I hope this is a sign of things to come. Train robberies and privateering were common because the culprits were rarely caught. I feel ransomware has been so successful because it operated in an environment where you never get caught.
The solution is always the same, step up the enforcement.
Train robberies and privateering were common because the culprits were rarely caught.
There's a delightful video, "The Barbary States - The Final Yarrs"[1] which shows the end of piracy in the Mediterranean. The European sea-going states and the United States had been paying tribute to the Barbary pirates to sail cargoes past Gibraltar and into the Mediterranean Sea. That video claims that tribute was the biggest single expense of the United States Government in its early years.
After the War of 1812, the United States had a moderately powerful navy. Congress decided to go to war against Algeria. Commodore Stephen Decatur was sent with a fleet. They won. Then the fleet went onto Tunis. They won. Then on to Tripoli. They won. The US paid no more tribute after that.
It got even worse for the Barbary pirates. The European powers now saw the pirates could be crushed. In 1816, the British and Dutch sent a fleet. Someone from the Algerian navy shot at it. The fleet shot back. Most of the Algerian navy was sunk. Eventually, France conquered and annexed Algeria, and Spain conquered Morocco.
For train robberies, see, of course, Butch Cassidy and the Sundance Kid.
The REvil crowd has managed to get to the point where the rather large US anti-terrorism community is focused on them. That usually doesn't end well.
That's like saying "make it illegal to get robbed". If I have a robber with a gun to my head asking for my wallet, I would comply. I wouldn't tell them sorry it is illegal to give you my wallet. You should not penalize the victim. Crack down on perps, not victims please.
No those are not similar cases. Yours is urgent, violent, tiny scale, and individual level. The individual doesn't have any agency in this situation. The alternative is get shot and robbed.
If a corporation is unable to pay a ransom then the incentive to do the ransomware attack immediately drops.
Cracking down on perps would be nice, but is not feasible.
No. I can’t believe this needs to be explained, but the two situations are remarkably alike. If all of a corporations data is being held to ransom, there is no choice in the matter, they must pay. You’re talking like losing all their customers or IP or shutting down the corporation wouldn’t hurt anyone but it would hurt all their employees at the least.
What such an idiotic, short sighted policy would do is to encourage corporations to pay the ransom in secret. This only strengthens the hackers because now law enforcement has no idea who is being hit, when, and with what malware.
Then a bunch of employees will have to find new jobs and some people have their retirement savings drained because it was illegal to pay the ransom and the business shut down. Society will move on. No long-term loss.
The same can be said for highway robbery. It happens in my country and people say well it’s just a tax you have to pay for taking that road. Since the victims are businesses handling goods, the robbery fee is priced into imports and we all pay extra. It can’t be priced into exports because we are too negligible of an exporter, so instead workers in that industry are paid less and there is less money left over to invest so our growth lags behind other counties. Overall the whole country suffers, all because of a few thousand bandits sitting in the forest near the border.
But hey… our society moved on, so you’re right about that: you can definitely live with it.
That's like a 40,000 foot perspective. As a sibling comment says, what about hospitals?
The total value of the stock markets didn't seem to suffer from Covid-19. But people have.
Maybe your point is that unrestricted ransomware shouldn't affect GDP? I'm honestly not sure. Doesn't there have to be a limit? Civilization depends on trust. Sometimes there are critical points.
Here are two representative arguments that I got sick of hearing and pushed me into the negative Kelvin:
1. Green energy requires too few employees per gigawatt compared to coal
2. It would be irresponsible to pursue a policy of a sharp correction toward affordable housing prices because it would push too many elderly into poverty
That would be true if it was possible for any company to have perfect processes, but that’s not the case. Companies are run by real people with real flaws and a perfect system doesn’t exist.
That's like saying "Right now it's cheaper to not have locks so lets punish the homeowners who don't lock their doors instead of punishing the thieves and robbers"
Yes, security and backup measures are critical and companies SHOULD be scrutinized for those things especially if you deal with mission critical data/information. But that has nothing to do with Ransomware Gangs.
"If all of a corporations data is being held to ransom, there is no choice in the matter, they must pay"
This sounds reasonable at first, but I think it might be leaning on anthropomorphizing a corporation a little much.
I think of them more as a machine, or a biological cell or microbe.
While it may be a machine optimized for survival, I'm not sure that they all are or that they must be.
An organism can self-destruct if that's what it's programmed to do.
And an organization in theory should be able to maintain processes that result in orderly self-destruction in certain circumstances, where it's appropriate in the wider society.
After all, companies typically go bankrupt rather than devolving into gang warfare, right?
A "humans first" society should not be prioritizing the survival of human created organizations above all else.
Many ransom payments don't even release the ransom.
