In re the idea of how this could all get a lot worse....10 years ago, if a company's employee clicked a malicious link or opened a booby trapped attachment, that company and that employee would have a bad day, or week, or month, or however long it took brainiacs in that organization to realize that some intruder was leeching off their bandwidth, or access, or whatever. At worst, the victim organization had all of that employee's browser credentials stolen. Maybe their machine was a botnet proxy, or relaying spam for a few days. Big deal.

We had a really nice period of maybe 3 years between the emergence of ransomware that tried to get victims to pay in $100 Greendot card increments to the explosion of bitcoin and the acceptance of on-roads to the US financial system, which is what ultimately what made large-scale corporate ransomware raids a thing.

@briankrebs If only those same companies took researchers seriously when they report the issues that are later exploited.

Ask me how I know.

@briankrebs

Many countries already have laws against moving money for the purpose of money laundering or supporting terrorism and organized crime, I'm reasonably sure these could already be used for exactly this purpose.

@briankrebs
To some extent it's a problem of political will and international law, isn't it?

If the APT is a state organization, then it's a state action. If they're military, it's a military action by a foreign country. If they're state-sponsored, they're analogous to funded guerilla groups or privateers, and so on.

It seems to me that the apparatus to deal with it is largely there if the international community decided to treat computer incursions analogously to physical ones.

@briankrebs I think you're tying into the proper a analogy here. These are attacks by foreign adversaries on Americans. There's an apparatus for dealing with this, but it's suck in the oil age and there's no one to bomb.

Like you can't just decide to go to a battlefield and fight on one side or the other. Ransomware needs to be given the same treatment. It should be state department and dhs funded, centrally managed, defense.

Leaving individuals and companies to try to deal with international warfare isn't going to go well.

@briankrebs this is a clear sign that security is not nearly where it should be.

i don't just mean credentials and login methods, but also include the edge devices (routers, switches, etc), the OS on this devices, and the devices in the field.

as long as the "rush deploy, patch later (if at all)" mindset continues, this will never end.

@briankrebs that's only the symptom though. It's easier than selling the exfiltrated data to others. If you shut down the ransom part I bet the criminals are going to go that route.

The problem is that hospitals, ports, governments, ... are running unsecurable systems. If your business depends on 445/tcp being open from your desktops and your security provider gets money for ticking boxes on a checklist, then you are the problem.

@briankrebs sad but true, enforcing common sense by law should be the last resort, but i believe we are there.

I've seen many tabletop exercises that ended with the payment option as the first option, and that was just a simulation!!!
In reality I'm sure that they would just do it without thinking about the consequences.

@gadgetgav @briankrebs

I'd ban crypto before telling ransomware victims they're damned if they do and damned if they don't. If there's some other dependable way to collect ransoms without getting caught we can revisit the matter. Crypto is itself a ponzi scam so you'd be hitting two cuckoo weavers with one stone.