Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Choice To Pay Ransomware Might Be Simpler Than You'd Think (axios.com) 217

The conventional wisdom about ransomware is that when local governments pay the ransom, it encourages more criminals to launch more attacks. But that's not necessarily the case, experts say. From a report:The costs of recovering from a ransomware attack are often greater than the cost of the ransom. The victims of ransomware attacks are typically targets of opportunity, and cities generally aren't the primary targets. Corporations are -- and they often pay up. "The fact is, paying a ransom does not create a market," said Forrester Research's Josh Zelonis. "There already is a market." Riviera Beach and Lake City, Florida, paid a combined $1.1 million in ransom over about a week in June. Meanwhile, Atlanta spent $17 million restoring systems rather than pay a $50,000 ransom last year. Baltimore is likely to spend $10 million restoring its own systems refusing to pay a $75,000 ransom this year. The disruption to its city services may cost another $8 million.

For some cities, the best response might be to pay the ransom, then use the millions of dollars that would have been spent on recovery to strengthen cyber defenses before the next attack. "If you don't learn from the past, you will end up being ransomed again," said Deborah Golden, the new head of Deloitte's cyber consultancy. Whether a city pays, doesn't pay, or has yet to be attacked, prevention will often save money.

This discussion has been archived. No new comments can be posted.

Choice To Pay Ransomware Might Be Simpler Than You'd Think

Comments Filter:
  • by pgmrdlm ( 1642279 ) on Tuesday July 02, 2019 @01:59PM (#58862456) Journal
    Seriously, these people are attacking health care and governments. They are harming everyone in these attacks. Fucking sentence these assholes to 20 years or more. If someone dies due to their attack. A First Responder unable to help someone in time, or dying in hospital because of missing records. Life in prison.

    They are fucking with peoples lives. Their sentence should reflect that. And if the police or a citizen beats the living shit out of them, oops. Shit happens
    • Yep. There has to be a way to follow the money back to these assholes when you're working with ISPs at government levels.

      • by DarkOx ( 621550 )

        The problem is these assholes are over seas. Often in a weak or failed state. The authorities in north Africa and the former Soviet block for example are not interested in some bitcoin scammer, the authorities in Russia don't care or if they do care would consider the information a recruiting opportunity for the NKGB.

        You can follow the money but unless the issue is big enough the state department is willing to make an international incident over it; that leads to dead end. Really the rule needs to be don

        • I've seen one ransomware attack up close and personal. It wasn't pleasant, but fortunately the organization involved had a very good back up regime. Once the offending workstation was identified and taken off the network, the nightly back up from the night before was restored. There was probably a day of downtime, not pleasant, and a small amount of data from the morning was lost. So the rule of thumb is backup backup backup, and not just backup, but make sure it's to tape or some other facility that can't

          • I have dealt with 4. In one case it tried to destroy the backup but I was able to recover it. In another they had no backup and had to pay. In the other two, it took longer to re-image the infected machine than to recover the data. If it costs $17 million to restore from backup, you have an amazingly sweet contract!
            • I've dealt with a few outbreaks myself. Some ransomware brute forces local admin and domain admin credentials. If a network is lazily setup then I could see it wiping out the entire domain, making most of the backups largely irrelevant. Worse, modern hardware makes the brute forcing too quick to catch by hand in most instances, you're talking hours from an infection to a breach that would compromise an entire network.

              I believe the quoted 17 mil was not to restore from backup, but rather was to rebuild the
        • by Shotgun ( 30919 )

          A federal ban on transfer of dollars to states that harbor these pirates would work nicely. Putin and his oligarchs will NOT be happy when their money supply is curtailed.

          Barring that, have the banks track them and then have the CIA serve the culprits some polonium tea. Let Putin know that Russia isn't the only one that can play that game.

    • by gweihir ( 88907 )

      That will have zero effect. The ones always calling for "harsher sentences" are part of the problem. You people are not interested in prevention at all, all you want revenge. Revenge is, as you may have noticed but obviously not realized the implication of, an after-the-fact thing. A threat of revenge is also known to have not much preventative effect and, as in this case, if the attackers have a very small risk of getting caught, it has no effect at all.

