Of course, the downside of pissing off a company that has a lot of cash and hiding somewhere without an extradition treaty is that the lack of legal agreements works both ways. In the event that the insurance company successfully uses its resources to find the perpetrators and decides to unofficially send in the heavies for a quiet chat, it might end up being pretty difficult to hold that company accountable.
Canadian insurer paid for ransomware decryptor. Now it's hunting the scum down
A Canadian insurance business struck by ransomware paid off the crooks via a cyber insurance policy – and their English reinsurers, having shelled out 109.25 Bitcoins, want it back from the alleged blackmailers. After infection the unnamed Canadian company suffered a total lockdown of all of its systems and asked its …
COMMENTS
Thursday 9th December 2021 18:13 GMT Alan Brown
Who needs that kind of persuasion?
A rather messy display left behind is persuasive to the surviving crooks - reminding them that they're not untouchable
Back in the days of having to deal with skiddies, the fastest way of stopping their rampages was to doxx them and post their details as the reason their hosting ISP was barred from accessing various resources. Local users would take care of the rest (both in kicking arses at ISPs who refused to deal with abusive users and dealing with the users themselves).
Wednesday 29th January 2020 22:03 GMT Peter2
Re: Not paying!
If you're using tapes, yes. Most people do at least two weeks' worth of daily backups, and then retire a tape each month as an archive.
Pull the OS and application files from however far back you need to, even if it's from a year ago. Then get patching and start pushing out the contents of the file shares from the filesystem from the day before.
Yes, offline backups via tape are now unfashionable because tapes are not new and are uncool and have been replaced by trendy stuff that in this case cost the company using them something like a million in direct costs in ransom fees, and then two weeks+ downtime, plus the investigation and prosecution costs. What did that tape drive and a few boxes of tapes cost again?
Thursday 30th January 2020 12:28 GMT Peter2
Re: Not paying!
"Tapes are pretty pricey, these days."
Tapes are twenty quid each. A two week rotation based on only doing weekdays costs £200 for the first set of tapes, and if you retire a tape a month then the total yearly cost of new tapes is £240.
The setup cost is about £2k for the drive if you buy brand new, and over a 5 year period you'd want 70 tapes, so at £20 each that's £1400 on media assuming that you keep everything forever. = £3400 for 5 years. (or knock a grand off that if you only keep a year's worth of archive tapes)
This gives you a daily offsite backup of up to 2.5TB uncompressed. (or about 6TB compressed)
Microsoft's cloud backup for 2.5TB appears to be about £80/pm. Over a 5 year period that's £4800 (and subject to monthly price rises) so tape can actually be cheaper than cloud. Lots cheaper if you pick up a second hand tape drive for a fraction of the retail value.
I still think tape has good uses as part of a backup strategy. It's not suitable for everything, but it's pretty good insurance against this sort of thing, even if you're only backing up mission critical stuff and not absolutely everything.
"Reliable tapes, if there is even such a thing, will be even more so. When was the last time you tried to reinstall from one of your 2-year-old backup tapes?"
Tapes only tend to get horribly unreliable if you are constantly rewriting them. If you're retiring one a month then you don't tend to run into tapes that have much in the way of data loss unless you're storing them around electromagnets.
Thursday 9th December 2021 18:18 GMT Alan Brown
Re: Not paying!
"The setup cost is about £2k for the drive"
I'd like to know where you're getting one that cheap from. It's usually about £12-14k by the time you wrap an LTO9 inside a library with FC connectivity.
Admittedly you get a lot of data on each tape but the drives are eye-wateringly expensive
Friday 31st January 2020 14:44 GMT LucreLout
Re: Not paying!
"Yes, offline backups via tape is now unfashionable because tapes are not new and are uncool and have been replaced by trendy stuff that in this case cost the company using them something like a million in direct costs in ransom fees, and them two weeks + downtime, plus the investigation and prosecution costs. What did that tape drive and a few boxes of tapes cost again?"
I'm asking because I think I'm missing something not because I think you are, but .... What advantage does tape bring in this instance? My cloud backup is versioned so I can go get a pre-infection version of any of the files, I think. (retail not commercial so I can afford not to be right)
From what you've said I think I might be missing something, I'm just not sure what that is. Please can you explain why versions on tape have a time based advantage over versions online? Thanks in advance.
Wednesday 29th January 2020 23:06 GMT Rol
Re: Not paying!
I'm currently in the very early stages of cobbling a CRM system together: some PCs, an on-site server mirrored in the cloud (server updates the mirror), backed up on a daily basis with about 30 cycles before they get overwritten. The PCs and server get shut down at the close of business.
Each record has its own unique encryption, the keys for which are stored encrypted on each PC. The cloud and server are useless without the PCs, and a compromised operator's password.
Each PC will occasionally update a bogus record (the db being salted to buggery with random encrypted guff) and then look to an historic back-up (write-protected) to compare with what it directly retrieves from the mirror.
If the encrypting nasty is doing its job, the record written by the server to the cloud will not match what the PC retrieves, and hence sound the alarm.
I haven't finished poring over the many flavours of ransomware, and I haven't written a stroke of code yet. As I say, it's the early stages, and bound to morph into something completely different, if for no other reason than to not have the rudimentary operational characteristics splashed across this page for anyone to see.
Glad to hear your thoughts on my suggestion though. Even if it is a single word obscenity.
Thursday 30th January 2020 23:07 GMT Rol
Re: Not paying!
Seeing as the script can only work during office hours, and therefore can't leisurely go about its business, I thought it would make sense to look at the beginning of the file structure, then the middle and then the end, while also looking at recent updates.
If I was writing a stealth encryption script to run during office hours, it would need to sit piggy in the middle, identifying records it had already encrypted, so it could decrypt them when called by the user.
Hence my thought to access the mirrored db by a PC that has no direct write ability to it. The script, if it is running on the PC, would be focussing on the on-site server and shouldn't identify the mirrored record as requiring decrypting.
Thursday 9th December 2021 18:20 GMT Alan Brown
Re: Not paying!
Decent backup systems save SHA256s of the files they're backing up. If the SHA of a file which shouldn't have changed changes, then you know you have a problem and when it happened.
No extra buggering around needed
This was a solved problem over 20 years ago
The key for a backup system like this is that you can spot large numbers of checksum changes and go "hmmmmm" - IDS functionality without needing to deploy extra kit
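The two detection ideas in this thread, Rol's write-protected "bogus record" that a client re-reads and compares, and Alan Brown's per-file SHA256 manifest with a "lots of checksums changed between backups" alarm, are the same mechanism at different granularities. The following is an added example written for this page, not Rol's design or any backup product's code. It assumes files live under a single directory tree, that the operator nominates canary files that must never legitimately change, and that the change-ratio threshold (20% here) is an operator choice; the demo tree and its contents are constructed.

```python
# Added example: an integrity manifest with canary files and a change-rate alarm.
# Not code from the thread; names, threshold and sample files are assumptions.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest.

    This is the record a backup run would store alongside the data it copies.
    """
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict, canaries: set,
                      max_change_ratio: float = 0.2) -> dict:
    """Diff two manifests and decide whether the change pattern looks like mass tampering.

    One edited document between two runs is normal. A canary changing or vanishing,
    or a large share of the tree changing at once, is the "hmmmmm" moment: the same
    signal a file-integrity IDS would raise, but derived from data the backup already has.
    """
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    canary_hits = sorted(p for p in canaries if p in changed or p in missing)
    ratio = (len(changed) + len(missing)) / max(len(baseline), 1)
    return {
        "changed": changed,
        "missing": missing,
        "added": added,
        "canary_hits": canary_hits,
        "change_ratio": ratio,
        "alarm": bool(canary_hits) or ratio > max_change_ratio,
    }


def demo() -> tuple:
    """Constructed scenario: one ordinary user edit, then a bulk rewrite of the tree.

    Returns the two reports so the caller can inspect or assert on them.
    """
    root = Path(tempfile.mkdtemp())
    for i in range(10):
        (root / f"doc{i}.txt").write_text(f"document {i}\n")
    canary = "zz_canary_do_not_touch.txt"  # assumed name for the operator's canary
    (root / canary).write_text("constructed canary record\n")
    baseline = build_manifest(root)

    # Day 1: a user edits one file. Ratio is 1/11, canary untouched: no alarm.
    (root / "doc3.txt").write_text("document 3, edited by a user\n")
    normal = compare_manifests(baseline, build_manifest(root), {canary})

    # Day 2: every file's contents is replaced in place (random bytes stand in for
    # whatever an encryptor would leave behind). Canary hit plus 100% change: alarm.
    for p in root.iterdir():
        p.write_bytes(os.urandom(32))
    bulk = compare_manifests(baseline, build_manifest(root), {canary})
    return normal, bulk


if __name__ == "__main__":
    for label, report in zip(("normal edit", "bulk rewrite"), demo()):
        print(label, "alarm" if report["alarm"] else "ok",
              f"ratio={report['change_ratio']:.2f}", report["canary_hits"])
```

The baseline manifest must be stored where the same process cannot rewrite it (Rol's write-protected historic backup, or the offline tape from earlier in the thread); a manifest kept on the share it describes is overwritten along with everything else. Comparing the manifest from backup N-1 against backup N also gives the "when it happened" part of Alan Brown's point, because each run's manifest dates the first appearance of the changed digests.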
Monday 3rd February 2020 15:49 GMT PyLETS
Re: Not paying!
If the technical attack which brought the system down can be repeated on the restored system, it matters little what medium the backup bits are restored from. Defence in depth now also means having the forensic capability with a rapid enough turnaround time to be able to figure out the nature of the technical attack and prevent it recurring. Otherwise, your restored system can be made subject to the same fate as the cracked one. If the technical capability you have is too slow to figure this out, then your business being offline for an extended period becomes equivalent to business failure or a loss of reputation you can't afford, regardless of your ability to bring the system up exactly as it was before.
Think about why the Sony Playstation and Travelex networks were down for as long as they were and join the dots. I don't think it's realistic to imagine they didn't have backups, but it is realistic to imagine they didn't have access to the forensic capability needed to prevent re-occurrence.
Thursday 30th January 2020 07:43 GMT big_D
Re: Not paying!
Yes and no. You can re-image 1,000 PCs in 90 minutes? You can recover dozens or hundreds of servers in 90 minutes? Doubtful. 90 minutes for your individual PC? Maybe. Multiply that by 1,000 to cover all of those PCs, then the bigger data volumes on the servers...
Also, a lot of the crypto malware these days quietly encrypts in the background for an extended period, then springs the trap, encrypting the backups as well, if it can get its hands on them (SMB shares, iSCSI drives etc.).
If you have to go back a month to get a clean backup, that is a lot of missing work that has to be redone. If your backup is safe enough, that the malware couldn't get at it, that is a different matter. But there are still physical limits to recovering the data. Our automated backups, across all sites, take around 40 hours to complete (they run in parallel, none takes more than 8 hours). But they all have to be managed restores, controlled, checked for malware and then released back onto the network. That is going to take several days, even on our relatively small network (a couple of dozen servers).
But don't forget, you have to take all the PCs offline first and ensure they are clean and re-integrate them into the network, before your users can start working. Even if you have 2 teams running around, recovering things, you are still going to be several days offline or partially offline. Then there is the question of when the last backup was and how much work has been lost...
And hopefully, you haven't missed some undocumented PC sitting in a closet somewhere, waiting for everything to come back online to strike again... ;-)
Wednesday 29th January 2020 17:11 GMT JohnG
"Whilst some of the Bitcoin was transferred into 'fiat currency' as it is known, a substantial proportion of the Bitcoin, namely, 96 Bitcoins, were transferred to a specified address."
Entities who facilitate "cashing out" are normally required to have records (e.g. copies of passports, etc.) unless they want to fall foul of the authorities where they operate.
Thursday 30th January 2020 18:10 GMT Cynic_999
In this case the bad guys used an online service to store their bitcoin, which means it was easily traced. Had they been a bit more savvy, they would have created a wallet on their own PC and had the ransom paid directly into that wallet. Then do nothing for a few years until the investigation dies down, then transfer the bitcoin into several chains of other untraceable wallets, maybe via bitcoin mixers, before cashing out. It would be impossible to prove that the people eventually receiving the cash were the same people who controlled the original receiving wallet.
Wednesday 29th January 2020 17:40 GMT OssianScotland
Danegeld
Does no-one read their Kipling any more?
It is always a temptation to an armed and agile nation
To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
To puff and look important and to say: --
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."
And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: --
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that pays it is lost!"
Personally, I like the Leslie Fish version:
https://www.youtube.com/watch?v=IvNtaCFe_KE
Wednesday 29th January 2020 23:14 GMT Claptrap314
Re: Danegeld
He was not wrong. He was just pointing out poetically, that to pay Danegeld is to pay tribute--that is, to cease to be an independent sovereignty.
And if you attempt to apply that rule to individuals versus some State, I can assure you that the invading nation is quite capable of taking whatever they please, so you best negotiate your tax lightly.
Thursday 30th January 2020 00:02 GMT Doctor Syntax
Re: Danegeld
The Domesday survey was essentially a survey for tax purposes. The term used was "geld" but no longer paying off Danes. e.g., from Scafe's translation of Yorkshire Domesday: " In Tatecastre (Tadcaster), Dunstan and Turchil had eight carucates of land for geld, where four ploughs may be."
Yes it was a poetic expression of an idea. But historically collection of geld by government long outlasted the original purpose.
Thursday 30th January 2020 18:18 GMT Cynic_999
Re: Danegeld
Income tax was promised by the British government of the time to be a temporary measure that would only last until the end of the Napoleonic war.
Most of us in the UK are presently giving in the region of 80% - 90% of what we earn to the government in the form of taxes of one type or another. I am by no means convinced that what we get from the government in return amounts to reasonable value for that amount of money.
Friday 31st January 2020 12:11 GMT Anonymous Coward
Re: Danegeld
"Most of us in the UK are presently giving in the region of 80% - 90% of what we earn to the government in the form of taxes of one type or another."
Where the hell are you getting 80-90% from? The top rate of tax is currently 50%, and even if you add NI, VAT and council tax on top you're not getting anywhere near 80%. That top rate is for those earning over £150K, so it's hardly "most" people either. The majority of the population are either in the 20% tax rate or not paying income tax at all (income under ~10K). Even though the non-income based taxes hit the less wealthy proportionately harder you'll still be hard pressed to find anyone paying 80-90% to the government.
I don't have any issue with you calling out the UK government on a value for money basis but pulling figures out of your arse like that makes you sound like a lunatic. Or possibly a foreign troll who hasn't researched the actual tax rates in the UK.
Friday 31st January 2020 14:16 GMT Cynic_999
Re: Danegeld
Where I am getting it from is adding *all* the money the governments takes from us, directly or indirectly. Some goods you buy have far more tax than VAT applied. e.g. Motor fuel, alcohol and tobacco. Then there's the new "sugar tax". You pay indirectly for the fuel tax used by the vehicles that deliver the goods to the shops and the corporation tax levied on the companies that make the goods as well as the rates paid for by the owner of the shop. Then there's the tax you paid on your house.
Saturday 1st February 2020 21:08 GMT Da Weezil
Re: Danegeld
You forgot to mention that the UK govt manages to tax taxation... they add "Fuel Duty" to the cost of road fuel, which is then subject to "Value Added Tax" on the whole sum - so they actually tax the tax they have already levied.
I hate hearing politicians talking about lowering taxes when in reality all they do is hide them from plain sight. Of course if we conducted our affairs that way it would probably be called fraud.
Thursday 30th January 2020 01:39 GMT veti
Re: Danegeld
Tax collectors predate Danegeld by some thousands of years.
cf. 1 Samuel 8:11-17:
And he said, This will be the manner of the king that shall reign over you: He will take your sons, and appoint them for himself, for his chariots, and to be his horsemen; [...] And he will take your fields, and your vineyards, and your oliveyards, even the best of them, and give them to his servants. And he will take the tenth of your seed, and of your vineyards, and give to his officers, and to his servants. And he will take your menservants, and your maidservants, and your goodliest young men, and your asses, and put them to his work. He will take the tenth of your sheep: and ye shall be his servants.
We've always known this. And yet, every civilisation in history has chosen to pay taxes anyway.
Contrast with Danegeld, of which Thomas Jefferson said: "[We] prefer war in all cases to tribute under any form and to any people whatever".
Wednesday 29th January 2020 22:19 GMT Dave 32
Re: Danegeld
Perhaps a bit of "Gunboat diplomacy" then? I seem to remember that happening not quite 220 years ago, in the First Barbary War, and, subsequently in the Second Barbary War. Oh, well, it produced a passably good tune.
https://en.wikipedia.org/wiki/First_Barbary_War
https://en.wikipedia.org/wiki/Second_Barbary_War
Wednesday 29th January 2020 23:06 GMT tfewster
Title unclear - which scumbags are we talking about?
I got the gist of the article, that scumbags are taking money off "victims", but I'm not clear whether the scumbags in question are:
- The ones collecting the insurance premiums and then complaining when they have to pay out on a bet?
- The ones being too cheap to protect their business with backups (in which case the true victims would be their customers)?
- Or the talented, hard-working software entrepreneurs who saw a market opening and took it?
Thursday 30th January 2020 04:39 GMT Aseries
So you think you got back your files
Criminals have been rooting around in your system locking down your files. You had great archives and recovery is looking pretty good. You think you are out of the woods? They could also have been hiding back doors all over and now your system actually belongs to crooks and you may not know it. Pretty soon the other shoe will drop.