Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Crime

Some Ransomware Gangs are Now Phoning Victims Who Restore from Backups (zdnet.com) 133

"We recommend that you discuss this situation with us in the chat," one caller warned, "or the problems with your network will never end."

ZDNet reports: In attempts to put pressure on victims, some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company might try to restore from backups and avoid paying ransom demands. "We've seen this trend since at least August-September," Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet on Friday...

"We think it's the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants," Bill Siegel, CEO and co-founder of cyber-security firm Coveware, told ZDNet in an email. Arete IR and Emsisoft said they've also seen scripted templates in phone calls received by their customers.

The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they've encrypted corporate networks. Previous tactics included the use of ransom demands that double in value if victims don't pay during an allotted time, threats to notify journalists about the victim company's breach, or threats to leak sensitive documents on so-called "leak sites" if companies don't pay.

This discussion has been archived. No new comments can be posted.

Some Ransomware Gangs are Now Phoning Victims Who Restore from Backups

Comments Filter:
  • CIA (Score:5, Interesting)

    by crow ( 16139 ) on Sunday December 06, 2020 @05:00PM (#60800996) Homepage Journal

    Assuming most of these are foreign in origin, the US should assign the CIA the task of finding the sources and eliminating them. Meanwhile we should outlaw paying ransoms so as to eliminate the motivation for launching these attacks in the first place.

    • Re:CIA (Score:5, Funny)

      by JustAnotherOldGuy ( 4145623 ) on Sunday December 06, 2020 @05:11PM (#60801032) Journal

      Agreed.

      I propose a strike team with worldwide jurisdiction, authorized to kill on sight.

      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Sunday December 06, 2020 @05:20PM (#60801060)
        Comment removed based on user account deletion
        • We don't really need to do anything besides making it illegal to pay ransoms for data. Somehow make it illegal for state and local governments to do the same when they're hit. At this point there's really no excuse for not being able to recover from a total loss of on-prem data, that's continuity planning 101.

          • by guruevi ( 827432 )

            In many cases it is already illegal to pay ransom - OFAC has a list of organizations and a ton of organized crime syndicates and terrorists across the world are on that list.

            The problem is enforcing it as often these payments aren't made with bags of cash or money transfers, it's done by third parties using cryptocurrency.

        • Funny you say that. I mentioned marque and reprisal either here or on another site a couple of weeks ago and I was thinking whether they had any modern use. I don't think they've been used since like 1815 or something.

          The Goodyear blimps were operating in a unclear legal area for a while during WW2, but they didn't actually have letters.

        • by Tom ( 822 )

          Where to apply for such letters?

        • by raind ( 174356 )
          I don't think the CIA follows many laws or congress...
      • I hope this was an attempt at a +5 Funny and it's getting "Underrated" only due to moderators being sensitive to karma
    • Re:CIA (Score:5, Insightful)

      by fahrbot-bot ( 874524 ) on Sunday December 06, 2020 @05:15PM (#60801046)

      Meanwhile we should outlaw paying ransoms so as to eliminate the motivation for launching these attacks in the first place.

      People won't even follow temporary mandates to wear a mask for 10 minutes at the grocery store to help keep them and others from getting exposed to COVID-19 and possibly dying, so have fun with that.

      • by jonwil ( 467024 )

        If the penalties for paying ransom (especially the penalties for corporations) are high enough then that will act as a deterrent.

        • If the penalties for paying ransom (especially the penalties for corporations) are high enough then that will act as a deterrent.

          So... higher than "death"?

          • So... higher than "death"?

            Hung, drawn and quartered?

            How about killed, brought back to life and then killed again?

            Personally, I rather like the traditional American "999 life sentences" approach.

          • If the penalties for paying ransom (especially the penalties for corporations) are high enough then that will act as a deterrent.

            So... higher than "death"?

            A fate worse, than a fate worse that death? That's pretty bad.

        • They tried that method with the war on drugs. In some countries they kill you for drug smuggling, yet those countries still have drug smugglers. They tried that method in dark ages england, killing bandits and thieves. This resulted in bandits killing their victims, since dead victims can't tell the police what the bandits look like.
    • Meanwhile we should outlaw paying ransoms so as to eliminate the motivation for launching these attacks in the first place.

      Because what we want is for companies, big and small, to be in a position where if they don't pay they don't get their data back, and the government fining these companies for paying to get their data back.

      What next, jailing people so as to eliminate the motivation for murder?

      • by jaa101 ( 627731 )

        Because what we want is for companies, big and small, to be in a position where if they don't pay they don't get their data back, and the government fining these companies for paying to get their data back.

        Correct. Because this strategy could reduce the incidence of ransomware attacks in the future. It's short-term pain for long-term gain, AKA playing the long game.

        • by jabuzz ( 182671 )

          Further if the introduction of sanctions for paying a ransom are announced in advance of coming into force you have time to get your shit in order. You get to play the long and short game at the same time.

          I would suggest minimum 12 months jail and a 10 year ban on board member/directorship for anyone sanctioning or involved with the payment of a ransom.

