80% of Orgs That Paid the Ransom Were Hit Again, Report Finds (venturebeat.com)
Boston-headquartered security firm Cybereason's study has found that the majority of organizations that chose to pay ransom demands in the past were not immune to subsequent ransomware attacks, often by the same threat actors. From a report: In fact, 80% of organizations that paid the ransom were hit by a second attack, and almost half were hit by the same threat group. This study offers insight into the business impact of ransomware attacks across key industry verticals and reveals data that can be leveraged to improve ransomware defenses. For example, after an organization experienced a ransomware attack, the top two solutions implemented included security awareness training (48%) and security operations (48%). This research underscores that prevention is the best strategy for managing ransomware risk and ensuring your organization does not fall victim to a ransomware attack in the first place.
Color me shocked! (Score:5, Funny)
Re:Color me shocked! (Score:4, Funny)
Well, of course... How much you wanna bet they still haven't made backups?
Cheaper just to pay...
Re:Color me shocked! (Score:4, Informative)
There's another business model there for the criminals. They could provide backup service. You already have proof they know how to secure data and can get it back to you -- all they have to do is download it and keep copies and BOOM, they're a "cloud backup service".
Re:Color me shocked! (Score:5, Funny)
80% of people shocked get shocked again.
Re: (Score:2)
And the other 20% did not report.
Re: Color me shocked! [There is Justice in the wor (Score:2)
Mod parent funnier, subject to the new subject. But I still think it starts with live and let spam as a standard business plan.
Forrest Gump Says.... (Score:3)
Comment removed (Score:5, Insightful)
Re: (Score:1)
Do a simple exercise, figure out how much your organization would be willing to spend on a ransom, then have your organization spend accordingly on prevention and preparation.
So if you screw up you potentially pay 2x that amount?
I suspect there's easier ways to convince the CFO to invest in the appropriate risk mitigation.
Re: (Score:2)
Do a simple exercise, figure out how much your organization would be willing to spend on a ransom, then have your organization spend accordingly on prevention and preparation.
No. An asteroid impact on the company HQ is expensive. That doesn't mean you should spend that high amount on a giant shield.
The correct equation is ((Cost of a ransomware attack) * (Probability of a ransomware attack)).
Less than 1% of companies are hit each year. So if the cost of an attack is less than 100 times the cost of prevention, then it isn't worth it (on average).
Re: (Score:2)
Naa, that would be sane and a lot cheaper. Cannot have that. Management has a reputation for utter incompetence to uphold!
Re: (Score:2)
Spending that money on technology is likely wasted. While zero-day exploits remain a problem, far too many of the hijacked systems are hijacked by poor security _practices_ that will not be helped by adding money or technology to the equation. These include:
* System administrators or "architects" who refuse to change their passwords
* Laptops that are put on the same network as production hosts, databases, and storage servers with no firewall or other segregation
* Secretive security policies, kept secret to
Re: (Score:2)
They could fall under prevention. I'm pointing out that the frequent expenditure of large sums on sophisticated technological systems is often misplaced, and turns into this kind of XKCD published situation:
* https://xkcd.com/538/
Re: (Score:2)
Do a simple exercise, figure out how much your organization would be willing to spend on a ransom, then have your organization spend accordingly on prevention and preparation.
It's almost as if you think "prevention" has no other benefits apart from this...
Re: (Score:2)
They aren't paying. Their insurance companies are. At some point the companies will be uninsurable which will lead to improvements. Things don't get better because someone wants them to. Things get better when the status quo becomes more expensive than change.
OK, a less (maybe more) cynical response (Score:5, Insightful)
Mod parent up! (Score:2)
My comment posted to a previous story: We need in-depth reporting of cyber attacks.
Re: (Score:2)
20 years ago my friends and relatives outside the US were in real danger because of kidnapping where the victim paid the ransom. They were to various
Re:OK, a less (maybe more) cynical response (Score:4, Informative)
Oklahoma it is theoretically legal to run over a protestor
Only if it isn't deliberate and it's on a thoroughfare that wasn't closed off. This was basically in response to derps darting into traffic just for the sake of being obnoxious and then wondering why they woke up in a hospital. Depending on the state laws, I don't imagine there would be any liability on the part of the driver in such a situation, so I doubt their insurance rates would go up, unless they bent a fender or something, but even then the rates wouldn't go up a whole lot because it isn't a vehicle to vehicle collision.
Re: (Score:2)
For instance, in Oklahoma it is theoretically legal to run over a protestor
It's also legal to shoot someone in the face if they try to run you over, because Oklahoma has a stand your ground law.
That might not stop their car from hitting you, but if I went to a protest in Oklahoma* you can bet your asshole I'd come armed in case it went sideways. And if I'm gonna get hit anyway, and I've got time to draw, you can bet that same orifice that I'm gonna do my level best to perforate the motherfucker behind the wheel.
* Same for Florida, for the same reasons, and on the same legal basis.
