Comments

[deleted] t1_iwgeve3 wrote

All countries need to do this.

Ban cryptocurrency while they are at it as well.

8

_bobby_tables_ t1_iwgfnqi wrote

Why not just make it illegal to not have your data backed up?

40

Remarkable-Way4986 t1_iwghbvf wrote

Don't pay criminals for crimes or they will do it more often

48

g2g079 t1_iwgmbgf wrote

My old job had viruses everywhere when I started. Machines hadn't been wiped for decades and even their antivirus licensing server was down because of malware

I spent months reimaging every machine in that place. I kept everything updated and the PCs running like new. Meanwhile, my senior coworker and our vendor pissed around for a replacement backup solution for over a year after the old one failed during a restore.

Eventually, I quit for a better opportunity. A few years later EVERYTHING got ransomware there. I only found out because months after the attack they had asked a local community college for help imaging machines because it was going slower than expected due to their senior guy going to Vegas.

Like wtf. This was a mental healthcare place. You should have called professionals. Instead you asked if there are any students that can help because you sent your senior guy to fucking Vegas.

So glad I left that place. Still wonder if they had a working backup.

20

[deleted] t1_iwgmj9t wrote

The problem is that ransomware groups steal data before encrypting it, known as double extortion, threatening to sell or leak it if the victim doesn't pay, so backups aren't as complete a solution as you might think.

Some even conduct triple extortion attacks, with DDoS attacks on top of the threat of the data leak.

11

[deleted] t1_iwgn3rp wrote

True, I see too many companies who experience cyberattacks, including the largest, multi-billion enterprises, and when I see that, I get so pissed off, realizing that home users have better security practices than the world's largest businesses.

Like, it's not difficult to secure your business against every attack vector, yet no business bothers securing all their attack vectors, despite clearly having the resources to do so. It leaves me speechless.

3

Fun_Ad_9878 t1_iwgnj30 wrote

I kind of think that this is irrelevant. I have been part of two ransomware attacks and in both cases the only way to pay was bitcoin. I strongly discourage any form of paying ransomware attackers but those that do pay will not be stopped by any law.

41

Testicular_Wonder t1_iwgt35o wrote

Boy Australia that is sure going to stop the problem…

/s

2

Fieos t1_iwgvjax wrote

It isn't that simple. Oftentimes, recovering significant amounts of data takes time. A business has to weigh the loss of revenue during the recovery window against the cost of paying the ransom.

−2

[deleted] t1_iwgwm3k wrote

Cryptocurrency has not done anything positive for the world. It uses as much electricity as Greece, and it has caused billions in damage from fraud/scams, malware and, like the topic is about, ransomware. Last year US banks paid 1.2 billion dollars in ransom payments.

People have literally killed themselves after losing money in crypto. It's a scam, a Ponzi scheme.

8

Buckie188 t1_iwgzri8 wrote

Also, all the problems you are putting forward are also found in the regular currency market, if not more so. I was very much against crypto until I started to educate myself about it.

−8

Cyberinsurance t1_iwh4xgb wrote

This is one of those “nice in theory and bad in action”. No one wants to pay for extortions but sometimes you need to do it to get a decryptor.

0

_bobby_tables_ t1_iwh5ok3 wrote

It really is. A company should develop an action plan ahead of time. A recovery path should be designed to restore the most critical systems first. The plan should be updated and tested.

My company can recover from a worst case scenario starting with bare metal in less than three days for production systems, and another two days for non-critical systems (finance, HR, legacy and a few minor administrative systems).

This is really a solved problem with a little prep work. These days I see ransomware payments as a tax on stupidity and/or incompetence. I have no sympathy.

6

Fieos t1_iwh8wj7 wrote

It really isn't, especially when you are talking in the amounts of petabytes of backup data. Plus, so much of it depends on how you were compromised...

You should have an action plan, you should have backups, but saying it is 'simple' is pretty specific to the company. But you are an Internet badass, I get it.

1

fellipec t1_iwhesqu wrote

Why not ban ransomware in the first place? /s

−1

blargmehargg t1_iwhgvfy wrote

Eh, the finances of public companies can make payments like this harder to hide.

I’m also against ever paying these ransoms, and if they’re going to make a law preventing it I think it should only apply to companies of a certain size (and there are various ways to draw that line.) This would allow small businesses who could be entirely crippled to the point they cease to operate to make their own decisions there (though I still think its an awful idea to comply.)

11

Plumsandsticks t1_iwhu0yc wrote

I wonder how this will play out. The main reason companies pay the ransoms is their insurance. Bigger companies are insured against interruptions to their business, so when an attack happens, the insurer is on the hook. From the insurer's standpoint, it's often cheaper to pay the ransom than to pay the company for the interruption, and so most ransom payments happen because the insurer demands it (to put it simply). Attackers know this very well.

When the companies won't be able to pay, it will likely drive the cost of business continuity insurance for everyone, at least until the attackers realize it's no longer so easy. I wonder what other unintended side-effects we'll see.

3

Cantora t1_iwhxxft wrote

Because we can choose not to only think of ourselves when we make these kinds of decisions. Why be so selfish?

As for that analogy, you should have insurance, and if the police arrest the criminal then you shouldn't need to pay the excess. We're talking about Australia here.

But in the end, you're making a good point that the average person doesn't really give a shit about the greater good. It all boils down to not inconveniencing "me".

The law would need to make sure the ambiguity around insurance was clear, and would need to be tied with the right kind of education campaign to help people understand how to protect themselves and their data.

5

Fun_Ad_9878 t1_iwhyby7 wrote

Yes, that is what I am saying. The premise of any law is that it can be enforced. It's true that bitcoin wallets are public info and many of their owners are known. Yet the only real way to enforce is by blocking bank accounts and banning certain types of credit card vendors, much like gambling houses do. The only way to enforce a ban on ransomware payments would then be whistleblowers. I got news for you. Unlike license violations, where the company pressures its workers to break the law and the employee has no benefit, in the case of ransomware payments the employees are usually at fault and will be in no hurry to have their name out there, since they likely suggested paying it in the first place to cover up their mistakes.

Another issue is the size of the transfer. I have never paid for ransomware (so I don't know the price), but if the ransom is, say, less than 10k USD then it can be hidden in such ways, but if it gets to be more then there will really be no way to hide it. This is where terrorists get stuck imo. Of course terrorists already have their money in bitcoin, so it's likely less of an issue.

1

Informal-Lead-4324 t1_iwhz5b1 wrote

You're being selfish wtf. You're saying YOU get to decide whether or not someone has the ability to recover their data. Wtf. YOU'RE being authoritarian. And it's funny because we know damn well corporate interests in your country would be exempt. There's 0 fucking chance your government is going to fine Facebook for paying a ransom on their own data.

So in this case what happens. The authorities "look into it" and you're out your data lol. Thanks officers.

Your last paragraph is moot. In a world with 0-day no-click exploits, you're literally victim blaming people who technically could have done absolutely zero to prevent it.

−2

badillustrations t1_iwhzfxc wrote

> I got news for you. Unlike license violations where the company pressures it's workers to break the law and the employee has no benefit, in the case of ransomware payments the employees are usually at fault

I guess I don't understand this assumption. There are equivalents of SOX compliance across many countries and that everyone in a compliance team would be totally cool signing off on illegal activity is a little strange to assume.

I think bitcoin is a little secondary to this conversation. Someone could convert X dollars to bitcoin and it's hard to track, but just taking X dollars out of an account needs to be accounted for just as if someone took it out to cash.

4

Fieos t1_iwhzqr0 wrote

Okay, sure.

- Source 20+ year IT veteran specializing in the private cloud computing areas of business continuity, disaster recovery, and cyber-threat resiliency.

People often think, "I have backup... I'm good."

How do you know if your backups aren't also compromised? Are you scanning for metadata changes in your archive? If your infrastructure was targeted, do you have a recovery plan for all your data center services? DNS/NTP/LDAP/SMTP/PKI/etc?

Are your business processes aligned to report and communicate internally (and possibly externally) in the event of a security breach? If you are compromised and recovering to an alternate restore target... do you have your VIPs configured to handle the new locale?

Do you have all your binaries for a site rebuild onsite in a vault and are all your runbooks current? Have you actually even tested restores?

Say you are recovering from backup and everything else is good. What is your throughput to get your data back on disk?

If your data is encrypted by a third party, what's the plan? If the data is already outside of the environment... what's the plan?

None of this is simple at scale.

2
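Two of the questions above (are the backups themselves tampered with, and how long does the restore actually take) can be answered with a manifest check and a throughput estimate. The following is an added example, not code from the commenter or any vendor; the archive directory, file names and throughput figures are constructed for the demo.

```python
"""Backup integrity check: detect content/metadata drift in an archive and size the restore window."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict:
    """Record size, mtime and SHA-256 of every file under root (the backup archive)."""
    manifest = {}
    base = Path(root)
    for path in sorted(base.rglob("*")):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[str(path.relative_to(base))] = {
                "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return files added, removed, or changed since the trusted baseline was taken."""
    changed = [p for p in baseline if p in current and baseline[p] != current[p]]
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(changed),
    }


def restore_hours(total_bytes: int, throughput_mb_s: float) -> float:
    """Estimate wall-clock hours to put total_bytes back on disk at a sustained MB/s rate."""
    return total_bytes / (throughput_mb_s * 1_000_000) / 3600


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an archive that was altered in place."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "db.sql").write_bytes(b"INSERT INTO t VALUES (1);\n")
        (Path(d) / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        baseline = build_manifest(d)
        # One file is overwritten with the same size, so only the hash reveals it; a new file appears.
        (Path(d) / "db.sql").write_bytes(b"\x00" * len(b"INSERT INTO t VALUES (1);\n"))
        (Path(d) / "README.txt").write_bytes(b"unexpected file in archive\n")
        return diff_manifests(baseline, build_manifest(d))


if __name__ == "__main__":
    print(demo())
    print(f"1 TB at 100 MB/s: {restore_hours(10**12, 100):.1f} h")
```

Store the baseline manifest off the backup host so the comparison itself cannot be rewritten along with the archive.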

Fun_Ad_9878 t1_iwi0g27 wrote

>I think bitcoin is a little secondary to this conversation. Someone could convert X dollars to bitcoin and it's hard to track, but just taking X dollars out of an account needs to be accounted for just as if someone took it out to cash.

The expense could easily be itemized as a security expense or a data recovery expense. If they really wanted to get creative then they could list it as any old expense, like an employees' party or who knows what else. If a receipt is a problem then they can just pay said employee a bonus and he could convert it. There are plenty of ways. If the payment is done in conventional ways then it can usually be stopped.

1

DasKapitalist t1_iwi2ly9 wrote

>There are equivalents of SOX compliance across many countries and that everyone in a compliance team would be totally cool signing off on illegal activity is a little strange to assume.

Every USA-based company which does business internationally and "complies" with the FCPA laughs at your optimism. Bribing people in the third world to do their job (or to "protect" your business from "accidents") is both illegal and ubiquitous. It's the sort of thing you'd see categorized as "consulting expenses", "travel and entertainment expense", or "risk mitigation expense".

For ransomware, they'd probably just label it "data recovery expense" or "penetration testing expense" if the accountant had a sense of humor.

1

nvrmor t1_iwi9kpj wrote

pfft, you wouldn't know an internet badass if it fragged you straight in the face. I ran gentoo in 2002 and have written DOZENS of bash scripts. All you need is a little rsync to stop ransomware and it doesn't take 2 braincells to figure that out, genius, jeez

1

Gedz t1_iwi9rgm wrote

Trust Australia to try and regulate something. It's the hell of regulation on earth. FFS government, get out of people's lives. Next time they'll be telling you you can't ride a bike without a helmet, or that you're locked into the country for 2 years.

−2

LeastDescription4 t1_iwibztw wrote

On an unrelated note, do you know how invasive ASIC can be? Their "proactive surveillance" is fun.

Basically any financial company is well aware of the level of scrutiny behind stuff like this, so I wouldn't be surprised to see another government agency being given similar controls/access. Probably the OAIC I guess, considering they already do the mandatory data breach reporting stuff.

2

atr0s t1_iwijitc wrote

He's got a point though. It only really applies if your business is big enough or controversial enough to be worth blackmailing, but if the attackers are already encrypting your data, they can copy it first and threaten to release it if you aren't going to pay because you have a backup.

1

BraidRuner t1_iwj80bj wrote

They should probably ban criminal activity as well and that should solve the problem, because banning things is always so effective. Criminals are well known to respect government edicts.

1

skunksmasher t1_iwjqf2j wrote

y'all realise that the word CONSIDER is a qualifier and makes the entire sentence meaningless!

0