Security

CNA Financial Paid $40 Million in Ransom After March Cyberattack (bloomberg.com) 11

CNA Financial, among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, Bloomberg News reported Thursday. From a report: The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren't authorized to discuss the matter publicly. In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker's identity with the FBI and the Treasury Department's Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.
  • by Anonymous Coward on Thursday May 20, 2021 @04:56PM (#61404984)

    ...to placate script kiddies, they damn well have the cash to enact a $25/hour minimum wage for the hired help.

    • by Anonymous Coward
      Sure but why would they?

      If they advertise a job with the pay rate of half that and they end up with enough qualified applicants to fill the positions, why would they ever offer more than $12.50 just because they happen to have $40MM lying around? Which isn't to say they do have it, maybe they drew against credit, but regardless they have no reason to offer more as long as they are getting qualified applicants.
    • There's a difference between a one-time expense and ongoing expenses.

      Like affording to buy a $1000 laptop vs the rent going up $1000.

    • I don't know if they were script kiddies before, but with $40M, just think of the hacking talent and resources they can buy. The victims are feeding the beast.
    • by AmiMoJo ( 196126 )

      It's often not the lack of staff, it's the disruption that proper security creates. Getting the C levels to accept stuff that reduces productivity and costs money instead of making it is hard.

  • by Snotnose ( 212196 ) on Thursday May 20, 2021 @06:17PM (#61405150)
    If you get hacked and you pay a ransom or whatever, everyone in the Cxx suite is subject to jail time. Serious jail time, none of this 6-month house arrest BS.

    This is the only way the Cxx suite will see IT and information security as anything but a cost sink.
  • by t4eXanadu ( 143668 ) on Thursday May 20, 2021 @10:02PM (#61405666)

    I suspect the companies who decide to pay these huge ransoms are reasoning thusly: how much money do we lose by being down for x amount of time? Is that greater than the ransom demand? If yes, then pay the ransom.

    This might change if the government passed laws that levied huge penalties against companies that pay the ransom; then it might not be in their favor to pay it, and maybe instead they would invest in the security and training necessary to mitigate the risk in the first place.

  • I wonder whether terrorists are using ransomware to finance their other endeavors.

    (In addition to the ransomware itself being terroristic.)

    If they are, and you get hit by one that's recognized by the US government, paying the ransom is funding terrorists and would already be illegal.

    Ransomware and related malware are a logical tool for any of the use cases of asymmetric warfare - revolution, subversion, religious conquest, etc.

  • Plus stockholders should be able to bankrupt c-level officers who fail to have a tested ransomware plan.
