22nd June 2018 resource updates

Updates to Cryptocurrency/Crypto-mining News and Resources

Carl Sigler (Trustwave) for Help Net Security: Why cybercriminals are turning to cryptojacking for easy money. While another article cites a Morphisec report: Banking Trojans and cryptojacking on the rise.

Trend Micro: Drupal Vulnerability (CVE-2018-7602) Exploited to Deliver Monero-Mining Malware

ESET: South Korea’s largest cryptocurrency exchange hacked – “Bithumb has claimed that $31.5 million worth of virtual coins were stolen by hackers”

Updates to GDPR page

Threatpost: SNEAKY WEB TRACKING TECHNIQUE UNDER HEAVY SCRUTINY BY GDPR

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

SEC Consulting: TRUE STORY: THE CASE OF A HACKED BABY MONITOR (GWELLTIMES P2P CLOUD) – commentary by the Register: Don’t panic, but your baby monitor can be hacked into a spycam

The Register: Schneier warns of ‘perfect storm’: Tech is becoming autonomous, and security is garbage – “Schneier told El Reg after his speech: “Everybody understands what might happen if your pacemaker is hacked and it delivers a lethal charge, but what if I took over some inter-connected robot toy and tripped you in your house? It’s a little more subtle.”

The Register: Are your IoT gizmos, music boxes, smart home kit vulnerable to DNS rebinding attacks? Here’s how to check – “Fancy website, code emitted – Roku, Google, etc stuff at risk”

Updates to Specific Ransomware Families and Types

Paul Ducklin for Sophos: “WannaCrypt” ransomware scam demands payment in advance! – “The good news is that these particular crooks don’t actually have any malware to back up their threat.”

Updates to Tech support scams resource page

Sophos: Elderly victims conned out of millions by tech support scammer

Updates to Anti-Malware Testing

Updated anti-malware testing resources page

Updates to Mac Virus

David Harley

Advertisements

20th June resource updates

Updates to Anti-Social Media 

Lukas Stefanko : New Telegram-abusing Android RAT discovered in the wild – “Entirely new malware family discovered by ESET researchers”

Updates to Cryptocurrency/Crypto-mining News and Resources

GB Hackers: Bithump Hacked – Hackers Steal $31 Million Worth Cryptocurrency

The Register: At last, a use for Intel’s SGX – locking AI and blockchain, says Intel – “Bias-enabling algorithms and smart contract tech no one quite trusts now easier to secure”

Also from The Register: Hot new application for blockchain: How does botnet control sound? – “It could happen, warns researcher” (to be precise, Omer Zohar in a presentation at BSides Tel Aviv, called Unblockable Chains – Is Blockchain the ultimate malicious infrastructure?).

Pierluigi Paganini: Android-based devices Amazon Fire TV and Fire Stick hit by cryptomining malware

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

ZDNet: Vulnerabilities in these IoT cameras could give attackers full control, warn researchers – “Researchers at VDOO discover vulnerabilities which, if left unpatched, could allow attackers to take control of the devices or rope cameras into botnets”

The Register: Um, excuse me. Do you have clearance to patch that MRI scanner? – “Healthcare regulations working against cybersecurity, claims expert”

Updates to Specific Ransomware Families and Types

Malwarebytes: SamSam ransomware: controlled distribution for an elusive malware

Updates to Mac Virus

June 20th iOS and Android news

David Harley

June 16th updates

Updates to Anti-Social Media 

Bloomberg: Apple Tries to Stop Developers From Sharing Data on Users’ Friends – “Apple Inc. changed its App Store rules last week to limit how developers use information about iPhone owners’ friends and other contacts, quietly closing a loophole that let app makers store and share data without many people’s consent.

Updates to GDPR page

  1. The Register: EU-US Privacy Shield not up to snuff, data tap should be turned off – MEPs –
    “Civil liberties committee votes: US has until Sept to comply”
    (In case you thought all those GDPR notifications had fixed everything.
  2. Help Net, citing Avecto: With the GDPR, companies face new era of compliance and transparency – “Just 56 percent of North American professionals and two-thirds of respondents from UK and Germany were aware that the GDPR impacts any company with European customers, employees and partners.”