      You have one thing right though: These are important

      • You assume(makes an ass out of you) a lot. Yes, governments and institutes need to be more vigilant in their security. But you assume(make an ass out of you) that these small time IT groups have the money and resources to make them as secure as any large company would. And even if they do what they think is right, they still may be broken into. There are certain services that affect the general population where if compromised where services and lives are at stake, the sentencing should reflect that.
        • by gweihir ( 88907 )

          The ass here is you. But you are too blind to actual reality to see that. Dunning-Kruger effect at work.

        • I am a consultant for small and medium business. Good backup is cheap. Far cheaper than the loss of the data. I can set up 48TB of out of band snapshotted backup for $2000 plus my time. But while they will spend $2000 on an 80 inch TV, often they will not on their business.
          • 48TB out of band snapshotted backup for $2,000?

            Surely you're talking about cold data. No way that is a one-size fits all solution, and no way the majority of that is hot data being snapshotted. Furthermore, how often would such a system be able to be tested? And what happens if a snapshot breaks along the way?
      • I'm not sure how people can "make more effort" to secure their systems when the flaws are in the underlying web browsers, the OS, in Java, etc.

        • by gweihir ( 88907 )

          Oh, sure. But what about having backup and a strategy to get up and running again? You know where you can be up and running again after a few days?

          • Yeah, OK, that can be done.

            Also switch to using client-server apps where no data is stored on local machines so a quick disk re-image can get a machine up and running again. Maybe even develop a way to trigger the re-image remotely.

          • Days? I have done it for my clients in hours...
            • Lower RTOs cost money, and so the lost time, productivity, and profit must be greater than the cost of the solution.

              The solution must also consider the broadest risk ranges against the greatest individual risks. Physical hardware failure, theft (stolen laptops and mobile devices), security breach remediation (OS reinstall of all machines especially domain controllers), data corruption (Incompetence or malcious), failed updates, acts of god, etc.

              These solutions must also be able to move enough data in t
      • A threat of revenge is also known to have not much preventative effect

        It has no preventive effect in the case of lowlife criminals committing opportunistic crimes, no.

        This is different though. It takes planning ans skill and once a virus is launched it stays out there, sending info back to their servers. That's the sort of thing that makes people lie awake at night if they start seeing lots of headlines about dawn raids, long sentences, etc.

        • by gweihir ( 88907 )

          You are mistaken. These people assume they will not get caught and hence the sentences threatened are irrelevant.

          • by Shotgun ( 30919 )

            Ok then? What's the problem with changing their assumptions? Once a few are dealt with, they will obviously need to reconsider their premises. A little foreign policy. . . something like "All foreign payments over $X must be picked up at an official branch of the bank and cashed by the recipient" should provide enough exposure to make the criminals think twice. Banks and countries that won't play along wouldn't be allowed to play at all.

      • Revenge is what criminals understand.

    • Fucking sentence these assholes to 20 years or more. If someone dies due to their attack. A First Responder unable to help someone in time, or dying in hospital because of missing records. Life in prison.

      Studies time and time again have shown that increasing sentencing time doesn't lessen crime much (if at all). Increasingly the likelihood of being caught and prosecuted is much more effective than increasing punishment. We need to improve our arrest rate- draconian punishments might help our sense of justice, but they won't stop ransomware; you can throw in a death sentence and torture listening to Kanye West for 48hrs straight- but it's not going to dissuade ransomware authors if they don't think they wi

      • by Shotgun ( 30919 )

        torture listening to Kanye West for 48hrs straight-

        Dude, I thought I was brutal, but you're scary.

        *I ain't sayin' she's no gold digga'
        *But she ain't goin' wif no broke unh! unh!

        Aaaaah!!

    • by Luckyo ( 1726890 )

      You could legislate their sentences to be slow death by thirst, and it will keep having zero impact. Because these people are not even going to be in the country they're ransoming people/organisations in. Chance of actually getting caught is sufficiently close to zero to where consequences of getting caught become irrelevant.

    • They are harming everyone in these attacks. Fucking sentence these assholes to 20 years or more. If someone dies due to their attack.

      It amazes me that whenever we talk about specific crimes, everyone wants people to be punished extremely harshly. Then when we talk about how America incarcerates too many people, we want to reduce prison sentences.

