
from the getting-the-horses-back-after-closing-the-barn-doors dept.
Why you can't bank on [just] backups to fight ransomware anymore:
[...] [The] belief that no personally identifying information was breached in [a] ransomware attack is common among victims of ransomware—and that's partially because ransomware operators had previously avoided claiming they had access to victims' data in order to maintain the "trust" required to extract a payment. Cyber insurance has made paying out an attractive option in cases where there's no need for an organization to reveal a breach, so the economics had favored ransomware attackers who provided good "customer service" and gave (usually believable) assurances that no data had been taken off the victims' networks.
Unfortunately, that sort of model is being blown up by the Maze and Sodinokibi (REvil) ransomware rings, which have adopted a model of using stolen data as leverage to ensure customers will make a payment. Even in cases where a victim can relatively quickly recover from a ransomware attack, they still will face demands for payment in order to avoid the publication or sale of information stolen by the attackers before the ransomware was triggered.
Maze and REvil are targeted ransomware attacks that break from the established norm of ransomware attacks in other ways. Telling users not to click on email attachments and to recognize phishing sites isn't stopping these attackers from getting in. Both have relied on exploits of known weaknesses in Internet-facing infrastructure of their victims—be it an Oracle WebLogic vulnerability, a long-ago patched weakness in Pulse Secure VPN servers, or hacks of managed service providers' systems.
Being able to quickly get back up and running after a breach is a very good thing. It is also not enough. Preventing attackers from exfiltrating confidential information is likely more difficult and potentially more costly. Especially since Europe enacted GDPR (General Data Protection Regulation) and some other jurisdictions in the US have enacted laws requiring prompt disclosure and notification after a breach.
(Score: 4, Interesting) by Anonymous Coward on Sunday February 09 2020, @06:09PM
Maybe this can be the stick to effect the goals of the GDPR: data frugality.
(Score: 4, Funny) by Runaway1956 on Sunday February 09 2020, @06:40PM (3 children)
If you're depositing your backups in the bank, do they draw interest?
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by looorg on Sunday February 09 2020, @07:53PM
Sure, but most of it comes back corrupt.
(Score: 5, Funny) by barbara hudson on Sunday February 09 2020, @08:26PM
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
(Score: 2) by All Your Lawn Are Belong To Us on Monday February 10 2020, @05:26PM
The bit rot multiplies... does that count?
This sig for rent.
(Score: 5, Insightful) by barbara hudson on Sunday February 09 2020, @07:25PM (2 children)
Say you're an in the closet lgbt and someone gets proof of that. You can pay them to buy their silence, but they'll keep asking for more because now you've established that you're an easy mark. You can say "I'm not paying" and alert the law - extortion is illegal. And you can really screw them over by going public. Can't be blackmailed if it's no longer a secret.
As for stuff that needs to be confidential by law, your only option is to go public about the breach. And not pay. Because blackmailers will just keep coming to the well. You trusting them to honour an agreement shows just how smart they were to target you.
You never give in to blackmail. The hurt will never end, even if the original source drops dead - someone else will acquire the "contract."
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
(Score: 5, Insightful) by RandomFactor on Sunday February 09 2020, @09:07PM (1 child)
It is always a temptation to an armed and agile nation
To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
To puff and look important and to say: --
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: --
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that pays it is lost!"
---Rudyard Kipling
В «Правде» нет известий, в «Известиях» нет правды
(Score: 0) by Anonymous Coward on Monday February 10 2020, @06:02PM
While this sounds plausible and makes a lot of sense (like how everything is made of 4 elements: earth, fire, water, air), it is overly simplistic and somewhat wrong.
As a counter-example, consider piracy (as in the literal pirates on the high seas 200 years ago). Media would have you believe that they were savage plunderers... which was true, but not really. Pirates actually treated their victims very well. It behooved them to make surrender to them pleasant. The last thing they wanted to do is to have a reputation for raping the women and killing the men, because then the merchants they wanted to steal from would fight to the death against them. (This is the exact same thing that happened on 9/11. Before then, a hijacker could have a fairly easy time hijacking a plane as everybody cooperated. Once 9/11 happened, passengers will fight to the death against a hijacker because "we're going to die anyway.")
