Today's Resident Evil: Ransomware crooks think local, not global, prey on schools, towns, libraries, courts, cities... Ransomware criminals have taken a particular shine to US city and state governments, infecting them with file-scrambling extortionware in hope of quick payouts. So says the security team at Barracuda Networks, who pored over a stack of its infection reports in the Land of the Free, and found a large majority of specifically …
I can see a market growing for this - naturally the insurer will do what they can to not pay, otherwise they wont make money. Think "must have latest updates to operating systems and anti virus etc installed and running"
It's pretty shit, and also big business. For the potential insurer, the companies and entities needing to hire and pay competent staff and for the arseholes themselves performing the attacks for ransom.
Think "must have latest updates to operating systems and anti virus etc installed and running"
Think also about backups. I'm surprised the insurance companies aren't pushing this.
I do think a lot of smaller cities and other targeted institutions are running systems on the cheap. The system was built way back when and having someone come in periodically for maintenance and setting things up like backups just isn't in the budget. Most libraries, many schools, and small towns are usually strapped for cash.
Update and maintenance is not enough simply because AV SW effectiveness is about 80% . Or 90% backwards. Attacks are usually targeted and based on social engineering. Statistically, around 3% of receiving spam email tend to open malware file, attachment, picture etc. The backup is in 90% untested and fails to work when needed. And in fact, backup and restore is very complex service and requires high level IT professionals to implement. I doubt that "cloud" could help in such cases as well. That is statistical reality of security life. So, let's save some money and pay. After all, miscreants do also need to get reasonable quality of life and put a lot of efforts in their business :)
Interesting article on Ars just recently about how insurance companies and their relationship with ransomware. Refusing to pay out isn't the problem (they can just crank up premiums if they need to), but rather because it's often quicker and cheaper to just pay up than try to recover yourself, places that might not want to pay up are pushed into doing so by their insurer.
https://arstechnica.com/information-technology/2019/08/how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks/
I am not a great believer in the Cloud, but can't these bozos running councils, enlarged councils ( state governments etc. ) libraries et al, see that they wouldn't lose much money by having a nightly scheduled backup, which would enable them --- providing they kept sufficient backups in place --- to cock a snook at blackmailers and miscreants ?
Backblaze has a breakdown for an initial 1000 GB with 100 GB a month extra for $100. I'm not saying make this one's primary backup, but it's not going to hurt and once configured can be quite automatic. Also, most county councils wouldn't even generate that amount of storage...
https://www.backblaze.com/b2/cloud-storage-pricing.html
They could do that, but they could pretty easily keep an offline backup, whether there or offsite, with relatively similar amounts of effort. If they're not going to do that, they aren't going to do a cloud backup either. If they don't have staff competent enough to keep proper backups, this is going to keep happening.
There's typically a common theme running through these infections - outsourcing.
You look at them and IF they have IT staff there's hardly any of them, most or all services are outsourced so nobody actually "cares" about the IT infrastructure as failures may well generate revenue and use up service tickets to resolve.
Now look at UK councils, most don't outsource and the result is MOST do the basics very well like backups. Those that do outsource will typically keep key services like that in-house specifically to ensure it's done correctly and incident response is so much faster and more effective as a result.
In theory, online backup will work.
In reality - there are several issues:
1) Backblaze and other agent based systems only back up data files. Not OS or software. Any malware that takes down MBR or encrypts system/software - the restore is going to be very difficult and manual
2) Attackers are actively going after backups: VSS, on-site hardware and cloud
3) Local government entities may well be using very old software and computers. It wouldn't shock me if WindowsXP era (or older) zoning, tax assessment, police report and other types of software are being used. In these cases, the inability to restore the software is a more critical issue than the data files
4) IT expertise. A modern hypervisor/virtualized image is the best - Veeam/Datta or whatnot, but that costs money and requires significant expertise. A local government entity just isn't set up to pay $15-$150/month/computer for a modern IT setup - regardless of their install base legacy situation.
