Some Ransomware Gangs are Now Phoning Victims Who Restore from Backups (zdnet.com)
"We recommend that you discuss this situation with us in the chat," one caller warned, "or the problems with your network will never end."
ZDNet reports: In attempts to put pressure on victims, some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company might try to restore from backups and avoid paying ransom demands. "We've seen this trend since at least August-September," Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet on Friday...
"We think it's the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants," Bill Siegel, CEO and co-founder of cyber-security firm Coveware, told ZDNet in an email. Arete IR and Emsisoft said they've also seen scripted templates in phone calls received by their customers.
The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they've encrypted corporate networks. Previous tactics included the use of ransom demands that double in value if victims don't pay during an allotted time, threats to notify journalists about the victim company's breach, or threats to leak sensitive documents on so-called "leak sites" if companies don't pay.
CIA (Score:5, Interesting)
Assuming most of these are foreign in origin, the US should assign the CIA the task of finding the sources and eliminating them. Meanwhile we should outlaw paying ransoms so as to eliminate the motivation for launching these attacks in the first place.
Re:CIA (Score:5, Funny)
Agreed.
I propose a strike team with worldwide jurisdiction, authorized to kill on sight.
Comment removed (Score:5, Informative)
Re: (Score:3)
We don't really need to do anything besides making it illegal to pay ransoms for data. Somehow make it illegal for state and local governments to do the same when they're hit. At this point there's really no excuse for not being able to recover from a total loss of on-prem data, that's continuity planning 101.
Re: (Score:2)
In many cases it is already illegal to pay ransom - OFAC has a list of organizations and a ton of organized crime syndicates and terrorists across the world are on that list.
The problem is enforcing it as often these payments aren't made with bags of cash or money transfers, it's done by third parties using cryptocurrency.
Funny you say that (Score:3)
Funny you say that. I mentioned marque and reprisal either here or on another site a couple of weeks ago and I was thinking whether they had any modern use. I don't think they've been used since like 1815 or something.
The Goodyear blimps were operating in an unclear legal area for a while during WW2, but they didn't actually have letters.
Re: (Score:3)
Where to apply for such letters?
Re:CIA (Score:4, Funny)
Where to apply for such letters?
Send $100 to Trump in an unmarked envelope he'll write you one. (In crayon, but still...)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I hope this was an attempt at a +5 Funny
Maybe.
Re: (Score:3)
Give them the option to turn themselves in for a fair trial. That's more than they offer their victims.
Offer their government a joint operation with a fair extradition hearing.
The problem now is that they don't do the first because all we do is say "stop or we'll say stop again" and their country doesn't seem to give a rat's ass, so where is the choice?
Other options include cutting the whole country off and penalizing a bunch of people who never harmed anyone.
Re: (Score:3)
Other options include cutting the whole country off and penalizing a bunch of people who never harmed anyone.
A third option would be to fix the security holes on our servers.
Re: (Score:3)
Whac-A-Mole. There's always one more hole. We certainly should do our best, but there will always be one more hole.
No matter how well you train your people, someone will click that link. Even a system with mathematically perfect security isn't impervious if someone clicks that link. You can't make PEOPLE mathematically perfect. Lock the system in a vault and disconnect it from the net. It's still vulnerable if you convince someone with root access to type rm -rf /
We don't make our buildings impervious, we d
Re: (Score:2)
Security doesn't have to be perfect.
Security just has to be good enough that the time spent probing for vulnerabilities isn't worth the expected ransom payoff.
Re: (Score:3)
Actually, time and risk of probing. In the physical world, casing the joint carries risk. On the internet, probing can be largely fire and forget and you're burning someone else's CPU cycles so you don't much care. Fire off a few hundred thousand probes from several compromised but otherwise low value bots and check for results occasionally.
A mass phishing attack from a botnet is low effort and tends to net a lot of results.
Re: (Score:2)
A third option would be to fix the security holes on our servers.
Stop with the crazy talk, Bill!
Re: CIA (Score:4, Informative)
In the case of North Korea the country is actively encouraging them. Also the lack of an extradition treaty will be a bit of an issue, e.g. people in Russia can attack the US with impunity because there is no way for the US to bring any meaningful legal action against them.
Re: (Score:2)
We can treat those as offer rejected. So unless the criminals themselves would care to voluntarily travel to the U.S. for a trial, it's back to them having an "accident".
In the case of NK, it's likely more than encouragement.
Re: (Score:2)
Wow. So you are literally worse than the ransom gangs.
Proposing *murder*! No trial, no judge, no laws, no nothing. Way to go, showing your moral superiority.
I think that's a perfectly fitting punishment for ransomware gangs. Let them be found hanging from trees in a public place, having been strangled slowly with their own intestines. Let there be no place for them to hide, anywhere.
Re: (Score:3)
No trial, no judge, no laws, no nothing. Way to go, showing your moral superiority.
I think that's a perfectly fitting punishment for ransomware gangs.
It is also a good way to get rid of other people the authorities don't like. Just make a false accusation and use it to justify an extrajudicial murder.
Re: (Score:2)
It is also a good way to get rid of other people the authorities don't like. Just make a false accusation and use it to justify an extrajudicial murder.
What's the downside, though?
Re: (Score:2)
P.S.: What is wrong with you people?? (Score:2, Insightful)
How the fuck is ARGUING TO NOT MURDER getting a -1, Troll on Slashdot??
What is wrong with you people??
Re: (Score:2)
I guess murder isn't as bad as ransomware to some people.
And is it really murder or would it fall under "pest control"?
Re: (Score:2)
Because these are often state actors and highly organized crime rings, or sometimes both at once, and they deserve to be treated as such. They take people's livelihoods and most precious memories and they hold them for ransom to fund things that are even more evil. A few drone strikes will send the message that it's not open season for them any more.
Re: (Score:3)
Ransomware criminals have targeted hospitals. Killing them is simply self-defense.
Re: (Score:3)
Before catching ransomware gangs, I'd prioritize catching people like *you* first, before you snap and murderrape some random people because you think they stole a fry from you.
And then what would you do with this person you have caught before actually doing anything? Is precrime a thing now?
Re: (Score:2)
And then what would you do with this person you have caught before actually doing anything? Is precrime a thing now?
Lol, he'd do exactly the same thing he's complaining about me advocating for. Seriously- looked how frothed he is over this. Too funny.
Re: (Score:2)
Wow. So you are literally worse than the ransom gangs.
What's your point? According to your logic, chemotherapy is worse than cancer.
Proposing *murder*!
I prefer to think of it as 'extrajudicial karma balancing'.
No trial, no judge, no laws, no nothing. Way to go, showing your moral superiority.
Settle down, big boy- I can't get any more erect!
Before catching ransomware gangs, I'd prioritize catching people like *you* first, before you snap and murderrape some random people because you think they stole a fry from you.
Stealing a fry from me would definitely be worth copping a rape/murder charge. Ask my son (may he rest in peace).
Anyway, sorry to trigger you so deeply. Maybe try some Copium?
Re: (Score:2)
I'm absolutely fine with murder for things like this. Extended families might even be a good idea. Some people don't get the message when you threaten them but gramma dropping dead in the street with a bullet hole in her forehead probably would work. Shoplifting should cost you a hand. Prisons should go back to hard labor, and all those hundreds of little victimless crimes that get paid for by insurance and make the world just a little bit worse and more expensive for everyone else should go back to being t
Re:CIA (Score:5, Insightful)
Meanwhile we should outlaw paying ransoms so as to eliminate the motivation for launching these attacks in the first place.
People won't even follow temporary mandates to wear a mask for 10 minutes at the grocery store to help keep them and others from getting exposed to COVID-19 and possibly dying, so have fun with that.
Re: (Score:2)
If the penalties for paying ransom (especially the penalties for corporations) are high enough then that will act as a deterrent.
Re: (Score:2)
If the penalties for paying ransom (especially the penalties for corporations) are high enough then that will act as a deterrent.
So... higher than "death"?
Re: (Score:2)
Hung, drawn and quartered?
How about killed, brought back to life and then killed again?
Personally, I rather like the traditional American "999 life sentences" approach.
Re: (Score:2)
If the penalties for paying ransom (especially the penalties for corporations) are high enough then that will act as a deterrent.
So... higher than "death"?
A fate worse than a fate worse than death? That's pretty bad.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This isn't about health, it's about conformity and submission to authority.
No, it's about not transmitting a potentially deadly disease to other people.
Re: (Score:2)
I dispute your premises. COVID isn't going to go away. It mutates too fast for vaccines to be effective in the long term.
[Citation Required]
Re: (Score:3)
Meanwhile we should outlaw paying ransoms so as to eliminate the motivation for launching these attacks in the first place.
Because what we want is for companies, big and small, to be in a position where if they don't pay they don't get their data back, and the government fining these companies for paying to get their data back.
What next, jailing people so as to eliminate the motivation for murder?
Re: (Score:3)
Because what we want is for companies, big and small, to be in a position where if they don't pay they don't get their data back, and the government fining these companies for paying to get their data back.
Correct. Because this strategy could reduce the incidence of ransomware attacks in the future. It's short-term pain for long-term gain, AKA playing the long game.
Re: (Score:2)
Further if the introduction of sanctions for paying a ransom are announced in advance of coming into force you have time to get your shit in order. You get to play the long and short game at the same time.
I would suggest minimum 12 months jail and a 10 year ban on board member/directorship for anyone sanctioning or involved with the payment of a ransom.
I also think say around about 5000USD (or local equivalent) for being aware a payment was made but not informing the authorities. There are a range of offenc
Re: (Score:2)
Re: CIA (Score:3)
Yeah, cause punishing the victims will do so much good. --.--
Why are the dumbest always the most confident?
(Don't answer. It was rhetorical. I know why.)
Re: (Score:2)
Telling the victims that they may not take a course of action which will create dozens more victims would do a great deal of good.
Re: (Score:3)
Re: (Score:2)
It is the same mentality as not hating the starving for stealing bread, but still thinking theft should be illegal. Desperate actions may not be evil, but they remain highly destructive to society.
Re: (Score:3)
What's even more damaging to society is people dying of hunger. When people are dying of hunger or poverty in general while others have enough money to spend to pet nail salons, that's not a society. That's a farce.
Or does that go against our practicing of freedom?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Troll)
Re:CIA (Score:4, Insightful)
Outsource the wet work to Mossad. They're particularly good at it.
-jcr
You mean from the same country which produces spyware which allows dictators to monitor their citizens [cbsnews.com] for anyone who disagrees with the dictator [haaretz.com], or the country which planted fake stingray devices around the White House [politico.com]?
Well, yeah (Score:3)
Well yeah if you want someone to sneak around and find somebody who is hiding, sneaky people would be exactly the right people for the job. :)
Of course there's the little inconvenient fact that the government of a country is not the same as everyone in that country. There are organizations in the US that do ALL SORTS of things, from the mafia to the Red Cross. Neither of these are the US government. And Pegasus isn't the government of Israel.
Re: (Score:3)
Re: CIA (Score:2)
I wouldn't say that they are particularly good at it, more that they don't give a shit if people know it was them. Since at least recently they tend to kill people in ways that are pretty obvious.
Re: (Score:2)
Outsource the wet work to Mossad. They're particularly good at it.
-jcr
I actually thought Donald Trump was the wet-work expert and he learnt that from Russian hookers not Israeli intelligence.
Re: (Score:2)
So your solution is for the phone company to listen to all phone calls and disconnect the call if a threat is made.
There are no words.
Re: (Score:2)
Then they need to figure out how to stop the callers.
I used to run a telco. Of course they know where the calls come from - no one delivers calls for free. They must hold bank account details for the place where the call entered their system. Telecoms equipment is expensive (Have you ever seen a Cisco price list?)
The shareholders losing every damn cent due to not having off-line backups is a predictable event, ransomware or not. They are wel
Re: (Score:2)
> The solution is to require the telcos to pay the ransom
Just to be clear, if I break into your network, then a week later after you restore from backup, I call you, it's the phone company's fault?
> Then they need to figure out how to stop the callers.
Again, how exactly do you expect the phone company to disconnect calls when threats are made, other than by listening to all of the calls?
> They must hold bank account details for the place where the call entered their system. Telecoms equipment is
surely no one would succumb to that threat (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
You don't have to replace them, wiping them clean is usually sufficient, especially if you have proper networking and security people looking at the whole picture which is an ABSOLUTE must if you are recovering from this sort of disaster. They should have done a forensic analysis to work out how and where they got in and what they accessed while in.
I disagree. In many cases, “proper” network and security people HAVE looked at the whole picture. We still miss things, even when we’re not in a hurry after a significant compromise.
On top of that, there can be architectural weaknesses that have been accepted for one reason or another in the past (or simply not noticed previously) that take a long time and a whole heck of a lot of money to close. Even if you find them in the post-incident review, it may not actually be possible to close th
Re: (Score:2)
I think the point is just how big brassy ones malware authors have to call victims and chastise them for not following the victimhood script. It takes a certain amount of low to do that to others, and something to factor in when punishment is being discussed. Hopefully everyone's security will improve, but in the meantime we can sit back and marvel at just how bad humanity can be to others.
Kids, they only call when they want something ... (Score:5, Funny)
Thief: I see you're trying to restore your system instead of paying us?
Victim: Bobby, is that you?
Bobby: Mom?
Mom: You only call when you're ransoming my data. When are you going to settle down and ransom a nice single girl's data?
That time they called the hacker's mom (Score:2)
Your comment reminded me of a funny story that happened some years ago.
Somebody kept breaking into a certain company's network and causing mischief.
This was back when a lot of people looked at "hacking" as a teenage prank, before CFAA and all.
The defenders were eventually able to figure out who the attacker was. Not proof beyond a reasonable doubt that was all admissible in court, but they knew it was George. It was enough that the defenders actually got an FBI agent, as I recall, or some law enforcement,
Call me (Score:3)
I make multiple redundant backups weekly with some rotated offsite. If I ever lose anything it'll be due to the planet exploding, not because some shit-breathed weasel has hacked my system.
So, yeah...call me for payment and I'll tell you to fuck off.
Re: Call me (Score:4, Insightful)
Hah, mate, you'd be fucked with that virus I saw back in the times. Corrupted your data bit by bit, especially the rarely accessed parts. By the time you realized something was wrong, all your backups, even a year back, were already fucked in unknown places. Like changing numbers in spreadsheets and databases etc.
Nowadays, such malware could be much smarter, and leave all the structural data intact and update the checksums so really only your data corrupts while the files still open without errors.
May I suggest adding version control to your entire system?
Re: (Score:2)
May I suggest adding version control to your entire system?
I'm using Duplicacy for that very reason. It's basically an incremental backup that has immutable snapshots, with append-only data storage. Basically, something like git but with a focus on de-duplication and efficient incremental backup of binary files.
Re: (Score:2)
May I suggest adding version control to your entire system?
I'm using Duplicacy for that very reason. It's basically an incremental backup that has immutable snapshots, with append-only data storage. Basically, something like git but with a focus on de-duplication and efficient incremental backup of binary files.
Just realize that it doesn't screw with your old data by convention, nobody enforces it. A hacker may not abide by those conventions. You'll be able to tell someone screwed with your data because various checksums will no longer be right, but noticing such a problem is not the same as recovering data.
Re: (Score:2)
I'll need to go in and delete the old backups eventually, so I'll need to use the root password again, but I'm planning to do that from a recently-wiped system.
One way that would screw up the backups is if the malware somehow recognizes the backup utility and cor
Re: (Score:2)
I may be missing something, but Duplicacy seems to be a 'push' model backup tool. If accurate, then the fact that it can perform backups means that an attacker that has a foothold does have the access needed to at least modify data. There are strategies where they couldn't read old backups, but they'd be able to destroy and/or encrypt them.
Best practice has long been a 'pull' model backup, where you have a backup system (that can never ever ever *execute* data that it backs up) that has full read access to
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
May I suggest adding version control to your entire system?
Version control or verification of the backup?
I run a script from time to time that does some simple checksum comparisons. I don't run it often because it takes forever but it seems to catch anything that's been fiddled with. It's not foolproof but it'll do for my purposes.
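A minimal version of the checksum-comparison approach this comment describes, as an added example (not the commenter's script and not any product's code): build a manifest of SHA-256 hashes, store it, then re-hash and diff against it so that a same-size, byte-level change in a rarely read file (the slow-corruption pattern discussed above) shows up before it is carried into the backups. The function names and the constructed sample tree are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large files never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": hash_file(p),
            }
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Diff two manifests. 'silent' lists files whose size is unchanged but whose
    bytes differ: exactly the case a size-only or mtime-only check would miss."""
    modified = [k for k in baseline
                if k in current and baseline[k]["sha256"] != current[k]["sha256"]]
    return {
        "modified": sorted(modified),
        "silent": sorted(k for k in modified if baseline[k]["size"] == current[k]["size"]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    # The manifest only proves anything if it is kept where an intruder on the
    # backed-up host cannot rewrite it (offline media or the pull-side backup host).
    dest.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed sample: a small data tree, a stored baseline, then a one-digit
    change to a rarely touched file that keeps the file's size the same."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        (root / "archive").mkdir(parents=True)
        (root / "archive" / "ledger_2018.csv").write_bytes(b"id,amount\n1,100\n2,250\n")
        (root / "notes.txt").write_bytes(b"active document\n")
        baseline_path = Path(tmp) / "baseline.json"  # kept outside the data tree
        save_manifest(build_manifest(root), baseline_path)

        # Simulate silent corruption: same length, one digit changed, file still parses.
        target = root / "archive" / "ledger_2018.csv"
        target.write_bytes(target.read_bytes().replace(b"250", b"259"))

        return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Detection is the whole job here: a hit in "silent" tells you which files changed and therefore which backup generation predates the damage, but it does not recover anything by itself.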
They must be getting desperate (Score:2)
Actually calling companies is a big escalation in cost and risk for the baddies. Those phone calls can be tracked. You threaten the wrong organization -like a power plant- and you are going to risk getting a visit from the Air Force.
Re: (Score:2)
Re: (Score:2)
but with the proviso that if the law comes calling, the buck stops with them.
Honor among thieves? The sorts of people that volunteer to be the 'poor sap' are another attack surface for law enforcement. They'll just as likely turn states evidence in return for a reward and witness protection.
Re: (Score:2)
Honor among thieves?
Nope, just anonymous bitcoin payments.
Re: (Score:2)
Nope, just anonymous bitcoin payments.
The middleman needs to have more than that. If I'm the IT team of a company that just got hit and some anon calls me up with demands for payments, how do I know it's not just a con? Word about the attack may be out and every basement dweller is calling me for some payment.
In the kidnapping business it's called proof of life. The caller had better be able to prove that they are a part of the gang or they get nothing. And if they start relaying messages between the victim and the actual perpetrators, tracing
Re: (Score:2)
Re: They must be getting desperate (Score:3)
I wanted to say the same, then thought for 20 seconds, and realized that of course they had access to multiple company networks and just would use their phone systems.
So all you'd do is attack another victim.
And if you really caught them, they could pose as another victim too. You could not really tell.
Duke of Wellington had the right idea (Score:2)
"Publish and be Damned!" https://en.wikipedia.org/wiki/... [wikipedia.org]
Threats work only if you feel threatened.
Re: (Score:2)
President Sukarno. When the KGB tried to blackmail him.
Problem for AT&T (Score:2)
Call centers shouldn't read such scripts... so either we've got to get the readers head-in-the-game, or AT&T needs to put these call centers on a national blocklist.
Oh, to threaten them (Score:5, Funny)
When I saw the headline that gangs were phoning companies that had restored from backup, I had assumed it was something much worse...
The dreaded follow-up survey.
Re: (Score:2)
"Hello, we're calling about your experience in your recent attack by HackCo. If the Bitcoin transaction went smoothly, press 1..."
Comment removed (Score:4, Insightful)
Hello. This is Lenny. (Score:4, Funny)
Ever try to call a company and actually get a human on the line? Welcome to phone menu Hell.
"We recommend that you discuss this situation with us in the chat"
That's not going to work either. Some of the chat bots are downright evil.
Re: (Score:2)
New for 2021 - the chatbots are conspiring together to write ransomware - in Rust!
Panic now, before it's too late!
It's time to require the telecoms to fix their bug (Score:2)
There should be no way for someone to call a relay, and then spoof a phone number.
Re: This is what you tell these gangs (Score:3)
It should be: "Could you listen to elevator music for at least 9 minutes? And don't go anywhere for the next 30; we will be air delivering a package shortly. Thank you DoD."
P.S.: (Score:2)
(PROTIP: They will not delete/wipe your data. They will slowly corrupt it so when you notice, it's already too damaged and you backed up that damage yourself too, so no restoration. Source: Some viruses in ye olden days did this. Worst malware in history.)
Re: (Score:2)
The current standard is to wash your drive with an encryption key... then get you to buy the key so you know enough to decrypt. It really should be caught by the OS or antivirus.
Re: (Score:2)
If you don't have weeklies/monthlies/yearlies, you have no real backup. Otherwise, any unnoticed corruption, be it hostile/hardware/your own fault, will cause data loss.
Re: (Score:2)
Re: (Score:2)
And of course, if you cave, there's no way the fine upstanding extortionists would re-infect you anyway or sell off the details to another gang of extortionists.
Re: (Score:2)
If your backups aren't airgapped they're not backups.
Not a chance. (Score:2)
Answer, 1 month later...
Not going to happen. The reason why they are making phone calls now is that the word is out that backups are the way to prevent this kind of attack. The phone calls are evidence that backups work to solve this problem, or they wouldn't try and convince you not to use the obvious cure. This is why they encrypt your data then follow up with the high pressure sales tactic - it's just social engineering to try and convince you not to use the cure you have in your hand.
I have always said that those who get hur