December 16, 2019

As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.

The message displayed at the top of the Maze Ransomware public shaming site.

Less than 48 hours ago, the cybercriminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.

“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”

KrebsOnSecurity was able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.

The information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze.

As shocking as this new development may be to some, it’s not like the bad guys haven’t warned us this was coming.

“For years, ransomware developers and affiliates have been telling victims that they must pay the ransom or stolen data would be publicly released,” said Lawrence Abrams, founder of the computer security blog and victim assistance site “While it has been a well-known secret that ransomware actors snoop through victim’s data, and in many cases steal it before the data is encrypted, they never actually carried out their threats of releasing it.”

Abrams said that changed at the end of last month, when the crooks behind Maze Ransomware threatened Allied Universal that if they did not pay the ransom, they would release their files. When they did not receive a payment, they released 700MB worth of data on a hacking forum.

“Ransomware attacks are now data breaches,” Abrams said. “During ransomware attacks, some threat actors have told companies that they are familiar with internal company secrets after reading the company’s files. Even though this should be considered a data breach, many ransomware victims simply swept it under the rug in the hopes that nobody would ever find out. Now that ransomware operators are releasing victim’s data, this will need to change and companies will have to treat these attacks like data breaches.”

The move by Maze Ransomware comes just days after the cybercriminals responsible for managing the “Sodinokibi/rEvil” ransomware empire posted on a popular dark Web forum that they also plan to start using stolen files and data as public leverage to get victims to pay ransoms.

The leader of the Sodinokibi/rEvil ransomware gang promising to name and shame victims publicly in a recent cybercrime forum post. Image: BleepingComputer.

This is especially ghastly news for companies that may already face steep fines and other penalties for failing to report breaches and safeguard their customers’ data. For example, healthcare providers are required to report ransomware incidents to the U.S. Department of Health and Human Services, which often documents breaches involving lost or stolen healthcare data on its own site.

While these victims may be able to avoid reporting ransomware incidents if they can show forensic evidence demonstrating that patient data was never taken or accessed, sites like the one that Maze Ransomware has now erected could soon dramatically complicate these incidents.

127 thoughts on “Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up

  1. Ed

    Ransomware is bad enough, but this is now terrorism and should be classified and prosecuted under counter-terrorism legislation. Irrespective of their citizenship or country of origin. Hit them and hit them hard.

    1. techvet

      I was thinking of a nice, comfy place for the perps located near the Rocky Mountains in beautiful Florence, Colorado.

      1. Rob Shein

        Err…what definition of “terrorism” are you using?

        The U.S. Code of Federal Regulations (since you reference counter-terrorism legislation) defines terrorism as “the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.” This is not that. Nearly all other definitions (either from different organizations in the US or even in other countries, including Israel) also cite political and social objectives, and with good reason. The point of that distinction is to avoid use of military force when dealing with criminal organizations. Yes, it is very nice to think of how the Cosa Nostra would have turned tail and fled if the US had been able to deploy the USMC to get rid of them…but that level of overreach brings its own problems, and the cure can be worse than the disease. And laws that are focused around dealing with terrorism take that fact into account. The exceptions to that are totalitarian states, who love calling all kinds of things “terrorism” to justify using however much force they want to quash them.

        Also keep in mind that the current fashionable response to terrorism would have another definition if it were used in this case…it would be considered an “act of war.”

        1. Joe

          Rob is 100% correct.
          Hyperbole isn’t good. Use the right words, use a measured response…. no need for rhetoric.

        2. Azrael

          Agreed terrorism is the wrong response. Hacking should actually carry the death penalty automatically and recruiting by law enforcement such as FBI should be made illegal.

          1. Ha

            There’s a lot of shady folks with a lot to hide. As the good guy say – Darkness to Light.

        3. ASB

          I agree that terrorism isn’t the right word, but it certainly deserves its own word.

          It is effectively a doubling down on extortion…

          Mind you, I think that any number of organizations that have been attacked successfully with ransomware have insisted that they weren’t “breached”. This significantly undermines their argument.


          1. Joe

            Yes, extortion is the right word.
            Doubling down doesn’t make it something new.
            Two counts of extortion maybe.

