1. 21

  2. 10

    As someone who has always had backups proper and worked at places that do proper backups, I’ve actually not really cared at all about “ransomware” - it’s a regular occurrence at work and makes little to no impact beyond having to restore a backup and that employee losing a few hours of work, being schooled (again!) to not do insert-whatever-they-did-here. Seems to me a dude and I’m really shocked and in utter disbelief that any of these attacks actually caused any damage worth noting. Who doesn’t do backups? Seriously?

    I used to backup my C64 files to the other sides of old disks and onto cassette tapes. In the pre-PC and early days we had these boxes that used VCR tapes to do backups, can’t recall the names. Later, “Bernoulli Boxes”, probably 1982 or so? Then a little later QIC tape, etc. Never in my entire time of owning computers have I not done regular backups. Ransomware is barely an annoyance.

    What I find horrifying and hope never hits the mainstream would be “Leakware”. “Pay us $1mil or all your company data is suddenly available at xxxxzzzxxxxzzzzz.onion”* or maybe worse, “Pay us $10,000 or your entire phone including all your pictures is available to everyone on the internet. All your nudie pics and all your SMS conversations.”

    Or maybe the worst I could think of is Pay us $nnnnn or else we just SEND copies, unsolicited, to everyone in your phone book. - That would be catastrophic and would absolutely end careers and many marriages, and with the right victim, it could result in criminal cases being overturned or being thrown out, for example. Medical records being published. Maybe confidential data and maybe even nuclear secrets.

    If you care about data you have backups, so nobody should care about data being destroyed.

    Not a lot of people think about the consequences of that data they care about being exfiltrated and published automatically.

    1. 6

      As someone who has always had backups proper and worked at places that do proper backups, I’ve actually not really cared at all about “ransomware” - it’s a regular occurrence at work and makes little to no impact beyond having to restore a backup and that employee losing a few hours of work, being schooled (again!) to not do insert-whatever-they-did-here. Seems to me a dude and I’m really shocked and in utter disbelief that any of these attacks actually caused any damage worth noting. Who doesn’t do backups? Seriously?

      Reverting from backup on many workstations for a large company means: lost work of thousands, lost business of thousands of hours, high “opportunity costs”, follow-up costs for cleanup and making sure the damage is contained. Possible cost for re-certification of your infrastructure. Even if you do everything properly, a ransomware outbreak can have high costs.

      This is about businesses, not about your personal data.

      I once had a client that got their version control system server turned into a spambot through an automatic hack. While this is a bit embarrassing, it was no problem to get it up and running in an hour. Forensics to find out that everything is still the same was the costly part and basically halted development for 5 days.

      1. 1

        Reverting from backup on many workstations for a large company means: lost work of thousands, lost business of thousands of hours,

        Most attacks hit a small subset of workstations. Usually someone extra foolish or unlucky. There’s not much of a loss. Then, for large numbers, many can roll them out after office hours or during lunch for critical ones. Finally, there used to be hard disks to solve this problem that were write-protected by admin, with them having to give permission for permanent changes to specific areas. They did updates through their own tooling at specific times when they turned write-protect off. These didn’t take off much outside of defense or high-security commercial where management wanted to cut cost per person for IT no matter what happened. And then we’re right back to things being compromised with long recovery times. ;)

        If the key data is centralized as a backup, then there are even more options that keep the security higher or possible fixes faster. Increased chance of leaks along with the integrity or availability benefits, but most stuff is like that at many companies.

        1. 2

          Yes, I concur. In the company I work at, I’ve seen ransomware affect 2 or 3 workstations and take about 3 hours to fix (out of about 150 computers here) in a single day once, and that was considered sort of a disaster. Having to halt work for 5 days would mean the IT people would be fired immediately. It usually takes less than an hour to restore a system from a ransomware attack. I can’t imagine a ransomware attack being more than trivial because most business users don’t keep important business data on their workstations; it’s checked in and archived when done, and workstations don’t have write permissions to corrupt the entire company’s data. I still can’t really comprehend how ransomware is an issue to any legitimate business. For the cat lady who doesn’t do backups, “give me 2 bitcoins or you never see your cat pics again!” might be a life-changing attack, however.

          Most of the time the issue is an employee opening an attachment from a user they expect to get an attachment from, which turns out to be bogus, caused by an outbreak at the sender’s side.

          The stories of hospitals or “real” companies getting affected by ransomware, to me, just indicate a complete dereliction of duty on behalf of the IT staff and a sign of major incompetence.

          1. 1

            If you ‘check in’ files by putting them on a shared drive, ransomware can overwrite the entire shared drive. Lots of companies operate this way with a nightly backup.

            Even if the backup restores cleanly, the disruption of not having the shared drive available for a day is considerable.

            1. 1

              Sorry to be so argumentative - but I feel like the lone guy living in the future here where these problems are solved?