"private companies are usually somewhat more diligent on security and are more likely to be up to date on patching and anti-malware than poorly-funded government facilities."
I've worked for local government in the UK in the past and the waste of money I've seen with my own two eyes can be described as [looks up dictionary] profligate, imprudent or sometimes downright reckless or negligent.
Things which don't cost a lot of money in the grand scheme of things:
Educating your users about the dangers of lax security, both cyber and in real life.
Physical backups, stored offsite and tested every once in a while.
Patching your machines
An up-to-date antivirus solution.
I know it's an old chestnut, but we taxpayers are the ones who foot the bill when government screws up.
Also worked for a UK council, thing is even though there is waste things like backups were still considered incredibly important and has proper processes in place unlike just about everything else. Office backups, regular testing of backups etc was all done.
Room for improvement but the picture is no where near as bad as the US in this one case IMHO.
. . because they know insurers will pay up.
But you give an example where the insurer specifically did not pay up, because recovery would be more expensive.
And you cite multiple people saying that small government organizations would take the least costly route.
So, if crims are increasing their cost, it means they are getting closer to the point where recovery would be less costly.
Not very logical.
Think of the ransomeware criminals as providers of a product (the decryption key). It is a common strategy to enter a new market with low prices to prove demand before raising them to find out what the market will bear.
To me, I see sophisticated criminals dealing with shockingly naive insurance companies.
"Yeah, its cheaper to rebuild after a fire with wood than with stone. What could possibly go wrong?"
So, it turns out that those here who have been hoping that the insurance companies would provide sanity finally have been...overly optimistic. Historically, it is the reinsurance companies that have driven change--looks like, if change comes from this sector, it will again be them.
My considerable experience of local authorities is that scrimping and saving is the norm.
There is waste an inefficiency, of course there is. But often that's the result of "savings". The (another old chestnut) waste of money long term because of savings short term, that sort of thing. If there's no budget for disaster prevention there is going to be an expensive disaster.
"My considerable experience of local authorities is that scrimping and saving is the norm.
There is waste an inefficiency, of course there is. But often that's the result of "savings"."
One of my first jobs as a field service contractor involved driving around the west of Scotland for three weeks installing CD-ROM drives in hundreds of newly-deployed PCs.
The genius who specced the PCs didn't include the drive in the bill of materials to save money. Another genius with seniority signed off on this spec without questioning whether the drive was actually needed. Turns out it was needed in the majority of cases...and I made a fortune on my mileage alone. That's just one example of many.
The senior guy was promoted to Director of IT, and the other guy was promoted into senior guy's position not long after. The Dilbert Principle in effect.
Oh yes.
We had a very high tech photocopier that could be networked once. One of a vast contract. Ours wasn't set up as a networked machine because the brass didn't think we needed it and the manager of our team didn't understand how any kind of tech worked.
I got a promise from everyone that our machine could be networked at a later date. As soon as the value of that became obvious ( fewer inkjets etc) I asked for it to be done. They agreed, the savings in staff time and print costs were really obvious.
Nothing happened. Engineers came and went. No network printing.
Eventually they admitted that the network card had been omitted to save money.
"the city's insurer, who pointed out that paying the demand would be cheaper than a data recovery effort "
Long or short term thinking by the insurers?
They can save money by paying the ransom. That encourages more ransomware attacks but paying more for recovery would make ransomattacks less profitable and would save insurers money in the longer term. However, in the longer term the insurers can just raise premiums to cover it.
Yes, even in the long term insurers make more money by paying ransoms instead of recovery costs.
By *not paying" criminals you obtain:
1) Cities must improve their defenses and learn from mistakes - if they think "if I'm attacked, I'll just pay" means they will keep the actual situation, today could be a ransomware, tomorrow could be something worse.
2) Money spent for recovery efforts go to honest people (as long as they are reputable companies that aren't building a ransomware business, of course), which in turn will pay taxes, etc. Money sent to criminals, maybe abroad, don't. Money spent to rebuild systems with better resilience and improved practices and policies are money well spent anyway.