            But this nonsense hyperbole of calling it terrorism is pathetic. We would do the real threat of terrorism an injustice by watering down the word to include attacks like this.

      2. TooFunny!

        Alcatraz of the Rockies!! Oh yeah, they would fit in nicely there 🙂

    2. Maria Hill

      Terrorism is consequences of reckless people working in a bad companies as it was with 11-th September. Digitalization just brought this to completely new level. Nothing new. We must nuke Russia, North Korea and Iran. Maze is russians who are testing 0days to commit disruption of 2020 elections. Brian continue your important work! But dont forget what was in city of Salisbury.

      1. Ch

        Nuke Russia, Korea and iran… For god sake. Who you believe your are? Do you know how many people live there? You and your terrorism.

        1. P Pedersen

          Well, according to GDPR, if the criminals has access to the data, it could be conidered lost, and it should be reported as a data breach.
          The data authorities would then judge if the IT Security paperwork is in order, and if it is, and the it security controls are not completely bad, then no fine will be given. So it is not a major GDPR risk. The new thing is, that we likely need to report any cryptolocker as a potential breach.
          As for how this can be stopped, then it is likely impossible. We cannot bomb the USA, and other countries behind most Internet Crime. And I have a feeling, that in most non-democratic / pseudo-democratic countries, it is acceptable as long as you do not hit your own citizens.
          Actually, I think that in some states it is considered very good. It gives a cashflow of foreign currency into the country. Why should the government do anything to stop that ? Rumors are that it is a major source of income in North Korea.
          If we can not stop drug smugglers – which should be way easier to do, why do people expect us to be able to stop Internet Criminals ?

          1. David McKay

            Actually, under GDPR, as soon as the data is encrypted it counts as a data breach and should be reported to the appropriate Supervisory Authority. In the UK that’s the ICO.

      2. Holy Cow

        From declaring ransomware terrorism to straight-up demanding Russia, North Korea and Iran to be “nuked”, wow..

    3. Maria Hill

      Terrorism is consequences of reckless people working in a bad companies as it was with 11-th September. Digitalization just brought this to completely new level. Nothing new. We must nuke Russia, North Korea and Iran. Maze is russians who are testing 0days to commit disruption of 2020 elections. Brian continue your important work! But dont forget what was in city of Salisbury.

      1. Liz

        Your comment here and below are over the top, Maria Hill, and don’t add anything constructive to the discussion. If I were the suspicious type, I might think you’re a “plant” trying to sow seeds of dissension, the kind that riddled Facebook to stir the pot. We’re all frustrated by cybercriminals and bad actors, and as guilty as Maze and their cohorts are, there’s blame to go around ……. like the lax cybersecurity of the companies and government agencies who fell victim to these cybercriminals. And what about us, the consumers? We’ve traded security and privacy for convenience.
        I have family who are actual vvictims of nuclear war ……. Hiroshima and Nagasaki. So don’t go throwing around comments like “nuke” them!!!!!!!!! Get a grip.

    4. Jack

      I fear about elections next year… It may be GRU testing their new weapons.

    5. Chris H.

      Excellent point Ed! While it is obviously incredibly difficult to prosecute, let alone extradite, convict, and penalize a foriegn actor, elevating the seriousness of the crime is a necessary next step in this event chain.

      1. BrianKrebs Post author

        What needs to become the norm for the US Govt response to these gangsters is for them to get in the habit of doing what they did in the Evil Corp case: Once the offenders are positively identified, get the Treasury to issue financial sanctions on them that prevent the crooks from transacting with people and businesses outside their home country.

        This is perhaps the most effective tool in law enforcement’s hands to combat cybercrime — short of apprehending the bad guys. None of these dudes want to be stuck in Russia, and they sure as hell don’t want all their money kept their either. Rather, they tend to launder it by investing in properties and other businesses outside their own country. Making it a crime for others to accept their money is an extremely effective way of frustrating these criminals.

        1. jdgalt

          That’s a good idea but it’s not enough! I’d like to see all connections to the bad guys’ IP addresses and domain names blocked, or better yet spoofed by law enforcement. And if some DNS or certificate authorities won’t cooperate then declare them hostile and revoke THEIR access.