Re: (Score:2)
> They could start with putting people in charge of technology that understand technology,
Sadly, many of the people negotiating for technology decisions are excited by very shiny toys. The number of complex anti-virus systems that interfere with ordinary system operation is stunning. But many security departments demand the latest expensive toy rather than insisting on proper backups, especially of the core configuration management hosts.
YOU HAVE WON!!!!! (Score:2)
Link? (Re:YOU HAVE WON!!!!!) (Score:2)
Link? What link? There was no link in the summary. Am I the only one left on Slashdot that reads the linked stories and noticed a lack of a link?
Think like an attacker (Score:5, Interesting)
The world is filled with countless organizations, some that are well defended against a ransomware attack, and some who are not. Who are you going to invest time in trying to attack? Organizations that have proven themselves to be vulnerable.
Security isn't as simple as turning on a firewall and doing backups. You need to know what systems exist and how to back them up, you need to know what services are supposed to be talking to what other services, you need to know what employees need to access what systems.
I don't think it's possible to secure an organization overnight, meaning that the moment you've proven to be vulnerable to one group all the other groups know that you're vulnerable.
"Code of Conduct" violation? (Score:3)
I thought the whole point behind Ransomware was that they always actually unlocked your files. If people didn't actually get relief they would stop paying so there is a financial incentive for attackers to actually have a code-of-conduct and good customer service.
Hitting the same target again, sounds like a violation.
"If I pay this, you probably just put a trojan deep deep in my systems and will make me pay it again, so fuck off, we're wiping everything and starting from scratch."
If this is true this should destroy the game theory on paying out.
Re: (Score:2)
It is exactly what most companies would do in response to a full takeover attack— anything short of it is ineffective. You might go department by department and isolate/segment systems as the process takes a long time, but you cannot trust any machines that haven't been replaced or at least wiped and isolated.
Re: (Score:2)
If you believed the hackers had any kind of ethical "code", you are really really dumb.
Re: (Score:3)
They probably have trouble excluding those they hit before from getting attacked again. The field of companies with utterly crappy IT security is vast enough that it is easy to hit targets again by accident, because you just did not remember you had hit somebody before.
Re: (Score:2)
You are ignorant of the ransomware business model against large corporations. The keys aren't the issue at all. It's shame site identification of corporation and posting of sensitive data that causes business loss and lawsuits far greater than the ransomware price.
Do NOT Feed The: (Score:1)
* Animals
* Hackers
* Trolls
* Audrey II
Once you pay the Dane-geld.... (Score:5, Informative)
Dane-Geld
A.D. 980-1016
It is always a temptation to an armed and agile nation
To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
To puff and look important and to say: --
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: --
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that pays it is lost!"
-- Rudyard Kipling (1911)
Re: (Score:2)
Thank you for posting this.
It should be required reading. The concept is simple, but those who do not study history...
Re: (Score:2)
Rudyard Kipling did not write history. Rudyard Kipling wrote fiction. The lesson is old, and presented in memorable poetry, but in practical terms refusing extortion from someone who can entirely bankrupt your company by doing nothing further, it's understandable for most to pay the Dane this year and hope to shore up defenses to prevent another invasion next year.
Re: (Score:2)
Rudyard Kipling did not write history. Rudyard Kipling wrote fiction. The lesson is old, and presented in memorable poetry, but in practical terms refusing extortion from someone who can entirely bankrupt your company by doing nothing further, it's understandable for most to pay the Dane this year and hope to shore up defenses to prevent another invasion next year.
It's understandable, but this kind of short-term thinking is wrong. Consider that there is no guarantee that you will get the funding to prevent another invasion next year. After all, you didn't get the funding last year, even though that would have prevented the ransomware attack.
In addition, there is the likelihood that the threat actors have scattered persistent backdoors throughout your computer systems. No matter how many you find, you can't be sure there isn't another. To be safe you are going to
Re: (Score:2)
Except the Danegeld actually paid for a navy and protected England against Viking raids from non-Danes (who were already Christian at that time and no longer raiding). Of course when England stopped paying and still hadn't their own navy, the Viking raids resumed, sometimes using some of the same mercenaries the Danes hired for the Danegeld.
Clearly says the ignorance/fault is (Score:2)
Don't download porn at work! (Score:2)
How hard is this? Just don't download porn or other sketchy crap on your work computer. Ever. That's where these attacks are coming from, people downloading "free porn" on work computers.
Re: (Score:1)
Your fake morality blinds you. If you had done any actual research instead of virtue signalling, you would know that "downloading porn" is not a major attack vector. Instead it is email attachments opened with crappy insecure "Microsoft standard" tools.
Re: (Score:2)
I download porn. Then I delete most of it. But the payoff is being able to watch it in VLC and smoothly skip to/past scenes. Using an embedded video player is painful, even on 400Mbps cable. (OK, it's not THAT fast, but it's far and away the fastest internet I've used)
Re: (Score:2)
And how many malware infections did you get from that downloaded porn? None at all would be my guess.
