Dear customers...
Due to an increase in [ahem] operating costs, our plans will be increasing in price by...
A South Korean web hosting company is forking out just over US$1 million to ransomware scum after suffering more than eight days of nightmare. Nayana first announced the attack on June 10, saying customer video files and its database had been encrypted, and promising to work to recover the data. More than 150 servers were hit …
They will have to prove compliance, fire and replace a few lazy sysadmins and lay out a pile of money on new gear. To win back or retain customers, they will probably offer a more secure and better supported environment, so it might be okay to go there again if they show lessons were learned and the experience has made them tougher. Just saying... I run my own hosting service, update and replace operating systems every year or two, back up offsite constantly, manage as-built documentation... all the stuff I learnt from not doing that stuff. I could still get hit for sure with some malware, but I can just rebuild elsewhere in under a day.
Probably had backup solutions which were incorrectly configured, never tested and never verified.
There's a complacency in seeing green ticks on the screen, but if you never check that the data is on the backup drives/tapes and that you can restore it successfully, you've not really covered the basic requirement to back up.
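The point made in the two comments above (back up constantly, then actually prove the restore works) can be turned into a routine drill. The script below is an added example, not something posted in this thread or used by Nayana: it takes a tar backup of a directory, records a SHA-256 manifest of the live data, restores the archive into a scratch directory and checks every file against that manifest, so a "green tick" from the backup job is replaced by a byte-for-byte comparison. The sample files it creates ("video.bin", "dump.sql") and all paths are constructed for the demo; in use you would point `SRC` at real data and the archive at the offsite target.

```shell
#!/bin/sh
# Backup restore drill (added example, not from the forum thread).
# A backup job that reports success has proven nothing until you restore it
# somewhere and compare the result with what you meant to protect.
set -eu

# manifest_of DIR OUT: SHA-256 of every file under DIR, recorded with paths
# relative to DIR so the same manifest can be checked against a restored tree.
manifest_of() {
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$2"
}

# make_backup SRC ARCHIVE: the step most backup jobs stop at.
make_backup() {
    tar -C "$1" -czf "$2" .
}

# verify_restore ARCHIVE MANIFEST: extract into a scratch directory and check
# every hash. Returns 0 only when the restored tree matches the manifest;
# a missing file also fails, because sha256sum -c reports it and exits non-zero.
verify_restore() {
    scratch=$(mktemp -d)
    rc=0
    if ! tar -C "$scratch" -xzf "$1" 2>/dev/null; then
        rc=1            # corrupt, truncated or non-tar archive
    elif ! (cd "$scratch" && sha256sum -c "$2" >/dev/null 2>&1); then
        rc=2            # archive restores, but its contents are not the live data
    fi
    rm -rf "$scratch"
    return $rc
}

# demo: constructed sample data standing in for "customer video files and a
# database". Prints "ok" when a fresh backup verifies and a stale one (taken
# before the data changed) is correctly rejected.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/db"
    printf 'frame data\n' > "$work/src/video.bin"
    printf 'INSERT INTO customers ...\n' > "$work/src/db/dump.sql"

    manifest_of "$work/src" "$work/live.sha256"
    make_backup "$work/src" "$work/nightly.tar.gz"
    fresh=0; verify_restore "$work/nightly.tar.gz" "$work/live.sha256" || fresh=$?

    # Data changes after the backup ran; last night's archive is now stale.
    printf 'more frames\n' >> "$work/src/video.bin"
    manifest_of "$work/src" "$work/live.sha256"
    stale=0; verify_restore "$work/nightly.tar.gz" "$work/live.sha256" || stale=$?

    rm -rf "$work"
    if [ "$fresh" -eq 0 ] && [ "$stale" -eq 2 ]; then echo ok; else echo FAIL; fi
}

demo
```

Run it from cron alongside the real backup job and alert on any non-zero return from `verify_restore`; the distinction between return codes 1 (archive unreadable) and 2 (archive readable but does not match live data) tells you whether the media or the schedule is the problem.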
They believed they were safe. They were using Linux and Apache, so they were told they weren't hackable. In fact, it's impossible. They didn't tell the truth; all those systems have to be Windows and IIS to have been so thoroughly p0wned. If you use Linux, no one will attack you and succeed, it's written on the internet.
Is there a case for making it illegal for companies to pay off these ransomware blackmailers? If it becomes very unlikely that the victim will pay up, then the business model of the blackmailers disappears.
You could argue that while it may be financially rational for a particular business to pay off a blackmailer, in doing so they're making things worse for everyone else by encouraging and funding the criminals. Hence a justification for outlawing the practice.
In that case everything will be done under the table.
Compliance reporting will go down the drain, exposure of the events will never happen.
Blame what has happened on the:
- UPS
- solar flares
- the flux capacitor
- wrong metal in the cables
Plus imagine if not paying up results in patients dying due to lack of pharmacological information/etc.
Too easy to just say 'outlaw the practice'.
Instead, impose fines and custodial sentences on the top management of companies which have been had due to negligence.
Suddenly there will be money to recruit/buy competent sysadmins/IPS/vulnerability scans/etc./ad nauseam.
I think it's already the case that exposure doesn't happen. Companies are being blackmailed by attackers all the time, and an admission like Nayana's is an extreme rarity.
Enforcement would be challenging, certainly. But dealing with these sorts of attacks involves a lot of people in a company, including techies at the coal face who aren't paid enough to commit a crime for their employer.
There are all sorts of laws on data protection and other forms of compliance that companies can theoretically evade by everyone keeping their mouth shut, but that doesn't necessarily make such laws ineffective.
The TrendMicro article makes a really stupid mistake: "Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts."
The Apache web server, which is what they run, is not related to Apache Struts in any way except for both being part of the Apache Software Foundation.