So in regard to paying off blackmailers, it's a trade-off. True for any individual they could be squeezed more and more. However, if a ransomware gets a reputation of "we'll screw you anyway," they'll never get any more money from their victims. So they have a strong incentive to play by the proverbial rules (most of the time, if they got leverage on a single person who can pay enough to be worth more than all future trouble, all bets are off).
Also, in regard to Dane-Geld, that is also overly simplistic. The key point is that Dane-Geld is a short-term solution. As long as it is treated that way, you're fine. For example, "all our soldiers are in the Middle East in the 2nd crusade, we need to buy a year of time," it makes perfect sense (as anybody who has played a war-game or 4X game can tell you). It's when you think of it as a long-term solution, and/or you get the reputation of being a weak country, that it becomes a problem.
(Score: 1, Interesting) by Anonymous Coward on Sunday February 09 2020, @08:29PM (3 children)
My computer has two hard drives. An SSD for the OS and certain applications and an HDD for non-sensitive data. Sensitive data is kept on an external drive (with backups), may be encrypted, and is only put in the computer when I need it.
(Score: 2) by Kell on Sunday February 09 2020, @11:48PM
I also do this - I have five computers over two different sites where I back up my valuable data.
Scientists ask questions. Engineers solve problems.
(Score: 2, Interesting) by Anonymous Coward on Monday February 10 2020, @04:21AM (1 child)
I use a cheap WalMart ONN Android tablet these days for browsing the net. That is its primary use for me. For the same reason I use tongs to touch unknown objects I find on the sidewalk.
I have a 128GB SD card in the tablet. And many ways of downloading things of interest for later vetting for transfer into my main personal system, which no longer sees the net at all. My main system is WIN7, multiple CloneZilla images, and hasn't seen a security update since Microsoft sent out that FTDI Chip Killer under disguise as a security patch. Not only did that piss me off big time, it also destroyed my trust of Microsoft and the methods they use... which they gingerly call a "service". Microsoft's meaning of the word "Trust" is so highly different than my concept of that word. But, I have to consider the business aspects. That FTDI interface chip and the robustness of my stuff means a lot to me. For many top corporate business executive types, this kind of thing is just a trivial bullet point line item on a boardroom meeting. They get paid top salary whether or not the thing works. No wonder they take this kinda stuff, no skin off their back.
(Score: 2) by takyon on Monday February 10 2020, @04:36AM
This is the way to go. If you want security, keep it off the internet. If you want the internet, find a sacrifice.
Just don't get a Walmart EVOO tablet: https://www.youtube.com/watch?v=2XABj1cCJiE [youtube.com]
https://slickdeals.net/f/13830260 [slickdeals.net]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by edIII on Monday February 10 2020, @12:10AM (1 child)
Define "winning" here.
If winning is suffering no damage, no financial penalties, no loss of public perception, then winning is impossible.
Backups, specifically those that are incremental, store different versions of data, are definitely still enough to fight ransomware. If you define winning as still having access to clean data after the attack, and the ability to restore operations quickly.
If you redefine ransomware to include extortion using exfiltrated data, then not only backups are rendered failed strategies. You can just easily say, "strong application firewalls" are no longer enough to fight ransomware.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 4, Informative) by sjames on Monday February 10 2020, @12:37AM
If the bad guys got code onto your network with sufficient access to encrypt all of your files, all bets are off as far as data leaks are concerned whether they throw in some extortion or not. That might be their backup plan, or perhaps they intend to sell off customer data for an extra paycheck (even if they do extort you about data release and you pay, crooks aren't always honest, go figure).
(Score: 3, Interesting) by Snotnose on Monday February 10 2020, @01:39AM (1 child)
It's no longer enough to buy insurance, now you actually have to spend $$$ on fixing your damned (in)security. Guess that MBA needs to actually pay attention to those poor SOBs who only have a BS and 10 years experience managing computer networks.
Is there a gofundme where I can encourage these ransomware folks, cuz it seems to me they're doing us a favor.
Of course I'm against DEI. Donald, Eric, and Ivanka.
(Score: 2) by pkrasimirov on Monday February 10 2020, @12:15PM
> insurance
Don't forget the "it was an act of war" excuse so the insurance is ruled void.