Paying a ransom is like defecting in a prisoner's dilemma: it benefits you at the expense of hurting everyone else who will be stuck in the same situation. Making it illegal just forces everyone to cooperate and is something everyone would prefer.
Should be possible to prosecute under existing laws: you're providing support to a criminal enterprise, sounds illegal already.
This story provides a good counterpoint. What if doing so saves lives at a hospital that needs to get back online ASAP? A "saves lives" loophole?
Not to mention every law should first be measured on whether it is at all practical to meaningfully enforce. I guarantee there has been 100x more companies who've paid the ransom and didn't release a press release like this one did.
If a whole bunch of people are going to do it anyway quietly and the law isn't going to stop them, we're just going to occasionally double up the fines on the random businesses that get caught. While these endless ransomware hackings continue.
I'd much rather we spent public resources on prevention.
I 100% disagree. Sometimes it is the only way to get things back running. I understand it's the organization's fault for not having backups. It would destroy some businesses, hospitals, schools if they weren't able to pay the ransom.
When ransomware was a new idea and seemed to be primarily targeting individuals, it made sense that paying your way out should ultimately be legal. Any law against it would be difficult to enforce, so bad actors would still be incentivized to launch attacks, and only law abiding citizens would be hurt.
But now they're attacking banks, and hospitals, and cities. I have trouble imagining large hospital systems would be able to discreetly pay hundreds of thousands of dollars illegally without anyone noticing—and if they did, it would be easy to prosecute.
Ergo, outlawing these payments should very significantly reduce the number of ransomware attacks against these large targets. If no one can pay, there's no incentive to attack.
> Making it illegal just forces everyone to cooperate and is something everyone would prefer.
Doesn't making it illegal just change the cost structure? The penalty for illegally paying a ransom in your proposed system would be simply to pay a fine. It's effectively how a rich person might look at a parking ticket for a premium parking spot - it might be cheaper for them to simply pick the illegal spot than to have to drive 2 miles away and call an Uber to get to their destination.
There's also no guarantee that paying gets you your data back. Either because the ransom holders don't care, or because a white hat killed off some part of the ransom holder's communication channel.
Sure, let's use the DEA to enforce that law since they are already experts at persecuting victims.
How about instead the government proactively pentests and fines orgs for security violations, and uses the money to finance education, training, and security development?
How arrogant to comment that these hospital systems should have been secured by now, given that WannaCry has hit hospitals in the past couple of years. Shows a lack of understanding of the economics of security. I agree with the point made by others about not negotiating with terrorists. Outlawing payments would not prevent the attacks, though, the prisoner's dilemma will remain. I am not an economist, but as long as the value of the assets being rescued is greater than the value of the money handed over, the trade will occur. At some point, yes, the ransom will be too great, but the parties will continue to seek the path of least resistance.
Yeah, we should just accept their mediocrity! After all, you can’t expect people to take all these difficult security measures like installing updates and using complex passwords.
A friend of mine is an MD at a major hospital in the midwest. As I've understood it this is standard practice for them. Their computers freeze up, and the message - my friend has sent me screenshots - will say something like "Hi <hospital name>, the computer is encrypted, please contact the IT department", IT department pays the ransom and the computers kick back on.
From a financial POV, as long as the ransom costs per year is lower than the cost to replace their Cerner systems, it makes sense to simply see it as the cost of operations I guess?
> as long as the ransom costs per year is lower than the cost to replace their Cerner systems, it makes sense to simply see it as the cost of operations I guess?
Sort of. Unless the cost and frequency of ransomware incidents are absurdly low, it makes sense to borrow to upgrade. Putting aside the moral hazard of being a compliant mark, there is the risk that the next attack won't be as cheap.
Their vendor ought to figure out the hospital's mean annual ransom payment, and come up with financing for an upgraded system that comes out to that amount. Now the cost is locked in, while the variance is sharply reduced. (No risk ever goes to zero.)
Redesigning your environment is hard and expensive so it's easy to see why hospitals and similar industries are so behind and vulnerable.
BUT, given that important data needs to be backed up anyway, most commodity backup software and commodity storage platforms are sufficient to restore encrypted data. Even the Windows shadow copy feature (which lots of storage platforms will expose snapshots/revisions as) is pretty sufficient to prevent significant data loss.
So unless the ransom cost is cheaper than an IT tech reimaging/rebuilding the machine + compliance costs, it doesn't really make sense.
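Restoring from a snapshot is the cheap path the comment above describes, but the snapshot has to be checked before it is trusted: ransomware routinely deletes shadow copies and encrypts any backup share it can reach before dropping the note. The script below is an added example, not code from the page or from any commenter. It walks a read-only snapshot tree against the live tree, judges a live file damaged when its content differs from the snapshot, labels the damage by ransom-style suffix or by byte entropy, refuses to restore at all if the snapshot itself looks encrypted, and copies clean versions back while listing whatever the attacker left behind. The suffixes, thresholds and paths are assumptions, and the two sample trees are constructed in a temp directory.

```python
import math
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical settings for this demo (not tied to any specific ransomware family).
ENTROPY_THRESHOLD = 7.0     # bits/byte; plain text sits around 4-5, ciphertext approaches 8
MIN_JUDGE_SIZE = 256        # entropy on tiny files is noise, so they are judged by content diff only
RANSOM_SUFFIXES = (".locked", ".encrypted")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """Heuristic: a ransom-style suffix, or high entropy on a file large enough to judge."""
    if path.name.lower().endswith(RANSOM_SUFFIXES):
        return True
    data = path.read_bytes()
    return len(data) >= MIN_JUDGE_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def verify_snapshot(snapshot: Path) -> None:
    """Refuse to restore from a snapshot that was itself reached by the ransomware."""
    bad = [p.relative_to(snapshot).as_posix() for p in snapshot.rglob("*")
           if p.is_file() and looks_encrypted(p)]
    if bad:
        raise RuntimeError(f"snapshot looks tampered, do not restore from it: {bad}")


def restore_from_snapshot(live: Path, snapshot: Path) -> dict:
    """Copy every damaged or missing file back from the snapshot; return what was done."""
    verify_snapshot(snapshot)
    report = {"restored": [], "untouched": [], "ransom_copies_removed": [], "unexpected": []}
    known = set()
    for snap_file in sorted(snapshot.rglob("*")):
        if not snap_file.is_file():
            continue
        rel = snap_file.relative_to(snapshot)
        known.add(rel.as_posix())
        live_file = live / rel
        # Renamed twins such as report.docx.locked left next to (or instead of) the original.
        twins = [t for t in (live_file.with_name(live_file.name + s) for s in RANSOM_SUFFIXES)
                 if t.exists()]
        intact = live_file.exists() and live_file.read_bytes() == snap_file.read_bytes()
        if intact and not twins:
            report["untouched"].append(rel.as_posix())
            continue
        if not live_file.exists():
            reason = "missing"
        elif intact:
            reason = "intact, encrypted twin found"
        elif looks_encrypted(live_file):
            reason = "encrypted in place"
        else:
            reason = "modified"
        live_file.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snap_file, live_file)
        report["restored"].append((rel.as_posix(), reason))
        for t in twins:
            t.unlink()
            report["ransom_copies_removed"].append(t.relative_to(live).as_posix())
    # Anything in the live tree the snapshot never had (ransom notes, droppers) is evidence, not data.
    for p in sorted(live.rglob("*")):
        if p.is_file() and p.relative_to(live).as_posix() not in known:
            report["unexpected"].append(p.relative_to(live).as_posix())
    return report


def build_demo() -> tuple:
    """Constructed sample data: a clean snapshot and a live tree hit by a simulated attack."""
    root = Path(tempfile.mkdtemp(prefix="restore-demo-"))
    snapshot, live = root / "snapshot", root / "live"
    docs = {
        "patients/notes.txt": b"Patient seen for routine follow-up, no change. " * 30,
        "billing/invoice.csv": b"id,amount,date\n1,100,2019-10-01\n" * 30,
        "readme.txt": b"Shared drive for ward 3, do not store credentials here. " * 10,
    }
    for rel, content in docs.items():
        for base in (snapshot, live):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(content)
    # Simulated ransomware on the live tree only: one file overwritten in place with random
    # bytes, one replaced by a .locked copy, and a ransom note dropped at the root.
    notes = live / "patients/notes.txt"
    notes.write_bytes(os.urandom(notes.stat().st_size))
    invoice = live / "billing/invoice.csv"
    invoice.with_name(invoice.name + ".locked").write_bytes(os.urandom(invoice.stat().st_size))
    invoice.unlink()
    (live / "HOW_TO_DECRYPT.txt").write_bytes(b"Your files are encrypted. Pay to get them back.")
    return live, snapshot


if __name__ == "__main__":
    live_dir, snap_dir = build_demo()
    for key, items in restore_from_snapshot(live_dir, snap_dir).items():
        print(f"{key}: {items}")
```

Entropy alone misfires on already-compressed formats (docx, zip, jpeg all sit near 8 bits/byte), which is why the decision to restore rests on the content differing from the snapshot and entropy is only used to label the damage and to sanity-check the snapshot. On a real file server `snapshot` would be a mounted previous-version view or an offline copy, and the report is worth keeping for the incident record.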
It's not really fair to bring Cerner into this. The security vulnerabilities that enable these malware attacks are unlikely to be in Cerner applications. Instead it's usually an OS or email problem.
Perhaps a dumb question... How does ransomware propagate from end-user PCs to the servers that host critical applications and data? Surely, they don't allow end-users to run email or access the web from "secure" servers?
That makes me wonder whether the usual malware came from phishing or vulnerabilities.
If it's phishing, typical staff clicking suspicious emails and opening URLs and attachments, there isn't a lot the hospital can do to stop it. A bit of blocking around external emails and shady attachments will help, but people will still fall for it quite often.
If it's remote vulnerabilities, probably some unpatched systems, it's risky because that could paralyze the whole hospital anytime, but as long as the vulnerability is patched by the ransomware it's still cheaper than doing the maintenance.
Sure, that user can encrypt all the documents that they have access to and care about, so that can be the target of a ransom. Also, in many smallish organizations users have access to e.g. a common network share, so in the absence of proper backups, a single compromised user (e.g. the owner/manager's administrative assistant with access to all kinds of documents) may be able to seriously disrupt the whole organization.
For starters, have reliable backups. If you can just go offline for a day or two, wipe your system, restore, and come back online, you have little reason to pay the ransom.
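The case raised two comments up (a non-admin user whose session encrypts everything it can reach on a common share) is also the easiest one to catch early, because file-server audit logs show a single account modifying and renaming files at a rate no human does. The monitor below is an added example, not code from the page or from any commenter. It streams audit lines and raises three independent alerts: a burst of modifying operations by one account, a run of renames onto a ransom-style suffix, and any write to a canary document nobody has a reason to touch. The audit line format, the share paths, the thresholds and the canary location are all assumptions, and the event stream is constructed inline to exercise the rules.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical audit line format (constructed for this demo; real SMB / file-server audit
# logs differ, so the regex is the part to adapt):
#   2019-10-01T09:16:00 user=jsmith op=RENAME path=\\fs01\shared\q3.xlsx -> \\fs01\shared\q3.xlsx.locked
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>[A-Z]+) path=(?P<path>.+?)(?: -> (?P<new>.+))?$"
)
WINDOW = timedelta(seconds=60)
RATE_THRESHOLD = 20            # modifying ops by one account inside the window
RENAME_THRESHOLD = 5           # renames onto a ransom-style suffix inside the window
RANSOM_SUFFIXES = (".locked", ".encrypted")
MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}
SHARE = r"\\fs01\shared"       # hypothetical share root
# A canary is a document nobody has a reason to touch; any modification is an alert on its own.
CANARY_PATHS = {rf"{SHARE}\_canary\do_not_open.docx"}


@dataclass
class Alert:
    ts: str
    user: str
    kind: str
    detail: str


class ShareMonitor:
    """Consumes audit lines one at a time and raises each alert kind once per account."""

    def __init__(self):
        self.mods = defaultdict(deque)      # user -> timestamps of modifying ops in window
        self.renames = defaultdict(deque)   # user -> timestamps of ransom-suffix renames
        self.raised = set()                 # (user, kind) pairs already alerted

    @staticmethod
    def _prune(window: deque, now: datetime) -> None:
        while window and now - window[0] > WINDOW:
            window.popleft()

    def _alert(self, ts: str, user: str, kind: str, detail: str):
        key = (user, kind)
        if key in self.raised:
            return None
        self.raised.add(key)
        return Alert(ts, user, kind, detail)

    def feed(self, line: str) -> list:
        m = LINE_RE.match(line.strip())
        if not m:
            return []                       # unparseable line: skip it rather than crash the pipeline
        ts = datetime.fromisoformat(m["ts"])
        user, op, path, new = m["user"], m["op"], m["path"], m["new"]
        if op not in MODIFYING_OPS:
            return []                       # reads are noisy (backup agents) and not what we key on
        out = []
        if path in CANARY_PATHS or new in CANARY_PATHS:
            out.append(self._alert(m["ts"], user, "canary", f"{op} on canary {path}"))
        window = self.mods[user]
        window.append(ts)
        self._prune(window, ts)
        if len(window) >= RATE_THRESHOLD:
            out.append(self._alert(m["ts"], user, "mod_rate",
                                   f"{len(window)} modifying ops in {WINDOW.seconds}s"))
        if op == "RENAME" and new and new.lower().endswith(RANSOM_SUFFIXES):
            renames = self.renames[user]
            renames.append(ts)
            self._prune(renames, ts)
            if len(renames) >= RENAME_THRESHOLD:
                out.append(self._alert(m["ts"], user, "ransom_rename",
                                       f"{len(renames)} renames onto {RANSOM_SUFFIXES} in window"))
        return [a for a in out if a is not None]


def run(lines) -> list:
    """Feed every line through one monitor and collect the alerts in order."""
    mon = ShareMonitor()
    return [a for line in lines for a in mon.feed(line)]


def constructed_events() -> list:
    """Constructed audit stream: a clinician, a backup agent and one compromised session."""
    t0 = datetime(2019, 10, 1, 9, 15, 0)

    def stamp(seconds: int) -> str:
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = []
    for i in range(3):                      # ordinary editing, far below any threshold
        lines.append(rf"{stamp(i * 10)} user=mlee op=WRITE path={SHARE}\ward3\notes{i}.txt")
    for i in range(50):                     # backup agent reading everything: not a modifying op
        lines.append(rf"{stamp(i)} user=svc_backup op=READ path={SHARE}\finance\doc{i}.xlsx")
    for i in range(25):                     # ransomware in jsmith's session renaming as it encrypts
        src = rf"{SHARE}\finance\doc{i}.xlsx"
        lines.append(f"{stamp(60 + i)} user=jsmith op=RENAME path={src} -> {src}.locked")
    lines.append(rf"{stamp(90)} user=jsmith op=WRITE path={SHARE}\_canary\do_not_open.docx")
    return lines


if __name__ == "__main__":
    for alert in run(constructed_events()):
        print(alert)
```

The three rules are deliberately independent, so the canary still fires for a slow attacker who stays under the rate thresholds, and the backup agent's read traffic never counts. In a real deployment the alert would trigger a playbook that disables the account and drops its share access, which stops the spread while the restore from backup begins.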
Ugh I hate when reports are published but lack basic information like malware family and indicators of compromise. The FBI FLASH reports are the worst offenders. I suspect in this case the hospital did not share maybe due to legal reasons?
The untold story in these things is the role of forced EMR regulations. I've worked in healthcare for some time, as does my spouse and my family.
These record systems used to all be developed in-house systems, fully self supporting, with little outside involvement. Then in the 2000s gov regulations started mandating adoption of EMRs.
Especially here this seems like a no-brainer but in actuality for many hospitals they were unnecessary and introduced with massive cost overruns as hospitals were forced to buy them from a limited pool of vendors that were approved by deadline rather than by intrinsic need.
How does this relate to the ransoms? Because if the EMRs were adopted organically, my guess is it would have happened more gradually, with more diversity of systems, more open source, more testing, and more emphasis on security, backup, and self-reliant reliability.
It's hard to overemphasize the change in records infrastructure in hospitals due to mandated EMRs, and a lot of it has been for the worse. EMRs would have been implemented eventually without the mandates, but at lower cost and greater security probably.
It's just another example of how overregulation in healthcare that sounds good but in practice ends up creating unnecessary costs and causing problems. It also once again doesn't get attention in healthcare price discussions, because it's structural, indirect, and removed from the immediate billing.
I blame these types of ransomware attacks in part on EMR mandates and those who encouraged them. Should the federal gov, which encouraged this mess, pay the costs, either of the ransoms, or the cost of not paying?
ikeboy | 6 years ago
dmix | 6 years ago
chelmzy | 6 years ago
Wowfunhappy | 6 years ago
mbesto | 6 years ago
tyingq | 6 years ago
lonelappde | 6 years ago
ngneer | 6 years ago
tinus_hn | 6 years ago
jakewins | 6 years ago
JumpCrisscross | 6 years ago
joe_the_user | 6 years ago
Just think when stealing patient and financial information becomes more profitable than what regular ransomware demands net.
Even more, perhaps targeted assassination based on screwing up data? Demanding silence and cooperation for whatever the cyber-criminals do?
KingMachiavelli | 6 years ago
nradov | 6 years ago
alistairSH | 6 years ago
user5994461 | 6 years ago
newhotelowner | 6 years ago
If the user is using Windows 10 Professional and doesn't have admin access, can they still be a victim of a ransomware attack?
nradov | 6 years ago
https://docs.microsoft.com/en-us/windows/security/threat-pro...
PeterisP | 6 years ago
bobbylarrybobby | 6 years ago
kodablah | 6 years ago
You don't (well, not with 100% certainty anyways), you mitigate the harm.
post_break | 6 years ago
selectodude | 6 years ago
vuln | 6 years ago
ga-vu | 6 years ago
gyuserbti | 6 years ago