This is the right course of action. Always think about how your actions incentivize future behaviour. The only right course of action is to halt the flow of revenue to the attackers in order to disincentivize future attacks.
This will not solve the problem of ransomware alone, but is a step in the right direction.
Put yourself in the shoes of business. Well, like the oil company now in the USA.
Let's say you haven't learned the lesson of backup importance.
Your business has stopped. Your ONLY way to recover and restore revenue stream is to get the data. You are aware that paying ransom may or may NOT work.
Now, what do you do?
The suggestions (cut the attackers revenue stream) may sound very right, correct and whatnot. But think of the side that is held as hostage.
This is why you need government intervention. Just make it illegal to pay such ransoms. Now the easy option has disappeared. You likely go out of business, and the company which takes your place implements good security policies from the get go. Funding for hacker groups and newer attacks dries up. Sucks for you in particular, but the public overall is better for it.
Sure, just like when you have 5 sick people, each needing a different organ to survive. We need the government to select a healthy person, take his organs and save the other 5. Sucks for that person in particular, but the public overall is better for it.
Interesting argument, though forcefully selecting a donor does not increase organ failure rates for others, whereas paying ransom does increase risks of future attacks.
It does modify behavior though: I am more likely to engage in risky activities like heavy drinking and overeating if I know a replacement organ (like a liver) is readily available thanks to the wisdom of the government.
On its face, this sounds like an extreme behavioral reaction to having “replacement organs” available, but it actually tracks with my own anecdotal experience.
I was not comfortable skateboarding again until I had good insurance as I do now. I don’t go crazy, but it is definitely a weight off my shoulders knowing that if I break a bone I’ll be able to get help without wrecking my finances. On the other hand, my brother doesn’t currently have insurance, and in the past he was super advanced at skateboarding. He is very hesitant to skate with me because of his fear of getting hurt. It’s pretty wild to see that play out in my own life, and it has made me even more empathetic to the decisions other people make and the sorts of high-level factors that come into play there.
Now swing it the other way. Only harvest organs from those guilty of crimes. Would that make you less likely to commit crimes, knowing that your organs will be harvested?
> This is why you need government intervention. Just make it illegal to pay such ransoms.
This penalizes the victim. Legally this might be impossible for the same reasons the law is unable to stop you from paying a ransom in kidnapping.
I'm not convinced this would affect the problem even if outlawed. Companies would simply go the path of least resistance the same way they do with avoiding tax. There will always be loopholes for shell / shelf companies to hide activities. The ransomware gangs themselves already today encourage you to reach out from private emails and promise smoother negotiation if you do.
There are several laws already on the books which address this – various international sanctions (https://www.reuters.com/article/us-treasury-cyber/companies-...), anti-terrorism laws (can't pay ransom to a known terrorist group), anti-money laundering laws and more. There is nothing stopping the government from enacting more.
Attorney-client privilege does not extend to lawyers doing illegal things on your behalf. For example, you can't ask your lawyer to hire a hitman to off a guy, and any evidence related to such activity will not be protected by attorney-client privilege.
Please. There is a difference between saving a loved one, and hiring a hitman to kill one.
It's literally illegal to pay certain sanctioned organizations today for kidnappings - because they are designated terrorist orgs.
Who negotiates the ransom? Lawyers and security firms, been going on for a long long time.
Amusingly enough, this has even gone through courts in some places, you might wanna look up caselaw. They just decided to classify kidnappers as "criminals" for the ransom purposes, or some other such wordsmithing.
In the US these laws are simply ignored outright.
"The United States Code prohibits funding terrorist organizations, which includes the payment of ransom monies to terrorist organizations. However, the outlook in the United States on ransom payments being made to terrorist groups has softened. In June 2015, President Obama announced that private parties may negotiate with and pay ransoms to terrorist groups without fear of criminal prosecution, which has been the informal practice for years. In fact, nobody has ever been prosecuted for paying a ransom in the United States."
Just imagine your election prospects after jailing a mother who paid a ransom to save her child.
Imagine defending a claim that such law is constitutional, moral and just.
Businesses can't expect claims for theft insurance to be honored if they didn't take reasonable measures (install security cameras, alarms etc... and lock the valuables). How is this different?
You quit and go do something else. It's not like your life ends when a company ends.