    • most of these guys are in old soviet block countries where engineers are plentiful but jobs aren't. Some have been traced back to North Korea too. In any case they don't have a lot of options.

      This is where diplomacy should come in. Same with Mexico & South America. It's cheaper to drop food than bombs. It's cheaper to build up a region or to reform a man than to lock 'em up.
    • by xtal ( 49134 )

      Life in prison is already the law in Canada if you kill someone with a hack.

      I suspect it's the same in the USA.

      The problem is, you're never going to catch these people. Computers are basically un-securable, and the industry blames the users instead of it's own failings.

      This is not being fixed any time soon.

  • Incompetent or no IT staff, no backups, lots of savings, great bottom line.

    Why not spend some of it on ransom?

    • by Penguinisto ( 415985 ) on Tuesday July 02, 2019 @02:41PM (#58862764) Journal

      Pretty much. When TFS says
      "Baltimore is likely to spend $10 million restoring its own systems refusing to pay a $75,000 ransom this year. "

      What they don't mention is that Baltimore is most likely spending the vast majority of that money on things they should have spent it on beforehand: Upgrades on all levels, decent security systems and procedures, a decent and updated DR/backup system, maybe decent IDS and mitigation systems, compartmentalization of resources, mail/web filtering, security training... ...crap that I'm willing to wager they'd blown off or outright denied funding for, for years beforehand (and whatever bureaucrats blew it off? They're likely still enjoying either their current jobs or fat city pensions - yay for being a PHB I guess.)

      TL;DR: Paying off the ransom doesn't mean they wouldn't end up spending that $10m on top of any ransom to bring their systems up to snuff... like they should have been in the first place.

      Unless you enjoy having your infrastructure become everyone's subsequent bitch, you're going to be shoveling money, time, resources... all into making sure it doesn't happen again (or if it does, only after at least a decade or two of subsequent blowing off of needed upgrades, training, systems...)

      Nobody escapes that cost, ransom or no ransom. Maybe it's time folks learned that...

      • by skids ( 119237 )

        And to add, when TFS says:

        "The fact is, paying a ransom does not create a market," said Forrester Research's Josh Zelonis. "There already is a market."

        What they forgot to add was "...which you just made bigger."

  • by bjdevil66 ( 583941 ) on Tuesday July 02, 2019 @02:05PM (#58862502)

    And spending more on security isn't going to stop these attacks because we're fallible. There's a sucker born every minute.

    It's the lack of a real worldwide, coordinated deterrent that threatens physical capture/harm.

    Just like when email spamming lost a little juice when some spammers were finally prosecuted and/or jailed, or when the Somali pirates started getting hunted down by the US Navy, there has to be a coordinated effort by governments for ransomware attacks.

    Until then, the risk of getting caught and prosecuted is almost zero - and cities with average Joe employees will get burned time and time again.

    • by jythie ( 914043 )
      The trouble with worldwide solutions is, in general, countries are reluctant to crack down on things that are making money for their citizens and only costing citizens of another nation, esp when you not really like that other nation in the first place. This goes both ways, and makes either side crossing that divide iteratively difficult.
  • by Fly Swatter ( 30498 ) on Tuesday July 02, 2019 @02:06PM (#58862510) Homepage
    If the first victims never paid, then there would never have been a market. If new victims don't pay, there would be no more market. The overall expenses from these type attacks would decrease. These 'experts' are idiots.
    • by jythie ( 914043 )
      I think the point is that directing these public institutions to stop paying doesn't really help since they are collateral, not targets.
    • by gweihir ( 88907 )

      I agree. These attacks create costs on the criminal's side. If they had no chance of recovering these costs, the attacks would stop pretty soon. But since these "victims" (they _did_ set themselves up for it, when you look at actual facts) do pay, the problem will persist. I think it is high time to make paying such a ransom illegal.

      • by Luckyo ( 1726890 ) on Tuesday July 02, 2019 @04:16PM (#58863356)

        Costs to conduct most such attacks are miniscule. That's one of the problems with internet. It made delivery of payload effectively free, which means you only meaningful cost is developing payload. Internet solved that as well with darknet forums which sell malware for cheap. Last thing that was the problem was how to get the money transferred. Internet solved that as well with bitcoin.

