Why openly announce that you're paying the ransom?
Here are some major disadvantages that I can think of:
1. Announces to the world that you have poor security/backup practices, which encourages more attacks against you
2. Announces to the world that making and distributing ransomware is good business, which encourages more attacks against everyone
I understand that public institutions need financial transparency in order to be accountable to the public. But the nature of this isn't any different from, for example, a basement flooded due to poor design that required $20,000 to fix. Someone screwed up, and it cost the university $20,000. Let's just pay the money, fix the problem, and take steps to make sure it doesn't happen again. No need to call up the local paper about it and make it a story.
> Why openly announce that you're paying the ransom?
An effective thing they could have done is to announce that they paid the ransom, but that the decryption did not work (even though it did).
That has the advantage of discouraging other people from paying up, and therefore reduces the incentive to create more ransomware attacks.
Hell, the government could step in and recruit people and companies to falsely claim that they were ransomware victims who paid up, but never got decryption keys and were screwed over. That could put a damper on ransomware psychology.
Thinking about it further, however, this will probably lead to better "customer service" by the ransomware makers. They'll adapt their software to selectively decrypt part of your data for free, so they can offer you proof that they can and will give you working keys once you pay up.
> Hell, the government could step in and recruit people and companies to falsely claim that they were ransomware victims who paid up, but never got decryption keys and were screwed over. That could put a damper on ransomware psychology.
This actually did happen to me. Paid the money, got the key, couldn't unlock my files. Damn shame.
The school’s vice-president of finance and services said why they openly disclosed it:
As for why the U of C admitted it paid the ransom, as well as releasing the cost, Dalgetty said it’s an effort to be transparent. “We’re a public sector organization and we pride ourselves on our openness,” she said. Source: http://calgaryherald.com/news/local-news/university-of-calga...
Personally, I am glad they disclosed it. For example this incident raises the awareness that having a solid backup policy is important. Maybe this very story will help IT staff from other universities convince upper management to invest funds into developing a more solid backup policy.
That can do some good in the long term. It will eventually get operating system vendors to enforce much stricter security measures by default that perhaps they wouldn't have considered otherwise or anytime soon, because they would "break legacy code" or whatever.
It's also good that this is coming at a time before the rise of self-driving cars. Because the vast majority of car makers seem to know nothing about security, yet are eagerly jumping head first into always-connected, self-updating and digital-first self-driving cars. I'm guessing people are going to raise hell when ransomware arrives for their cars. And I think the car makers will be "shocked" (shocked, I tell you), that this will be happening, and will say something dumb like "Nobody could have ever predicted this! - it's why we never implemented good security in the first place."
However, because the OS/hardware vendors are only going to be dragged kicking and screaming into implementing stricter security measures, it's going to be a while before stricter security arrives.
In the meantime, beyond alerting criminals that ransomware is big business, it will probably also be used as an excuse to pass more CISA-like surveillance laws (which will do absolutely nothing to stop the rise of ransomware).
It could also be used as yet another excuse to end strong crypto (because obviously ransomware uses crypto). But of course, it's not like the Russian or Chinese criminals doing this are going to care that the US has a ban on strong crypto. So yet again a solution that does nothing to stop the rise of ransomware, but would still make it much worse for all of us, and it could even be a step back in the fight against ransomware.
>In the meantime, beyond alerting criminals that ransomware is big business, it will probably also be used as an excuse to pass more CISA-like surveillance laws (which will do absolutely nothing to stop the rise of ransomware).
See, I actually don't think that this will change the level of deployment for ransomware. Ransomware has proven its effectiveness from the very first time it hit the web; it's a low-cost, high-return form of malware due to the nature of its operations. Whereas other forms like scareware and annoying malware can often be dealt with, albeit at the cost of time and sometimes money, ransomware has a very clear and tangible cost to the user: their data. For home users, it's somewhat easier to suggest that while the loss of an entire photo directory is tragic, it's not worth the $400. But when you start getting to actually important data, for example student records, accounting records, large business projects, asking users to take a stand on principle becomes a lot more difficult, especially since in some cases they have a legal obligation to try to remedy the situation.
Ransomware is a low-risk venture for ne'er-do-wells because it's shooting fish in a barrel. Point your spambot at any major institution and you're bound to get a hit on something that has essential data for that institution. Combine this with the fact that even after decades of home computer hard drive failure and nearly a decade of cloud storage being commonplace, people are still really bad at backing up their important things.
Our reliance on data and our poor ability (often inability) to mitigate the damage done by data loss is what will keep ransomware firing, regardless of how many institutions are able to take a public stand against the extortion. The barrier to entry is so low that a failure to collect from victims is virtually meaningless. The attackers are out virtually nothing, and can attack ad nauseam because they know sooner or later they'll get a hit where the cost of the data loss far exceeds the cost of the decryption key; and as long as the attackers occasionally make good on the sale of the decryption key, there's always going to be the hope from users that "maybe if we pay we can fix this".
A principled stand isn't what is going to be necessary to fix ransomware; major changes in how the public handles its data and in how OSes work with/detect ransomware are going to have to happen first. Until then, anyone who refuses is pretty much just getting a Pyrrhic victory; the attackers might not get their payout, but the cost to the victim is far greater.
I'm not really sure these threat scenarios apply when it comes to ransomware. Often ransomware attacks are not targeted but instead just the result of your standard drive-by attack or the classic shotgun e-mail approach, since usually university email listings are pretty easily scrape-able, especially if they're a Google Apps for Education (GAFE) university, as GAFE has pretty generous in-domain sending policies on email and there's an implicit trust in most people when they get something from an in-domain email.
So the initial point, while it may be true to some extent, is not really the common method of attack; the truth is that for the most part there is no need to really "craft" an attack against most users within a large enough organization. Just compromising one or two accounts or using one of many means to impersonate an official sounding account is often enough to get access to a few in-domain accounts. Once you have that, you can easily get past the majority of people's mistrust and get them to run just about anything you send them. When I did support for a small private university in the US, our GAFE accounts were constantly plagued by phishing and spam emails, and despite our best efforts to educate our user base, people just kept on clicking and giving out information. The entire process was basically automated from the attacker's side, as when we compared notes with other universities suffering the same issue, the emails sent out were verbatim copies, save that the university names were swapped out and a different logo.jpg was added to the emails for authenticity. Attacking a major organization really doesn't require a careful eye and dedication, just changing a few entries in some program and starting the process.
As for why to disclose? There's probably some degree of a necessary public accountability - I actually doubt that the university itself called up a paper and said "man have we got a story for you" so much as someone at the publication got wind of the information and plugged the university for a brief interview. Honestly, reading through the article, it's incredibly terse as far as actual details from the University as to what happened. Since it's a Canadian University, I'm not sure on their responsible disclosure requirements, but if it was in the US, I believe they have a timeframe in which they have to admit that student data has potentially been leaked.
Really, these sorts of impersonal attacks do need a lot more attention, since as recently as just a year ago, I found myself talking with somewhat major institutions around the US who had no real good idea how to deal with ransomware, (spear) phishing emails, and so on within their organization. Creating effective user awareness is really tough, since rather frustratingly, getting "phished" seems to be one of those lessons everyone wants to learn the hard way, or arrogantly thinks will never happen to them. We used a Twitter account in combination with a threat blog to try to notify our users, as well as warnings on our log-in page, but even after doing that for 4ish years we still had people giving out their information, and we had an okay-ish following on both.
I'm not saying that it was "good" of them to release that they decided to pay, but I also do question, given how easy ransomware is to deploy, whether or not more discretion would actually have a larger impact. Schools in particular are kind of over a barrel if/when they get hit by ransomware, and a lot of it has to do with poor data retention practices by both the university IT and by offices across the organization. Oftentimes it's not just a mild inconvenience if someone's computer gets locked up by ransomware; you can potentially be irreparably damaging hundreds or more students' academic careers. Should this data be in a position that it can happen like this? Absolutely not, but that doesn't change the fact that it often is.
Microsoft really needs to build ransomware behavior detection directly into Windows. The behavior of these programs is quite distinctive. The advent of cryptocurrency was the missing link to enable all manner of anonymous extortion schemes, and this one in particular seems to now be a mainstream threat. Microsoft should be all over this.
Ransomware detection is just a (perhaps necessary) band-aid.
By default all applications should be sandboxed. Why should a random application be able to read/write to every user directory? We enforce process separation in memory, we should do the same on disk.
Not a bad plan, but also, all data should be backed up. In this 'cloud age' of computing, there's no reason, and no excuse. I certainly don't want to blame the victims of ransomware, but if that data was so important that they paid ransom to get it back, why didn't they back it up?
Except the way most people do backups, by the time they are made aware of the ransom, their backup files are already overwritten with the encrypted ones.
I would also add, multiple backups in multiple places.
Just for my Windows PC I have three backups. One on the machine, one on an external hard drive and one more in the cloud.
How much did it cost me? $80 for the 2TB hard drive and $8 a month for unlimited cloud storage and backup. A small amount to pay to make sure you're covered in nearly any disaster scenario, including ransomware.
It certainly could do this. I don't think Time Machine protects its data in any way.
Backups have to be coupled with some kind of way of noticing that something is wrong. If the ransomware encrypted your data slowly over the course of months and you didn't notice you might be out of luck regardless of your backup system.
That's exactly what UWP (Universal Windows Platform) is: it sandboxes every app. But I am sure you will agree that having this as default behavior on Windows would be disastrous, breaking compatibility with every app written before Windows 10, not to mention that the reason why we use PCs is to have low-level access to hardware; many applications require it and sandboxing isn't going to be a good option here. I guess the macOS way of doing things is a good in-between: by default, every app not from the app store is blocked, and you have to go through a slightly cumbersome process of unblocking it manually in security settings. I'm sure it beats the default Windows permission popup, which I imagine 99% of users just accept without looking at, or disable outright.
Ranked 151-200 in the QS rankings for CS. I bet if they handed this problem over to the CS people in the university they would have willingly helped them out to fix it.
Information security is even listed as one of their main research areas.
You missed this quote under the picture: "University IT workers tried to crack the ransomware for more than a week before the payment".
BTW, are you implying that a strong CS university can break asymmetric encryption? Why is everybody assuming that hackers are stupid all the time, and only they are smart...
RSA has some tools to assist with decryption from a few ransomware flavors. I would assume a few of the other big security firms do as well. We did this for a hospital that got hacked. It is not 100% successful and depends on the variant but is possible.
Even if they were ranked first, I doubt that they can do anything against properly encrypted files. As the article states, they already tried and couldn't find a mistake in the encryption
The most interesting part of the article was that some ransomware sites have threatened to publish their files if they don't pay - no backup strategy will save you there.
Since this exploits user level privileges, perhaps a good idea would be to have a privileged version control system for user data. In that, you need admin/root access to actually DELETE anything, and any file system changes by users are simply versioned away. This means if you had ransomware that fucked up your files (since this software typically runs at user level), you could just instruct said versioning system to roll everything back as an admin?
I think that's what many enterprise deployments do with shadow copies, mostly for file shares. It would probably make sense for Microsoft to push this feature for personal usage/smaller networks as well (not sure if you can currently use it in that scenario).
The way I do it is I create backups locally and then copy them to my NAS over FTP (with a password), instead of Samba. Hopefully, that way any ransomware would not be able to encrypt my NAS as well, as it does not have any publicly accessible folders on the network.
The problem is that ransomware doesn't have to activate immediately, so you can end up with multiple copies throughout your backups before it takes effect. Hence, restoring from backups may not solve an infection.
Obviously you back up changes, but not to the same place as the old file. Backups should be append only, so that if at some point you realize you've started to back up encrypted data you can just roll back to the point where the data wasn't encrypted.
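The three ideas in the comments above (a versioned store where user-level code cannot delete old data, a backup target that keeps old copies instead of overwriting them, and rolling back to the last snapshot taken before the encryption) fit in one small model. The following is an added example written for this thread, not code from any commenter: an append-only, content-addressed snapshot store. The file contents, the three "days" of backup runs, and the XOR stand-in for the ransomware's encryption are all constructed for the demo; a real sample uses a real cipher, and the point of the example is the store, not the cipher.

```python
"""Append-only, content-addressed backup store with point-in-time rollback (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Snapshot:
    seq: int                 # position in the append-only log
    label: str               # e.g. the day the backup job ran
    files: Dict[str, str]    # path -> sha256 of that file's content at that time


class AppendOnlyStore:
    """Blobs are keyed by content hash and never overwritten; snapshots are only appended.

    Deliberately no delete() here: deletion would be a separate, privileged operation
    (the 'admin/root' step suggested above), not something a user-level process can call.
    """

    def __init__(self) -> None:
        self._blobs: Dict[str, bytes] = {}   # sha256 hex -> content
        self._log: List[Snapshot] = []       # snapshots, oldest first

    def backup(self, tree: Dict[str, bytes], label: str) -> Snapshot:
        manifest: Dict[str, str] = {}
        for path, data in tree.items():
            digest = hashlib.sha256(data).hexdigest()
            self._blobs.setdefault(digest, data)   # unchanged content reuses the old blob
            manifest[path] = digest
        snap = Snapshot(len(self._log), label, manifest)
        self._log.append(snap)
        return snap

    def restore(self, seq: int) -> Dict[str, bytes]:
        """Reconstruct the whole tree exactly as it was in snapshot `seq`."""
        return {path: self._blobs[d] for path, d in self._log[seq].files.items()}

    def changed_files(self, seq: int) -> List[str]:
        """Paths whose content differs between snapshot seq-1 and seq. A run in which
        every file changed at once is itself a cheap warning sign worth checking."""
        if seq == 0:
            return sorted(self._log[0].files)
        prev, cur = self._log[seq - 1].files, self._log[seq].files
        return sorted(p for p in cur if prev.get(p) != cur[p])

    def blob_count(self) -> int:
        return len(self._blobs)

    def snapshot_count(self) -> int:
        return len(self._log)


def toy_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Constructed stand-in for the ransomware's encryption; not a real cipher."""
    return bytes(b ^ key for b in data)


# Constructed victim data for the demo.
VICTIM_FILES = {
    "records/grades.csv": b"id,grade\n1001,A\n1002,B\n",
    "thesis/chapter1.txt": b"It was a dark and stormy night.\n",
}


def simulate() -> dict:
    """Three nightly runs: two clean, then one after the ransomware rewrote the tree."""
    store = AppendOnlyStore()
    store.backup(VICTIM_FILES, "day1")
    store.backup(VICTIM_FILES, "day2")          # same content: new snapshot, no new blobs
    single_copy = dict(VICTIM_FILES)            # the 'one copy, overwritten each run' scheme

    encrypted = {p: toy_encrypt(d) for p, d in VICTIM_FILES.items()}
    store.backup(encrypted, "day3")             # the scheduled job runs anyway
    single_copy = dict(encrypted)               # ...and the only copy is now ciphertext

    return {
        "single_copy_recovers": single_copy == VICTIM_FILES,
        "append_only_recovers": store.restore(1) == VICTIM_FILES,
        "whole_tree_changed_on_day3": store.changed_files(2) == sorted(VICTIM_FILES),
        "blob_count": store.blob_count(),
        "snapshot_count": store.snapshot_count(),
    }


if __name__ == "__main__":
    print(simulate())
```

Two caveats a practitioner would add: the store only helps if the infected host cannot reach it with write or delete rights (the separate-credential point made about the NAS above), and "which snapshot is the last clean one" still has to be decided by a human or a detector, which `changed_files` only hints at.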
Easy solution: the government writes into law that it's illegal to pay ransomware hackers. Sure, hackers might get the occasional payee after this, but the likelihood goes down dramatically, removing much of the incentive, especially for larger organisations, to be targeted.
They reference another article that contains a quote from an Intel employee...
"Ransomware and crypto malware are rising at an alarming rate and show no signs of stopping," said Raj Samani, European technology head for Intel Security.
That statement instills a confidence in me that makes me so glad Intel bought McAfee six years ago.
Could one mimic the human immune system when it comes to security? All shared data is blockchained, and if one producer shows a lacking response, all his contact partners get quarantined. Infections... yes; on a large scale (even local), no.
Someone should make a usb hard disk that doesn't allow existing files to be modified on it unless you flip a physical switch. Then you could back your data to that and not worry about it being wiped / encrypted.
I take it you have never tried to buy and set up a really nice backup system in a large heterogeneous university or office environment. $20,000 is nothing.
If you're a Windows programmer, might be a good idea to write a Windows Service that watches for drive encryption. Then you could stop it before it does anything. For now, I think most of the methods are known, so they are easy to watch for.
That's the sort of thing that should already exist in anti-virus software or host intrusion detection systems. I presume that the university wasn't running such software, or that it didn't work correctly, or that the ransomware was smart enough to bypass it.
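The "service that watches for drive encryption" suggested two comments up is a heuristic detector, and the two signals it would key on are the ones ransomware cannot easily avoid: the bytes it writes look like ciphertext (near-maximal entropy), and it writes many of them in a short burst. The following is an added example written for this thread, not code from any commenter or from any product: a sliding-window detector fed with constructed write events. The thresholds, the list of "legitimately high-entropy" extensions, the file names and the SHA-256 chain used as stand-in ciphertext are all assumptions made for the demo.

```python
"""Heuristic ransomware write detector: per-file entropy plus burst rate (added example)."""
import hashlib
import math
import os.path
from collections import deque
from typing import Optional

HIGH_ENTROPY_BITS = 7.0          # bits/byte; prose is ~4.5, encrypted or compressed ~7.9
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}  # assumed list
WINDOW_SECONDS = 10.0            # assumed window
BURST_THRESHOLD = 5              # assumed: suspicious writes in one window before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious_write(path: str, data: bytes, old_path: Optional[str] = None) -> bool:
    """One write looks like encryption output when it is high-entropy and either the
    file was renamed to a new extension in the same operation or the file type does
    not legitimately explain the entropy (compressed media is exempted)."""
    if shannon_entropy(data) < HIGH_ENTROPY_BITS:
        return False
    ext = os.path.splitext(path)[1].lower()
    renamed = old_path is not None and os.path.splitext(old_path)[1].lower() != ext
    return renamed or ext not in COMPRESSED_EXTENSIONS


class RansomwareBurstDetector:
    """Counts suspicious writes in a sliding time window; an alert fires once the count
    reaches the threshold, which is the 'many files at once' signature."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = BURST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._recent: deque = deque()    # (timestamp, path) of recent suspicious writes

    def observe(self, ts: float, path: str, data: bytes, old_path: Optional[str] = None):
        """Feed one write event; returns an alert dict, or None if nothing fires."""
        if not is_suspicious_write(path, data, old_path):
            return None
        self._recent.append((ts, path))
        while self._recent and ts - self._recent[0][0] > self.window:
            self._recent.popleft()
        if len(self._recent) >= self.threshold:
            return {"ts": ts, "count": len(self._recent), "paths": [p for _, p in self._recent]}
        return None


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


NOTE_TEXT = b"Meeting notes: discuss the backup policy and the grades export.\n" * 40


def run_demo() -> dict:
    det = RansomwareBurstDetector()
    # Constructed normal workday: six text saves and one photo inside one window.
    normal = [det.observe(float(i), f"docs/notes{i}.txt", NOTE_TEXT) for i in range(6)]
    normal.append(det.observe(6.0, "photos/holiday.jpg", pseudo_random_bytes(4096)))
    # Constructed ransomware burst: eight files rewritten as ciphertext and renamed.
    burst = [det.observe(100.0 + 0.3 * i, f"records/grades{i}.csv.locked",
                         pseudo_random_bytes(4096, seed=b"file%d" % i),
                         old_path=f"records/grades{i}.csv") for i in range(8)]
    burst_alerts = [a for a in burst if a]
    return {
        "normal_alerts": sum(1 for a in normal if a),
        "burst_alerts": len(burst_alerts),
        "files_seen_at_first_alert": burst_alerts[0]["count"] if burst_alerts else 0,
    }


if __name__ == "__main__":
    print(run_demo())
```

The two evasions visible from the code are the ones already raised in this thread: a sample that keeps the original extension and targets only file types on the exemption list slips the per-write check, and one that encrypts slowly over months never fills the window. Both are why the detector is a band-aid on top of backups rather than a replacement for them.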
The moment Microsoft try to be proactive and integrate a defence mechanism I would suspect people would then try to hold them liable if another ransomware attack succeeded.
Microsoft could do without the overhead, or the headache, and so despite the PR upside it's probably not worth their effort.
Might be an opportunity for an ISV to make a utility though?
The headline could also be "University willingly supports criminals with $20,000" - and it would be more honest.
That's really something that bothers me with the whole ransomware thing: people seem to be completely ignorant of the fact that by paying they're not only getting back their data - they're paying the bills for the people who will launch more attacks against other people. And thus they're themselves guilty of supporting the same crime that just hit them.
That's why it's termed 'ransom'. Because people who don't pay, have things taken from them. You don't really get to condemn ransom payers on ethical grounds without being an asshole.
Paying a ransom encourages the criminal behaviour; it therefore negatively affects all potential victims by making them more likely to become actual victims.
Also, in some jurisdictions paying a ransom is actually a criminal offence, so one could end up causing further negative consequences for your family, friends, colleagues, or the institution you work for.
But with how easy it is to deploy ransomware and how frequently you can get a major hit, it's a pretty pyrrhic victory to not pay. Right now there's no reason to not keep on shooting out ransomware - it's an impersonal, easy to deploy, low cost, scalable form of malware which has a very high and noticeable impact on end-users, who often have little to no recourse or means of mitigating the damage. It's of virtually no risk to the persons deploying the ransomware to deploy the software or collect the money. With other ransom scenarios, the cost and risk to the attacker is far greater for every part of the ransom act; refusal to pay has a greater cost to the attacker in every which way. There is no such cost with ransomware at the moment, aside from the initial financial venture to get/make the software.
Knowing that the ransomware folk are just going to keep on spamming their software against institution after institution, is it really worth the potential cost of the lost data? If it's student data, is it worth ruining students' academic careers over a principled stand? Is it worth losing a novel you've been working on for 8+ years? Is it worth losing business documents that could cripple your business?
It's not as clear cut with ransomware as it is with other forms of ransom and extortion, just because of how stinking easy it is to do ransomware.