rslade
Influencer II

Paying ransomware doesn't pay

OK, I have, elsewhere, expressed my opinion that paying the ransom for ransomware is a bad idea.  First off, you are funding crime.  Secondly, you are encouraging crime.  (If nobody paid the ransoms, they'd stop doing ransomware, wouldn't they?)

 

Then there are the various reasons why paying the ransomware isn't a good idea in simply practical terms.  Some of the ransomware was never intended to allow you to recover.  Some is badly coded, and doesn't work when decrypting.  Some of the ransomware families are simply based on symmetric encryption, and one key decrypts all.  (You can find lists of those, and the ways to recover, at various places on the net.)  Some of the ransomware groups are just disorganized, and lose their keys.

 

(Then there are those who confuse ransomware with breachstortion, and are talking about people who actually do steal your data, and then threaten to publish it unless you pay up.  Most of the same reasons why paying ransom to them is a bad idea hold, with the addition of the fact that, if you pay the ransom, you are relying on the promises and integrity of a bunch of thieves, liars, and extortionists.)

 

(Oh, and that argument about the "business model" of ransomware and breachstortion being based on them doing what they promise?  That business model only works if you are talking about return or repeat business.  Are you telling me that you are going to go through ransom or extortion with the same group all over again?  How stupid are you?)

 

Now some research from Sophos backs that up.  If you pay, you've got a less than 10% chance of getting all your data back.

 

I figured I'd collect some of the previous discussions about ransomware here ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
16 Replies
Caute_cautim
Community Champion

@rslade So what is the definitive answer to reduce or prevent ransomware attacks from happening?  Surely they come back to good hygiene from the organisations themselves?  This is a failure all over the world?

 

So what is the answer?  We keep reporting, the media report it, the privacy commissioners report it, and yet nothing happens - and yet we all know that businesses cannot remain successful if they do not invest in cybersecurity controls commensurate with the value of the assets they own and protect within their own organisations.

 

Simply, what is the answer?  The universal question?  The Hitchhiker's Guide to the Galaxy?

 

Regards

 

Caute_cautim

denbesten
Community Champion


@Caute_cautim wrote:

... what is the definitive answer to reduce, prevent ransomware attacks....

Offline Backups.

Caute_cautim
Community Champion

@denbesten I would dispute this approach, as it may work for traditional organisations, but lots of organisations have spread themselves into the digital transformation movement, i.e. moved to the cloud.  Unfortunately a level of naive mindset has spawned in lots of organisations - they simply do not know the value of their information/data assets, nor do they actually know who or what has access to them, whether authorised or not.   They simply do not know.

 

Then they find out that the cloud provider's shared responsibility model actually does matter, along with the associated controls, which they failed to comprehend.  So their data may appear to be safe in the cloud provider's hands, but in fact they have just made the whole thing far worse for themselves.  Many organisations just do not realise this, and in fact have cascaded an existing issue into an even greater nightmare for themselves.

 

As we have simply stated many times, if you visibly see your data and its whereabouts and the associated controls, you potentially have the means to protect it.  If you do not, you just made the issue far greater and so much easier for the attacker, who is sitting either internally masquerading as an individual or sitting externally waiting for the opportunity to make many organisations experience a living hell.

 

One approach is simply to ensure you encrypt your data wherever it exists, in transit or at rest, and perhaps apply some fully homomorphic encryption to raise their maturity level at the same time.   This would certainly offset the nightmare that awaits the unwary, or those who are prepared to take a risk, and the "it won't happen here" brigade.

 

In fact, I came across one organisation the other day who simply did not have "governance" - an accident simply waiting to happen.

 

However, on average it may take them 293 days to discover they have been compromised, and suddenly they have friends and helpers they never knew before.

 

regards

 

Caute_cautim

Steve-Wilme
Advocate II

Better still, recreate all your VMs from offline images and have your offline differential backups on flash arrays.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
rslade
Influencer II

> Caute_cautim (Community Champion) mentioned you in a post! Join the conversation

> So what is the definitive answer to reduce, prevent ransomware attacks
> from happening?

Make a backup.

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

rslade
Influencer II

> Caute_cautim (Community Champion) posted a new reply in Industry News on

> @denbestenI would dispute this approach, as it may work for traditional
> organisations, but lots of organisations have spread themselves into the digital
> transformation movement i.e. moved to cloud.

In which case you back up locally.

Preferably with removable media ...

Caute_cautim
Community Champion

Hi @rslade.   Yet lots of organisations don't want to back up locally; it costs money, and depending on the length of the archive requirement, potentially lots of money.   And yes, they don't have a Plan B - a BCP for it - either.

 

They implicitly trust the cloud, they don't want to own hardware, licenses, etc they just want a monthly charge.

 

Yes, a practical remediation is to back it up locally, but this costs money - and every five years they have to replace the encrypting storage drives, or even tape drives etc. 

 

They would prefer to delegate to a third party.

 

This takes away the pain, and they have someone to blame, if it goes wrong too.

 

As they say in Risk Management - transfer the risk.....

 

Regards

 

Caute_Cautim

Caute_cautim
Community Champion

@Steve-Wilme     Are the VMs held in a private data centre or private cloud, and who owns them - the organisation or a third party?

 

Regards

 

Caute_cautim

Steve-Wilme
Advocate II

I'm referring to an actual ransomware incident, which was recovered from by deleting all the VDIs on which the infection was believed to be in memory, logging off all staff, recreating everything affected from a clean offline image and then restoring the encrypted files from the latest backups.  The systems were on premises.  No ransom was paid.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
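A check a restore team can run on a backup set before the "restore from the latest backups" step described above, as an added example (not code from any poster in this thread): digests are recorded when the backup is taken and kept offline with it, and at restore time any file that has changed, gone missing, or now looks encrypted is flagged so it is not restored over a freshly rebuilt system. The manifest layout, filenames and file contents are constructed for the example.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def write_manifest(backup_dir):
    """Digests recorded at backup time; keep this dict offline with the set."""
    return {p.name: sha256_file(p) for p in sorted(Path(backup_dir).iterdir())}

def shannon_entropy(data):
    """Bits per byte: ciphertext sits near 8, text and most documents well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_backup(backup_dir, manifest):
    """Compare the set to its manifest; flag modified files that now look encrypted."""
    report = {"ok": [], "modified": [], "missing": [], "suspicious": []}
    for name, expected in manifest.items():
        path = Path(backup_dir, name)
        if not path.exists():
            report["missing"].append(name)
        elif sha256_file(path) != expected:
            report["modified"].append(name)
            if shannon_entropy(path.read_bytes()[: 1 << 20]) > 7.5:
                report["suspicious"].append(name)
        else:
            report["ok"].append(name)
    return report

def demo():
    """Constructed sample set (not a real backup): one file overwritten, one deleted."""
    d = Path(tempfile.mkdtemp())
    files = {"config.ini": b"[db]\nhost=localhost\n",
             "notes.txt": b"quarterly notes\n",
             "payroll.csv": b"id,name,amount\n1,Alice,100\n"}
    for name, body in files.items():
        (d / name).write_bytes(body)
    manifest = write_manifest(d)
    # Simulate damage: payroll.csv replaced by high-entropy bytes, notes.txt removed
    junk = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    (d / "payroll.csv").write_bytes(junk)
    (d / "notes.txt").unlink()
    return verify_backup(d, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest only protects against tampering if it is stored where the compromised systems could not reach it, which is the point of keeping the copy offline.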