US School Agrees To Pay $8,500 To Get Rid Of Ransomware

An anonymous reader writes: Earlier this week, the media was abuzz with the case of the Hollywood hospital that almost shut down its operations because of a ransomware infection, which it eventually paid. Something similar happened around the same time in a South Carolina school district when ransomware shut down an elementary school's servers. The school had to pay $8,500.

older server running outdated equipment.

[Joe_Dragon]

older server running outdated equipment. Well the Republicans failed to fund the IT newer hardware and software.

Re: older server running outdated equipment.

[guruevi]

Apt-get upgrade doesn't require any new funding, not even new hardware, this isn't hardware failing, this is incompetence succeeding.

It is not a good idea to pay extortionists

[gweihir]

You start paying, they find more targets, make their scam more professional, etc. At the moment, these are still common criminals, as can be seen by the low sums demanded (completely out of proportion compared to the damage done), but that will now change.

The good thing is that Bitcoin is not really anonymous, unlike the common wisdom. With a bit of lick these people will be identified. The bad thing is that it will take some time and by then others will have copied the scam.

Re:It is not a good idea to pay extortionists

[sims+2]

But for this bitcoin doesn't need to be anonymous it just needs to be non-seizable most don't use paypal or cc merchant accounts anymore because they get frozen before they can do anything with them.

Bitcoin doesn't get seized, frozen, revoked or invalidated. So despite being trackable its a better choice because they are unlikely to loose access to it after they've received it.

Re:It is not a good idea to pay extortionists

[Applehu+Akbar]

"The good thing is that Bitcoin is not really anonymous, unlike the common wisdom. With a bit of lick these people will be identified. The bad thing is that it will take some time and by then others will have copied the scam."

So why is the all-seeing, omnipotent NSA not able to nail ransomware hackers? I've heard the excuse that ransomware was below their level of concern, but now governments are being targeted, and this has already included police agencies. My take is that the NSA cannot see as much as it claims.

Re:It is not a good idea to pay extortionists

It's the public who have ascribed god like powers to the NSA not the other way around. In the rush to condemn NSA intelligence operations the capabilities and intentions needed to be exaggerated in the extreme. Of course distortions and out right lies are acceptable when attacking the NSA because they are evil incarnate that need to be closed down so any means to accomplish this goal is allowed. The ole "the end justifies the means" is the guiding mantra of today's social justice warriors. And any other opposition group who dares use same mantra are treated with contempt and called fascists.

Re:It is not a good idea to pay extortionists

[ShanghaiBill]

You start paying, they find more targets, make their scam more professional, etc.

That isn't all bad. In the past, insecure systems were hijacked and used as spam-bots, so the cost of the insecurity was borne by others. At least with ransomware the cost is borne directly by the bozos running MS-Windows on their servers.

Re:It is not a good idea to pay extortionists

[gweihir]

The NSA does not claim to see as much as people think. I once asked somebody mid-high in the NSA this question and he said "If we really could do what people think we can do, then the world would look differently." Entirely convincing.

Your second mistake is that identification of such criminals is a fast process. It is not. Ask again in a year or so.

Re:It is not a good idea to pay extortionists

[gweihir]

I do not disagree. The technical sophistication is also a sign that these are not complete beginners. But there is one other thing: They do not make a lot of money at the moment, but this type of attack does scale. They now got validated. They will try hard to get a lot more targets in the near future.

Re:It is not a good idea to pay extortionists

[gweihir]

Well, yes. And as they will now scale up their attacks, the problem will get a lot more pressing. Still, not paying them would have also had an effect in that direction and this will hit a lot of people that are actually not responsible for the IT screwups.

Re: It is not a good idea to pay extortionists

[Applehu+Akbar]

Maybe but damn they are experts on droids and iphones. Good for something I guess just not much of anything else.

If that were so, why are they desperately wheedling for Apple to bail them out of their inability to crack an iPhone?

Re:It is not a good idea to pay extortionists

[Firethorn]

it just needs to be non-seizable

Start marking the bitcoins 'paid' as ransoms like this as 'dirty', and get as many vendors as possible to ban 'dirty' bitcoins'.

A user notices that X amount of his bitcoin has been marked dirty and unacceptable, and he has to sell it at a loss is going to get pissed at where he got it from - and probably implement checking for dirt himself. Then the anonymizers and places that accept ransom bitcoins for laundering will have regular users start avoiding them, etc...

Re:It is not a good idea to pay extortionists

[sims+2]

You mean like people do with counterfeit bills?

Re:It is not a good idea to pay extortionists

[AK+Marc]

The nice thing about paying is that the FBI can get involved. And there's always a money trail. When they start getting busted and serving time, the copycats will slow down.

Re:It is not a good idea to pay extortionists

[AK+Marc]

It's not the NSA's job. It's the FBI's. The NSA might be able to help the FBI, but the FBI doesn't care because the political will isn't there. Get Congress to fund the FBI for more cybercrime work. Nope. If it's not putting minorities in jail, the Republican-controlled Congress won't fund it.

Re:It is not a good idea to pay extortionists

[Firethorn]

Pretty much - People only don't bother checking when the rate is low enough to not matter.

Re:It is not a good idea to pay extortionists

[tsotha]

Let's say you traced the bitcoin transaction to Russia or Ukraine (which is pretty likely). What are you going to do if the local sovereign government refuses to extradite? I wouldn't be at all surprised to find the NSA knows who these people are, but we're not ready to go to war over the odd $8500.

Re:It is not a good idea to pay extortionists

[Applehu+Akbar]

Just hire local mafiosi to do some "wet work."

Re:It is not a good idea to pay extortionists

[stoatwblr]

"And as they will now scale up their attacks, the problem will get a lot more pressing."