Updates to Meltdown/Spectre and other chip-related resources

1.

Lawrence Abrams for Bleeping Computer: New Lazy FP State Restore Vulnerability Affects All Intel Core CPUs – ‘According to Intel this new vulnerability affects all Intel Intel Core-based microprocessors and is a bug in the actual CPU, so it does not matter what operating system the user is running. It could be Windows, Linux, BSD, or any other operating running an an Intel Core-based CPU and using “Lazy FPU context switching”.’

2.

The Register: Intel chip flaw: Math unit may spill crypto secrets to apps – modern Linux, Windows, BSDs immune – “Malware on Cores, Xeons may lift computations, mitigations in place or coming … In short, the security hole could be used to extract or guess at secret encryption keys within other programs, in certain circumstances, according to people familiar with the engineering mishap.”

3.

The Register: Boffins offer to make speculative execution great again with Spectre-Meltdown CPU fix – “Good thing too because Intel’s planned chip changes may break Google’s Retpoline”

“In a paper distributed this week through the ArXiv preprint server, “SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation,” computer scientists from University of California, Riverside, College of William and Mary and Binghamton University describe a way to isolate the artifacts produced by speculative execution so that they can’t be used to glean privileged data.”

Updates to Specific Ransomware Families and Types

Everbe: Pierluigi Paganini – Experts released a free decryptor for Everbe Ransomware

Bleeping Computer: New MysteryBot Android Malware Packs a Banking Trojan, Keylogger, and Ransomware

Updates to Chain Mail Check

Updates to Mac Virus

  1.  ADB.Miner and a continuing vulnerability

“Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He cites the following from Android’s developer portal:

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

“The ADB.Miner worm exploited the Android Debug Bridge (ADB) … used for troubleshooting faulty devices …  some vendors have been shipping Android-based devices where the ADB over WiFi feature has been left enabled in the production version…”

2.

The Register: Apple will throw forensics cops off the iPhone Lightning port every hour

“Initially, Restricted Mode required a passcode after one week. But Apple confirmed yesterday that a plugged-in iPhone will require a passcode every hour for the data transfers to continue. … Since cracking the six-digit passcode may take up to 22 hours (or longer for a passphrase), then brute-force methods used by the cracking tools are likely to cease to work.”

3.

Josh Pitts, for Okta, goes into extensive detail about a “vulnerability [that] exists in the difference between how the Mach-O loader loads signed code vs how improperly used Code Signing APIs check signed code and is exploited via a malformed Universal/Fat Binary.” I can be Apple, and so can you – A Public Disclosure of Issues Around Third Party Code Signing Checks

For Bleeping Computer, Lawrence Abrams summarizes: Mac Security Tool Bugs Allow Malware to Appear as Apple Software.

John Leyden for The Register: Hello, ‘Apple’ here, and this dodgy third-party code is A-OK with us – “Subtle attack thwarts macOS code-signing process”

4.

Lukas Stefanko for ESET: Android users: Beware these popularity-faking tricks on Google Play
– “Tricksters have been misleading users about the functionality of apps by displaying bogus download numbers … …since unknown developer names are no use for popularity-boosting purposes anyway, some app authors have been setting fictitious, high numbers of installs as their developer names, in an effort to look like established developers with vast userbases.”

5.

Bloomberg: Apple Tries to Stop Developers From Sharing Data on Users’ Friends – “Apple Inc. changed its App Store rules last week to limit how developers use information about iPhone owners’ friends and other contacts, quietly closing a loophole that let app makers store and share data without many people’s consent.

6.

Bleeping Computer: New MysteryBot Android Malware Packs a Banking Trojan, Keylogger, and Ransomware

David Harley

Cryptomining – it’s off to scam we go

1.