        2. Robert Michaels

          . . . and even better is soliciting an ever expanding network partners in the struggle, offering serious rewards $$$ to all those in foreign countries whom the perps are investing in to LURE the perps to physically show up for signing papers on real estate, whatever lame excuse it takes – – – and the FBI is waiting for them in Cyprus or wherever.

        3. Mot

          While you have a good point (disrupting the receiving end’s finances) it doesn’t address the source of the funds (similar to the “War on Drugs”). From that perspective it just become s a risk/reward game for the perpetrators.

          I question the legality of organizations being -allowed- to pay the ransom. It’s gotten to the point where its common practice for orgs to say “we have a bitcoin account funded if something were to happen that we couldnt recover from”. This is just feeding the monster.

          The solution you propose is kinda like making the food taste bad. Making it Illegal for US Orgs to pay would go along way to starve the monster. Unfortunately, now we have to deal with a big hungry monster that thinks its owed something.

          IM very HO

    6. PattiM

      If anything, these things have gotten exponentially worse over the years I’ve been following Krebs’ – for some time I’ve felt this may be the dark horse that brings down the international monetary system, and with it, complex civilization. It’s already killing medical patients, and so qualifies as terrorism. But it’s not actually terrorism, it’s business-practice for these folks, not unlike corporations which have extorted people for decades (such as suing nearby farmers when gen-mod seeds wind up on their adjacent land), but, of course, far worse.


        I don’t know if it should be classed as terrorism. However, I have often wondered if and when it does result in a patient’s death what should it be called.

        I suppose it doesn’t really matter what we call it if there are very limited responses even possible though.

        1. Steve

          Any loss of life while in the commission of a felony crime is classified as murder in the 1st degree.

        2. Joe

          It will be called murder.

          If the specific threats in the ransomware attempt to invoke fear of patients dying… then it will start to overlap with terrorism.

          Just like hacking industrial systems in order to blow up power plants, the intent does matter. If the intent is to cause only equipment damage (sabotage), and NOT to cause a huge explosion to harm humans… then that is an important distinction.
          Otherwise, would the Stuxnet attack on Natanz be considered a terrorist act?

    7. Matt

      Like they will ever find out who did it. It’s a waste of time.

    8. Wait wut

      Comments like this affirm my belief that humanity is not ready for direct democracy. Hell it goes further to show that many people are not qualified to vote in a representative democracy either and especially so if they don’t know the meaning of the words they use on a regular basis or words that could dramatically impact their life or the lifes of others. Please take take the time to form opinions based in fact instead of dangerous word salads

    9. Ed

      Here’s another, just released story, about an act of cyber terrorism …

      “LifeLabs says it paid ransom to secure millions of customers’ stolen medical data”

      I have no qualms about referring to Ransomware as terrorism – “the unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.”

      I guess this definition omits “… in the unlawful pursuit of financial gain.”

      The effect is still the same: “intimidation of civilians”.

      The Life Lab hack and extortion shortens the lives and disrupts the health and well being of millions, and may even directly kill people whose medical information is not provided to them and their physicians.

  2. NA NA

    Little sunshine for the madness, at least these corporations will be more proactive about reporting Ransomeware breaches *one can hope* if they know the breach will be made public anyway.

    1. Goofus47

      i agree, seems a little like reversed psychology on the part of the bad guys: instead of sweeping this under the rug and have us little guys pay the consequences corporations may actually do the right thing and treat this is a breach and report it.

    1. BrianKrebs Post author

      No, and I hope the reason is obvious. Anyone posting the link here will see their comments held for moderation, permanently.

      1. The Doctor

        Unfortunately, this makes it difficult to keep tabs on the list. A few of us have a vested interest because our clients don’t tell us everything (“No, no, no, we just need you to do a routine refresh of our servers.”) until it’s far too late.

      2. Readership1

        Will you at least tell us all 8 companies that have not revealed their data breaches?

  3. Jack

    It’s plenty much of strains from 3rd-world countries like North Korea, Russia, Iran, China. Why don’t we have our own ransomware to target these scumbags? We must call to @demonslay335 and @malwarehunterteam to make our own powerful virus and destroy their homes, families, businesses as they do this with us.

    1. 44

      Time for a cyber an armed force with funding like army navy. This is an invasion. Going to get worse. We need to attack before more innocent businesses are destroyed.

