DE version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
61% Positive
Analyzed from 3152 words in the discussion.
Trending Topics
#ransom#data#pay#group#paid#ransomware#hackers#https#reputation#paying
Discussion (92 Comments)Read Original on HackerNews
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
Instead of paying ransom, and creating a ransomware criminal industry out of thin air, its better to force companies to recover and restore from backups and remove monetary incentive for crime.
and the executives who failed to carry regular backups obviously should face the music
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
https://en.wikipedia.org/wiki/Collective_action_problem
https://en.wikipedia.org/wiki/Prisoner%27s_dilemma
https://www.kiplingsociety.co.uk/poem/poems_danegeld.htm
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
For any individual within the ransom group, they can get a big payout by selling the data.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
They've already proved themselves to be untrustworthy simply by ransoming you in the first place.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.
New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.
Reputation is everything in a collective.
What could go wrong? ;)
0: https://wiki.roshangeorge.dev/w/Benevolent_Terrorist#Poisoni...
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
https://en.wikipedia.org/wiki/Grey_hat
[0]: https://cyber.acmucsd.com/canvas
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on an Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data and they end up throwing a bunch of different data into Salesforce.
Unclear if that means they'll publish this publicly.
https://www.instructure.com/incident_update
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
This is shockingly naive
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
This will all be forgotten in a few months.
Hmm. I thought all these agencies say NOT to pay a ransom.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
[1] https://www.youtube.com/watch?v=IeTybKL1pM4
[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...
[3] https://xcancel.com/zachxbt/status/2012212936735912351
[4] https://archive.ph/4zD7f
[5] https://archive.ph/NYWbJ
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
[1] - https://en.wikipedia.org/wiki/ShinyHunters
(https://www.instructure.com/incident_update#:~:text=STATUS%2...)