          I also think say around about 5000USD (or local equivalent) for being aware a payment was made but not informing the authorities. There are a range of offenc

        • Having companies disclose ransomware attacks is beneficial to security, both theirs and other companies. If you incentivize hiding the problem then corporations will hide the problem.
    • Yeah, cause punishing the victims will do so much good. --.--

      Why are the dumbest always the most confident?
      (Don't answer. It was rethorical. I know why.)

      • Telling the victims that they may not take a course of action which will creates dozens more victims would do a great deal of good.

        • by ghoul ( 157158 )
          Its a case of do as I say not do as I do. Its the same mentality which makes Newsom close schools and then send his own kids to in person private schools
          • It is the same mentality as not hating the starving for stealing bread, but still thinking theft should be illegal. Desperate actions may not be evil, but they remain highly destructive to society.

            • by gTsiros ( 205624 )

              what's even more damaging to society is people dying of hunger. When people are dying of hunger or poverty in general while others have enough money to spend to pet nail salons, that's not a society. That's a farce.

              or does that go against our practicing of freedom?

        • Having a police department that works to defend the countries network infrastructure would be a good start. It doesn't matter how tall your castle walls are if they are undefended. For bonus points make an international police force that can go after the criminals anywhere in the world.
      • Punishing the victim is standard operating procedure for the war on drugs, and has failed by every measure.
    • Re: (Score:2, Troll)

      by ghoul ( 157158 )
      Since the kingpins of these networks learnt their craft on the govt dime, CIA operatives sent after them may just get recruited as Sr VPs in these operations.
  • by bloodhawk ( 813939 ) on Sunday December 06, 2020 @05:08PM (#60801020)
    I would hope such phone threats would be laughed at. The organization has already been compromised so they will be getting in security experts and basically restoring onto trusted machines not the existing compromised servers and workstations. The organization already took the first correct step by resorting to backups, I would hope they are smart enough to continue on the right path, if not they deserve all the pain coming their way.
    • The challenge becomes when they may have a back door via your switch, router, scanner, camera, or any other “connected” system. Replacing everything is a pretty drastic move. Our insurance policy covers servers, workstations, and network— but excludes some of these other systems.
      • You don't have to replace them, wiping them clean is usually sufficient, especially if you have proper networking and security people looking at the whole picture which is an ABSOLUTE must if you are recovering from this sort of disaster. They should have done a forensic analysis to work out how and where they got in and what they accessed while in.
        • by Corbets ( 169101 )

          You don't have to replace them, wiping them clean is usually sufficient, especially if you have proper networking and security people looking at the whole picture which is an ABSOLUTE must if you are recovering from this sort of disaster. They should have done a forensic analysis to work out how and where they got in and what they accessed while in.

          I disagree. In many cases, “proper” network and security people HAVE looked at the whole picture. We still miss things, even when we’re not in a hurry after a significant compromise.

          On top of that, there can be architectural weaknesses that have been accepted for one reason or another in the past (or simply not noticed previously) that take a long time and a whole heck of a lot of money to close. Even if you find them in the post-incident review, it may not actually be possible to close th

    • I think the point is just how much big brassy one's malware authors have to call victims and chastise them for not following the victimhood script. It takes a certain amount of low to do that to others, and something to factor in when punishment is being discussed. Hopefully everyone's security will improve, but in the mean time we can sit back and marvel at just how bad humanity can be to others.

  • by fahrbot-bot ( 874524 ) on Sunday December 06, 2020 @05:08PM (#60801022)

    Thief: I see you're trying to restore your system instead of paying us?

    Victim: Bobby, is that you?

    Bobby: Mom?

    Mom: You only call when you're ransoming my data. When are you going to settle down and ransom a nice single girl's data?

    • Your comment reminded me of a funny story that happened some years ago.
      Somebody kept breaking into a certain company's network and causing mischief.
      This was back when a lot of people looked at "hacking" as a teenage prank, before CFAA and all.

      The defenders were eventually able to figure out who the attacker was. Not proof beyond a reasonable doubt that was all admissable in court, but they knew it was George. It was enough that the defenders actually got an FBI agent, as I recall, or some law enforcement,

  • by JustAnotherOldGuy ( 4145623 ) on Sunday December 06, 2020 @05:10PM (#60801030) Journal

    I make multiple redundant backups weekly with some rotated offsite. If I ever lose anything it'll be due to the planet exploding, not because some shit-breathed weasel has hacked my system.

    So, yeah...call me for payment and I'll tell you to fuck off.

    • Re: Call me (Score:4, Insightful)

      by BAReFO0t ( 6240524 ) on Sunday December 06, 2020 @05:54PM (#60801150)

      Hah, mate, you'd be fucked with that virus I saw back in the times. Corruped your data bit by bit, especially the rarely accessed parts. By the time you realized something was wrong, all your backups, even a year back, were already fucked in unknown places. Like changing numbers in spradsheets and databases etc.
      Nowadays, such malwae could be much smarter, and leave all the steuctural data intact and update the checksums so really only your data corrupts while the files still open without errors.

      May I suggest adding version control to your entire system?