      1. Jack

        Can you give me your contacts? I have a programmer. Let’s create virus to attack them.

    2. TAMPER

      The scariest part about all of this, you and Maria hill are likely a component of whatever Western Intel house actually carried it out. actor spoofing is the most resilient and cheapest form of warfare the west employs. It serves the double purpose of canning companies the west doesn’t like and subsequently blaming this action on a traditional foe, or, Russia China Iran and North Korea. Personally I would say the two of you are involved with vested interest in fomenting the belief that this is the fault of nation state actors. This is VERY dangerous. For my part, I will contact the Russian and Chinese antiterrorism offices as well as interpol. I will submit to them your comments and your namea

      1. JFT

        Threatening people on a forum? That’s cute. The problem here isn’t the hyperbole from commenters, it’s the apathy from companies who are breached. We don’t do enough to train people who work with networked computers how to handle them. That alone is a significant hole in our defenses. But couple that with a lack of spending by companies on basic security, and you have a situation that is ripe for exploitation.

        The problem is countries like Russia, North Korea, Iran, etc. are funding these criminals to do their dirty work, and if we don’t make sure companies that have US citizens’ data aren’t protected, we’re just letting these countries win (or at the very least, letting them destabilize us as much as they are.)

        In the broader picture, China is the most adept at this form of warfare. Don’t be fooled, this is the next Cold War. The only difference is information security, rather than nukes is going to be the solution. And we can end it just like the US ended the Cold War: starving the enemy by making it overwhelmingly costly and difficult to attempt data breaches.

        Until that time, we will have to rely on Mr. Krebs for insight and keep our own information secure.

        1. SeymourB

          Given that he unwittingly admitted to having contacts in both Russian and Chinese intelligence agencies, there chance of that true is so close to 100% as to be almost interchangeable.

          The things non-native disclose while trying to act tough is impressive. Though they’re probably just as impressive as what non-native Russian speakers unintentionally say on Russian forums.

  4. leonell

    Yakubetz aka “AQUA” works on Russian Intelligence FSB according to FBI reports. It’s just a crime state. Why don’t we treat it like declaration of war? Where is NATO, where is UN?

    1. Rob Shein

      Why don’t we treat the actions of a handful of criminals like a declaration of war by a nuclear-armed nation-state?

      Did you really just ask that? Can you really not see the obvious answer? What could possibly go wrong if any putz with a computer is allowed to force another country to declare war…gee, let me think a second…

      1. TAMPER

        There are driven commenters here attempting to sway the suspicions of the readers towards Russia/China. I suspect they’re a component or organ of whatever state or group actually carried this out. I will be bringing this to the attention of my state senator come office hours tommorow.

      2. TAMPER

        These commenters are likely a component of whatever organ actually conducted this attack. They’re clearly trying to direct the suspicions towards a state actor. I’m fairly certain these folks, Maria hill, Jack, Lionel are possibly working together as their comments are suspiciously similar. I’ll be contacting my state senator about this as soon as office hours open.

        1. JFT

          Please spare me the hyperbole. You’re the only one on here who seems to be stressed about hyperbolic comments regarding the state-sponsored cyber warfare (Just yestarday, the article regarding Evil Corp’s actions pointed to the Russian government “contracting out” cyber criminals to do its work involving espionage and information theft.)

          So the only one here who is acting suspiciously is you. Tread lightly with your accusations of “state actors”, Tamper. Your fake exasperation doesn’t mask the origin of a person(s) who is employed by the very Russian government word salad agencies Krebs warned us about.

  5. Ed

    I’m just curious, do they pay you for all of these articles? It looks like well funded PR company to convince victims to payment, doesn’t it?

    1. Jamison

      That’s the most ignorant thing I’ve read all week. Do a little homework before you smear Brian Krebs.

  6. Maria Hill

    We must find out personalities behind Maze and REvil gangs! We must put them under death penalty! There is no mercy for such a jerks! You wrote about possible connection between REvil and GandCrab. Why can’t we find Mr. Prokopenko?

  7. John Jorsett

    Maybe it’s time for Congress to start issuing letters of marque and reprisal or set bounties against foreign hackers. Incentivize the private sector to pursue them.

