MattGaiser
The poor IT guys there probably asked for a couple thousand for backups instead and were previously denied. Ransomware first rose to prominence three years ago.
Yet seemingly little has been learned?
RNCTX
I know the university I attended has learned nothing at all. State university in a wealthy US area with over 30,000 students. They still think security is forcing everyone to change passwords once every 6 months. No offer of 2fa of any sort for any service.
I stopped using my email address between transcript requests because the whole student/faculty directory is rampant with student employees of local businesses sending spam within the system.
A permanent link is a complete mystery of a concept to them as well. Every time sun shines on an article in public media for them the glory is sure to be short lived, because google's link will be broken in 6 months tops.
MattGaiser
> A permanent link is a complete mystery of a concept to them as well. Every time sun shines on an article in public media for them the glory is sure to be short lived, because google's link will be broken in 6 months tops.
I am baffled that universities (and so many others) don't just use WordPress for publishing their media.
ElCapitanMarkla
Why would you use crappy free Wordpress when you can pay a couple hundred thousand for a vastly superior MS SharePoint setup...
hhs
What type of insurance does UCSF have for ransomware? Last year, ProPublica noted how some insurance companies like to pay ransom for their business [0].
[0]: https://www.propublica.org/article/the-extortion-economy-how...
Veserv
That poses at most a minor roadblock. You just take over the backup-and-restore service for a little while and corrupt the backups as they get made. If anybody tries to verify the backups they just restore them correctly until they make their demand. Would probably add between $10K and $100K to the cost of attack (probably closer to $10K), so would probably be immaterial to the profitability of this attack. Therefore, even if they did it they would almost absolutely still be attacked with exactly the same consequences if they did not pay the ransom.
Simple "common sense" solutions are pretty close to useless in these scenarios since they provide no meaningful impediment to halfway competent attackers. They stop children and script kiddies which is helpful in that there are a lot more of them, but essentially every actual economically-motivated attack remains viable.
To provide an analogy, the fence around a military base does good work stopping people from just walking onto base, but it does not stop the enemy tanks. That does not mean the fence is useless, it stops one kind of threat, but if tanks might actually attack the base you either need to have a way to stop them or be willing to take the loss. Throwing up more fences so it takes longer for the tanks to roll over all of them is not really meaningful if losing the base is still an unacceptable loss.
sillysaurusx
Ehh, a decent backup service (https://www.tarsnap.com/) will give you the ability to make write-only backups over time, i.e. you should be able to roll back to 6 months ago without any chance of something corrupting the backup process.
Of course, it depends how much data you're backing up.
Veserv
To clarify I meant at the time of backup. When the data is being sucked out of the system to the backup they encrypt. All that requires is taking over the system pushing the data out to the backup for however long you want to deny backups. Obviously this requires not getting caught during that time, but the median time to discover a data breach is 279 days (~9 months) according to IBM [1] and this is actually easier to hide in many senses than a data breach since you are just messing with an existing data flow instead of trying to do the much more suspicious data exfiltration.
sliken
Large compromises of sensitive data also have to consider the release of sensitive info, not just recovery. So even with backups there's an incentive to pay.
MattGaiser
Ah yes. NetWalker seems like a particularly bad variant as it does at least claim to steal the data.
TedDoesntTalk
How big is their endowment? Why do people donate to universities when they squander money like this?
conanbatt
Having personally dealt with UCSF IT, I'd say that they don't deserve sympathy.
nradov
Paying ransoms should be a criminal offense. That's the only way to remove the incentives for ransomware attacks. If that means some businesses fail or government agencies get temporarily shut down then that's acceptable collateral damage and will serve as an object lesson to others about the importance of IT security.
smabie
How about kidnapping insurance? Should that be illegal?
thaumaturgy
There are reasonable precautions that organizations can take to mitigate a ransomware attack before they happen. You might even say that organizations should be obligated to have some minimum IT infrastructure in place if they're going to be responsible for customer (or student) data in any fashion.
Organizations that try to pinch pennies year after year by avoiding paying for the basics are harming IT in general and they're further harming society by sending money out to criminals that will go on to spend that money on attacking other people and organizations.
AbrahamParangi
Yes. Paying ransom funds the next kidnapping.
mc32
There is already Cyberinsurance for this kind of scenario... so unless poster would like to make that illegal too...
Thorrez
Well cyberinsurance can be spent on things besides paying a ransom, such as hiring a security firm to investigate and a data recovery firm to try to recover data from backups. It can also cover revenue losses due to outages, and payout damages to your users if your users' data was stolen.
I guess theoretically kidnapping insurance might be spent on things besides a ransom as well, such as hiring mercenaries to recover the kidnapped person. But I doubt that's very likely.
bananamerica
That is not a reasonable comparison.
cheriot
It's insurance that negotiates and pays ransom. How is that not comparable?
newbie789
How so?
MattGaiser
What if they threaten to release the data? Is it really preferable to let personal info flood the net rather than pay?
brianwawok
Of course not.
But if it was illegal to pay a ransom, the frequency of the crime would go down.
webdestroya
More likely the _reporting_ of the crime would go down. This hurts everyone
conanbatt
But it would still happen. With this policy idea you are doubling the amount of criminals.
ineedasername
I guess it depends on the nature of the personal info. By this point a significant portion of the population's basic personal info is already out there. If we're talking detailed medical records, then sure, I might say "pay". But if it's names & SS#, I don't know.
Marsymars
At the very least, it should be non-negotiable government policy for no government, government agency or public body at any level to pay ransoms.
mrtnmcc
Agreed - paying ransom is funding and facilitating a criminal operation.
captn3m0
Always been curious about the tax accounting for ransoms.
Does anyone know how it is reported usually? Going public must make it harder I guess?
