Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
I would love to know the amount of ransoms paid by large companies who've been compromised without the public being informed. How much that undisclosed amount impacts inflation and the economy today is not talked about nearly enough, imo.
on one hand, every ransom paid encourages like-minded individuals to start or ramp up their ransomware game , which is not great.
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
This is always the game theory of ransoms, and it is a classic example of a collective action problem (and is a form of a prisoner's dilemma).
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
If you have to pay, at least try to negotiate 1) a guarantee that the hackers won't just do it again sometime later, and 2) full disclosure / assistance in repairing your vulnerabilities so you have some kind of head start for the future. Outside of politically motivated hackers, this would probably be reasonably successful.
You can also have the "excessive force" doctrine, where holding someone or something for ransom results in your entire country being a smoldering crater.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
There’s a similar dynamic from within the hacker group itself. For the ransom group, it is better for them to be perceived as trustworthy. Pay the ransom and we won’t leak your data.
For any individual within the ransom group, they can get a big payout by selling the data.
Depends on what they actually got. Names and email addresses? Considered public and are not so valuable. Universities usually publish those in a directory anyway.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
SSNs have been used as student IDs by particularly stupid educational institutions. The 'nice' thing about getting SSNs from students is the likelihood they'll live for a long time after the breach and thus be subject to identity theft for many years to come.
I don’t know if that’s really true. Nobody would really give a shit if you leaked where everyone goes to college… because it’s already on their LinkedIn or whatever.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
... except that "policies" don't cut it. Criminal penalties for paying are what you need, and not just for payments to specific designated entities, either. The executive making the decision to pay has to have a real fear of personally spending time in actual prison.
While the us stance has resulted in savings on potential ransom, it has also lead to people being kept in prison for very long time until prisoner exchanges might be worked out. That cost to an individuals life being imprisoned is probably far in excess whatever the US might pay. Plus the US prints its own monopoly money and doesn’t really play by the rules of economics anyhow ever since getting off gold standard.
An idea I idly thought about is that of a "Benevolent Terrorist"[0]: one who does great harm to some number of people so that they may make it to a better world. Not entirely original, I suppose, since the Kwisatz Haderach from Dune is the trope definer. But a fun thought I had was what if you ran a ransomware company that just didn't pay? You'd screw a lot of people over but eventually you'd make ransomware a non-business the better you impersonated them and failed to deliver after taking the ransom.
I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
The name ShinyHunters is currently quite well-known due to a number of high-profile hacks (Odido in the Netherlands this year was huge). Their brand has a significant value right now.
That's a motivation to avoid tragedy of the commons, not because they're trying to maintain their own reputation to victims. It benefits the criminals even if they change their name.
If we assume a world where ransomware is continually existent and all your data is ransomed at anytime, we'd have a world designed to work around that.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
> on the other hand, the ransomware groups that want to stay in business need to be honest
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
Another way to view this calculation: if you keep your infrastructure secure and up to date, you (very likely) don't have to pay any ransom in the first place.
There is a line where the ransom price beats the capex of keeping a secure system, specially when the risk so nebulous
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
So, maybe we could consider a "White Hat" ransomware group that takes the money and also leaks the data, so that long term no one bothers to pay which ultimately disincentivizes ransomware attacks?
LOL that's some super heavy duty optics framing on what basically amounts to "we paid out a ransom but don't worry the bad guys assured us things were okay"
They said “received digital confirmation of data destruction (shred logs)” - is this supposed to fool users into thinking the hackers didn’t keep any of the data?
I thought it was illegal to pay ransom to hackers. I guess it is legal or maybe it isn't very clear? I thought that there were certain conditions that the company had to check together with law enforcement so that at least the ransom money doesn't go to a hacker group that is on a government payments sanctions list.
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
Not only is it not illegal, there are insurance policies set up to take care of this very scenario. It's almost always handled by a third party, not the company themselves, that would deal with any such concerns.
It is illegal to pay terrorists. As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group. If they did, would they be able to send in SEAL Team 6 to handle the hackers?
> As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group.
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of Foreign Corrupt Practices act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
If they were in Iran a drone would’ve paid a visit, based on current events. Most of them are in Russia or former Eastern Bloc like Belarus. USA and the west doesn’t want a direct conflict so the drones never pay them a visit.
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
It often is illegal to pay them. They are often on sanctions lists, or indeed in embargoed countries. And it's just generally not allowed to pay unidentifiable parties for basic anti-money laundering reasons. And a lot of countries are bringing in new legislation to make paying illegal, starting with public sector organisations. I'm sure that will only expand.