  8. Richard

    Possible to give an estimated number of firms that Maze lists currently? What is the rate of growth in the list population per week as an indicator of ransomware infection? Thx.

    1. BrianKrebs Post author

      The number of victims currently listed is in the second paragraph of the story (8). And the site just went up a couple of days ago.

      1. Richard

        Thank you for catching my reading oversight.

        Surprising, and fortuitous, that only 8 sites are reported given the apparent viral nature of ransomware infection.

        From popular news reports, private sector and government countermeasures combating persistent threats apparently rival Manhattan Project scope and cost.

        As noted in earlier comments, one wonders if a tipping point is rapidly approaching when internet-based commerce and civil/government operations seize up?

  9. Charles Kamoun

    DEATH PENALTY ! That what these murdered deserve. There are literally not oy killing business but also people and clients working with them.

    1. Cossaque

      Charles Kamoun is an Israeli programmer. His comments are perfectly in line with the comments I mentioned before posted by Jack CH Maria hill and others. I believe Israel is trying to direct suspicions towards Russia and China and Iran, purposely to direct suspicions away from themselves. I’ll be notifying the Iranian Consulate in Luxembourg about this as soon as possible, as well as Russia China and Interpol.

  10. Greg

    Are we seeing the beginning of the collapse of the internet? Maybe we should never have chosen this path. Is it THAT important to interconnect all nodes in the world together? At what cost? Looks like private dedicated networks are going to be the solution and perhaps will prove to be cheaper in the long run.

    1. JFT

      I wouldn’t say that. What we’re seeing is in the rush to “get online”, we’ve skipped over basic security practices and now we have to retroactively apply them. The Internet is just a tool. Of course a great deal of companies’ information should never be on a public-facing server, which is part of the initial problem.

      Education is the key. Encryption shouldn’t be an inconvenience. And anything you don’t want anyone else to see shouldn’t be “in the cloud” (which is a fancy term for “someone else’s hard drive”) 🙂

      1. Greg

        The human factor is the problem. You can spend a lot of capital ‘training’ people but I am no longer amazed at the stupidity of the corporate average Joe(sephine). Time and again ‘trained’ personnel go ahead and open anything sent to them. The human factor is the one thing you cannot encrypt.

        1. JFT

          Agreed. The weak factor is always human. 🙂 Software development for certain high-security applications generally do one thing properly… limit the human factor.

          Perhaps we should have that bar lowered a bit. 🙂

  11. Moike

    The extortion being practiced here is a dead end – sure the information will be released, but companies would have no reason to pay the extortion demand to prevent its publication. Because that is a certain path to a never-ending stream of future extortion demands for the same information.

    1. KFritz

      Would you like it if your personal info, left in the care of an asleep-at-the wheel business entity, was uploaded to be seen by one and all?

      1. Moike

        Having private information published is a disaster and can ruin a company or someone’s personal life. But there’s no world in which it makes sense to pay a criminal to keep it hidden and expect it to remain hidden forever. (Assuming that the original leaker could figure out how to protect it in the future)

  12. Mahhn

    And it will only get worse. I said it for years, until they start punishing people in relation to the effects of their crime and stop calling it a computer crime (computers are cheep, a life time of savings isn’t) it will motivate more crime using data as a weapon.
    (violent suggestions for punishment withheld)

  13. RansDUMBware

    The saddest part in all of this is the fact that these morons think this is a legitimate business. I’m sorry, but encrypting patient data and causing hospitals to not be able to serve their patients is not a business. It’s so sad that this is how these low-lifes make their money. It blows my mind how they can be okay with what they’re doing.

    I remember reading a couple months back that the US Govt was in talks of making some sort of counter-hacking bill where it would be legal to “hack back”, so to speak. I always wondered what happened to that and if it made any traction. It sounds very interesting, but in the case of ransomware, I’m wondering what “hacking back” even looks like.

  14. Papa C

    Given the popularity of false flag tactics, and given our inability to reliably enforce the death penalties we have, the death penalty is a stupid waste of resources for ANY crime, much less cybercrime.

