back to article Canadian insurer paid for ransomware decryptor. Now it's hunting the scum down

A Canadian insurance business struck by ransomware paid off the crooks via a cyber insurance policy – and their English reinsurers, having shelled out 109.25 Bitcoins, want it back from the alleged blackmailers. After infection the unnamed Canadian company suffered a total lockdown of all of its systems and asked its …

  1. My-Handle

    Of course, the downside of pissing off a company that has a lot of cash and hiding somewhere without an extradition treaty is that the lack of legal agreements works both ways. In the event that the insurance company successfully uses it's resources to find the perpetrators and decides to unofficially send in the heavies for a quiet chat, it might end up being pretty difficult to hold that company accountable.

    1. macjules

      pissing off a company that has a lot of cash and hiding somewhere without an extradition treaty

      I should think that one of the joys of having a lot of cash is being able to have some gentlemen with unsightly bulges under their arms visit said country and 'persuade' the scumbag to return.

      1. Anonymous Coward
        Anonymous Coward

        Who needs them? These are the companies that own facebook and credit agencies. If they wished to. They could make life hard, with artistic results.

        1. Sean o' bhaile na gleann

          Find the tossers who did it, then send in a wet team - it's the only way to be sure...

          1. macjules

            You left out the words 'low orbital bombardment'.

      2. Alan Brown Silver badge

        Who needs that kind of persuasion?

        A rather messy display left behind is persuasive to the surviving crooks - reminding them that they're not untouchable

        Back in days of having to real with skiddies the fastest way of stopping their rampages was to doxx them and post their details as the reason their hosting ISP was barred from accessing various resources. Local users would take care of the rest (Both in kicking arses at ISPs who refused to deal with abusive users and dealing with the users themselves)

  2. Zebo-the-Fat

    Not paying!

    Infected? OK, no prob, re format and re install from my off site backup, back in business in 90 minutes :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Not paying!

      How many backups? Snapshots taken at what intervals? What if payload says 'boo' only days after the infection? You have defence. Do you have defence in depth? In depth of time?

      1. Peter2 Silver badge

        Re: Not paying!

        If your using tapes, yes. Most people do at least two weeks worth of daily backups, and then retire a tape each month as an archive.

        Pull the OS and application files from however far back you need to, even if it's from a year ago. Then get patching and start pushing out the contents of the file shares from the filesystem from the day before.

        Yes, offline backups via tape is now unfashionable because tapes are not new and are uncool and have been replaced by trendy stuff that in this case cost the company using them something like a million in direct costs in ransom fees, and them two weeks + downtime, plus the investigation and prosecution costs. What did that tape drive and a few boxes of tapes cost again?

        1. veti Silver badge

          Re: Not paying!

          Tapes are pretty pricey, these days.

          Reliable tapes, if there is even such a thing, will be even more so. When was the last time you tried to reinstall from one of your 2-year-old backup tapes?

          1. big_D Silver badge

            Re: Not paying!

            Sorry, tapes are cheap, compared to getting caught with your pants down.

          2. Peter2 Silver badge

            Re: Not paying!

            Tapes are pretty pricey, these days.

            Tapes are twenty quid each. A two week rotation based on only doing weekdays costs £200 for the first set of tapes, and if you retire a tape a month then the total yearly cost of new tapes is £240.

            The setup cost is about £2k for the drive if you buy brand new, and over a 5 year period you'd want 70 tapes, so at £20 each that's £1400 on media assuming that you keep everything forever. ==£3400 for 5 years. (or knock a grand off that if you only keep a years worth of archive tapes)

            This gives you a daily offsite backup of up to 2.5TB uncompressed. (or about 6TB compressed)

            Microsoft's cloud backup for 2.5TB appears to be about £80/pm. Over a 5 year period that's £4800 (and subject to monthly price rises) so tape can actually be cheaper than cloud. Lots cheaper if you pick up a second hand tape drive for a fraction of the retail value.