        So the problem you have is simply "internet and things it made possible", not "costs"

    • by kackle ( 910159 )
      I would agree, except it costs close to nothing for them to keep trying.
    • You're correct, but you can carry the line of reasoning even further. If it becomes known that you have security vulnerabilities and that you are willing to pay ransom, you become more likely to be targeted by further ransomware attacks. And if they know how much you paid for the previous ransom, they may ask for more. The cost of paying a ransom can't be calculated by just looking at the difference between the cost of the ransom and the cost of an outage. You *have* to account for whether your vulnerab

  • Right... (Score:5, Interesting)

    by Drethon ( 1445051 ) on Tuesday July 02, 2019 @02:06PM (#58862516)

    "For some cities, the best response might be to pay the ransom, then use the millions of dollars that would have been spent on recovery to strengthen cyber defenses before the next attack."

    I suspect most of these cities will pay the lower cost (pay the ransom), then spend the next few years complaining that paying for the ransom took all the money they would have spent to improve their IT department. I wonder what will happen after that?

  • Applying the logic of this story, the makers of ransomeware should obviously increase their investments in finding new security vulnerabilities to exploit.

    Entropy always increases. Especially in Windows environments. Guess who's going to win?

    The closest thing to a real solution is to stop with the giant targets already. Any gigantic target is going to get attacked, and Windows has merely become the largest and most attractive target.

    Imagine that Microsoft had cloned itself into several daughter companies wh

  • by SuperKendall ( 25149 ) on Tuesday July 02, 2019 @02:11PM (#58862546)

    After anyone pays and gets everything back - they should make public all correspondence and related materials for whoever they interacted with.

    Then, place a bounty of twice what you paid leading to their arrest...

    If everyone could have access to full emails including headers, along with bitcoin wallet addresses don't you think a lot of amateurs could figure out who was behind some of this ransomware? If there's a lot of financial motivation to hunt down people or groups behind the ransomeware, maybe that would tart to put a brake on it.

    Right now it just seems like easy money with zero repercussions.

    • ...and if the perp lives halfway across the planet (or worse, is a state actor doing its best to get around sanctions on the down-low?)

    • No, rather than hunting down the ransom author for $2M, when all their communications are behind seven proxies... it would be much easier to use the same 360d to infect two new cities and ransom them for $1M each.

      • when all their communications are behind seven proxies

        What makes you think script kiddies doing these ransomeware things are even close to that smart or careful.

        It may turn out to be so, but in the past most criminals end up being lazy. They slip up eventually.

        Don't forget if nothing else you can follow where the money goes from wallet to wallet after the initial transfer of the ransom. No way to disguise that and once you find any wallet along the chain of money sent from the ransom account, you can wal

  • Do not take anything an "expert" from Deloitte says. If you are well-known expert in a non-bullshit field, you simply do not end up at Deloitte. Or any big four.

    • by gweihir ( 88907 )

      These big consultancies basically sell you their name and nothing else. I have seen a slide-deck that one of the big-four produced for a technical analysis that was an utter disgrace. Complete chaos, basically unreadable, and the conclusions simply wrong. That analysis did cost a lot and cost a lot more in the damage done to the customer. And I saw an IBM big-data team fail after bumbling about for 3 years. At the end they did not even have the sensors working, while I had implemented a real-time transforma

      • To be fair, their personnel is often people fresh from school who struggle to find a job, or are terrified to be jobless for more than two weeks and stay there for a few months to have a line on their resume. They know the working conditions are bad, the corporate culture parodic and the pay below average for anyone with a serious degree. They leave ASAP.

        Also a few fools who love stereotypical corporate culture and believe on day they will become "partners" and afford costlier ties. Those are very comical,

  • if your network is unsecure with poor backups, the cost you incur to fix it doesn't change if you're stupid enough to pay off the script kiddies that took you down. You still need to fix your security and backup problems regardless.

  • ...the minute you start giving into ransom, you will trigger a wave effect that will tell every other criminal, that this crime we can get away with.