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
I don't know where you are getting your information from. For one, it's very often unknown, by virtue of how these groups operate, where they are from or who they are affiliated with in the first place. For two, as I stated, it is such common practice to pay ransoms that there are insurance policies specifically for doing so, it's very common to purchase these as part of a SOP of a company's security policy. A business is required, often by the board/shareholders, to maintain business continuity, which is why these exist.
For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -
> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.
I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liasons to deal with any such issues). Most ransomware attacks come from small, unknown groups.
If the bad guys get paid and release the info anyway, they not only make it less likely they'll get paid in the future, they make it less likely anyone will get paid in the future.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
In the abstract, it’s hilarious to imagine the hackers keeping the data, then some time from now leaking it accidentally (or another hacker group hacks them) then them having to issue a public apology for not having kept the stolen data secure and having lied about shredding it.
I wonder if, longer term, we're better off if a company like this were in some way destroyed as a result of getting hacked and paying a bribe.
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
A good infotech public service project would be to maintain a public list of organizations that have succumbed to ransom demands, so that we can choose to take our business elsewhere. It would also be an act of bravery though in the face of potential liability for libel. I doubt disclaimers would evade much of that.
ShinyHunters has a vested financial stake in not leaking the customer data. If they did, nobody would ever pay a ransom to them again. I trust ShinyHunters to look out for themselves continuing to get paid.
Sure. Do you trust every member of ShinyHunters to remain a member of ShinyHunters in good standing, and to resist the temptation to exfiltrate the data in the process of exiting ShinyHunters?
> Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.
Hmm. I thought all these agencies say NOT to pay a ransom.
I suspected as much as it disappeared from the ShinnyHunters page and it recovered so fast. The main thing I'm interested in knowing was how much was paid. Also I don't really like their statement that the data is safe or destroyed, those promises seem a little questionable with regards to these incidents.
There shouldn't have been a need to give into hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
Enrollment or courses might not be generally super sensible, but financing/financial data, personal identification like phone numbers and emails, chat logs and such
I mean, something as simple as name + grades is extortable. There are plenty of students who would not want their bad grades to be public information, and who would be upset with their school if the school allowed that to be leaked, or who may personally pay an extortion if contacted directly.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
This happens every day, and there doesn't seem to be anything interesting about this case. It's how most situations are resolved. There are money transmitters that specialize in ransoms. They "do" sanctions checks that are about as good as you suspect they are.
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
> You wouldn't "return" data unless it was encrypted or the originals were deleted
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
Simple economic motivations from the hackers. They've hacked a lot of different companies. [1] If they didn't keep their word then companies would have no incentive to pay, and vice versa when they do keep their word.
Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
I would love to know the amount of ransoms paid by large companies who've been compromised without the public being informed. How much that undisclosed amount impacts inflation and the economy today is not talked about nearly enough, imo.
on one hand, every ransom paid encourages like-minded individuals to start or ramp up their ransomware game , which is not great.
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
This is always the game theory of ransoms, and it is a classic example of a collective action problem (and is a form of a prisoner's dilemma).
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
https://en.wikipedia.org/wiki/Collective_action_problem
https://en.wikipedia.org/wiki/Prisoner%27s_dilemma
> Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
If you have to pay, at least try to negotiate 1) a guarantee that the hackers won't just do it again sometime later, and 2) full disclosure / assistance in repairing your vulnerabilities so you have some kind of head start for the future. Outside of politically motivated hackers, this would probably be reasonably successful.
Other hacking groups now know Instructure pays up.
Famously summarized by Kipling
https://www.kiplingsociety.co.uk/poem/poems_danegeld.htm
You can also have the "excessive force" doctrine, where holding someone or something for ransom results in your entire country being a smoldering crater.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
And that’s exactly why the incidence of kidnapping plummeted in Italy once ransom payments were made illegal
How does that work? I.e. say a kidnapping occurs and the ransom is paid. What kind of trouble does the paying party get into? A fine? Jail?
There’s a similar dynamic from within the hacker group itself. For the ransom group, it is better for them to be perceived as trustworthy. Pay the ransom and we won’t leak your data.
For any individual within the ransom group, they can get a big payout by selling the data.
> For the ransom group, it is better for them to be perceived as trustworthy.
They've already proved themselves to be untrustworthy simply by ransoming you in the first place.
Depends on what they actually got. Names and email addresses? Considered public and are not so valuable. Universities usually publish those in a directory anyway.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
SSNs have been used as student IDs by particularly stupid educational institutions. The 'nice' thing about getting SSNs from students is the likelihood they'll live for a long time after the breach and thus be subject to identity theft for many years to come.
This was common years (decades, really) ago but I'd be surprised if any university today was still doing that. I guess there could still be some....