            I still think tape has good uses as part of a backup strategy. It's not suitable for everything, but it's pretty good insurance against this sort of thing, even if your only backing up mission critical stuff and not absolutely everything.

            Reliable tapes, if there is even such a thing, will be even more so. When was the last time you tried to reinstall from one of your 2-year-old backup tapes?

            Tapes only tend to get horribly unreliable if you are constantly rewriting them. If your retiring one a month then you don't tend to run into tapes that have much in the way of data loss unless your storing them around electromagnets.

            1. Anonymous Coward
              Anonymous Coward

              Re: Not paying!

              Upvote. But sometimes we are talking 100s of Terabytes or more. And big access/storage costs. However, these still are tiny to possible outage and ransom claims. However sadly, the lowest cost solution is probably adopted. :(

            2. Alan Brown Silver badge

              Re: Not paying!

              "The setup cost is about £2k for the drive"

              I'd like to know where you're getting one that cheap from. It's usually about £12-14k by the time you wrap a LTO9 inside a library with FC connectivity

              Admittedly you get a lot of data on each tape but the drives are eye-wateringly expensive

          3. Alan Brown Silver badge

            Re: Not paying!

            Last week, actually

            LTO lasts a LONG time, even heavily used ones

            And FWIW some of these malware variants lay in wait for a long time before activating

        2. LucreLout

          Re: Not paying!

          Yes, offline backups via tape is now unfashionable because tapes are not new and are uncool and have been replaced by trendy stuff that in this case cost the company using them something like a million in direct costs in ransom fees, and them two weeks + downtime, plus the investigation and prosecution costs. What did that tape drive and a few boxes of tapes cost again?

          I'm asking because I think I'm missing something not because I think you are, but .... What advantage does tape bring in this instance? My cloud backup is versioned so I can go get a pre-infection version of any of the files, I think. (retail not commercial so I can afford not to be right)

          From what you've said I think I might be missing something, I'm just not sure what that is. Please can you explain why versions on tape have a time based advantage over versions online? Thanks in advance.

          1. Alan Brown Silver badge

            Re: Not paying!

            "What advantage does tape bring in this instance?"

            Defence against deletion

      2. Rol

        Re: Not paying!

        I'm currently in the very early stages of cobbling a CRM system together, some PC's, an on-site server mirrored in the cloud (server updates the mirror) Backed-up on a daily basis with about 30 cycles before they get overwritten. The pc's and server get shutdown at the close of business.

        Each record has its own unique encryption, the keys for which are stored encrypted on each pc. The cloud and server are useless without the pc's, and a compromised operator's password.

        Each pc will occasionally update a bogus record, (the db being salted to buggery with random encrypted guff) and then look to an historic back-up (write-protected) to compare what it directly retrieves from the mirror.

        If the encrypting nasty is doing its job, the record written by the server to the cloud will not match what the pc retrieves, and hence sound the alarm.

        I haven't finished poring over the many flavours of ramsomware, and I haven't written a stroke of code yet. As I say, it's the early stages, and bound to morph into something completely different, if for no other reason than to not have the rudimentary operational characteristics splashed across this page for anyone to see.

        Glad to hear your thoughts on my suggestion though. Even if it is a single word obscenity.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not paying!

          Access irregularities? Is that how most systems detect it currently? Lots and lots of additional access to quickly encrypt things out of place. Though a slow malware would still slip through both detection methods, as getting a hit on an irregular file is harder...

          1. Rol

            Re: Not paying!

            Seeing as the script can only work during office hours, and therefore can't leisurely go about it's business, I thought it would make sense to look at the beginning of the file structure, then the middle and then the end, while also looking at recent updates.

            If I was writing a stealth encryption script to run during office hours, it would need to sit piggy in the middle, identifying records it had already encrypted, so it could decrypt them when called by the user.

            Hence my thought to access the mirrored db by a pc that has no direct write ability to it. The script, if it is running on the pc, would be focussing on the on-site server and shouldn't identify the mirrored record as requiring decrypting.