    Doesn't matter how much money you lose vs ransom, it's the core principal that matters here. Start accepting ransom payments, and giving in to the criminals, will open up a whole Pandora's box for them, not just ransomware, but literally everything.

  • For the individual companies affected, paying a ransom may make financial sense because it costs less than the damage impacted by the ransomware. And the hacker is unlikely to target the same individual twice.

    However, by paying the ransom one is providing financial resources to a criminal organization and encourage them to carry out more ransomware attacks. The cost of paying the ramson may be far smaller than the potential damage for an individual, but for society as a whole, the damage inflicted by paying

  • I don't have an economics degree, but I'm pretty sure giving people money works as an incentive.

  • by FictionPimp ( 712802 ) on Tuesday July 02, 2019 @02:22PM (#58862648) Homepage

    The simple fact is that paying the ransom is a terrible idea.

    1) It shows you already are failing as a company/government/etc
    2) You will have to pay it again and again, because they can just go right back after you. You are now a top target of ransomware.
    3) How do you know you are operationally secure?

    If you do not have offline backups and a BCP that have been tested and practices you should just shut down and delete your data now.

    This is not about 'the market for ransomware this is about basic business continuity. Being unable to recover from ransomware quickly without paying the fee shows you are not taking any due care.

  • Please correct me if I'm wrong, but isn't the usual way networks are infected and encrypted by ransomeware because of phishing emails?

    I mean we can talk all we want about logging, permissions, backups, etc, all of which are good things to maintain and manage, etc; but isn't it just someone opening an attachment or clicking a link that is the problem here?

    If that is so, if phishing emails are the attack vector, why are we ok with users being able to open attachments and click links in this way?
    In thi
    • Like it or not, email is a major platform for day-to-day business activities. Documents get sent back and forth all the time. I agree it's not ideal, but regular users are an amazing combination of lazy and gullible (well, some IT admins are, too). I've tried many times over the years to insist people use shared drives or online document management systems to move files back and forth, but unless you outright ban attachments, people will just use email. And really, you can minimize the attack surface, but y

  • The fact is, paying a ransom does not create a market

    The fact is, you're wrong, dipshit. Saying "The fact is," before you spout some bullshit won't fool anyone but millennials.
    It may be a coerced market, like the mob offering "protection", but it exists only because people pay up.

  • I think the hairsplitting between "paying ransom CREATES a market" and "paying ransom ENCOURAGES a market" is pretty fucking pointless.

    The fact is, paying a blackmailer absolutely going to encourage more criminals to attempt it, at the very least. All the news stories crowing about how it cost $10 million to restore a system to avoid paying a $50k ransom are practically accomplices.

    You know what wouldn't encourage hackers? Beheading. For instance, I bet the Russian mafia doesn't get hacked by script kidd

  • The attack vector is Outlook + a Windows box. This particular vector has been around for at least 25 years -- with lots of noises coming out of Redmond saying "We'll fix the problem", some hand waving, and the problem continuing. Sure, there should be backups, but maybe you could try using Free Software for you email stuff instead? At least stop using Outlook on Windows? If you have a particularly technically illiterate person, buy them a Mac and watch with glee as they try to open viruses programmed for Wi

    • MS-Office based vulnerabilities may extend to other systems that implement VBA (Libre/OpenOffice, I'm looking at you). And if Libre+Linux became the major platform, you'd suddenly have bash script trojans on the loose. Underlying it all is the automatic opening of files from external sources, and no matter how good your malware detection, they'll always be one step ahead of you.

      • Underlying it all is the automatic opening of files from external sources,

        It doesn't have to be automatic.
        If you don't have the expertise to set up some kind of virus detection, use gmail. They have good corporate plans, and they detect this kind of thing before your users find it.

  • by Xoc-S ( 645831 ) on Tuesday July 02, 2019 @02:54PM (#58862846)
    If you get control back to the machines that were encrypted, you MUST wipe them and reinstall everything. You have no guarantee that the hackers have not left additional back doors on the machines to re-attack them later. The ransom only recovers the data, but does not put the computers back into the state they were. So there is still considerable cost coming.
  • of course paying the ransom will grow the market, and that's exactly what we're seeing. More and more.

