their creds..."

      Until they find out that "Jody" is the one cutting the checks...

  25. KSM-AZ
    IT Angle

    Ban Microsoft?

    Calls to ban Microsoft . . . Google Chrome is probably one of the currently weakest links, but I digress. Like the Microsoft issues, Chrome allows a bit too much flexibility.

    Training is really the best way to prevent problems. If someone emails the payroll clerk asking for an emailed copy of the W-2 run from last year that appears to be from a legitimate person, the answer should ALWAYS be no. Such information should NEVER be handled thru email; if you are, that is a procedural problem. I'm still trying to get this thru people's thick skulls. Okay, send it on a USB via POST c/o General Delivery, Cayman Islands <sigh>.

  26. KSM-AZ
    IT Angle

    There is *NO* excuse for paying to get data back

    Never pay ransom.

    You should always have a backup. period. If you don't you should go out of business because you deserve to. If you pay the ransom to keep them from disseminating info they stole you are even dumber. For how long?

    If you fail to protect your business, it's on you. Backups, Backups, Backups

    1. Charles 9

      Re: There is *NO* excuse for paying to get data back

      And what about all its customers that depend on that business to keep operating. "You should go out of business" sounds nice...until you learn it's your bank...or your insurance provider...or the only grocer in your neck of the woods...

      Sure, it's the whole "too big to fail" collateral damage thing, but the fact is, it's still a thing...that could come back to bite you in the keister.

  27. Joe Gurman

    Simple

    Ban all cryptocurrency transactions. They benefit no one but speculators (bad) and criminals (worse).

  28. ert

    Crypto currencies are the main problem

    Eliminate trading in crypto "currencies" and many current problems are eliminated at once, from crypto trojans to drug dealing, money laundering and terrorism financing.

  29. MJI Silver badge

    Hmm, let's think

    GCHQ are supposed to be the best at spying.

    So GCHQ should be able to trace the ransom crooks.

    UK also has special forces who would appreciate some extra training missions.

    Now that would stop it dead!

  30. Steven Guenther

    Treat it like kidnapping

    Back in the 70s some South American criminals kidnapped a Cola executive. The company did not pay; instead they had the kidnappers hunted down. The whole village was killed, dogs and chickens included. Nobody kidnapped any of their executives again. Cyber crims have less bravery and think they are safer hiding behind a screen. Chop a few up and post pictures to Facebook, I would bet the crime rate would go down. This would be a great use for those armed drones that do not respect national sovereignty. Kevin Mitnick should be digging ditches for a living.

    1. Charles 9

      Re: Treat it like kidnapping

      "Back in the 70s some South American criminals kidnapped a Cola executive."

      Won't work now. Most terrorist organizations are media-savvy. They'd take pictures of the carnage and start posting them wherever they can (possibly through a front) and cry out, "This is what your prized Cola company does to innocents!" Can you say PR disaster?

      Other organizations are just that ruthless and probably would kill the hostage and then nab some more, daring the company to either cough up or risk the former.
