Colonial paid up. Are you next?

Colonial paid the $5,000,000 ransom after all. Let’s face fact:

America is the bull’s eye for hackers world wide

but nevertheless

American companies prioritize profit FAR above customer safety.

I’m thinking in particular of banking. I rely on the internet almost 100% for my banking needs. NOT AT ALL thinking of personal privacy considerations, threats from the dark web, phishing scams, and so forth. Instead:

Thinking of circumstances akin to Colonial where hackers take out (at minimum) my bank or my credit union or, even beyond that, take down the entire banking system, or the Federal Reserve.

I have often wondered exactly how effective is financial industry internet security against an increasingly sophisticated cadre of hackers worldwide. Separate Americans from online access to our many financial accounts and we’re in a world of hurt . . . . just like the people in those gas lines.

How much money are the financial institutions spending to keep their systems up and safe from hackers? I hope they are spending more than Colonial obviously spent. Prioritization of profit over system safety is foolish. I just hope it is not ubiquitous among financial institutions.

On a personal note:

Many tens of years ago I was completing design of a computer having hundreds of external connections. Without telling anyone or advertising the fact, I quietly included mil-spec connectors in the design. Those things were gold plated, butter smooth, and over the years we never had a failure. But the cost of those military grade connectors was, as you would expect, relatively high.

Right or wrong, I still to this day believe I did the right thing. But had anyone been looking over my shoulder way back I doubt I would have been able to defend the cost in advance. I just believed in my gut that connector problems could drive our service people nuts and harm our customer relationships. I wanted to forestall any such problems, and that is what I did, albeit on the QT.

Doubt I could get away with such a way of thinking today. Pity.

3 Likes

This is an automatically-generated Wiki post for this new topic. Any member can edit this post and use it as a summary of the topic’s highlights.

I think major banks are actually more accustomed than many companies to the threat of hacks and since a lot of their business rides on stability and trust, I’d hope that it’s not something they got complacent on since it could impact them to very large extents.

As far as profits though, that $5M will hurt the bottom line for sure for Colonial. And the trend is not gonna get better before it gets worse, especially after hackers notice that this sort of crime does pay millions. So one would hope it has alerted enough execs to the possibility of these hacks hurting their bottom line enough that it may be worth spending to protect themselves from it more aggressively.

Or maybe a federal ban on ransom payments like Kerb suggested could be an effective deterrent. Give time for companies and government agencies to transition to more secure system security, then make it illegal to pay ransoms to hackers. Insurers have already started refusing to underwrite policies reimbursing customers for extorted payments. I’d imagine this trend is not going away soon.

2 Likes

I agree. Banks being targets is popular to fear, but not all that practical to execute. There’s a lot of subtle legacy stuff that’s way more vulnerable, and can produce similar impacts.

3 Likes

I expect cyber insurance to become more common and companies to increase their limits.

1 Like

Whaddaya mean pay ransom to a hacker? I only see a company rewarding a private contractor for notifying them about a security vulnerability.

6 Likes

Are you next?

(From the Police Tribune just hours ago)

Washington, DC – A ransomware gang attempting to extort $4 million from the DC Metropolitan Police Department (MPD) doxed at least 200 officers and civilians after negotiations between the department and the hackers “reached a dead end.”

Cyber experts say the leak is the largest hack on a law enforcement agency in U.S. history

A Russian-speaking ransomware syndicate known as Babuk said it leaked the information after the MPD allegedly refused to meet its $4 million demand, offering $100,000 instead

Read the full Police Tribune story here

I think courts (or ideally the law) would be able to define pretty clearly where the line is on ransom vs. bounty/reward. Who sets the reward level and whether company’s main operations were severely disrupted or not for starters.

1 Like

Companies who care more about security offer modest bounties for finding their vulnerabilities in advance. Lazy ones find out about them after they caused a problem and have to pay a lot more.

4 Likes

My buddy works high up in one of the IT departments at one of the 3 largest banks in the country. They literally get thousands of cyber attack attempts every single day. Granted, most of them are quite unsophisticated, but they get hundreds that are not. They spend a lot of money keeping their stuff safe. If you’re worried about your financial institution getting hacked, move your funds into the largest bank you can. The citis, chases, and boas are rock solid compared to nearly every single institution out there (financial or otherwise). The only places that see more attack attempts than them are government agencies. They know what they are doing relatively speaking.

This has been going on for years. Hackers know how profitable it is. It’s an industry like any other illegal industry (racketeering, gambling, drugs, prostitution). They run on trust as well. If they didn’t, people/companies wouldn’t pay the ransom.