If paying in secret is a crime, with whistleblower opportunities, then paying in secret is not so easy. Forbidding payments will massively decrease the value of doing the attacks and reduce the number of them.
"unable to pay" is not the same as "should be illegal"
The perps don't give a shit about what is legal and illegal. They target preys that are vulnerable but have critical functions (e.g. a Hospital network). It is not just about individuals. If a Hospital Network gets attacked and has serious consequences, they won't do a board meeting to discuss "Gee, paying ransomware is illegal. We must say No. ".
I am not advocating that people should just pay but we cannot punish the victims even if the victims were careless (bad security practice etc).
Also, there are middle-man "security companies" that you can pay to "help you decrypt your files" and what they do is simply pay the ransom under the table for you... So you can't really tell if a company paid the ransom or not.
You can also make it illegal to seek assistance from an out-of-jurisdiction middle-man. Thus, any middle men are going to be subject to the same regulations.
Yep. It's like governments that forbid use of things like facial recognition software by its police departments. Sure, the police department doesn't use facial recognition, but they commonly work around this by using a vendor that may or may not use facial recognition. This model is actually commonly employed by both companies and that are forbidden to do something.
Except in this case you can just... restore your wallet from back-up.
Pretty much the reason wallets are worthless is that if you snag one, all you get are plastic cards that are going to get cancelled in the next minutes/hours.
S3/Azure/Backblaze are really cheap and just work.
The main argument against making ransom payments illegal is that it simply drives ransom payments underground. Legislating something, similar to vices like drugs, alcohol or gambling, doesn't make it go away.
I assume they mean make it illegal for corporations to pay the ransom. It's obviously unjust and ineffective to punish private individuals for paying ransoms, but that's not where the money is. OTOH, corporations have budgets and can be prosecuted if X millions dollars disappears out of it.
I don’t view it as obviously unjust as applied to individuals. That may suck for that person, but turning off the revenue demands substantially reduces the odds others are subject to ransoms. If all you do is focus on the individual case, you never actually address the root cause.
Make hiding ransomware attacks a criminal offense mandatory and offer whistleblower programs to companies that try to conceal it. This is an issue of national security. Individual alcohol problems are irrelevant and not comparable to large corporations.
And then you've just created a chain of legislation with the associated loopholes and confusion which will allow corporations to hide and deny any of it happening and then using legal fog to stonewall any Govt investigations and force people to risk their careers to call it out.
Forcing people to be whistle blowers is not a scalable enforcement plan. Very few people are willing to be one.
We need to legislate with the goal of corporate transparency not for more hidden behavior.
If you make it a felony to pay ransoms (which I strongly support), there will be far fewer ransom demands. Yes, some of it will go underground, but in my view it’s the only way to actually decrease the demand side of the equation.
How will you know if the total amount of ransom payments goes down? How will you know how much is under the table vs over the table? This argument seems to be "the over the table stuff goes down therefore the total goes down" which is faulty logic.
It would follow logically that it'd go down. It's like saying making murder illegal would only push murder under the table.
A company currently performs a simple mathematical equation when deciding to pay a ransom. Does the reputational and financial cost of not paying the ransom outweigh the price of the ransom? In a world where ransom payments were illegal, then those same companies would also have to include the legal penalties and probability of being caught as part of that equation.
Obviously, some companies would still see a net benefit in paying the ransom, but fewer would, so less ransoms would be paid.
It seems to me like you're trying to use 'war on drugs' logic on ransoms. The key difference is that companies don't want to pay ransoms, but do so out of necessity.
Sure, but what you’ll end up with is that the fewer people who still do it while is illegal are those in the most desperate and sympathetic sounding straits.
It’s like prostitution, if it’s illegal you find that most sex workers are the most vulnerable in society. When it’s not, sex workers can be anyone who doesn’t want to drive 6 hours for Uber on the weekend for extra cash.
The other approach is to remove the transaction system. Make bitcoin trivially traceable (or drive it out of existence entirely) and it becomes much more difficult to handle the ransom payments, and thus, to profit from the operation.
I would have loved to have seen what would have happened to the East Coast of the US if Colonial wasn't allowed to pay ransomware, or the various beef suppliers in the Americas if they weren't allowed to pay.
Making it illegal to pay just isn't feasible for practical business purposes.
I imagine, Colonial would have restarted the pipeline without billing and figure it out later.
Probably similar for beef suppliers, although I didn't read any media about what systems were impacted there. Assuming some of the labelling or other food safety things were impacted, you would need an FDA waiver of some sort.
Make insecure software the problem of its producer, so that except for gross negligence by the user, the software vendor is on the hook (reimbursing customers) and will want to prevent ransomware from being a thing in the first place.
Even the most secure piece of software - assuming such a thing even exists! - can't do a thing against incompetent users.
