There’s only one way to stop any type of attack and that’s to learn how it’s delivered and learn what you should not do.
There has been an article I’ve been sitting on for a while titled “What more can be done to stop ransomware attacks?” which is a great article.
The comment, made somewhat in jest by Allan Liska, an intelligence analyst at Recorded Future, was in response to a question about what could be done to further deter ransomware actors from carrying out their attacks.
“We only need to hit one ransomware dude with a drone, and then a whole bunch of them will retire very quickly once they know that’s on the table,” Liska said during an expert panel Wednesday at the Mandiant Worldwide Information Security Exchange (mWISE).
While the comment may have been tongue-in-cheek, there was an undercurrent of exasperation when Liska and other experts were asked how to further thwart ransomware attacks, especially as it has been made public that several companies have made eight-figure ransom payments in 2024.
You want to know why they have made those payments? Because they opened the file that contained the payload that infected them in the first fucking place. If you realized that, say, an invoice was due, yet something looked off, you’d either ask questions or delete the email. Especially if the file attached is a zip file with the invoice, for example.
Invoice software can send email with links, or maybe an attached PDF, but never an executable.
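Here is an added example of that rule turned into a check, written for this post and not code from the article or anyone quoted in it. It walks an email’s attachments and flags anything with an executable extension, including a file hidden inside a zip under a double extension like invoice.pdf.exe. The extension list, the sender addresses and the sample messages are all constructed for illustration, not taken from any real incident.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that have no business arriving as an "invoice" (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs",
                   ".ps1", ".msi", ".hta", ".lnk", ".jar"}
ARCHIVE_EXTS = {".zip"}


def classify_name(name):
    """Return a reason string if the filename ends in an executable extension, else None.

    os.path.splitext only looks at the last extension, so invoice.pdf.exe is
    classified by the .exe that actually decides what Windows will run.
    """
    ext = os.path.splitext(name.lower())[1]
    if ext in EXECUTABLE_EXTS:
        return f"executable extension {ext}"
    return None


def scan_zip(container, data):
    """List findings for the members of a zip attachment without extracting anything."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{container}: not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                findings.append(f"{container} contains {info.filename}: {reason}")
            elif os.path.splitext(info.filename.lower())[1] in ARCHIVE_EXTS:
                findings.append(f"{container} contains nested archive {info.filename}")
    return findings


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of attachment findings (empty = nothing flagged)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reason = classify_name(name)
        if reason:
            findings.append(f"{name}: {reason}")
        # Check both the declared extension and the zip magic bytes, so a renamed archive is still opened.
        if os.path.splitext(name.lower())[1] in ARCHIVE_EXTS or data.startswith(b"PK\x03\x04"):
            findings.extend(scan_zip(name, data))
    return findings


def build_sample_message():
    """Constructed lure: a zipped 'invoice' whose only member is invoice.pdf.exe."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # placeholder sender
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Invoice #4711 overdue"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


def build_benign_message():
    """Constructed control: the same email with a plain PDF attached instead."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Invoice #4711"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_message()), ("benign", build_benign_message())):
        print(label, triage_message(raw) or "nothing flagged")
```

The script only reads zip directory entries, so it never writes a member to disk; a finding means “don’t open this, ask the sender through a channel you already trust”.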
The experts commended the amount of takedowns in 2024 — 14 as of this article’s publication — calling it a step in the right direction. But they also know cybercriminals adapt to these actions, being able to re-tool and quickly resume operations.
This is because they buy a hundred domains at random, and when one pops off the net, they put another one of them up at random. I’ve said that those who sell domains should ask us what we’re doing with them, and follow up at regular intervals. You don’t need to sit on a hundred or a thousand domains just because you can.
If you’re a business, I understand your need. But the average consumer doesn’t need to have that many domains.
Over the course of the year, both Callow and Liska have called for an outright ban on ransom payments as a way to deter attacks. But both backed off those thoughts Wednesday when they viewed it through the lens of the current attack landscape.
“I used to be a proponent of a ban, but I think the time to do that would have been [when] ransomware was nowhere near as impactful as it is” now, Callow said. “I just don’t see us being able to tell a hospital that it can’t pay a ransom when it has no means of recovering its systems. The impact on patients would be politically untenable.”
Maybe we just need to start regulating crypto like we do the dollar or the euro. Knowing how it’s used is great, and banning ransomware payments would be good in theory, but again we have to ask how this type of thing is going to be enforced.
I kind of feel bad for places like hospitals who don’t have a choice, since they don’t have any other means of working, and I suppose you can make a case that if there’s nothing else, fine. But if you have backups, and they are found to work, then you shouldn’t need to pay anything to anyone to get data back for your mistake. I’ve lost data because I didn’t back that crap up somewhere.
“We are seeing those [insurance] companies push organizations to try to restore as many systems as they can as quickly as possible, while the negotiator is kind of stalling,” she said. “That’s important from the perspective of if an organization was hit with ransomware, and the attacker demanded $2 million for the restoration of all their systems, if that [victim] organization is able to actively discover that actually only 10% can’t be restored from backups, they can use that to give them an upper hand in the negotiation, which ultimately helps the cyber insurer, because they might not have to pay out as much.”
Liska noted that insurers are increasingly stringent about companies’ security practices before issuing policies.
There’s tons more that I could’ve blocked and commented on, but the article is a good read. As I try to recover from having an issue caused by another issue needing to be dealt with, we just need to be pushing forward.
Let the comments begin.