The idea that the spending needs to grow linearly with the growth is a damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry.
> damning indictment of the mindset of the vast ineffectual mess that is the cybersecurity industry
Cybersecurity is not about stopping issues but about compliance and liability. Attend RSA once, and you will see it yourself.
It makes sense when you consider the main threat you are protecting yourself from is lawsuits.
The lawsuits come from the issues though.
This is a similar fact in government. For instance in the UK with the NHS and other services, we often look at total spending and assume that spending has to stay at least constant in real terms or grow, when in reality you want some metric of spending per outcome.
It’s not a popularly held mindset, either within the security industry or outside of it. This piece seems to be pitched at salespeople whose only job is to extract money from other companies.
Basic hygiene security hygiene pretty much removes ransomware as a threat.
> Basic hygiene security hygiene pretty much removes ransomware as a threat.
It does not. The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware, not to mention AI agents. And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.
And no, backups aren't the solution either, they only limit the scope of lost data.
In the end the flaw is fundamental to all major desktop OS'es - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions bar a few specially protected files/folders is fair game for any malware achieving local code execution.
Er… Linux has pretty good isolation of users who don’t have super user privileges.
AFAIK the idea is to have backups so good, that restoring them is just a minor inconvenience. Then you can just discard encrypted/infected data and move on with your business. Of course that's harder to achieve in practice.
Sleeper agent malware is a thing especially in high risk situations. If somebody has a dormant RAT installed since year X-1 it’s going to be impossible to solve that in year X by using backups
What about non executable backups? Backup data but not programs?
Not applicable everywhere, but I think it's applicable most places.
In the end the limiting factor will be the bandwidth of your disk arrays... enough compromised machines and they will get overwhelmed.
Serious professionals use one or more spending models to determine budget.
My favorite is the Gordon-Loeb model[0], but there are others that are simpler and some that are more complex. Almost none that imply the budget should naively grow in lockstep with prevelence linearly.
I think TFA doesnt really mean to imply that it should, merely that there is a likley mismatch.
It seems obvious to me that the only real solution is to penalize the payment of ransoms. For the same reasons one doesn't negotiate with terrorists.
Is there some reason to believe that this isn't the best approach? And if not, then any theories as to why it hasn't been enacted?
It's one of those ideas that sounds nice in theory, but doesn't survive contact with the real world. In the same way that many people would say that you shouldn't negotiate with terrorists or kidnappers; but if it's their loved one who's being held and tortured they'll very quickly change their mind.
Getting to a world where no one pays ransoms and the ransomware groups give up and go away would be the ideal, and we'd all love to get there. But outlawing paying ransoms basically sacrificing everyone who gets ransomwared in the meantime until we get to that state for the greater good.
And where companies get hit, they'll try hard to find ways around that, because the alternative may well be shutting down the business. But if something like a hospital gets hit, are governments really going to be able to stand behind the "you can't pay a ransom" policy when that could directly lead to deaths?
I work in the state government space. Many targets/victims of ransomware are small/local government agencies and the ransom demands are greater than their annual budgets. Not every agency is big enough to have someone (bored) come in on Sunday, notice stuff getting encrypted and then run in to the server room and hit the big red button like Virginia's legislature in 2021[0].
Many ransoms are far more than the victim can actually pay. Not all ransom payments result in a decryption key that actually works.
Notes:
0 - https://www.nbcnews.com/politics/politics-news/officials-vir...
I don't think you can enforce such a rule. I think it's a good approach too.
Another issue is that not paying up and risking restore from underfunded ops dept. might be more expensive than paying up AND making a selected executive look bad. And we can't have that, can we.
It would make the ransomware statistic go down without actually stopping crime. Any company that considers paying the ransom would have a strong incentive to never report the security incident to avoid being punished for ransom payments
Plus it gives the ransomware gangs a whole new angle they can use.
So, remember how you illegally paid us a ransom a few months ago? Unless you want to go to prison, then you better...
We're already seeing this against companies who pay ransoms and fail to report the breaches when they're legally required to - but it would be much worse if it's against individuals who are criminally liable.
Agreed - it’s not that it’s a bad point but it would be an ineffective rule which is usually an excuse to forgo other more effective (usually more expensive) options
Unfortunately the actual solution will probably have to mirror real world, which means balkanizing the Internet to clarify legal jurisdiction, maybe some international police task force to aid with cross-border investigation, but ultimately it all hinges on whether and how much the countries with most nuclear aircraft carriers are willing to pressure other countries to take this seriously.
All that does is make the problem more expensive by whatever cut the middle men who will pop up take and however much the overhead of the obfuscation is. It might reduce payments at the margin, but probably not enough to be worth the cost.
I don't think there is a reasonable correlation, since stopping ransomware doesn't require that much of an increase in spending; it's a culture thing more than a money thing.
Moving security tickets to the top of the stack is absolutely a money thing. Training is a money thing. Exchanging velocity for security is a money thing. Changing culture takes money.
What do you need to do to improve culture in the correct way?
Stopping Ransomware is trivial if governments knew where the money goes. But cryptocurrencies and lax capital control pushed by the uber-rich makes it impossible.
The technology is there and it is used to track the average citizens every move. But when it comes to rich people then the money goes and comes without control (and without taxation).
Cryptocurrencies are a great solution to enable criminal activity. Their only use and highly appreciated by terrorists, criminals and dictatorial governments around the world.
It is far from trivial. What are you going to do if the money goes to an enemy country?
And while cryptocurrency are certainly popular with criminals, it is far from the only option for hiding transactions. As for the technology, if it exists, it is not very effective. The shadow economy is going strong even among average citizens, from drug trade to babysitting.
If governments can't stop even the most trivial kind of unreported work in their own country, how to you expect them to stop well organized international gangs, sometimes backed by nation states.
The davos oracle https://youtube.com/shorts/Pqig_vIR4zI?si=G_JpJP90xqO0AQAd
If ransomware spending must scale directly with ransomware attacks then I don't see how companies could possibly keep up with the spending. A lot of the "gaps" in cybersecurity are essentially spending problems. Companies want to spend as little on it as they can.
Wait until companies try powering their businesses with agentic systems. Then businesses aren't paying a ransom to prevent privacy law lawsuits, but rather they'll be paying a ransom equivalent to the black market value of their business.
I wonder what kinds of market hypotheses you could derive from the game theory here
I think this article mostly shows that publicly announcing a successful ransoming of a company is now more popular than a couple years back.
Well, given that C levels see cybersecurity has a bad return on investment (read: insurance), Ive seen countless numbers of people laid off these jobs.
So yeah, I'm surprised its only 3x, and not even more.
A good abliterated local LLM is great at finding dumb exploits and writing ransomware code. And the cybersec professionals? Yeah, theyre pivoting elsewhere and gone.
Thanks, Satoshi
Don't worry, ransomware already existed before BTC. The ransomware demanded Ukash and Paysafecard instead.
That seems disingenuous. Crypto made ransomware much easier.
Thanks, Tim Berners-Lee.