Even a perfectly patched Windows instance can't be reasonably protected against an user executing an attachment of an email that then goes ahead and encrypts all files writable by the user. The only option is to ban the user from anything executable and interpreters as Apple does on their iDevices, but we all rightfully and regularly complain about that one.
As for vulnerable software: I agree, some pressure on Microsoft to open-source or at least provably audit their software would be nice - but it's rare to have a definitive attribution on how a piece of malware entered your organization, at least not in places where record-keeping and retention is restricted by laws like the GDPR.
It's high comedy to me that 90+% of ransomware is targeted at Windows, and yet beyond the year 2020 you can still find corporate-speak in the wild that all basically boils down to a hare-brained assumption that the corporate vendor will in some way be liable if the customer suffers a breach.
When in fact the largest of software vendors sits in plain sight, obviously liable for poor designs that invite these breaches, and no one has held them to account for it.
Not having updated the system (within reason: it _can_ take a week, but it should _not_ take a year) is gross negligence as far as vendor liability would be concerned.
But by all means, let's limit the minimum liability for software vendors for such scenarios to "costs of downtime and effort for reinstalling backups and getting everything up again": That should provide an incentive to make backup procedures effortless and have the systems make some noise if they aren't backed up (with regular recovery testing etc).
As it stands, software vendors say "users are to blame" as if their shitty software isn't enabling ransomware, users say "can't do anything about it, we're down for the next 6 months" as if ransomware is some force of nature (or act of God or whatever), when both positions, while not entirely untrue, are mostly lazy.
I think a constructive thing for governments to do is to gently push people in that direction.
Make high-quality, audited backups a legal requirement, or offer strong incentives for it, and much of the problem goes away. Companies may be able to outsource it, which arguably just shifts the attack vector elsewhere, but you would hope people who specialise in backups are better at it than their amateur clients.
Good point, but in a war, the goal is to disarm your enemies in order to pacify them. I'm not sure how you disarm a hacker in this century. State sponsored or not, everyone will have access to a computer.
If this century sees large-scale DDoS attacks, information breaches, power plant / pipeline shutdowns, etc., I strongly prefer that to the trench warfare and carpet/nuclear bombings of the last century.
Hacking wars are lukewarm. A hot war seems like it will involve a lot more drone strikes -- which might not be significantly better than the last century, but terrifying nonetheless. And until it comes home, I don't think Americans will fully appreciate how our government (hence, our nation) is perceived a terrorist organization abroad.
One thing we did before to solve this problem in the train robbery days was eliminating bearer instruments. I strongly suggest we revisit this solution.
Exactly. Until people are arrested, the government just basically shutdown a REvil billboard. They'll just pop up with a new one.
No one has actually stopped REvil hacking operations. There's been a lot of drama with their affiliate programs that are probably not government related. This Reuters article is giving the government a tiny little more credit than it deserves.
Yup. No arrests. Just a little holiday for the elusive operators:
"The server was compromised, and they were looking for me," 0_neday wrote on a cybercrime forum last weekend and first spotted by security firm Recorded Future. "Good luck, everyone; I'm off." [1]
This is only a disincentive to people who normally don't commit crimes. If you're part of a crime ring, this ins't something you are concerned with on a daily basis.
YAY! Some thoughts about the article. In my country and many others it is for sure already illegal to pay ransom. Would say it applies to the entire EU at least. Every company that paid should be prosecuted. I work for a company that payed ransom. Yes, it was illegal, and yes, the company is owned by "dudes"...
The solutions are multi-pronged.
1) Step up enforcement of current laws and regulations. (A law or regulation is only as effective as its enforcement.)
2) Do as much as possible to trace payments and force payment networks to co-operate with criminal investigations, preferably through multilateral treaties or agreements.
3) Thwart social engineering by training and promoting good online hygiene.
TLDR: "We failed to arrest, or even identify anybody, Team US OPSEC FUCK YEAH!!!"
FBI, Cyber Command, Secret Service, Russian run Group-IB, DoD and spokesperson for the White House National Security Council seen in the background doing high fives and congratulating themselves on "Mission Accomplished".
Well Unknown is missing and their keys were recently used [1] so maybe they've been arrested or flipped? I think some were arrested in Ukraine too [2]. The US won't have as much success extraditing people operating out of Russia however.
There's a lot of evidence REvils was sent from the future to stop a coming cyber-war that wipes out much of humanity due to systematic unpatched issues across the world that multiple nation states collected and used at once wiping out supply chains killing billions.
It all fits, imagine if REvil's "Colonial Pipeline that led to widespread gas shortages" was in the hands of North Koreans or from a solar storm.
Which does beg the question who really is currently attacking REvil. It stands to reason future nation states also might send people back in time to keep things unpatched and they would already know Biden has Alzheimers.
The solution is always the same, step up the enforcement.