CBS News recommends paying criminals

Scott Pelley says the best option to ransomware threats (sometimes) is to pay what the criminals demand.

Pelley may be unaware that paying the untraceable ransom is no guarantee that your data can be restored (there is no honor among thieves). You’re just as likely to pay and get nothing in return. Try explaining that decision to your board.

Today’s news article is here (note some bad links on that page due to stupid copywriters who don’t check their work).

I must be in the wrong business. Nobody pays me $40,000 for sending an email threat. Maybe the dark side is where it’s at.

I recall a hospital paying off the attackers. They lost access to their network. IT staff and outside cyber security experts couldn’t crack it. They chose to pay and I believe their system was restored.

I assume that everything was backed up, but I also assume that restoring a system that large would leave them closed for at least a few days as well as having all their data since the last backup gone.

ETA, here’s the (or at least one of the) places it happened to. I suppose for $17,000 it’s probably worth a shot for a business that large.

It’s not usually just a threat. Their data is actually encrypted. It becomes a choice between paying hundreds of thousands to restore, or paying a small amount to the hackers.

Do you trust criminals to restore your data? The same ones who encrypted it?

I haven’t seen a lot of stories where they DIDN’T restore it. Besides, if they don’t, the business is only out a small fraction of what they have to pay to restore it on their own. That’s why a lot of businesses are taking that route.

If they don’t restore it, where is the incentive to pay the next time it happens to someone else?

Well, I’d ‘trust’ them to give the decryption key, yes. Basically, if they didn’t then it would rapidly break their business model, since no one would even bother trying to pay the ransom.

Hopefully the folks who fell for this have taken future steps to prevent it from happening again. A lot of companies, even big companies, never seemed to grasp the level of the threat and have paid the price for that. Sadly, many places still haven’t learned their lessons and still haven’t taken even minimal precautions to ensure this doesn’t happen to them.

The “best thing” is to have a properly constructed network that has protected backups that are refreshed daily so that you can tell ransom hackers to fuck off.

Since I’ve been here, we have been successfully attacked once by ransom software. We just purged the server and restored it from protected off-site backups. Problem solved before school the next day.

Stupidity?

Ahhh…the crooks that are in it for the long haul. They have prepared a long-term business model, and presented it to the investment community, showing a favorable rate of return. Deviating from that would negatively impact their stock price and might result in a re-shuffling of the board. Yep, that’s how these bastards work. Rational as can be.

I think the OP is making a point that CBS News really shouldn’t be telling people to support crime. I have to admit, I did not pay close attention to the 60 Minutes report, but IMHO, if they felt the need to air the story, they should have pointed out that paying a ransom in untraceable bitcoin is always a sketchy thing and should be avoided.

Again, IMO, instead of telling people that paying the ransom worked, they could have recommended not to pay the ransom and given some pointers as to how to avoid being held to such an attack (making backups, virus detection, multi-network systems, etc…). I’m with the OP on this one, CBS was irresponsible.

It’s rationality based on keeping that going. Basically, the same rationale that loan sharks use. If you pay them back and they STILL bust your knee caps, well, they probably aren’t going to be able to get anyone else to borrow money in the future. Or drug dealers…if they adulterate their drugs to the point it kills the customers or doesn’t actually get them high then they probably won’t have repeat business. Once the cyber crooks get a reputation for a bait and switch and not actually providing the keys to de-crypt the data they basically aren’t going to get the next sucker to pay up. And really, giving the key is basically not a big deal, so I don’t see any upside in the cyber crook to NOT do it (unless they lost it or some other stupid shit). Seriously, you are talking about cut and pasting a 15 or 20 character code into a text or email. No additional exposure for you, no real risk (not greater than doing this in the first place), so why not?

Actually, yes, that does seem to be the way they are working. They aren’t asking for incredibly large amounts of money that can break the bank, and they are (for the most part) providing the keys needed.

What’s the upside of not restoring it?
I suppose there could be a scenario where it goes “Pay us… ONE MILLION DOLLARS!” “Errr, that’s chump change, OK, no problem, done” “Wait, wait, wait, then, pay us… TEN BILLION DOLLARS!” but the real world doesn’t really operate on Austin Powers rules.
OTOH there is a clear upside for L33tH4ckCr3w to restore your shit upon payment: they can then go and hijack the shit of the next guy over. And the next guy over will be more likely to pay up, because they know when the first guy paid up blablabla. Like, I’m aware you shouldn’t pay the danegeld, but the thing is: the Dane only had a small handful of possible chumps to threaten. L33tH4ckCr3w has a target rich environment because everybody clicks “remind me later” on their software security update. Even IT guys.
Get rid of the Dane. He *might* be back… in 20 years. Which hopefully gives you some time and motivation to invest in ITsec in the meantime. File it under “the cost of doing business while being an idiot on the internet”.

… yes? I mean, you have to be at least a little smart to do cybercrime. Not very smart, but at least a little. Why do you assume tech ransom crews are irrational, terminally short-sighted morons? I mean, even Attila the Hun (reasonable, famously measured and moderate guy that he was) knew there was absolute value in not breaking his mass-murdering racketeer’s word.

If even I can see the column A, column B assessment, why wouldn’t they? I’m too dumb to do any kind of crypto, FTR. Anything more complicated than a straight alphabet cipher and I’m out.

Here’s why you might not want to pay the ransom.

There’s more, here.

You Are Marked As A Sucker:
Sure. But again, now you know which exploit they used to infiltrate you, so that’s one option they don’t have any more. And you’ve patched up all of your other shit while you were at it, because I’m going to assume you’re not a moron. And Debbie from Accounting has probably been sacked so she won’t click on the dodgy email attachment again, either. So you might be a sucker, but now you’re a difficult to reach sucker. There are a million other suckers out there. Why harass you specifically? Not to mention, repeating the scam on you makes you all the less likely to pay up - fool me once, you can’t fool me again and that. What’s one lone, isolated upside of doing it again?

No Guarantee: addressed already

Enable Crime to Continue: yup. But it’s not your job or responsibility to stop it. You’re a victim, not an enforcement agency. Why should you suffer just so others can prosper? The FBI can suck it and do its fucking job.

To me, that sounds like a good reason to pay. You have about a 50-50 chance of getting your data back (if you look down, 19.1% paid the ransom and got their data back, and 19.6% paid and didn’t get their data back). Versus not getting your data back or paying way more money to try to recover, it’s the rational choice, in my opinion. I mean, yes, they’re assholes. Back up your data to avoid this.

If you look past the text from the site I quoted above to “Why you should consider paying,” you will find (positive) reasons to pay the ransom, which I did not quote. That site doesn’t appear to be as biased as I might have suggested – not that I agree with either conclusion.

Personally, although I am not the admin for a large hospital, I would spend all the time and money it might take to restore my data, even if that were more than the ransom amount, just on the principle of the thing.

If it is a large business and the ransom is (relatively) modest, paying the ransom is a no-brainer.

It is no different than handing a thief your wallet when he has you at gunpoint. Yea, he might shoot you after he gets your wallet, but it is the option with the best likely outcome.

If it does work out, consider it a lesson that your security sucks and needs an upgrade.

If it doesn’t work out…well, the lesson is the same.

Yea, you can take the moral high road. I just hope you have a good lawyer for when someone gets hurt.

Maybe not, but in some cases, your choices aren’t very good. Criminals who take sensitive computer systems hostage are no different than criminals who take humans hostage. They hold something of value that people want returned in good condition. The hijackers want your money, and you want your access back. It’s possible they’re acting in bad faith, but trusting them, even if you don’t want to, may be your best option. There are worse options.