by verandaguy 2189 days ago
Optimistic counterpoint: a high-profile, (relatively) high-value ransom payout like USC's may incentivise other orgs vulnerable to this kind of attack to take steps to prevent this kind of issue.

Anything from restricting program capabilities/permissions for external executables, to keeping "colder" backups of business-critical data, to monitoring and responding to software that looks like it's traversing the whole filesystem, could reduce the harm ransomware causes.

  like USC's
UCSF is University of California, San Francisco. USC is University of Southern California, a private school.
Good catch, thanks!
You can't really protect against this sort of thing. A lot of our IT security runs on trust. The only way to really prevent this is to make sure that ransom attacks don't pay out.

EDIT: I should mention that I've managed IT services for a major private university earlier in my career, and I am now a software security consultant. When I say it is not possible, I mean that pragmatically. A FAANG company can control their IT well enough to make sure this doesn't happen to them, but a hospital or university relies on computer systems running software way outside of their control. That MRI machine? Its controller is probably running some ancient version of Windows Server 2003 with proprietary drivers. That university registration app? Custom coded by generations of CS student interns running on a shared system whose operating constraints are set by the Novell GroupWise instance that is co-hosted on it.

As a practical matter, one of these organizations simply cannot reduce their risk to zero or near zero. There are too many attack vectors they don't have control over. The IT departments can't mandate proper security because they don't have the budget to enforce it.

You can't fully protect, sure, but you can have a person or team alerted on suspicious behaviour. You could also try to configure your infrastructure so that any code imported via vectors that ransomware usually uses is compartmentalized in a VM, container, or other chroot-like env.

And honestly, having even week-old cold backups makes this kind of attack _considerably_ less scary and cheaper, and it enables you to skip the payout (and I'm on the same page as you on that — if there's no money to be made, ransomware attacks will drop off).
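The monitoring idea raised in both comments above (alerting on software that looks like it is traversing the whole filesystem) can be sketched in code. The following is an added example written for this thread, not code from any commenter or product. It assumes an endpoint agent has already exported file-activity events as plain lines of the form `<epoch_seconds> <pid> <process_name> <op> <path>` (with `RENAME` carrying `old -> new`); the event lines, process names and thresholds below are constructed for illustration. The detector flags a process only when, within one time window, it touches many distinct files across many directories and repeatedly changes file extensions on rename, so a backup agent that copies a lot of files without renaming them does not trip it.

```python
"""Toy mass-rename detector over constructed file-activity events.

Added example for this discussion; not part of any real agent or EDR product.
Input format (assumed): "<epoch_seconds> <pid> <process_name> <op> <path>"
where op is WRITE, or RENAME with the path given as "old -> new".
"""
from collections import defaultdict
from pathlib import PurePosixPath

WINDOW_SECONDS = 60   # sliding window per process
MIN_FILES = 20        # distinct files touched inside one window
MIN_DIRS = 5          # distinct directories touched inside one window
MIN_EXT_CHANGES = 10  # renames that change the file extension


def parse_line(line):
    """Return (ts, pid, process_name, path, extension_changed) for one event."""
    ts, pid, name, op, rest = line.split(maxsplit=4)
    if op == "RENAME":
        old, new = rest.split(" -> ")
        changed = PurePosixPath(old).suffix != PurePosixPath(new).suffix
        return int(ts), int(pid), name, new, changed
    return int(ts), int(pid), name, rest, False


def detect(lines):
    """Return one alert dict per process whose activity matches all thresholds."""
    per_pid = defaultdict(list)
    names = {}
    for line in lines:
        ts, pid, name, path, changed = parse_line(line)
        per_pid[pid].append((ts, path, changed))
        names[pid] = name

    alerts = []
    for pid, events in per_pid.items():
        events.sort()  # by timestamp
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= WINDOW_SECONDS.
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            files = {p for _, p, _ in window}
            dirs = {str(PurePosixPath(p).parent) for _, p, _ in window}
            ext_changes = sum(1 for _, _, c in window if c)
            if (len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS
                    and ext_changes >= MIN_EXT_CHANGES):
                alerts.append({
                    "pid": pid,
                    "process": names[pid],
                    "files": len(files),
                    "dirs": len(dirs),
                    "ext_changes": ext_changes,
                    "window_start": events[start][0],
                })
                break  # one alert per process is enough
    return alerts


def build_sample_events():
    """Constructed sample events: one benign bulk copier, one suspicious renamer,
    and one benign converter that changes only a handful of extensions."""
    lines = []
    for i in range(30):  # backup agent: many files, many dirs, no extension changes
        d = f"/srv/backup/home/user{i % 6}"
        lines.append(f"{1000 + i} 4100 backupd WRITE {d}/report{i}.docx")
    for i in range(25):  # hypothetical process renaming documents to a new suffix
        d = f"/home/user{i % 6}/Documents"
        lines.append(f"{2000 + i} 5200 unknown_updater RENAME "
                     f"{d}/notes{i}.docx -> {d}/notes{i}.docx.locked")
    for i in range(3):   # converter: few extension changes, single directory
        lines.append(f"{3000 + i} 6300 docx2pdf RENAME "
                     f"/tmp/out{i}.tmp -> /tmp/out{i}.pdf")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(f"ALERT pid={alert['pid']} process={alert['process']} "
              f"files={alert['files']} dirs={alert['dirs']} "
              f"ext_changes={alert['ext_changes']} from t={alert['window_start']}")
```

Requiring all three conditions together is the point: file count alone would also flag the backup agent, and extension changes alone would flag a document converter. In a real deployment the thresholds would be tuned per host role, and the alert would feed the on-call person or team the comment above describes rather than just being printed.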