        2. Alan Brown Silver badge

          Re: Not paying!

          decent backup systems save SHA256s of the files they're backing up. If the SHA of a file which shouldn't have changed, changes, then you know you have a problem and when it happened.

          No extra buggering around needed

          This was a solved problem over 20 years ago

          The key for a backup system like this is that you can spot large numbers of checksum changes and go "hmmmmm" - IDS functionality without needing to deploy extra kit

      3. PyLETS

        Re: Not paying!

        If the technical attack which brought the system down can be repeated on the restored system, it matters little what medium the backup bits are restored from. Defence in depth now also means having the forensic capability with a rapid enough turnaround time to be able to figure out the nature of the technical attack and prevent it recurring. Otherwise, your restored system can be made subject to the same fate as the cracked one. If the technical capability you have is too slow to figure this out, then your business being offline for an extended period becomes equivalent to business failure or a loss of reputation you can't afford, regardless of your ability to bring the system up exactly as it was before.

        Think about why the Sony Playstation and Travelex networks were down for as long as they were and join the dots. I don't think it's realistic to imagine they didn't have backups, but it is realistic to imagine they didn't have access to the forensic capability needed to prevent re-occurrence.

    2. big_D Silver badge

      Re: Not paying!

      Yes and no. You can re-image 1,000 PCs in 90 minutes? You can recover dozens or hundreds of servers in 90 minutes? Doubtful. 90 minutes for your individual PC? Maybe. Multiply that by 1,000 to cover all of those PCs, then the bigger data volumes on the servers...

      Also, a lot of the crypto malware these days quietly encrypts in the background for an extended period, then springs the trap, encrypting the backups as well, if it can its hands on them (SMB shares, iSCSI drives etc.).

      If you have to go back a month to get a clean backup, that is a lot of missing work that has to be redone. If your backup is safe enough, that the malware couldn't get at it, that is a different matter. But there are still physical limits to recovering the data. Our automated backups, across all sites, take around 40 hours to complete (they run in parallel, none takes more than 8 hours). But they all have to be managed restores, controlled, checked for malware and then released back onto the network. That is going to take several days, even on our relatively small network (a couple of dozen servers).

      But don't forget, you have to take all the PCs offline first and ensure they are clean and re-integrate them into the network, before your users can start working. Even if you have 2 teams running around, recovering things, you are still going to be several days offline or partially offline. Then there is the question of when the last backup was and how much work has been lost...

      And hopefully, you haven't missed some undocumented PC sitting in a closet somewhere, waiting for everything to come back online to strike again... ;-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Not paying!

        This is why you should have 'kill everything' scripts.

        One script starts a shutdown of all fileservers, then blocks traffic between the SERVER and the PC VLANs, and finally shuts down all ports on the PC VLAN.

  3. Robert Helpmann??
    Paris Hilton

    Cognitive Dissonance Much?

    In October 2019 the American FBI softened its stance on paying off ransomware.

    So it is OK to deal with criminals using encryption in an illegal act but it's not OK for law-abiding citizens to use it in a presumably legal fashion? Color me confused!

  4. Phil O'Sophical Silver badge

    Scottish MSP

    When I read that my immediate reaction was "that's corrupt, even for a politician". Then I read the linked article and realized that it was a reference to a Managed Services Provider, and not one of Holyrood's finest...

  5. JohnG

    "Whilst some of the Bitcoin was transferred into 'fiat currency' as it is known, a substantial proportion of the Bitcoin, namely, 96 Bitcoins, were transferred to a specified address."

    Entities who facilitate "cashing out" are normally required to have records (e.g. copies of passports, etc.) unless they want to fall foul of the authorities where they operate.

    1. Doctor Syntax Silver badge

      "unless they want to fall foul of the authorities where they operate."

      Depending on where they operate falling foul might require no more than a brown envelope.

    2. IGotOut Silver badge

      The British Virgin Islands. You know that place that in no way is a place know for tax dodging shell companies.

