I don't think I would ever pay ransom under any circumstances. Not for data or system functionality. I'd throw the computers in the river. I know this about myself because I had to deal with a kidnapping and extortion of my best friend in South America around 15 years ago, and a few years later a DDoS extortion attempt on one of my servers (the criminal was released from prison recently and I won a federal judgment against him for damages). Not a day goes by that I don't wish misery and sickness on those people. But something emerged in me during those crises that was not necessarily something I liked about myself in the long run. I wouldn't negotiate. I'm ashamed to admit I risked a friend's life by lying to the kidnappers. But I couldn't believe a word they were saying or even know if she was alive. I went cold and stopped cooperating. It was terrifying but I was in shock. I played poker with someone's life. It's something you don't really know about yourself or ever want to know until you're in the situation. I still have nightmares about it.
For the attacker, this may just be another bullet, another target. Killing or erasing your company's data, for the attacker, may mean absolutely nothing.
How do we go from here? Your job as a negotiator is to get them off their "fight mode" through the use of time, dialogue, and empathy.
By saying "I won't negotiate" you're building a gloom vision that there is no future. If the threat is real, you're out of time and out of luck. As Voss says, "She's dead"*
Further readings:
Stalling for Time: My Life as an FBI Hostage Negotiator ( by Gary Noesner)
Never Split the Difference (Chris Voss)
Ego, Authority, Failure (Derek Gaunt)
Movie: A Hijacking (IMDB)
* "60 seconds or she dies" challenge on YouTube (Chris Voss).
There's a bunch of videos (some better than others), that's why I didn't link to one or another.
The goal of this exercise is to control your emotions and behavior. Easier said than done. I can see how the author above had a problem being logical about the situation. I still have those issues myself even knowing what needs to be done, things just happen. Tough skills and even tougher for a "natural born assertive".
I just delved into this. Fascinating stuff. I think in part it's not that I'm naturally assertive but that I'm the opposite. I can't put myself in the mindset of the attacker. So I'm looking for a technical fix, a way around. I also thought clearly, if I pay, they'll just ask for more. Because how can you possibly expect someone doing something like that to keep their word? So to me it's a bit like the boundary described in that video where giving the hostage-taker a car is just not a viable option.
Tangentially related to technical fixes: There was an incident recently where my brother had his phone SIM-jacked, and the attackers changed his Google password. He recovered access by email but they kept changing the password as quickly as he did. Both parties were still logged in. I called his phone number, someone picked up and then hung up. So I got on Skype on a couple of different machines and basically DoS'd the phone with calls from random Skype numbers nonstop. After about 15 minutes of this they either turned off the phone or the 4G. It bought enough breathing room to change the 2FA on the account and lock down his bank accounts that used Gmail as his verification address. If they'd been smart or fast enough to change both the recovery email and the SMS 2FA it would have been game over.
Right. True. But I mean I'm not sure if my decisions would be based on logical priorities. The first experience really primed me. Terrorized me. Made me want to kill people who do things like that. The second, the one that didn't involve a human life, brought down a transatlantic cable and cost mid six figures not including me working 72 hours straight trying to get into my own servers to migrate them. I not only refused to pay the ransom, which was around $2k, I didn't even disclose the ransom letter to the clients who were down until it was over. I got on the phone with the FBI and devoted a solid chunk of time over the next year to hunting down the attacker. That's not a good priority. It came from deep damage and unresolved anger about the earlier situation.
From a practical viewpoint, the question is simply whether the money multiplied by the chance of success is a better option than the money needed to rebuild.
But I'd rather compare this to a natural disaster you were ill-prepared for. A lightning strike or tornado can also wipe all your data. You can't negotiate ransom with nature. And giving in to ransomware makes it worse for everybody else since it makes ransomware financially viable. IMHO it needs to become socially unacceptable to be ill-prepared for a ransomware attack. I don't care if it was a 0day or whether your security was sloppy. It was your job to be prepared for this.
At CCC events you commonly find a sticker at the exchange tables that reads "Kein Backup, kein Mitleid" - "no backup, no compassion".
But the post makes a good point - you don't need backups. You need restore. Which takes time and is frequently ill planned. Sadly.
Ransomware really is the best possible kind of data loss, at least there’s a recovery path built into it.
On three occasions in my career I've been involved in events which led to large scale data loss. The first time the backups failed, and there was no recovering from it; ever since then I've been religious about testing backups. If you're in a position to just restore from offsite backups, not only can you just flip the bird to people trying to ransom your data, you're also in a good position to deal with anything else, up to and including the data centre containing all your servers being burnt to the ground.
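The point made in the two comments above (you need restore, not backups, and backups must be tested) as an added worked example that is not part of this thread: a standard-library Python restore drill that takes a backup, records a manifest of file hashes at backup time, restores the archive into a scratch directory, and compares what came back against the manifest. The file tree, archive names and sample contents are constructed for the example; the drill also exercises two failure modes a real restore test has to catch, a backup whose contents silently drifted from the manifest and an archive truncated mid-transfer.

```python
"""Restore drill: prove a backup restores cleanly, not merely that it exists.
Added example (not from the thread); all data is constructed inline."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative path -> sha256 for every file under src, captured at backup time."""
    return {p.relative_to(src).as_posix(): sha256_bytes(p.read_bytes())
            for p in sorted(src.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write src into a tar.gz and return the manifest to keep alongside it (off-box)."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def _safe_rel(name: str) -> bool:
    """Reject absolute paths and '..' components so a bad archive cannot write outside dest."""
    parts = Path(name).parts
    return bool(parts) and not name.startswith(("/", "\\")) and ".." not in parts


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore archive to a scratch dir and verify every manifest entry. Returns a report."""
    report = {"ok": False, "missing": [], "corrupt": [], "unexpected": [], "error": None}
    restored = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar:
                    if not (m.isfile() and _safe_rel(m.name)):
                        continue  # skip directories, links and unsafe member paths
                    out = dest / m.name
                    out.parent.mkdir(parents=True, exist_ok=True)
                    out.write_bytes(tar.extractfile(m).read())
                    restored[m.name] = sha256_bytes(out.read_bytes())
        except Exception as e:  # any failure to unpack is a failed restore, record it
            report["error"] = f"{type(e).__name__}: {e}"
            return report
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["corrupt"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


def demo() -> dict:
    """Constructed scenario: a good backup, a drifted backup and a truncated archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'acme');\n")
        (src / "app.cfg").write_text("listen = 8080\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        good_archive = root / "good.tar.gz"
        manifest = make_backup(src, good_archive)
        good = restore_drill(good_archive, manifest)

        # Silent drift: one file altered, one lost, one stray; verify against the ORIGINAL manifest
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'ACME');\n")
        (src / "notes.txt").unlink()
        (src / "stray.log").write_text("not in the manifest\n")
        drift_archive = root / "drift.tar.gz"
        make_backup(src, drift_archive)
        drifted = restore_drill(drift_archive, manifest)

        # Truncated copy, e.g. an offsite transfer that was cut off halfway
        data = good_archive.read_bytes()
        trunc_archive = root / "trunc.tar.gz"
        trunc_archive.write_bytes(data[: len(data) // 2])
        truncated = restore_drill(trunc_archive, manifest)
    return {"good": good, "drifted": drifted, "truncated": truncated}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the part that makes this a test rather than a ritual: a restore that "succeeds" but yields different bytes from what was backed up is reported as corrupt, a file that never made it into the archive is reported as missing, and an archive that cannot be unpacked at all is reported as an error instead of raising. In practice the manifest should live somewhere the backup host cannot overwrite, and the drill should run on a schedule against the real offsite copy.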
Yeah, I hate the $×t argument because generally it only factors in your $ and t. The impact to others and other secondary costs are frequently not included.
The ransomware I've come across has lots of special heuristics to try and not destroy your data... Things like taking a copy and then doing an atomic replace...
Admittedly I've only had to deal with ransomware once, trying to help a friend. That one was way too shoddily written for anything like atomic replace or DB identification heuristics…
I think this is wrong. It's Bitcoin alone that is the problem. Ransom demands will exist as long as it's a viable money-making enterprise. Asking humans not to be human isn't usually an effective strategy for anything. The only solution is to remove the incentive, the value of crypto. Bonus for the planet since crypto also incentivizes coal burning and other pollution.
Before it gets mentioned, here is a good post on why ransomware gangs love (traceable) Bitcoin. Most ransomware gangs are more or less well known, not really anonymous.
The FBI could set up a website where you can check whether your Bitcoins were involved in some crime.
This would set up an interesting experiment. Would you accept a $20 dollar bill in the supermarket if you knew it was used in some ransom case? And what if suddenly you knew you owned such a $20 dollar bill? Would you try to get rid of it as quickly as possible?
Does the bill’s involvement in a ransom reduce the value of the bill or implicate me in any way? I’ve never considered someone morally responsible for the provenance of their money outside their control. Maybe I’m missing the point.
That's exactly as stupid as invalidating, say, a 20€ note that I got in change from paying a taxi ride, and the driver received in good faith from some crook who took a ride with him before me. By "invalidating" it, you're robbing me of the worth of that note, those 20€, even though I had nothing to do with that crook.
Traceability has been hideable for a long time with CoinJoin transactions and Ethereum bridges. However, ransomware gangs have not utilized them, so it is a sign that they do not care.
First off, I remember reading that it was not control of their infrastructure that the hackers had, it was control of the accounting systems. They are separated functions and the pipeline could not bill folks, that's why they shut it down... think about that... these folks shut it down because they were worried about counter-party risk in payments...
> So you’re like, “Oh great. We have backups, the data is there, but the application to actually do the restoration is encrypted.”
From my experience dealing with ransomware, most encrypted applications are not recoverable, even with the key. Those app servers need to be rebuilt or restored. File servers and individual files can be decrypted using the key, but applications get scrambled.
They need to be rebuilt. There’s no ifs or buts about that, once a server has been compromised by a malicious actor it can no longer be trusted. Even if you could just restore functionality you have no guarantees that there’s not a time bomb ticking away to hit you again at some later date now they’ve established you’ll pay out.
So many businesses don't do DR/BCP or security properly. 99% of businesses cannot survive losing data, so it's crazy to not have proven backups and automated infrastructure restoration.
It's like with cloud and microservices, most of the time backups, monitoring, and security aren't even considered.
The U.S. Constitution permits “Letters of Marque and Reprisal”, essentially Congress giving individuals permission to wage outright war on foreign entities. Ransoms (be it for life or data) are absolutely an appropriate application.