    World War III has already started. Arguably, Stuxnet was the opening shot. Between the Equation Group and their progeny, and the Cyber Brigades in our armed serrvices, trust me, the US is participating. We are still (as with all other World Wars) understaffed and ill prepared. This is why I teach CyberSecurity and I encourage everone to help be part of the solution by helping to get kids interested in this field, particularly young women!

    If you’re frustrated about breaches, start teaching everyone how to put in better practices. Quit screaming and start being part of the solution.

    1. security vet

      stuxnet was hardly the first shot, it was just the first to get publicized. 100x got shot before then, by all sides.

  15. Jeffrey Strubberg

    There’s only one solution to this in the end. It’s simple to say, and damned hard to do.

    Hunt them down.

    You cannot appease an attacker by paying them off. The English and French learned that lesson in the tenth century dealing with the Vikings. It been repeated over and over, right up to US foreign policy with North Korea.

    “Once you pay the Danegeld, you will never be rid of the Dane.”

  16. Dhirendra talpada

    My All Data curpted Ransomwear virus
    My all file Extension name “Redman”
    Plzz help me

  17. Stéphane Moureau

    The only solution is to stop paying ransomware.
    Just like never pay a ransom for kidnapped people.
    Instead of investing millions trying to find them, support victims and reverse-engineering

  18. security vet

    let’s be real – organizations need to be a lot better about defending themselves, there’s no excuse for falling victim to ransomware today…the military, law enforcement, congress, can’t come to the rescue…

    1. Joe

      Let’s be honest…

      Victim blaming isn’t in fashion. It’s a cat and mouse game, and an arms race between defenders and attackers.
      There is no such thing as a 100% unhackable system. Companies still have to do business and still employ human beings.
      Phishing will never be 0% effective in any organization.

      And anyone who tells you this is possible, is selling you false security.

      1. Ben Dover

        100% agreed. If someone breaks in your house, you don’t blame the victim because they didn’t have 2 deadbolts on their door instead of 1. That argument could go on forever because there’s always should-haves that the victim could have done.

      2. kingdave

        agreed, nothing is 100% hackerproof as long as humans are involved. Don’t blame victims but find and prosecute the attackers.
        Problem is resources to stem this rampant hacking is lacking.

        1. security vet

          who do think will save them all? where do think the resources will come from? a white knight on a horse? help won’t come from anyone. not government, not industry, not consultants. it will come when people stop doing stupid things.

          1. Joe

            What is with your obsession with being “saved” by someone.
            Change your mentality that it is anyone’s single responsibility to prevent crime.

            Half the job of the NSA is to help industry with cybersecurity with standards and techniques.
            NIST creates standards for industry to follow too.

            For the private energy sector, they get a lot of assistance from the government in the form of consultation and other services.

            Everyone must work together to create a reasonably secure environment. And even then, it will still not be “unhackable”. If you are a high value target of some APT group… it is only a matter of time.

            It isn’t always “stupid things”… because good cybersecurity is actually hard. The more a company is connected… the bigger the attack surface. That is the cost of doing business in the Internet age.

  19. Pete 2

    How can the small/medium business protect itself?

    I’ve already noted how a industry standard backup can be safe from recent sophisticated attacks, for the cost of some high quality external drives currently $100 at a office supply store.

    To go a long way toward preventing data exfiltration, the next step is high-end (user friendly) capability to already have the data encrypted (intentional & internal). That unfortunately is presently an exorbitant cost for the small business.

    So the next step in practical solutions, achievable now, is bringing quality real-time data encryption (for the PC/server) to the masses.

    Nothing is perfect, but all we need is adequate.

    1. H Davis

      Yes, make it illegal to pay ransom. This would accomplish 2 things; it would cut off funds to the bad guys and it would force the victims to get their act together and do what’s needed to avoid being infiltrated.

      1. Brian Fiori (AKA The Dean)

        It might also completely stop businesses from reporting breaches. Too FEW companies currently report their ransomware. Making it illegal would likely stop many more from admitting they were targeted. So you’d never know if they paid the ramsom.

        Before suggesting what you think are clever solutions, try to think through the possible negative impact of the solution itself.

        And starting with punishing the victim is rarely a good place to start.