      • by Cyberax ( 705495 )

        May I suggest adding version control to your entire system?

        I'm using Duplicacy for that very reason. It's basically an incremental backup that has immutable snapshots, with append-only data storage. Basically, something like git but with a focus on de-duplication and efficient incremental backup of binary files.

        • by shess ( 31691 )

          May I suggest adding version control to your entire system?

          I'm using Duplicacy for that very reason. It's basically an incremental backup that has immutable snapshots, with append-only data storage. Basically, something like git but with a focus on de-duplication and efficient incremental backup of binary files.

          Just realize that it doesn't screw with your old data by convention, nobody enforces it. A hacker may not abide by those conventions. You'll be able to tell someone screwed with your data because various checksums will no longer be right, but noticing such a problem is not the same as recovering data.

          • by Cyberax ( 705495 )
            A hacker won't be able to modify the data on my S3 storage (in Wasabi). They simply don't have access keys for that. Theoretically, they could have spied my root password when I was setting up Wasabi around 3 years ago, but it's really unlikely.

            I'll need to go in and delete the old backups eventually, so I'll need to use the root password again, but I'm planning to do that from a recently-wiped system.

            One way that would screw up the backups is if the malware somehow recognizes the backup utility and cor
            • by Junta ( 36770 )

              I may be missing something, but Duplicacy seems to be a 'push' model backup tool. If accurate, then the fact that it can perform backups means that an attacker that has a foothold does have the access needed to at least modify data. There are strategies where they couldn't read old backups, but they'd be able to destroy and/or encrypt them.

              Best practice has long been a 'pull' model backup, where you have a backup system (that can never ever ever *execute* data that it backs up) that has full read access to

              • by Cyberax ( 705495 )
                If you have versioning turned on S3/Wasabi with proper permissions, duplicacy won't be able to rewrite or delete the old backups.
            • If you haven't practiced a full recovery you don't have a backup.
      • May I suggest adding version control to your entire system?

        Version control or verification of the backup?

        I run a script from time to time that does some simple checksum comparisons. I don't run it often because it takes forever but it seems to catch anything that's been fiddled with. It's not foolproof but it'll do for my purposes.

  • Actually calling companies is a big escalation in cost and risk for the baddies. Those phone calls can be tracked. You threaten the wrong organization -like a power plant- and you are going to risk getting a visit from the Air Force.

    • They manage these phone calls in the same way they managed payments before Bitcoin: they’ll find some poor sap to handle things for them in exchange for a taste of the profits... but with the proviso that if the law comes calling, the buck stops with them.
      • by PPH ( 736903 )

        but with the proviso that if the law comes calling, the buck stops with them.

        Honor among thieves? The sorts of people that volunteer to be the 'poor sap' are another attack surface for law enforcement. They'll just as likely turn states evidence in return for a reward and witness protection.

        • by Cyberax ( 705495 )

          Honor among thieves?

          Nope, just anonymous bitcoin payments.

          • by PPH ( 736903 )

            Nope, just anonymous bitcoin payments.

            The middleman need to have more than that. If I'm the IT team of a company that just got hit and some anon calls me up with demands for payments, how do I know it's not just a con? Word about the attack may be out and every basement dweller is calling me for some payment.

            In the kidnapping business it's called proof of life. The caller had better be able to prove that they are a part of the gang or they get nothing. And if they start relaying messages between the victim and the actual perpetrators, tracing

        • They are unlikely to have ever received any evidence beyond some emails and bitcoin addresses. i.e. exactly the same sort of information already available.
    • I wanted to say the same, then thought for 20 seconds, and realized that of course they had access to multiple company networks nd just would use their phone systems.
      So all you'd do is attack another victim.

      And if you really caught them, they could pose as another victim too. You could not really tell.

  • "Publish and be Damned!" https://en.wikipedia.org/wiki/... [wikipedia.org]

    Threats work only if you feel threatened.

  • Call centers shouldn't read such scripts... so either we've got to get the readers head-in-the-game, or AT&T needs to put these call centers on a national blocklist.

  • by SuperKendall ( 25149 ) on Sunday December 06, 2020 @05:56PM (#60801156)

    When I saw the headline that gangs were phoning companies that had restored from backup, I had assumed it was something much worse...

    The dreaded follow-up survey.

    • "Hello, were calling about your experience in your recent attack by HackCo. If the Bitcoin transaction went smoothly, press 1..."

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Sunday December 06, 2020 @06:09PM (#60801196)
    Comment removed based on user account deletion
  • by PPH ( 736903 ) on Sunday December 06, 2020 @08:56PM (#60801522)

    Ever try to call a company and actually get a human on the line? Welcome to phone menu Hell.

    "We recommend that you discuss this situation with us in the chat"

    That's not going to work either. Some of the chat bots are downright evil.

    • Some of the chat bots are downright evil.

      New for 2021 - the chatbots are conspiring together to write ransomeware - in Rust!

      Panic now, before its too late!

  • There should be no way for someone to call a relay, and then spoof a phone number.

As of next Thursday, UNIX will be flushed in favor of TOPS-10. Please update your programs.

Working...