    3. Cynic_999

      In this case the bad guys used an online service to store their bitcoin, which means it was easily traced. Had they been a bit more savvy, they would have created a wallet on their own PC and had the ransom paid directly into that wallet. Then do nothing for a few years until the investigation dies down, then transfer the bitcoin into several chains of other untraceable wallets, maybe via bitcoin mixers, before cashing out. It would be impossible to prove that the people eventually receiving the cash were the same people who controlled the original receiving wallet.

  6. OssianScotland
    Pint

    Danegeld

    Does no-one read their Kipling any more?

    It is always a temptation to an armed and agile nation

    To call upon a neighbour and to say: --

    "We invaded you last night--we are quite prepared to fight,

    Unless you pay us cash to go away."

    And that is called asking for Dane-geld,

    And the people who ask it explain

    That you've only to pay 'em the Dane-geld

    And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation,

    To puff and look important and to say: --

    "Though we know we should defeat you, we have not the time to meet you.

    We will therefore pay you cash to go away."

    And that is called paying the Dane-geld;

    But we've proved it again and again,

    That if once you have paid him the Dane-geld

    You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,

    For fear they should succumb and go astray;

    So when you are requested to pay up or be molested,

    You will find it better policy to say: --

    "We never pay any-one Dane-geld,

    No matter how trifling the cost;

    For the end of that game is oppression and shame,

    And the nation that pays it is lost!"

    Personally, I like the Leslie Fish version:

    https://www.youtube.com/watch?v=IvNtaCFe_KE

    1. Imhotep

      Re: Danegeld

      Do I like Kipling? I don't know, I've never kippled.

      1. Phil O'Sophical Silver badge
        Coat

        Re: Danegeld

        I hear it's exceedingly good.

    2. Doctor Syntax Silver badge

      Re: Danegeld

      Unfortunately Kipling was wrong. We no longer have the Danes but we still have the geld (taxation). It's the tax collectors you never get rid of.

      1. Claptrap314 Silver badge

        Re: Danegeld

        He was not wrong. He was just pointing out poetically, that to pay Danegeld is to pay tribute--that is, to cease to be an independent sovereignty.

        And if you attempt to apply that rule to individuals verses some State, I can assure you that the invading nation is quite capable of taking whatever they please, so you best negotiate your tax lightly.

        1. Doctor Syntax Silver badge

          Re: Danegeld

          The Domesday survey was essentially a survey for tax purposes. The term used was "geld" but no longer paying off Danes. e.g., from Scafe's translation of Yorkshire Domesday: " In Tatecastre (Tadcaster), Dunstan and Turchil had eight carucates of land for geld, where four ploughs may be."

          Yes it was a poetic expression of an idea. But historically collection of geld by government long outlasted the original purpose.

          1. Cynic_999

            Re: Danegeld

            Income tax was promised by the British government of the time to be a temporary measure that would only last until the end of the Napoleonic war.

            Most of us in the UK are presently giving in the region of 80% - 90% of what we earn to the government in the form of taxes of one type or another. I am by no means convinced that what we get from the government in return amounts to reasonable value for that amount of money.

            1. Anonymous Coward
              Anonymous Coward

              Re: Danegeld

              "Most of us in the UK are presently giving in the region of 80% - 90% of what we earn to the government in the form of taxes of one type or another."

              Where the hell are you getting 80-90% from? The top rate of tax is currently 50%, and even if you add NI, VAT and council tax on top you're not getting anywhere near 80%. That top rate is for those earning over £150K, so it's hardly "most" people either. The majority of the population are either in the 20% tax rate or not paying income tax at all (income under ~10K). Even though the non-income based taxes hit the less wealthy proportionately harder you'll still be hard pressed to find anyone paying 80-90% to the government.

              I don't have any issue with you calling out the UK government on a value for money basis but pulling figures out of your arse like that makes you sound like a lunatic. Or possibly a foreign troll who hasn't researched the actual tax rates in the UK.