ADB.Miner and a continuing vulnerability

“Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He cites the following from Android’s developer portal:

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

“The ADB.Miner worm exploited the Android Debug Bridge (ADB) … used for troubleshooting faulty devices …  some vendors have been shipping Android-based devices where the ADB over WiFi feature has been left enabled in the production version…”

2.

Catalin Cimpanu for Bleeping Computer: Ethereum “Giveaway” Scammers Have Tricked People Out of $4.3 Million – Online crooks promoting fake “giveaways” have tricked people out of 8,148 Ether, currently worth around $4.3 million, according to statistical data compiled in EtherScamDB.”

3.

Graham Cluley: Bitcoin price takes a dive after another cryptocurrency exchange hack
– “Billions of dollars worth of wealth were wiped out this weekend after a South Korean cryptocurrency exchange was hacked … The exchange in question is called Coinrail…”

4.

Lisa Vaas for Sophos: SHOCK! HORROR! SURPRISE! Bitcoin priceplosion may have been market manipulation – “Last year’s meteoric rise in the value of Bitcoin and other cryptocurrencies might well have been artificially inflated, according to a paper released on Wednesday by University of Texas finance professor John Griffin and graduate student Amin Shams.” Maybe not an outright scam, but a bit shady, if true.

David Harley

AVIEN resource updates 8th June 2018

Updates to Cryptocurrency/Crypto-mining News and Resources

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Updates to GDPR page

James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside  – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary – you may not be able to read this without a router. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface. And sometimes even necessary devices entail security risks.]

Stephen Cobb for ESET: VPNFilter update: More bad news for routers 
“New research into VPNFilter finds more devices hit by malware that’s nastier than first thought, making rebooting and remediating of routers more urgent.”

The Register: IoT CloudPets in the doghouse after damning security audit: Now Amazon bans sales “Amazon on Tuesday stopped selling CloudPets, a network-connected family of toys, in response to security and privacy concerns sounded by browser maker and internet community advocate Mozilla.” Commentary by Graham Cluley for BitDefender: Creepy CloudPets pulled from stores over security fears

Updates to Tech support scams resource page

Help Net Security: Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines – “Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on.”

Updates to Chain Mail Check

Tomáš Foltýn for ESET: You have NOT won! A look at fake FIFA World Cup-themed lotteries and giveaways

“With the 2018 FIFA World Cup in Russia just days away, fraudsters are increasingly using all things soccer as bait to reel in unsuspecting fans so that they get more than they bargained for”

Updates to Mac Virus

John E. Dunn for Sophos: Apple says no to Facebook’s tracking
“Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites…this will ask users whether to allow or block web tracking quietly carried out by a certain co”mpany’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.

Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

And from the New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends –
“The company formed data-sharing partnerships with Apple, Samsung and
dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too

David Harley

Apple on Safari, gunning for Facebook?

Updates to Anti-Social Media 

John E. Dunn for Sophos: Apple says no to Facebook’s tracking
“Later this year, users running the next version of Apple’s Safari browser on iOS and macOS should start seeing a new pop-up dialogue box when they visit many websites…this will ask users whether to allow or block web tracking quietly carried out by a certain co”mpany’s ‘like’, ‘share’ and comment widgets.” And the dialog text in the demo to which the article refers specifically mentions Facebook.

On the other hand: Caleb Chen for Privacy News Online: Apple could have years of your internet browsing history; won’t necessarily give it to you – “Apple has years of your internet browsing history if you selected “sync browser tabs” in Safari. This internet history does not disappear from their servers when you click “Clear internet history” on Safari  … Additionally, the data stored and provided seems to be different for European Union based requesters versus United States based requesters. Discovering these sources of metadata is arguably one of the side effects of GDPR compliance. ”

New York Times: Facebook Gave Device Makers Deep Access to Data on Users and Friends –
“The company formed data-sharing partnerships with Apple, Samsung and
dozens of other device makers, raising new concerns about its privacy protections.” And commentary by Help Net Security: Facebook gave user data access to Chinese mobile device makers, too

James Barham of PCI Pal for Help Net: Shape up US businesses: GDPR will be coming stateside  – “European consumers have long been preoccupied by privacy which leaves us wondering why the US hasn’t yet followed suit and why it took so long for consumers to show appropriate concern? With the EU passing GDPR to address data security, will we see the US implement similar laws to address increased consumer anxiety?” And yes, Facebook gets more than one mention here.