How do you explain a bitcoin purchase from a business account without an invoice to the taxman otherwise?
secabeen
It's a business expense like most others. In this case, it's considered theft, but you still can deduct it: https://www.forbes.com/sites/robertwood/2017/05/16/if-you-pa...
Thorrez
You don't usually have to report money you spend, at least if you're an individual. You only have to report money you make. If you're a victim you don't make any money. I doubt the attacker is reporting the income for tax purposes, so the attacker is breaking tax law most likely.
Ghjklov
I'm imagining a scenario where a UCSF insider could coordinate this with someone by deliberately getting their system infected and then splitting the money with whoever is behind that NetWalker instance. Do you guys think that would work?
mc32
They had better have well thought out plans to make a new life in France...
ineedasername
Why, are you "asking for a friend"? :)
logicallee
Why isn't paying ransom illegal?
Points:
* Anytime any ransom is paid it is in the most literal sense funding ransom, even more directly than funding terror in the most direct way possible: when you send a check to ISIS that may or may not actually fund terror. Maybe whoever you sent it to is just good at making an ISIS recruitment page and doesn't do much real terror, just marketing.
* But paying a ransom by definition directly funds ransom, far more directly than sending money to ISIS directly funds terror.
* Whoever gets the money at ISIS might spend it at a brothel, there's no proof of terror.
* But whoever gets your ransom when you are ransomed by definition engages in ransom.
* You are funding ransom by definition.
* Additionally, since all rich nations are generally pretty law-abiding, making paying a ransom strongly illegal means that the companies have no choice. They're simply not able to write the check or wire the funds.
* Finally, another strong reason to make it illegal: anyone could claim falsely to be ransomed. If I wanted to fund ISIS I could literally write on a piece of paper which messages to send me in what sequence, and then I could send them money and claim falsely to be ransomed by them.
* Paying a ransom should be strongly illegal.
* Also note that this is a good analogy with "possession of stolen goods" - the fact that such is a crime largely destroys the market for stolen goods. The market would be much stronger if possession of stolen goods weren't a crime.
* There is an argument made about direct consequences: "But if we don't pay they will actually kill my daughter!" The same argument applies directly to paying bribes: "But if we don't pay, we actually can't get a license to sell in that country!" Still, paying bribes abroad for routine administrative work is illegal. Companies can't do it. If they do it, they get fined. Result? 1) (immediately) companies stop doing it. 2) administrators stop requiring it.
The world becomes free of bribery. This proves that making paying bribes illegal works.
Why wouldn't it work for making ransoms illegal? UCSF just funded a ransomist $1M. That should be illegal.
The going rate for a thug in a third world country might be $800 per month. UCSF just paid for one thousand two hundred and fifty man-months of abduction.
perl4ever
It is true that making a law is how you deal with the conflict between self interest and public interest.
However, if you make something illegal that people have a strong motivation to do, they may just keep doing it, only not as publicly. And in that case, the people who demand ransom will not be particularly discouraged. Their business may improve, because victims will have an incentive to keep the whole thing secret.
Think about how people worry that enforcing immigration laws will lead to violent crime being ignored.
ineedasername
>The world becomes free of bribery. This proves that making paying bribes illegal works.
Have I misunderstood your tone here, or do you actually believe this? Because bribery is illegal, and happens all of the time. The few who get caught get in trouble. Heck, Goldman Sachs does it when it's needed to land deals! [0]
I imagine the same would happen if ransom for ransomware was made illegal. Thieves wouldn't care, what they do is already illegal. If someone they infect with ransomware can't figure out how to get them their money, what do they care? I'm sure their profits would go down, but it wouldn't stop. If anything it might just drive them to hit many smaller targets to get through volume what they can no longer get through big hits.
logicallee
I don't think there are any countries left where international companies can't operate at all without paying bribes. Maybe they won't get their permits as fast, but they can still operate.
The fact that GS acts criminally is on GS. The fact that you can do business without being criminal like GS proves that this works.
See how I just shifted the conversation to the fact that GS is criminal? That's what we want. Not some routine transaction.
ineedasername
Sure, yes, bribes are criminal. But making them criminal didn't make them go away. Now you are shifting your claim from saying the world is bribe-free to simply saying it's not necessary. Which is also not true anyway:
I know someone, in the US, who was unable to get a health-inspection sign off without making a separate "gift" to the inspector. The permit languished for months, with no apparent progress or response. Money was being lost. Finally the inspector showed up and made a reference to this "gift". The person I know said he might take his issue to the head of the health department. The inspector said "that's fine, you can do that. When you speak to him, tell my father that I said hello." Other areas of the same business were unable to get a certain supplier to either show up, or when they did, to provide usable product, until a kickback was given. Why not choose a different supplier? Because the type of supplier had to have a specific license to distribute the product, and suppliers had divided up territory so there was only one supplier in any area.
Bribery is alive & well. All making it criminal has done is ensure that when it's discovered, it is punished.
joemazerino
How many breaches does it take for the right policies to be put in place?
MattGaiser
It usually needs to be an expensive or embarrassing breach to bring change.
signa11
hello Equifax...
julianeon
Has anyone considered designing an IT infrastructure from the ground up that would be maximally resistant to ransom ware?
I think past generations are excused for not preparing this, simply because it was theoretical. It is real now. So designing systems that assume some part will be captured eventually, and then work to minimize that before they are even deployed, would be timely now.
cosmodisk
Why am I not surprised? The first two minutes doing google dorks returns all sorts of private stuff from quite a few US universities. They are easy targets to say the least.
pengaru
Apparently when you're accustomed to paying SF cost of living $1.14M loses its sting. /s
Previous thread: https://news.ycombinator.com/item?id=23659590