    Again, why aren't the IT departments thrown out the door on their butts when they can't recover from ransomware attack, only the incompetent will have that problem

  • }}} "The fact is, paying a ransom does not create a market," said Forrester Research's Josh Zelonis. "There already is a market." {{{ --- Give me a break. Zelonis is creating a straw-man and then arguing against it. TFA article says, "The conventional wisdom about ransomware is that when local governments pay the ransom, it encourages more criminals to launch more attacks." TFA says, "...launch more attacks..." That is not the same as what Zelonis' straw-man says, i.e., start launching attacks to creat
  • Why pay millions to secure the system if you're done with a few thousands paying the ransom.......
  • The article seems to be arguing that because it is cheaper to pay the ransom than fix the problem without paying it, it is the rational choice for the victim. This may be true, but to make the leap that since that is true, paying the ransom does not encourage the criminals that launch the attacks, requires a level of stupidity that I cannot believe. Of course paying ransoms encourage the blackmailers. It may be in your selfish interest to just pay the ransom once you have already found yourself in that s

  • In the past you installed Windows and were anally raped by Microsoft for years. Then you got totally owned because of Windows. Did you learn that to install Windows is to be anally raped and owned? If you did not learn this, then kill yourself.

  • So... with all of these "encrypt the files in place on network shares" ransomware attacks, why DON'T we have the ability to set aside ~half the hard drive for journal history & enforce a rule like, "all changes get journaled, history can't be deleted or overwritten for 7 days, and when history log becomes full, the drive is effectively write-protected until enough time elapses to allow overwrites"

    Yeah, it would mean we'd need 1TB drives to handle a week with 512GB worth of existing files & changes,

    • Nothing replaces a good backup regime. Full stop.

      Weekly full, daily incremental, offsite, offline, new servers on the shelf (iron or virtual), workstation images. Have these in place, and even in the worst case scenario, where servers and workstations are put out of commission, where a really nasty exploit that can run in privileged mode can fuck with FS journals, and your downtime is minimized. I've done it. It sucks. New server brought online, backups restored from tapes, workstations having to be spun up

  • "The costs of recovering from a ransomware attack are often greater than the cost of the ransom."

    Well they certainly are if you don't have viable backups.

    Yes, I know that doing the whole recovery-dance is a pain in the ass and will obviously cost something in terms of time and effort, but compared to the typical ransomware extortion fee? Probably not nearly as much.

  • Do not pay these ransoms. You're just encouraging more of this type of malware to be created and spread.

    Stop paying. Use sensible backup strategies, and train your staff to know what phishing emails look like.

    STOP PAYING! STOP ENCOURAGING THIS BEHAVIOR, FFS.

  • I have little to no faith in any of these companies or organizations learning from their mistakes and not being subject to another ransomware attack. If they were on the ball in the first place then the attacks would never have happened. If I were the one in charge of a company that was attacked, or mayor of a city that was attacked, I'd be firing the heads of the IT department immediately and being very very picky about who got hired to replace them. All these other organizations? Probably won't go there.
  • They had someone intelligent enough on staff to look for keys to the ransomware. There's sites that collect the keys, they don't have them all but...
  • This may be a crazy idea, and it just popped into my head, but perhaps if the cost to a business (or government, or even individual) was higher if they pay the ransom - via fines, prosecution, etc - then maybe they would not do it. And if no one pays the ransoms, they *will* eventually stop. But it has to be 100% or very, very close. If just some people stop paying, but others continue, then it just encourages more ransomware (because they will need to increase the overall number of victims to keep profits,

  • For some cities, the best response might be to pay the ransom, then use the millions of dollars that would have been spent on recovery to strengthen cyber defenses before the next attack.

    How about they spend some of the money they would have spent on recovery on developing a recovery plan that doesn't cost so much?

  • False dichotomy.

    You can do both: recover your systems without paying the ransom *and* improve your cyber defenses at the same time.

    If you're refusing to pay the ransom, the ROI on improving your cyber defenses is really damn impressive, using the numbers given in this article.

  • Rid your organization of the plague. It would be more clever to get the ransom, and then have daemons lie in wait for a future opportunity. Hell, you might as well charge a subscription, or protection, like the mob did/does.

If you didn't have to work so hard, you'd have more time to be depressed.

Working...