I’ve been out of internal audit for a year, but the last conference I went to had a seminar about having cyber security insurance specifically so you can pay the ransom. I’m pretty sure that is what my current company’s cybersec insurance is setup to do. Since when has the trend been to not allow ransom payments as part of the insurance? Insurance companies only care about the bottom line. They are quite aware of how much more it often costs to recover from a cybersecurity attack than it does to pay the ransom. Why would they only write policies that cost them more?

4 Likes

I hope I didnt have to highlight the tongue-in-cheek nature of my comment with an emoji or something?

2 Likes

I tend to think that serious attempted attacks (the kind that holds a system hostage) against banks are not about ransoms. Any attempt to collect a ransom from a bank would have to happen quietly, in advance of the attack. Because once a ransom attack against a bank goes “live”, there wont be any recovering from it no matter how quickly they pay.

Assuming I understand you right, I believe you’ve got that backwards.

The haxckers first hack the system, insert software that encrypts important files and only after that do they demand ransom.
There is no leverage to demand ransom if there hasn’t been a hack.
“we’re going to hackc you” is not a legit threat. Its like kitnapping. You steal the person first. You don’t say “I’m going to kitnap your daughter”.

1 Like

The serious ones are about ransoms. The most successful hackers around the world are in it for ransoms. It’s the fastest and easiest way to a payday. You just have to cripple the system. You don’t have to figure out how to get anything out or turn whatever you got out (credit card numbers, social security numbers, etc) into cash. Less work. Fewer steps. More money. Successful hackers almost always hand back control after a ransom is paid. It’s like a pirates code. They all know that if they get a reputation of not complying after the ransom is paid, people/companies will stop paying the ransom. There is no value in holding a company’s computers hostage if you can’t turn those hostage computers into cash/bitcoin in your own pocket. They are happy to hand them back over after getting paid.

It is the unserious ones that are after some way to get access to the money/accounts at the bank. I’m not talking about people that try to hack an individual account. I’m talking about people that try to hack a bank.

3 Likes

Yes and no. By “the attack”, I mean shutting down the system. The hack sets up the attack. Shut down a pipeline, and the oil eventually starts flowing again. Shut down a bank, and that bank is pretty much done.

Thank you, meed18, for this comment and your other contributions as well.

And, indeed, you are correct. This thread is NOT about individual vulnerabilities. We have another very good thread on this forum which addresses that matter. This thread is, as you state, about attacks on an entire financial institution, or on even larger financial targets, e.g., the Federal Reserve.

Wiki has the history of Ransomare. First such type of virus appeared in 1989.
By 2013 the “he operators of CryptoLocker had procured about US$27 million from infected users”
The WannaCry hack was in 2017. that hit 200k systems across the globe. That could have made them up to $60M total.
Since then theres been a history of multiple hospital systems individually hit with single entity ransoms with large payment demands.

I don’t know if a single bank has been targetted or hit in that time.

Id’ be more worried about my hospital or our electric grid or other vitally important systems that quite often have very mediocre, dated and unfunded computer systems. The hackers will target the easiest and ripest targets. Its going to be more effective to demand ransom from something liek a hospital where lives are at stake : easy to hit and lots of leverage plus the money to pay…

2 Likes

OK I see what you mean then.

So my understanding of ransomware is that it works :

  1. they hack into the system somehow and insert software. This part is done quiet
  2. they then trigger the software which takes over the system in some way and will encrypt vital system & data. This is the actual attack. The seizing of teh system is the part that gives the attack leverage.
  3. once the system is seized then they demand ransom or threaten to destroy the system with x days or something like that
  4. if they are paid they unlock the system, if not paid the system self destructs or remains encrypted which may effectively ruin it

I don’t believe they have any leverage to demand ransom until after the attack. If you install softare and then say that you’re going to attack someone then that software can potentially be romoved, teh system can be locked down or protected and the victim of the attack has little reason to believe the attack threat isn’t just a bluff or hoax.

1 Like

Which is why I said I think a serious attack against a bank is not about collecting ransom :wink: . To use your analogy, it’s shooting your kidnapped victim then expecting someone to pay anyways.

The key to ransom is being able to undo whatever you are using as leverage. There are other much more vulnerable systems that can be taken offline to cause chaos, but cause little-to-no permanent damage.

In ransomware the ‘attack’ is seizing the hostage. You’re not ‘shooting’ the hostage. In ransomware they only ‘shoot’ the hostage after the ransom is not paid.

1 Like