David Harley

June 6th 2018 resources update (MacVirus)

Updates to Mac Virus

[Posted to Mac Virus as the article iOS and Android developments, and all those Apple updates]

Oleg Afonin for Elcomsoft: iOS 11.4.1 Beta: USB Restricted Mode Has Arrived – “As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time … Well, there we have it: Apple is back on track with iOS 11.4.1 beta including the new, improved and user-configurable USB Restricted Mode.”

I haven’t paid much attention to news-recycling sites (apart from The Register, maybe)  in recent years, but these two ZDNet reports actually mildly impressed me. 

Adrian Kingsley-Hughes for ZDNet: Your iPhone is tracking your movements and storing your favorite locations all the time. He says: “Now, you may be like me and not care about this data being collected, and might even find it a useful record of where you’ve been over the previous weeks and months. But if you’re uncomfortable for any reason with this data being collected, then Apple offers several ways you can take control over it.” Even if you don’t mind these data being collected by your operating system, you also have to think about the apps that may be accessing it at second hand.

Kind of weirdly, Larry Dignan (also for ZDNet) tells us that Apple, Google have similar phone addiction approaches with iOS, Android. Well, it’s always nice (if unexpected) when Big Business displays a sense of civic responsibility. However, Dignan is probably right when he remarks: “The research is just starting to be compiled on smartphone addiction and what happens when your life is overloaded by apps and notifications. Think of the digital health push from Apple and Google as a way to provide talking points before screen time becomes a Congressional hearing someday.”

Related story from the South China Morning Post: New Apple tools to limit screen time, and stop Facebook tracking, revealed at developers’ conference – “Digital tool ‘Screen Time’ in Apple’s iOS 12 will show how long you spend on each iPhone app and let you set daily limits, while its web browser Safari will get security upgrades to stop users being tracked by other companies”

Andrew Orlowski for The Register: You know what your problem is, Apple? Complacency – “Let’s praise the cosy mobile duopoly working so hard to make things so much better” So much cynicism around this week…

For Help Net, Zeljka Zorz summarizes the latest crop of Apple updates to practically everything: Apple security updates, iOS and macOS now support Messages in iCloud

Plus:

Updates to Meltdown/Spectre and other chip-related resources

Mark Pesce for The Register: ‘Moore’s Revenge’ is upon us and will make the world weird – “When everything’s smart, the potential for dumb mistakes becomes enormous”.

David Harley

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary (routers, for instance, in the story that leads below). But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is always necessary, or even desirable, given how often that connectivity widens the attack surface.]

Stephen Cobb for ESET: Router reboot: How to, why to, and what not to do – “The FBI say yes but should you follow this advice? And if you do follow it, do you know how to do so safely?”

Catalin Cimpanu for Bleeping Computer: The VPNFilter Botnet Is Attempting a Comeback – “…APT28 appears to be unphased by the FBI’s takedown of its original VPNFilter botnet and is now looking for new devices to compromise, and maybe this time, get to carry out its planned attack.”

Talos: VPNFilter Update – VPNFilter exploits endpoints, targets new devices “In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints.”

Mark Pesce for The Register: ‘Moore’s Revenge’ is upon us and will make the world weird – “When everything’s smart, the potential for dumb mistakes becomes enormous”.

Zeljka Zorz for Help Net Security: How Mirai spawned the current IoT malware landscape (with particular reference to Satori, JenX, OMG and Wicked.

