While these stories are becoming all too common, I’d like to think that while we’re in a golden age of ransomware payouts, it will lead to actually caring about security by many of the high-profile affected companies.
While the overall cost may be low for them, if they don’t make meaningful changes to prevent these issues in the future, it’s not hard to imagine it might add up quickly.
I don’t support these attacks and some of the targets in particular are insidious, like hospitals where an attack could lead to an actual death toll, but it might actually be the kick in the ass many organizations need to actually care.
It’s sad that it’s come to this point but the end result may be better for everyone.
> It’s sad that it’s come to this point but the end result may be better for everyone.
Meanwhile in the real world, a company I develop for implemented the most draconian security measures to "prevent ransomware".
Development environment is a virtual machine at the other end of the world, with disabled copy-pasting from and to the local system. A complete separation between safe internal network and unsafe development environment. No copy pasting from and to email, etc. Horrible environment to work in.
The security policy was draconian to the extent I’m sure it was well intentioned but led you to do things in the least secure way possible as it was the only way to complete a contract.
I.e. the servers on the other end running Windows 7 (in late 2019) were so old they didn’t have the required CPU instruction set to run some required software. Likewise, input lag was extremely noticeable, to the point you hit a key, wait one second, then press again thinking something went wrong, only to have to press delete some seconds later.
How did I deliver that project? Developed on my own local machine, emailed the artifact, obfuscated, to the corporate email address, logged in to the corporate laptop, then Citrix, then ssh’d the artifact up to the cloud EC2 servers.
That’s another one. The cloud EC2 servers. No public outbound internet, no internal trusted repositories. What was the accepted way of setting up the servers? Going to random internet sites, downloading random binaries to your Citrix account, scp’ing them to the servers. Trying to explain how stupid this is gets nowhere in organisations with thousands of people. When you mention trusted artifact repositories, immutable / reproducible builds, deployment pipelines, the answer was we don’t have this as they didn’t meet security guidelines.
This was a tier 1 bank. Experience is that the bigger the company, the worse things are, due to the size and different teams/departments being so disconnected.
The organization has externalized all the responsibility for the next breach to you, the individual contributor who is breaking security protocol to get work done.
When we little employees roll our eyes and say "this doesn't make sense," we're telling ourselves a comforting lie because the situation you describe DOES make sense- from the organizational perspective.
Management did everything their rules allow to make the computing environment safe, but you, the individual, hacked an unsafe circumvention into the workflow by finagling some personal website and using SCP. I bet none of that process is documented- and if it is, whoever made that documentation is now the responsible party and fall guy.
Get email approval, aka written documentation, of all process steps from people one step up on the food chain. Explain why it’s needed so they are squarely the decision maker.
The setup you describe sounds less like draconian security and more like a half-baked solution that confused usability hurdles for security. Just because security usually brings lower usability, it was probably (wrongly!) assumed that lowering usability will bring security.
How do top tier tech companies, who are very likely continuous targets for this kind of thing, avoid ransomware attacks? I know there's nothing like that at my employer.
1) App whitelisting. This is not the strongest mitigation (attackers with exploits can move in memory), but it stops drive-bys and 99% of malware, plus it massively reduces noise on the network.
2) Reduce lateral movement. If the attacker accesses an employee laptop, encrypts it, but can't move to other devices, that's not a very compelling ransom.
As someone who runs a bank's internal Red Team group, the App Whitelisting is the biggest roadblock for us. Carbon Black (if properly set up and tuned) is a large leap to overcome. Drive-by attacks just stop; you need a dedicated method to bypass Carbon Black. That is usually very org dependent.
You don't know Carbon Black is there until something doesn't work. That "not working" propagates an alert up to the security team.
App whitelisting is rarely rolled out, but it's just such a definitive win these days.
a) You just kill ~85% of malware (rough estimate, probably technically higher, but I'm basing that on stats around interpreter-based/LOLBAS malware). Anything that isn't targeted is probably dead in the water.
b) You know exactly what's running on everyone's computers, more or less, so you have a way easier time baselining and building monitoring.
It's honestly easy-mode for security. But it's hard to roll out to a company a decade after it's been running, so you really need to do it early on. And most orgs don't care about security until after a breach, at which point they're too large and slow to get something like that done.
It's easy-mode for security because it offloads the cost of security to employees. Done right, many hands make light work. Done wrong, it's the very picture of "if nobody can use it, hackers can't either."
I'm interested in learning how to do this right, because I've only ever seen it done wrong. How do you streamline the process for getting programs approved? How do you accommodate developers who need to generate and run code?
> It's easy-mode for security because it offloads the cost of security to employees.
Yeah, absolutely. But I consider this to be, when done right, a good thing. A single security team is going to drown trying to scale your company's security asymmetrically with your company's growth. For every 1000 developers you might have 5-50 security engineers depending on how serious the company is about it. Spreading out security work across the company scales extremely well.
Of course, you want to minimize burden too.
There are a number of ways you can go. Personally, at my company, we're so small that it's trivial. We rarely onboard new employees and pretty much all approvals are handled within a few minutes of the employee getting their laptop.
Upvote-like systems basically give you reputation based approvals. If you can convince a number of your coworkers that the app is worth installing, you can install it. I've seen a number of systems built this way that combine crowdsourced approvals with other forms of reputation.
At my company we use Chromebooks. Apps/Extensions are only allowed once approved. The Linux environment is where development happens.
This is nice because there's a strong separation between environments. That said, we don't do any sort of application whitelisting in the Linux environment today, due to a lack of tooling support.
If we did, what I'd like to do is just have simple rules like "If the binary was created by gcc etc allow it to execute". Santa allows for process-tree based rules like this.
Another option is developer VMs like in EC2. These can be nice for devs because they're often much more powerful than a laptop anyways. It requires a bit of tooling to work smoothly though with local IDEs and whatnot.
We're trying to do much of what you mention here. It ain't easy. Here are some of my thoughts, as one of the people in Development trying to achieve it.
The app whitelist impairs my efficiency, and honestly takes a fair amount of fun out of work. I can no longer use many of the tools that help me, and instead am confined into the corporate-approved structure. This is both a productivity issue and a job satisfaction issue.
Trying to separate our development workstations, and dev environment overall, from the rest of the sordid mess, is extraordinarily difficult. We're trying to do something similar to what you recommend, with developer VMs running in our internal ESX cluster. However, that technology conflicts with Microsoft's Hyper-V (we're a MS shop). We're trying to get to Docker/k8s, but we can't run Docker inside a VM that runs in ESX. So we're trying to offload the actual execution of the system, even for local testing, into DevSpaces. But there's a lot to figure out, and DevSpaces is a young product. Further, private AKS environments are a new thing in Azure, and we've a couple of times now run into roadblocks with MS's own growing pains.
Your "upvote" system seems to have merit, but with, I dunno, 50 or 60 devs, spread across several teams focused on different tech, it doesn't seem like it would scale well. Coming up with the right mix of apps, and convincing our Risk team, is very difficult. Especially when so much of their pushback seems confusing (like, DBeaver was denied as a FOSS product, but approved when we paid for the Enterprise version).
> I can no longer use many of the tools that help me, and instead am confined into the corporate-approved structure. This is both a productivity issue and a job satisfaction issue.
Out of curiosity, like what?
> Trying to separate
Yeah, like I said, starting early is going to make things much easier. If you're trying to get to this place later on, it's just wayyyyyy harder and most orgs can't get there. This is often the case with security - if you build your code, infra, policy, etc, with security in mind from day 1 it's 1000s of times simpler than doing it even just a few years later.
> Coming up with the right mix of apps, and convincing our Risk team, is very difficult.
Oh yeah, a risk team can be the real killer. That's why upvote is nice - security only gets involved if something is flagged. But if your risk team isn't willing to work with you that's a problem, and it sounds like yours isn't doing the work consistently.
To me, approval should be easy. Even if a malicious app is approved that's often still a huge win - the attacker can't use many of the tools and techniques they're used to. Obviously you want to avoid that compromise too, but it isn't the whole entire goal.
We whitelist some vendors entirely. Our app whitelist request form is:
* What risks are there with this extension/ app?
* Is there another approved app that can do this, and if so, why do we need this one?
* How will this app help you? What is it for?
That first question is really important because people usually have a decent understanding of what the app should/ shouldn't be doing, or if the risk should be trivial. It's all about spreading the assessment out.
Active defense is another option. It is possible to set up a trap such that when certain canary resources are modified they trigger an action to disconnect and lock out the offending user account as well as alert admins to the issue.
98% of the time this will be triggered by an admin performing a task that just happens to touch that resource, but it is incredibly helpful the other 2% of the time.
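The canary trap described above, as an added example (not code from the thread): a monitor that consumes file-audit events, and when a canary resource is modified returns the containment actions (lock the account, disconnect its sessions, isolate the host) plus an admin alert. The canary paths and the audit events are constructed; an admin backup job that writes a canary trips it exactly like an intruder would, which is the false-positive rate the comment describes.

```python
"""Canary-resource tripwire (added example; paths and events are constructed)."""
from dataclasses import dataclass, field

# Canary resources: files no legitimate workflow should ever modify (assumed paths).
CANARY_PATHS = {
    r"\\fileserver\finance\~$Q3_forecast_DO_NOT_EDIT.xlsx",
    r"\\fileserver\hr\payroll_archive\.canary",
    "/srv/shares/engineering/.tripwire/keys.txt",
}
# Operations that mean the canary was changed, not merely opened or read.
MODIFY_ACTIONS = {"write", "rename", "delete", "chmod"}


@dataclass
class Response:
    actions: list = field(default_factory=list)  # (verb, target) tuples, in order
    alerts: list = field(default_factory=list)   # human-readable admin alerts


class CanaryMonitor:
    def __init__(self, canaries, modify_actions=MODIFY_ACTIONS):
        self.canaries = {p.lower() for p in canaries}  # case-insensitive match
        self.modify_actions = modify_actions
        self.locked = set()  # accounts already locked by an earlier trip

    def handle(self, event):
        """Return the Response for one audit event; non-canary events yield nothing.

        There is deliberately no allowlist for admins or service accounts: the
        whole value of the trap is that *any* modification is treated as hostile
        and the account is contained first, then a human sorts it out.
        """
        resp = Response()
        path = event["path"].lower()
        if path not in self.canaries or event["action"] not in self.modify_actions:
            return resp
        user, host = event["user"], event["host"]
        if user not in self.locked:
            # Contain the account once; repeated trips by the same user add no new lock.
            resp.actions.append(("lock_account", user))
            resp.actions.append(("disconnect_sessions", user))
            self.locked.add(user)
        # The host that touched the canary is isolated on every trip.
        resp.actions.append(("isolate_host", host))
        resp.alerts.append(
            f"CANARY {event['action'].upper()} {event['path']} by {user}@{host} at {event['ts']}"
        )
        return resp


# Constructed audit events (not real logs): a normal write, a read of a canary
# by a backup job (no trip), then two modifications of canaries by one user.
SAMPLE_EVENTS = [
    {"ts": "2020-07-30T02:10:01Z", "user": "jdoe", "host": "ws-114", "action": "write",
     "path": "/srv/shares/engineering/README.md"},
    {"ts": "2020-07-30T02:10:05Z", "user": "backup-svc", "host": "bk-01", "action": "read",
     "path": "/srv/shares/engineering/.tripwire/keys.txt"},
    {"ts": "2020-07-30T02:11:40Z", "user": "jdoe", "host": "ws-114", "action": "write",
     "path": "/srv/shares/engineering/.tripwire/keys.txt"},
    {"ts": "2020-07-30T02:11:41Z", "user": "jdoe", "host": "ws-114", "action": "rename",
     "path": r"\\fileserver\hr\payroll_archive\.canary"},
]


def run_feed(monitor, events):
    """Feed events through the monitor; return (actions, alerts) in order."""
    actions, alerts = [], []
    for ev in events:
        r = monitor.handle(ev)
        actions.extend(r.actions)
        alerts.extend(r.alerts)
    return actions, alerts


if __name__ == "__main__":
    acts, als = run_feed(CanaryMonitor(CANARY_PATHS), SAMPLE_EVENTS)
    for a in acts:
        print("ACTION", *a)
    for m in als:
        print("ALERT ", m)
```

The response actions are returned as data rather than executed, so the caller decides how to wire them to a directory service, VPN concentrator or EDR isolation API.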
Can't you just still do a screenshot/screen recording and use OTR on it? Or just use a keylogger for logging what you typed (and just use keylogger to retype it)?
It definitely makes the costs of bad security immediately obvious to the company, rather than just taking the data and selling it, which externalizes the cost to the user.
To me this seems kind of like a company that has a big warehouse full of product that intentionally (or carelessly) neglects its fire alarm and fire suppression system. Or a warehouse of valuable product (say, many pallets of $5000 DSLR cameras) that has very lax security. It's the network security and endpoint security version of that.
It's not absolutely guaranteed that your warehouse is going to catch on fire, or that some guys are going to back up a box truck and clean out your valuable inventory at 3am, but there is a high likelihood of it occurring.
> While these stories are becoming all too common, I’d like to think that while we’re in a golden age of ransomware payouts, it will lead to actually caring about security by many of the high-profile affected companies.
It may also lead to companies paying for a more aggressive response. Uber has been known to deal with fraud by eventually finding the fraudster, even in Nigeria, and having them "visited".[1]
[1] "Super Pumped: The Battle for Uber" Isaac, (2009)
And just to clarify for others, "extralegal" isn't necessarily bad, and does not mean illegal. It simply means not regulated by the law one way or the other. Calling a Nigerian lawyer and having them talk to someone is definitely not illegal.
Bug bounties work well for publicly accessible systems, e.g. a site's web service. As a result, many of the more visible break-ins occur through phishing or spear-phishing and combine social engineering with malware as well as classical intrusion techniques from within the network perimeter.
No worse than us being unable to take an extremely obvious joke as a joke, and feeling the need to respond to it as if it wasn't meant completely in jest.
The people releasing terrible software (that has a default-open admin port with no login credentials and no filtering, as just one of many examples) are not usually the ones who end up paying the ransoms.
I'd argue on the scale of a company like in this example and other high-profile example that if you're integrating software with such glaring holes in your network then you're the one who is culpable.
Obviously if there are unknown vulnerabilities that is one thing, but there is a level of due diligence you should practice as the operator.
Back in 2018 I spent six months trying to get a small software shop to implement automated backups as their answer to ransomware fears (on top of the usual anti-malware and restrictions on lateral movement where we could put those in).
They didn't object to the idea insomuch as they had somehow convinced themselves that they needed some kind of security specific product. We were never able to tease the shape or color beyond a silver bullet.
When basic business continuity planning with simple tools that companies should have anyway for a dozen reasons still aren't deployed, I'm pessimistic that this phenomenon is going away anytime soon.
"Ransomwair Protect for National Security is detected suspicious activity on your computer. Please be call Windows technology Support for assistence with the files at 1-800-xxx-xxxx as required by the FBI and IRS required laws." [sic]* /s
At the very least they should require full disclosure, including an analysis of how the hackers were able to breach their systems.
I believe that some laws requiring notification to customers in case of a data breach would already cover this. However, from another article I found this statement from CWT:
"While the investigation is at an early stage, we have no indication that personally identifiable information/customer and traveller information has been compromised."
That appears to be a complete lie based on the chat transcripts, and if so I hope CWT is punished legally for it.
Easy to go around that; companies will just pay an offshore company that can recover the decryption key (and they do so by using part of what you pay them to pay the ransom).
Given that the alternative is usually the business folding, I don't think this is likely to happen.
Edit: also, I don't think that making getting hacked more onerous while keeping software developers completely legally immune from liability for the software getting hacked would be politically sustainable either...
> Nothing will change until they make it a felony to pay a ransom.
It already is a felony to pay ransomware attackers in the US, depending on who attacked you.
Many of the principal ransomware gangs are listed as OFAC [1] restricted entities. If you pay them, even indirectly, you are as criminally culpable as if you sent sponsor dollars to ISIS or another terrorist or organized crime entity.
Garmin’s execs are in for a big surprise when the Treasury agents come to visit.
On what grounds would you make a monetary transfer like this illegal? Why a felony? What's the punishment? Who gets punished when a public company does it? You can't charge a company with a felony (usually). What about a private company? LLC? Sole proprietorship? What about my laptop, can I pay a $1000 ransom for that?
Yes, but the affected company is the one paying the ransom. Make that a felony and suddenly their choice is to invest in security or risk having their business halted for potentially months.
> It’s sad that it’s come to this point but the end result may be better for everyone.
You make a lot of good points, but I am afraid that when such organizations start caring the cure will be worse than the disease. Some of this already leads to either draconian security policies (that make development hard but do not improve ransomware security by much) or passing the risk on someone else, for example by buying a security policy (which increases costs, but seldom improves security). Similar to most restrictions introduced "because pornography" or "because terrorism" those are likely to be mostly a drag on society.
We might eventually get to better security practices: general policies that are easy to implement and not onerous to comply with and flexible exceptions, where the damage is small and relaxing a policy leads to other improvements, but this state seems very far away. My 2c.
For some context about CWT (I was curious about these figures) -- via Wikipedia[1]:
* US$1.5 billion in revenue
* 18k employees
For a firm like this, the payment probably amounts to a small uptick in a small portion of their IT budget and won't even come close to hurting them (and, frankly, neither would the $10m figure).
It's insane that this is the case and that companies are willing & able to pay ransoms like this, but the hackers were right - the payment is much less than lost business, bad PR, etc. if the actual information had leaked. Such is where we are.
I don't know about that. For one, travel margins are not exactly the same as SaaS margins. Secondly, there's the global pandemic and all, kinda hurts the free cash of most travel companies.
I wouldn't be surprised if they genuinely would have trouble coughing up 10 million two days after the attack hit.
They're what we call a travel management company (= travel agency + software solutions). Their margins are close to the travel agency's though, as that represents the vast majority of their revenue. They're particularly exposed to business travel, so even worse for them at the moment.
It depends if they report revenue gross or net. If it is gross that means they recognize all booked travel as revenue (and earn a margin on top of that) instead of just recognizing their fee as revenue. In that case it would be much worse margins than a mature SaaS company.
If I had to guess based on the figure, I would guess gross but I'm not sure.
Sorry I should have clarified -- according to Wikipedia, they had $1.5 billion in actual net revenue by processing $23 billion in transaction volume (aka GMV).
It doesn't matter how big your company is, every penny still gets counted. This will come out of some department's budget and have an adverse impact on operations or even cost them some employees. Hopefully whoever was auditing their security.
For all we know their security folks have been warning about something like this and have been pooh-poohed by senior management for years. Sometimes the auditors can only lead the horse to water.
At the bottom of the thread the ransomers gave them security advice. Therefore this is an "unplanned penetration test" and gets filed as "consulting" on the expenses side of the accounts.
Almost all money going out of a business can be deducted from money coming for purposes of counting taxable profit. I'm having a hard time thinking of one that isn't.
In Portugal you can actually make a payment as "Confidential or Undocumented Expense" (with no invoice supporting it), making it taxable instead of tax deductible.
It might over time. If I was deploying ransomware, the first thing I would do after receiving a ransom payment from a company would be to try them again in a month or two.
And if you don't 'visit' them in a month or two, someone else like you will visit them. Now they know their security is crippled, there is no way they patched all holes (system, process, operations) on such short notice, and we know they can be blackmailed and pay big money.
The only way to mitigate this risk is to actually walk the walk (implement appropriate security controls).
Whilst paying the ransom is often advisable in specific cases like these, it’s absolutely a bad thing for society as a whole. Seeing successes like this will encourage organised crime to keep doing this, as they know there’s gonna be a big reward. It’s like the prisoners dilemma. If people didn’t pay the ransom, there wouldn’t be ransomware. But people don’t take precautions, so they have to pay the ransom, leading to more ransomware... it’s a vicious cycle
To be honest, just how bad of a thing is this? It’s a direct financial punishment for a company with lax security practices. It encourages greater security practices.
The money is funnelled to a criminal group, but what difference does it make? Some people consider the USG to be a criminal group; many people are out on the streets for that. My tax dollars directly go to corrupt crooks and nonexistent companies claiming billions for nonexistent PPE.
As a member of society, I don’t care if I’m paying a professional ransomware group, or a professional corruption gang.
> It’s a direct financial punishment for a company with lax security practices. It encourages greater security practices.
That argument could be used to justify any theft or even kidnapping.
I know many people who grew up in countries where kidnapping was a very real concern. Consequently, they had to adopt "greater security practices" and it had a very real, negative effect on their lives.
There are real harms to ransomware. Companies go out of business, people lose their jobs, people lose their service providers, etc.
To say, "it serves them right for not following proper security" literally can be said for a mom/pop business in a poor neighborhood who didn't have bulletproof glass or bars on their windows. It is negating the fact that (a) the harms are very real and (b) security costs money and resources, which is effectively another tax on their business.
If instead the government made it illegal to pay such ransoms and actively audited large BTC transactions and charged people accordingly, then we could get rid of the incentives to do this in the first place.
The government should similarly hold firms accountable when they are hacked (due to the harms on consumers) and require prompt disclosure of any hacks.
There are ways to incentivize the preferred outcomes without supporting the active theft of property and destruction of someone's business.
Physical and digital security aren't the same thing. There's no such thing as "this website is in a bad internet neighbourhood and should take extra precautions".
I get where you're coming from but you can't really just flat out say "you can justify kidnapping with the same logic". Like, no, you can't. Fully agreed the government should be the ones playing the role of incentivizing security, but you can't then go back and say that security takes time and money those companies should not have to spend. They should, regardless of who keeps them accountable for it...
In addition, the company isn't the only victim in a ransomware attack, its customers are too.
And does anyone really believe the hackers deleted the data off their own servers? They can easily double-dip by selling that information. It's valuable, so why would they delete it?
> As a member of society, I don’t care if I’m paying a professional ransomware group, or a professional corruption gang.
The kidnapping analogy makes for a better understanding of why paying ransoms is bad for everybody else. If kidnappers know, or really just think, that they’ll get paid, they’re more likely to kidnap and hold hostages.
It’s not that companies are not solely responsible for their own lax security policies. It’s that incentivizing the exploiting of them is bad for society.
I don't think it does. It puts a much more tangible value on security, which encourages businesses to do a risk analysis like 'Do we spend $1m on security every year, or accept that there's a 0.xxx probability of a $4.5m ransom every n years?' That cost base analysis is often used to reduce the value of things that aren't obvious profit centers.
> To be honest, just how bad of a thing is this? It’s a direct financial punishment for a company with lax security practices. It encourages greater security practices.
I see your point but this is flat-out organized crime, extortion to be precise. How long will it be before we're all making protection payments to ransomware groups?
A difference to physical "protection" schemes is that the group you'd pay to might actually keep other groups out of what they consider their turf. Ransomware attacks are not geographically bound, so I really doubt that similar structures would develop there. With growing numbers of ransomers, demands just wouldn't stop until either the company runs out of money or security gets good enough to keep them out.
Organized crime has a specific meaning. Whether this particular outfit is one or more people has no bearing on the use of the term organized crime in this instance.
It sucks for the people who got their personal information caught up in this. They do more than just encrypt your files, they typically siphon as much data as possible from the companies before they execute the ransom part.
I agree. It's a trade-off, especially if you're a startup or a company with a hot product trying to beat competitors to market. Security practices would translate to loss of opportunity, so maybe it's a worthwhile trade-off to pay 1% of the gained revenue to these kinds of threats as a company. Unless there are harsher penalties and victims start caring more (and are given more tools and power to punish the companies that make that trade-off), this situation will remain.
But then again, this makes the barrier to entry even higher for newcomers and gives an unfair advantage to the entrenched players. Tragedy of the commons?
The folks like this should actually do a startup. Hardening security is often just keeping up with and following checklists, installing proper monitoring, backup and audit software; however, for the large majority of companies it is impossible to hire competitive security specialists. These guys can scale up by hiring 100s of employees who they train on different aspects and contract with small firms like these at an annual subscription. That would enable them to make much more than $10M. With their current approach they will almost certainly get traced eventually and end up in jail.
They are likely based in a country not regarded to be a technology leader. Say you were the CTO of a firm looking to improve security, would you engage a Nigerian cybersec consultant? Almost certainly not, you would look in your home country, or the US/Europe.
If they were to start a consultancy, even if they are as skilled as anyone else, they’d have an uphill battle from the get go; and have to either stick to their home market, or heavily discount their services. Either way making less than from their ransomware.
If you live in the third world, that immediately puts you on the radar of corrupt government officials and organized criminal organizations that want to extort you.
The ransomware gig allows you to stay small and keep a low profile. Nobody has to know that you are raking in the cash until you pack up your family and book it to Tahiti.
> With their current approach they will almost certainly get traced eventually and end up in jail.
Prison in a first world country is a lot better than getting executed, watching your family get executed, or getting kidnapped and forced into slave labor for the local mafia boss.
There was a post on here a few days back about why it's not that simple. Basically, by the time your stuff is ransomed, they've potentially been in your network for a long time. There's no telling how far you have to go in your backups to make sure they are gone. Who knows, maybe they wait on your computers for several months just so restoring from backups isn't a realistic option, and punish you for trying.
What? I mean back up your data. Not your whole... computer, or whatever. Install latest software, import data from back up, back in business.
It's trivial to tell intact data from ransomed data - the latter looks like random noise, as it's encrypted.
If your backup process "isn't that simple", then you should make it that simple. Otherwise failure looms.
You misunderstand. I'm saying the network has potentially been infiltrated for months, and there's no telling what configuration and files have been altered to facilitate future infiltration. See further discussion here: https://news.ycombinator.com/item?id=23929344
> With their current approach they will almost certainly get traced eventually and end up in jail.
Depends. If they are a couple of guys (or a single guy), and it's a one shot for him, he has very good odds of getting away with it. Cleanly launder his BTC and then move somewhere not suspicious and keep a low profile. At the end of the day, $4m is not that much money (i.e., not able to afford multiple Ferraris).
You would need a way to legislate this globally. Outlawing it here in the US only intensifies the prisoner dilemma aspect of this - the criminal enterprises keep winning the remaining 85% of world GDP, while all US companies suffer the most from the ransomware.
You'd likely still see US companies pay the ransom anyway, but just try to keep it secret. Probably less risky than losing their crucial data and systems.
Not to mention the fact that the money could be going to terrorists or rogue states. This is clearly unethical, and IMHO should absolutely be against the law.
Here's a link to (photos of an LCD screen of) more of the chat; does anyone know where to get the full transcript? Feels like it has to be available somewhere.
If anyone is interested, I wrote a python script to track where transactions from this address lead. It constructs a tree with this address being the base node, and addresses it has sent bitcoin to being the leaves.
It didn't really lead anywhere substantial, but it was interesting to see how many addresses got involved after the depth of the tree exceeded 4.
As another commenter pointed out, some of these addresses have obscene amounts of money going through them. Really makes you think about the scale of these tumblers. 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s is an example, with about $108,081,555,724 having gone through it, and a current balance of $51,644,803
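The tree-building the comment describes, written out as an added example (not the commenter's script): the ransom address is the root, and each child is an address that received an output of a transaction spending the parent's coins. The transaction list is constructed and embedded so it runs offline; a real run would fetch transactions from a node or block-explorer API (assumed, not used here). It also does what the follow-up comments discuss: counts addresses per depth and flags in-tree addresses whose total inbound volume dwarfs the root's outflow, the pattern the thread reads as a tumbler.

```python
"""Follow outgoing payments from an address (added example; data is constructed)."""
from collections import defaultdict, deque

# Constructed transaction graph. Amounts are BTC; addresses are placeholders.
TXS = [
    {"txid": "t1", "inputs": ["ROOT"], "outputs": [("A1", 300.0), ("A2", 150.0)]},
    {"txid": "t2", "inputs": ["A1"], "outputs": [("MIX", 299.9)]},
    {"txid": "t3", "inputs": ["A2"], "outputs": [("B1", 75.0), ("B2", 74.9)]},
    # The mixer pays out small amounts and sends its change back to itself.
    {"txid": "t4", "inputs": ["MIX"], "outputs": [("C1", 10.0), ("C2", 10.0), ("MIX", 279.9)]},
    # Unrelated deposit into the same mixer address: inflates its volume.
    {"txid": "t5", "inputs": ["OTHER"], "outputs": [("MIX", 5000.0)]},
    # A cycle back to the root; must not loop forever.
    {"txid": "t6", "inputs": ["B1"], "outputs": [("ROOT", 1.0)]},
]


class FlowTracer:
    def __init__(self, txs):
        self.spends = defaultdict(list)     # addr -> transactions spending from addr
        self.received = defaultdict(float)  # addr -> total BTC ever received
        self.txids = defaultdict(set)       # addr -> every txid touching addr
        for tx in txs:
            for a in tx["inputs"]:
                self.spends[a].append(tx)
                self.txids[a].add(tx["txid"])
            for a, amt in tx["outputs"]:
                self.received[a] += amt
                self.txids[a].add(tx["txid"])

    def trace(self, root, max_depth):
        """Breadth-first from root. Returns (children, depth_of):
        children maps an address to the addresses it paid that were first reached
        through it; depth_of maps every reached address to its hop count."""
        children = defaultdict(list)
        depth_of = {root: 0}
        queue = deque([root])
        while queue:
            addr = queue.popleft()
            d = depth_of[addr]
            if d >= max_depth:
                continue
            for tx in self.spends[addr]:
                for child, _amt in tx["outputs"]:
                    if child == addr:
                        continue  # change back to the same address is not a hop
                    if child not in depth_of:  # first sighting -> tree edge
                        depth_of[child] = d + 1
                        children[addr].append(child)
                        queue.append(child)
        return dict(children), depth_of

    @staticmethod
    def addresses_per_depth(depth_of):
        counts = defaultdict(int)
        for d in depth_of.values():
            counts[d] += 1
        return dict(counts)

    def suspected_hubs(self, depth_of, min_received):
        """Addresses in the tree with inbound volume at or above min_received."""
        return sorted(a for a in depth_of if self.received[a] >= min_received)


if __name__ == "__main__":
    tracer = FlowTracer(TXS)
    children, depth_of = tracer.trace("ROOT", max_depth=3)
    for parent, kids in children.items():
        print(f"{parent} (depth {depth_of[parent]}) -> {kids}")
    print("addresses per depth:", tracer.addresses_per_depth(depth_of))
    print("high-volume addresses:", tracer.suspected_hubs(depth_of, 1000.0))
```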
I would assume one address with 377k transactions that has seen over 131 million BTC move through it strongly implies it's some sort of tumbler address. I'm not sure why reusing one address like this would make any sense though...
It is more difficult to trace funds through a single node with a gazillion transactions. This is part of the laundering scheme. Of course, all such addresses are immediately suspect, but if they pay out to innocent addresses too... it's difficult to distinguish between signal and noise.
When I started my career I'd always hear old greybeards talk about "oh this one time.. some certain thing happened, and everyone learnt a lesson" and I feel like I just witnessed one of those come into existence
But it's not like the problem is solved now. They still need to secure their systems, especially now that criminals know that this company is willing to pay out.
A company of this size? Just 10 or 20 times I'm guessing, which really doesn't seem like a high multiple. This is why laws are required to correct the incentives here.
Let this be a lesson to those that say bitcoin and other cryptocurrency has no real value outside of speculation.
This kind of attack would be almost impossible in the pre-bitcoin era. The difficulty of receiving that volume of money in that short of a period of time in a difficult to trace manner is a new thing.
We are entering a new era where crime can pay in very large sums with orders of magnitude less complexity.
Instead of democratizing currency, we're democratizing large scale crime. Previously only large organized crime organizations could perform such an attack. Now, almost anyone can.
>Let this be a lesson to those that say bitcoin and other cryptocurrency has no real value outside of speculation.
>This kind of attack would be almost impossible in the pre-bitcoin era.... Instead of democratizing currency, we're democratizing large scale crime.
Just wanted to make this same point - right now, cryptocurrency has negative value for society. Perhaps this is a justification for banning the current implementations.
We need to make laws in western countries that paying off these kinds of ransoms is illegal. It gives money to criminal elements and only encourages this. I also thought it would be possible for powerful law enforcement groups to follow the bitcoins even through exchanges. Why does this not run into the worldwide hunt for the perpetrators?
It's theoretically possible for powerful state-level adversaries to follow bitcoins through tumblers and exchanges (if they operate the former). Also, at some point, you're going to have to be paying rent, so you'll need to turn your BTC into dollars or pesos or pieces of eight, and may need to explain to your friendly tax authorities how you came by 4.5 million USD worth of BTC.
In practice, though, it's not clear what exactly are the capabilities of each branch of law enforcement.
In a lot of jurisdictions, your friendly tax authorities won't ask or care; international fraud is a valuable source of foreign currency for many countries as long as you're reasonably discreet about it. Banks and payment processors can't afford to be nearly as blasé, because they're at far greater risk of facing international sanctions; Bitcoin provides an essential layer of obfuscation and deniability.
In the US for example, there's an actual field in your 1040 tax return for entering income from otherwise undeclared illegal businesses. Putting your drug or extortion money there and paying taxes is not admitting guilt and can't be used against you IIRC.
Tax fraud is usually much more painful to suffer from instead of a simple drug charge or illegal gambling charge. If you get nicked on drug charges there will be parallel reconstruction to get you on tax fraud despite this "not happening" between US government branches.
I think you have it backwards. If you commit tax fraud, you will be prosecuted. And the FBI will work with the IRS to do this.
But, supposedly, putting a non-zero value in the "illegal income" field of the 1040 (which ISN'T fraud) both (1) can't be used as evidence against you in court, and (2) isn't reported by default by the IRS to the FBI or other law enforcement agencies, so you don't end up on any watch lists.
Of course you gotta take their word for part (2), but it is their incentive to get every tax dollar regardless of source.
No sorry, I agree with you. I mean if you don't declare your income THEN you get busted on the illegal activity, you are guaranteed to get busted twice.
> We need to make laws in western countries that paying off these kinds of ransoms is illegal.
That'd be the sort of counter-productive legislation we see too often. The only result would be to push this underground and to keep authorities in the dark. It might end up helping criminals.
A similar case has been made about corruption: If you're asked for a bribe by, say, a corrupt official you usually have no choice but to pay and once you have paid you are in it with them, both criminals, so no-one talks.
I disagree with “no choice but to pay”, so long as the bribery is illegal and the relevant legislation not entirely hollow.
You may be able to clearly document the attempted bribery, and report it to the relevant authority—which may be a central agency of some form, or may be just going up the chain within the same organisation. Success will vary by country, authority and magnitude of offence. But even threatening to do this (politely) normally achieves the desired result, though it does nothing to actually uproot the corruption.
Alternatively, just indicate clearly that you’re not willing to play along with this illegal behaviour.
The zero rupee note (https://en.wikipedia.org/wiki/Zero_rupee_note) is a fairly successful example of doing this, and bear in mind that India's corruption problem is much larger than any western country's—although it's illegal, it's still par for the course in a great many areas. Yet standing up to this bribery is quite possible if only you have any inclination to do so.
I am currently in India, residing with another Australian who has lived in India for forty-odd years and operated business locally, and bribes were solicited from time to time, but he would not play ball, typically by either pretending nothing had happened (that is, ignoring any "hints" that you could pay for such-and-such) or by actively declining. Flunkies that try to take bribes personally are generally quite ready to backtrack once they see which way the wind is blowing (they could get in trouble with their boss), and more institutional bribery can generally be waited out, at the least. Even if it's occasionally a long wait (like, months instead of days, or years instead of weeks).
A large part of the fight on these sorts of issues is changing cultural norms. Consider seatbelts over time in Australia (and much of the world): fifty years ago seatbelts were uncommon, but legislation paired with a big marketing push to normalise wearing seatbelts had the effect that before terribly long society would look down with severe displeasure on anyone that didn't wear a seatbelt while driving, so that now most people (well over 99% of the driving population, at a guess) wouldn't dream of driving without wearing a seatbelt. The same is possible here, and will be far easier than selling ice to proverbial eskimos, because it's easy to take the moral high ground in advertising (and moral high ground is almost as powerful as safety and "think of the children"): we will not parley with criminals.
When you are a nobody facing a demand for a bribe by an official or police you have no choice but to pay.
> And more institutional bribery can generally be waited out, at the least. Even if it's occasionally a long wait (like, months instead of days, or years instead of weeks).
And in the real world that means you pay.
> wouldn’t dream of driving without wearing a seatbelt.
Because people understand that it is in their interest to wear a seatbelt. That's very different from paying a bribe that is often in the person's interest.
It was an Indian economist, and chief economist at the World Bank, that suggested making payment of bribes legal to shift incentives [1]. You still have an incentive to pay but also an incentive to report it, while it increases the risk for the bribe-taker.
Whether that would work or not, it recognises that the key to influencing behaviour is to create the right incentives.
The existence of municipal police is a large part of the problem; the sheer number of police forces in the US is a huge barrier to effective oversight and accountability. A cynic might argue that this lack of accountability in routine policing is a deliberate choice.
If there are any large scale positive uses of cryptocurrency, I'm sure that we would have heard of them by now; The proponents would have shouted them from the rooftops.
That said, proponents do have a shot at enlightening us (me and other viewers of the thread). What large scale positive application are you aware of?
The main one I know of is international money transfers (remittances). Usually these have to go through an oligopoly that sets the fees and exchange rates to be favorable to itself. This is the kind of market that's pretty big on the international scale, but it's completely boring and non-sensational to read about a bunch of people who are sending $400 to their moms on a regular basis.
But you're making an assumption here that both the sender and recipient will be using fiat currency in the end, and that crypto is only being used as means to make the transfer. This is not necessarily true.
BTC is not the only cryptocurrency used there. I've sent LTC and XRP most often, but XMR lately. tx fees need not be large (also Lightning Network exists).
Although I refuted some of your arguments above (https://news.ycombinator.com/item?id=24033759), I agree that cryptocurrency has fairly limited utility, especially given the costs.
The biggest issue I have with cryptocurrency is that it’s an utter waste of resources. It incentivizes the consumption of electricity (and talent) purely to print money, rather than to produce value. Yes, currencies provide some value to society, but we already have more sustainable options.
I see the appeal if you hate taxes and regulations or live under a particularly oppressive regime. However, given that it relies, to some extent, on public infrastructure like internet and electricity that governments can outright shut off if they so desire, there are better options. Raw materials and bartering work pretty well. Just don’t invest in tulips.
The waste of electricity/mining gear is mostly due to Proof of Work consensus, but moving to Proof of Stake/other consensus algorithms will eliminate basically all waste (eg. Ethereum is moving to PoS).
From what I can see, cryptocurrency is technologically frozen right now because any change results in some people making less money so there can never be a consensus on anything.
No one has a demonstrated effective PoS implementation yet (that isn't simple centralization). ETH will not move to PoS anytime soon enough to be meaningful, nor will any other cryptocurrency.
I keep hearing that, but I am not familiar with any data that shows actual widespread use by common people* in those countries without a functional currency.
Most of these countries barely have a stable internet connection or even stable electrical power, so I wouldn't be surprised if these 'currencies' aren't so helpful in practice.
* Note that use by corrupt politicians to launder their ill-gotten gains is not a positive.
It's true that Bitcoin is a poor medium of exchange: it's not stable, has slow transaction times, does not work well with mobile devices, and has intimidating identifiers, but it did open the door to new ideas that will likely soon have a huge impact on exactly the uses you're describing.
I feel like I've been hearing this for over 5 years. I hope it materializes, but to be honest it's hard to not be skeptical, not in the least because a lot of the original values of Bitcoin/cryptocurrencies seem to have been subverted by certain people to serve their own needs (which ... is what usually happens if there are no rules to set boundaries).
I'm a little biased, but check out celo.org and valoraapp.com. Celo is a Proof of Stake protocol built to work efficiently on mobile, with stable value, and with phone numbers as identifiers.
Cyprus's currency is the Euro, hardly a bad local currency as far as value is concerned, and the local residents are already adept in keeping funds in other currencies. Historically, Bitcoin had little marketshare there and made no difference. Is there any evidence of large scale use in Venezuela?
These depend on a functioning legal system in a country that recognizes human rights. Dollar bills may work in incompetent states, but they don't in oppressive ones.
I'm not convinced that it is negative. After every high profile hack or breach, we complain about how organizations regularly get away with poor security practices with mere slaps on the wrist (in terms of legal penalties they end up having to pay).
Perhaps these ransomware attacks are the market's way of making things... more fair.
So far, these attacks don't seem to have prompted security improvements. I guess that for large companies, the payment is a small sum, comparable to the fines they pay every once in a while.
Security improvements seem to be driven more by regulation (GDPR), competition (when did ElasticSearch release TLS support for free? Not after the Nth open ES cluster - only after Amazon competed with them), and large costs (switching to Linux servers because they're cheaper. Though there are concerns about current security practices there too...).
By your logic, bank robbers are simply a manifestation of market forces. What did you expect to happen with all that cash in one place with no armed guards?
Actually, you're making my point for me. Banks don't typically hire physical pen testers at all, and yet our reaction to a bank robbery is not, "Well, that's just what you get for not taking security seriously." Nor is that our reaction when a gas station gets held up.
In a perfect world, everyone can be trusted, and we don't need locks on our doors or passwords on our phones. In a dystopia, everyone has to carry a gun or have a bodyguard to leave their fortified homes, and a quarter of GDP goes towards security measures. We're somewhere in the middle, but things like this push us a little further down the road to more sunk costs in security measures.
A locksmith might make a killing after a local crime wave, but they should understand that crime is bad for the neighborhood regardless. Cyber crime raises demand for white hat services, but what's good for white hats is not necessarily good for society at large.
Companies should be liable for negligence depending on the kind of hack. If they were hacked through use of an old package - defined by regulations - then they should be liable.
If it was a zero-day or something newer - defined by regulations - then the company is not liable.
Your analogies are cute but I want new laws, further making your analogies moot.
Bank Secretary : So, people hire you to break into their places... to make sure no one can break into their places?
Martin Bishop : It's a living.
Bank Secretary : Not a very good one.
Market price? Interesting way to put it. You could say that the ransomware issuer has a monopoly to the data and will price it to the level where the company owners have higher return paying and continuing it than closing the company down.
Bitcoin is only useful currently when it can be turned into cash. There are no real businesses that don't turn their payments into a taxable national currency at the end. If you just ban exchanges in a few dominant countries btc is effectively useless as a hold of value and you're back to convincing the pizza guy to accept 30 coins for one pizza and other one off transactions
If you give me 30 bitcoins I will even give you a free pizza and deliver them almost anywhere.
Joke apart, it is effectively useless for now but some places are now accepting it which means that the usefulness might change sooner than we expect. It doesn't mean the seller won't be able to locate you with the address for the delivery though. Real problem will be if they use Monero or some real anonymous cryptocurrency where fungibility is respected.
The entire thing relies on several things: nearly always-on connectivity, ability to convert to USD, crummy UX, and legit cover.
A ban would do serious harm to 2, 3 and 4. If no one could pay legitimately and it would become (ever more) difficult to launder, the ransomware demands would die. The first (connectivity) could be impacted as well. What would happen when traffic shaping makes sync take longer and when every LN transaction risks losing money due to disconnections?
This isn't a defense of Bitcoin. I'm often quite critical of cryptocurrency and believe the world would be better off without it. However, "banning" it won't have the effects you've described, and you seem to have some misunderstandings about how Bitcoin works, especially as it pertains to the criminal world.
1. Bitcoin transactions don’t require access to the internet at the time the transaction takes place. There have been solutions for performing offline transactions, though none have really taken off. Nevertheless, it’s not hard to do, though it’s riskier for the recipient than an online transaction. I won’t go into the technical details, but it’s nothing fancy. The idea is that you can place money in any number of accounts ahead of time, then simply pay people by handing them the keys to those accounts. There’s little overhead for creating new accounts; often merchants will use a fresh account for every transaction. Of course, the recipient has to be able to trust that they’re actually receiving keys to an account with the right amount of currency, which is a harder problem to solve.
2. This isn’t necessary. Bitcoin was popular in certain criminal communities long before there was any easy way to convert between Bitcoin and fiat. Cashing out dirty Bitcoin to USD remains risky.
3. The UX is already terrible. The UX that criminals experience isn’t the same UX that investors experience. They can’t use services like Coinbase to cash out.
4. Prior to Bitcoin going mainstream, the cover was that you could exchange your Bitcoin for various illegal products and services. (Want to buy a stolen car?) When there’s a whole underground economy whose participants are thoroughly convinced they are outside the reach of the law, any currency will work, as long as there’s a consensus within that community.
Banning cryptocurrency would have some interesting effects, but it would be nearly impossible to enforce, and it wouldn’t have the impact you’re seeking.
1. Passing keys around risks the original sender (or anyone listening in) grabbing the money after 'payment', and voids any guarantees Bitcoin etc. might be able to make - the transaction isn't even listed on the chain.
This would turn a 'trustless blockchain' to a 'non-blockchain relying on trust'. Assuming this transition can even be done (what would be the point of cryptocurrency in that case?), the result would be like the known hawala networks, which at least do not enable so much criminal activity and have some decent uses.
2,4. Bitcoin had an aura around it. Something experimental not really concerned with money or big crime, maybe a way to buy light drugs. Later on as a magnet for speculation. Remove the official cover, and laundering would become way more difficult.
3. There's terrible UX, and there's 'terrible horrible UX when one could easily lose money because the ISP closes your lightning connection'.
So I think this is possible to enforce, not completely, but there's no need for 100% enforcement to have a positive effect.
That implementation of offline transactions is a poor one, so the rebuttal would be too, but the reality is that bitcoin can work with offline transactions.
You can create the transaction object and hand that over. Transferrable literally as a file.
Instead of handing over notes with the private key on them.
Eventually that transaction will need to be settled onchain. This can work in a world without a familiar looking ubiquitous internet. Regional internet cafes or even radio stations can settle signed transactions. People can have stocks of transactions and they just go to the cafe to settle those and also get their updated balance.
This capability always undermines a "ban crypto" thesis, or even a "crypto doesn't survive the apocalypse when the power goes out" thesis. It is merely a concept, just like computers communicating to each other is a replicable concept even if the head of state has an internet kill switch.
Well, that was a simple scenario with a simple answer.
But there are many other things powerful adversaries could do. For example, what happens when miner traffic itself is disrupted and the network is forcibly split between China and the rest of the world? Leaving everyone at risk of having their transactions overwritten when the network is allowed to reintegrate?
Anyway, we don't need a 100% effective ban to get an effect. A 90% ban may well be good enough for any practical purpose. Your example is a good one - sure, there are ways to get around 'internet kill switches' several countries have, but in practice these (unfortunately) work.
The fact that some people in a cafe can get one cryptocurrency transfer going is no defeat for a ban, so long as the ban is effective enough to reach its intended effects (e.g. making ransomware useless).
> what happens when miner traffic itself is disrupted and the network is forcibly split between China and the rest of the world?
How would this be done? It only takes a single node capable of connecting to both networks to keep the whole thing working. There are already many nodes working with satellite connections so I'm pretty sure this can't be done even by state actors.
A satellite connection is still dependent on BGP routing to get to China/RoW and still goes via the Great Firewall to connect to China (if outside of China, not sure on how the miners in China do it - possibly they don't have satellite equipment at all). Poisoning BGP routes is well within the capability of state actors, and China could of course decide to block its firewall.
Yes that's what I meant (not sure why you were down-voted).
Banning banks from doing business with bitcoin exchanges is not banning bitcoin. Banning use of bitcoin entirely is legally plausible, but technically impossible to implement without draconian internet censorship on the scale of China. It's 100x harder to ban bitcoin than, say, bittorrent, and banning that in a free society ended up not being possible.
Well, ensuring that no one sets up a Bitcoin network from their retrofitted computers in the privacy of their home is not banning Bitcoin, at least not a useful ban that we should care to enforce.
If we can disrupt the network so that even criminals can't get ordinary people to 'pay' via the network, then it's for all practical purposes a ban.
I don't agree that banning it is harder than bittorrent. It's dramatically easier. Bittorrent doesn't have global state, so there's no one place to strike. The entire Bitcoin network depends on global consensus, and therefore there is one place to strike. If it is weakened so that it shrinks enough (how many miners will want to mine for an illegal activity?), then a 50%+1 attack will be trivial for a state actor.
> right now, cryptocurrency has negative value for society
It's hard to say. The current fiat system, due to predatory and parasitic practices such as the inherent interest involved in working with it, and how the government is able to control inflation at will, is absurd.
> Just wanted to make this same point - right now, cryptocurrency has negative value for society. Perhaps this is a justification for banning the current implementations.
Ehhhh, I think the overall impact of Bitcoin is negative, but the "democratizing large-scale crime" argument is a pretty poor argument for why that is. First, Bitcoin isn't "democratizing" anything good or bad--people need to stop using this word with regard to Bitcoin. But assuming you mean something along the lines of "enabling", or "empowering", I'm not sure that the shift in computer hacking crime which is caused by Bitcoin is actually negative.
Prior to Bitcoin, the people who paid for poor security were consumers whose data, money, and time were stolen. In theory if an entity exposes your data, you can sue them, but in reality, data breaches are common and when entities actually get sued, they rarely pay out significantly. I've followed the Equifax case every step of the way for years and still haven't received a dime, and I doubt many people would follow through all the hoops they've put in place--I'm mostly doing it out of curiosity at this point.
That still happens, but more and more, ransomware's biggest targets are large entities which should have secured their services better. Not only does ransomware punish the entities who should have prioritized security, not the consumers, it also makes it public knowledge whose security is lax.
Now there are a lot of complexities here. In theory, ransomware hackers could also sell the data--but as far as I know that doesn't happen much, probably because they rely on the "honest crook" effect to ever get paid. And sometimes ransomware is employed against individuals.
And to be clear, I'm not endorsing ransomware attacks. I'm just saying this looks like harm reduction to me: if a big business is going to not prioritize security and get hacked, then I'd rather they pay a ransom than have users' private data sold on the darkweb. In a more just system, that's just the fines they'd be paying anyway.
What harm reduction happens when the 'large entities' are the courts[0], municipalities[1] or even hospitals[2]? Alleged better safeguarding of our data* isn't worth it.
* I suspect that right now companies find it cheaper to pay than to improve their security.
> What harm reduction happens when the 'large entities' are the courts[0], municipalities[1] or even hospitals[2]?
Aren't these the entities that you would most want to keep your data secure?
> Alleged better safeguarding of our data* isn't worth it.
> * I suspect that right now companies find it cheaper to pay than to improve their security.
That makes no sense, because if you don't improve your security, you'll be hacked in the same way again. There isn't an upper bound on how much it can cost to not improve your security.
>Aren't these the entities that you would most want to keep your data secure?
I don't think the local municipality or the courts have anything I'd consider sensitive on me. Regardless, my bigger desire is for them to stay running, especially the hospitals. I'm not willing to temporarily shut some down 'for better security'.
>That makes no sense, because if you don't improve your security, you'll be hacked in the same way again. There isn't an upper bound on how much it can cost to not improve your security.
What actually happens is that the targets pay, and issue tougher mandates which may or may not be respected in their organization. These hacks are rare enough for now - I suspect hackers don't like to hit the same target again soon after (bigger risk of the target not paying you) - so eventually the organization slips back into same security morass they were in the first place, if they ever left it. There isn't a true desire to change.
Also, there is an upper bound if you're paying insurance, like that hospital did[0]. Over the long term insurers will raise their price, but at least it's a predictable bound.
Even if the ransomware perpetrators aren't selling the data, do you think there is any real chance that a company that just paid millions of dollars in ransom would next go and invest more money into security?
More likely, other criminals will come knocking on the same company's systems and get that data for other purposes.
> Even if the ransomware perpetrators aren't selling the data, do you think there is any real chance that a company that just paid millions of dollars in ransom would next go and invest more money into security?
Yes. Or, they can get hacked again and pay another ransom until they learn their lesson.
Something like 95%+ of bitcoin is related to financial speculation, investing, DeFi etc etc.
An order of magnitude more drugs are sold on Cash App and Venmo -- which is why they're in rap songs. As for large scale hacking, extortion and ransom, yes bitcoin is used but it is increasingly difficult to cash out in a large way.
> bitcoin is used but it is increasingly difficult to cash out in a large way.
But it's not? You can convert 50 million USD worth of bitcoin in one order without moving the market more than 1-1.5% and have a wire transfer to your bank account the same day. This happens all day every day, with the markets getting deeper year by year.
Trash exchanges for retail have nothing to do with the infrastructure actually out there. If you are moving anything over 4 figures you shouldn't be trying to use retail exchanges. They're trash, slower, randomly flag stuff, and have higher fees.
As someone who sold Bitcoin on LocalBitcoins, and has 4 friends in federal prison (or detention), plus friends with millions in tainted BitCoin, this is not true.
Almost all illegal bitcoin stolen by hackers and ransomware is cashed out in countries with limited or no AML/KYC.
I imagine you'd get caught on the off-ramps, since you'd most certainly be reported (by the exchange and/or your bank) to FinCEN. At that point you'd have to contend with the "the money came from bags of cash that just landed in my back yard" problem if federal agents come knocking. As for whether the federal agents will show up at all, I'm not sure. There probably aren't too many criminals who would openly admit that they successfully were able to withdraw their ill gotten gains.
Money laundering involves the intentional hiding of the origins of funds obtained through criminal activity. Attributing the source of funds as being criminally obtained is difficult if tumbling is done effectively. If tumbling was reason enough to be suspected of money laundering, so would splitting a $100 at a gas station.
There are projects like Miximus, which is an Eth tumbler with no operator. Participants deposit funds into a smart contract, then when they want to withdraw later, they use zero-knowledge proofs to show that they know one of the private keys without revealing which one.
There's also Zcash, which applies similar logic to all shielded transactions.
Presumably the people who use tumblers never transfer such a huge amount of BTC into any one single tumbler, at a time, that would cause the tumbler operator to seriously contemplate pulling an exit scam.
It seems logical to me a sophisticated syndicate would run their own tumbler. I'd assume there is some kind of OSS wordpress for mixing out there. And I don't think it'd be that hard to get other people to use it to get liquidity (just offer it as a free service).
500 unrelated accounts all deposit money into a single shared account. From that shared account, payments are made to 1,000 other accounts. None of the amounts match the original deposits, even when summed. Whose money is whose?
This is an oversimplification, but it should give you a rough idea of how difficult it is to trace Bitcoin.
Authorities might already know mixer service providers and a subpoena will give them all the info they need. Not sure tho, I haven't used bitcoin but there will always be a weak link somewhere.
How are you going to identify them? When they cash out, all their Bitcoin has already been laundered.
Granted, this is all theoretical. In practice, it’s not unusual for such people to make mistakes that reveal their identity; however, there’s nothing inherent to Bitcoin that ensures they can be de-anonymized.
Usually they attempt to go after hosting providers, but when the services are only accessible by Tor and they’re using bulletproof hosting—hosting providers who do their best to avoid law enforcement—that’s no easy feat. It’s not impossible, but it can be both a technical and diplomatic nightmare.
When you use a mixer, there’s a delay between when you put your money in and when it comes back out. The mixing service randomly splits up the transaction into batches and sends them out at different times. So even if you know that somebody sent to a mixer (perhaps as an investigator you could find out mixer addresses by sending lots of transactions to the mixer service yourself), you wouldn’t be able to associate those inputs with any particular output.
If the mixer has a lot of users, at best you could determine that your target is among the entire set of people who used the mixer this hour/day. Although if the mixer was compromised, you’d have everything. That does seem like a substantial risk. It’s kind of like deciding to trust your vpn. You could mitigate that risk by using multiple mixers.
I would not split your transaction between mixers, but instead mix your entire amount through one, then mix all of the outputs through others. Use multiple mixers in series, not in parallel. Compromising one mixer there would associate the inputs and outputs of that step but wouldn’t associate your initial input with your final output. You’d also want to conceal your ip at every step so you don’t get compromised that way either.
Would there not be a huge danger that a mixer operator, if they received $4m+ of BTC in one big transfer, could simply shut down immediately and pull what's known as an 'exit scam'? They would be in possession of the BTC and could themselves then launder it through other mixers.
Perhaps they might do this if they saw keeping the entire 4m as much more lucrative than many years of taking the percentage skimmed off the top from a number of smaller transactions, and just going into "retirement".
You’d only want to use a mixer where your transaction represents a small fraction of the total volume (otherwise it doesn’t provide much anonymity). An exit scam isn’t so appealing in that case. If a mixer charges a 1% fee, with an average delay of 1 hour, the ongoing fee earns more than a one-time exit scam of all transactions in flight after just four or five days. It takes time to establish a reputable mixer and scale up, so you wouldn’t ruin it just to get under a week of profit early. Maybe they’d choose to do the exit scam if a really anomalous huge sum showed up, which is so large they can’t mix it effectively anyway. I don’t know if $4M is a lot by those standards.
Maybe I'm woefully out of touch on the scale of the BTC flowing through mixers on a daily and weekly basis, but if they can earn more than 4M USD in a year by just skimming off the 1%, that's a lot of BTC moving...
In that case, you split your initial sum and run through multiple sequential series in parallel. You produce more crackable sequences, but you still need to crack an entire sequence to trace the owner.
Investigators could be sending many small transactions into the mixer all the time. Depending on the transaction volume and how the mixer works, they could identify most of the mixer’s transactions this way. This would allow them to show that somebody sent money to or received money from the mixer.
I think one of the ideas of mixers is to achieve such a large volume of transactions that dedicating man-hours and personnel resources to tracking down every transaction path becomes cost prohibitive on the part of a law enforcement organization.
The idea is that you can't track any of the transaction paths. There's nothing tying a specific input transaction to a specific output transaction, and great pains are taken to ensure there cannot be any publicly available link.
If you understand enough about Bitcoin to know how the immutable ledger works, your questions feel bad faith. One of the biggest “selling points” early on was obviously anonymity.
There are other ways to track them than the trail of their BTCs. For instance, did they apply a proper opsec hygiene? Did they brag about it, to friends online or offline?
If I had to guess, the attack was done by a group of people and they split the funds up. Some of them were smarter than others.
It's also possible that the people who have been arrested are simply people who have received stolen goods (knowingly or unknowingly). Perhaps they traded something else of value for the Bitcoin and didn't know how dirty it was.
4chan. He wrote it there, afaik from a Twitter comment with screenshot posted many days ago before the Feds announced the kid.
Then bragged about it and went for more accounts. His friends left him when he went for the high profile accounts. I think it was organized on discord.
The mixers keep a ledger outside the blockchain, so no—and a well written one wouldn't store any logs. You could possibly know that someone used a mixer but you wouldn't be able to track from the blockchain where the money came from. It could've come from 1000s of other transactions all with different amounts—none that would trace back to the source funds wallet.
As with everything else, the internet serves as a kind of lens, amplifying whatever underlies it to orders of magnitude unimaginable. It doesn't matter if it's a random bit of information on an encyclopedia (wiki) or cybercrime. If it can be scaled up, it will be scaled up.
I've got a friend who does red team work as a CIA contractor for both terrorism smuggling and drug/human smuggling operations. And at least based off of conversations with him, crypto currency isn't quite the win that you're portraying. If you're in any country where it can be converted to cash, you're also in a country where it still needs to be laundered. And that means that no matter how quickly the transaction took place, converting to cash is gonna be a long haul, and it gets riskier the longer the haul.
The one area where he claims it is an enabler is as a medium of exchange between criminal organizations. It's easier to transfer large quantities of currency and easier/cheaper to verify validity, than the traditional method of brokers and illicit escrows (nothing like the briefcase handoffs you see on TV).
But those same qualities that enable those types of transfers also enable transnational transfers of currency between nations that do not have agreed on standardized electronic methods. And I'd view that as an overall win. I'm also of the opinion that on a slow and steady long haul, cryptocurrencies will eventually take over the role of the US dollar as a trading base currency. Which would also be a win in my opinion, with respect to geopolitics.
Boy do y'all come off as entitled and privileged. I know people in Third World countries with no access to international bank accounts that were only able to buy stuff online thanks to Bitcoin.
Just because you don't see a utility for it, doesn't mean it doesn't exist.
Yeah, same issue with Nobel inventing the dynamite. Just because some people are going to use it for unethical purposes, it doesn't mean that we have to stop the advance of science and technology. Besides, it seems that Bitcoin was inevitable, the internet needs its own decentralized currency.
> Instead democratizing currency, we're democratizing large scale crime.
democratization works both ways. A democratized currency facilitates both crime as well as the oppressed - after all, you cannot tell the difference between them under an oppressive regime.
What you implied that we should have is a democratized currency that's _only_ good for non-criminals (and used for "good purposes"). That's impossible. It's like asking for a gun that you can't commit a crime with, but can be used to defend yourself with.
Middle class people can still be part of the oppressed ,and them being able to get money out or use it to fund resistance or activism is a good outcome.
Cryptocurrency can’t really get a fair shake at being legitimate until it’s treated by governments as currency, which means not taxing its capital gains.
Criminals don’t care about filing tax returns for digital assets, which is why we see them use it as currency. When you or I try to use it as a currency, we’d have to file a tax return if the value of it changes (at least in the US)
If we saw governments ease up on this a bit, we might see some interesting currency applications come if it, but I don’t see them letting go of that control.
An interesting technical and financial challenge is how they intend to launder and tumble the Bitcoin and eventually turn it into fiat currency. The open nature of the block chain means that third parties can and will track all transactions related to the wallet(s) that received the 4.5m.
I guess figure out the average amount tumbled typically (maybe half a bitcoin - 4kish), divide that by total amount (4.5m), something like 1100 tumbles/mixes? Then spend 1100 days mixing the total sum to keep things as banal as possible (3 years). Possibly randomize the amount tumbled per transaction up to $1000 dollars.
The 4.5m would have to be mixed immediately so the original wallet can no longer be an event source.
The smarter move if this was 1 person who intends to use the 4+m to live off, and not buy a Lamborghini or some stupid shit, would be to extend the timeline much further past 1100 days. The smaller the individual amounts the better. If they are long term bullish on the prospects of bitcoin retaining its value or increasing, launder just enough to pay themselves a nice monthly 'salary' for living expenses, under 200k a year, and take a lot of time to consider what to do with the rest.
And dividing it up between as many possible independently run tumblers/mixers.
I'm sure some additional smurfing techniques could come into play for additional obfuscation.
Not the kind of context I'd like to be associated with a cryptocurrency, though. Privacy is great, but I'd rather people think of that property as associated with buying online porn (or whatever legal) than paying online ransoms.
That's analogous to saying, "For better or worse, you can look at Robinhood's stock price as an options contract on future insider trading." It's meaningless unless you consider wild west financial speculation and traders as criminal activity.
Isn't this confusing the fact that in general any means of transaction can be used negatively? The nature of which depends on the nature of the currency. But that's not an argument to say bitcoin and crypto are bad as opposed to for example the dollar. Rather this only shows that criminals are much faster at understanding crypto's advantages and adopting it. The "good" use cases will follow when adoption increases and a proper legal framework is implemented.
Would you blame <insert any currency here> for things such as the innocent lives lost to the drug trade and or human trafficking? Banks have been caught stealing more money than these hackers could ever do in their lifetime, with fiat currency. This is what economic freedom looks like, theft is made possible again, but then again, it was always possible to some.
>This kind of attack would be almost impossible in the pre-bitcoin era.
Is it? VIPs are regularly held for ransom in unstable countries, so much so that ransom insurance is a thing[1]. If those ransoms can be safely received, why can't it be the case for ransomware ransoms?
I don't see how the two are similar, because traditional kidnapping/ransom requires someone to somehow take physical delivery of a ransom in cash or highly portable, dense valuables (gold bars etc), which is risky. They're certainly not going to do it by ACH or SWIFT. The bitcoin part makes it non tangible and could be done from anywhere in the world.
>The bitcoin part makes it non tangible and could be done from anywhere in the world.
It streamlines it, yes, but it doesn't make it "almost impossible" to pull off like gp claims. Russia is listed as a "high risk" area in the wikipedia article for ransoms, so if they can pull off a ransom exchange (with human hostages) there, I can totally imagine Russian hackers being able to pull off a ransom exchange with cryptographic keys. If anything, it's probably easier to pull off than a regular ransom because you don't have to contend with a human hostage.
Also, a quick skim of wikipedia[1] suggests that buying/selling of stolen credit card info predates the creation of cryptocurrency. If cybercriminals were able to find ways of transferring money back then, I'm sure ransomware authors can use the same methods to transfer money today.
Can't you apply the same logic to regular ransoms? They say life is priceless, but there's clearly a limit. Also, unlike a human life, there is a substitute for the unlock key... rebuilding your business from scratch.
my understanding of bitcoin is that it's just used to back the drug trade.
the recent price spike, as all other price spikes are the result of some (probably) nefarious activity that pumps real dollars in and out of the bitcoin platform.
Credit card fraud is 'some people steal credit card numbers and (eventually) steal some funds'. It's not good, but it doesn't have the major disruptive effects ransoming a hospital has.
Crypto may not have been founded based on malevolent intent, but the majority of its initial usage was definitely for such purposes.
In my time exploring Tor pre crypto boom 2017, I noticed markets of CP, Illegal Weapons, and Illegal services such as hitmen all operating under Bitcoin.
And I'm willing to bet that, since its inception till now, the number of transactions that were used for crime is greater than the number of transactions that weren't.
And I'm also willing to bet that the majority of the transactions that were used for crime were to purchase drugs.
I do think we need to be concerned about Bitcoin and how it is a crime enabler.
So how exactly were people doing these crimes before 2009?
>>And I'm willing to bet that, since its inception till now, the number of transactions that were used for crime is greater than the number of transactions that weren't.
Nice bet, but if you are wrong can I send you my bitcoin address?
It should be a criminal offense punishable by prison time for companies to pay for ransomware keys. While that might cause some businesses to fail in the short term, it would benefit society as a whole by eliminating the financial incentive for such attacks.
It wouldn't work in this case. It will be similar to the drug trade, where everything is hush hush and the price probably will go up. It will just push more innocent people into white collar crime.
You are running the company. You spend all your life getting to CEO position. And then boom breach and your company has massive loss, lawsuits and you are out of the job. Probably 9/10 CEO types will just engage in a crime to avoid that situation.
The current situation is way better. All breaches are public, prices are public, so the correct answer is to invest in security and if you get caught with your pants down, just pay the fee. Let the Justice Department handle it from that point on.
The way bank robberies are handled is the best. Just give them everything they ask for. At the end of the day it is either insured and even if it is not, it is stupid to risk anyone's life for money created in a fractional-reserve banking system.
I assume that the money is just laundered and appears as clean money on accounts.
If a drug distributor has money in cash, they will probably engage in short-term loans to legitimate businesses with very predictable massive cashflows that pay in cash: construction, cleaning, farming, gambling etc. They don't even have to pay in cash, as long as they have cash receivables that will work as well.
They are probably called something like Farming Loans Inc and deliver cash at the beginning of the month for the business to meet their cash requirements. They either use it to pay their workers or will just deposit it into their account as revenue. A month later they just send me back the check, that is the loan payback, and that is 100% clean money.
Obviously they will need to manage the Farming Loans Inc balance sheet to explain where the seed money for loans is coming from, but that's where white collar crime comes in, where not so good accountants and lawyers will cook the books.
For ransom money, the system will be even cleaner. Somebody will create an offshore security consulting firm that will engage clients in return for consulting fees. So if somebody has a breach, they will call them and say we need some consulting. The consulting firm will talk to the ransom guys, get keys and then bill the client. So if you are an accountant and look at the balance sheet of a multimillion dollar company, you will see a consulting fee invoice and that is pretty much it. For the IRS or FBI to dig up any evidence, they will have to get a whistleblower plus somehow get the documents of the offshore company, which makes it impossible.
At the end of the day white collar crime is 100x bigger than anything to do with drugs/ransomware and it starts early, because the system pushes people to behave this way and is 100% trust based and a lot of behaviours are 100% legal.
The good example is retail brokerage companies that encourage day trading, options trading, FX pairs trading. This is just a scam, but hey why not.
While I understand the sentiment, there needs to be a reasonable alternative here. You can’t ask people or organizations not to protect or recover their property if they have no other recourse.
I don’t know much about this travel agency. They may or may not have had a security team. What they did have was mentioned in this article: liability. They took steps to reduce or eliminate this liability. I think we all know that there’s no proof these attackers acted in good faith past the actual decryption, but now CWT can at least say they attempted to recover lost data.
I think we can only realistically hold companies liable for transactions like this when we have better government resourcing and oversight. Getting the FBI involved in stuff like this is difficult, as they’re overloaded with such cases.
I also feel we should never hold individuals liable for stuff like this. It’s unreasonable to expect people who aren’t security professionals to know how to defend or respond to threats like this given how rapidly the landscape changes.
Figuring out a good way to holistically deal with cyber criminals will probably be a problem we struggle with for years, if not decades.
How about a tax on paying bounties that is used solely to fund agencies that track down and put those engaging in criminal activity online in jail. In order to be allowed to deduct the expense require paying the tax.
I think this is a step in the right direction, but I'd expand this to be a tax on all organizations that maintain large enough systems to become targets because:
1. Taxing only the victims is adding salt to a wound: these companies are already hurting from being attacked, lost money to the ransomer, and are likely to lose more shortly thereafter due to bad PR. They'll need this money to fix things and hire/consult appropriate experts.
2. Taxing all parties likely to be hit by stuff like this spreads the financial burden among companies of all sizes. Larger companies/targets can thus help protect smaller outfits that aren't well enough funded to field a robust security team or program.
3. Some kind of revenue stream is required here to beef up federal/regional programs relating to cybersecurity. There's no real source of funding for this that doesn't come out of a larger budget. The scope of the problem is large enough that I feel it justifies a specialized agency with its own budget. Having a dedicated tax applied to parties with need for the service/support seems fair and progressive to me.
It's almost like there should be some national security agency whose sole purpose would be to uncover this kind of activity and help those impacted. I wonder what I'd call it?
Jokes aside, I absolutely agree that this is a failure of the US federal government and congress. We should have answers for these things for now, or at least the beginnings of a national security program to combat cyber crime. The FBI is seriously overwhelmed and the other three letter agencies can't be bothered to play the blue team as far as I'm aware.
Isn't this likely short sighted in the same way that people talk about draconian enforcement of immigration laws?
Criminalizing ransoms will result in victims doing it in secret, not in the elimination of ransoms. People won't be able to share information, and the financial incentive will continue to exist.
If you were a corporate executive would you risk hard prison time just to save your employer from taking a loss? The whole point of imposing draconian penalties is to make such attacks unprofitable. If the attackers know they won't be able to extract any money from victims then they'll move on to some other scheme.
Executives don't go to jail when their companies kill people. There's no way we manage to restructure our justice system so that they go to jail for paying ransoms.
There are reasons why companies manage to do tons of illegal things. A lot of executives would have a good amount of their wealth in company stocks, for example. This has no reason to be an exception.
Banks deal with cartels and other bad guys, they make a lot of money and pay a small fine when they get caught. Why do you think paying ransoms would be different?
In general paying off kidnappers is also a bad policy. However I see a huge difference between protecting human lives versus protecting corporate assets.
But really, I expect such a law would provide for exceptions, with a maximum payout capability. And for such a law to come after an offsite airgap backup requirement for such entities.
But really, the answer is that the equivalent physical criminal action: walking into a hospital and absconding with all of their medical records, would result in criminal action against the thief. Their actions may be akin to manslaughter if deaths result.
Tell that to a family where both parents are unemployed, they got 2-3 kids, a mortgage, a couple of maxed credit cards, they used to live paycheck-to-paycheck, one of the kids needs special care that the state doesn't provide due to budget cuts.
Now take this scenario to every major financial crisis (e.g. USA today, Latin America for the past couple of decades, some EU countries hit 20-30% unemployment a decade ago, and are still recovering).
It won't kill them instantly but consider what it does to them, if it turns them to crime, alcoholism, depression, and the general impact on the quality of life.
That’s an incredibly naive way of viewing things. Not everyone can afford losing their job. Let’s say job loss increases your chance of dying by 5% — not an exaggeration in some communities — 20 jobs lost is exactly the same as one death.
Reading "Never Split The Difference" - sounds like the police will work with families to pay off kidnappers in some countries, but get it down from millions to a token amount. I think he aims for zero though most of the time.
I liked the part about delaying the negotiations until Friday in (I think) Haiti, because they realised a lot of kidnappers just wanted money to blow partying on the weekend. They got away with paying a lot less.
Police/authorities want to do that because (perhaps) there is a connection between crime and terrorism. Meaning that, if you pay $100m to the kidnapper, 50% of that amount will end up funding <insert terrorist org>. They want to drain this to the lowest possible amount.
> "However I see a huge difference between protecting human lives versus protecting corporate assets."
The idea that there are fundamental differences between human lives and corporate assets is flawed. There's a very specific value of human life: https://www.npr.org/transcripts/835571843
The value of human life is orthogonal to economic value, and doesn't follow the same rules. It works like fine art. The price of art doesn't move towards a final value; paintings bought and sold for centuries still appreciate faster than inflation. They aren't getting any better, the only thing that's changing is the amount of money people have to spend on paintings.
Human life appreciates the same way. In some number of years the government will decide that the economy can sustain valuing human life at a trillion dollars. And they'll look back at us and see that we undervalued life in the same way that we can look back and see that the Romans undervalued human life. Lives are worth whatever we can afford.
If I say I like cats, and you find an article saying someone else doesn’t like cats, that does not mean I’m mistaken on the fact that I like cats.
You seem to think they said that ‘everyone sees a difference’. They didn’t. They said ‘I see a difference’. They’re only ‘wrong’ about that if you think they’re lying to us about their own personal position.
The main idea here is that prohibiting payouts might make the crime less frequent. That’s somehow reasonable given the relatively low stakes involved—from a moral perspective, data is usually of a lesser value than human lives. Therefore, yes, those cases are very different indeed. For one, kidnapping a human being is already punishable enough by itself so it makes no sense to punish a payout that could actually save a life.
The only reason the kidnappings happen is because the payouts happen. If effective measures stopped any real possibility of payouts, the kidnappings would stop, too, saving a lot more lives.
Maybe require cyber insurance instead, pricing premiums based on audits performed by infosec practitioners. Similar to auto insurance, and what happens when you’re a high risk driver; you still have insurance, but you’re paying out the nose for it.
Our current legal framework doesn’t support such a draconian suggestion as presented imho.
You want poor security practices to be painful, not fatal, to the corporate entity.
As an infosec practitioner, I can’t tell you how many times I’ve seen someone have insurance and their security posture be effectively nothing, or the insurance not pay out even with reasonable measures in place. Market failure in my opinion, needs more regulation.
Our legal framework already contains many prohibitions on financial transactions with criminals and terrorists. It wouldn't be difficult to add one more.
My point is there are better, more reasonable ways to arrive at the same end goal: effective infosec practices that prevent ransomware attacks (among other threat actors).
Banning ransomware payments just makes it more difficult; someone will still find a way to save their business by paying. You want to resolve the root issue: a business not taking security seriously.
So your suggestion is to let any company that doesn't have the budget to have a proper cybersecurity team just die? I'll guarantee you that most of the small businesses that you encounter each day do not have such a thing set up.
> let any company that doesn't have the budget to have a proper cybersecurity team just die?
Are you implying that without a cybersecurity team, you'll fall victim to ransomware and be forced to pay up to stay in business? Because that's a false dichotomy - the simplest of backup solutions would have prevented this. And if a company can't manage the most basic offline redundancy for their critical business operations, I really don't have a problem with them going under. It's less burdensome than being compliant with the local tax code, which all businesses have to do already.
> the simplest of backup solutions would have prevented this.
Incorrect. The black hats almost always encrypt backups, too. You could say "what about offline, glacial backups?" But then you're no longer talking about "the simplest of backup solutions"
How many people you meet everyday that are not in IT even knows what offline redundancy means?
I think what your suggestion amounts to is effectively a mandate on SMBs having either an in house security team, or a contract with a consultancy on cyber security. That's a huge burden. It's not really easier than local tax code. These things change much more frequently and it's not like you can just walk into a local H&R Block to take care of your cybersecurity needs. Ransomware, as it is now, didn't even exist (or wasn't that popular) 10 years ago.
Even though not paying the ransom is recommended, some companies are instead paying the ransom as part of their insurance coverage. For example, earlier this year Lake City, Florida was a victim of a ransomware attack. After receiving approval from their insurer, Lake City paid $460,000 in order to restore their systems. Since they had cyber insurance, the city only had to pay a $10,000 deductible.
I don't think that budget is the problem. You can be very safe without a big budget. It's a lack of priority and management valuing quick development over security.
Why not make it a criminal offense for companies who don't take reasonable approaches to preventing such attacks in the first place? We place a lot of trust in companies that hold our personal data (e.g. Equifax), and I'd argue there need to be harsh penalties. The tools exist and guidelines are clear.
It shouldn't be the criminals penalizing them, but here they are filling the gap that the regulators ignored.
Not that, but you could punish companies severely for the security practices that led to the hack. If those are high enough, it could make better security cheaper than paying ransom.
Maybe I just don't understand either the ThreadReader or Reuters article, but I couldn't find a transcript of the chat linked anywhere? Does anyone else know where it is?
Gotta love that they pitch this as a "service" they provide. The person talking to them must have been seething at having to treat them like "professionals" too.
Offsite offline backups. Redundant ones. This scenario is really no different than if your datacenter had a gas leak and blew up, particularly because you never will ever be able to prove the attacker didn't retain your data somewhere so all you can do is guarantee recovery. Of note in this case is that the thieves only stole 2TB of data - this is a trivial expense to orchestrate a manyfold backup regime for in near real time when the alternative is shelling out millions.
And it's also about your threat model. If data leakage of any form threatens your business you need way more security than if you just want to be able to recover from exploits in your publicly facing infrastructure (or the ability of a rogue actor inside the company to sabotage the business from the inside).
At the most extreme having physical separation of infrastructure with physical token based auth and multiple signature verification to interact with data is going to be a heavy price in diligence to maintain secrecy. At the lowest end having a redundant backup storage array with a cron job on all employee computers to versioned backup files every minute that doesn't have network signin access.
The responses suggesting backups are ignoring the exfiltration part. The ransomware groups have updated their strategy to encrypt and carry away data that they would leak if not paid.
Protecting against that is much harder. Compartmentalization and data minimization might help.
Not really. A sister company of my previous company had a ransomware incident, and as far as I've heard this was not the case. They had just purged local backups. The attack was stopped quite early by an engineer noticing abnormally high IO activity and shutting the whole infrastructure down as soon as they realized what was going on - while a lot of data was lost and had to be restored from backups, most of the files were untouched. Still, the recovery took a really long while to audit every machine before they could even be powered on again.
Poisoning backups requires backup systems receiving encrypted data for a while. Which means live systems running off the encrypted data (and most ransomware encrypts at the file level, which is much harder to do transparently, compared to the block device level). Which requires effort to make sure this is extremely transparent and goes unnoticed. Doubt that attackers do expend their resources unless they see a necessity.
Continuous append-only backups, where one can't rewrite them without physical access to the system, would - most likely - help with a data loss, malicious or accidental.
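The comment above describes backups being poisoned by receiving file-level-encrypted data for a while, and an engineer catching an attack by noticing abnormal IO. As an added example (my own illustration, not code from the thread or any backup product), here is a check a backup job could run on the set of changed files before accepting a new snapshot: it compares each file's byte entropy with the value recorded at the last good backup and halts when a large share of files jumped from document-like to ciphertext-like entropy. The thresholds, file names and the sample tree are constructed assumptions.

```python
"""Entropy-jump check for changed files entering a backup snapshot (added example)."""
from __future__ import annotations

import math
import random
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5    # bits per byte; encrypted or compressed data sits near 8.0 (assumed threshold)
LOW_ENTROPY = 6.0     # office documents, source and logs are usually well below this (assumed)
ALERT_FRACTION = 0.5  # halt when this share of scored changed files jumped to ciphertext-like entropy
SAMPLE_BYTES = 65536  # only the first 64 KiB of each file is read; enough to characterise it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_entropy(path: Path) -> float:
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES))


def check_changed_files(root: Path, changed: list[str], baseline: dict[str, float]) -> dict:
    """Classify each changed file against its entropy at the last good backup.

    `baseline` maps a relative path to the entropy recorded when it was last backed up.
    Files with no baseline (genuinely new files) are reported as unknown and not scored,
    because a new photo or archive is legitimately high-entropy; only a low-to-high jump
    of an existing file counts as a sign of in-place encryption.
    """
    jumped, normal, unknown = [], [], []
    for rel in changed:
        now = file_entropy(root / rel)
        before = baseline.get(rel)
        if before is None:
            unknown.append(rel)
        elif before < LOW_ENTROPY and now >= HIGH_ENTROPY:
            jumped.append(rel)
        else:
            normal.append(rel)
    scored = len(jumped) + len(normal)
    fraction = len(jumped) / scored if scored else 0.0
    return {
        "jumped": jumped,
        "normal": normal,
        "unknown": unknown,
        "fraction": fraction,
        "alert": fraction >= ALERT_FRACTION,  # True means: do not accept this snapshot, page someone
    }


def build_sample_tree() -> tuple[Path, list[str], dict[str, float]]:
    """Constructed sample data, not from the thread: eight text reports are backed up, then a
    simulated file-level encryptor overwrites six of them with random bytes, two are edited
    normally, and one new archive-like file appears."""
    root = Path(tempfile.mkdtemp(prefix="backup-check-"))
    names = [f"report{i}.txt" for i in range(8)]
    for name in names:
        (root / name).write_text(("Quarterly figures and commentary, section %s.\n" % name) * 300)
    baseline = {name: file_entropy(root / name) for name in names}  # recorded at last good backup

    rng = random.Random(20200801)  # fixed seed so the run is reproducible

    def random_bytes(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    for name in names[:6]:
        (root / name).write_bytes(random_bytes(20000))  # "encrypted" in place: entropy ~7.99
    for name in names[6:]:
        (root / name).write_text("Quarterly figures, revised.\n" * 300)  # benign edit, still text
    (root / "photos.zip").write_bytes(random_bytes(20000))  # new file, legitimately high-entropy
    changed = names + ["photos.zip"]
    return root, changed, baseline


if __name__ == "__main__":
    root, changed, baseline = build_sample_tree()
    verdict = check_changed_files(root, changed, baseline)
    print("alert:", verdict["alert"], "jumped:", verdict["jumped"], "unknown:", verdict["unknown"])
```

A production version would keep the per-file baseline in the backup catalogue and combine this with a rate check on how many files changed per minute, so that a slow encryptor is still caught before the last clean snapshot ages out.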
Do you want a solution that makes such an attack unprofitable to execute (i.e. it raises the cost of doing a similar attack above $4.5M)?
Buy insurance and pray. There is not a single readily available enterprise solution that would even dare to put that in writing, let alone deliver. If there is one that does dare, ask to test their claim by having the deal conditional on them putting out an open $4.5M bug bounty and nobody collecting on it (you should also be the one to determine if they have to pay). Every company will either back out or get collected on, no question. This is a good test because if it costs more than $4.5M to do such an attack, then it would be unprofitable to collect on the bug bounty. It is also unlikely to give a false positive (their system is good when it is not) since $4.5M is more than almost every other bug bounty and it is totally above board, so you will get the best of the best trying to break into the system.
If they expect a decent ROI, the attack can't cost any amount up to $4.5M to execute.
The $4.5M isn't a guaranteed outcome from such an attack. Some targets may not be willing to pay, or may only be willing to pay a substantially smaller amount.
Also, part of the execution cost is the non-monetary "breaking the law" factor. For instance, would you rather make a legal $1M or an illegal $2M?
Are you saying it is a bad test because it overestimates the difficulty? If so, I agree that it overestimates the difficulty. My argument is that nobody would dare to accept such a test, which is clearly an overestimate of difficulty, therefore nobody is even close to achieving the actual number. If you wanted a more accurate estimate of security you would probably need to bump it up by a factor of 3-5x to account for execution risk.
If you are not, I am not sure what you are arguing since all of your statements show how the test overestimates the difficulty. The test is designed to identify, with reasonably high confidence, whether any attack is profitable given a specific upside. Therefore it should be as easy as possible for a legitimate bug that could result in at least a $4.5M upside to be paid.
A 100% guaranteed legal payout clearly minimizes the risk and thus allows more attacks below a $4.5M cost to execute to be profitable. Any other form of payout means the cost to execute must be lower to be profitable. Put another way, if it is unprofitable to do it totally legally for some amount of money, it is probably even more unprofitable to do it illegally for the same amount of money (obviously this excludes cases where you might be able to gain a higher upside, but then we are not talking about mitigating attacks with a certain upside), therefore this estimate should be no lower than the true cost to execute (on average).
To use your examples:
If they want a decent ROI, the cost of attack must be significantly less than $4.5M to execute to be a good investment. ROI of illegal actions usually needs to be higher to make up for the risk since you would almost always choose a legal action with the same ROI.
If the probability of payout is less than 100%, then the cost of attack must be less than $4.5M to make up for the reduced probability of success. The probability of payout for a bug bounty is usually higher than the highly variable payout of an attack. Also, since the buyer is using this to make a quality decision and has authority to force the vendor to pay out with the stated scheme, it is in the buyer's best interest to pay out credible attacks.
If the non-legal nature is a serious cost, then the cost of attack must be less than $4.5M for the illegal case to make up for the extra risk and cost. Non-legal actions usually come with extra costs compared to legal actions and thus have to be even more profitable to be worth doing.
Therefore, if a $4.5M bug bounty (where payout is decided by the product buyer) is not claimed after some reasonable amount of time we can conclude, with some reasonable amount of confidence, that the lowest risk option is likely unprofitable. Therefore, higher risk illegal options with the same upside are even less likely to be profitable. Thus, the test is a relatively good lower-bound for identifying if attacks with a $4.5M upside are actually being mitigated. If you can not even institute this lower bound, then you are nowhere near the necessary level.
Garmin, now this, in one week. I believe it is much easier to pull a trick like this with help from the inside. If so, with a malicious insider's incentives in the ballpark of hundreds of thousands, we are doomed :(
And yet, these hacks tend to be done with some social engineering and no insider knowledge. Many companies aren't well protected, you don't need an insider to hack them.
I think this is just the beginning. Word is out you can extort millions with an internet connection and some scripts, no guns and police chase involved. And it looks like the chances of getting away with the money are quite high. Compare it with the Getty III ransom story.
The US needs to pass a Federal law making it personally (not just "corporately") illegal to pay ransom. That would stop them because it would kill the market.
Historically it's how they stop kidnapping in countries where it's common. It REALLY sucks for the first few people after the law is passed, but after that things get better.
But wouldn't the payments just end up being passed through?
For example, one way to get around that is you could sign a contract with a foreign consultant firm for "security services", say for 1 year, and they would take your money, and pay a portion of it to the ransomware authors and profit on the rest.
Not when it's done through several layers of employees and then potentially multiple layers of foreign companies.
It's very hard to find individuals to hold criminally liable for things like this. When was the last time you saw a CEO go to jail when their company killed someone?
> Historically it's how they stop kidnapping in countries where it's common. It REALLY sucks for the first few people after the law is passed, but after that things get better.
Is this based in reality? What countries have banned ransom payments for human kidnapping and what people did it “suck” for?
My hunch is that if your spouse gets kidnapped and you have the means to get them back, you’ll risk it.
Countries where kidnapping was common are also usually countries with weak government and very ineffective policing, so it's not that simple. Laws like that are in the end pushing the responsibilities of law enforcement onto companies and citizens.
I'm against ransoms, but if I was CEO of a company that's about to release a COVID19 vaccine, or provides jobs to 100k people, you bet I'd pay that ransom.
But even if that would happen, it's naive to think that corporations wouldn't work around it. They already do, by outsourcing payments to 3rd party companies - they can proxy it via other countries, fake identities, etc, etc.
Based on other articles, it appears they didn't hire specialty ransomware consultants for the negotiation but still got a 55% discount. I wonder if, had they done so, they would have been able to get a better all-in cost.
Anyone know what exchange would allow them to purchase 4.5m of bitcoin on short notice? I wonder if anyone can find the ransom payment transaction in the block chain.
Who's to say this isn't an internal job? Random developer that is unsatisfied with his job sees blatant security hole and exploits it himself for ransom.
Let the money sit in a Bitcoin wallet for a while. Maybe move it around a bit here and there and cash out a few years down the road. Good retirement egg.
Another windows local admin/group/domain thing. When are IT departments going to take it off their networks? Why have LANs at all, for most back office work?
Immutable, versioned files in managed cloud storage eliminates the locker threat (not the disclosure one though).
When you work for a big IT team at a company that's already invested a fortune in on-prem storage and your job depends on pre-cloud procedures, you keep your mouth closed and do what's asked of you. After all, if the company gets hacked, it's usually just the CISO that gets fired. Not you.
You made a very good point about Windows GPOs. The delivery mechanism for them vs. how macOS does it shows how dated of a paradigm they are. It's bringing back memories to me of importing ADMX templates, gpupdate.....
Scenario 1: Keep head down, company gets attacked, shrug shoulders.
Scenario 2: Sell solid security and backup principles to management, fighting annoying budget and corporate culture battles along the way. Company does not get attacked. Nobody notices.
Scenario 3: Quietly set up an immutable backup service with hourly backups for your enterprise without anyone really noticing. Company gets attacked. "Actually, we do have backups. We can just reformat all those Windows machines." Hero!
> backup service with hourly backups for your enterprise without anyone really noticing
Well, except this is similar to #2 as it will likely stand out in the budget - especially the initial setup. IT being a cost centre has to fight for every penny in most non-IT-centric organizations.
Plus, the hackers will still threaten to release your corporate data (i.e. emails, client info), which would compel most companies to pay up.
Bottom line: every company needs good backups, intrusion detection, and system hardening (with 3rd party review).
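The immutable hourly backup scenario above, plus the "abnormally high IO" observation earlier in the thread, as an added example that is not part of any comment here: a toy append-only, content-addressed backup store in which a run that rewrites most files is flagged and a clean earlier version can still be restored. The store, the file contents and the churn threshold are all constructed for the illustration; like the versioned cloud storage mentioned above, this addresses the locker threat only, not disclosure of exfiltrated data.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class AppendOnlyStore:
    """Hypothetical append-only backup store: blobs are keyed by content hash and
    manifests are only ever appended, so a later (encrypted) version of a file can
    never overwrite an earlier one. There is deliberately no delete operation."""
    blobs: dict = field(default_factory=dict)       # sha256 hex -> bytes
    manifests: list = field(default_factory=list)   # version -> {path: sha256 hex}

    def put_blob(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)          # existing content is never replaced
        return digest

    def snapshot(self, files: dict) -> int:
        """Record one backup run; returns its version number."""
        self.manifests.append({path: self.put_blob(data) for path, data in files.items()})
        return len(self.manifests) - 1

    def changed_fraction(self, version: int) -> float:
        """Share of paths whose content differs from the previous run."""
        if version == 0:
            return 0.0
        prev, cur = self.manifests[version - 1], self.manifests[version]
        paths = set(prev) | set(cur)
        return sum(1 for p in paths if prev.get(p) != cur.get(p)) / len(paths)

    def restore(self, version: int) -> dict:
        return {path: self.blobs[digest] for path, digest in self.manifests[version].items()}


def simulate_incident(churn_threshold: float = 0.5):
    """Constructed scenario: two normal runs, then a run in which a locker has
    rewritten every file. Returns (versions flagged as suspicious, clean restore)."""
    store = AppendOnlyStore()
    day1 = {"docs/plan.txt": b"Q3 plan", "src/app.py": b"print('hi')", "hr/pay.csv": b"a,b"}
    day2 = dict(day1, **{"src/app.py": b"print('hello')"})       # one ordinary edit
    locked = {p: b"\x00ENCRYPTED" + p.encode() for p in day2}    # every file rewritten
    flagged = []
    for files in (day1, day2, locked):
        v = store.snapshot(files)
        if store.changed_fraction(v) > churn_threshold:          # mass-rewrite alarm
            flagged.append(v)
    last_good = flagged[0] - 1 if flagged else len(store.manifests) - 1
    return flagged, store.restore(last_good)
```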
But now you have $4 million in a bitcoin address linked to criminal activity. Then what? How much do you lose along the way to having laundered cash in hand?
Aren’t there mixer services for that or just convert to monero? This is off an exchange so lots of shenanigans to make things less traceable. I am guessing these people know what they are doing.
I’d imagine the feds are involved at this point. They paid to get their data, but the feds have to be tracking the addresses from this juncture and examining the breach.
I hope the hackers are caught too. But from bitcoin perspective, I am not sure how traceable things are if the hackers use mixing services or convert to actually anonymous currency such as monero. The main problem is converting untraceable bitcoin back to fiat, since most exchanges now follow KYC and will track bitcoin both before and after it touches the exchange.
When I was running some IT for our startup we used FreeNAS with ZFS (and had off-site borg backups); from my understanding we could just go back to the last snapshot of the (unencrypted) data? (sorry, not an IT admin but a developer ;-)
I wonder if this is a good argument to use cloud service providers. I'm sure if someone got into your network they could probably delete everything from your corporate Google Drive/Microsoft Office accounts, but these big companies are more likely to be able to restore from backup than you are. Similarly, good managed cloud databases will have backup and restore options that are much easier than setting up immutable backup infrastructure for your company, which might encourage companies to back up more often.
How about good offline backups? Then you don't have to pay and hope you get your data back. Of course you still need to figure out how they got in and lock it down so it doesn't happen again, and there will be downtime as things are restored. However, you are already down at that point so that doesn't really make a difference, and by paying you are encouraging the behavior.
They don't just start encrypting stuff as soon as they have a foothold. They spend some time on your network siphoning out valuable data, compromise backups, and staging for re-entry.
Not necessarily the same attacker, but unless the flaws that led to the attack are patched then copycats will target them now that they know they will pay up.
A lot of people here are asking the government to make payment of ransoms illegal. Makes sense to me, but can someone explain the potential downsides, and why it may not be as simple as it sounds (I'm sure it's not)?
What is the total size of the backup software industry, compared to the total size of the security industry? Is backup software undervalued, if "offline backup" is the only known defense against ransomware?
I constantly hear talk about Bitcoin not being completely anonymous, but it seems like these ransomware attacks are always requesting Bitcoin. How are they managing the Bitcoin so it's untraceable?
What, spend another few million on an illegal adventure well outside their area of expertise? Great idea. Why not reintroduce blood feuds to the toy manufacturing business too!
Low. The hackers are likely European, since there are telltales like European number formatting ("10.000.000$") and awkward phrases like "make a step forward" (perhaps Italian fare un passo avanti?).
Google translate seems to jump to "take a step" for most languages I've tried that usually say "make/do a step". So this is likely someone with a little English but not knowing the idioms. Might have done better with Google translate.
Would you really expect state sponsored hackers to drop references to Korea? They are either European and don't mind anyone knowing, Europeans who accidentally dropped hints, or not European and want people to think they are.
Hypothesis B: There are North Korean hackers who have mastered English, an enemy language whose speakers they have almost no interactive exposure to, to such an extent that they can, in real time, simulate the subtle mannerisms of another, completely unrelated set of non-native speakers of English.
It's screencaps from one of those annoying in-browser support chat systems, where doing text-align: left for one side and text-align: right for the other is pretty common.