But probably some officials are so used to ask for bribes to perform their duties they see no issues in paying criminals.
And as long as this "business" pays so well, I'm afraid it won't be confined to IT system. Nothing forbids you to ask a ransom in cybercurrency for other crimes as well, that may happen in the physical realm.
I've said it before on here but the current method of ransomware attacks isn't that dissimilar to old Saxons ponying up the silver to the Vikings in the 800s-900s etc.
Sh!t happens
Person in charge panics or realises they are defeated.
They pay up.
Person in charge doesn't bother improving defences.
Rinse and repeat again later on. They never learn.
You lot think backups is the answer to this problem.
The time and money it would take to restore from backup and get everything working again is massive. Modern DR is based on replication/mirroring and built-in resilience. Even though people take backups, restoring from scratch isn't part of most companies DR plans, It's rarely fully tested and even the testing requires time, money and infrastructure.
People just pay for the keys because its the cheapest and often best option to get everything working again asap.
Yes, we think backups are the solution. Backups isn't just the big box of tapes with all the data from last weekend on them; it includes everything that allows data recovery when data is lost. Whether that be snapshots, extra copies, or the big box of tapes.
You're right that having to restore from backup at the level of off-site external media is costly in time and money, but there are some things to keep in mind:
1. We only suggest doing that if you have to, I.E. the backups that are online and easy to restore from don't work. Frequently, more persistent ransomware will have found those and screwed them up. Yes, you can configure them not to be vulnerable to the typical attacks, and that will protect you from the majority of lazy ransomware. If it does, that's great. If it doesn't, fall back to offline media.
2. Restoring media may be an expensive DR option, but that's to be expected. This is disaster recovery; you only do it when there's been a disaster. There are lots of other disasters where you'd have to do the same thing, but having to rebuild from scratch would cost much more. If the cost is too high for the business, it might be worth constructing a cheaper backup system or one that restores more easily.
3. Paying the ransom is a terrible idea. It guarantees that you have the same problem that let the ransomware get in. They might also stay resident in order to hit you again in a few months or maybe just to add your machines to a botnet.
4. Paying the ransom is immoral. It funds criminals when there is another option, and increases the probability that an attack like this will happen again. If you pay the ransom, you are making someone else pay the real cost for you. That's bad.
"You lot think backups is the answer to this problem.
The time and money it would take to restore from backup and get everything working again is massive"
Guess what. You're wrong.
Also, paying the ransom is a bad move because you show the attacker two things:
1. You're unprepared to deal with a ransomware attack, and could be worth hitting a second time.
2. You've got money and you trust strangers.
"Modern DR is based on replication/mirroring and built-in resilience."
Where are those replicates and mirrors? If they're all on the same site as the primary system then consider that they don't exist. The fire that takes the primary will take them as well. You've not had a fire yet? Note that word "yet".
I am reminder of an observation about accident rates have an inverse U with organizational size. Very small and very large organizations have low rates (for different reasons) while mid-sized organizations have the highest rates. Something suggests that very small organizations are relatively immune because their size means the IT staff is not dealing with a complex situation and backups are relatively easy to do and test. Very large organizations actually have dedicated experts. But mid-sized organizations have enough complexity that doing backups, etc. requires more skill and knowledge that is somewhat hit or miss but they do not often have dedicated experts to do these tasks. Thus the optimum target size for a municipality or company are the ones with enough complexity but are likely not to have staff with the required depth of knowledge in all areas.
Even if you pay for an encryption key, how much time and effort is needed to make sure the entire IT operation has been cleaned of malware and updated/protected enough to make a simple repeat attack likely to fail?
It might be less expensive to toss out the hard drives, rebuild the systems with clean software, and restore from backups.
Why the F--K did you click on that link.
Security ends with the tip of the mouse finger and 3 brain cells for critical thinking.
Even if you know a person, remember the email you got from them could be a fish, if you are not currently having a conversation.
If their email has a link, CALL THEM and VERIFY.
Never ASS-U-ME [assume]
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