  20. Todd Thiemann

    Will be interesting to see if there are healthcare companies with electronic patient health information (ePHI) affected by this ransomware. Ransomware might not trigger HIPAA reporting if ePHI was not exfiltrated, but this ransomware exfiltrates and encrypts the data. If a covered entity loses ePHI, they have to report it. It might not otherwise be known publicly (aside from the bad guys posting a company name).

    1. security vet

      yes and no. ePHI should encrypted already (HIPAA, HITECH, etc.) so you don’t really lose it if an encrypted file is exfiltrated. So what if they got a file they can’t use? If ePHI at the provider (the covered entity) is not encrypted than you have a different issue.

  21. Charles Weis

    New plan when you get a ransomware attack: don’t pay, then wait for your data to be published so you can get it back unencrypted.

  22. vb

    It’s going to get worse until US businesses find someone who will “provide for the common defense”. Because businesses are outgunned.

    These ransomware soldiers of fortune have almost no deterrence and nearly infinite opportunities. For example, attempted ransomware is not considered a crime. So why not try a 100 billion times? Successful ransomwares have no, or little, punishment when done from a unfriendly country.

    It’s not rational to think ransomwares are going to cease – until something changes the risk/reward ratio.

  23. rich

    There is a cyber force for offensive actions, it is called Cyber Command and is separate but works with NSA.

  24. Mike

    Im glad for this. I deal with businesses who have been ransom-wared. Here’s why im glad: every healthcare provider we’ve dealt with got infected because they’ve forsaken their responsibility to protect their patient data, im talking, we see unsupported windows versions, years behind on updates EVERY SINGLE DAY, because the provider was paying a kid $15 an hour to a run their IT. While never paying an outside auditor to test the industry compliance. So they get ransomed as a result. Then, 9/10 providers elect not to report it to the state or relevent body. These providers should be named and shamed because failing to report a breach is just another non compliant act in a history of not caring about their patient data security. Which is what caused the infection to begin with. If i run an ssl check on your owa and it comes back an F or a D, then there’s no admin at the wheel of that target, you can be positive that a little pounding will knock the door down. I know servers and good engineers are expensive, but thats the cost of doing business and it’s what patents trust providers are doing. They’re throwing their own patients to the dogs to cover their irresponsible, cheap business decisions. I’ve never seen an infected dr’s office who’s lifecycles and updates were well maintained, not a single one.

    1. Jeff Strubberg

      I’m not saying you’re wrong, Mike, but you’re still blaming the victim.

      Provocative clothing isn’t an excuse for rape, and stupid cyber practices are not an excuse for a cyber crime. These people are criminals.

      everyone talks about how expensive it is to keep them out. How about sinking some funds into deterrence? I love my career, but let’s face it, this is, as another poster put it, a cat and mouse game, an arms race.

      1. security vet

        ok, let’s take your position for arguments sake. There have been criminals for what – at least a few thousand years, maybe longer. How does connection to the Internet change that? If you connect you assume the risk. No one will save or protect you. So victim’s have at least some role – at a minimum they need to train their users NOT TO CLICK ON THINGS! How hard is that?

        1. Jeff Strubberg

          That’s not my position at all.

          Do you have protection against assault and burglary? Yes, you do. It’s called law enforcement. It’s a deterrent, and it keeps crime down to something we can mostly live with.

          There’s no deterrent in the cyber world at the moment. That needs to change.

          And victim blaming won’t change it.

          1. security vet

            there’s plenty of deterrent – otherwise the break in rate would be much much higher…

          2. Mike

            I think we’re confusing who the victims are. The patients are the victims. The hospital who was handling patient data while not being patched against EBlue is not a victim. Let me reframe it, if you go on a cruise and the ship sinks because its very old and never maintained, the cruise company is not a victim of the ocean. The passengers who suffer are victims of the company who sold them a trip on an old leaking boat. You seem to be missing the point here, these are not well maintained networks that are getting ransomed. I repeatedly see the same things over and over, servers out of warranty, software not being oem supported – usually due to age, patches not being managed. These are all requirements for handling patient data, providers tend to ignore these because they’re esoteric and expensive concepts to a business owner. Its the same as continuing to run an unsafe cruise because docking it for repairs would bankrupt the company, same issue but with outdated CT scanners that have attached XP control machines.