I don’t know if that’s really true. Nobody would really give a shit if you leaked where everyone goes to college… because it’s already on their LinkedIn or whatever.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
... except that "policies" don't cut it. Criminal penalties for paying are what you need, and not just for payments to specific designated entities, either. The executive making the decision to pay has to have a real fear of personally spending time in actual prison.
US law has criminal penalties for paying a ransom to a designated criminal terrorist organization or under treasury sanctions.
Most hacking groups don't fall under that. Some, sure.
While the us stance has resulted in savings on potential ransom, it has also lead to people being kept in prison for very long time until prisoner exchanges might be worked out. That cost to an individuals life being imprisoned is probably far in excess whatever the US might pay. Plus the US prints its own monopoly money and doesn’t really play by the rules of economics anyhow ever since getting off gold standard.
That ransoms today are denominated in USD and that the US might be printing too many USD has nothing to do with whether or not ransoms should be paid.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
Cash is not the real cost; the cost is by agreeing to continue printing ransom money, you cause more individuals to be kidnapped.
An idea I idly thought about is that of a "Benevolent Terrorist"[0]: one who does great harm to some number of people so that they may make it to a better world. Not entirely original, I suppose, since the Kwisatz Haderach from Dune is the trope definer. But a fun thought I had was what if you ran a ransomware company that just didn't pay? You'd screw a lot of people over but eventually you'd make ransomware a non-business the better you impersonated them and failed to deliver after taking the ransom.
What could go wrong? ;)
0: https://wiki.roshangeorge.dev/w/Benevolent_Terrorist#Poisoni...
I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
The name ShinyHunters is currently quite well-known due to a number of high-profile hacks (Odido in the Netherlands this year was huge). Their brand has a significant value right now.
Yeah but fewer ransomes would be paid out regardless of who is attacking. They could be spoiling their own market and am sure they would
That's a motivation to avoid tragedy of the commons, not because they're trying to maintain their own reputation to victims. It benefits the criminals even if they change their name.
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time.
Reputation is everything in a collective.
If we assume a world where ransomware is continually existent and all your data is ransomed at anytime, we'd have a world designed to work around that.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
What stops a ransomware group copying all data and just selling it piecemeal on the darknet under posibly a different name?
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
> on the other hand, the ransomware groups that want to stay in business need to be honest
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
Another way to view this calculation: if you keep your infrastructure secure and up to date, you (very likely) don't have to pay any ransom in the first place.
There is a line where the ransom price beats the capex of keeping a secure system, specially when the risk so nebulous
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
So, maybe we could consider a "White Hat" ransomware group that takes the money and also leaks the data, so that long term no one bothers to pay which ultimately disincentivizes ransomware attacks?
White hats that take money are not white hats, those are grey hats.
https://en.wikipedia.org/wiki/Grey_hat
LOL that's some super heavy duty optics framing on what basically amounts to "we paid out a ransom but don't worry the bad guys assured us things were okay"
They said “received digital confirmation of data destruction (shred logs)” - is this supposed to fool users into thinking the hackers didn’t keep any of the data?
I thought it was illegal to pay ransom to hackers. I guess it is legal or maybe it isn't very clear? I thought that there were certain conditions that the company had to check together with law enforcement so that at least the ransom money doesn't go to a hacker group that is on a government payments sanctions list.
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
Not only is it not illegal, there are insurance policies set up to take care of this very scenario. It's almost always handled by a third party, not the company themselves, that would deal with any such concerns.
It is illegal to pay terrorists. As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group. If they did, would they be able to send in SEAL Team 6 to handle the hackers?
> As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group.
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of Foreign Corrupt Practices act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
If they were in Iran a drone would’ve paid a visit, based on current events. Most of them are in Russia or former Eastern Bloc like Belarus. USA and the west doesn’t want a direct conflict so the drones never pay them a visit.
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
A large percentage of hacking groups are state sponsored Russians. That seal response would be starting WW3 over some pii.
Protecting pii is important, but it's not that important
we started the pretext to WW3 over someone wanting to move the focus of attention, so it's really not that much of a stretch.
The cyber terrorist groups North Korean Lazarus Group and Russian groups like APT28 (Fancy Bear) are on the US SDN list, among others.
Iran, Russia and North Korea are the biggest sources of ransomware.
Search “cyber jihad” and “cyber islamic state” if you’re curious for answers.
It often is illegal to pay them. They are often on sanctions lists, or indeed in embargoed countries. And it's just generally not allowed to pay unidentifiable parties for basic anti-money laundering reasons. And a lot of countries are bringing in new legislation to make paying illegal, starting with public sector organisations. I'm sure that will only expand.
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
I don't know where you are getting your information from. For one, it's very often unknown, by virtue of how these groups operate, where they are from or who they are affiliated with in the first place. For two, as I stated, it is such common practice to pay ransoms that there are insurance policies specifically for doing so, it's very common to purchase these as part of a SOP of a company's security policy. A business is required, often by the board/shareholders, to maintain business continuity, which is why these exist.