Re: (Score:2)
None because I'm not dumb enough to open email that promises me porn, I just go to the site and youtube-dl it. And I'm using noscript to block ads while I'm there...
Re: (Score:2)
I would like you to take a step back and think about this.
Who is paying for your porn? Porn make up a sizable portion of the internet. There are very large and expensive porn data centers to process and stream all that data. Who do you think is paying for it? Do you pay a subscription?
As the old adage goes, "If you aren't paying, then you are the product not the customer." Now think about who is paying? What ads have you seen on porn sites? I mean, how many Subaru ads have you seen? Probably none. The only
Good lesson on the benefits of disclosure (Score:3)
This is one of the reasons why it's incredibly helpful to disclose if you've been hit, etc.. This information is probably extremely helpful in deciding on paying the ransom in the first place, and ensuring it isn't repeated.. (And maybe getting help from the feds.)
I'd imagine the more disclosure, the more prepared people can be.
My car's manufacturer warranty is expiring AGAIN? (Score:3, Insightful)
But I just renewed it last week!
Re: (Score:2)
It also shows that they're willing to sell out their fellow criminals to advance their own interests.
If anything the ones most likely to put a stop to them are other ransomware gangs whose profits are now on the line because these idiots are derailing their gravy train
Wow, who would have thought? (Score:3, Insightful)
Damn, I never would have seen it coming.. it's almost like, if you reward a certain behavior, that behavior will be repeated..
My mind is blown.
No surprise (Score:2)
If you get hit and paid, it means you were badly prepared. That in turn means you need to invest significant effort and time into getting prepared, and, in many cases, you may have to get rid of some incompetents in "leadership" positions. Many companies fail at these steps or are too slow, and so they remain vulnerable. Not being prepared for ransomware is an expensive strategy these days.
Sounds plausible (Score:2)
Re: (Score:2)
Big corps pay to not have their name and sensitive data posted on shame sites. That causes business loss and lawsuits of greater value than the thugs' demands.
Just install Russian virtual keyboards (Score:3)
yes of course they did (Score:2)
Small wonder (Score:2)
It's the First Law of Blackmailers.
They always come back.
This is EXACTLY what I said (Score:3)
I said paying out a ransom lets attackers know you are a cash machine.
I was "informed" by some dildo that they wouldn't bother because they know you improved security.
That person (who shall go unnamed because they are unimportant) forgot that security is not a product, it is a process, and the people who fuck it up once are likely to fuck it up twice.
Re: (Score:2)
You don't fully understand the ransomware issue. Getting keys to decrypt isn't the only thing for sale, they have shame site where they post victim and sensitive stolen data they use for extortion. This causes massive business loss and lawsuits.
Re: (Score:2)
Even if you pay doesn't mean it still won't get exposed. Better off not paying.
Re: (Score:2)
You don't fully understand the ransomware issue.
Says the guy who goes on to prove that he doesn't fully understand the ransomware issue with his comment.
Getting keys to decrypt isn't the only thing for sale
Frankly worthless keys, you can't trust that your data is how you left it, so you have to restore from backups anyway.
they have shame site where they post victim and sensitive stolen data they use for extortion
Which you can't stop them from doing by paying.
This causes massive business loss and lawsuits.
Which can happen whether you pay or not.
You don't seem to understand that there's no honor among these people, paying them means nothing except they're richer and you're poorer.
nt (Score:2)
Millions for defense, but not one cent for tribute.
Also, did anyone really expect there to be honor amongst thieves?
More worrisome way to view this (Score:2)
After being hacked/breached, one would expect a major institution to call in a first-class expert team to examine their systems and procedures to prevent recurrences. The fact that 80% of the time these companies are hit again indicates that it is IMPOSSIBLE to prevent hacking! Whether that's due to the CIO refusing to implement the recommended strategies no matter how draconian, or simply that there will always be undiscovered 0-day exploits no matter how many eyes, can't be predicted just from that statist
Re: (Score:2)
After being hacked/breached, one would expect a major institution to call in a first-class expert team to examine their systems and procedures to prevent recurrences.
Only if "one" is living in deep denial.
The fact that 80% of the time these companies are hit again indicates that it is IMPOSSIBLE to prevent hacking!
No, it certainly does not. It indicates that companies that failed at security once failed again. Say it with me, say it again, say it loud and proud, Security is not a product. You can't simply buy security. You have to change your processes, not just the shape of your network, though network design is also critical.
Another law? (Score:3)
Re: (Score:2)
Do we need another law on the Federal books that makes paying ransoms illegal?
Yes. And the fine for doing it should exceed the ransom, and be spent on improving security somehow (though I'm not sure how you could improve security by spending money unless you used it as campaign funds for someone who wanted to reform the NSA.)
Outlaw paying ransoms. (Score:2)
It seems a bit weird but honestly outlaw that stuff.