Comment by jacquesm

10 years ago

NEVER EVER PAY RANSOM MONEY.

Please. Even if your business will suffer it will suffer a lot more if you do pay since now it is known you'll cave. Also: you are making the problem larger for others.

From their blog: https://protonmaildotcom.wordpress.com/

At around 2PM, the attackers began directly attacking the infrastructure of our upstream providers and the datacenter itself. The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes. This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.

At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it, taking into consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.

  • They put their customers in charge of the company? This gets weirder all the time. The problem is that they asked their customers in the first place. They should have simply communicated the fact that they would be under attack shortly and indicated that they would never ever pay a red cent.

    That would give their customers time to batten the hatches and/or migrate off the system for the time being while sending a clear signal that they would not pay anyway.

    This is a tough situation to be in but putting your customers in control of the company (and in a democratic way no less) is not the solution. What about those customers that decided (rightly imo) against paying?

    Companies such as these should have an up-front item in their terms of service indicating that they would never pay a ransom, that way they would be clear to both their customers and their potential attackers.

    • "This was a collective decision taken by all impacted companies"

      I think they were put under pressure by other companies using the same ISP, not their customers.

    • ProtonMail can't be trusted with any decisions about its business going forward, no matter how good their service (of which I still have doubts anyway). I mean, who knows what kind of compromises they will make next if they get "pressured" by the government or whoever to put a backdoor in their service.

I think cryptolocker actually decrypted the FS after the ransom was paid. So sometimes it works.

Actually, it makes no sense to not follow through because that is their business model.

  • Let me make a spam analogy: the reason we are drowning in spam is because it works. If even 0.00001% of the spam recipients enters into a financially beneficial relationship with the spammers then everybody will get spammed. The only way spam will go away is if everybody will finally stop responding to spam.

    So you just simply do not pay extortion fees unless you want to become part of the problem.

    In the case of an encrypted filesystem that means you will have to restore from a back-up (which I assume (naively maybe) that you have). And you chalk the whole thing up to your education fund. Paying up is simply wrong.

    • > The only way spam will go away is if everybody will finally stop responding to spam.

      Right, which is why "never pay extortion fees" doesn't make much more sense for combating this stuff than "never click on spam links" makes for combating spam. It's unrealistic to think we will convince enough businesses to altruistically not pay extortionists, just like it's unrealistic to think you'll get your grandmother to stop clicking on spam links. You need another solution.

    • The way you make money is by selling spamming services. The sucker is not necessarily the person receiving the spam, it can also be the desperate business owner buying the "campaign".

  • If at any point a CryptoLocker locked a person's files up, and they didn't give up the key and it got out, no-one will ever pay them again. It's in their best interest to actually unlock the files.

If you are the victim of a crypto locker, you don't really have a choice. In fact it is true of any hostage situation. Parents of a kidnapped kid only have one solution. It is the authorities' role to ensure that the hostage takers end up in a jail or a coffin, otherwise impunity will fuel criminal behavior.

  • Kidnapped kid versus restoring a back-up. That's not a fair comparison.

    • If you have a working backup you are not really held hostage in the first place. But many people backup to an external drive or a NAS, which unless they happened to be offline at the time of the attack would also be compromised.

>NEVER EVER PAY... you are making the problem larger for others

That's true but for the individual payee it can make sense. Trying to get the ransomers back can work. They'll keep at it till they figure they can get harmed.

  • That's naive. If you pay a ransom they'll be back shortly for more. You've just turned yourself into an ATM for your attackers.

    • I was thinking in part of the pirate activities off Somalia. Most ship owners were better off paying $1m than losing a boat worth say $50m. The problem seems to have slacked off now and I feel it was more related to firearms being pointed in the direction of the pirates than people not paying. Likewise with Cryptolocker putting Evgeniy Bogachev in jail rather than on various yachts would be a start. http://www.usatoday.com/story/news/nation/2014/06/03/fbi-bus...

    • As someone who actually did this in their teens: I ddosed someone for 1 day then asked for a couple thousand bucks, but they wouldn't give any so they were ddosed for like 2 weeks. They ended up paying like 750 and I left them alone after that. They ended up losing like 250 grand in sales, could have been prevented by just paying a measly 2.

It would only make sense if you're doing it as a delaying tactic.

There is a chance they could be 'honorable' thieves and desist, but it's likely having had someone cave in once, they'd cave in again, and again... So, it only makes sense as a delaying tactic, in the long run it's mostly a losing proposition, unless you're setting them up for a sting or something.

What's your opinion on settling bogus litigation?

  • Bury the bastards.

    I've been in that position (twice) and in both cases was able to reverse tables on my opponent. It could be that I'm lucky but I think that these operations only work because there are a lot of people that cave in when they see a letter on a lawyer's letterhead regardless of the merit.

  • Hire a hitman, kill main lawyer and go up from there. Will be cheaper than settlement, not to mention full lawsuit.

"An appeaser is one who feeds a crocodile, hoping it will eat him last."

-Winston Churchill

If you're a security service, definitely pay no ransom money. Also, tell your clients to back their stuff up with their own methods, too, just in case you come under heavy attack.

  • > Also, tell your clients to back their stuff up with their own methods, too, just in case you come under heavy attack.

    This goes for any 'in the cloud' data that you might have. In the end it's your data and your company that is at stake. Not all data wipe-outs are malicious, sometimes accidents do happen.

    • Except that it seems when it comes to Azure everyone feels safe then also backing up to Azure (specifically talking about SQL database here). Sigh...

  • > Also, tell your clients to back their stuff up with their own methods, too, just in case you come under heavy attack

    You would be shocked at the number of people who get upset when you advise them to make their own backups, and interpret this as an indictment of the reliability of your own backup procedures.

    E.g. "isn't that what we pay you for???"

    Nevertheless, do it anyway and let them fume. There are no prerequisites for running a business and you'll find that many absolute morons are at the helm of some nominally successful businesses.

    • Agreed. Whenever I hear a self important IT person saying "this place WILL go under without me" I know I'm dealing with someone delusional or inexperienced.

      A company of any size can continue on even if severely crippled with nobody left who understands how anything works. I've seen it time and again - also even where I've felt I was important.

      Minimal viable product and vendor lock ins are powerful real world things.