[HN Gopher] Alliance of 40 countries to vow not to pay ransom to...
___________________________________________________________________
Alliance of 40 countries to vow not to pay ransom to
cybercriminals, US says
Author : Beggers1960
Score : 133 points
Date : 2023-10-31 13:15 UTC (9 hours ago)
(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)
| nimbius wrote:
| >Neuberger told journalists a new "black list" will also be
| created by the US treasury department to identify and highlight
| digital wallets being used to deposit and move ransomware
| payments.
|
| >The establishment of these information sharing platforms means
| that "if one country is attacked, others can quickly be
| defended", Neuberger said.
|
| pardon the dust whilst I apply my 14th century naval hammer to
| this clearly 21st century nail.
| tekla wrote:
| I'm fairly sure the 14th century hammer works just fine in
| hammering the 21st century nail.
| pixl97 wrote:
| Hey, but I can sell you a 21st century e-hammer with
| AuthentiCode licensing. Swing power savings of up to 2% can
| be achieved. (Requires constant internet connection).
| malux85 wrote:
| Sell?! Where's your recurring? It's a subscription model
| (paid yearly up front), with mandatory upgrades and a
| brutal depreciation policy
| hotnfresh wrote:
| Can we get letters of marque as NFTs?
|
| C'mon, anything to make the cyberpunk future less lame than
| it's turned out to be.
| jowea wrote:
| I honestly feel like the attackers operating out of Russia
| are 21st century privateers.
| OkayPhysicist wrote:
| Letters of marque aren't transferable, so making them NFTs
| is kinda silly. Their entire purpose is that the state has
| entrusted you, captain of the ship, to abide by certain
| rules (don't plunder our ships, take prisoners when
| possible).
|
| That said, cyber-privateering is actually a good idea.
| Cyberwarfare is in the same space as naval warfare was in
| the 17th century: it's not really an overt act of war, it's
| mostly committed by criminal organizations with the
| occasional big news state actor action, and there's a lot
| of money to be made.
| hotnfresh wrote:
| > Letters of marque aren't transferable, so making them
| NFTs is kinda silly.
|
| Precisely! These _would_ be! This is the kind of
| innovation the blockchain enables! /s
| bee_rider wrote:
| There have also been centuries of advancement on the idea of
| a hammer. The US and friendly countries have just a hammer,
| in the same way that a forge with a power hammer has just a
| hammer, or a wrecking ball could be seen as a complicated
| sledgehammer.
| acdha wrote:
| Could you expand why you believe an old hammer doesn't work
| with current nails? As a metaphor it seems completely the
| opposite of your intended meaning since it's a good example of
| an ancient technology which still works compatibly.
|
| Adding wallets to a black list is highly effective because
| while there was a lot of dishonest marketing around blockchains
| improving privacy they're actually perfect for censorship since
| a public ledger allows you to transitively taint every
| transaction downstream, significantly reducing the value of
| certain tokens and removing the ability of people to say they
| didn't know the funds they are receiving were connected to a
| crime.
| nimbius wrote:
| Ah yes, my Monero nails. https://en.wikipedia.org/wiki/Monero
|
| Observers cannot decipher addresses trading Monero,
| transaction amounts, address balances, or transaction
| histories, but I'm _sure_ my old 14th century hammer will
| address this issue somehow even though subaddresses can be
| created that aren't even remotely linked to my main address.
|
| https://monerodocs.org/public-address/standard-address/
| rnk wrote:
| You just ban Monero then. If something is a problem, and
| you want to ensure financial visibility then ban all
| transaction types that hide visibility, like banning mixers.
| This is separate from whether it's a good idea or not.
| dogman144 wrote:
| And then you mix in DeFi. Or into and out of L2/HTLCs. Or
| via atomic swaps, which went live but are buggy, and
| won't show the monero interaction. Or cross-chain. And on
| and on. Let's ban it all?
| rnk wrote:
| Yes, that's where I think financial regulators are
| heading. And anyone who thinks for one second of course
| sees that these are also problems with cash that drug
| cartels deal with by sending bales of $100 bills around.
| And so we added KYC and discourage cash.
|
| I don't think you can ban people doing crypto entirely,
| but you can make the financial exchange points where cash
| goes in and out ever more difficult.
| JumpCrisscross wrote:
| > _Let's ban it all?_
|
| It's in the process of being grey listed. Similar to
| running an all-cash lifestyle, it's possible. But you'll
| have your money frozen and seized and stolen from time to
| time. And you will hit intentional roadblocks any time
| you attempt a major financial move.
| DANmode wrote:
| > You just ban Monero then.
|
| You just ban encryption, then!
|
| You just ban liquor/drugs, then!
|
| Monero making law enforcement investigation more
| difficult due to privacy algorithms does not make it
| legal to ban.
| rnk wrote:
| Those two first things have sure been tried, over and
| over as everyone knows. I said the obviousness of banning
| monero next was separate from whether it's a good idea.
| miohtama wrote:
| There is no need to ban, because Monero is already so
| niche cryptocurrency that it is unusable for paying
| ransoms.
|
| You cannot ask ransoms in a currency the victim cannot
| access.
| JumpCrisscross wrote:
| > _yes, my Monero nails_
|
| At $3bn "market cap," Monero is not a serious problem.
| DANmode wrote:
| Its max supply is uncapped.
|
| The tech and established network are unlikely to go back
| in the box.
| JumpCrisscross wrote:
| > _Its max supply is uncapped_
|
| Sure. If it gets bigger, it can be addressed then. As it
| stands, it isn't a problem.
| acdha wrote:
| First, you misunderstood the point: the hammer is a poor
| metaphor because it's something which _hasn't_ changed
| massively over time - for the 14th century, if you took the
| ancient Roman who was used to working with these to Home
| Depot, they'd immediately know how to work with their modern
| counterparts:
|
| https://www.britishmuseum.org/collection/object/H_1982-0103
| -... https://www.britishmuseum.org/collection/object/H_1956
| -0403-...
|
| Now, back on topic. Monero's claims have been lightly
| tested but never against a nation-state level adversary, so
| I'd be hesitant putting anything onto a blockchain which
| would be problematic if a flaw is discovered since there
| is, of course, no way to remove it. That said, let's assume
| that everything works exactly as planned and they've
| perfectly nailed the implementation. Do you ever wonder why
| cryptocurrency people call what they're building cash?
| That's because while a 14th century treasury officer
| wouldn't know a thing about hash functions, they were
| already very familiar with the problems caused by a truly
| anonymous means of exchanging value: actual cash.
|
| If you've ever read old novels where people had to explain
| their source of wealth, maintain accounts at specific banks
| with good reputations, visiting traders were required to
| store funds at state sanctioned banks, etc.
| that's because while it's impossible to tell where
| someone's coins came from you can make crime, especially
| tax evasion, considerably harder by requiring people to
| show positive proof of income and adding points where other
| people would have to collaborate with you. That certainly
| doesn't prevent fraud but it can reduce it considerably by
| increasing the cost and likelihood of being caught.
|
| Obviously we have a big shift in the technology, but that
| same basic approach works well now: you don't need to
| control every blockchain transaction if the gateways into
| the real financial system are required to follow money
| laundering laws like everyone else. That's one of the
| reasons why almost no businesses used Tornado Cash, Monero,
| etc. because they didn't have a need to and when your
| accountants ask "how will we avoid the drug cartels using
| us to launder money?" and you say "we can't, that's a
| feature!", they're going to start asking questions like
| who's going to go to prison.
| hanniabu wrote:
| It's not like a bank account. Creating a new address is
| trivial and scalable.
| kube-system wrote:
| Adding text to a blacklist is also trivial and scalable.
| acdha wrote:
| Now think about how you get funds into that wallet: if your
| shiny new account has a transaction chain tracing back to a
| banned address, legitimate merchants aren't going to accept
| transactions from you and you're going to be selling at a
| discount.
|
| If you use a mixer, that expands to cover all of your
| transactions. Any legitimate business has to worry about
| complying with local laws and they're going to stop using
| options which don't allow that or cost too much.
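The two acdha comments above (the one on blacklisted wallets and transitive taint, and this one on mixers spreading that taint to every downstream output) describe a concrete analysis that is easy to run against a public ledger. The following is an added example written for this page, not code from the thread or from any real chain-analysis product. The ledger, the addresses and the `ransom_wallet` blacklist entry are constructed; the model is a simplified UTXO-style ledger and the propagation rule is the proportional "haircut" rule, chosen here as one illustrative policy among several that investigators use.

```python
"""
Transitive taint propagation over a public ledger (added example).

Simplified UTXO-style model: each transaction lists input and output
addresses with amounts. Because the ledger is public, anyone can replay
it and mark every address downstream of a blacklisted one. The haircut
rule used here gives each output the fraction of tainted value that sat
among the transaction's inputs, which is why a "mixer" does not launder
a blacklist entry away but smears it over all of its outputs.
"""
from collections import defaultdict

# Constructed sample ledger in chronological order: (tx_id, inputs, outputs),
# where inputs/outputs are lists of (address, amount). All names are made up.
LEDGER = [
    ("tx1", [("ransom_wallet", 10.0)], [("hop_a", 10.0)]),
    ("tx2", [("hop_a", 10.0)], [("hop_b", 6.0), ("hop_c", 4.0)]),
    # A mixer-style tx: tainted coins pooled with clean coins, paid out to
    # fresh addresses. Every output now carries part of the taint.
    ("tx3", [("hop_b", 6.0), ("clean_1", 14.0)],
            [("mix_out_1", 10.0), ("mix_out_2", 10.0)]),
    ("tx4", [("mix_out_1", 10.0)], [("exchange_deposit", 10.0)]),
    # Unrelated clean payment for contrast.
    ("tx5", [("clean_2", 5.0)], [("merchant", 5.0)]),
]


def propagate_taint(ledger, blacklist):
    """Return {address: taint_fraction} for every address seen in the ledger.

    Blacklisted addresses start at 1.0. Transactions are processed in
    ledger order, so an input spent in tx N was an output created earlier.
    """
    taint = defaultdict(float)
    for addr in blacklist:
        taint[addr] = 1.0
    for _tx_id, inputs, outputs in ledger:
        total_in = sum(amt for _, amt in inputs)
        tainted_in = sum(amt * taint[addr] for addr, amt in inputs)
        fraction = tainted_in / total_in if total_in else 0.0
        for addr, _amt in outputs:
            # Haircut rule: each output inherits the input taint fraction.
            # If an address is funded by several txs, keep the highest
            # fraction seen (conservative, simpler than value-weighting).
            taint[addr] = max(taint[addr], fraction)
    return dict(taint)


def screen_deposit(taint, addr, threshold=0.0):
    """Compliance-style check a merchant or exchange might run on an
    incoming deposit: refuse it if the sender carries taint above threshold."""
    return taint.get(addr, 0.0) > threshold


if __name__ == "__main__":
    taint = propagate_taint(LEDGER, {"ransom_wallet"})
    for addr in sorted(taint):
        print(f"{addr:18s} taint={taint[addr]:.2f}")
    print("exchange_deposit refused:", screen_deposit(taint, "exchange_deposit"))
```

Running it shows `hop_c` fully tainted even though it never touched the ransom wallet directly, both mixer outputs at 0.30, and the eventual `exchange_deposit` refused while the unrelated `merchant` address passes. A zero threshold is deliberately strict; a real policy would pick a threshold and a propagation rule (haircut, FIFO, poison) based on its legal exposure, but the public-ledger property that makes any of them possible is the one the comment above is pointing at.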
| MichaelZuo wrote:
| It's unclear who in the USG is actually responsible for enforcing
| this, especially against those organizations that do send
| payments anyways.
| kube-system wrote:
| Any executive action on this would be via sanctions, I presume.
| MichaelZuo wrote:
| Action by who? The President himself?
| kube-system wrote:
| The Treasury's Office of Foreign Assets Control is the
| executive branch department tasked with enforcing
| sanctions.
| amima wrote:
| So let's imagine a company like Garmin experiences a ransomware
| attack. Their business is paralyzed. What would stop them from
| paying the ransom and what could possibly be an alternative to
| that?
| Workaccount2 wrote:
| An insurance fund that requires periodic air gapped backups. So
| you roll back to the last snapshot and get money to cover
| losses incurred.
| pc86 wrote:
| There are a handful of problems with this approach, which is
| part of why these types of insurance policies are incredibly
| expensive. The entire MO of these operations is to infect a
| company's systems, and wait until most or all of the backups
| are affected before locking the system down. They will wait
| months or for bigger targets, years.
| Workaccount2 wrote:
| Sorry, by air-gapped I was envisioning things like tapes or
| disconnected disk drives.
| pc86 wrote:
| That doesn't help. The system is already infected when
| the backups are taken, therefore the backups are
| infected. That's why these criminal organizations wait
| months until actually locking your system down, so that
| your oldest backups are deleted by retention policy. If
| they have access to your system and can figure out what
| your backup retention policy is, they'll set it to go off
| at the point when all your backups are infected.
| zmgsabst wrote:
| Infected how?
|
| Our backups were the data, not code or systems (which
| were IaC and rebuilt as needed).
| pixl97 wrote:
| Are user accounts data or systems? Compromise of AD is a
| very common means. This said this can still be fixed
| before putting it back where it could reach the internet
| and cause trouble.
| xur17 wrote:
| For a concrete example, someone could infect an image
| storing service with code that encrypts (and silently
| decrypts) the data when it's stored / retrieved. When the
| hacker removes the decryption key from the running
| service, the backups will also be inaccessible because
| they are also encrypted.
| Workaccount2 wrote:
| Wouldn't this be a bright red flag that is trivial to
| check for?
| jowea wrote:
| Can't they check their backups once every few months from
| an isolated infrastructure?
| vkou wrote:
| If they could check the backups for evidence of an
| intrusion, they would be able to check production for
| evidence of an intrusion.
| jowea wrote:
| I meant check for evidence of corruption not an intrusion
| itself. How do you hide the fact that the data is
| unreadable?
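The sub-thread above (backups silently encrypted by a service that decrypts transparently on read, attackers waiting until the retention window has purged every clean snapshot, and the question of how you would notice that backup data is unreadable from an isolated host) boils down to a restore test that checks the bytes actually parse as what they claim to be. The following is an added example written for this page, not code from the thread or from any backup product. The snapshots, file names, dates and the `ciphertext` stand-in for encrypted objects are constructed; a real run would read restored objects from offline media instead of an in-memory dict.

```python
"""
Restore-test backup snapshots from an isolated host (added example).

The point: a hash manifest written by the compromised production system
matches ciphertext just fine, so the isolated check must verify that each
sampled object decodes as its declared format. It then reports the newest
snapshot that passes and how many days remain before retention purges it,
which is the window the "wait out the backups" tactic relies on.
"""
import json
import os
from datetime import date

# Deterministic stand-in for an object that was transparently encrypted at
# rest: looks like random bytes, is not valid JPEG and not valid UTF-8/JSON.
CIPHERTEXT = bytes((i * 37 + 11) % 256 for i in range(66))

def _fake_jpeg():
    # Minimal JPEG-shaped blob: SOI marker, padding, EOI marker.
    return b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"\xff\xd9"

# Constructed snapshots keyed by ISO date: {date: {path: bytes}}.
# The hypothetical attacker began encrypting at rest between the first
# and second snapshot, so only the oldest one still parses.
SNAPSHOTS = {
    "2023-09-01": {"img/a.jpg": _fake_jpeg(),
                   "meta/a.json": json.dumps({"id": 1}).encode()},
    "2023-10-01": {"img/a.jpg": CIPHERTEXT, "meta/a.json": CIPHERTEXT[:9]},
    "2023-10-30": {"img/a.jpg": CIPHERTEXT, "meta/a.json": CIPHERTEXT[:9]},
}


def looks_like_jpeg(data):
    return data[:3] == b"\xff\xd8\xff" and data[-2:] == b"\xff\xd9"

def looks_like_json(data):
    try:
        json.loads(data)
        return True
    except ValueError:  # covers both JSONDecodeError and bad UTF-8
        return False

# Format checks by extension; unknown extensions are treated as failures so
# a new file type has to be explicitly added rather than silently passing.
CHECKERS = {".jpg": looks_like_jpeg, ".json": looks_like_json}


def verify_snapshot(files):
    """Return the sorted list of paths whose bytes fail their format check."""
    bad = []
    for path, data in files.items():
        check = CHECKERS.get(os.path.splitext(path)[1])
        if check is None or not check(data):
            bad.append(path)
    return sorted(bad)


def newest_good_snapshot(snapshots):
    """ISO date of the most recent snapshot in which every object parses, or None."""
    good = [d for d, files in snapshots.items() if not verify_snapshot(files)]
    return max(good) if good else None  # ISO strings sort chronologically


def restore_point_report(snapshots, today, retention_days, warn_days=14):
    """Summarise the usable restore point and how close retention is to purging it."""
    good = newest_good_snapshot(snapshots)
    if good is None:
        return {"status": "NO_GOOD_SNAPSHOT", "restore_point": None,
                "days_until_purged": None}
    age = (date.fromisoformat(today) - date.fromisoformat(good)).days
    left = retention_days - age
    status = "PURGED" if left <= 0 else "AT_RISK" if left <= warn_days else "OK"
    return {"status": status, "restore_point": good, "days_until_purged": left}


if __name__ == "__main__":
    for day, files in SNAPSHOTS.items():
        print(day, "bad objects:", verify_snapshot(files) or "none")
    print(restore_point_report(SNAPSHOTS, "2023-10-31", retention_days=90))
```

With a 90-day retention and today's date of 2023-10-31 the report points at the 2023-09-01 snapshot with 30 days to spare; with 65-day retention the same snapshot is flagged `AT_RISK`, which is the signal that should trigger pulling that tape out of the rotation before the policy deletes it. Sampling a handful of objects per snapshot and per format is cheap enough to run on every cycle, and because it runs on isolated hardware the transparent decryptor in production never gets a chance to make the data look fine.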
| raverbashing wrote:
| The dumbest take of companies was assuming insurance
| companies would keep paying their ransom because they were
| thinking fixing their networks was less important
|
| Oh well turns out it is not like that
| mcpackieh wrote:
| No reason such an insurance company couldn't be run in the
| early/mid 20th century manner, entirely with paper records.
| Send carbon copies of all documents to two remote locations
| to eliminate the threat of a fire wiping out the records.
|
| This is easy. It requires you to hire a lot of human clerks,
| but since the customers are large businesses that means there
| aren't a whole lot of customers in the first place. And if
| you can't get enough typewriters, there's no reason the clerk
| work couldn't be done on computers connected to printers,
| with all document storage still being done on paper. If the
| computers get pwned, throw them out and buy new ones; it
| doesn't matter because the documents weren't being stored on
| those computers.
| pc86 wrote:
| > What would stop them from paying the ransom
|
| They can bring their systems back up and operational for less
| cost (both immediate, but also payroll during the fix, lost
| revenue from both downtime and reputationally after they're
| back, and opportunity cost off the top of my head).
|
| Your only two options are rebuild on your own at significant
| cost or pay the ransom. There were long, heated discussions
| about what to do, and several people suggested paying the
| ransom but we ultimately decided not to and it ended up costing
| more than the ransom if you factor in payroll and lost revenue.
|
| I still think out of principle you shouldn't pay the ransom,
| ever. Assume whatever the ransom would cost is already gone, if
| you can rebuild for less than that (you probably can't) it's a
| win.
| beardyw wrote:
| > I still think out of principle you shouldn't pay the
| ransom, ever
|
| There may have been a time when a company would act on
| principle, but I think it's very rare today. You hardly even
| expect people to do that. It's the world we have made.
| FredPret wrote:
| All human activities, including things like principles,
| charity, sacrifice, and duty, are ultimately self-serving
| attempts by the biological DNA and cultural memes that
| constitute us to replicate and improve its standing.
| m-p-3 wrote:
| But even when paying the ransom, you still need to roll back
| a portion of your environment after you've assessed the
| intrusion. Can you really trust you've patched everything and
| removed all trace of persistence that was put by the attacker
| as a contingency to get back in the system?
| miohtama wrote:
| The easiest targets are those that are publicly known to be
| vulnerable.
| jupp0r wrote:
| I was assuming that countries would make it illegal to pay
| these ransoms.
| pc86 wrote:
| The article doesn't seem to suggest that anywhere.
| jupp0r wrote:
| You are right. It's kind of a toothless tiger without that
| part though.
| kube-system wrote:
| The data sharing mentioned in the article will help
| authorities to target the criminals directly.
| amalcon wrote:
| Nothing, so far. The alternatives to that would be to legislate
| penalties for paying, to mandate certain precautions like
| regular offline backups (which could usually be done through
| regulation), to forbid the government from doing business with
| entities that have paid in the past X time (procurement
| regulations are somewhat flexible) and/or to task some
| government agency with aiding private sector entities in
| recovery if they don't pay (which has varying difficulty
| depending on the jurisdiction).
|
| Obviously none of these make it impossible, but the goal needs
| to be to tip the value proposition the other way.
| zx8080 wrote:
| First of all, it's not a nation who pays in case of a breach.
| It's some company. Nation as countries do not have anything to do
| with it, unless they create some laws denying payments. Which
| would put tight control of any business in the hands of
| politicians signing off indulgences (exceptions to pay as "too
| big to fail").
| InitialLastName wrote:
| I would guess that the affected entities here are not
| companies, but public entities. Federal departments, the state
| governments, and municipal governments all run their own IT
| systems and have been affected by ransomware; if there is a
| top-down policy of "don't pay the ransom" it presumably affects
| policy for all of those.
| londons_explore wrote:
| Even if there is a top down policy of not paying ransoms, the
| attackers still have an incentive to format the drives and
| leak the data to gain credibility for their next attack.
|
| Many types of attack don't actually know where they're
| breaking into at the time they break in. And once you're in,
| you might as well try running a ransom attack.
| pixl97 wrote:
| Nations setting up financial regulations on who you can and
| cannot pay is a standard accounting practice these days. If you
| consider that a tight control, then we're already far past
| that.
| acdha wrote:
| "These days"? Nations have been restricting trade for
| millennia.
| kube-system wrote:
| Essentially all countries do this, regulating trade is a very
| basic governmental function.
| varjag wrote:
| So there's that woman I follow who used to work in hostage and
| ransom negotiation business, and she's adamant there's no such
| thing as "no negotiations with terrorists" no matter public
| rhetoric or legislation. When push comes to shove, side channels
| and loopholes are inevitably found and third party contractors
| like her are getting hired.
|
| I strongly suspect this too will end up mostly a
| jurisdiction/accounting nuance rather than a substantial change.
| salamanderss wrote:
| It wouldn't surprise me if places like Nigeria have a bunch of
| semi-whitewashed English speaking faces/voices to perform this
| kind of grey area work. Even better if some of their family is
| part of a hostage taking gang so they can burn the candle from
| both ends.
| boeingUH60 wrote:
| Nigeria (my country) is pretty bad, but we don't do
| ransomware, lol.
| salamanderss wrote:
| I responded to a comment on hostage and ransom negotiation
| business. Hostages aren't normally considered ransomware,
| although said negotiators would have excellent overlapping
| skill set.
|
| Travel.gov has an advisory for hostage taking in your
| country. I can assure you there are well spoken negotiators
| in your nation to deal with that.
| nerdypirate wrote:
| I'm afraid you are wrong; criminal gangs or masterminds
| are not that organized in Nigeria
| salamanderss wrote:
| Cool here's a documentary with an English speaking
| hostage negotiator in Nigeria with family in the other
| side of the business (talks start around 4:30).
|
| I'm afraid YOU are wrong. My opinion wasn't idle thought
| but derived from research on Nigeria rather than some
| weird borderline racist baseless rhetoric that Nigerians
| don't have this level of organization.
|
| https://youtube.com/watch?v=nG09Bo3uvAw
| edgyquant wrote:
| Didn't vice catch a bunch of flack for over
| sensationalizing their "reporting?" Regardless I'd be
| more inclined to believe an actual Nigerian than a
| YouTube video. That person didn't say there were zero
| people doing this, they said it wasn't likely Nigeria had
| a widespread and systemic issue with organized crime
| doing this.
| salamanderss wrote:
| Cool let's deconstruct:
|
| >Didn't vice catch a bunch of flack for over
| sensationalizing their "reporting?"
|
| Awesome ad hominem against the people recording actual
| Nigerians testimony.
|
| >Regardless I'd be more inclined to believe an actual
| Nigerian than a YouTube video
|
| And I provide video with actual Nigerians yet it's
| crickets from you when some guy just flippantly says I'm
| wrong with no supporting facts. Unless by actual
| Nigerians you want one to jump through the screen and
| talk to us... we're going to have to settle for
| electronic communication. It's worth noting the
| Nigerian commenter above denied ransomware related
| activities but never denied the rest.
|
| >That person didn't say there were zero people doing
| this, they said it wasn't likely Nigeria had a widespread
| and systemic issue with organized crime doing this.
|
| They said what they said, not what you've retranslated
| them to say. I never said the issue was systemic, but if
| they really said that then their flippant dismissal was
| just as invalid as they'd be addressing a strawman.
| costco wrote:
| Except a few billion a year in gift card, business email
| compromise, and romance scams. But yeah, Nigeria is not
| really a ransomware source country.
| JumpCrisscross wrote:
| One, this article is not about banning crypto ransom. Two, if
| you wanted to do that, you'd criminalise it with the threat of
| sanctions. At that point your K&R retiree and anyone who signed
| off on paying them would be fugitives in almost anywhere in the
| world.
| varjag wrote:
| As long as you have a non-signatory among otherwise first
| world nations (and there's always a handful on any treaty)
| there absolutely will be a legal way that you can't do much
| about.
| JumpCrisscross wrote:
| > _there absolutely will be a legal way that you can 't do
| much about_
|
| No, that's what the sanctions threat is for. It may be
| possible. But now you're in the company of money launderers
| and terrorism financiers.
|
| To be clear, I don't think this is necessary. But it's
| naive to imagine it's beyond D.C.'s capacity.
| bombcar wrote:
| DC doesn't go after these "security consulting firms
| located in non-signatory states" just precisely because
| they want to be able to use them if the need arises.
| JumpCrisscross wrote:
| > _DC doesn 't go after these "security consulting firms
| located in non-signatory states" just precisely because
| they want to be able to use them_
|
| You are vastly overestimating the federal government's
| coherence and coordination. Yes, we use black hats. Yes,
| we still jail and sanction them.
| bostik wrote:
| Which is straight out of Machiavelli's playbook.
|
| The first thing you do after conquering the throne is to
| bundle up all your pending atrocities in one and
| eliminate competition. The second thing you do is
| slaughter the mercenaries you had hired to win your war
| of ascension.
|
| No reason to leave them around and let the next usurper
| hire them to dethrone you.
| JumpCrisscross wrote:
| In practice, it typically happens across administrations,
| _i.e._ the effect is accidental. (We forget what an asset
| having a fresh executive every decade makes.)
| varjag wrote:
| It took what, over two decades to convince Switzerland
| and Austria to get on board for (part of) money
| laundering treaties? And ransom(ware) is not anywhere as
| pressing.
| JumpCrisscross wrote:
| > _took what, over two decades to convince Switzerland
| and Austria to get on board for (part of) money
| laundering treaties_
|
| Yet they still complied with U.S. sanctions. (Or were
| arrested abroad for defying them.)
|
| You seem to misunderstand that sanctions are not a treaty
| obligation. If your country deals with a sanctioned
| entity, it gets sanctioned as well. That enforces
| compliance indirectly. America can and does unilaterally
| extend sanctions.
| varjag wrote:
| Thanks, it's great to know that money laundering is a
| solved problem.
| JumpCrisscross wrote:
| > _it 's great to know that money laundering is a solved
| problem_
|
| We don't sanction money launderers generally. And no,
| terrorism finance isn't a solved problem either. Hence
| why I said one would need to keep company with that
| category of people were such a measure enacted. But
| again, your K&R retiree cum schoolteacher was describing
| a political constraint. Not a functional one.
| bee_rider wrote:
| The only case in which ransomware seems actually similar to
| hostage taking is when a hospital or something is hit. And I
| think that is actually a morally complicated situation,
| because lives are actually at risk.
|
| Otherwise ransomware payments are just a collective action
| problem, paying them builds this harmful ransomware industry,
| but might be cheaper than losing or restoring your data.
| Making it costlier to pay the ransomware groups is a great
| strategy, in the sense that even if it isn't perfect it might
| bump some cases from "pay" to "don't pay," damaging the
| industry.
| DavidPeiffer wrote:
| >...there's no such thing as "no negotiations with terrorists"
| no matter public rhetoric or legislation.
|
| I've heard this as well. A professor was flying into a less
| than stable area of Afghanistan and for some reason they were
| descending just like a normal commercial flight.
|
| "What are you doing, we're going to get shot down!". He was
| used to a steep descent or a spiral to the runway to minimize
| the risk of getting hit.
|
| They then explained they had a deal with the local warlord. The
| military provided barrels of used oil from all their ground
| vehicles, and in exchange they don't fire on the airplanes as
| they takeoff or land. The warlord burns the oil for heating,
| and the military doesn't need to deal with (hopefully
| correctly) disposing of large quantities of used oil.
| gnfargbl wrote:
| You have to wonder how much of that transaction is saving
| face? The warlord doesn't have to deal with the messy
| business of trying to shoot down jets belonging to a well-
| funded army; the military doesn't have to deal with the
| difficult business of engaging a warlord with local
| connections and support. Both sides get to wink and imply
| that they each got the better end of a "business deal". It's
| Clausewitz in reverse -- commerce as a de-escalation of war
| by other means.
| savanaly wrote:
| It's the Coase theorem [0] in action! No matter what the
| laws may or may not be against shooting down planes, the
| socially efficient outcome of planes not being shot down
| was arrived at through negotiation.
|
| [0] https://en.wikipedia.org/wiki/Coase_theorem
| filoleg wrote:
| Ayup, another example I can remember is that Swedish
| professor who went ahead and hired services of a PMC to
| extract her grad student and his family from Iraq[0].
|
| Background: the student went to visit his family back in Iraq
| as his town was under an ISIS attack, which is how he ended
| up getting stuck there.
|
| 0. https://www.nbcnews.com/news/world/how-swedish-professor-
| hel...
| fragmede wrote:
| The untold stories from the security department of all the
| FAANGs from the invasion of Ukraine would take more movies
| than there are Marvel movies.
| ahhppahjh6698 wrote:
| Or they could go after them like we went after those damn
| pirates in the late 1700s.
| nradov wrote:
| We should make it a criminal offense with severe penalties to
| pay any sort of ransom regardless of the consequences. Use the
| Foreign Corrupt Practices Act as a model. Even if it means
| hostages will die or businesses will be destroyed, that is an
| acceptable price to pay in order to cut off funding to
| terrorists and other criminals.
| diego_moita wrote:
| > is an acceptable price to pay
|
| It is acceptable for you, since you won't suffer the
| consequences, the burden of damage isn't on you.
|
| It is similar to consuming drugs: when people buy meth
| they're helping the drug dealers. But they just can't help
| it, they're desperate.
|
| Despair is above reason. Laws are useless to stop desperate
| actions.
| nradov wrote:
| We're not talking about desperate drug addicts here. The
| threat of criminal prosecution and being sent to federal
| prison is a pretty effective deterrent for most people.
| Especially the corporate officers who would ultimately have
| to authorize any ransomware payment. They won't take that
| risk to help their employer.
| goda90 wrote:
| You just said "hostages will die" in your first comment.
| Saving a human life is pretty desperate.
| bombcar wrote:
| And in those cases, there will likely be a relative
| willing to do the _illegal step_ to save their relative.
|
| The only way to actually have a "hostages will die"
| policy is to ensure you destroy whoever took them,
| despite the deaths of hostages.
| mensetmanusman wrote:
| They are not useless, they bend the curve. Micro harms are
| everywhere.
| rjbwork wrote:
| >they bend the curve
|
| Upwards. Second order effects of schemes like prohibition
| are much worse than the original problems.
|
| It's also not quite analogous to the ransomware
| prohibition, because it's more akin to a prisoner's
| dilemma, and there's no inherent desire to pay ransomware
| criminals in the human psyche like there is to alter
| consciousness.
| edgyquant wrote:
| > Second order effects of schemes like prohibition are
| much worse than the original problems.
|
| There are loads of countries that have illegalized
| alcohol and not devolved into levels of organized crime
| that the US did. Specifically, nearly every Muslim nation
| on earth. I feel this one example is way overplayed by
| advocates of legalization
| bee_rider wrote:
| I think ransomware is not really like drugs or hostages.
|
| For drugs, there's some inherent desire for some people to
| consume them. Maybe they harm society a bit (in the sense
| that they might destroy the people that take them), but the
| main cost for the rest of us is that they fund criminal
| enterprises _because they are illegal_. People want drugs,
| if they could buy them at CVS I suspect they would.
|
| Ransomware is already illegal, we don't create a new
| criminal enterprise by making it illegal to do business
| with them, we just make it harder.
|
| Also, lots of the biggest ransomware hits have been big
| institutional entities where everything is documented.
| People just buy drugs in small amounts and consume them,
| two parties, neither of whom wants to get caught, minimal
| paper trail. Basically impossible to ban.
|
| For physical hostages--people _are_ desperate to get their
| friends and family back, and so they'll go to desperate
| measures to pay. For ransomware, it is usually an economic
| decision, nobody's life is at risk (other than when, like,
| a hospital is hit). Increasing the cost increases the
| chance the decision will go the other way. And increases
| the incentives to keep IT defenses up to date. (I know you
| didn't bring up the hostage analogy, I think it is worth
| noting that the desperation you point to here is really an
| artifact of the tangent we're on from the analogy leading
| us astray).
| miohtama wrote:
| In the case of corporate, it is often not despair but
| incompetence and lack of consequences: CEO will get their
| yearly bonus if the ransom is paid. If the ransom is not
| paid, the information might leak out that the company lacks
| good cybersecurity practices and there will be a new CEO.
|
| Or even worse, like shareholder or regulator action, see
| SolarWinds
|
| https://news.ycombinator.com/item?id=38076636
|
| Note that in the EU under GDPR companies are still liable
| for privacy violations and related fines if ransomware
| attackers gain access to your personal details, ransom or
| no ransom (a hack is enough).
| varjag wrote:
| Right, everyone's a hardliner until it's your grandson's
| finger in the envelope.
| Analemma_ wrote:
| Have fun being the DA who presses charges against a mother of
| three who paid so their kids could see daddy again instead of
| watching him get beheaded by terrorists.
|
| It sounds nice in the abstract; in practice it's political
| suicide.
| sgjohnson wrote:
| > It sounds nice in the abstract; in practice it's
| political suicide.
|
| Depends on how you spin it. I suspect it would be quite
| easy to spin the narrative on this one. "So you knowingly
| funded a terrorist group that's likely going to use the
| money to commit further crimes against US citizens?" or
| something of the sort. Have some experts testify on that
| too, preferably ones in officers' uniforms.
| Gibbon1 wrote:
| Yeah, what's the point of extorting a company that can't pay?
| You're just risking getting stuffed in the trunk of a car and
| driven to some place with an extradition treaty.
| LouisSayers wrote:
| If it's a criminal offence it'll still happen, it just won't
| be reported.
|
| The gov will pat themselves on the back telling everyone how
| they've caused a drop in the number of incidents.
| makeitdouble wrote:
| > that is an acceptable price to pay in order to cut off
| funding to terrorists and other criminals.
|
| You're offering to increase the stick, what's the carrot for
| the people/corporation losing everything ?
|
| Making the punishment bigger also means victims have stronger
| incentives to work closely with the terrorists so the whole
| thing never gets public or never gets labelled as a ransom.
| rnk wrote:
| You should have pointed out that her view is self-serving. If
| you are a hostage negotiator (retired even, or whatever), it's
| natural to argue that we will still negotiate with terrorists.
| Just like programmers argue about whether we'll still have a
| job even as AI gets better and better ;-)
| varjag wrote:
| She's now an elementary school teacher so really doubt she
| has anything to sell.
| KMag wrote:
| As a father of 3, I can tell you elementary school teachers
| negotiate with terrorists on a daily basis.
| rnk wrote:
| Best comment of the year. Maybe she's hoping to be
| rescued if she can get her old job back without so much
| conflict ;-)
| artisin wrote:
| Perhaps it's time I hang up this old keyboard, rally
| together a ratpack of seasoned elementary school
| teachers, and swiftly bring an end to the Global War on
| Terror.
| Spivak wrote:
| I mean "people still keep hiring me, even people who have a
| policy of not negotiating" is a pretty neutral take.
| guerrilla wrote:
| Umm, no. A well-known sales technique is inflating your own
| demand. There's no way to know whether she's telling the
| truth or doing that.
| varjag wrote:
| Inflating what, sorry? Unless you have someone who's been
| kidnapped you're hardly in the market.
| guerrilla wrote:
| You're mistaking what someone says for the way things
| actually are. I'm talking about them exaggerating how in
| demand their own services are. The danger of this is
| especially acute if they do more than one thing.
| LeafItAlone wrote:
| Well who do you think is kidnapping people? Clearly she
| has hired kidnappers to be able to drum up business for
| her negotiating services.
| jstarfish wrote:
| Everybody makes exceptions. There's nothing self-serving in
| pointing out the obvious.
| arbuge wrote:
| I suspect if this coalition of nations actually criminalized
| paying ransoms, that would go a long way towards closing up all
| those loopholes. Perhaps that is what needs to happen next.
| creer wrote:
| Until a government organization or close enough public need
| arises where a new loophole would be created PDQ? Also "close
| all the loopholes" has a ridiculously poor record in law. On
| the one hand, people with no incentives, on the other people
| whose entire line of work is to extract the maximum result of
| whatever the law happens to be.
| 616c wrote:
| Any lawyer or cyber insurance rep can tell you yes it already
| exists, and it is called cyber insurance. Lol
| wdr1 wrote:
| Chris Voss, a former FBI hostage negotiator, discussed this
| policy on Lex Fridman's podcast. Here's the clip:
|
| https://www.youtube.com/watch?v=gm4hb5yNxyE
|
| The policy has been widely misreported as "we don't negotiate
| with terrorists", which is wrong. The actual policy is we won't
| make concessions to terrorists.
| brightball wrote:
| It's about dang time. Years ago I attended a security conference
| where an FBI guy was actually advising people to pay the ransom.
| I was shocked.
| Mistletoe wrote:
| I wish my health provider had paid the ransom. They screwed up
| and got hacked and wouldn't or couldn't pay the ransom, now the
| entire clinic has no health records for their patients. My
| doctor can't see any health info older than a few years. I
| couldn't believe what she was telling me.
| mensetmanusman wrote:
| It hurts, but it's the only way we can get the wealthy to
| take security seriously. Otherwise, to take an exaggerated
| example, only rich hospitals will be able to pay ransoms and
| poor people/hospitals will have no records (globally).
| digging wrote:
| Or instead of banding together to not pay,
| organizations/nations could pool money to help poorer
| hospitals pay. Maybe that, too, would make the rich think
| more about global security.
| qup wrote:
| So some asshat will be in charge of IT at [poor
| hospital], some rich people will foot the bill, and
| somehow that will improve...what? What is "global
| security?"
| digging wrote:
| Oh, I forgot the poor are meant to suffer.
|
| Global security meaning: Perhaps, if the rich found that
| the cost of supporting poor hospitals was high, they'd
| determine that they would prefer to invest in
| cybersecurity in poor hospitals. (Not likely, considering
| how few wealthy organizations care about cybersecurity in
| their own organizations.)
| HeyLaughingBoy wrote:
| There is no "the rich." Please be more specific about the
| people you're talking about.
| makeitdouble wrote:
| Doesn't this lead to perverse incentives?
|
| If they had to pay the ransom there would be a price set on
| security complacency, and that becomes the yardstick to use
| on further investments to harden their systems.
|
| In contrast, losing all patient data is now associated with
| a malicious attack, so they can hide behind the victim
| status, the actual damage isn't directly on their bottom
| line but on the quality of the care to their patient, and
| they can keep underinvesting in security as long as they
| have plausible deniability of wrongdoing in the next
| attack.
| JohnFen wrote:
| > I wish my health provider had paid the ransom.
|
| In practice, this is the same as wishing that other people
| get hit with ransomware attacks.
| Atreiden wrote:
| I don't think that's quite fair. Each organization,
| especially ones that possess sensitive customer data, has
| a custodial duty to secure that data. Most of these attacks
| are very preventable by following well documented best
| practices and industry recommendations.
|
| I think that "I wish my health provider paid the ransom"
| and "Health organizations should be responsible for
| protecting my data" are completely compatible views to
| hold.
| JohnFen wrote:
| If nobody paid the ransom, ransomware attacks would be
| reduced to nearly zero. Paying the ransom means that
| other people will get ransomware attacks. So, effectively
| speaking, wishing someone paid the ransom means that
| you're also wishing that others will get hit with attacks
| because that's a direct consequence of paying.
| Atreiden wrote:
| I follow your logic, I just think your conclusion is
| vastly oversimplified. Not paying the ransom also means
| that other people will get ransomware attacks. There is
| no direct causality here.
|
| There is some game theory, sure (a prisoner's dilemma,
| really). If nobody ever paid ransoms, there would be very
| little incentive for ransomware (though still not zero,
| some people just want to create chaos).
|
| But I don't think in a world-sized game with billions of
| actors that you can ascribe causality to the actions of a
| single actor. Wishing that you had driven to work instead
| of taking public transit (perhaps you missed an important
| meeting as a result) is not equivalent to wishing for
| public transit to be defunded (there is an equivalent
| feedback loop - decreasing ridership corresponds to
| reduced funding for public transit programs).
|
| Then consider that ransomware is only possible because of
| cybersecurity failings, and investing money into
| reasonable (some might even call them "common sense")
| security measures would also reduce these incidence rates
| to nearly zero.
|
| To be clear, I'm not advocating for paying ransomware
| ransoms, generally. I think this coalition is a good
| thing. But if a healthcare provider loses years of
| customer health data, that could lead to measurably worse
| health outcomes, and even excess mortality, for real
| people. An institution getting financially punished for
| not investing adequately in security seems like a better
| outcome than jeopardizing the health of real patients in
| the name of 'solidarity'. Meanwhile, a dozen other
| institutions pay the ransom and business continues as
| usual.
| nitwit005 wrote:
| The ransomware seems like a side issue. Evidently, your
| health provider doesn't care that much about your health
| records. Even ignoring security issues, they had no reliable
| backup. A fire would have produced this result.
| ooterness wrote:
| The HN title matches the article headline, but the article
| headline is horribly inaccurate.
|
| This is not about making ransom payments illegal, as many
| commenters have assumed. They are setting up an international
| information-sharing system to help track cryptocurrency wallets
| that are receiving ransom payments.
| arbuge wrote:
| Indeed. "take steps to try to end" would have been more
| accurate.
| kube-system wrote:
| The headline isn't inaccurate. "End ransomware payments"
| doesn't necessarily mean "make illegal the act of victims
| sending ransom payments", even though many are presuming that.
|
| Most of the action on this is on the receiving end of the
| payment process -- making it difficult for criminals to cash
| out, freezing their assets, or finding them.
| dang wrote:
| (The submitted headline was "US-led coalition of nations agrees
| to end ransomware payments to hackers". We since changed the
| URL - more at https://news.ycombinator.com/item?id=38088780.)
| m3kw9 wrote:
| If stakes are high enough nations will pay, this is different
| than enforcing corps not paying. It will be hard to detect at a
| national level if there was a hack or a payment unless they
| decide to declassify it.
| diego_moita wrote:
| Sorry for my cynicism but it seems that any cryptocurrency that
| is able to solve the traceability problem has now one more
| business opportunity.
| simiones wrote:
| Except that if this gains any teeth, it's likely to receive the
| Tornado Cash treatment: ban its use and (possibly illegally)
| jail its developers.
| denismenace wrote:
| Monero is already untraceable.
| kube-system wrote:
| Previous statements by the White House on this indicate they
| intend to implement KYC requirements.
|
| https://www.whitehouse.gov/briefing-room/statements-releases...
| Jemm wrote:
| How is this being reported without a list of the countries?
| JohnFen wrote:
| Good. Paying those criminals is unethical and makes the problem
| worse for everyone.
| jokoon wrote:
| Yup.
|
| Maybe it's also time that companies take cybersecurity more
| seriously, and maybe not just companies, but governments too.
|
| If insurance companies would cover ransomware damage, you can be
| certain those insurance companies would IMMEDIATELY lobby the
| government to enforce cyber security standards, audits,
| pentesting etc.
|
| It's not happening as long as the NSA is on top of the race of
| cyberweapons, but once that changes, you can be certain that
| software is going to be more secure.
| colatkinson wrote:
| Not sure if you're aware, but ransomware insurance is already a
| significant industry, and the contracts usually stipulate that
| the client company undergoes some type of regular auditing.
|
| From what I've heard, insurance companies are actually kinda
| souring on the business because it's incredibly bad from an
| actuarial perspective: many of those targeted are SMBs (i.e.
| they're not paying the kind of premiums that would make it
| worthwhile), but even for large corps as time passes the odds
| of a ransom event approach 1. I mean, can anyone think of a
| large non-tech enterprise that doesn't have that one
| load-bearing Windows Server 2008 machine in a closet?
|
| So to an extent, this seemingly represents the industry
| collectively declaring that even massive monthly insurance
| premiums are insufficient for companies to get their security
| posture together, and so they're trying to cut it off at the
| source by making ransomware as an endeavor unprofitable.
| dukeyukey wrote:
| > that one load-bearing Windows Server 2008 machine in a
| closet
|
| Hah, that is literally how an old employer of mine got hacked
| and ransomwared big time.
| arbuge wrote:
| > This will see the launch of two new information-sharing
| platforms for participating countries. One will be created by
| Lithuania while another will be jointly created and hosted by
| Israel and the United Arab Emirates.
|
| Nice to see smaller countries taking the initiative and also
| being trusted for projects like this.
| willcipriano wrote:
| > The members of the International Counter Ransomware Initiative
| (CRI)-- Australia, Austria, Belgium, Brazil, Bulgaria, Canada,
| Croatia, Czech Republic, Dominican Republic, Estonia, France,
| Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania,
| Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland,
| Republic of Korea, Romania, Singapore, South Africa, Spain,
| Sweden, Switzerland, United Arab Emirates, United Kingdom, United
| States, and Ukraine, and the European Union...
|
| https://www.whitehouse.gov/briefing-room/statements-releases...
| 2OEH8eoCRo0 wrote:
| A good way to prevent crime is to make it not profitable. Why
| invest in security when you can just pay the ransom?
| fortran77 wrote:
| I think this needs to be combined with ways to make companies
| more resistant to ransomware attacks, and more able to restore
| their computers if an attack does happen.
|
| If companies could get back on line within 24 hours, they
| wouldn't pay the ransomware.
| dang wrote:
| The submitted URL
| https://www.itpro.com/security/ransomware/coalition-of-natio...
| doesn't seem to link to the reporting it's drawing on, so I
| changed it to a reasonable candidate.
| billpg wrote:
| "I have your lottery winnings. Send (amount) to me to process
| sending you the money."
|
| That's a scam, right?
|
| "I have encrypted your files. Send (amount) and I'll decrypt them
| for you."
|
| Not a scam?
| jerf wrote:
| It often isn't. The criminals know that the game theory is such
| that if they don't actually provide the files when paid, _none_
| of them will get paid in the future as people will just assume
| the files are destroyed unrecoverably and move on. The scam
| critically depends on you being able to be confident that the
| files actually are recoverable and thus that paying the ransom
| is a viable option.
|
| Encryption viruses are probably some of the best QA'ed code in
| the world.
| billpg wrote:
| I've heard of enough cases where the ransomware gang have not
| followed through after payment of the ransom, that I think
| that time ("if they don't actually provide the files when
| paid") has already passed.
| snapetom wrote:
| Two thoughts:
|
| 1) There's no way to enforce this on private companies in the US
| without passing some sort of Federal law. I'm pretty certain no
| states have passed anything like this either.
|
| 2) So, we can assume the alliance is government agencies not
| paying ransomware. For the US, it's only the Federal government
| agreeing to this. If the County Court of Middle of Nowhere,
| Nebraska gets ransomwared, the Feds can put all the pressure they
| want on them not to pay, but at the end of the day, they can't
| stop them from paying.
| rurban wrote:
| Of course, because they do have backups. Lol.
|
| So far only the central bank of Zambia had a backup and could
| just ignore the ransom.
___________________________________________________________________
(page generated 2023-10-31 23:02 UTC)