              Why would a shared resource be unavailable an entire day? That is insane. If you check your files into a repository it’s usually just a single command to revert to the previous commit. Most important data is stored these days in versioned repositories, on versioned filesystems or databases or on append-only media, is it not? This has essentially been my experience since the late 1970s to mid 1980s. Microsoft has VSS/Shadow available for about 15 years and a setup with hourly snapshots combined with daily backups seems the norm.

              I’ve just never heard of any legitimate company operating the way you describe and there is simply no excuse for it, if so.

              Edit: Maybe this is just culture shock, not being a Linux guy but coming from the world of big iron and enterprise administration and bringing my mindset with me. The tools in the Unix “small systems” world these days are there to provide a lot of the same functionality. Why aren’t they used?

              Are most admins and operators really decades behind in best practices?

              1. 1

                Software companies manage code in a VCS, but smaller non-software companies frequently manage their systems by putting an Excel document on a network share.

                This is getting less common but there’s plenty of it about. As malware gets smarter it’ll be able to also wipe git repos, Google Apps documents, etc.

      2. 3

        What I find horrifying and hope never hits the mainstream would be “Leakware”. “Pay us $1mil or all your company data is suddenly available at xxxxzzzxxxxzzzzz.onion”*

        HBO hack?

        1. 2

          Sony Hack but for a drug or technology company with non-patented stuff. Alternatively, the kind of places that invest in high-availability or fault-tolerant solutions since downtime costs them so much. Maybe even a data broker.

          1. 2

            Actual tech they probably don’t care. Using illegally acquired trade secrets from a competitor is bad news bears. Remember, when somebody tried to sell Pepsi the secret formula for Coke, Pepsi called the FBI. I don’t think drug company A wants anything to do with drug company B’s secret documents.

            1. 1

              What? A direct competitor in the same area buying them is a significant liability, esp against the brand the buyer has developed. Plenty of others in the same country or esp foreign will buy. Russia and China are especially popular for making this into a big part of their economy. Many others, too.

              If routers or mobile, then Huawei stands out recently.

      3. 3

        This is a good one :).

        I think this article misses an important part about ransomware: it doesn’t pick its targets, or at least not obviously. There’s enough cases around where companies have huge costs due to bad security, a prime example being Sony, which lost roughly 500 million in a year due to two hacks (PSN and the movie hack). PSN suffered a “hard loss” of 171 million; lost business is not counted. Still… you’re not Sony and that wouldn’t happen to you, right?

        Ransomware, though, not so much. It has the air that it can hit anyone and do real, quantifiable damage (not just make your computer slower and send spam to someone else in the country).

        1. 2

          Both Sony attacks were unusual even though they’re great examples for what you can lose. The first one might have been due to Sony essentially pissing off hackers by backtracking on supporting their fun with PS3 things like Other OS. Between that and Sony Music’s rootkit, they were becoming a company worth hating or hitting for black hats more than respecting. The second is reported to be North Korea, or a group that wants us to believe that, as a response to The Interview. It’s the kind of targeted, destructive attack that rarely happens to any company, with the media cementing North Korea (aka “attacked by resources of entire country”) as the reason it happened.

          I mean, people in INFOSEC and IT folks reading their articles know how terrible security was at both. The press would have most others, esp managers you’re selling to, convinced those are scenarios unlikely to affect them. They’ll probably try to dodge Sony being a reason to spend large money on security.

        2. 2

          The article certainly rings true to me, though I can’t confirm it. Anyone inside security at a large organisation who can speak to whether the author’s claims hold up in reality?

          I do find it interesting that while “ransomware” is relatively new, data-destructive malware certainly is not (though there was a long period, perhaps more than a decade, between the technovandalism of the late ‘90s and early 2000s and modern ransomware, where malware mostly ran bots and spyware and so had an incentive to operate subtly), and destructive worms never motivated a huge investment in IT security. Is it just that there’s now a revenue stream attached to “destroying” data, so the attacks are more widespread? Digital data wasn’t worth enough in the ’90s to protect? Some recent victims of ransomware have been very high-profile? Something else?

          1. 6

            Data point: Maersk reported a loss in the hundreds of millions of dollars from Petya. That’s pretty motivational if you ask me (even if still only a fraction of their total profit).

            Blaster and Slammer and other worms of yore weren’t as destructive. Maybe they bring the network down, but they mostly just spread without nuking data. Also probably less reliance on computer systems. Reliance (and exposure) only increases over time.

            1. 3

              I don’t work in a “large organization” but ransomware has been generally a non-concern. We already have backups.

              The bigger concern that actually did scare a lot of people and turned out to be nothing, in retrospect, were the rumors of hardware-destructive viruses. As I recall, there were quite a few of those. AntiCMOS and Chernobyl.

              1. 2

                I wonder if it’s just the very direct price tag attached. Loss of data can sort of be waved away as something that happens, a normal cost of business; paying a ransom is a separate line item that’s going to stand out. Even if you don’t pay it, it provides an anchor, making you ask “is this data loss costing the business more or less than $x?”