            1. security vet

              So if an organization fails to patch and gets ransom’d who is the victim? The organization or the person whose records get locked? What about the criminal? Who/how do you hold them accountable? Do you still shop at Target, TJ Max, Home Depot, etc? Do you still call 911 and go to the hospital?

              1. Mike

                The patients whos info was stolen are the victims, thats it. If the hospital doesn’t patch, they’re negligent. If the hospital fails to report the intrusion and chooses to cover up the breach, they’re now guilty of destroying evidence in a federal felony extortion case. Who holds the hacker responsible? Nobody does! Attribution will never work and good luck prosecuting a case over seas. Trying to fix the issue by holding the hackers responsible is like trying to stop your boat from sinking by emptying the ocean. Its cheaper just to build a strong boat.

  25. VeryConcerned

    Anything we can do to harden systems, including training, is helpful, but some approaches are aimed at individual PC hit and run incidents. In other articles we have seen the first indicators of compromise three or four months before the outbreak. Data exfiltration is often done over a period rather than a single multi-gig hit. Therefore the malware is sitting there communicating with the C&C for weeks or months. Restoring to to yesterday’s or even last week’s back-up creates a false sense of security. Restoring just the data, and rebuilding servers, domain controllers, etc. from gold images is a big step forward, but requires more nuanced services. Can we please stop comments that say ‘just do backups’.
    I do not know how to reach people that don’t understand the basic importance of patching regularly. They’re out there in great numbers. I still meet people that believe OSX is safe – and point them to example dedicated mac malware examples (to read, not infect – I realise that could be ambiguous).
    Finally, please can we stop blaming people for opening phishing. Our systems should detect it, and I see examples so convincing I’m tempted myself. The ANU example documented that the email was never opened as such, it was triaged, but the mere act of assessing it was enough to trigger it.
    Encrypt your data? well as soon as I’ve logged on and authenticated, my data is visible.
    That means we need embedded routines that detect repeated encryption of files and directories (folders) and request authorisation of the user, and good tools to detect or prevent data exfiltration. They don’t yet come standard with every OS. Perhaps they should.

  26. SeymourB

    If I were a less moral individual, I would be sorely tempted to hire a few “stress booter” firms to give their website the traffic they so clearly are asking for.

    Another option would be for hundreds of thousands of people to attempt to download the purloined gigabytes of data. You know. For kids.

    With enough data flowing to their server there may be bandwidth surcharges that kick in and price their criminal enterprise right out of business.

    1. Ben Dover

      This reminded me of something interesting, yet hilarious. There are lots of videos on YouTube of “scamming the scammers”, but there are two in particular that I thought were brilliant. The one guy got a fake Microsoft Support scam number, created a python script, and had it randomize phone numbers and call that number every few seconds. He basically DoS’d their call center by flooding it with illegitimate calls. Awesome.

      The other one was very similar, and some guy found a phishing page, created a script to randomize fake (and offensive) usernames / passwords. He basically sent thousands of fake usernames / passwords to this phishing page which I can only imagine was an extreme headache for the idiot that was trying to phish people. Small, yet fantastic wins!

      In my honest opinion, that should be considered legal. If one person is causing a DoS or similar to an obviously malicious site/service, I don’t see the harm in saving potentially hundreds of would-be victims.

      1. Joe

        While I agree with the hilarious nature of these “hack back” videos.

        I don’t think it should be legal.
        I do agree that in these case, where hacking back works and doesn’t have any collateral damage, it should not result in charges. After all, the criminal isn’t going to press charges.

        But let’s think about vigilantism for a moment. There is a reason why we don’t let civilians perform retribution. First, it sets a bad precedent that two wrongs make a right.
        More importantly… it puts a lot of trust and responsibility on civilians to know what they are doing.

        Hacking back against an attacker is often very difficult to do without resulting in collateral damage. It’s a legal minefield when you consider that attackers use 3rd parties to proxy and host their attacks. So a fake login page used for phishing might be hosted by an innocent service… that will take offense to some vigilante DOSing the web server.

        1. Jeff Strubberg

          Not sure where I stand on hacking back, honestly. It would be awfully easy to do wrong and cause damage, but at the same time, most places in the US accept your right to defend yourself and your property. Is this so different?

Comments are closed.