Ransomware gangs get paid off as officials struggle for fix
The Associated Press
BOSTON -- If your business falls victim to ransomware and you want simple advice on whether to pay the criminals, don't expect much help from the U.S. government. The answer is apt to be: It depends.
“It is the position of the U.S. government that we strongly discourage the payment of ransoms,” Eric Goldstein, a top cybersecurity official in the Department of Homeland Security, told a congressional hearing last week.
But paying carries no penalties and refusing would be almost suicidal for many companies, especially the small and medium-sized. Too many are unprepared. The consequences could also be dire for the nation itself. Recent high-profile extortive attacks led to runs on East Coast gas stations and threatened meat supplies.
Although the Biden administration has made battling ransomware crime a national security priority, public officials are fumbling over how to respond to the ransom payment dilemma. In an initial step, bipartisan legislation in the works would mandate immediate federal reporting of ransomware attacks to assist response, help identify the authors and even recoup ransoms, as the FBI did with most of the $4.4 million that Colonial Pipeline recently paid.
Without additional action soon, however, experts say ransoms will continue to skyrocket, financing better criminal intelligence-gathering and tools that only worsen the global crime wave.
President Joe Biden got no assurances from Russian President Vladimir Putin in Geneva last week that cybercriminals behind the attacks won't continue to enjoy safe harbor in Russia. At minimum, Putin’s security services tolerate them. At worst, they are working together.
Energy Secretary Jennifer Granholm said this month that she is in favor of banning payments. “But I don’t know whether Congress or the president is” in favor, she said.
And as Goldstein reminded lawmakers, paying doesn’t guarantee that you’ll get your data back or that sensitive stolen files won’t end up for sale in darknet criminal forums. Even if the ransomware crooks keep their word, you’ll be financing their next round of attacks. And you may just get hit again.
In April, the then-top national security official in the Justice Department, John Demers, was lukewarm toward banning payments, saying it could put “us in a more adversarial posture vis-à-vis the victims, which is not where we want to be.”
Perhaps most vehement about a payment ban are those who know ransomware criminals best — cybersecurity threat responders.
Lior Div, CEO of Boston-based Cybereason, considers them digital-age terrorists. “It is terrorism in a different form, a very modern one.”
A 2015 British law prohibits U.K.-based insurance firms from reimbursing companies for the payment of terrorism ransoms, a model some believe should be applied universally to ransomware payments.
“Ultimately, the terrorists stopped kidnapping people because they realized that they weren’t going to get paid,” said Adrian Nish, threat intelligence chief at BAE Systems.
U.S. law prohibits material support for terrorists, but the Justice Department in 2015 waived the threat of criminal prosecution for citizens who pay terrorist ransoms.
“There’s a reason why that’s a policy in terrorism cases: You give too much power to the adversary,” said Brandon Valeriano, a Marine Corps University scholar and senior adviser to the Cyberspace Solarium Commission, a bipartisan body created by Congress.
Some ransomware victims have taken principled stands against payments, the human costs be damned. One is the University of Vermont Health Network, where the bill for recovery and lost services after an October attack was upwards of $63 million.
Ireland, too, refused to negotiate when its national health care service was hit last month.
Five weeks on, health care information technology in the nation of 5 million remains badly hobbled. Cancer treatments are only partially restored, email service patchy, digital patient records largely inaccessible. People jam emergency rooms for lab and diagnostic tests because their primary care doctors can't order them. As of Thursday, 42% of the system’s 4,000 computer servers still had not been decrypted.
The criminals turned over the software decryption key a week after the attack — following an unusual offer by the Russian Embassy to “help with the investigation” — but the recovery has been a painful slog.
“A decryption key is not a magic wand or switch that can suddenly reverse the damage,” said Brian Honan, a top Irish cybersecurity consultant. Every machine recovered must be tested to ensure it's infection-free.
Data indicate that most ransomware victims pay. The insurer Hiscox says just over 58% of its afflicted customers pay, while leading cyber insurance broker Marsh McLennan put the figure at roughly 60% for its affected U.S. and Canadian clients.
But paying doesn’t guarantee anything near full recovery. On average, ransom-payers got back just 65% of the encrypted data, leaving more than a third inaccessible, while 29% said they got only half of the data back, the cybersecurity firm Sophos found in a survey of 5,400 IT decision-makers from 30 countries.
In a survey of nearly 1,300 security professionals, Cybereason found that 4 in 5 businesses that chose to pay ransoms suffered a second ransomware attack.
That calculus notwithstanding, deep-pocketed businesses with insurance protection tend to pay up.
Colonial Pipeline almost immediately paid last month to get fuel flowing back to the U.S. East Coast — before determining whether its data backups were robust enough to avoid payment. Later, meat-processing goliath JBS paid $11 million to avoid potentially interrupting U.S. meat supply, though its data backups also proved adequate to get its plants back online before serious damage.
It's not clear if concern about stolen data being dumped online influenced the decision of either company to pay.
Colonial would not say if fears of the 100 gigabytes of stolen data ending up in the public eye factored into the decision by CEO Joseph Blount to pay. JBS spokesperson Cameron Bruett said “our analysis showed no company data was exfiltrated.” He would not say if the criminals claimed in their ransom note to have stolen data.
Irish authorities were fully aware of the risks. The criminals claim to have stolen 700 gigabytes of data. As yet, it has not surfaced online.
Public exposure of such data can lead to lawsuits or lost investor confidence, which makes it manna for criminals. One ransomware gang seeking to extort a major U.S. corporation published a nude photo of the chief executive's adult son on its leak site last week.
Rep. Carolyn Maloney, chair of the House Committee on Oversight and Reform, has asked in written requests to know more about the JBS and Colonial cases as well as CNA Insurance. Bloomberg News reported that CNA Insurance surrendered $40 million to ransomware criminals in March. The New York Democrat said, “Congress needs to take a hard look at how to break this vicious cycle.”
Recognizing a lack of support for a ransom ban, Senate Intelligence Committee Chair Mark Warner, D-Va., and other lawmakers want at least to compel greater transparency from ransomware victims, who often don't report attacks.
They are drafting a bill to make the reporting of breaches and ransom payments mandatory. Breaches and payments would need to be reported within 24 hours of detection, with the executive branch deciding on a case-by-case basis whether to make the information public.
But that won’t protect unprepared victims from potentially going bankrupt if they don’t pay. For that, various proposals have been put forward to provide financial assistance.
The Senate this month approved legislation that would establish a special cyber response and recovery fund to provide direct support to the most vulnerable private and public organizations hit by major cyberattacks and breaches.