For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -
> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.
I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liasons to deal with any such issues). Most ransomware attacks come from small, unknown groups.
[0] https://www.fbi.gov/how-we-can-help-you/scams-and-safety/com...
If the bad guys get paid and release the info anyway, they not only make it less likely they'll get paid in the future, they make it less likely anyone will get paid in the future.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
Why not wait a week and take the site down and ransom them again?
Because why would anyone pay anyone if they were going to do what they threatened you with anyway?
> We received digital confirmation of data destruction (shred logs).
This is shockingly naive
What's to say they didn't copy the data then shred a copy, or hell even just fabricate some shred logs.
In the abstract, it’s hilarious to imagine the hackers keeping the data, then some time from now leaking it accidentally (or another hacker group hacks them) then them having to issue a public apology for not having kept the stolen data secure and having lied about shredding it.
Being that this is HN, do we know how they got hacked? Can we learn something about protecting our services?
I wonder if, longer term, we're better off if a company like this were in some way destroyed as a result of getting hacked and paying a bribe.
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
A good infotech public service project would be to maintain a public list of organizations that have succumbed to ransom demands, so that we can choose to take our business elsewhere. It would also be an act of bravery though in the face of potential liability for libel. I doubt disclaimers would evade much of that.
So you would rather take your business to somewhere that got hacked, didn't pay the random, and got customer data leaked?
Yes, particularly if they are transparent about it.
Yeah, sorry. I don't believe you :)
The customer data is already leaked, unless your threat model somehow includes trusting threat actors to keep said data confidential in perpetuity.
ShinyHunters has a vested financial stake in not leaking the customer data. If they did, nobody would ever pay a ransom to them again. I trust ShinyHunters to look out for themselves continuing to get paid.
Sure. Do you trust every member of ShinyHunters to remain a member of ShinyHunters in good standing, and to resist the temptation to exfiltrate the data in the process of exiting ShinyHunters?
If you believe the hackers didn’t keep a copy of the data, you’re the target market.
Both of them got hacked so... yes.
> Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.
Hmm. I thought all these agencies say NOT to pay a ransom.
Engaged != listened to.
I suspected as much as it disappeared from the ShinnyHunters page and it recovered so fast. The main thing I'm interested in knowing was how much was paid. Also I don't really like their statement that the data is safe or destroyed, those promises seem a little questionable with regards to these incidents.
There shouldn't have been a need to give into hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
Backups do nothing to protect your customers from getting extorted to avoid their data being leaked.
What extortable content should schools be creating? And if they are it's crazy that they are trusting it to school SaaS.
Enrollment or courses might not be generally super sensible, but financing/financial data, personal identification like phone numbers and emails, chat logs and such
I mean, something as simple as name + grades is extortable. There are plenty of students who would not want their bad grades to be public information, and who would be upset with their school if the school allowed that to be leaked, or who may personally pay an extortion if contacted directly.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
How is Instructure getting away with paying off the ransomware hackers? Is that still legal in Utah or something?
This happens every day, and there doesn't seem to be anything interesting about this case. It's how most situations are resolved. There are money transmitters that specialize in ransoms. They "do" sanctions checks that are about as good as you suspect they are.
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
>The data was returned to us.
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
[1] https://www.youtube.com/watch?v=IeTybKL1pM4
[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...
[3] https://xcancel.com/zachxbt/status/2012212936735912351
[4] https://archive.ph/4zD7f
[5] https://archive.ph/NYWbJ
I guess the incentive is for the hackers to not leak, so they can get away with the next ransom.
> You wouldn't "return" data unless it was encrypted or the originals were deleted
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
What on earth does "returned the hacked personal data" mean?
I believe attacks like this often include copying data and then deleting it from the victim's servers.
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
Michael Jackson paid the ransom and look what happened to him.
Given they were hacked multiple times, couldn’t they just be targeted again by the same or different group? Why would it stop here?
The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
So they hacker group could create an unregistered subsidiary and hack some more?
Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
They could but also why would they?
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
Simple economic motivations from the hackers. They've hacked a lot of different companies. [1] If they didn't keep their word then companies would have no incentive to pay, and vice versa when they do keep their word.
[1] - https://en.wikipedia.org/wiki/ShinyHunters
Got to scroll down to see the update.
(https://www.instructure.com/incident_update#:~:text=STATUS%2...)
Thanks, we've put that in the toptext.
It would be amusing to discover it turned out that the hackers were 14 year old teenagers, bored with school.
The defendant, who calls himself “zero cool”, has repeatedly committed criminal acts of a malicious nature.