Gareth Corfield for The Register: UK.gov lobs £25m at self-driving, self-parking, self-selling auto autos – “Not just the vehicle tech but a data marketplace too” What could go wrong? Well, maybe stay away from Westworld and Jurassic Park…

John Leyden for The Register: Crappy IoT on the high seas: Holes punched in hull of maritime security – “Researchers able to nudge ships off course … Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking and worse”

David Harley

(Anti-)Social Media – news updates June 6th 2018

The Register: ‘Tesco probably knows more about me than GCHQ’: Infosec boffins on surveillance capitalism – “Cambridge Uni powwow broods on Facebook, Wannacry” There seem to have been a lot of good points made there. I’m rather sorry I didn’t get to it, but it’s a long way from my part of the world…

Surveillance by cookie isn’t, of course, confined to social media. Perhaps more people have become aware of them recently with the pitter-patter of GDPR-inspired pop-ups on sites noting that they use them, and on occasion requiring visitors to agree to their being used if they’re to continue using the site. What could go wrong? Here’s an interesting, mildly techie paper from Digital Interruption: Are Your Cookies Telling Your Fortune? – An analysis of weak cookie secrets and OSINT. OSINT, by the way, is Open-Source Intelligence, information gathered from publicly available sources.

Sophos: Facebook faces furious shareholders at annual meeting – “Another investor, Will Lana of Trillium Asset Management, said that his firm has been keeping track of the scandals in which Facebook is embroiled. It’s tallied “at least 15 distinct controversies,” he said, as he spoke in favor of a proposal to change the board’s approach to risk management”. [But don’t worry:  Zuckerberg and the Board of Directors managed to ’emerge from the meeting unscathed’. Well, you can worry if you like…]

Thomas Claburn for The Register: Facebook insists device data door differs from dodgy dev data deal – “Facebook on Sunday said an arrangement that gave some 60 mobile device makers access to data about device users’ Facebook friends is not at all like the deal it made with app developers that gave rise to the Cambridge Analytica scandal.” Oh, good…

Given the number of Facebook denizens who are interested in genealogy and heredity, this seems a suitable place to mention a Brian Krebs article: Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage

Catalin Cimpanu for Bleeping Computer: Washington State Sues Facebook and Google Over Election Ads – “Washington State Attorney General Bob Ferguson filed two lawsuits on Monday against Facebook and Google on the grounds of breaking local campaign finance laws.”

Here are a couple of items I’ve also posted to the Mac Virus site, and which are also relevant to the anti-social media page. I haven’t paid much attention to news-recycling sites (apart from The Register, maybe)  in recent years, but these two ZDNet reports actually mildly impressed me.

Adrian Kingsley-Hughes for ZDNet: Your iPhone is tracking your movements and storing your favorite locations all the time. He says: “Now, you may be like me and not care about this data being collected, and might even find it a useful record of where you’ve been over the previous weeks and months. But if you’re uncomfortable for any reason with this data being collected, then Apple offers several ways you can take control over it.” Even if you don’t mind these data being collected by your operating system, you also have to think about the apps that may be accessing it at second hand.

Kind of weirdly, Larry Dignan (also for ZDNet) tells us that Apple, Google have similar phone addiction approaches with iOS, Android. Well, it’s always nice (if unexpected) when Big Business displays a sense of civic responsibility. However, Dignan is probably right when he remarks: “The research is just starting to be compiled on smartphone addiction and what happens when your life is overloaded by apps and notifications. Think of the digital health push from Apple and Google as a way to provide talking points before screen time becomes a Congressional hearing someday.”

David Harley

Ransomware – should you pay up?

According to Help Net Security, the 2018 Risk:Value Report from NTT Security reveals some disquieting facts about how organizations deal with ransomware:

  • 33% would pay a ransom demand rather than invest in better security.
  • 16% are not sure whether they’d pay up or not.
  • Just over half would be prepared to invest actively in information security.

For the report, NTT “surveyed 1,800 C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from across multiple industry sectors.”#

I haven’t downloaded the actual report, as to do so requires registration and I don’t particularly want to be regarded as a potential customer by NTT. And, in fact, while there are evidently lots of other interesting data in the report, I want to focus here on the willingness of so many organizations to accede to the demands of the criminals. Let me refer you to an article by Kevin Townsend from 2016, in which he quoted me at some length (and I discussed those issues at greater length here). Better still, here’s a longer section from the text I originally sent him in response to this question:

“…some figures suggest that 40% of corporate victims pay up. Many AV companies say there is little chance of recovery without the keys. FBI says corporates have a risk decision to make. Europol says simply ‘don’t pay’. Is Europol being realistic?”

