[HN Gopher] Colonial Pipeline Paid Hackers Nearly $5M in Ransom
___________________________________________________________________
Colonial Pipeline Paid Hackers Nearly $5M in Ransom
Author : longdefeat
Score : 226 points
Date : 2021-05-13 14:26 UTC (8 hours ago)
(HTM) web link (www.bloomberg.com)
(TXT) w3m dump (www.bloomberg.com)
| purple_ferret wrote:
| >The company paid the hefty ransom in untraceable cryptocurrency
| within hours after the attack
|
| in Monero? Wonder how they converted USD.
| TacticalCoder wrote:
| I'm wondering too. Now in TFA I read:
|
| "The company paid the hefty ransom in difficult-to-trace
| cryptocurrency within hours after the attack..."
|
| I don't know why you got "untraceable" and I get "difficult to
| trace" when reading the article.
|
| Bitcoin ain't exactly difficult to trace. I wonder if Colonial
| took the "discount" of 30% and paid in Monero or if they paid
| in Bitcoin.
|
| Oh well, it looks like at least one company is going to give a bit
| more sh-t about its IT security ; )
|
| And another thing: often this news is followed, a few
| weeks/months later, by "How the hackers who got a $5m ransom
| from Colonial got caught".
|
| Waiting for that one...
| AzzieElbab wrote:
| All that money and lawlessness that went into enabling security
| agencies must be crowned as the worst investment ever
| Mauricebranagh wrote:
| That has nothing to do with this; the FBI presumably cannot
| enforce security on a company.
|
| Maybe for some industries they need to start mandating Security
| Clearances and background checks and no outsourcing of certain
| critical systems work.
| BigGreenTurtle wrote:
| I believe a judge recently signed an order allowing the FBI
| to access and patch hacked exchange servers.
|
| https://www.nbcnews.com/tech/security/fbi-might-gone-
| ahead-f...
| AzzieElbab wrote:
| I am not familiar with any details of this hack that could
| point to employees or contractors. Also, I am not sure what
| exactly the roles of the FBI and NSA are when it comes to
| protecting US infrastructure. Can you clarify?
| Mountain_Skies wrote:
| Many of those agencies seem more interested in making systems
| less secure so they can get in easily than in protecting
| systems from outsiders.
| ineedasername wrote:
| And the group originally thought responsible for this was actually
| just a ransomware-as-a-service partner here, and seem a little
| embarrassed about the whole thing. Basically they said "yeah, we
| don't want our partners doing stuff that big so we'll ask them
| not to in the future." Hopefully that doesn't stop the full
| weight of the US intelligence services from coming down on them
| and every single other ransomware scammer they can find... And
| outlawing payments to these terrorists.
| ineedasername wrote:
| Per the Boston Globe story [0] they were actually in the process
| of restoring from backups but it was going too slow. Something to
| remember: when downtime is so critical that key pieces of a
| country's infrastructure are at stake, backups can't be enough--
| there also has to be a rapid recovery plan to actually use them.
|
| [0]https://www.bostonglobe.com/2021/05/13/business/colonial-
| pip...
| koreanguy wrote:
| Nobody hacked Colonial Pipeline, it's an insider trading racket.
| Which idiot would connect an oil pipeline to the internet?
|
| It's impossible. $5M in ransom? Show me the transaction.
| paulpauper wrote:
| So I take it that the involved crypto addresses should be in a
| blacklist database somewhere? Who, if anyone, is monitoring all
| these ransomware addresses? There are probably thousands of
| addresses by now.
| _tk_ wrote:
| Disclaimer: I work as a CISO in a large corporation. The
| interesting bit in this article is not necessarily the sum of the
| ransom, but that Colonial decided to pay quasi-immediately. It
| seems as if the attackers had full control over their network.
| Another possibility: Colonial staff could not be sure that if
| they used their backups, everything would be encrypted
| immediately again - possibly the backup servers as well. My bet
| would be on scenario 1.
| Ancapistani wrote:
| Having read the release by the attacker, my initial thought is
| that the immediacy of paying was probably due to the threat of
| the release of sensitive data, not the ability to restore
| operations.
|
| I'm sitting here wondering what exactly about the release of
| their financials and internal procedures prompted them to
| immediately pay $4-5m in the hopes of preventing it from
| happening?
| Mountain_Skies wrote:
| Just spitballing here, but they have had several other
| pipeline shutdowns in recent years. One was blamed on a third
| party damaging the pipeline but I believe the others were
| operational issues. Perhaps there's more information on those
| issues than the company would like the public to know? Just a
| wild guess.
| gist wrote:
| I am curious what your thoughts are on other commenters making
| as if it is possible to prevent these types of attacks by just
| taking security 'more seriously'. My guess is that you know
| that no matter how much is spent with a large entity and many
| employees it's near impossible to prevent this type of attack.
| People make mistakes, people are easily fooled, people don't
| follow what they are told to do, and so on.
|
| I can't even begin to imagine the number of people that could
| cause an issue in a company the size of the one you are a CISO at.
| nonameiguess wrote:
| It's certainly possible to achieve serious security but
| probably not practical for most private entities. I've spent
| most of my development career making software for the US
| intelligence community and their systems were definitely not
| going to get broken into by a ransomware gang. Security
| measures include multilevel air gapping plus heavily armed
| physical security, six foot thick concrete walls set back
| from the street by other concrete barriers, locating
| facilities on military installations, disabling USB ports on
| most devices, banning anything radio enabled from being
| anywhere near your workstations, jamming radio signals
| anyway, severely punishing, possibly executing, anyone caught
| working as an intentional insider threat, requiring multiple
| persons in the custody and approval chains to move any files
| from one network to another via write-once media like DVDs,
| having the transfer media itself in a separate locked cabinet
| in a separate locked room inside the actual classified vault
| serving as an office. Installing and running everything in a
| separately sandboxed staging environment even after it gets
| through all the walls and air gaps and DVDs and running it
| through some fairly extensive testing and analysis before
| putting it anywhere near a production system.
|
| Clearly, you can never make it literally impossible, but to
| my knowledge, nobody has ever managed to get malicious
| software onto a classified production system. Information
| leaks are, of course, another story.
| Mountain_Skies wrote:
| You cannot completely eliminate risk but you certainly can
| reduce it and be prepared for what to do when one of those
| low probability risks ends up happening.
| magicsmoke wrote:
| Parallels with the golden age of piracy anyone?
| o_p wrote:
| Should have paid for cybersecurity or not paid miserly bug bounties.
| Attract talent to the blue team!
| ajay-d wrote:
| They had cyber insurance coverage[0]. But I have no idea if
| cyber insurance pays out ransomware ransoms.
|
| [0]https://www.insidepandc.com/article/28is3dljuei18ioo7fri8/ax
| ...
| DrBenCarson wrote:
| They should, most policies do cover ransomware. If their
| policy did not, CIO loses their job in 5...4...
| generationP wrote:
| So, supposedly, Colonial paid the ransom "within hours after the
| attack". And, supposedly, the attack didn't even hit any ICS,
| just the payment infrastructure (
| https://www.zdnet.com/article/colonial-pipeline-ransomware-a...
| ). Why are there still gas shortages 6 days later?
|
| Not a rhetorical question at all. To me, the idea that the
| infrastructure we rely on is controlled by middle managers with
| no sense of urgency and no grasp of their domain looks like the
| real fridge horror story here. On the other hand, I have learnt
| better than to trust everything I read in the press; thus the
| supposedlies. Either way, "the decryption tool is slow" is not an
| excuse to not deliver essential supplies.
| mgolawala wrote:
| You do not need actual disruptions in supply to create a
| shortage. The threat of a disruption or a shortage for such a
| critical commodity can create a situation in which it becomes a
| self-fulfilling prophecy (short term).
|
| That is what can often create bank runs and created the "great
| toilet paper shortage of 2020".
| nikanj wrote:
| All you need for gas shortages is the rumor of gas shortages.
| Remember how we ran out of TP last year, for absolutely no
| reason whatsoever?
| ppierald wrote:
| I am definitely not an expert in these areas and I'm sure someone
| 100x smarter than I am has thought of this and discounted it
| already, but is there any ability to decompile the executable
| provided to Colonial and get to patterns of source code, then
| compel github to search their repositories for any patterns of
| that code? Not sure if that is even legal or whether a judge
| would authorize that fishing expedition, but it's an interesting
| thought exercise (in my head) assuming the code is even in GH.
| dehrmann wrote:
| > then compel github to search their repositories for any
| patterns of that code
|
| Assuming we're talking private repos, compelling Github to do
| that is a pretty blatant fourth amendment violation unless
| there's a specific set of suspected repos.
| mrastro wrote:
| It's unlikely their code is hosted on GitHub because the
| hackers wouldn't want to leave such an obvious trace there.
|
| I think you're right that unless there is evidence code is
| hosted there, the judge wouldn't authorize a "fishing" exercise
| to search random sources for the code. In a hypothetical, what
| would this even give? The IP addresses of the authors? They are
| likely running through a proxy anyways so it wouldn't help. The
| private key? It might have been generated server-side or using
| an algorithm outside the code so might not help.
|
| What I'm saying is getting the code source might not even be
| helpful depending on how it was implemented and if only the
| client code can be found.
| axiosgunnar wrote:
| Are you assuming the ransomware is collaboratively coded on
| GitHub?
| Mountain_Skies wrote:
| The authors of the ransomware might have non-ransomware
| projects on GitHub where an analysis of coding style gives
| them away. It sounds like it would have a low probability
| of working but this is essentially what got the Unabomber
| caught. But writing styles in English might be easier to
| identify than in code. Maybe they'll use "cool headed
| logician" as a procedure name.
| Mountain_Skies wrote:
| It should be noted that Colonial had several infosec openings at
| the time of the attack. While having those filled might not have
| prevented this attack, it also might have or at least put them in
| a better response position.
|
| There are lots of infosec openings across the country but
| compensation doesn't seem to be rising in response. It appears
| that companies are fine with leaving these positions open for
| long periods of time. As long as the position actually exists,
| they're not all that concerned with filling it. This might be
| complacency creep. Everyone staffed up after the cluster of
| breaches that happened around the time of the Target and Equifax
| breaches. A lack of other high profile breaches or attacks might
| be why many companies have become lax in keeping their staffs
| full.
| sneak wrote:
| You don't need infosec staff to know that you should have
| backups of the data on your important computers/servers.
|
| Being hit by ransomware is not an indicator of total IT
| incompetence.
|
| Having no good options but to pay the ransom absolutely is.
|
| All ransomware is doing is exposing the existing hope-based DR
| plans (that is to say, lack thereof) in the industry.
| MattGaiser wrote:
| Are there enough Infosec people to fill every open job for it
| in the USA? I would imagine that it is like software
| development, where the unemployed software devs are the kind
| that can't figure out git.
| Mountain_Skies wrote:
| I doubt there are enough infosec people which means in theory
| that compensation should rise which will then attract more
| people into the field. Until they're trained and experienced,
| whoever provides the best place to work (compensation and
| intangibles that lead to satisfaction) would get the help
| they need while others would be more vulnerable to attack.
| But from what I've seen, this isn't happening. There's lots
| of complaints about there not being enough workers but
| instead of boosting compensation and/or quality of
| employment, the positions simply stay open for extended
| periods of time.
| lawnchair_larry wrote:
| This is basically accurate but with an added problem. When
| devs do their job, the product is software. When security
| does their job, the product is "not getting hacked", so if
| you act busy enough, it's easy to appear as though you're
| doing important work, until it's too late.
|
| Then, paradoxically, you aren't actually punished, but
| usually rewarded, when you do get hacked. That's the one time
| you're needed most, and you get to act like the hero for
| saving the company.
| orev wrote:
| For many companies, security threats are all theoretical, but
| they are required to have the positions to meet some compliance
| requirement. They need to have them, but don't really want
| them, which would explain the lack of enthusiasm (as
| demonstrated by the low salaries) in getting the jobs actually
| filled.
|
| Also, a lot of infosec positions are just chugging through
| audits and ticking boxes to say whether you have some control
| in place or not. Those are more clerical positions that don't
| require deep technical knowledge that could command a higher
| salary.
| lawnchair_larry wrote:
| The issue is less about people unwilling to take those wages,
| and more about a lack of people whose breath can even fog a
| security mirror so to speak. I work in security and have been
| involved with hiring at several "brand name" companies
| including FAANGs in hot tech markets, and it's always been a
| talent pipeline issue more than anything. Given how difficult
| it is for the biggest players to keep security staffed up, and
| they still get hacked routinely, I can't imagine how low
| quality the applicant pool is at Colonial, and doubt it would
| have made a difference. Almost every company of moderate size
| perpetually has openings for security roles.
|
| The other problem is that the industry has an oversupply of by-
| the-book certified security people who can configure firewalls
| and run scanners, but who have never dealt with live hackers or
| hacked anything themselves. But hackers are clever and
| artistic, and defending against them isn't like following a
| recipe for baking a cake.
|
| And as an employer looking to introduce security, there is no
| way to really evaluate a good security leader vs a charlatan,
| and then it's either bad hires all the way down, or talented
| people on the bottom who lack leadership and are ineffective in
| the bureaucracy.
| socialist_coder wrote:
| Is being a "good" security person really more involved than:
|
| * making sure you have all your ports locked down
|
| * limit connectivity between all instances to only the bare
| minimum
|
| * any public access is via protocols such as ssh which have
| zero-to-none vulnerabilities
|
| * any 3rd party software you don't know is secure should never
| be public
|
| * routinely run employee training on how not to let
| themselves get hacked via social engineering
|
| I'm sure I'm missing other stuff, but I feel like if you
| follow these "best practices", you have just made yourself a
| very hard target and hackers will probably skip over you
| unless they have some weird reason to target your org
| specifically. So for 95% of companies out there, this level
| of security should be sufficient.
|
| I'm legitimately asking - is this sufficient? Or are hackers
| so creative that even following these basic rules will still
| not make you a hard target?
|
| This stuff seems fairly easy to do but I agree you need
| training or an info-sec person making sure your dev teams are
| doing it all. You can't have any slip ups. Your devs /
| managers have to take it seriously.
| notyourday wrote:
| > The issue is less about people unwilling to take those
| wages, and more about a lack of people whose breath can even
| fog a security mirror so to speak. I work in security and
| have been involved with hiring at several "brand name"
| companies including FAANGs in hot tech markets, and it's
| always been a talent pipeline issue more than anything.
|
| Oh come on. It is just an excuse. Look up what FAANG pays for
| those jobs ( total compensation ). Pay 2x. Get people from
| FAANG to work for you.
| grumple wrote:
| The problem I see is that there are tradeoffs between
| security and usability, and again between developing security
| vs developing features. Security doesn't make money next
| quarter, while features and ease of use do.
|
| Any software engineer can do security if they spend time
| learning and working on it. But executives don't seem to care
| about it.
| Veserv wrote:
| No. The security problem is not a lack of effort or laxness, it
| is a fundamental inability to solve the problem. At a $5M
| payout there are essentially 0 commercial IT systems in the
| world that can stop such an attack. The absolute best of the
| best commercial IT systems implemented as envisioned with full
| support can _maybe_ protect up to the $10M level and I am just
| extrapolating upwards since I have never had any security
| professional or executive in a Fortune 500 company with a
| budget in the tens to hundreds of millions of dollars ever
| assess their own systems as more than $1M. With an ROI of 5, it
| is only a matter of time before criminal enterprises can
| bootstrap themselves up to exploit the entire total addressable
| market. At best, better, but still inadequate, security means
| that the thousands of hungry bears eat the slower fish in the
| barrel first to get the energy to reproduce and make more bears
| to eat the rest.
|
| This is not a failure to live up to potential or incompetence,
| though there is a fair amount of both of those. We need
| solutions that are literally 100x better than the best systems
| currently available before we get to even _adequate_ for
| critical infrastructure whose disruption can literally cause
| hundreds of millions or billions of dollars in damage let alone
| potential human lives. Anything less than that keeps extortion
| economically viable for the attackers and paying off extortion
| economically sound for the victims. That is how far away we
| are.
| abraae wrote:
| > At a $5M payout there are essentially 0 commercial IT
| systems in the world that can stop such an attack.
|
| Even if that's true, it doesn't affect backups.
|
| Back your fucking systems up properly, and if you are
| attacked by ransomware, then do a scorched earth restore.
| Veserv wrote:
| It absolutely does affect backups. If you stand to gain $5M
| from an attack you can also target the backup systems and
| still easily end up profitable. Only if you stand to gain
| less than $100k does the budget actually start to get
| tight.
|
| As for how you attack the backup system it depends. If it is
| push based you send your payload during the push. If it is
| pull based you craft your payload in the data that will be
| backed up. If it is not append-only you can easily nuke the
| entire available history. If it is append-only, but that is
| only done in software you just need to take over the
| software. If it is in hardware you just infiltrate then
| silently encrypt any new data until it would be painful to
| revert that far back in time. Given that the mean-time to
| discovery is on the order of months that is quite painful.
| If they regularly test their backups you just silently
| decrypt the data on restore until it is time to strike.
| There are plenty of ways to beat vulnerable backup systems
| in that sort of budget.
|
| Like, seriously, with a $5M budget you can literally
| purchase and burn multiple zero days for every system in
| the chain and still come out ahead. You can hire 10-50 full
| time software engineers for a year _per_ attack. Most
| systems have serious vulnerabilities discovered by lone
| individuals working for a few months in their free time let
| alone a team of _50_ people. The current backup systems
| survive because most of these attacks are being done with
| budgets closer to $10k-$100k to maximize profit and growth
| rate and that is not really enough money to pay for the
| second arm of the attack. But with a $5M return they could
| easily allocate a few million to capitalize on the
| opportunity if that is what is needed once all the juicier
| targets have been eaten.
| hn8788 wrote:
| From my experience, the problem is that most infosec positions
| are powerless to do anything to increase security at the
| company, and are primarily there for PR or compliance reasons.
| The positions seem to be mostly filled with people who wanted
| to make a career change for the money; experienced people
| usually leave to work at private security companies, or FAANG
| sized companies.
| coldpie wrote:
| I mean, let's address the elephant in the room: there is no
| such thing as computer security. As we see with new leaks and
| hacks and vulnerabilities every single week, the idea that a
| computer that is connected to the Internet can be secure is a
| joke. The whole industry is built on protocols and tools that
| assume there will never be any bad actors, and we're reaping
| the rewards of that now. It will take decades of layering on
| band-aids to approach anything like security, and more likely
| we will have to rebuild the entire industry from the ground up
| without that assumption. Both will take a very long time and a
| lot of money. Hiring some guy with an infosec cert would not
| have stopped this attack, because there is no way to stop this
| kind of attack.
| TameAntelope wrote:
| There are companies that get hacked a lot and there are
| companies that don't. It is for sure true to say everyone is
| vulnerable, but it's also true to say that you can reduce
| your risk without reducing your revenue.
| Mountain_Skies wrote:
| Risk cannot be eliminated but it certainly can be reduced.
| Also response plans for when something happens can be funded
| and regularly tested. You can't anticipate every possible
| successful attack but you can reduce the risk of being
| unprepared to respond to whatever attack happens.
| Aperocky wrote:
| > Idea that a computer that is connected to the Internet can
| be secure is a joke. The whole industry is built on protocols
| and tools that assume there will never be any bad actors
|
| This is just flat out wrong.
| mistrial9 wrote:
| The assumption that there is no security in open protocols is
| badly misinformed here.
|
| "Hiring some guy with an infosec cert would not have stopped
| this attack, because there is no way to stop this kind of
| attack."
|
| Bloviation.
| medicineman wrote:
| I mean, if you ignore how H1B's work, yeah you could call it
| complacency.
| dang wrote:
| Recent and related:
|
| _AAA warns on gas prices, North Carolina invokes emergency as
| hackers apologize_ -
| https://news.ycombinator.com/item?id=27117515 - May 2021 (111
| comments)
|
| _US passes emergency waiver over fuel pipeline cyber-attack_ -
| https://news.ycombinator.com/item?id=27101092 - May 2021 (448
| comments)
|
| _U.S.'s Biggest Gasoline Pipeline Halted After Cyberattack_ -
| https://news.ycombinator.com/item?id=27086403 - May 2021 (202
| comments)
| drcode wrote:
| So they paid a penetration-testing firm a consultancy fee to help
| harden their network.
| commandlinefan wrote:
| Well, all we really know for sure is that they paid a
| penetration-testing firm a consultancy fee to identify where
| the network needs to be hardened. No guarantee they'll actually
| prioritize doing it.
| PaulDavisThe1st wrote:
| Not even that.
|
| Well, all we really know for sure is that they paid a
| penetration-testing firm a consultancy fee to identify _THAT_
| the network needs to be hardened.
| _tk_ wrote:
| Could you elaborate on where you see the hardening taking
| place? Colonial had a threat actor in their network and by
| paying the ransom, they supposedly left without doing any more
| damage. I don't think they patched a lot of systems or hardened
| their servers.
| tolbish wrote:
| They "helped harden", as in they verified that the network
| needs hardening.
|
| /s
| bleair wrote:
| Assuming the ransom was paid, it's an interesting example of how
| cryptocurrencies contribute to the viability of this new
| "business model"
| coldcode wrote:
| Too many companies prefer to skimp on security since it has no
| apparent payoff until it's too late.
|
| What I want to know are the circumstances of the hack; how did it
| work, what systems did it affect, what security were they
| lacking. Sadly these details are often ignored or hidden from
| view. Attacks of this kind should get a public report so that
| other companies can learn or at least be shamed into changing.
|
| It seems like it's more important to cover up your inadequacy and
| not help the next victim.
| swiley wrote:
| We need something like a fire diamond for software and data:
|
| some tuple like ((fails to) conform to spec / testing (and
| production) only (i.e. contains PII or is garbage
| data) / (permissive, restrictive, free) license / (un)safe library
| calls or language) or so.
|
| Some stuff is pretty subjective but so are the fire diamond
| numbers sometimes, plus we can pick objective boundaries (calls
| to gets cannot be safe for example.) I think it could probably
| work.
| edoceo wrote:
| A Fire Diamond:
|
| https://en.m.wikipedia.org/wiki/NFPA_704
| [deleted]
| ben509 wrote:
| Part of the problem is it's very hard to value security
| because, frankly, so much security is theatrics and snake oil.
|
| For instance, look at the consumer market, which is where an
| executive without security knowledge is coming from. All the
| big VPN vendors make security promises that are, frankly, false
| advertising. AV products are notorious for including warnings
| for viruses that pad their counts. That's not counting all the
| security applications that are malware.
|
| And if they talk to someone familiar with the industry side,
| they should hear some skepticism. All the static analyzers are
| full of flags for things that are there to drive up their
| numbers. There have been a few HN stories on junk CVEs that are
| filed so people can put them on their resume. I had to set up a
| WAF at work that proudly said it mitigated the OWASP top-ten
| (why the top ten? is #11 not important?) which include
| recommendations like logging that a WAF is plainly not doing.
| And then I tested its defense against SQL injection and it was
| trivial to bypass.
|
| And if a business that isn't a tech company hires contractors
| to fix security issues, most of the time, those guys will do a
| lot of check the box BS. It's fundamentally difficult, from a
| business operations perspective, for a company to do security
| because: 1. the horizon problem that you bring up 2. it's a
| cost-center 3. it's not their core expertise 4. if you even ask
| what secure looks like, you either get filibustered with long
| lists of best practices, or a lot of hand waving but strident
| proclamations.
| Aperocky wrote:
| The fact that there are so many ads and info sessions about IT-sec
| from people who seem to have never written a line of code in
| their entire life is worrying.
| AbrahamParangi wrote:
| Paying ransom should be illegal.
|
| Ransom funds illegal activities. Not indirectly, like buying
| coffee or poppyseed or whatever, but literally money that is
| directly reinvested in criminal activity- like ransomware.
| mattnewton wrote:
| I am not a lawyer, but my understanding is that while paying a
| ransom is not illegal itself, anything that facilitates the
| payment of a ransom is. There is a chance some party that
| handled the ransom money broke this law by doing so.
|
| There is another much greater chance that some party with a
| fiduciary duty to shareholders could be sued for
| misrepresenting the risk of this happening to shareholders.
| [deleted]
| colinmhayes wrote:
| Ransoms would still be paid. We just wouldn't know about it. I
| think it's better to allow companies to be transparent.
| teruakohatu wrote:
| The next group will want more than $5 million, and so on. If
| the lottery didn't allow advertising of big wins that were
| made, a lot fewer people would buy lottery tickets.
| ben509 wrote:
| No, there's a hard upper limit on ransoms; the cost of
| recovery.
| nstj wrote:
| What about when the cost of having the data exposed to
| the public is higher than that of recovery?
| xphos wrote:
| That requires you to have that kind of data. The company
| could have been operating legally and not have compromising
| stuff. The ransomware team gains nothing if a company
| refuses to pay and has everything to lose by hacking. If
| their price is too high they are taking on a lot of risk
| for no reason. Hackers are smart people (I find breaking
| the law to be a bad decision, but if one does it knowing
| the consequences and mitigations then they aren't dumb,
| just unethical).
| ben509 wrote:
| Yeah, I was pushing that all under "recovery." Say it all
| sums to $C.
|
| Arguably the bigger problem is you don't know that the
| ransomer will actually give you a valid key, but suppose
| you guess a likelihood P that they do.
|
| Now you have some scenarios:
|
| 1. Don't pay. We're out $C.
|
| 2. Do pay, and get a valid key. We're out $R.
|
| 3. Do pay, and get no key. We're out $R + $C.
|
| So the limit is at scenario 1 being equal to the
| combination of 2 and 3.
|
| Set C = PR + (1-P)(R + C), and your max ransom R = CP
|
| (You could probably work in additional costs for cleaning
| up even if the ransom is paid.)
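Working the expected-value comparison from the post above through step by step (an added illustration, not part of ben509's comment), using the post's own symbols: $C$ is the total cost of not paying, $R$ the ransom, and $P$ the guessed probability that a valid key is delivered. Breaking even between scenario 1 and the mix of scenarios 2 and 3 gives

$$
\begin{aligned}
C &= P\,R + (1-P)\,(R + C) \\
C &= P\,R + R + C - P\,R - P\,C \\
0 &= R - P\,C \\
R_{\max} &= P\,C
\end{aligned}
$$

The post also suggests folding in cleanup costs after payment. Assuming a cleanup cost $K$ (an assumed symbol, not from the thread) that is incurred in both scenarios 2 and 3 whenever the ransom is paid, the same break-even condition becomes

$$
\begin{aligned}
C &= P\,(R + K) + (1-P)\,(R + K + C) \\
C &= R + K + C - P\,C \\
R_{\max} &= P\,C - K
\end{aligned}
$$

so a low trust in the attacker (small $P$) or a high post-payment cleanup cost (large $K$) pushes the rational ceiling down, and once $K \ge P\,C$ paying is never the cheaper option.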
| paulpauper wrote:
| It should be illegal if the government wants to help recoup the
| losses.
|
| If I have a firm that makes $100,000,000 a year in net profit,
| paying a $5M ransom is a cost of doing business, an
| unfortunate one nonetheless.
| TheCoelacanth wrote:
| It incentivizes more crime and should be illegal.
|
| Businesses don't have a right to do whatever they want just
| because it is profitable.
| UncleOxidant wrote:
| Indeed, not only should it be illegal, but the US Gov should
| offer any and all assistance for helping organizations get back
| online after such an attack. If organizations quit paying
| ransoms, pretty soon the bad guys would give it up.
| FDSGSG wrote:
| Ransomware actors could easily punish such legislation. By
| continuing ransomware attacks they would place many companies
| in an impossible situation, either break the law by paying or
| face imminent collapse.
|
| How many jobs are you willing to lose in order to stop
| ransomware attacks?
|
| One ransomware attack probably costs the ransomware operation a
| few thousand dollars, any legislation would have to be
| extremely successful to result in a negative ROI.
| vortico wrote:
| Giving up your wallet while at gunpoint should also be illegal!
| gist wrote:
| > Paying ransom should be illegal.
|
| Perhaps instead it should not be legal to say publicly you paid
| a ransom but ok to pay the ransom. That would tamp down a bit
| the publicity that encourages more actors. That would be a
| quick and easy fix along the lines of insider trading.
| sithadmin wrote:
| >Paying ransom should be illegal
|
| In certain cases, it is:
| https://www.sidley.com/en/insights/newsupdates/2020/10/offic...
| savanaly wrote:
| It should be illegal on another basis as well. Paying it
| contributes to a norm that ransoms will be paid that will
| encourage more ransomware in the future against other
| companies. So you're harming other people when you pay it.
| That's an externality that won't be factored into the decision
| to pay the ransom.
|
| Suppose god handed down powers that allowed you to smite from
| the earth anyone who ever paid a ransom with perfect accuracy
| and you made a credible commitment to do so. If this fact was
| well known, presumably ransom-paying would disappear overnight
| and ransomware attacks would soon cease to exist as well
| (ironically rendering the power to smite ransom-payers
| redundant). We won't ever live in that world but we can move
| marginally toward it by severely penalizing clear cut cases
| where a company or individual pays a ransom.
| tlb wrote:
| It's as direct as any other revenue => business activity
| connection. More direct than how buying coffee causes fields to
| be planted with coffee trees.
|
| Of this $5M, expect $4M to be spent on salaries in the next
| year or 2, funding 20 person-years of malicious hacking. 20
| skilled people paid to hurt the internet instead of building it
| up. A terrible crime.
| rblatz wrote:
| Now we have one less critical piece of infrastructure that
| could be trivially knocked out by a hostile state.
| dmingod666 wrote:
| They are installing more software from the hacker
| voluntarily after paying the ransom. At this rate it looks
| more like they just hired a competent and highly unethical
| vendor..
| FredPret wrote:
| That's one hell of a way to provide "red-team" security
| testing services
| rsync wrote:
| They didn't need security experts for that- all they had to
| do was not connect it to the Internet ...
| PaulDavisThe1st wrote:
| How do you know that? What evidence is there that it's any
| more secure than it used to be?
| Nextgrid wrote:
| The 5M ransom plus all the other damage such as
| reputation loss, increased government scrutiny and
| potential damages to pay to partners (I'm sure they
| provide some sort of SLA for their oil delivery
| services?) is a good enough deterrent from allowing this
| to happen again.
| akomtu wrote:
| 5M is nothing to that pipeline management firm. I think
| nothing will change because the "fine" is tiny and later,
| when a VP of opsec gets to decide between a massively
| expensive hardening of security which includes big
| recurring costs to keep an opsec team on payroll and just
| pocketing a multimillion dollar bonus for optimizing the
| opsec budget, he will choose the latter. There's no risk
| of getting jail time and any reputation damage won't be
| to his personal reputation, but to that firm he will have
| left long ago.
| kortilla wrote:
| > keep an opsec team on payroll and just pocketing a
| multimillion dollar bonus for optimizing the opsec budget
|
| This is not how companies actually work. This is a fun
| "incompetent executive" fantasy that floats around but in
| real businesses you don't pocket a huge bonus solely by
| cutting costs.
|
| You're gonna have a lot of explaining to do on why that
| money was being spent in the first place and why it's not
| needed now.
| edoceo wrote:
| These pirates have committed to not hitting the same
| target again?
| leesalminen wrote:
| Ah yes, the code of the pirates. The epitome of ethics
| and morality.
| pomian wrote:
| I dont think it's a code. It's more of a guideline.
| headmelted wrote:
| I'm sure at some point they must have just asked if
| they'd give them the password for free on account of all
| the collateral damage.. but it looks like they were
| disinclined to acquiesce to the request.
| toomuchtodo wrote:
| And what about the others?
| ryanlol wrote:
| Can you name some examples of orgs getting hit twice?
| HeyLaughingBoy wrote:
| As someone who had their home broken into twice in the
| same week, probably by the same people, I prefer to
| subscribe to the theory that there's no honor among
| thieves.
| xphos wrote:
| But they could have made holes in the system or not
| disclosed all system holes which other hackers might take
| advantage of in the future
| koheripbal wrote:
| Imagine making it illegal to hand over your wallet to a mugger
| holding a gun to you.
|
| All you are doing is incentivizing companies to not report
| these attacks.
| freshair wrote:
| If the mugger isn't bluffing, then he'll get your money one
| way or the other. This makes it different from paying
| ransoms.
|
| Furthermore, a corporation's bottom line is not truly
| comparable to a human life. However it is my understanding
| that paying ransoms to save human lives is technically
| illegal too. If paying a ransom to save your family member's
| life is illegal, then corporations paying ransoms to protect
| their finances should certainly be illegal.
| mrtesthah wrote:
| It would incentivize more people to fight back rather than
| acquiesce, and therefore likely reduce the number of
| muggings.
| motbob wrote:
| Not a good analogy, for two reasons. First, workers who don't
| have equity in a company don't really have a gun to their
| head even if the existence of the company is at risk. The
| real "gun to the head" is the threat of jail time. Second, it
| has historically been difficult to convince dozens of people
| to coordinate with each other and do something illegal for
| little to no personal gain.
| debt wrote:
| The ransom payments are covered by insurance. It's the
| insurance companies making the payments.
| [deleted]
| ryoshu wrote:
| A greyhat should launch ransomware and then not decrypt when
| the ransom is paid. Make the ransomware industry unreliable.
| cgb223 wrote:
| This is the chaotic evil way of dealing with the problem
| xvector wrote:
| I think a lot of businesses would still pay. Pay $2M for a
| 50% chance of getting out of the situation, versus $200M in
| losses if you don't - you'd take the gamble.
| fvv wrote:
| These fees will support the next 1000s of attacks. If someone
| gets attacked next I think they should sue Colonial Pipeline.
| jsight wrote:
| I feel the same way. It seems like the government wouldn't do
| it, but was practically encouraging the company to pay.
| Meekro wrote:
| I understand the sentiment, but you'd end up re-victimizing the
| victim. Someone who felt like they had no choice but to pay
| could later be prosecuted, while the actual criminal walks
| free in anonymity.
| nradov wrote:
| That is an acceptable outcome. Let the victims suffer. That
| protects the rest of us, and serves as an object lesson in
| proper cyber security.
| aqme28 wrote:
| That's pretty easy to say when it's not e.g. your child
| being held for ransom.
| ben509 wrote:
| I don't think people here are considering all forms of
| ransoms, but you hit on an interesting aspect of it all
| the same.
|
| It's why, I think, such a law wouldn't pass
| Constitutional review.
|
| If your person is threatened with imminent danger, you
| have a right to self-defense, we'll even let you commit
| intentional homicide if the threat is serious enough.
|
| And self-defense also covers your property and livelihood
| to a lesser extent.
|
| I think it'd be extremely hard to convince courts that
| this right to self-defense doesn't include negotiating
| with an attacker. Imagine if it were a crime to toss some
| money at a mugger and run away, for instance.
| nradov wrote:
| The US Constitution contains no explicit right to self
| defense. There are a variety of state and federal laws
| covering justifiable use of force but none of them are
| even remotely applicable to paying ransoms. If you
| disagree then please cite a specific legal case.
|
| https://www.natlawreview.com/article/us-government-warns-
| com...
| ryanlol wrote:
| This would only protect those without proper cyber
| security. Why is it acceptable to let random targets suffer
| as opposed to everyone without proper security?
| FredPret wrote:
| So let people who aren't experts at physical security
| suffer break-ins, and physically weak people get beaten up?
|
| We have law enforcement so everyone can be free to focus on
| their own value-add in life without having to learn 1000
| skills to cover their own ass. I love security but 99% of
| people don't, and shouldn't
| throwawaygh wrote:
| _> So let people who aren't experts at physical security
| suffer break-ins, and physically weak people get beaten
| up?_
|
| First, in many jurisdictions, paying protection money for
| physical security _is_ illegal.
|
| Second, Colonial Pipeline has an operating revenue of
| $1.32 billion. I suppose in the USA it's technically a
| person, but... it's not actually a person.
|
| _> We have law enforcement so everyone can be free to
| focus on their own value-add in life without having to
| learn 1000 skills to cover their own ass. I love security
| but 99% of people don't, and shouldn't_
|
| I submit that oil pipeline operators, hospitals, and
| large corps are part of that 1%.
| Vrondi wrote:
| So, you are saying that there are jurisdictions where
| home security systems are illegal? Night
| watchmen/security guards and body guards are illegal?
| Where would these jurisdictions be located?
| throwawaygh wrote:
| I don't think that's even close to what I'm saying. I'm
| not even really sure what you are trying to communicate
| here; are you insinuating that ADT or Ring hire roving
| bands of bandits who break into houses that aren't
| protected by their security systems? If not, I genuinely
| don't know what you're trying to say here.
| FredPret wrote:
| You have a point. They should do minimum due diligence to
| harden their networks.
|
| However... how much do you want to bet that the CEO of a
| pipeline company has the knowledge to make this happen?
| One has to be an intelligent customer to make something
| like this happen.
| WJW wrote:
| Well then, perhaps there should be minimum requirements
| to become CEO of a large corporation in regulated areas
| like pipelines? If the alternative is large harm to the
| public, this seems like a no-brainer to me for future
| legislation.
| briandear wrote:
| So should the president of the United States be an expert
| on tactical jet engines? And also have a PhD in
| economics? And also be an expert in immunology? And power
| plant operations? How about the national airspace system?
|
| People are quick to conclude that Colonial's security was
| "bad." But do we know that to be true? A sophisticated,
| potentially state-sponsored organization initiated this
| attack. The best security in the world is not 100%
| secure. It might be wise to get the facts before rushing
| to judgement.
| FredPret wrote:
| It's probably cleaner and easier to run this if the
| spooks set up a bureau of cyber security standards and
| fine strategically important companies for non-
| compliance. The gov can do security audits on these
| corps.
| Siira wrote:
| He's a CEO. His job is to ask others to find him the
| experts needed and manage them. He doesn't need to know
| any actual security engineering.
| FredPret wrote:
| He needs to know the basics. How does he know someone is
| a real expert?
| nradov wrote:
| That's a non sequitur. Certainly law enforcement should
| aggressively pursue criminals who engage in assault,
| burglary, and extortion. But that has nothing to do with
| paying off ransomware gangs.
| FredPret wrote:
| Yes it does, it's a crime, in this case a class of crime
| perpetrated, prosecuted, and prevented by experts. It
| falls under law enforcement
| dumpsterdiver wrote:
| > We have law enforcement so everyone can be free to
| focus on their own value-add in life without having to
| learn 1000 skills to cover their own ass.
|
| No, that's why we have division of labor. Law enforcement
| is just another brick in the wall. If a company is
| already making massive profits from the public by running
| critical services, why should tax payers fund their lack
| of diligence? Should we just fund their entire payroll
| while we're at it?
| AbrahamParangi wrote:
| Here we have a coordination problem, like the prisoner's
| dilemma. People who pay ransom are the defectors, improving
| their situation at the cost of making the problem much worse
| for everyone.
|
| If fewer people paid ransom, ransomware would be less
| profitable and would happen less often and we'd all be better
| off.
|
| The government can help coordination by making defecting more
| costly (with criminal penalties).
| sameboat632746 wrote:
| I think criminal penalties are too much. I think at some
| point paying ransom is better than not paying, for example,
| in case of attacks on hospitals. People can literally die.
|
| What needs to happen is that when an organization skips IT
| security practices, it should face large monetary penalties
| and its executives should be held responsible, no golden
| parachutes for them. You can imagine any factory where they
| don't practice OSHA safety guidelines will get in major
| trouble.
| kortilla wrote:
| > in case of attacks on hospitals. People can literally
| die.
|
| Setting aside the appeal to emotion, there are a couple
| of things to unpack. In real-world ransom kidnappings,
| life and death was always at stake and the government
| still errs on the side of not paying.
|
| Second, you presume ransomware authors are prepared to
| commit murder. If a hospital cannot legally pay, the only
| thing to gain by shutting it down is murder.
| ls612 wrote:
| Kidnapping for ransom is basically a dead enterprise in
| the US because of laws essentially forbidding the paying
| of ransom. Your appeal to emotion is exactly the sort of
| thing that ransomware gangs want people to hear because
| it's how they make money. In the long run though it's a
| terrible idea.
| UncleOxidant wrote:
| > The government can help coordination by making defecting
| more costly (with criminal penalties).
|
| not just sticks, but also carrots: The federal government
| should commit to doing all it can to help organizations
| that refuse to pay ransoms. This would include help from
| 3-letter agencies as well as bringing in alternative IT
| infrastructure. Obviously the federal government doesn't
| have all of these capabilities now, but this should be a
| priority going forward.
| candiodari wrote:
| Nobody in their right mind will consider a lot of
| attention by three letter agencies a reward or help. They
| may, and can, do a lot more damage than 0.4% of revenue,
| and can do a lot of damage to the individuals making the
| decisions as well.
|
| Even if they help out, it will alert everyone and
| everything in 5 governments to all details about their
| firm.
|
| Three letter agencies have used (and destroyed) companies
| for unrelated reasons and then left everyone without any
| recourse. With smaller companies, this happens regularly.
|
| Those governments will have representatives from their
| lenders, from their investors, from their large clients
| and so on in them, who will get a lot of details they
| wouldn't normally get access to.
|
| This is not happening.
| UncleOxidant wrote:
| It's the 3-letter agencies where the expertise lies.
| Maybe a new agency needs to be created outside of the
| intelligence agencies?
| walshemj wrote:
| Yet another one :-)
| taurath wrote:
| Yes, at least a 16-letter agency consisting of uppercase
| lowercase letters and special characters would be much
| better ;)
| Sohcahtoa82 wrote:
| I like to use foreign letters like ß and ö in my
| passwords.
|
| Good luck guessing that password. I'm not even German.
| slavik81 wrote:
| Civil penalties may be more palatable. If organizations are
| willing and able to pay a ransom, there should be no
| problem with paying a fine as well.
| dboreham wrote:
| You've finally found a way to fund open source
| development.
| jeffbee wrote:
| Let's be clear that the victims here are the public and the
| perpetrators are the computer operators at the pipeline firm.
| UncleOxidant wrote:
| The federal government should commit to doing what it can to
| help make organizations who refuse to pay ransoms whole
| again.
| nradov wrote:
| That role can be better handled by private insurers in the
| same way they make policy holders whole after physical
| thefts.
| jaywalk wrote:
| Why should this be a problem that the federal government is
| required to solve? Or in other words: why should my tax
| dollars go to help an organization that couldn't manage
| their security properly?
| Vrondi wrote:
| Because this organization endangered the economy of a
| significant chunk of the country by their negligence,
| then your tax dollars should go to setting standards and
| holding them liable when they fail to meet those
| standards.
| walshemj wrote:
| Some board member resignations might be in order and
| being banned from being directors for 10-20 years
| jaywalk wrote:
| That's not what the OP said though. That is something
| completely different.
| nneonneo wrote:
| Ugh. This ransomware crap _doesn't stop until the money stops_.
| At this point, ransomware operators are bribing insiders to
| install their custom, AV-evading ransomware directly on company
| servers (e.g. https://www.secureworldexpo.com/industry-news/fbi-
| sting-the-...). No need to trick someone into running a malicious
| Word attachment when you can just wire someone $1M to do it
| deliberately! And, best of all, you can set this up in a totally
| plausibly deniable way - the employee just "accidentally" opens
| that attachment and off you go.
|
| A lot of ransomware operators are on sanctions lists. Paying them
| is _already_ illegal. The US DoJ might want to check if Colonial
| has violated any laws in making these payments - and if they
| have, punishing them to serve as an example could well discourage
| future ransomware payers. As long as ransomware operators know
| they can get paid for their work, they're going to keep doing
| it.
| ttul wrote:
| Absolutely this. Paying a ransom should be illegal and company
| officers should face personal criminal liability for allowing
| it. If the CEO of Colonial was facing jail time, there is no
| way the payment would have happened.
| Guest42 wrote:
| I would sooner have security negligence be criminalized as
| there are a number of products that are critical to the
| economy and people's health. Having a company's systems get
| wiped out can have a monumental amount of collateral damage.
| silexia wrote:
| Paying ransoms should be criminalized as there is far more
| damage from allowing this to continue than having a few
| systems wiped and restored from backups.
|
| Not taking steps to have cybersecurity in companies should
| be criminalized as well... I am a CEO and think CEOs
| should be held directly criminally responsible for this.
|
| Finally, any nation that allows hackers to operate from
| within their borders should be subject to 100x over damages
| caused sanctions. Countries without strong governments to
| enforce this should have direct airstrikes conducted
| against the individual hackers.
| mjevans wrote:
| If you think the 100X damages is overkill please
| reconsider within this framework:
|
| Any nation that harbors international terrorists by not
| at least attempting to hold them accountable is
| implicitly operating an outsourced covert activities
| team. The actions of any such team should be considered
| representative of that country and thus this would be an
| act of guerilla warfare.
| warlog wrote:
| Nukem from orbit, it's the only way to be sure.
| briandear wrote:
| The Obama administration secretly organized an airlift of
| $400 million worth of cash to Iran that coincided with the
| January 2016 release of four Americans detained in Tehran,
| according to U.S. and European officials and congressional
| staff briefed on the operation afterward.
|
| Wooden pallets stacked with euros, Swiss francs and other
| currencies were flown into Iran on an unmarked cargo plane,
| according to these officials. The U.S. procured the money
| from the central banks of the Netherlands and Switzerland,
| they said.
| monocasa wrote:
| To be fair, that was Iranian money in the first place that
| had been frozen.
| briandear wrote:
| It was still a ransom. "I'll give you money, you release
| our hostages."
| jjoonathan wrote:
| "I'll give you [back your] money, you release our
| hostages" -- but that doesn't fit the agenda as well,
| does it?
| skinnymuch wrote:
| I'll go to prison for some time for being their new CFO. If
| some cash goes to myself or a close family member after I pay
| the ransomware as CCO.
|
| Obviously this would be too transparent if done in the span
| of a week.
| comboy wrote:
| I think ransomware is the best thing that happened in computer
| security in a long time.
|
| All these companies keeping lots of people's data or even being
| relevant to national security have had completely no incentive
| to stay secure. Now there is an incentive to test their security.
|
| A single person being able to compromise your company when paid
| a lot is a security issue that needs to be addressed.
| [deleted]
| chubs wrote:
| I know what you're getting at... but as far as I see it, all
| it means is that every company i've contracted to lately
| installs horrifically limiting corporate safety-dreck that
| ruins your battery and performance, it's really becoming a
| lot less fun working with computers nowadays. Everything is
| so slow and limited.
| AnIdiotOnTheNet wrote:
| This sounds like the kind of argument a ransomware developer
| would use to delude themselves... or quite a lot like the
| "Bitcoin is actually _good_ for the environment!" people.
| fastball wrote:
| Maybe let's try more substantive arguments than a genetic
| fallacy.
| HarryHirsch wrote:
| Wasn't that what Jesus said about Judas Iskariot? To
| paraphrase: there must necessarily be evil in the world,
| but woe to the one who makes himself its conduit.
| HarryHirsch wrote:
| They could have started incentivizing after the Equifax hack.
| Personal data of hundreds of millions of people spilled over
| the web, everyone plus their dog gets to monitor their credit
| report or swap credit cards, yet Equifax still exists, and no
| meaningful consequences for anyone, including the CEO who
| sold his shares before the intrusion became public. Why is
| that even permitted?
| hellbannedguy wrote:
| I was going to say fine these companies a fair amount if
| there's a data breach;
|
| But they would just turn around and add their costs on to
| the consumer.
|
| I'll get hammered for this, but there's a part of me that
| would like to just outlaw all bitcoins worldwide, and even
| that might not work unless every country banned them?
| nslice wrote:
| To add, I'm pretty sure ransomware groups provide tips on how
| to beef up security and how they got hacked in the first
| place.
|
| Like dentistry, you can pay a little upfront for a better
| toothbrush or you can pay the dentist way more to repair your
| teeth later on.
| miohtama wrote:
| The proper Milton Friedman / Reagan capitalism solution is to
| let the hacked oil company go bankrupt, wipe out the cap
| table and then competent new owners can take over for cheap
| andy_ppp wrote:
| I wonder how long you'd sit it out losing money before you
| paid. I think it's very easy to talk a big game until you've
| lost many multiples of the ransom with no end in sight. It's
| literally just a waiting game for the hackers, they have
| nothing to lose and everything to gain. So what if you don't
| pay, you can just leave them screwed and move on to the next
| one.
| viraptor wrote:
| Or if you're running a service which can't wait. Like a
| medical clinic with no access to patient records.
| andy_ppp wrote:
| Or you know people's power, heating, electricity, ability
| to drive, ability for services to run generally. etc. etc.
| panny wrote:
| >ransomware
|
| I prefer to think of them as bug bounties. Too often, bugs are
| reported now to bug bounty programs and are either grossly
| underpaid for the bug's actual value, or deflected as not a
| real issue at all. Ransomware is ultimately the result. "Fuck
| you, pay me."
|
| https://www.youtube.com/watch?v=3XGAmPRxV48
| sudosysgen wrote:
| Realistically, ransomware will just never stop until IT systems
| are sufficiently hardened.
| lurquer wrote:
| Nah. It will never stop.
|
| The problem is information density.
|
| So long as billions of records that are needed for the
| business exist in a device the size of a shoebox, we're
| fucked. An insider can always take the shoebox, lock the
| shoebox, etc.
|
| Three stories of paper files in file cabinets can't be
| ransomed short of a physical bomb threat.
|
| Don't know what the solution is. But I do know the problem.
| Exfiltration is similar: the odd quirk of technology that has
| enabled these massive thefts is the ability to load millions
| of pages in a few seconds into a thumb drive. Odd pickle
| we've got ourselves into.
| mrtesthah wrote:
| Your metaphor works both ways: the ability to fit billions
| of records in a shoebox means that it's perfectly
| manageable to keep another shoebox as a backup, under
| independent control.
| hellbannedguy wrote:
| There is a part of me that would like to go back to the way
| we did business before the internet, and computers.
|
| I think three daily encrypted backups mandated by law would
| be enough to stop the multi-million dollar ransoms.
|
| We will still see companies paying ransom for a business
| day's loss, but not complete shutouts? And infrastructure
| specific operations, like this pipeline, should be air
| gapped.
| throwaway6734 wrote:
| And if the penalty for hacking systems for malicious purpose
| goes up.
|
| Hopefully every member of DarkSide ends up in court if
| they're US or friendly nation citizens or in Gitmo otherwise
| jorvi wrote:
| Some ransomware is time-delayed because of this, so it isn't
| clear which backup is still untainted.
| user3939382 wrote:
| Or sufficiently backed up, right? If you've got a backup and
| quick recovery process ransomware is impotent.
| speed_spread wrote:
| If hackers take the slow route, all backups may be
| encrypted too. Or at least, compromised.
|
| Also, backups are often taken but rarely is their actual
| recoverability tested.
| viraptor wrote:
| Not quite. The attacker still got access to the system in
| some way. They may have a permanent backdoor now and
| opportunity for messing with your backup operation.
| salawat wrote:
| This is by far the cheapest solution.
| phkahler wrote:
| unless your data is legally required to stay confidential
| under HIPAA or similar law. Then a backup just keeps you
| operating but not immune to the threat of data
| publication.
| johnvaluk wrote:
| While the threat of publication is a risk, the data has
| already been breached and you are no longer compliant
| with the law.
| mateo- wrote:
| I wonder if companies still get fined if the data is just
| encrypted without any exfil
| dragontamer wrote:
| What data needs to be confidential in the case of the
| Colonial Pipeline?
|
| I'm sure that there's proprietary data. Maybe knowing how
| much oil / gasoline is flowing might allow some traders
| to make unfairly informed trades (or maybe not: only
| insider trading is illegal. If someone figures out the
| information some other way, it's not illegal IIRC).
|
| And maybe employee data should be kept private, but
| there's no HIPAA requirement on that. It's not like
| there's payment processors on this thing either, so no
| PCI compliance here.
|
| So I'm not exactly seeing why backing up data would be an
| issue in this case.
| uses wrote:
| Nowadays the attackers will threaten to disclose the
| sensitive data publicly, as they did in this case. So
| ensuring your own access to your data, i.e. backups, is not
| the only concern. It's still important, of course.
| splithalf wrote:
| Every corporation in the US should be lobbying to abolish
| Bitcoin. It's an existential threat that could be eliminated if
| they pooled their financial and political resources.
| GartzenDeHaes wrote:
| We should start calling Bitcoin et al. cyber crime futures, since
| that's what it is. The only people that have to use it are
| crime victims and the people who are making money on it are
| criminals and speculators.
| tommoor wrote:
| Bitcoin has nothing to do with this news? It seems like you
| have an unrelated axe to grind.
| bostonsre wrote:
| Not sure if I agree with the sentiment or not, but I think he
| has a point that crypto currencies can make paying ransoms to
| international ransomware gangs much easier. Using the
| traditional banking system would have been extremely
| difficult and have a low chance of success for that gang.
|
| I could definitely see this reasoning being used as
| justification for anti crypto currency laws in the future.
| fortran77 wrote:
| They paid the ransom in Bitcoin.
| drcode wrote:
| Isn't it better that these networks are getting hardened in
| exchange for a small cryptocurrency payment, instead of waiting
| for all the exploits to be used by an adversary in World War
| Three?
| megablast wrote:
| How are they getting hardened?? Magically??
| 55555 wrote:
| idk, considering humans are the weakest link and socially
| engineering them is easy, I don't think they're going to end
| up much safer. A determined nation state will always be able
| to get in, at least with how computers currently work.
| splithalf wrote:
| I've thought about this. No.
| ben509 wrote:
| It'd have to be an international effort as there are big mining
| operations in Russia, Switzerland, China, Iceland as well
| as the US.
|
| Being legal means that you can run big mining operations, so
| you could clamp down on those and slow mining. That would not
| stop it, though.
|
| Being legal means that it can be used to trade goods and
| services, and you could clamp down on that and harm its value
| as a currency.
|
| And being legal means that legal businesses can exchange it for
| other currencies, so clamping down on that harms its liquidity.
|
| Even if you can make it broadly illegal across the globe, it's
| hard to see how effective that would be. Illegality has made
| anything else on the black market go away, after all, and the
| whole point of a crypto-currency is to thrive despite
| government suppression.
| maccam912 wrote:
| Maybe we should abolish the USD so US patent trolls can't be
| paid?
| notsureaboutpg wrote:
| I had a feeling this was the case and even had a discussion with
| some colleagues about whether they paid up or not. Like the
| article says, they couldn't afford not to.
| belatw wrote:
| That's retirement money. Live on an island, doing drugs and
| drinking champagne for the rest of your life money.
|
| I'm in the wrong line of work.
| xwdv wrote:
| Yea, crime really does pay here. If I was a lone hacker in a
| nation with loose laws I'd be ransoming foreign systems and
| building a fortune.
| [deleted]
| antattack wrote:
| Correction: Consumers Paid Nearly $5M in Ransom to Hackers.
| whall6 wrote:
| In Cambodia, people buy dirt to increase their property's
| elevation so that their neighbor's house floods when the monsoon
| comes. Then the neighbor has to pay for more dirt and so on
| throughout the whole neighborhood.
|
| It seems like the attackers are finding the paths of least
| resistance. Beefing up security at each organization isn't fixing
| the underlying problem. It's just making the next entity the more
| likely target.
|
| I don't even know what the underlying problem is though...
| petermcneeley wrote:
| What a great story reminds me of this:
| https://slatestarcodex.com/2017/02/22/repost-the-non-liberta...
| syrrim wrote:
| Suppose that everyone has raised their house up on a pile of
| dirt. The rain comes down. It fills up the large ditches
| between people's houses, and leaves the houses dry.
|
| Suppose I implement better, but imperfect, security. It now
| costs an attacker $6 million, in salaries, paying for exploits,
| whatever, to hack my system. They still can only get $5 million
| in ransom. The attack isn't worth doing anymore, so they find a
| different business.
| supertrope wrote:
| Like The Netherlands
| pawsforapplase wrote:
| >I don't even know what the underlying problem is though...
|
| Lack of accountability for either criminals or negligent
| operators?
|
| Monsoons are not directly caused by individuals, and they
| cannot be prevented.
| nimbius wrote:
| Colonial is being widely lambasted for a culture of absolutely
| lackadaisical security. Call me callous but numerous federal
| agencies exist to issue security best practices and exploit
| announcements. Numerous vendors also exist. Play stupid games,
| win stupid prizes.
|
| Not paying the ransom would have been tantamount to complete
| dissolution of the company. It would have triggered a much wider
| investigation into the company with shareholders abandoning it as
| the outage dragged on at the hands of an incompetent leadership.
|
| Unfortunately it seems to have been a Pyrrhic victory as paying
| the ransom puts their shareholders at risk of serious sanctions
| and indictment from the US Dept. of the Treasury.
|
| https://home.treasury.gov/system/files/126/ofac_ransomware_a...
| HarryHirsch wrote:
| You'd damn well hope so. In civilized countries, when you leave
| the key in the ignition the cops will go after the thieves. The
| next thing that'll happen is that they'll also go after you
| because you just made the roads unsafe.
|
| And this isn't a car, this is infrastructure with national
| security implications. Someone needs to go and do time.
| ethbr0 wrote:
| If the US were to be serious about corporate IT security,
| they'd empower and indemnify DoD, NSA, private industry red
| teams to pentest against everything with a US point of presence
| or customers, using commercially available / in the wild methods.
|
| This would have the beneficial side effect of flushing all the
| incompetent paper-pushers / requirement-box-checkers out of the
| security industry.
|
| If you're found vulnerable, that's a fine. If something gets
| accidentally broken in the exercise, that's the price of
| commitment.
|
| Nothing is going to change until you increase the frequency /
| likelihood of breaches for these companies. If it's a yearly
| cost, it gets addressed. If it's a catastrophic possibility, it
| gets ignored.
| Miner49er wrote:
| The market has already solved this in the form of ransomware
| groups. No need to have the government do it and issue a
| fine, ransomware groups literally are doing what you said.
|
| I guess the government could legalize ransomware hacking to
| encourage it, but that'll never happen.
| beardbandit wrote:
| I'd rather the money and fines flow to the US government,
| not random hacker groups.
| meepmorp wrote:
| But the hacker groups let me pay in crypto.
| rini17 wrote:
| They could do it indirectly, by requiring insurance against
| security holes.
| kingaillas wrote:
| >If the US were to be serious about corporate IT security
|
| What happened to the responsibility of corporations for
| corporate security? Including corporations that are the
| victims of attacks, and corporations that sell buggy
| operating systems and applications?
|
| Why does the government have to provide the red teams? The
| general attitude is all government agencies are wasteful and
| incompetent, except in this circumstance where the wealthiest
| corporations in the history of the world apparently can't
| spend enough to fix their own crap. But the government not
| only can but should??
|
| This just sounds like externalizing costs to the public while
| banking record private profits.
|
| How about rather than subsidizing software corporations we
| talk about liability laws and fines, like any other physical
| industry that releases dangerous, broken products. Or an
| insurance system that is funded by a portion of the profits
| the software industry makes. Then we're actually making the
| software vendors feel some pain which will incentivize them
| to release higher quality code.
| miohtama wrote:
| "Too big to fail" and investors do not get hurt.
|
| The problem does not fix itself until the investors start
| truly losing money, the care, unlike the Equifax case.
| Until the portfolio value cannot go down 90% there is not
| going to be a change in corporate actionism.
| TechBro8615 wrote:
| I wasn't aware of this policy. Is it totally apolitical or does
| the WH need to initiate the sanctions process? Consider the
| optics of sanctioning the domestic company providing your own
| country's critical infrastructure, right after you spend a week
| discovering just how critical it really is.
| ggm wrote:
| Charge the board and top execs: Take the $5m payment out of their
| bonus and KPI and share stock.
| kjrose wrote:
| The fact this was paid off, and paid off so rapidly means that
| targeting major infrastructure for massive payoffs is going to
| become more and more prominent. The next time though, it'll be
| $50M. I work with people in the oil fields and I know the numbers
| they are playing with and the fact that a single well being down
| can easily be $100,000 lost per hour. So obviously they want
| these systems back up fast.
|
| $5M for shutting down that major of a pipeline seems like too
| little, unless, of course, they weren't expecting the company to
| even pay. Now that these actors know that the oil (and quite
| likely other utilities) are more than willing to pay big bucks to
| get back online, they will be targeted far more.
|
| There are so many reasons this is very very bad.
| charlesju wrote:
| Yeah, but now there is also a massive bounty out for these
| hackers. Money needs to get out at some point and that's when
| they'll get nailed.
| brightball wrote:
| What I have heard regarding ransoms like these is that the
| perpetrators' goal is to incentivize the transaction going
| smoothly, or it won't continue to work.
|
| So they have to follow through with unlocking and they have to
| use an amount of money low enough to make the decision obvious.
| TechBro8615 wrote:
| Sounds like a $50m incentive to hire a security team.
| alasdair_ wrote:
| I agree. I'd give 60% odds that there is at least one
| significant attack (ransomware plus shutdown) on US power grids
| in the next 18 months.
| ed25519FUUU wrote:
| "That if once you have paid him the Dane-geld, You never get rid
| of the Dane."
|
| It's going to be a tough few years being in security in the
| industrial control field for the next few years.
|
| https://www.poetryloverspage.com/poets/kipling/dane_geld.htm...
| mikewarot wrote:
| I was thinking that now is a good time to go INTO computer
| security, you now have a solid example to use justifying your
| actions.
|
| In the past we worried about exfiltration of data, now we'll be
| worried about infiltration of control.
| ed25519FUUU wrote:
| Good point. If only they paid software engineers who work on
| critical infrastructure the same as they paid software
| engineers who work on ads.
| aazaa wrote:
| > Once they received the payment, the hackers provided the
| operator with a decrypting tool to restore its disabled computer
| network. The tool was so slow that the company continued using
| its own backups to help restore the system, one of the people
| familiar with the company's efforts said.
|
| I thought the protocol for these attacks was to send the
| decryption keys, not provide a "decrypting tool."
|
| If some kind of software was provided by the attackers, and
| Colonial installed it, this could be far from over.
|
| Also, if the company has backups, then why not use them instead?
| If they're incomplete, then that's the real problem.
| londons_explore wrote:
| The ransomware typically has both the encrypter and decryptor
| built in.
|
| It's a simple matter of copy-pasting the key into a box, and
| the decryption will happen.
|
| Over a slow network link (like a VPN to a remote NAS), I could
| totally imagine it taking days/weeks/months to scan every file
| though...
| capableweb wrote:
| Probably a reporter/reporting issue. No company that has just
| been hacked would run a binary received from the hackers in
| order to restore the systems, they cannot be that stupid. But
| then again, they did pay the ransom and also seemingly can't
| restore their systems from backups, so who knows how stupid
| they really are?
|
| More charitable reading is that the encryption key was sent
| over, and they started restoring with that but using standard
| OSS tooling.
| solarkraft wrote:
| > No company that has just been hacked would run a binary
| received from the hackers in order to restore the systems,
| they cannot be that stupid.
|
| Uh, why? The system is already compromised. They're already
| in.
| bellyfullofbac wrote:
| Well if the company is already that messed up to not have
| backups and desperate that they paid criminals...
|
| One would hope they'd just run the decryption program on
| each computer, not connected to the network. Or maybe hire
| some experts to extract the decryption key.
| smsm42 wrote:
| > they cannot be that stupid
|
| Oh yes they can.
|
| Also, assume you have the key - what do you do with it? You
| don't know how the files were encrypted, in which way they
| were stored afterwards, etc. There are many ways one can
| encrypt and write data, even with the same key - you
| obviously need the algorithm, but also there are often
| parameters (e.g. block sizes), storage formats etc. The
| easiest way to deliver all that is to provide a program.
|
| Otherwise, what would a random "press any key" IT person do
| with an encryption key? They probably don't even have any
| tools that can do encryption on any of the systems. Do they
| have to write those themselves? Use OSS tools - which ones?
| With which parameters? What if it doesn't work?
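An added illustration of the point above (not code from any commenter, and not any real ransomware family's format): a constructed toy container layout and a restore routine that checks the layout and an authentication tag before returning data, so that a correct key with a wrongly guessed layout fails loudly instead of silently producing garbage. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for a real cipher; `seal` exists only to construct sample input.

```python
import hashlib
import hmac
import os
import struct

# Constructed toy container layout (not any real ransomware's format):
#   MAGIC(8) | plaintext length (4, big-endian) | nonce(16) | body | HMAC-SHA256 tag(32)
MAGIC = b"TOYCNTR1"
HDR_LEN = 8 + 4 + 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy CTR-style keystream built from HMAC-SHA256 (stands in for a real cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Build a container blob; used here only to construct sample input."""
    nonce = nonce if nonce is not None else os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    header = MAGIC + struct.pack(">I", len(plaintext)) + nonce
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def recover(key: bytes, blob: bytes) -> bytes:
    """Restore plaintext, or raise ValueError saying why the blob cannot be trusted."""
    # The key alone is useless without the layout (where nonce and length live)
    # and the algorithm; wrong key or wrong layout must fail at the tag check.
    if len(blob) < HDR_LEN + TAG_LEN:
        raise ValueError("truncated container")
    if blob[:8] != MAGIC:
        raise ValueError("unknown container format")
    (n,) = struct.unpack(">I", blob[8:12])
    nonce = blob[12:HDR_LEN]
    body, tag = blob[HDR_LEN:HDR_LEN + n], blob[HDR_LEN + n:HDR_LEN + n + TAG_LEN]
    if len(body) != n or len(tag) != TAG_LEN:
        raise ValueError("truncated container")
    expect = hmac.new(key, blob[:HDR_LEN + n], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or wrong parameters")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, n)))


def naive_recover(key: bytes, blob: bytes) -> bytes:
    """What 'just having the key' buys you if you guess the layout: garbage, no error."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, b"\0" * 16, len(blob))))
```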
| hangonhn wrote:
| > More charitable reading is that the encryption key was sent
| over, and they started restoring with that but using standard
| OSS tooling.
|
| That would make a lot more sense but I also bet there's a
| non-zero chance that in a day some dumb media outlet will
| conflate those tools as "hacker tools" and the headline will
| be "Hacker tools used in Colonial pipeline hack available
| freely on Internet. News at 10."
| Red_Leaves_Flyy wrote:
| These inane arguments didn't kill GTA, or virtually
| anything else. How are they going to kill OSS that hasn't
| needed mainstream appeal and still doesn't? So, maybe some
| high school kids end up on the github pages and become 1337
| hackers? Quite a stretch..
| megablast wrote:
| How do they decrypt it then?? Just show the key to the
| computer??
| stefan_ wrote:
| What? No, the ransomware people truly do send a decryption
| tool, or the decryption functionality is built into the
| ransomware. Do you think they are sending people some AES key
| and then everyone goes off and builds some python tool to
| decrypt his data?
|
| This is a fundamental misunderstanding of the ransomware
| business. The whole reason people pay up is because the
| hackers don't run and leave you hanging; if you pay they will
| decrypt your data. Trust and convenience are essential to
| making this work.
| [deleted]
| axiosgunnar wrote:
| Great, we should get the word out then that some don't.
|
| Perhaps a few cases of high-profile companies falsely
| claiming "wow, what a load of shit! we got ransomed and
| after paying up the hackers disappeared! we had to restore
| from backup, AND the money is gone".
|
| What are the hackers gonna do, sue those companies? :-)
| abrawill wrote:
| Oh I don't know. Maybe the hackers will hold their
| operation hostage for ransom? Get the money and get some
| nice PR all at the same time!
| Nextgrid wrote:
| > If some kind of software was provided by the attackers, and
| Colonial installed it, this could be far from over.
|
| To be fair, malicious code has already run on the affected
| machines, so if the ransomware authors wanted to do further
| damage they wouldn't need a malicious decryptor to do that.
|
| So you'd either:
|
| 1) not trust the ransomware authors, rebuild everything from
| scratch (potentially paying the ransom and reverse-engineering
| the decryptor or running it isolated from the internet) and
| make sure to not carry over any executable code that could
| allow potential malware to persist
|
| 2) trust the ransomware authors and not rebuild everything, in
| which case you may as well run their decryptor
| ben509 wrote:
| Don't rely on technical details from Bloomberg.
| yodelshady wrote:
| > I thought the protocol for these attacks was to send the
| decryption keys, not provide a "decrypting tool."
|
| Fair, but anyone who pays me $5M and wants a powershell script
| gets one, and an air freshener of their choice.
| Neil44 wrote:
| I've only helped people pay a couple of times but they always
| provided a shoddy .exe decryptor.
|
| Consider that most victims are small fry who would not know
| what to do with just a key.
| booleandilemma wrote:
| I don't think the hacking group would want to show future
| targets that paying the ransom won't get them un-hacked. People
| would stop paying them. It would be bad for business.
|
| If anything they're working on speeding up their decrypting
| tool for the next release :)
| thedogeye wrote:
| I'm kinda surprised the CIA doesn't randomly disappear hackers
| like they've done to so many terrorists the last few decades.
| aynyc wrote:
| I'm willing to bet state actors blend into ransomware groups.
| wonderwonder wrote:
| One thing that this attack has proven is that if we ever reach
| the point where we engage in military conflict with either Russia
| or China we are going to be functioning as if we experienced a
| country wide EMP within a few days. Our infrastructure is
| massively vulnerable.
| TechBro8615 wrote:
| Wait til you hear about the satellites.
|
| A global hot war between super powers would be disastrous for
| everyone involved. That's why it probably won't happen. I'd be
| more worried about rogue actors, terrorists and other "mad men"
| who might get their hands on a dirty bomb or fry the power grid
| in New York in January.
| loveistheanswer wrote:
| It's better to have criminals who are only interested in a
| relatively small payout exposing to the general public how
| vulnerable critical infrastructure is than people who are
| interested in causing mass destruction.
| [deleted]
| demadog wrote:
| They should have just called it a bug bounty and then everyone
| would be happy.
| dmingod666 wrote:
| - Got Hacked by installing malware for free.
|
| - Liked it so much, sent 5M to download another program from the
| same people.
| ineedasername wrote:
| I'm not really anti-crypto, but a strong disadvantage to society
| is that these attacks are made much more easily because they can
| bypass traditional financial institutions.
| podgaj wrote:
| Why is everyone taking the word of colonial pipeline and all
| this?
|
| I could think of several scenarios where they would want to shut
| down by making up the whole story. Or maybe even hired the
| hackers themselves.
| drzoltar wrote:
| Dumb question: why can't crypto currencies and exchanges place
| the ransom tokens on some kind of blocklist, thereby forever
| tainting those coins? As I understand, the rise of "privacy
| wallets" has greatly increased the anonymity of such
| transactions. But, at the end of the day, don't we always have a
| ledger of the coin ids? I'm curious how the coins actually get
| laundered back into cash.
___________________________________________________________________
(page generated 2021-05-13 23:00 UTC)