SoylentNews is people

posted by Fnord666 on Sunday February 09 2020, @05:48PM
from the getting-the-horses-back-after-closing-the-barn-doors dept.

Why you can't bank on [just] backups to fight ransomware anymore:

[...] [The] belief that no personally identifying information was breached in [a] ransomware attack is common among victims of ransomware—and that's partially because ransomware operators had previously avoided claiming they had access to victims' data in order to maintain the "trust" required to extract a payment. Cyber insurance has made paying out an attractive option in cases where there's no need for an organization to reveal a breach, so the economics had favored ransomware attackers who provided good "customer service" and gave (usually believable) assurances that no data had been taken off the victims' networks.

Unfortunately, that sort of model is being blown up by the Maze and Sodinokibi (REvil) ransomware rings, which have adopted a model of using stolen data as leverage to ensure customers will make a payment. Even in cases where a victim can relatively quickly recover from a ransomware attack, they still will face demands for payment in order to avoid the publication or sale of information stolen by the attackers before the ransomware was triggered.

Maze and REvil are targeted ransomware attacks that break from the established norm of ransomware attacks in other ways. Telling users not to click on email attachments and to recognize phishing sites isn't stopping these attackers from getting in. Both have relied on exploits of known weaknesses in Internet-facing infrastructure of their victims—be it an Oracle WebLogic vulnerability, a long-ago patched weakness in Pulse Secure VPN servers, or hacks of managed service providers' systems.

Being able to quickly get back up and running after a breach is a very good thing. It is also not enough. Preventing attackers from exfiltrating confidential information is likely more difficult and potentially more costly. Especially since Europe enacted GDPR (General Data Protection Regulation) and some other jurisdictions in the US have enacted laws requiring prompt disclosure and notification after a breach.


  • (Score: 0) by Anonymous Coward on Monday February 10 2020, @06:02PM (#956427)

    While this sounds plausible and makes a lot of sense (like how everything is made of 4 elements: earth, fire, water, air), it is overly simplistic and somewhat wrong.

    As a counter-example, consider piracy (as in the literal pirates on the high seas 200 years ago). Media would have you believe that they were savage plunderers... which was true, but not really. Pirates actually treated their victims very well. It behooved them to make surrender to them pleasant. The last thing they wanted to do is to have a reputation for raping the women and killing the men, because then the merchants they wanted to steal from would fight to the death against them. (This is the exact same thing that happened on 9/11. Before then, a hijacker could have a fairly easy time hijacking a plane as everybody cooperated. Once 9/11 happened, passengers will fight to the death against a hijacker because "we're going to die anyway.")

    So in regard to paying off blackmailers, it's a trade-off. True for any individual they could be squeezed more and more. However, if a ransomware gets a reputation of "we'll screw you anyway," they'll never get any more money from their victims. So they have a strong incentive to play by the proverbial rules (most of the time, if they got leverage on a single person who can pay enough to be worth more than all future trouble, all bets are off).

    Also, in regard to Dane-Geld, that is also overly simplistic. The key point is that Dane-Geld is a short-term solution. As long as it is treated that way, you're fine. For example, "all our soldiers are in the Middle East in the 2nd crusade, we need to buy a year of time," it makes perfect sense (as anybody who has played a war-game or 4X game can tell you). It's when you think of it as a long-term solution, and/or you get the reputation of being a weak country, that it becomes a problem.