[Perhaps it’s a positive that the later report suggests a lower figure of victims that pay up, but there are probably too many variables to rely on that being a definite trend. Anyway, since the question seems to have been put hypothetically, it’s quite possible that respondents would react quite differently if they actually found themselves in the position of ransomware victims, by gritting their teeth and ponying up.]

Anyway, this was my (very slightly edited) response:

 In the abstract, there’s an undeniable argument that if you give in and pay the ransom, you’ve directly contributed to the well-being of criminality. In many cases, it’s a purely economic decision: it’s cheaper to pay up than lose the data. In fact, you’re sustaining a protection racket. On the other hand, if you don’t pay up, you probably don’t get your data back – sometimes there is an effective free decrypter available, but most of the time we can’t provide one – and maybe the damage is so severe that you go out of business. You can’t blame people – or companies – to prefer paying up to economic suicide, any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the Board of Directors to survive the damage to their finances.

If people and companies didn’t pay up, then ransomware attacks would become uneconomic, which wouldn’t stop criminality, but would force crooks to explore other avenues – or maybe I should say dark alleyways. However, the attacks will remain economically viable as long as people aren’t prepared or able to defend their data proactively. It’s easy for those who have the knowledge and resources to implement adequate defences – not as easy as many commentators point out – to say that it’s ‘wrong’ to give in to ransom demands. Of course companies should implement such defences, and that would impact on the viability of the attacks. If they don’t do so because it’s cheaper to pay up than to spend money on a backup strategy, then that is reprehensible. I don’t know how often that happens, though: after all, sound backup practice is a defence against all sorts of misfortune, not just ransomware.

I was taken to task by a commenter on one of my ESET blogs for implying that paying the ransom is sometimes acceptable, pointing out that (I’m paraphrasing) failing to ensure that all an organization’s data could be backed up and recovered as necessary is essentially a symptom of management failure. I’m inclined to agree, in general, as I think my quoted text above bears out. Do incompetence and clinging to false economy make it unacceptable to pay a ransom? Well, that’s a more complicated question. After all, the people who are penalized if an organization chooses not to pay ransom and therefore loses its data are by no means always the people whose incompetence and penny-pinching put their data in jeopardy. I’ll come back to that.

He also asserted that apart from the fact that payment perpetuates the problem, some of the money paid in ransom goes to fund organized crime and even terrorism. Well, that’s a very good point. And while I don’t think it’s necessarily up to me to decide what is or isn’t ‘acceptable’ behaviour on the part of a victim of ransomware, I would at least agree that a ransomware victim (individual or organization) should take into account that possibility. I don’t know how much money paid to ransomware gangs actually does go to organized crime or to fund terrorism, but I’m certainly not going to say it doesn’t happen.

But does that mean that paying ransom should in itself be a crime? Well, we don’t usually go after people who pay up in cases of kidnapping, protection rackets, and so forth, even though those payments may subsidize all sorts of undesirable activities, so I’m not convinced. The more so since I can think of several scenarios that might be seen as being in mitigation. To quote myself again (again, lightly edited):

  • An individual is faced with losing decades worth of family photos or other irreplaceable data.
  • A healthcare organization faces an ethical dilemma because the medical records of thousands of clients are at risk: if they pay, criminals benefit, but if they don’t, the health of many is put at risk. It’s easy to say it’s the victims’ own fault in these cases, but it isn’t necessarily the case: data might be backed up but unrecoverable for a variety of reasons – a failed or incompetent 3rd-party provider, or natural disaster, for instance.

There might be an argument for criminalizing ransom payment where a company could access backups but chooses not to because it’s cheaper to pay up, but that’s still penalizing the victim for the actions of the criminal.

David Harley