Even on HN it's the same knee-jerk reactions every time one of these stories hits.
This is one of the most pressing technology issues of this moment and the discourse just sucks.
* Does banning ransom payments do anything? Good idea/bad idea? Historical analogues?
* Do we need to pay rewards to cyber privateers to take down cyber criminals?
* Is this an issue that can only be solved at the geopolitical level because of the role states play in enabling this activity?
* Will the hardening brought about by this eventually outpace the crappy attacker software?
* Is this a phase or the new reality?
* How much of this is enabled by technology vs the geopolitical situation?
And in my opinion it's only a matter of time till something so crucial will be affected that the big guns will be rolled out (i.e. targeted three-letter-agency efforts). The podcast argued that touching the energy delivery / pipeline was already it - Fox asking daily how the current administration fails to deal with securing energy may be the point when some real action happens.
I remember reading how supposedly adding a Russian or a few other keyboard layouts might fool some of the malware to ignore the machine [1].
I guess one idea for the Western intel agencies could be to play off of that, and somehow disable that check (infect their malware) such that it can and does attack the Russian infrastructure.
[1] https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
Show: https://www.risky.biz/RB624/
Media: https://chtbl.com/track/383384/media3.risky.biz/RB624.mp3
[1] https://www.wired.com/2010/03/manipulated-stock-prices/ [2] https://www.reuters.com/article/us-cybercybersecurity-hackin...
It wouldn’t surprise me at all if our systems are on average far less secure simply because so much more is online now, to speak nothing of increases in the complexity of and opportunities for errors and misconfigurations in today’s systems.
I am inferring (perhaps incorrectly) that you're saying this is an argument against cryptocurrencies. I think that's beside the point: even outright outlawing cryptocurrencies wouldn't stop the technology from existing, and wouldn't discourage extortionists from using it to anonymously receive payments.
It would make it harder to pay, since you'd have to go outside of safe, legal channels to get money into the system.
If the best strategy when being extorted is to never pay or negotiate, then I suppose that could be a benefit. But, in that case it would be more efficient to just make it illegal to cooperate with extortion in the first place.
For all I know, this is already true. If not, let's try that first. If it is, it doesn't seem to matter, since people are paying ransomware hackers. Still, if paying at all is illegal, but people still do it, then making paying less convenient probably won't make much of a difference: they'll still ask for payment in crypto, and leave the logistics up to the victim.
'Don't negotiate with terrorists' or:
> It is wrong to put temptation in the path of any nation,
> For fear they should succumb and go astray;
> So when you are requested to pay up or be molested,
> You will find it better policy to say:—
> "We never pay any-one Dane-geld,
> No matter how trifling the cost;
> For the end of that game is oppression and shame,
> And the nation that plays it is lost!"'
Of course, even better would be a physical switch for incremental backups, so a disk drive works like tape - it can physically only be appended to if that switch is "off".
Come on, security professionals. None of this has any technical or cost barriers. Demand it from drive vendors. My older drives have such a switch.
This is "there are no backups."
(Even if you don't anticipate a problem with your IT staff, it's just good engineering to automatically turn off the write-enable. Nobody's perfect. I've gone to the airport without my passport once. It really sux when you do that.)
Many (if not most) companies have file shares with fairly wide-open access and/or a complete lack of backups so peer-to-peer spreading within the company is enough to cause a lot of trouble.
At its root these are technological problems that we could choose to solve:
1. The program is not the user. Code running as a user shouldn't necessarily have permission to access everything the user can access.
2. New code is not treated with suspicion when it should be. New code should have its file access throttled in proportion to how many files it accesses.
3. Our systems do a terrible job of spotting unusual behavior. How many processes actually need to rewrite every file the user has access to? Almost none... rewriting 10% of the user's files should trigger an automatic throttle/stop and raise red flags.
4. As a variation on #3, most OSes these days ship parsers for a lot of common file formats... if the OS sees lots of user documents being rewritten and the parsers can no longer parse them, stop allowing new rewrites and alert the user. If the user is encrypting their content on purpose they can approve it. If not, you can at least limit the damage.
5. Similarly, a network user that usually accesses a limited set of files should not be able to suddenly start rewriting thousands of files without some kind of intervention.
6. Our systems completely fail to take advantage of ancient technology called "file versions" (see VMS). Excess disk space should store old versions of files in a way that cannot be deleted (or the ransomware would just call that API or generate random writes to consume the space). Combine with 2/3: when there is suspicious activity on the system, move into CoW mode and preserve previous versions of all files or an entire system snapshot, and don't allow purging the snapshot without special intervention (eg rebooting into a special mode).
7. To go along with all of the above, code should be tagged with its provenance in a system-tracked way. If a process writes a new binary to disk, track that responsibility. Track it all the way back to the URL or email it came from. This entire audit trail should be attached to any of the mechanisms listed above.
It should also be attached to any sort of activity monitoring program that shows you disk accesses, including historical accesses. If I see 50GB of disk reads/writes from a process group "JGjthjsfgl.exe, downloaded from p0wnme.example.farts" that is a huge red flag. Let me suspend that entire process group with a single click.
I'm sure smarter people could come up with even better ideas... but ransomware is absolutely something we can and should make nearly impossible. We could engineer operating systems to be resilient and limit the damage (eg: macOS prompting you to approve access to Desktop/Documents/Downloads) but it means giving up some sacred beliefs about how desktop operating systems should work that tends to make a subset of the HN audience extremely angry.
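Items 3 and 4 of the list in the comment above (throttle a process once it has rewritten a large share of the user's files; stop it outright once the rewritten documents no longer parse) can be sketched as a small host monitor. The code below is an added illustration, not from the thread or from any real OS; the process names, the file set, the 10% and three-file thresholds, and the use of format header bytes as a stand-in for "the OS parser can still open this file" are all constructed for the example.

```python
# Added example (not from the thread): a toy host monitor for the
# "too many rewrites" and "documents no longer parse" heuristics.
# Process names, file names and thresholds are constructed.
from collections import defaultdict
from dataclasses import dataclass, field

# Header ("magic") bytes for a few common user-document formats.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
}


def still_parses(path: str, header: bytes) -> bool:
    """Cheap stand-in for 'the OS parser can still open this file':
    does the newly written header match the format implied by the
    extension? Unknown extensions are given the benefit of the doubt."""
    dot = path.rfind(".")
    magic = MAGIC.get(path[dot:].lower()) if dot != -1 else None
    return magic is None or header.startswith(magic)


@dataclass
class WriteEvent:
    process: str   # image name (a process-group id in a real system)
    path: str      # user file being rewritten
    header: bytes  # first bytes of the new contents


@dataclass
class ProcessState:
    rewritten: set = field(default_factory=set)
    garbled: set = field(default_factory=set)


class RewriteMonitor:
    """Per process: what share of the user's files it has rewritten, and
    how many of those rewrites left the file unparseable."""

    def __init__(self, user_files, rewrite_fraction=0.10, garbled_limit=3):
        self.user_files = set(user_files)
        self.rewrite_fraction = rewrite_fraction
        self.garbled_limit = garbled_limit
        self.state = defaultdict(ProcessState)

    def observe(self, ev: WriteEvent):
        """Returns None (allow), 'block' (item 4) or 'throttle' (item 3)."""
        if ev.path not in self.user_files:
            return None  # not a user document; out of scope for this check
        st = self.state[ev.process]
        st.rewritten.add(ev.path)
        if not still_parses(ev.path, ev.header):
            st.garbled.add(ev.path)
        # Item 4: rewritten documents no longer parse -> stop rewrites, alert user.
        if len(st.garbled) >= self.garbled_limit:
            return "block"
        # Item 3: rewriting a large share of everything the user owns -> throttle.
        if len(st.rewritten) / len(self.user_files) >= self.rewrite_fraction:
            return "throttle"
        return None


def run_demo():
    """Three constructed scenarios; returns the verdict after each event."""
    files = ([f"docs/report{i}.docx" for i in range(20)]
             + [f"photos/img{i}.png" for i in range(20)]
             + [f"docs/invoice{i}.pdf" for i in range(10)])  # 50 files
    mon = RewriteMonitor(files)
    verdicts = {}
    # A word processor saving two documents normally (valid ZIP header).
    for i in range(2):
        ev = WriteEvent("WINWORD.EXE", f"docs/report{i}.docx", b"PK\x03\x04\x14\x00")
        verdicts[f"editor{i}"] = mon.observe(ev)
    # An unknown binary overwriting documents with high-entropy junk.
    for i in range(6):
        ev = WriteEvent("JGjthjsfgl.exe", f"docs/report{i}.docx", b"\x9b\x02\xf1\x77\xc3")
        verdicts[f"junk{i}"] = mon.observe(ev)
    # A bulk converter rewriting valid PNGs: parses fine, but 5/50 files = 10%.
    for i in range(5):
        ev = WriteEvent("convert.exe", f"photos/img{i}.png", b"\x89PNG\r\n\x1a\n\x00")
        verdicts[f"conv{i}"] = mon.observe(ev)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:8s} -> {verdict}")
```

The third scenario shows the trade-off the comment alludes to: a legitimate bulk tool trips the 10% throttle and would need the user's approval, while the junk-writing process is blocked on the third unparseable document before it reaches that share. A real implementation would key on provenance-tagged process groups (item 7) rather than image names, and would consult actual format parsers rather than header bytes.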
Zero days are indeed often not required; however, IMHO the initial attack is less preventable than the lateral movement and further exploitation - if attackers are in your systems for a week while they spread everywhere and kill your backups, preparing to pull the switch to "ransomcrypt" everything at once, then that was your opportunity to detect it and kick them out, but the victim organizations obviously were not capable of that. This needs to be fixed, perhaps by methods similar to those you describe.
As how much is being spent on these payments overall each year? How would that compare to the massive IT fortification project people are demanding?
We don't meaningfully fight bike theft for this reason. The cost of doing so relative to the benefits is just too high. We can debate whether that is reasonable, but that is essentially what has been decided as a society. Most low level crime is not meaningfully investigated.
And this erodes trust in society and rule of law, and gradually leads to vigilantism, privatization of security, and segregation due to middle-class flight from high-crime areas.
Having a physical write-enable switch on the backup devices costs about three cents.
War analogies are inapplicable, privateer analogies are inapplicable. Create the incentives, organizational and software structure required to stop this or it will continue. Holding single companies accountable shifts the burden without solving the problem.
Have standards, standards bodies, defensive organizations.
Like for food, hostels, stuff on the roads. There are some analogies.
Or do you mean banning both the US on-ramps and the foreign off-ramps? Are you optimistic that the US could get, for instance Russia, to enforce such a ban?
I'm not necessarily opposed to this "just ban cryptocurrency" talking point, but I'm never sure I understand what people mean by it in practice.
We need to start holding companies criminally liable for having security vulnerabilities that get breached. It is true that there will always be exploits, but the issues are usually much more wildly irresponsible security practices and not "didn't know about the latest 0day".
There needs to be a statutory liability to customers and required insurance. Let the insurance company figure out the regulations instead of bureaucrats and politicians, insurance company rules are optional and noncompliance is just more expensive.
It is an increasing trend but the current uptick in awareness is mostly media coverage. This stuff has been going on forever, a few particularly newsworthy things happened now everyone is going out of their way to report each new instance. Trends in reporting instead of trends in exploits (to a degree)
Sure, whitelisting is annoying to say the least, but these are critical systems, you don't need to install new software daily or even monthly.
To protect your company, application whitelisting needs enough usability to be easily supportable for the workstations of your accountant, office receptionist, and the VP of Marketing (those three are all good examples of valuable entry points for targeted attacks), which all may get management approval to throw out application whitelisting if it inconveniences them enough - there's no reasonable tradeoff between security and usability, you must get both as usability is mandatory and usability deficiencies will result in security features getting removed in all but the most critical circumstances.
I’d guess that recognizing that a given computer is now critical infrastructure is also part of the problem.
Whitelisting is the cool buzzword again, but it doesn't do much against human operated ransomware. It's a huge effort to implement (I know you want to say it isn't; try it and learn) and it's not very useful.
That's why most shops skip it.
Writing a law with proper disincentives is also trivial -- forget about fines. Proper jail time for senior execs and board members.
Execs and boards will be damn sure not to pay ransoms, and additionally damn sure that any company they hire to help knows in no uncertain terms that they are also not to pay any ransoms.
It really isn't that hard to write laws that disincentivize paying ransoms and aren't possible to route around with wink-and-nod bullshit.
Loopholes exist, but in general the government is not terrible at figuring out basic schemes like this and adapting administration of the law.
Insurance. Back-ups. Bail outs. Go out of business. That ransom paid has negative externalities that manifest nationally.
There is definite economic attack damage incentive still in place.
In fact - if ransoms are banned - then it would seem that such types of attacks become more of a state sponsored attack to affect the economy of your enemy/competition
What if it were apple attacking FB or something like that. Surely we will see this in the future, just as originally foretold in Neuromancer.
Unencrypting for victims in the US that couldn't pay would just add more exposure risk to them of getting caught, so they would have no incentive to actually do it. It would take a large bit of money out of the system, but it seems like you need all countries to coordinate, and that one country doing so on its own, enforcing a no-payout rule, won't have much effect on non-targeted attacks.
How many of these attacks are fully automated in the initial attack/encrypt phase vs. human operators explicitly working to more fully infiltrate a target?
Given the effectiveness of social engineering in hacking's history, that's a very good question. I wouldn't be surprised if randomized attacks are used to create a "sales funnel" of high value targets with poor IT ops/outdated equipment/etc that can be exploited for big payouts. All it takes is a few hundred or thousand dollars to bribe a low level employee so the vast majority of the cost is likely in finding targets. Once they've identified a target, the exploitation process is probably mechanical.
The argument for banning payment of ransom for a ransomware attack applies just as much to any other situation where a ransom is demanded.
No, that’s what our military is for. That said, we have limited evidence any of these recent attacks were state backed.
For those of us who make money when cybersecurity dollars are spent, yes. Practically, you’d get a federal agency writing checklists.
Ban cryptocurrencies. They are the cause of the ransomware epidemic.
This is meant sincerely, not glibly: How? How can cryptocurrencies be banned in any meaningful sense?
We can "ban" them in a legal sense ("Use of cryptocurrencies is illegal after 1 Jan 2022"), great. But how can they be practically banned so long as computers themselves are not invaded by governments to observe every detail of their operation and private overlay networks are still technically feasible?
In what world does a ban on paying ransoms get wantonly evaded while a ban on cryptocurrencies does not?
To ensure that you don't have holes in your security posture... The technology you deploy is important, but it is also important that your security and governance model on top of the technology is in place.
Most of the blame is going to Russia, though North Korea is a possible source of this, as are a few random countries scattered around. Most stand to lose more than they gain from allowing such crime. (their military might be interested in the ability, but those will be more careful about who they target)
Unforced error.
Whether they'd listen to them still is another matter but that's the same with a regular cybersecurity team.
And that is to say we have institutional standards where unsafe practices are considered OK and will be followed because they save X dollars and time now.
For example, let's look at the recent major Colonial Pipeline case. Their pipeline systems weren't connected to the Internet, and did not get compromised. What got compromised was their business billing and customer communications systems - and those do need to be connected to internet, that's their whole point, and they apparently were critical enough to make them shut down the (uncompromised) pipeline anyway.
It doesn't matter if your meat packing plant machinery SCADA systems are isolated, your inventory, logistics and sales systems are critical for your operations and need to be connected to the internet, so a ransomware attack will kill you even if your plant equipment works fine.
It doesn't matter if your chemical plant sensor network is isolated, your payroll and shift scheduling system is critical to your operations and needs to be connected to the internet.
Heck, for so many companies their email systems are critical to their operations (and leaking the contents would cause a massive liability) and those obviously need to be connected to the internet.
Not connecting is helpful in some cases, but it's nowhere close to a sufficient solution.
I'm not sure what it would be called, but has there been any investigation in a sort of "transparent by default" database system? Ideally if this were possible people wouldn't need to care about data being stolen (though in this case it's unclear what the attack did, but many times it's more like we'll reveal/block your data unless you pay up)
Crypto is really what's made ransomware at the scale we see it now possible.
Another interesting shift is that complete administrative takeover is often less compelling: software is more secure covering administrative functions, but users, who have access to all of your business data, are as vulnerable as ever.
The remote server knows to unlock your computer and cleanse it of the ransomware upon receipt of payment.
Many also leave a marker on your system/network preventing reinfection. Most ransomware is from the same vendor rented out which prevents reinfection, for now.
Ransomware in cryptocurrency could be easy to stop naturally. Miners just need to know that there is a nonzero chance of their blocks being forked off if they help them. It’s a technical problem of out-of-band governance protocols among miners, not unlike what is already being done for positive gain (MEV) by FlashBots. That’s the incredible possibility of cryptocurrency. It’s designed to turn selfishness into a public good, with no coercion, recognition, or good will. And sure, they could include a massive reward to convince miners to include the block, but then that also goes for every coinbase and transaction afterward, until there is nothing left, and no incentive at all for ransomware.
The present reality, of course, is that miners are just not that sophisticated. For the most part they’re just aping the repos that are released by the foundations. But the foundations certainly should understand that it’s in their interest to protect their currency by at least giving the miners information about transactions in the mempool or utxos, and perhaps some kind of out-of-band signaling mechanism to indicate unwillingness to accept blocks that include them. Perhaps better yet, a price for inclusion demanded in the form of an MEV burn added to the next block, which would of course fetch its own price. There is some criticism of the foundations here, as there is also some criticism of some PoS implementations that do not allow fork selection, but ultimately I think that they can solve it.
So that takes care of economic hackers. I’m far more concerned with non-economic or peri-economic agents. There is a doctrine of “unrestricted warfare” that everybody should know about. It explains many things about how and why things do not make sense. It is because we are under attack, and it’s a truly brilliant offensive, for which all of our defenses only work in their favor. I don’t have the answers for this. But it does give a warning. The effect they seek is not the damage they’ve done, but our reaction to it. Our reaction, by regulation that cripples our competitiveness, by restricting our own freedoms, could be disastrous to our country and our way of life, which is exactly what they want. And these attacks, although they may be carried out by economic agents, almost certainly find their roots in exploits created by long-standing programs of infiltration. Nature too, has learned this trick; SARS kills by turning the immune system against the host.
When the real failure is somewhere else: bringing these perps to justice. The fact that they can get away with this over and over again hiding behind anonymity is what enables these crimes.
If major infrastructure continues to be hit I think we will eventually see this happen, but we absolutely cannot count on foreign states to 'do the right thing.'
I agree the problem is that these criminals are sheltered from prosecution.
I get that you might not be able to do anything about it if they are sheltered from prosecution where they cash out.
But I don't get why we can't at least, to some reasonable degree of accuracy, say Address A took the ransom and eventually it ended up with Address Z cashing out through Exchange B. Then if either Exchange B or Address Z has anything at all to do with the US-dominated international financial system, you've got serious leverage.
If I'm Coinbase, am I not worried about unwittingly laundering money for terrorists? Don't I have a staff trying to prevent that?
Just like when they hit the vehicle inspection system in March, the wealthy hemmed and hawed about how nobody should get away with thumbing their nose at state authority but the little guys were just happy it wasn't them getting the shaft for once.
Or is it more like "well as long as it doesn't hit us we don't care"
It's the classic antagonist to the Colonial pipeline hysteria, which stopped their pumps because they would not be able to account for the exact gallons delivered to which customer. So they rather stopped a critical infrastructure. Hilarious. Plus Windows.
Here again the Windows office PCs were affected, but the steamships themselves didn't care much. They kept going, you only had to pay for your ticket onboard, not online. Online reservations were not honored.
I don't think this is really anything new. Just different targets.
1.) There is a cottage industry in this space that sells kits for these ransomware compromises. Everything provided is off the shelf; this is why you're seeing such an emergence in this space. It's not that the barrier to exit from a ransomware attack cost decreased (cryptocurrency). The barrier to entry lowered: any jerk can pay a small amount of funds to buy a software kit and instructions on how to do it.
Furthermore, this is also why you're seeing so many public defacements go politically neutral (ironic given the times). It's simply relatively lucrative, with a low amount of risk, and only requires the technical aptitude of someone capable of using BitTorrent/Tor/Warez.
2.) Hiring / managing security teams - unless you're in technology or selling security as a part of a product, you can't afford a quality team/tools. Most businesses are trying to optimize their cost centers to maximize their profits. As such, most of the time that means it's a race to the bottom to get them to be "insurable". Salary + software is expensive. A 500k minimum investment for a meat processing company or whatever is not the easiest pill to swallow.
3.) companies that pay this are not good judges of security talent. They don’t know if the herjavec group really is an effective detection company. They judge almost entirely on feeling. Same with that one fast talking hoodie wearing self proclaimed hacker talking out of their ass.
Not understanding what you're hiring for also creates friction, since any deviation from the fantasy security hire they imagined will be met with extreme resistance. "I thought they were going to shore up our servers, why do we have to log in on our email every 8 hours now?" Oftentimes when an executive leader does not understand why security trade-offs are made, they just make the decision themselves (pro tip: they'll accept the risk) and you've failed regardless as an employer and employee.
4.) The industry does very little in a practical sense in preparing people for these job functions (with a few exceptions). Security engineers often have technical skills in spades. However, if they don't understand anything outside of security they are going to fail. Civil communication/debate, the ability to navigate political issues, understanding the business etc. are actually super important. The biggest tragedy was that someone internally probably saw this coming but couldn't actually get the messaging across.
When you combine all of these elements you have a confluence of shit. It’s once again getting less expensive to perform a wide attack with little know how intersecting an industry that has yet to course correct.
For cities, recurring plagues began occurring during Roman times and limited maximum city populations to about 1 million until the advent of modern sanitation, hygiene, public health, waste removal, and food quality. (Actual medical care and treatment had little to do with this, though vaccines and antibiotics helped.)
Industrial pollution lagged industrial development by about 50--100 years, with air and water quality and material contamination (heavy metals, asbestos, organic solvents, synthetic hormone disruptors and other bio-active contaminants, etc.).
Increases in travel, transport, and communications almost always directly facilitate fraud. The Greek/Roman gods Hermes/Mercury represented communication, messages, travel, transportation, commerce, trickery, and thieves. The term "Confidence Man" arose from Herman Melville's novel of the same name, set on the first great highway of the United States, the steamboat-plied Mississippi.
Mail begat mail fraud. Telegraph and telephones begat wire fraud. Cheap broadcast radio and television, payola and game-show frauds. Email begat spam and phishing.
The 1990s and 2000s computerised business practices employed computers with shitty security, but those systems were saved by the general lack of networking, the relatively small size of global computer networks, limited disk storage, limited network bandwidth, and the effectual air-gapping of paper-driven steps in processing. Billing might be submitted or computed electronically, but a paper check still had to be cut and signed. Draining accounts or data simply wasn't possible without running up against the inherent limitations of computer infrastructure at the time, even had a payment mechanism similar to today's cryptocurrencies been available.
If my assessment is correct, we'll be seeing much more of this.
Attackers have low costs. Victims have highly-interconnected, but poorly-defended systems, comprised of multiple components, each complex on its own, and lacking any effective overall security accountability. End-to-end automation exists, facilitating both productive work and effective attacks. A viable and tracking-resistant payment mechanism exists. Regions from which attacks can be made with impunity exist, and are well-connected to global data networks.
Backups alone are not an effective defence, as these protect against data loss but not data disclosure. Full defence will require radically different thinking, protection, risk assessment, and law-enforcement capabilities.
Until then, get used to more of this, at both large and small scales.
There are some potential bright lights.
- I suspect attackers aren't targeting specific facilities but are instead conducting automated and scripted attacks against vulnerable facilities.
- For data-encryption ransom attacks, this means that the decryption key is all but certainly derivable from information on the attacked system, perhaps encoded as filenames or contents. Determining this mechanism may at least allow for data recovery. (It of course does nothing against data disclosure, long-term surveillance, or access denial attacks.) The likelihood that attackers have some database of victims + passwords seems low.
- Attackers are themselves subject to trust and suspicion attacks, and turning members or safe-harbours against attackers is probably a useful countermeasure.
- State-level sanctions, falling short of military attacks, may also prove effective.
My impression is that most of these start with phishing, and probably even tailored phishing for larger organizations. A particular phishing campaign then just needs to include an encryption key, while the decryption key is kept elsewhere; this process is still quite easy to automate.
Hell, you could even just let loose lots of malware with different encryption keys, with the decrypting keys stored in a spreadsheet. When one succeeds, display a hash of the encryption key to the victim, and have them read it back to you when they call in to negotiate. And then just look up the paired decryption key when it's needed. No need to track anything, or bother with command+control.
Releasing "lots of malware" either means a finite keyset, or a key-generation mechanism. At least as I see it.
(I'd really like to find a detailed analysis of the malware software. There was an earlier version of the Darkside attack which used a weak mechanism for key generation.)
This may be our last chance to maintain global power through the use of force at all, given that so many competitors are gaining foothold in every other area.
We need bullet proof IT infrastructure, instant backtracing, and effective retaliatory responses ready to deploy, yesterday!
Why the hell isn't the attacker's computer compromised when they access the data? (rhetorical)
The countries protecting these criminals are behaving like the taliban when they controlled Afghanistan.
Poisoning dissidents, hijacking airplanes, crashing hospitals and pipelines, we'd better be careful because eventually someone's going to get hurt.
... Right.
We have to protect our satellites, see what other nations are up to (perhaps even intercepting their sat comms), and make sure our hypersonic game is on point.
It's worth noting that "cyber warfare" is what the NSA already does.
Are there CTOs or IT heads going into board meetings or other meetings, and telling people that these systems are secure? Because if so, they need to be tried for fraud.
If it's on the internet, it is not secure.
Imagine if all the hacks we've seen in the last year happened all at once. We'd be screwed.
https://newrepublic.com/article/162589/ban-bitcoin-cryptocur...
Imagine encrypting the whole Maersk network and then asking for ransom in cash? Wherever you decide to do the exchange there will be a couple of Apaches/Eurocopters/Mis hovering around and watching you. With crypto, just send them your XMR address, then wait a couple of years for the heat to come down before mixing/cashing out.
Many stores open after 19:00 don't have much cash on hand, so robbing them is not really attractive any more. There are almost no bank robberies, as even banks don't actually have cash.
The people who get mugged are normally forced to go to an ATM to withdraw cash.
I'm not suggesting we just randomly ban stuff to avoid the criminals from exploiting it, but it is working.
By "Ban" I mean they no longer make them, and possibly destroy them once they get circulated back to the central bank. They're still legal tender.
See also 500 euro note... (edited to clarify "ban" meaning)
Banning crypto exchanges is actually a much more effective solution to the problem because it at least forces someone to show up in person to collect the money.
If you ban paying ransoms, desperate people will just do it in secret, something bitcoin works hard to enable.
Enable activity instead of futilely trying to ban activity. Instead of focusing on punishing the victims and unrelated third parties, focus on punishing and disrupting the perpetrators.
Or if not letters of marque, they could at least just issue a notice that certain activity will have a blind eye turned towards it, to mirror the policy of some of the governments that bear most of the responsibility for ransomware activity.