The poor IT guys there probably asked for a couple thousand for backups instead and were previously denied. Ransomware first rose to prominence three years ago.
I know the university I attended has learned nothing at all. State university in a wealthy US area with over 30,000 students. They still think security is forcing everyone to change passwords once every 6 months. No offer of 2fa of any sort for any service.
I stopped using my email address between transcript requests because the whole student/faculty directory is rampant with student employees of local businesses sending spam within the system.
A permanent link is a complete mystery of a concept to them as well. Every time the sun shines on an article in public media for them the glory is sure to be short lived, because Google's link will be broken in 6 months tops.
> A permanent link is a complete mystery of a concept to them as well. Every time the sun shines on an article in public media for them the glory is sure to be short lived, because Google's link will be broken in 6 months tops.
I am baffled that universities (and so many others) don't just use WordPress for publishing their media.
What type of insurance does UCSF have for ransomware? Last year, ProPublica noted how some insurance companies like to pay ransom for their business [0].
That poses at most a minor roadblock. You just take over the backup-and-restore service for a little while and corrupt the backups as they get made. If anybody tries to verify the backups they just restore them correctly until they make their demand. Would probably add between $10K and $100K to the cost of attack (probably closer to $10K), so would probably be immaterial to the profitability of this attack. Therefore, even if they did it they would almost absolutely still be attacked with exactly the same consequences if they did not pay the ransom.
Simple "common sense" solutions are pretty close to useless in these scenarios since they provide no meaningful impediment to halfway competent attackers. They stop children and script kiddies which is helpful in that there are a lot more of them, but essentially every actual economically-motivated attack remains viable.
To provide an analogy, the fence around a military base does good work stopping people from just walking onto base, but it does not stop the enemy tanks. That does not mean the fence is useless, it stops one kind of threat, but if tanks might actually attack the base you either need to have a way to stop them or be willing to take the loss. Throwing up more fences so it takes longer for the tanks to roll over all of them is not really meaningful if losing the base is still an unacceptable loss.
Ehh, a decent backup service (https://www.tarsnap.com/) will give you the ability to make write-only backups over time, i.e. you should be able to roll back to 6 months ago without any chance of something corrupting the backup process.
Of course, it depends how much data you're backing up.
To clarify I meant at the time of backup. When the data is being sucked out of the system to the backup they encrypt. All that requires is taking over the system pushing the data out to the backup for however long you want to deny backups. Obviously this requires not getting caught during that time, but the median time to discover a data breach is 279 days (~9 months) according to IBM [1] and this is actually easier to hide in many senses than a data breach since you are just messing with an existing data flow instead of trying to do the much more suspicious data exfiltration.
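The two comments above describe a backup that is faithfully stored but useless because the data was already scrambled when it left the system. An added example (not code from the thread, and not tarsnap's own implementation) that models the defensive side of this exchange: an append-only snapshot store that refuses rewrites, combined with a restore-and-verify step that uses a known-content canary file (an assumption of this example) to find the most recent snapshot that is still sane. The scramble function and the snapshot data are constructed for the demonstration.

```python
import copy
import hashlib

# Constructed canary (assumption): a file with fixed, known bytes that the
# backup job always includes, so a restore can be sanity-checked offline
# without trusting anything on the compromised source system.
CANARY_PATH = "canary/README.txt"
CANARY_BYTES = b"backup canary v1\n"
CANARY_SHA256 = hashlib.sha256(CANARY_BYTES).hexdigest()


class AppendOnlyBackupStore:
    """Snapshots can be added and read, never modified or deleted.

    This models the write-only retention the comment above attributes
    to a decent backup service: an attacker who controls the source can
    feed garbage into new snapshots, but cannot touch old ones.
    """

    def __init__(self):
        self._snapshots = []  # ordered list of (label, {path: bytes})

    def add_snapshot(self, label, files):
        # copy the bytes so later mutation of the caller's dict cannot leak in
        self._snapshots.append((label, {p: bytes(b) for p, b in files.items()}))

    def labels(self):
        return [label for label, _ in self._snapshots]

    def restore(self, label):
        for snap_label, files in self._snapshots:
            if snap_label == label:
                return copy.deepcopy(files)
        raise KeyError(label)

    def overwrite(self, label, files):
        # the whole point of the store: there is no rewrite path
        raise PermissionError("append-only store: snapshots cannot be rewritten")


def snapshot_is_sane(files):
    """A snapshot is sane if its restored canary hashes to the known value.

    Only the canary is checked here; a real job would also parse a sample
    of restored files to catch partial scrambling.
    """
    canary = files.get(CANARY_PATH)
    return canary is not None and hashlib.sha256(canary).hexdigest() == CANARY_SHA256


def latest_sane_snapshot(store):
    """Walk snapshots newest to oldest and return the first one that restores cleanly."""
    for label in reversed(store.labels()):
        if snapshot_is_sane(store.restore(label)):
            return label
    return None


def simulate_corrupted_backup_pipeline():
    """Constructed scenario: three clean months, then three months where the
    data is scrambled before it reaches the backup, exactly as the comment
    above describes. The store records whatever it is handed."""
    store = AppendOnlyBackupStore()
    good = {CANARY_PATH: CANARY_BYTES, "records/patients.csv": b"id,name\n1,alice\n"}
    for month in range(1, 4):
        store.add_snapshot(f"2020-0{month}", good)

    def scramble(data):
        # stand-in for the attacker's encryption of the outbound data stream
        return bytes(byte ^ 0x5A for byte in data)

    bad = {path: scramble(content) for path, content in good.items()}
    for month in range(4, 7):
        store.add_snapshot(f"2020-0{month}", bad)
    return store


if __name__ == "__main__":
    demo_store = simulate_corrupted_backup_pipeline()
    print("newest snapshot:", demo_store.labels()[-1])
    print("latest sane snapshot:", latest_sane_snapshot(demo_store))
```

The verification step has to run from the backup side against restored data; verifying on the source host, as the comment notes, just means the attacker answers the verifier. The canary only proves that at least one known file survived, which is why a real restore test should also parse a sample of the restored files.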
Large compromises of sensitive data also have to consider the release of sensitive info, not just recovery. So even with backups there's an incentive to pay.
Paying ransoms should be a criminal offense. That's the only way to remove the incentives for ransomware attacks. If that means some businesses fail or government agencies get temporarily shut down then that's acceptable collateral damage and will serve as an object lesson to others about the importance of IT security.
There are reasonable precautions that organizations can take to mitigate a ransomware attack before they happen. You might even say that organizations should be obligated to have some minimum IT infrastructure in place if they're going to be responsible for customer (or student) data in any fashion.
Organizations that try to pinch pennies year after year by avoiding paying for the basics are harming IT in general and they're further harming society by sending money out to criminals that will go on to spend that money on attacking other people and organizations.
Well cyberinsurance can be spent on things besides paying a ransom, such as hiring a security firm to investigate and a data recovery firm to try to recover data from backups. It can also cover revenue losses due to outages, and payout damages to your users if your users' data was stolen.
I guess theoretically kidnapping insurance might be spent on things besides a ransom as well, such as hiring mercenaries to recover the kidnapped person. But I doubt that's very likely.
Maybe a prohibition on paying off ransomware is needed, but it's not sufficient and I don't think it's the low hanging fruit. John Dillinger once made headlines because he was better armed than the locals. Then he ran across state boundaries because law enforcement didn't coordinate well. It took a federal response specialized to that type of crime to bring it under control.
Ones and zeroes on a hard drive and human lives are fungible.
I don't get this alternate point of view outside of perhaps a belief in god and god may control things without a soul like a hard drive and can't control things with a soul.
I've never met anyone like that, but then I've never been to the bay area, nor have I worked in finance or in NYC.
But my point is that I'm unaware of the stereotype. Saying "don't you think it's true" is a digression once removed from that.
It was in the news that Patagonia or someone was refusing to provide vests to financial companies that they were putting their own brands on. So it seems like that is in the category of "everybody knows" that is a thing. Also, I think I've seen a few pictures of Jeff Bezos in one.
You're trying to change the subject again, to whether it's true. What I was wondering is whether the stereotype is a thing, not whether it's true. I already said that and I guess you're ignoring what I write?
Why are you wasting your time being argumentative instead of raising my awareness?
I was originally curious if you are "trying to make fetch happen" or whether it's a stereotype that is widespread.
The Patagonia vests are quite nice though. Fortunately for me I live in a very non-hip locale where nobody else wears them or is aware of their association.
Wasn’t sure if Apple had rebranded vests as sleeveless jackets. Tim Cook like, “You’re going to love what we’ve created and we can’t wait to see how you use it to keep warm while waiting in line at Philz.”
I guess it depends on the nature of the personal info. By this point a significant portion of the population's basic personal info is already out there. If we're talking detailed medical records, then sure, I might say "pay". But if it's names & SS#, I don't know.
You don't usually have to report money you spend, at least if you're an individual. You only have to report money you make. If you're a victim you don't make any money. I doubt the attacker is reporting the income for tax purposes, so the attacker is breaking tax law most likely.
I'm imagining a scenario where a UCSF insider could coordinate this with someone by deliberately getting their system infected and then splitting the money with whoever is behind that NetWalker instance. Do you guys think that would work?
* Anytime any ransom is paid it is in the most literal sense funding ransom, even more directly than funding terror in the most direct way possible: when you send a check to ISIS that may or may not actually fund terror. Maybe whoever you sent it to is just good at making an ISIS recruitment page and doesn't do much real terror, just marketing.
* But paying a ransom by definition directly funds ransom, far more directly than sending money to ISIS directly funds terror.
* Whoever gets the money at ISIS might spend it at a brothel, there's no proof of terror.
* But whoever gets your ransom when you are ransomed by definition engages in ransom.
* You are funding ransom by definition.
* Additionally, since all rich nations are generally pretty law-abiding, making paying a ransom strongly illegal means that the companies have no choice. They're simply not able to write the check or wire the funds.
* Finally, another strong reason to make it illegal: anyone could claim falsely to be ransomed. If I wanted to fund ISIS I could literally write on a piece of paper which messages to send me in what sequence, and then I could send them money and claim falsely to be ransomed by them.
* Paying a ransom should be strongly illegal.
* Also note that this is a good analogy with "possession of stolen goods" - the fact that such is a crime largely destroys the market for stolen goods. The market would be much stronger if possession of stolen goods weren't a crime.
* There is an argument made about direct consequences: "But if we don't pay they will actually kill my daughter!" The same argument applies directly to paying bribes: "But if we don't pay, we actually can't get a license to sell in that country!" Still, paying bribes abroad for routine administrative work is illegal. Companies can't do it. If they do it, they get fined. Result? 1) (immediately) companies stop doing it. 2) administrators stop requiring it.
The world becomes free of bribery. This proves that making paying bribes illegal works.
Why wouldn't it work for making ransoms illegal? UCSF just funded a ransomist $1M. That should be illegal.
The going rate for a thug in a third world country might be $800 per month. UCSF just paid for one thousand two hundred and fifty man-months of abduction.
It is true that making a law is how you deal with the conflict between self interest and public interest.
However, if you make something illegal that people have a strong motivation to do, they may just keep doing it, only not as publicly. And in that case, the people who demand ransom will not be particularly discouraged. Their business may improve, because victims will have an incentive to keep the whole thing secret.
Think about how people worry that enforcing immigration laws will lead to violent crime being ignored.
>The world becomes free of bribery. This proves that making paying bribes illegal works.
Have I misunderstood your tone here, or do you actually believe this? Because bribery is illegal, and happens all of the time. The few who get caught get in trouble. Heck, Goldman Sachs does it when it's needed to land deals! [0]
I imagine the same would happen if ransom for ransomware was made illegal. Thieves wouldn't care, what they do is already illegal. If someone they infect with ransomware can't figure out how to get them their money, what do they care? I'm sure their profits would go down, but it wouldn't stop. If anything it might just drive them to hit many smaller targets to get through volume what they can no longer get through big hits.
I don't think there are any countries left where international companies can't operate at all without paying bribes. Maybe they won't get their permits as fast, but they can still operate.
The fact that GS acts criminally is on GS. The fact that you can do business without being criminal like GS proves that this works.
See how I just shifted the conversation to the fact that GS is criminal? That's what we want. Not some routine transaction.
Sure, yes, bribes are criminal. But making them criminal didn't make them go away. Now you are shifting your claim from saying the world is bribe-free to simply saying it's not necessary. Which is also not true anyway:
I know someone, in the US, who was unable to get a health-inspection sign off without making a separate "gift" to the inspector. The permit languished for months, with no apparent progress or response. Money was being lost. Finally the inspector showed up and made a reference to this "gift". The person I know said he might take his issue to the head of the health department. The inspector said "that's fine, you can do that. When you speak to him, tell my father that I said hello." Other areas of the same business were unable to get a certain supplier to either show up, or when they did, to provide usable product, until a kickback was given. Why not choose a different supplier? Because the type of supplier had to have a specific license to distribute the product, and suppliers had divided up territory so there was only one supplier in any area.
Bribery is alive & well. All making it criminal has done is ensure that when it's discovered, it is punished.
So I have a different perspective on what you just wrote. To me a world where you have to pay a bribe is very different to one where it is possible to do business without one. If anyone is doing business in a country without paying a bribe, then everyone can. It's like the difference between being able to run a restaurant without paying the mob and basically ignoring them, and not being able to run that restaurant because they will come and beat you up until you do. That is a huge difference. The mob might still sell heroin or do other stuff the city doesn't want them to do but they are not beating up business people who refuse to pay them. That is a huge difference. When it is illegal for you to pay a bribe you can always say that you are not able to, because it's illegal and you're law-abiding. It's that simple.
Regarding your example: to me "that's fine, you can do that. When you speak to him, tell my father that I said hello" sounds like a scared bluff. After all the father in this situation has even more to lose than the son does! (Because of the father's higher rank.)
So the conversation is totally shifted. It might not even be his father in this case. It is always easy to be on the side of lawfulness. When there's a law behind you.
Without that law, it is just you and the ransom seeker, making a private arrangement. No, that's not the way the world should work.
I think making paying bribes illegal is fantastic, and the same thing should be done for paying any ransom. People respond to incentives. The government has to destroy that business model.
Let me paint you a picture: imagine if you were scared to go on the Internet right now, from any of your devices, because it is similar to going to a gang-infested part of the city where you will get beaten up. That's the world you think is okay: one in which you are being cyber attacked and forced to pay a ransom for "protection". No.
Actually that's not the world we live in: when I connect a device to the Internet, I don't feel like I'm about to get beaten up, and neither do you. This works. When someone pays $1 million to change that world, they're doing something very wrong, and it must be strongly illegal.
Has anyone considered designing an IT infrastructure from the ground up that would be maximally resistant to ransomware?
I think past generations are excused for not preparing this, simply because it was theoretical. It is real now. So designing systems that assume some part will be captured eventually, and then work to minimize that before they are even deployed, would be timely now.
Why am I not surprised? The first two minutes doing Google dorks returns all sorts of private stuff from quite a few US universities. They are easy targets to say the least.