ZH version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
61% Positive
Analyzed from 3713 words in the discussion.
Trending Topics
#data#ransom#pay#hackers#ransoms#group#paid#illegal#ransomware#https
Discussion (123 Comments)Read Original on HackerNews
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
Instead of paying ransom, and creating a ransomware criminal industry out of thin air, its better to force companies to recover and restore from backups and remove monetary incentive for crime.
and the executives who failed to carry regular backups obviously should face the music
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
https://en.wikipedia.org/wiki/Collective_action_problem
https://en.wikipedia.org/wiki/Prisoner%27s_dilemma
https://www.kiplingsociety.co.uk/poem/poems_danegeld.htm
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
For any individual within the ransom group, they can get a big payout by selling the data.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
They've already proved themselves to be untrustworthy simply by ransoming you in the first place.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.
New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.
Reputation is everything in a collective.
What could go wrong? ;)
0: https://wiki.roshangeorge.dev/w/Benevolent_Terrorist#Poisoni...
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
https://en.wikipedia.org/wiki/Grey_hat
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
This is shockingly naive
[0]: https://cyber.acmucsd.com/canvas (disclosure: I was involved with this org when I was a student)
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on an Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data and they end up throwing a bunch of different data into Salesforce.
It's unclear to me if that means they'll publicly release this or only relese it to their tenant admins.
https://www.instructure.com/incident_update
Hmm. I thought all these agencies say NOT to pay a ransom.
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
This will all be forgotten in a few months.
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
[1] https://www.youtube.com/watch?v=IeTybKL1pM4
[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...
[3] https://xcancel.com/zachxbt/status/2012212936735912351
[4] https://archive.ph/4zD7f
[5] https://archive.ph/NYWbJ
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."
(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].
(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are ilegal.
(3) I think that making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.
(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.
[1]https://2021-2025.state.gov/briefings/department-press-brief...
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
[1] - https://en.wikipedia.org/wiki/ShinyHunters
(https://www.instructure.com/incident_update#:~:text=STATUS%2...)