And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
http://www.poetryloverspage.com/poets/kipling/dane_geld.html
Paying ransom merely teaches the criminal that you're an easy mark that they should demand more ransom from in the future.
I would have used this stanza as I think it's a little more applicable in this situation:
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
As another commenter said, individuals can prevent themselves from being victimized again by starting a regime of proper backups. It isn't as ideal as arresting the motherfuckers and sentencing them to 25 years in federal prison, but it prevents an individual from being labelled a mark.
On the other hand, when the FBI says 'just pay it', I'd argue that it makes all of North America more vulnerable. The end of this game is oppression and shame, and the nation that plays it is lost.
The U.S. Constitution actually has provisions for legally doing that. Lobby your congressmen to issue "letters of marque and reprisal", which Congress is authorized to provide precisely for businesses to engage in warlike behavior against pirates et al, which includes the modern form in "ransomware".
And while initially ransomware operators were quite "solid" and, for lack of a better word, "trustworthy", the popularization of it led to everyone and their mother writing ransomware in hopes of getting a quick buck.
In those cases you can't even rely on the encryption being recoverable because the malware itself is utter garbage and the criminals don't care or don't even have the technical skills to operate a full ransom cycle campaign.
It's not uncommon to see even fairly fresh ransomware examples in the wild with dead BC wallet addresses, banned PayPal, Skrill (and other transaction provider) accounts, incorrect routing numbers etc.
This isn't 5-10 years ago where some ransomware would actually give you a VoIP phone number/Skype/email to call or mail, and you would get to speak to some Russian or Malaysian guy, give them the money and actually get a key to recover your data.
Sure, some ransomware operators still operate that way, some have more sophisticated automated systems with C&C servers, but most figured out that it doesn't matter because they are in it for the quick buck, and well, if you are going to commit a crime then why not fraud/scam your target in the same swoop.
Ironically this reality led to the more established organized crime organizations that employ ransomware to generate income actively fighting against the new waves of quick cash ransom scams, because they need people to still have some trust in the fact that they can get their data back if they pay.
And if you don't get the parody reference -- it's to the classic "You Bash the Balrog".
That one's a reference to a ST:TOS episode.
This is assuming they bother to give back your data.
First, the ransomers have every incentive to actually abide by their promise to decrypt. In essence, they're running a business. Whereas in a kidnapping situation ransoms are high, ransomers tend to stay anonymous, and risk is high, with ransomware the monetary amounts involved are low, the ransomers typically conduct their actions under an established pseudonym, and the risk in upholding their side of the bargain is low. If they were to not hold up their end of the bargain and it became known that "LeetSquad" doesn't actually decrypt data, victims would stop paying. This would be a disaster.
Furthermore, while it's correct that a victim who pays signals their ease of being shaken down, again, the economics of the situation work in the victim's favor. These attacks aren't targeted. Given an effectively endless supply of potentially-paying victims, direct targeting is unnecessary, wasted effort. And again, risk of reputational damage is high. For evidence, look no further than this FBI recommendation!
For further evidence, consider the fact that in practice, these groups overwhelmingly keep their promises and don't appear to specifically re-target previous victims. They even, no joke, have online support staff who will work with you in the event of difficulties unlocking your data!
I had the idea once that one way to combat these groups would be to run a PR and news campaign attempting to convince the general population that ransomware groups will take the money and run, and that they'll just come after you again. Even if it isn't true, a successful campaign might do some serious damage to their profit margins.
The hacker wants to be trustworthy here so that new victims will be more likely to pay the ransom because they believe they will actually get their data back.
One also wonders what's the point of all NSA's "SIGINT" efforts if they can't or won't use it to catch such usually foreign actors, so maybe they also introduced an argument against mass surveillance.
I suggest that the cybersecurity tool-set favors offense these days.
Chris Inglis, recently retired NSA Deputy Director, remarked that
if we were to score cyber the way we score soccer, the tally would
be 462-456 twenty minutes into the game, i.e., all offense. I will
take his comment as confirming at the highest level not only the
dual use nature of cybersecurity but also confirming that offense
is where the innovations that only States can afford is going on.
This is a serious problem, not only from the problems of intelligence agencies with many powers and poor oversight; ignoring defense is going to bite a lot of people in bad ways. We are already seeing the beginnings of this with the escalating impact computer-based attacks are having on their victims.
I also recommend considering Jacob Appelbaum's response to this question[2] from the audience - from someone currently working for the NSA. The summary is that we need people doing NSA-style work, but on the defense side, and we need it now. If the NSA isn't doing that, then maybe people that want to actually protect their country should find somewhere else to work that is actually working on defense.
What is a good way to protect against ransomware? Symantec buries the lede with the answers (possibly because of conflicting business interests) which are
1. Limit end user access to mapped drives
2. Deploy and maintain a comprehensive backup solution
http://www.symantec.com/connect/blogs/ransomware-dos-and-don...
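Item 2 above is only useful if the backup is kept somewhere the user's session cannot reach (which is also why item 1 matters) and if someone periodically proves that it can be restored. The script below is an added illustration of such a restore drill; it is not code from Symantec or from any commenter, and every path and file in it is constructed for the demo. It snapshots a directory together with a SHA-256 manifest, detects files that were later modified or deleted, and copies only those back from the snapshot.

```python
"""Backup drill: snapshot a directory, record a SHA-256 manifest,
detect tampered or missing files, and restore them from the snapshot.
All paths and file contents below are constructed sample data."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical name, stored next to the copy


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def snapshot(src: Path, dest: Path) -> dict:
    """Copy src into dest and write the manifest alongside the copy.
    In real use dest would be offline or immutable storage, never a mapped drive."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)
    manifest = build_manifest(dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Return relative paths whose content no longer matches the manifest
    (modified, replaced or missing)."""
    return [
        rel for rel, digest in manifest.items()
        if not (root / rel).is_file() or sha256_of(root / rel) != digest
    ]


def restore(snap: Path, target: Path, paths: list) -> int:
    """Copy the listed files from the snapshot back over target; returns the count."""
    for rel in paths:
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snap / rel, dst)
    return len(paths)


def drill() -> dict:
    """Run the whole cycle on constructed data inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"          # stands in for the user's working share
        snap = Path(tmp) / "snapshot"      # stands in for the offline backup store
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "report.txt").write_text("quarterly figures\n")  # constructed
        (live / "notes.txt").write_text("meeting notes\n")                # constructed

        manifest = snapshot(live, snap)
        clean = verify(live, manifest)     # expect nothing flagged right after backup

        # Simulate damage to the live copy: one file overwritten with junk, one deleted.
        (live / "docs" / "report.txt").write_bytes(b"\x00garbage\x00")
        (live / "notes.txt").unlink()

        damaged = sorted(verify(live, manifest))
        restored = restore(snap, live, damaged)
        after = verify(live, manifest)     # expect nothing flagged after restore
        return {"clean": clean, "damaged": damaged,
                "restored": restored, "after": after}


if __name__ == "__main__":
    print(drill())
```

Running `drill()` reports two damaged files, restores both, and a final verification that flags nothing; the same `verify` step is what a scheduled job would run against the snapshot itself to catch a backup that has silently rotted before it is needed.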
But really, how do we justify spending thousands of dollars on hardware? I hate myself for saying this but there are real risks of doing too much as well. We could have our own mini tyrannical regime of secure computing a la the TSA security theater.
Effective user education is challenging. Even developers are prone to use elevated user permissions where none is strictly required just for the sake of convenience. I know I've found myself right-clicking visual studio and clicking "Run as administrator" reflexively after just a few months of working on ASP.NET and IIS.
This is a little off-topic but I imagine the whole funding offense vs defense might be a little more "natural" than we like to admit. Imagine you're a defense manager and there's this other guy who is an offense manager. Just as a football analogy, how do you justify your team's worth when the other team says that there is no good way to quantify the worth of the work you're doing and there is a good way to quantify their team's work? I guess what I'm asking is how do we put a dollar and cent value to defensive cyber security? Can we just ask "How much does the business stand to lose if we lost all our data to ransom ware or worse to a competitor?" or would business think that is overreaching?
Hasn't "a great offense is always the best defense" always been the name of the game? We've gone from fists, to sticks and rocks, to spears, to swords, to Greek Fire, to gunpowder, to nuclear weapons. Why not now be the ones to own the power to take down any computer or network?
Great efforts in defense aren't necessarily successful or rewarded either, e.g. Reagan's "Star Wars"/SDI https://en.wikipedia.org/wiki/Strategic_Defense_Initiative which was widely criticized and failed miserably.
While cyberdefense is not in the same unrealistic realm as SDI was in the 80s, the ways that most people think about security - firewall on the perimeter and/or securing each node, pen testing, patches, and locking down what can be installed/used - don't really solve the problem of having a wide attack vector. Imagine if you could shoot a single soldier out in the field and it would kill his/her whole battalion, the base in which he/she was stationed, and perhaps destroy or weaken the entire army or even armed forces to which he/she belonged? That is the situation now.
Playing ultimate defense requires much more isolation. We shouldn't be on the same network, we shouldn't always be connected, and we should really limit how the outside world can affect each node. That isn't often the case with the networks we have currently.
Seems NSA is obsessed with penetrating everywhere using 'terrorism' as a means to ensure continued funding. Thus the 'defense' nature is quite boring and sadly ignored.
Expect the same behavior from the NSA. They will use their power first and foremost whenever it benefits themselves, not to protect all citizens or corporations.
The Brits acted sparingly using the cracked Enigma code precisely because they were trying to protect as many citizens as they could -- if they acted every time, the Germans would have figured out the code was compromised and switched to a stronger code.
It would be like if the British "blew their cover" and the Germans could only respond by completely ceasing all encrypted communication. Not the best possible outcome if they do, but still a positive outcome.
It's an even better outcome for cybercrime, since ceasing all communications would mean ceasing everything. If the NSA did this, the criminal would probably just stop operating, which means they might not be brought to justice, but at least the attacks would stop.
Can you imagine the FBI saying, just pay the mafia?
I hesitate to say something so pedantic, but with the number of people who attribute crazy properties to the concept of "free markets", etc. I think we should just be clear on this one.
There is also a defensive side to NSA's mission that is defense-oriented (IAD), but the most recognizable contributions that most of the HN crowd may be familiar with are SELinux and perhaps a modest body of research involving how to secure your systems (the defense side is much more open than the offensive side). The problems I see there are that these measures are all very much aimed at large corporations, not start-ups (seriously, I can count the number of start-ups outside the intelligence / DoD space I've ever heard of that use SELinux or follow NSA hardening guidelines on two fingers) and there is clearly a huge gap between how much big businesses take security seriously compared to start-ups, from both a cultural and business-driven set of motivations.
The number of start-ups derailed / completely wiped out by extortion attempts is rather small compared to the number that actually exist, but the legions of security consulting companies around the DC beltway want everyone to think that it's really terrible and that everyone's a target. The truth is that everyone needs to be secure "enough" to not be as vulnerable as the really stupid guys, and that while it might sting a lot to be down for a few hours or so and lose revenue / trust from users, diverting your company's resources towards hardening so much is quite costly for smaller companies and it's just more practical to have really fast re-provisioning set as a priority for your devops / ops engineers (most start-ups can do this far better than larger companies).
To be blunt, if you think like this and make legal arguments like this, you don't understand western civilization and should go and think for a while about all of society.
Unless of course you're kidding and being cynical.
It's 2015: computing is part of society, and computing free from attacks is little different from walking about in public unharmed. It takes massive contortions of perception to feel otherwise. Everyone is online! (Just as everyone goes out now and then.)
Ransomware is almost literally still just ransom.
https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-real... has the official statement:
The FBI doesn't make recommendations to companies; instead, the Bureau explains
what the options are for businesses that are affected and how it's up to
individual companies to decide for themselves the best way to proceed.
That is, either revert to back up systems, contact a security
professional, or pay.
I'd guess that the malware users are being quite clever in keeping the ransom demands (relatively) small, to make it easy to choose to pay. They then profit in scale because targeting thousands of people is simple.
Since the ransom payments are in Bitcoin, it's possible to track the payments and work out how much money the scammers are making. Some estimates put it as high as $325 million: http://www.coindesk.com/cryptowall-325-million-bitcoin-ranso...
Whoever is advising people to "just pay the ransom" is a fool.
Meanwhile, "don't pay the ransom" is not an honest answer to "what's the best thing for me to do now that I'm infected".
Just telling people to pay the ransom is idiotic. It actually leaves the malware in place, and what guarantee is there that they won't be blackmailed again the next day?
Is this an either/or scenario?
From removing advice that you should encrypt your data, to arguing for backdoors, to advising that you should pay ransoms, Comey has been a complete buffoon.
Still, the Boston head of cyber said that organizations
that have procedures in place for regularly backing up
their data can avoid paying a ransom at all, by simply
restoring the infected system to a state prior to the
infection.
The other important thing to consider is that your data is already tainted, so the cost of the ransom is meaningless compared to the cost of re-evaluating all the data once you manage to decrypt it, as well as the cost of the decryption itself; it's not like you'll get an easy tool to do it.
But considering that recovering data from backups also costs a small fortune it might be a reasonable gamble after all.
Maybe we should defund the FBI if this is the best advice they can think of.
The FBI has already confirmed this "just pay the ransom" was completely misquoted and taken out of context.
Stop spreading this clickbait FUD.
really?
If you have any evidence about the authors, you can report it to the local police, who will contact Interpol and then Russia's police. Russia has all the necessary laws to punish cyber criminals.
"..FBI’s most wanted list of cybercriminals: Russian hacker Evgeniy Bogachev. Bogachev, the authorities believe, was responsible for operating both viruses... GameOver Zeus and CryptoLocker" http://www.slate.com/articles/technology/technology/2014/06/...
"still appears to be at large in Russia, where officials have shown little interest in helping the FBI"..."What a talented guy," said Mikhail, 23, who recognised Bogachev's FBI photo as the man he would see in the lobby with his wife and nine-year-old daughter. "Sitting at his computer at home, he broke into our enemies' camp, but did not harm his fellow Russians." http://www.telegraph.co.uk/news/worldnews/europe/russia/1088...
"His alleged bank heists topped $100 million"..."Bogachev, 30, who lives luxuriously in Anapa, Russia, a beautiful seaside resort town of 60,000 on the northern coast of the Black Sea, and often sails his yacht to various Black Sea ports, remains a fugitive." http://www.usatoday.com/story/news/nation/2014/06/03/fbi-bus...
Guess the authorities can't find him because yachts are pretty tricky to spot.