And the negotiations from the $10 million demand to payment were on a public forum.
I'm sick of these crooks getting away with this chit!
Well, proper companies have backups. My previous company got attacked, but the competent IT guys there just waved them off... and then installed the backup.
The hackers are not stupid and this is, as above, a business for them. If you screw over this one "customer", you may make a killing, but no one will ever pay a ransom again. They also will struggle to get other teams to work with them on jobs as they're seen to be ruining the ransom business.
The other thing to consider is that this is a job with a lot of costs. The kit you use is burnable (obviously, and depending on what you're doing there may be a lot of it, including cars / vans, a Yagi rifle or two and so on) and the skilled people willing to take the risk are expensive. You may put months (or more) of work into this, setting up a botnet or pivots or phishing people. There was an attack on a large company where the attackers were in the network for two years before executing their attack. The odds of getting caught are very high as time progresses and so many of these scams will fail, but people and equipment will still need paying for.
Once you get paid, you have to fence the money. There are plenty of people looking to do this for you, but their cut is not small.
To keep business good, it is a poor idea to sell the company's data to competitors, especially when those competitors may just report you or actually be the next victim.
If it were me, I'd send a "taste" of data off to an up and coming exec of the next target, then I'd send him more with a trojan in it. Then I'd wait for him to take that trojan to work for me. Then I'd do them, too.
In ransomware threat actions, you always want to fulfil your end of the deal because if you don't, people won't pay or your payouts will be less.
It's in the hackers' best interest to unlock the data so that if they hit them or others like them in the future, others will be more likely to pay up.
Malware and hacking are multi billion dollar businesses now, if you aren't an honest thief then people don't shell out.
I did love the "AV software doesn't help" thing. It's so true. I've not used any antivirus (aside from windows defender) for over a decade. I do occasional scans using a downloadable tool if I suspect any issues.
There are tools (Veil evasion, for example) which will create AV invisible malware with a custom payload with a few commands. Sometimes it takes a few tries to customise it properly, but it's like 30 minutes work. There are websites which will test that malware against AV software for you, so you can see if it evades all, or just the AV software specific to your target.
So these guys will not go after the "backers" of bitcoin? I mean, if no bank wants to have anything to do with bitcoin, bitcoin is worthless as it has no real currency to be exchanged into.
Personally, if I was the dictator of Denmark I would ban bitcoin in any way as one of the first things, so people had better start selling when my tanks are rolling up to the parliament here to make pulp of the people there.
I skimmed the title at first, so was thinking it was talking about the OEM PSU manufacturer.
The negotiations taking place in an area open to the public is certainly an interesting note. Although I do agree it seems to go against the general advice of experts not to pay, as it gives more encouragement to anyone (not just the particular group in this case) seeking to take similar actions.
It wouldn't surprise me if CWT has insurance to cover the cost though, as that seems to be the sort of thing that has been mentioned increasingly in recent times with reports of some companies or local governments as time passes.
Plus there's also no guarantee that whoever is behind any crypto-locker attack will actually provide the decryption keys, they could just demand more money afterwards or just never provide the decryption keys at all.
Seems like a very polite exchange of blackmail... Still, not too keen on the idea of funding black hats.
I don't think this is black hats - this is organised gangs. I'm guessing even having backups is no use if they get long term access to your network and can hit the backups too. My firm has moved to cloud backups of local machines. I guess that would really help as you can probably roll any attack back by just restoring the cloud backups (I assume there is no global delete all backups mechanism as a protection from the admin account being hacked).
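The post above assumes that cloud backups cannot simply be wiped by a compromised admin account. The added example below (illustration written for this page, not code from any poster or from any backup product) models the property that gives you that guarantee: every write is a new version, a retention lock refuses deletes until the retention window has expired, even for the admin principal, and restore is done to a point in time rather than "latest". It also shows the caveat that follows from the two-year dwell time mentioned earlier in the thread: if the attackers sit in the network for longer than the retention window, the last clean version has already aged out before they strike. The key name, timestamps and payload bytes are constructed for the example.

```python
"""Retention-locked, versioned backup store (constructed example).

Models the object-lock / WORM behaviour that makes cloud backups survive a
compromised admin account: no in-place overwrite, no delete inside the
retention window, and point-in-time restore. Nothing here talks to a real
cloud API; the store, key name and data are all invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

KEY = "fileserver/payroll.db"  # hypothetical object name


@dataclass(frozen=True)
class Version:
    seq: int
    written_at: datetime
    data: bytes
    retain_until: datetime  # nobody can delete this version before this time


class LockedBackupStore:
    def __init__(self, retention: timedelta):
        self.retention = retention
        self._objects = {}  # key -> list[Version], oldest first
        self._seq = 0

    def put(self, key: str, data: bytes, now: datetime) -> int:
        """Every write creates a new version; older versions are never overwritten."""
        self._seq += 1
        version = Version(self._seq, now, bytes(data), now + self.retention)
        self._objects.setdefault(key, []).append(version)
        return version.seq

    def delete(self, key: str, now: datetime) -> int:
        """Drop only versions whose retention has expired. The caller's privilege is
        irrelevant by design: an admin credential gets exactly the same answer."""
        versions = self._objects.get(key, [])
        kept = [v for v in versions if v.retain_until > now]
        self._objects[key] = kept
        return len(versions) - len(kept)

    def delete_all(self, now: datetime) -> int:
        """What a 'global delete' request from a hijacked admin account achieves."""
        return sum(self.delete(key, now) for key in list(self._objects))

    def restore(self, key: str, as_of: datetime):
        """Point-in-time restore: newest version written at or before as_of."""
        candidates = [v for v in self._objects.get(key, []) if v.written_at <= as_of]
        if not candidates:
            return None
        return max(candidates, key=lambda v: v.seq).data


def run_scenario(dwell: timedelta, retention: timedelta):
    """Attacker gains admin, waits `dwell`, encrypts live data (which the nightly job
    faithfully backs up), then tries to delete every backup. Returns
    (versions the attacker managed to delete, data the defender can recover)."""
    t0 = datetime(2020, 7, 1)  # constructed timestamp
    store = LockedBackupStore(retention)
    store.put(KEY, b"payroll-good", t0)          # last clean backup
    t_strike = t0 + dwell
    store.put(KEY, b"ENCRYPTED-BY-RANSOMWARE", t_strike)  # nightly job backs up the damage
    removed = store.delete_all(t_strike)          # hijacked admin: "delete everything"
    recovered = store.restore(KEY, t_strike - timedelta(seconds=1))
    return removed, recovered


if __name__ == "__main__":
    print(run_scenario(timedelta(days=10), timedelta(days=30)))   # (0, b'payroll-good')
    print(run_scenario(timedelta(days=45), timedelta(days=30)))   # (1, None)
```

The second scenario is the one to check against your own backup policy: a retention window shorter than the attacker's dwell time gives you a backup set that is complete, immutable and useless, because the only versions still inside the lock are the encrypted ones.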
They can't be sure, but the hackers may do so. If the ransom is paid and the data subsequently leaked, it undermines the case for future victims to pay up, and ruins the hackers' business model.
How about legislation making company bosses criminally liable, with jail time, for paying out, and making their companies liable for a fine of 100x whatever they paid?
Make it unprofitable to pay. If the motive of the hackers is money, destroy the motive to comply.
A lesson learned from PeterB about dignity in adversity, so Peter, In Memorium, "Onwards and Upwards".
Not trying to be too much of an ass in saying this, but I am being pretty incredulous: how on earth could that possibly fix anything?!?
You're literally making it legislation that if your security is breached, you're either jailed for paying to re-operate the business or your business goes under making hundreds if not thousands of employees jobless.
These hackers will breach a business, read their financial data and know exactly how much they can extort without causing the business to fold.
But what you're forgetting is that to make the extortion scam effective, you have to threaten the viability of the business continuing to operate. Oh, so now it's a jailable offence to pay the ransom to get your business back online while you sanitise the entry points and analyse the threat chain to stop it happening again? Business owners will survive a business going under, but not the employees as much.
Saracen, I have a lot of respect for you (with the exception of your extremist data privacy observations), but a legislative suggestion to screw a business and make them criminally liable for trying to recover from a breach is just ridiculousness of the highest order.
How about someone kidnaps your family and ransoms them back to you? You pay the ransom, they're returned, then the bobby turns up and says "hey buddy, you're under arrest for paying the ransom for your family and oh yeah, here is a financially crippling fine for paying that ransom, turning you from an upper class occupier to homeless, chop chop, get your family to pack your bags, the bailiffs are here".
Jesus H Christ.
Perhaps if company directors knew their behinds would be in a sling, they'd take steps to avoid putting their users' data at risk in the first place, rather than not taking sufficient steps to prevent it. Which, of course, merely serves to encourage hackers in the first place.
"How about someone kidnaps your family and ransoms them back to you"
How about it? Where did I say anything, directly or indirectly, about kidnapping cases? It has nothing to do with what we're talking about.
As for "extremist" views on data privacy, well, excuse me if I choose to regard MY data as private. If you remember what I've said, it's that I highly regard my privacy, and object vehemently to companies invading or abusing it for any reason, unless I've agreed to it. I've not suggested anybody else should feel the same way. If you don't care how companies abuse your data, that's your decision. My point is that how my data is used should be my decision. I fail to see the extremism.
The problem is that many companies not only don't give users the choice, but some go to extreme lengths to deprive us of it, up to and including lying about what they use it for and the measures they take to preserve it.
Give the people running such companies "skin in the game".
If they get hit, they are liable to personal punishment in the event that they cannot prove they took all reasonable steps to prevent it, including serious penalties for not doing so. This is actually already in line with measures in place under both US and EU law to punish companies for data breaches. Like I said, make it more painful to get caught out than to risk users' data and maybe those responsible for making decisions will take their responsibilities for users' data, about which they often gave the users little choice in the first place, more seriously.
It's like health and safety, or regulations about building safety. Fail to take responsibilities seriously and directors, and even responsible managers, can be (and occasionally are) liable to personal penalties, including substantial periods behind bars. The principle is identical.
In fact, in my opinion, there are more than a few cases where those criminal sanctions aren't used enough, up to and including unsafe fir cladding on buildings. Or storing vast quantities of explosive materials like ammonium nitrate close to built-up areas, though it looks like the authorities are looking for some backsides to fry in that latter example.
A lesson learned from PeterB about dignity in adversity, so Peter, In Memorium, "Onwards and Upwards".
You dodged my entire point to jump into total irrelevancy then dial back to something worth responding to.
And the kidnapping metaphor is totally relevant. The kidnappers (hackers) took your family (data), made it inaccessible to you (ransomware/encrypted/exfiltrated), ransomed you for their safe return, and if you don't pay up then your family is gone (data/decryption keys are destroyed). Your point is to make the voluntary payment to these criminals to get your valuables back a liable and criminal offence. In literally every case, no one turned around and went "well our security wasn't good enough", because even with the most cutting/bleeding edge SIEM, artificially intelligent, behavioural analysis, locked down tighter than a nun's unmentionables, there will always be a way. You don't see banks getting sued when a vault is raided, because to sue them you'd have to prove the bank was criminally incompetent or had a dereliction in their responsibility to secure goods. The same happens in the security trade: you have to prove that Sophos didn't know about the Windows DNS bug that allows you to take over an entire network administratively with nothing more than a Raspberry Pi, and you also have to prove Microsoft didn't know about it since Server 2003. It's a ridiculous notion.
These ways can be anything from brute forcing the firewall externally to beating a security analyst half to death to get his access key, 2FA receiver and passcodes. Do you know how many of these threat actions are done by compromising general people and not crushing the defenses? Over 60% last time I checked the Verizon breach report.
And you want to criminalise businesses and their leaders for something over which they actually have marginal control from vendor to vendor.
Your legislation would effectively boil down to "I won't pay the ransom because of the large fines and potential jail time, let's try and recover our systems" or "I will pay the ransom, we'll get financially crippled and our leadership will go to jail, leaving the business rudderless". Those two options are "potentially close the business" or "definitely close the business"; that's an impossible choice.
In fact, the people who should be fined if this ridiculous notion would ever gain traction are the businesses who let this happen. Intel for Spectre/Meltdown derivatives: any hack preceded by them, Intel should have been financially responsible for. Stupid crap like that, not the business who got attacked.
Iranian nuclear plants that were creating weapons-grade fissile material. When you actually read about the security the plants had, it was pretty top notch for the time. All users were educated on the "don't be stupid", and the security systems in place isolated the entire plant's systems from any networked systems that could be contactable outside the plant. A memory stick was the likely infection vector, a damned USB stick dropped in the car park.
But yeah, a tired engineer's mistake one day is totally a reason for legislation to arrest the leadership and financially cripple them.