Learning from the huge expenses Atlanta and Baltimore incurred by refusing to pay ransomware, the Florida city of Riviera Beach decided to pay up. The ransom amount of almost $600,000 is a lot, but much cheaper than the alternative.
So the marketing, sorry targeting, people in all the other ransomware teams now know not to waste time on Atlanta or Baltimore but to target Riviera Beach (repeatedly?). Ransomware is now a business and sound business marketing, sorry targeting, decisions are as applicable here as in any other business. Repeat customers are always favorites.
Hmmm, so did it work? This sounds like it would be a gamble of $600,000. Which is a pretty tough justification if it doesn't work.
Movie Plot suggestion... Die Hard with ransomware. John McClane is working for an upstate New York municipality that has been struck by ransomware. The attack is so successful they are struggling to keep basic services working amid a snowstorm. City Fathers decide to pay the ransomware to turn the lights back on. Except the attack wasn't just to gain money, but to destroy the city in the process. Can John lead his crack team of hackers through the crypto world and decipher the unlock code???
The city's insurer covered $592,000 of the ransom (https://www.palmbeachpost.com/news/20190619/why-riviera-beach-agreed-to-pay-600000-ransom-payment-to-regain-data-access-and-will-it-work). I see this as a good thing since insurers have the ability to influence the security policies of their customers. Insurers don't like to pay out claims and will start updating policies to include better security standards that their customers must meet or risk losing coverage or being denied the claim. It's like we're back to the old days of steam boilers. "In 1919, the Hartford Steam Boiler Insurance and Inspection Company got tired of paying the claims on all those broken boilers, so they came up with the idea of this special piping configuration and mandated it for anyone who wanted insurance on their steam boiler." (https://en.wikipedia.org/wiki/Hartford_Steam_Boiler_Inspection_and_Insurance_Company)
Once again, off-site backups and on-site snapshots and possibly OC imaging servers would have taken care of this quickly. I agree that this insurance payout will probably make insurers start enforcement of basic IT hygiene and security standards however.
Back in the 1960s and 70s aircraft hijackings were common. Somebody decided enough was enough and refused to negotiate with hijackers, and by the mid-1980s the problem was close to being gone.
This spread into other areas: "We don't negotiate with" kidnappers, hostage takers, terrorists etc.
There was a logic behind it that holds not just in the "Physical world" but the "Information world" as well.
The real question people should be asking is not "to pay or not to pay" but "why did it happen".
In theory well designed installation and backup policies should mean you only lose maybe a day of work... The hard part is hunting down the vector by which the ransomware got a toehold in the first place and then closing it and any similar attack vectors in the same class to prevent an immediate repeat.
The planned installation and backup procedures should be in the "prevention" section of the disaster recovery manual and should be tested fairly frequently (at least every quarter these days). Not doing so is negligence by somebody. Thus Who and Why is highly pertinent.
However as we all know there is always a "budget" or other argument imposed from those above who, though they have control, never take responsibility for their actions.
Maybe it's time for a little accountability in the senior ranks such as termination without benefit etc, but that's so unlikely to happen these days that it has to fall to an outside entity to enforce things in another way.
As has been noted the insurance company has the power to force changes and in some areas it has worked well.
But the industry needs to get behind the fact that there is rather more to prevention than having "patch Tuesday done by Friday"...
One question I keep asking people but get no honest answer to is "Why should work computers in any organisation be connected to the Internet or any other external network?". Even getting people to think about it is a major hurdle.
They were also often "state sponsored" by both sides of the Cold War superpowers.
@jay, insurance requirements improving the industry is great. I found this when looking for how the loop actually works: All manufacturers require a Hartford Loop when connected to a gravity return. The loop is normally connected between 2"– 4" below the boiler’s water line. This prevents water from being pushed out of the boiler because the steam pressure pushes equally on the supply and return (through the equalizer.) The Hartford Loop also prevents a leaking wet return from draining the boiler.
@clive, you make a good point about not paying ransoms. My guess is the decision to take the risk and pay the ransom cost less than the alternatives. Ultimately, it is not about the immediate cost but the long term cost. That we must also look at in advance.
It's a bit strange that paying ransoms is legal, since it involves funding and probably laundering payments to a criminal organization. Plus it increases the motive criminals have to pursue these attacks.
@Clive: One question I keep asking people but get no honest answer to is "Why should work computers in any organisation be connected to the Internet or any other external network?". Even getting people to think about it is a major hurdle.
In my particular organization (a software company), Internet access on work computers is used to:
- Install and update a variety of applications used to perform our jobs
- Access reference materials containing information used to perform our jobs (many which are owned and maintained by outside entities; e.g. APIs for computer languages and third-party libraries)
- Communicate with off-site employees and partner organizations
- Communicate with customers
- Upload digital products and marketing materials to public-facing web servers
When I first heard of the Baltimore attack I wondered why not pay the nominal ransom. They still could have rebuilt the city's IT structure from the ground up, AFAIK, while ignoring, or referencing (perhaps at times), the paid-for ransom data.
Perhaps Baltimore paid the ransom out of petty cash or through a more deniable channel.
That must be the answer. Or, a new law has to be passed regulating security of state and federal systems.
Working in application security for the past 20 years, I've seen things go from "zero regulation" to "increasing regulation". The only reason companies have, historically, done security is because of regulations. In that area, banks are a big driver, credit card companies, and finally, government regulation. SOX, HIPAA, and a wide variety of 'other' government mandated regulations such as on telco and critical infrastructure.
The concept of "we are going to do something because some guy in IT Security says we should" is alien. This does not happen. Maybe the poor guy figures out how to use FAIR methodologies to show a risk/loss to the board/upper management, without regulations, but I've never seen that happen by itself, without real regulations.
Audio about 10-12 minutes, IIRC, and a few take-aways may have been:
1) cyber command acts relatively independently; speed and the # of approvals that might be required otherwise
2) Trump may have been in the dark; US IC appears not to have trusted Trump to not leak details to Russia or thought he didn't qualify to need to know
3) Trump had a hissy-fit, threw around words like treasonous press, although the USG had 'no reservations' about the reporting in advance of NYTimes article (1st link below)
From The-1A: "Power Off: The U.S. Intensifies A Cyber Warfare Campaign Against Russia
The United States is intensifying its digital attacks on Russia’s power grid, according to exclusive reporting from The New York Times [www.nytimes.com].
From reporters Nicole Perlroth and David Sanger:
Advocates of the more aggressive strategy said it was long overdue, after years of public warnings from the Department of Homeland Security and the F.B.I. that Russia has inserted malware that could sabotage American power plants, oil and gas pipelines, or water supplies in any future conflict with the United States.
But it also carries significant risk of escalating the daily digital Cold War between Washington and Moscow.
In sum, “the program, as described by current and former unidentified American officials, would enable an attack on the Russian power grid in the event of a major conflict between Moscow and Washington,” the Times reported [www.nytimes.com].
The Russian government said it was fully capable of defending itself against these attacks, and noted its concern that President Trump “was reportedly not informed” about the efforts.
Slate [slate.com] summarized the implications of this program:
One thing is clear: Cyberspace is now seen by officers and officials as just another “domain” of warfare—along with air, land, sea, and space. But there’s something different and more dangerous about this domain: It takes place out of sight, its operations are so highly classified that only a few people know what’s going on there, and it creates an inherently hair-trigger situation, which could unleash war in lightning speed with no warning."
"Doesn't anti-virus protect against this? How does this stuff keep happening?"
Nope. Not typical anti-virus, which typical organizations will have. The hackers just have to change around their virus a bit - and voila - AV has never seen it before, and it runs just fine.
IT Security departments (if they have one) tend to only have so much of a budget, so some internet-facing systems will be out of date. They will have open vulnerabilities, known vulnerabilities the vendor has fixed, but they have not updated their server. From one unpatched server, the attacker can worm their way in. Once they have the right credentials, they can start updating all the systems with their ransomware.
A lot of organizations don't even have an IT Security department, so won't be patching servers like they should. If, at all. Hackers scan the internet for these unpatched servers, or find them via search engines, depending on the vulnerability.
Even if an organization has an IT Security department, they may be underfunded, may be ringing alarm bells but not allowed to patch the servers. Or, they may not be good at their jobs, and not even have a good update and patch management program.
Oh yeah, because there are some open server bugs going around, forgot a main transmission point: phishing. Send the administrator an executable, trick them to run it, voila. They have administrator's credentials and can worm their way through the network that way. :(
Again, bad or non-existent IT Security department, which should have an anti-phishing program instigated, training people, stopping known or likely phishing attacks, etc.
"The ransom amount of almost $600,000 is a lot, but much cheaper than the alternative." What was the cost of the alternative? Without the numbers, who knows? Now, Baltimore took a $17M or so hit, which could have been reduced with a $76K payout.
But the much smaller Riviera Beach - how much was saved? I think it was cheaper because the insurance was paying (less a small deductible). But, I wonder how much was saved, if we remove who's paying.
IIRC insurers were also behind the formation of Underwriters Laboratories. (Kind of in the name, too.) They got tired of cheap electrical devices catching fire and burning houses down.
We need some kind of equivalent in the security world. Manufacturers won't do it themselves because whoever does it bears all the costs and everyone will claim that level of testing anyway, without someone to say no.
First off my apologies for being late in responding, but unfortunately I'm back in hospital again being checked out for sepsis again :-(
You make a reasonable case for the engineers, developers and marketing, but what about admin staff?
Some companies, in fact the majority in my experience, are admin heavy and they are unfortunately often the ones where problems get traced back to (again due to lack of training or time to do their work load).
If you look at the Telco industry, it's rare for the Internet to get anywhere close to the core business and most I've spoken to working in that area are fully aware of why and generally agree with the "no Internet" rule.
It's a thorny problem and often the arguments you get from management actually demonstrate their lack of knowledge...
Also as our host @Bruce has noted in the past, it's hard to get people to do things when in fact keeping their job involves them doing almost the exact opposite...
Since we can't upvote on this blog, the ppl/ideas, I agree with & promote:
@Jay, @ Clive Robinson, @David Rudling, @Alejandro - and those similar.
Don't pay the extortion. If paying, pay less than asked. Yes, all gov't doesn't care about spending someone else's money. If insurers have to make payouts, then, insurance companies will start demanding good IT security. At first glance, everyone in IT should be fired. But, maybe it wasn't their fault. Maybe they warned and their superiors refused to do anything. Maybe IT wasn't given funds to implement security.
As for down votes:
Bitcoin is bought for cash.
As for the conspiracy theory of these being Russian hacks/attacks:
Could be. Is this what the first cyberwar attacks look like?
Payment opens up the gate for insider attacks especially when insurance gets involved. Mandatory training dictated by insurance companies helps but it won't do anything against an admin that can be bribed to click on an executable. Making sure that admins get paid well so that they won't be tempted by bribes seems like a good idea.
"We need some kind of equivalent in the security world. Manufacturers won't do it themselves because whomever does it bears all the costs and everyone will claim that level of testing anyway, without someone to say no."
Government regulations have been a partial solution in the industry to drive security. No joke. But, main drivers tend to come from the corporate world, such as the drivers behind PCI-DSS.
It would be a good project for us hackers to create free programs that could help these impoverished and poorly educated IT Security departments (or IT departments without security). I will think about it my own self as a project to do, it would be a good idea.
Harsh love, but where I am, the admin who used admin credentials for non-admin work, such as email, would probably be dismissed if this happened. Any kind of work that changes the system has to have an approval chain also, or else ... . And as the great ones, the flinty-eyed, grey haired long time admins always remind us green morons, it all comes down to “Think first, then act.”
"So we're primarily concerned with Windows servers that aren't well maintained? To what degree are Internet-accessible Windows desktops vulnerable?
Don't most typical antivirus software solutions have behavior-based protection? "
It can be Windows or Linux. Phishing is a primary route of attack, as well.
Traditional AV still does not cut it, which is why there is a big market for products like Cylance, SentinelOne, Carbon Black, etc.
There is little reason for a ransomware binary not to be detected, however. These will tend to be encrypted. Mainstream AV has had behavioral modules for a long time, but for a very long time they were very bad at what they do. As if they were saying, "signature is the only way to go, we have been doing it right all along". As if behavioral modules do not also operate on signatures... which, they do.
Nowadays, the top brand AV *should* do the trick on something as absurd as ransomware, which is easy to profile separate from legitimate applications. But, these products are more expensive than the plethora of AV products out there which do not have nearly as good behavioral modules.
And even then, they are not going to cover serious attacks - even ransomware - as well as products specifically designed to detect 'previously unseen malware'.
Best practice is often to have two layers of defenses, but small organizations can barely afford one.
This does not mean AV is the only weak link, either. There is the weak link of having no anti-phishing program in place. And the weak link of not updating your servers. All three problems are big -- and mainstream.
It is difficult for companies to do this without an IT Security department. And IT Security departments are often hobbled. It costs money to update servers, it can break programs which are custom on those servers. Those custom applications have to be updated and tested on the later version of the server. That can take months.
There are products for servers which can keep them safe while the update work goes on - if they are even bothering to do the update work - but, these too, require a lot of money.
Anti-phishing requires a strong program in place, and that requires education, research, and purchasing.
Finally, for a lot of organizations, there are no regulations they have to abide by. The only reason many companies have started to take security seriously is because of regulations forced on them. Such things as PCI-DSS, and lesser regulations like SOX and HIPAA. Cities don't have PCI-DSS regulation, so they have been relatively regulation free.
Therefore, that leaves it up to a poorly funded IT department to make their own pleas -- for money. And this is very difficult to do. Bureaucrats are all too used to waving away such pleas, saying, "OH pooh pooh".
Best bet is for some regulations to be passed, which will happen if these attacks continue. And why should they not continue, they are profiting.
Federal and DoD have their own strong regulations.
State and Cities have nada.
Looks like this needs a federal set of regulations on all state, city, and county organizations.
Yeah, those are other weak links, and I noticed one release by the Government on "best practices" addressed the administration privileges problems.
Approval chains can be good, but they can also be extremely painful bureaucracy when you have hundreds of servers that are out of date.
I hate to say it, but I think there need to be federal regulations in place demanding that there be strong security on all governmental organizations. Outside of DoD and to a lesser degree, federal, there hardly are any regulations at all. So they have no impetus to hire people, buy programs, maintain systems at all, practically.
I have contracted a lot and never seen a situation where an organization is hiring without having some regulations as an impetus. I have also led campaigns to purchase products deeply needed where regulations are lacking, and it is a truly painful, lengthy battle to take on.
"Why should work computers in any organisation be connected to the Internet or any other external network?"
For the same reason that work computers should exist at all in any organization. Or telephones, fax machines, and vehicles for that matter.
Most organizations are no more prepared to create a siloed intranet from scratch with every service their employees need to do their jobs than they are to fabricate their own CPUs in house. And that's presuming they could even do their jobs without simple communication to the outside world.
My business needs to order new inventory when it runs low. My business needs to share information between geographically distributed offices. My business needs to stay in touch with our customer base. My business runs a customer facing web service or app. My business needs mapping, vehicle tracking, SEO and marketing, software updates, DRM dialback, public databases, vendor support, freelancer collaboration, product feedback, digital delivery, NVR, collaboration and project management, time synchronization, or even just explicitly granted access to personal communications and entertainment. Which is a lot more common now that we're not all sending our 6 year old children to work 16/6 at the coal mines anymore.
I can understand a question like "why weren't all of the doors to that building secure?" I can't understand "why does that building even HAVE doors?" :P
I can understand a question like "why weren't all of the doors to that building secure?" I can't understand "why does that building even HAVE doors?" :P
It's actually not a "why are there doors" question
It's more a "why do some need individual offices, shared offices and some cubicles" question. Every connection to the Internet represents a risk, even text only emails can be a risk.
Yes some need Internet access but many don't, and those that don't in effect represent an unacceptable risk, especially when not sufficiently trained, which is usually the case.
A sensible organisation manages risk as can often be seen with physical security. However when it comes to sight unseen information security it all goes out the window needlessly.
HR, Finance, R&D, Marketing and other departments are physically kept separate, often with "card key access", but the internal network is mostly flat, with nearly all computers able to see each other at the lowest levels, which is what an attacker needs to get to the higher levels.
There are ways to segregate the computers effectively and only give safe access to resources where there is a verified requirement to do so. They can be a lot less expensive than physical access controls, but...
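To put numbers on the flat-versus-segmented point above, here is an added Python illustration (not code from the original post). The host inventory, department labels and approved flows are constructed, and the policy model is a hypothetical simplification of real firewall rules: it counts how many machines an attacker who has phished one workstation can reach directly, and how many by pivoting hop by hop.

```python
"""Blast-radius comparison: flat internal network vs. department segmentation.

Added illustration, not from the original post. The inventory and the
policies below are constructed. A host-to-host flow is allowed either
because the policy is default-allow (the "flat" network the comment
describes) or because the two hosts share a department or match an
explicit (src_dept, dst_dept) rule with a verified business need.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    dept: str


@dataclass
class Policy:
    default_allow: bool = False
    # Cross-department flows that were explicitly approved (hypothetical).
    cross_dept_rules: frozenset = frozenset()

    def allows(self, src: Host, dst: Host) -> bool:
        if src == dst:
            return False
        if self.default_allow:          # flat network: everything sees everything
            return True
        if src.dept == dst.dept:        # same segment is always reachable
            return True
        return (src.dept, dst.dept) in self.cross_dept_rules


# Constructed inventory.
HOSTS = [
    Host("hr-1", "HR"), Host("hr-2", "HR"),
    Host("fin-1", "Finance"), Host("fin-db", "Finance"),
    Host("rd-1", "R&D"), Host("rd-2", "R&D"),
    Host("mkt-1", "Marketing"),
]

FLAT = Policy(default_allow=True)

# Segmented, but with one over-broad approval: R&D may talk to Finance.
SEGMENTED_LOOSE = Policy(cross_dept_rules=frozenset({
    ("Marketing", "R&D"),
    ("R&D", "Finance"),
}))

# Same, with the R&D -> Finance flow removed after review.
SEGMENTED_TIGHT = Policy(cross_dept_rules=frozenset({("Marketing", "R&D")}))


def direct_reach(start: Host, hosts, policy: Policy) -> set:
    """Hosts the attacker can connect to from the first compromised machine."""
    return {h.name for h in hosts if policy.allows(start, h)}


def lateral_reach(start: Host, hosts, policy: Policy) -> set:
    """Everything reachable by pivoting host-to-host (BFS over allowed flows)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for h in hosts:
            if h not in seen and policy.allows(cur, h):
                seen.add(h)
                queue.append(h)
    seen.discard(start)
    return {h.name for h in seen}


def blast_radius(start_name: str, policy: Policy, hosts=HOSTS) -> dict:
    """Summarise direct and multi-hop exposure from one compromised host."""
    start = next(h for h in hosts if h.name == start_name)
    lateral = lateral_reach(start, hosts, policy)
    return {
        "direct": len(direct_reach(start, hosts, policy)),
        "lateral": len(lateral),
        "total_hosts": len(hosts) - 1,
        "lateral_hosts": sorted(lateral),
    }


if __name__ == "__main__":
    # A phishing click on the marketing workstation is the assumed entry point.
    for label, pol in (("flat", FLAT), ("segmented (loose)", SEGMENTED_LOOSE),
                       ("segmented (tight)", SEGMENTED_TIGHT)):
        r = blast_radius("mkt-1", pol)
        print(f"{label:18s} direct={r['direct']} lateral={r['lateral']} "
              f"of {r['total_hosts']}: {r['lateral_hosts']}")
```

The "loose" policy shows why each cross-department approval needs review: one R&D-to-Finance rule doubles what a phished marketing workstation can ultimately reach.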
If we were privy to its place of origin, that would probably turn out to be somewhere north of Seoul.
That is a political cheapshot.
It's the same sort of evidence-less allegations the US make all the time to fulfil an Orwellian need to have a distant faceless enemy to lie to their own population with, so they won't ask why they are being kept on a continual war footing so their rights and freedoms can be stripped away from them.
"Traditional AV still does not cut it, which is why there is a big market for products like cylance, sentinelone, carbon black, etc."
For whatever odd reason, these products aren't extensively tested by independent labs. One test, albeit outdated, I found here, [www.av-comparatives.org], indicates that SentinelOne and Carbon Black significantly underperform relative to "traditional" antivirus, which is wholly contrary to your claim. Cylance did way better, but its false alarm rate is high. What gives?
I don't really understand why any city officials in their correct minds would pay ransomware(?!) If every other rational person could simply read about or converse about several reasons to NOT pay ransomware and not fall for the scams, why would city officials fall for the scams? Or are city officials simply auto-complying with certain scripts/algorithms/prompts?
And WHY are we still using CAPTCHAs since they really don't work in favor of people and don't block bots either and therefore don't work for decent people nor decent non-hostiles either?
[www.shapesecurity.com] (link to article about CAPTCHA failures and why digital fraud leads to actual severe losses)
By the way...
0) Do NOT forget to nurture the most important elements and components required for more stable survival.
1) rename all of your most needed tools if you can.
2) edit all of your most needed GUI's to match your needs
3) if you need a low-energy consumption GUI, set-up a low energy consumption GUI, don't fall for glitzy gleaming animated waste.
4) if your GUI and program GUI's advertise your private items to the whole world of witnesses, that ALSO jeopardizes your safety.
5) program designers, you really need to STOP creating situations where your otherwise great products put us at risk simply because you want to impress us with flashiness
6) defensive hackers, please don't attack those of us who are innocent
7) defensive hackers, please don't attack the machines and tools of the innocent
8) defensive hackers, please choose your vectors of retaliation more carefully, lest you turn innocent victims caught in the digital (and other) crossfires against you
9) music composers, start composing music with 9 beats per measure ( there will be more to explain on that topic later) we have multiples, of 2,3,4, rarely 5, 6, rarely 7, 8, we need nines, Also, implied is a need for 11 beats per measure and more twelves, thirteens, fifteens, seventeens, eighteens, nineteens, and twenty beats per measure, etc. There are specifics within both music and modulus math and soundtracks and security techniques that need not be fully explained yet.
10) If your systems are knocked down too much, temporarily switch to a different toolset and rebuild from there.
11) If you can't work out a technical solution yet, teach others some of the best of what you know, to bring them updated with alternative problem-solving techniques.
12) Do NOT forget to nurture the most important elements and components required for more stable survival.
Turn off everything that you do NOT need UNLESS it is necessary for something else's survival. PLEASE Do NOT destroy what several of us most need in order to implement something of yours. Let's try and find a compromise activity or lack of activity or combination instead.
13) Programmers and designers and others, please do NOT use words and icons of hostility to name or label items or devices or lives which are NOT hostile. For example, do not name your program "Boot and Nuke" if it does NOT do that. However, if you have a steganography program, do NOT name it with the term "steg", "stega", "stegan" or "stegano", ETC. Think about it. As soon as you make its purpose obvious, you destroy its functionality by virtue of turning it into a data-logging and surveillance target.
Did I really need to spell this out? Yes, finally.
14) Veterans of Foreign Wars, please immediately stop advertising about and explaining and doing interviews or documentaries explaining how covert operations were accomplished in the past. Even though much of those successes were, yes, in the past. The present and future are still very much involved in what needs to be protected and the spacetime continuum is not limited to polite linearities of polite minds, and neither are traversers of boundaries who are already implied to eventually exist if they don't already. What used to be fiction, often ends up as futuristic, then eventually discovered or rediscovered or created. Then it becomes fact.
Please do not put yourselves, us, and your living legacy at risk in acts of pride and glory whether enticed into such public displays or invited or otherwise.
It has been said that the threat of __________ cannot be contained within time or space. That also implies that some battles are not to be thought of as started, and ended. Consider us defenders as more of an immune system; we don't simply exist once and are done with a mission. We are a living barrier. Please don't drop your guard and please don't drop our guard, and please don't drop us either.
Peace be with you. Thanks for existing. Too much to say and it shouldn't really be said anyway. If it was worth doing at all, it was worth doing correctly. And it still is.
Basically, what I am saying is these "endpoint solutions" are designed to protect against *previously unseen malware*. Some of them are designed to complement traditional signature based AV. They effectively replace that behavioral component of the signature based AV. But, you can run these systems without traditional AV, depends on the solution. Carbon Black/bit9 is my favorite solution, though Cylance and SentinelOne both have very interesting technologies, and there are some other companies.
Problem, historically, with AV tests is the tests have been rigged by the AV companies.
Further, testing known malware, signature based solutions may pull out stronger. However. Even though the known malware tested isn't anything that actually goes wild. And that is the problem, it is an unrealistic test.
So, the appropriate test is difficult to do: you have to test entirely previously unseen malware. Or 'zero day malware' against these systems. That is a rigorous test which requires the creation of new malware. And, to a lesser degree, it requires the editing of existing malware in the way hackers do it: testing against signature based AV solutions to make sure it is not detected.
That kind of test AV signature based companies blocked and protested against for a long time, complaining creating new malware for tests was equivalent to literally being a malware author and letting them loose on the wild. That industry has been very corrupt, or was.
I think, today, however, the top brand name solutions are very good. But, their behavioral components do lag significantly behind the endpoint solutions. Some of these endpoint solutions can entirely replace the need for signature based AV. Some can not.
Some of these simply have a really strong behavioral based solution. Some have a strong network of systems which are designed to catch the latest new attacks, effectively using their customers as a giant honeypot. As well as devising their own clever honeypot strategies. Some of these utilize both strategies.
Some solutions utilize entirely different strategies, such as Carbon Black's whitelisting strategy. Which strategy I do believe is the best. Marcus Ranum has a great paper on this. But, it basically is designed to disallow anything not approved.
Initially, whitelisting strategies were very poor. Difficult to manage. But, today, they are slick and easy to manage.
All that said, these organizations getting hit often can not even afford the brand name leading products. Or won't.
And they have no rules demanding security compliance, so they often do not follow the rules.
Cities are a good "for instance". Publicly traded companies have SOX compliance, and often PCI-DSS compliance. Federal organizations have federal compliance mandates which can be strong, especially for DoD systems. Profitable private companies often have business partners, such as banks, with their own compliance requirements that are well thought out. Or, they have the money at risk and available to fix problems.
But, cities are out of the loop of all that, so they are very vulnerable targets.
These attacks could be nation based. If we wish to get imaginative, the money could be being used to fund black ops projects off the books. But, that is unlikely and unnecessary. As these attacks most likely are simply rogue hackers looking for a buck. Cities are the 'low hanging fruit' for them.
On why are they paying the ransom: it is actually *lack* of regulations why they are in this mess. They are ungoverned. They don't have any rules at all, so they are making a very bad decision. I would not be surprised if some who pay are not hit again. Whatever the case, we can expect more cities to be hit and to pay.
Someone pointed out 'insurance' paid in one case. And, hopefully, insurance can take up the slack. Force them to secure their systems and operations.
Creating new regulations would require time, and a lot of expertise. Nations remain bad at this. It takes them a long time to come up with new regulations, and when they do, they tend to do it poorly.
My biggest question is: Where are the backups? This should have been an inconvenience rather than catastrophe. They're a coastal city in Florida. At the very least, they should have backups for hurricane recovery.
Next, I'm willing to bet decent money that this attack was caused by some idiot opening up a phishing e-mail, then forcing the computer to run a macro virus. All of the security in the world does nothing when your employees help the attackers gain entry.