              1. Cynic_999

                Re: Danegeld

                Where I am getting it from is adding *all* the money the governments takes from us, directly or indirectly. Some goods you buy have far more tax than VAT applied. e.g. Motor fuel, alcohol and tobacco. Then there's the new "sugar tax". You pay indirectly for the fuel tax used by the vehicles that deliver the goods to the shops and the corporation tax levied on the companies that make the goods as well as the rates paid for by the owner of the shop. Then there's the tax you paid on your house.

                1. Da Weezil

                  Re: Danegeld

                  You forgot to mention that the UK govt manages to tax taxation... they add "Fuel Duty" to the cost of road fuel, which is then subject to "Value Added Tax" on the whole sum - so they actually tax the tax they have already levied.

                  I hate hearing politicians talking about lowering taxes when in reality all they do is hide them from plain sight. Of course if we conducted our affairs that way it would probably be called fraud.

      2. veti Silver badge

        Re: Danegeld

        Tax collectors predate Danegeld by some thousands of years.

        cf. 1 Samuel 8:11-17:

        And he said, This will be the manner of the king that shall reign over you: He will take your sons, and appoint them for himself, for his chariots, and to be his horsemen; [...] And he will take your fields, and your vineyards, and your oliveyards, even the best of them, and give them to his servants. And he will take the tenth of your seed, and of your vineyards, and give to his officers, and to his servants. And he will take your menservants, and your maidservants, and your goodliest young men, and your asses, and put them to his work. He will take the tenth of your sheep: and ye shall be his servants.

        We've always known this. And yet, every civilisation in history has chosen to pay taxes anyway.

        Contrast with Danegeld, of which Thomas Jefferson said: "[We] prefer war in all cases to tribute under any form and to any people whatever".

    3. Dave 32
      Coat

      Re: Danegeld

      Perhaps a bit of "Gunboat dipolmacy" then? I seem to remember that happening not quite 220 years ago, in the First Barbary War, and, subsequently in the Second Barbary War. Oh, well, it produced a passably good tune.

      https://en.wikipedia.org/wiki/First_Barbary_War

      https://en.wikipedia.org/wiki/Second_Barbary_War

  7. Steven Guenther

    Blackwater

    Find them and flay them alive. Put it on YouTube as a warning to the next script kiddie.

    I HATE these jokers. I am forced to have locks on everything, costing me money.

    Have few laws, but enforce them! We would need fewer locks and fewer lawyers.

  8. tfewster
    Joke

    Title unclear - which scumbags are we talking about?

    I got the gist of the article, that scumbags are taking money off "victims", but I'm not clear whether the scumbags in question are:

    - The ones collecting the insurance premiums and then complaining when they have to pay out on a bet?

    - The ones being too cheap to protect their business with backups (in which case the true victims would be their customers)?

    - Or the talented, hard-working software entrepreneurs who saw a market opening and took it?

  9. Anonymous Coward
    Anonymous Coward

    5 days and 10 business days

    Surely it would have been quicker to restore the servers from backup and re-image the desktop PCs?

    1. Anonymous Coward
      Anonymous Coward

      Re: 5 days and 10 business days

      At a hint. As the insurance company are trying to recoup costs... it was cheaper to claim on the insurance, than to use the recovery option.

  10. Aseries

    So you think you got back your files

    Criminals have been rooting around in your system locking down your files. You had great archives and recovery is looking pretty good. You think you are out of the woods? They could also have been hiding back doors all over and now your system actually belongs to crooks and you may not know it. Pretty soon the other shoe will drop.

  11. Anonymous Coward
    Anonymous Coward

    Clay tablets!

    Papyrus is so yesterday.

  12. mr-slappy

    The cure could be worse than the problem

    "the decryption tool provided had to be run on each and every affected device on the company's network"

    ...and presumably hoovered up a load of sensitive information and password files, and probably dropped a load of malware in the process too.

  13. Anonymous South African Coward Bronze badge

    It is things like these that make me want to get out of IT. I'm getting too old for this sort of scheiße.

  14. Anonymous Coward
    Anonymous Coward

    Good job

    I would enjoy a job to find and apply punishment (in international waters) to criminals.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like