Ransomware crims saying 'We'll burn your data if you get a negotiator' can't be legally paid off anyway

Re: mailed cash

They wouldn't get unmarked bills from me. I'd wipe my arse with every single tenner.

Re: It is easy for us to say "don't pay"

Fire 'em all the way up the chain. Publicly. Let 'em go sling burgers at a fast food shop, don't let them glorify their "accomplishments" and repeat the stupid at the next job for even higher pay.

Most security problems (and in this case, backup problems) come from the C-level.

Re: It is easy for us to say "don't pay"

In the following tale it wasn't ransomware but, to the effect, it's the same as if it were.

In the (late) 90's I was called to "rescue" a largish occupational health company that had all of their information (I really mean everything, client info, contracts, test results, payroll) in a single 700 MB Access application. They had an hardware failure that crashed the .mdb and their most recent backup copy was over a month old. Unfortunately (for them), we were unable to restore it, we only managed to salvage parts of tables, unlinked to anything else.

They ended up losing several contracts over the issue but, hey!, they weren't in IT and didn't know any better at the time.

BUT.... do you think they learned the lesson? Well think again because they just rebuilt from the backup copy and manually re-inputted all that could be saved from the crashed file, leaving everything else as before.

I really have no idea if this was part of the reason but they are now, in fact, out of business.

Re: It is easy for us to say "don't pay"

If anyone "deserves" to be punished, it's the management that allowed the company to be put in such a position. The boots on the ground employees likely have little to no say in the direction of the IT department, even the IT staff themselves, while the upper managrment does. If the employee was not directed to do something, and something bad happens to the company because of it, it's the manager's fault. Get rid of that manager, salvage what you can, and those hundred some innocent employees hopefully get to keep their jobs.

Re: It is easy for us to say "don't pay"

There's probably 1 or 2 IT guys in the company, but hundreds of floor workers actually making widgets. All of those folks "deserve" to be out of a job because the IT guy is an idiot? Get a grip.

How many guys are employed fixing the widget machines? If they are idiots, does the company go out of business?

If you cannot function without IT, it is just as important as any other aspect of the business, and needs to be resourced accordingly.

Re: It is easy for us to say "don't pay"

If you are planning to start a business or find investors, presumably you will make sure you got the capital to cover the office / workshop / machines / salary for at least a few months / utilities, etc.

Now you just need to add a bit more to the amount you going to prepare to buy computers, pay for internet, etc to the office.

For the extremely small businesses, 1-3 men shows, they can at the least pay for some cloud storage and arrange for someone (or one or all of them) to take backups on a few portable drives and rotate amoungst them.

My non-IT aunt has a cloud storage and an external drive for her important data backups. Don't tell me you can't do even slightly better in a small office? If you cant afford another 300-500 bucks + maybe a yearly fee of 50 to 100, maybe you are not the right person to start a small business.

Re: It is easy for us to say "don't pay"

"hundreds of floor workers actually making widgets. All of those folks "deserve" to be out of a job because the IT guy is an idiot?"

None of those people deserve anything, as they didn't do anything wrong. However, they are likely to lose their jobs due to the incompetence of others, which is the problem. It's not new, and it's not limited to IT.

If these people worked in a manufacturing plant as your example suggests, that plant likely has safety risks and equipment to deal with them. If the management decided not to include fire protection and the plant caught fire, the workers would probably lose their jobs. In that case too, the workers did not deserve any bad consequences. That is why negligence related to safety is in most cases a crime and sufficient penalties assessed to prevent it from happening frequently (void in some countries or particularly negligent operators).

I do not like saying that someone deserved a bad outcome happening to them, and in this case I don't think that's the best word for the situation. However, in many cases, I don't have sympathy for the management who didn't try for backups. If it was very small or the attackers very good at their job, there would be some. If a business is large enough to employ a hundred widget-makers and still doesn't bother to invest in their survival, I do think the management needs to take some blame for that as they would in many similar circumstances where computers are not involved.

Re: It is easy for us to say "don't pay"

Possibly, but as I see it the real problem is lack of proper "old school" security.

Far too often we get some C level person who just "has" to be exempt from the companies security procedures, and that same person has to have full access to EVERYTHING!

It amazes me that when a single point of entry gets compromised (one user) now ALL the companies data, including their backups, are compromised! Why does this person have this access? Why does the account they are using for daily work have this access?

As a senior IT person "I do not have that level of access!" I certainly do not have that level of access into our financial system.

Putting aside the cost of securing your operation, correcting the above cost almost nothing except having the courage to tell management it must be done. If they refuse, you have 2 choices, accept the risk (and accept you will most likely be blamed when some thing does happen) or find another position!