In a less sarcastic tone: this is where your DRP and BCP get involved, and if you don't have those at that scale, then you were doomed from the start anyway and your existence as a company was on a short lifespan to begin with.
To play the devil's advocate, in an ideal world, you go out of business and another business that actually followed security best practices takes over.
Over time, companies start taking security more seriously. When it affects the users, they can just ignore, business as usual. But now, they can't just go on with their days, so that's the real accountability in my opinion.
If the ransomware operators follow best practices, their C2 is in those backups too. The data's not encrypted, but without good IT, not for long.
Maybe go two weeks back and you'll get a clean instance, but that's two weeks' data loss. I've seen (non-tech) institutions hit where an hour of data loss is worth paying a ransom for.
Not executable. Text. Readable by humans. Inspectable by humans so you can root out rootkits. Not even the valuable data that cyber criminals go for anyway - they go for personal and financial data, not k8s config files.
Neither of those are relevant. You don't back up virtual machines or image disks - you take the aforementioned plain-text, audited config files and spin up a new instance from scratch.
This is irrelevant snark. If you back up a data file, it doesn't matter that it's stored in the memory of a Von Neumann architecture - it's only going to be used as a data file.
> Separation of code and executables is a nice idea that approximately 0% of organisations fully adhere to.
Citation needed. Also, you just said:
> If the ransomware operators follow best practices
...so are we considering the ideal case, or not?
> I'm really not sure that has a serious answer.
Being snide is bad by itself, but it's even worse when you're wrong on top of it.
> You are aware that paying ransom may or may NOT work.
The ransomware campaigns are pretty good on support. You will get a key for a sample of your data as a proof. You can sometimes pay progressively to get more trust. Getting your data back is just as important for the criminals as encrypting it in the first place - otherwise their business goes down.
Oh, good to know they provide support. I just remember some ransom (was it notpetya?) that had a broken "pay" thing or some invalid mail... anyway, you couldn't get the key.
And encrypting your data doesn't help if you don't have backups.
> And encrypting your data doesn't help if you don't have backups.
Actually, it does. "We'll delete your data." is not the only ransomware threat - the other one that's not quite as big, but growing, is "We'll leak your data."
Have the government bail them out by buying them out, then collectivize the company.
If your company is too big to fail, maybe it shouldn't be controlled by profit-optimizing external shareholders and reckless directors. If it isn't too big to fail and can't get a loan the usual way to pay for the ransom (or better: data recovery), just let it go bankrupt like any other company making a costly mistake.
You can still have your assurance pay the cost of setting your revenue stream back up the hard way. As long as the money isn't going to the criminal groups.
The one company that I know personally that was hit by ransomware, and paid off the attackers, managed their own backups, which were encrypted as well. IMO, it's not just the importance of backups, but of having third-party, redundant, off-site backups.
For the business, they do not care about the greater good. The greater good is not paying the ransom, but for the business, paying the ransom and then taking measures so it doesn't happen to them again personally is still likely to be the better option, and that is the problem.
It's a mildly interesting game theoretic problem, where if you are attacked and you pay, that wins over not paying -- but if you are not attacked and others pay, that loses you money because now you need insurance. So the actual optimum is for nobody to pay, but good luck on that.
It will incentivize others paying the ransom if the consequences are dire enough. Remember the after-ambush interrogation in the film Inglourious Basterds.
I don't think this will set any precedent. Unlike a standard kidnapping and ransom, where there is a huge amount at stake for the kidnapper - there is little consequence for ransomware authors and those who hold businesses hostage. They do it from the other side of the world, anonymously (assuming good opsec) and if someone doesn't pay up, they just move on.
Not this event alone, sure, but it is a step in the right direction. The attitude will need further adoption and it may drive pre-emptive actions against ransomware instead of the "do nothing and cash out on insurance" approach.
This hasn't really worked for real-life kidnap/ransom, which has probably been done since the dawn of civilisation. I don't see why it would change now.
Kidnap/ransom only really exists in countries with poor or corrupt governance.
It's a solved thing in the West for example, because the criminals know they will not get away with it. It's easier to get away with murder, because it doesn't create such social commotion, which in turn brings in the government focus.
I wish they were this well intended, or even that it’s actually what’s happening behind the scenes.
More often than not “don’t negotiate with terrorists” [0] facades are just a message sent to the world, only enforced when the stakes are low enough and the ‘terrorist’ party has nothing actually valuable.