At some point they'll step on the wrong toes and find themselves floating face down in a pond somewhere.

Re:It is not a good idea to pay extortionists

[gweihir]

That is exactly the point: History proves nicely that the NSA has rather strong limits.

Of course for people deep in paranoia (you seem to be), the NSA is the all-seeing, all-knowing entity that everybody needs to be deeply afraid of. Here is a hint: That idea has been used throughout history to control people and make them self-censor by chilling-effects. Usually it was called "God". This has worked well on many people, despite its obvious invalidity.

Back in the real world, the NSA TAO (Targeted Access Organization, i.e. the "hackers") apparently has something like 200 people working there. They can, at best, hack something like 1000 targets at any time if using heavy automation. Less than 100 targets is a more realistic estimate though, and on every hack they risk losing zero-day code. That is not god-like at all. That is what a good large criminal gang of hackers can do when they really put their mind to it. And they can do some things the NSA cannot, as they do not need to worry about being identified. Specifically because of the "god"-nimbus the NSA is cultivating in public opinion, they must be extremely careful to not get caught and identified.

Bus sure, be paranoid and play right into their hands. Well done.

Re:It is not a good idea to pay extortionists

[gweihir]

I doubt it and even if it happens it will not matter. Otherwise we would not have crime, now would we? Threatening violence has never reduced crime to any significant degree. Criminals do not expect they will get caught. The whole idea law enforcement is based on is rather seriously broken.

Bet it goes like this...

[MrKrillls]

"The school's IT staff said the ransomware penetrated their network through an older server running outdated equipment."

And proceeded to propagate through their network through newer servers running outdated equipment...

Re:Bet it goes like this...

[dAzED1]

I think you mean newer servers running outdated software. But even that doesn't work, given how horrible of a security mess server2012 and win10 are.

Re:Bet it goes like this...

[MrKrillls]

Yup.

Shame on them

It should be illegal to pay ransomware criminals.

Re: Shame on them

[guruevi]

It IS illegal to pay criminals for their activities. We should be trying these decision makers for funding terrorism.

Re:Shame on them

[ShanghaiBill]

It should be illegal to pay ransomware criminals.

Especially if, as in this case, they are being paid with tax dollars. I can understand an unprincipled individual or private company paying ransomware, but for a government entity to pay off criminals with public funds is vile. If this was legal, we need to change the law. If it was illegal, the decision maker should be prosecuted.

Re:Shame on them

[radarskiy]

So instead of complaining that they paid off a criminal, you can complain that they spent more tax-payer money than was necessary and demand that the decision-maker be prosecuted.

Horry County school district (South Carolina, US)

[ls671]

Horry County school district (South Carolina, US). Got it! Thanks for the tip ;-)

At least banks and other victim institutions keep the whole thing secret. Great idea to render it public.

Another funny part in TFA:

Coincidentally, when the ransomware incident happened, the school's administration was looking into hiring an outside security provider.

What if it wasn't coincidental?

TCO?

[0100010001010011]

So when are we going to start including ransomware into the total cost of ownership?

Have any technical articles been posted on what all of these 'servers' were running?

Re:TCO?

[ls671]

Have any technical articles been posted on what all of these 'servers' were running?

Well, take a guess...

Re: TCO?

[guruevi]

$8500 is cheaper than paying a decent SysAdmin. These criminals know at what point to price their services so that these institutions can continue putting their clients at risk.

Re: TCO?

[ShanghaiBill]

$8500 is cheaper than paying a decent SysAdmin.

School administrators have no way of telling a good sysadmin from a bad sysadmin. Either would have a salary+benefits of over $100k/year, which few schools can afford. Schools can get federal grants to buy equipment, but salaries come out of their own budget.

Re: TCO?

[Mordaximus]

School administrators have no way of telling a good sysadmin from a bad sysadmin. Either would have a salary+benefits of over $100k/year, which few schools can afford. Schools can get federal grants to buy equipment, but salaries come out of their own budget.

Assuming each school needed a full time sysadmin, which they most likely do not. $100k to pay an admin to keep an eye on a portion of the schools in the school board is far more reasonable. And would then come from the board's budget, not the school.

Re: TCO?

[wisnoskij]

Hell, $8500 is probably cheaper than paying some contractors to test the security of your network. $8500 is peanuts to a hospital running 25+ servers.

Re: TCO?

[0100010001010011]

That assumes they only get hit once.

Re: TCO?

[ogdenk]

I live in SC, many sysadmins are paid $40,000-$50,000/yr in this area. Especially those working for low-budget school systems or smaller organizations.

Re: TCO?

[ShanghaiBill]

I live in SC, many sysadmins are paid $40,000-$50,000/yr in this area.

Once you add in benefits, pensions, overhead, and management, $50k is $100k. Burdened employment costs tend to be higher for governments, and even higher for public schools.

Re:TCO?

[AK+Marc]

Windows 8 home?

Re:Is this what we want to be teaching?

[hort_wort]

Do we really want to be teaching children to negotiate with terrorists?

The obvious way around that is to stop calling everyone who breathes a "terrorist".

This is a good reminder

[Kludge]

For me to do my offline backups.

What's the attack vector?

[mark-t]

What is the typical attack vector for something like this? I understand how it might affect a home users own computers either by visiting malicious websites, or being unconcerned with what one runs that was downloaded from ithe Internet, but how does a place like a school get hit?

Re:What's the attack vector?

[jbmartin6]

Phishing is the most common, but there are also thousands of sites pushing ransomware through the Angler exploit kit, and similar. I've seen it from restaurant sites and online forums especially. The managers are very clever, they don't push the EK more than a few times from any one site to avoid getting blacklisted. My employer has a crew of folks patching workstations (Flash vulnerabilities are a favorite) and monitoring traffic, and it has still gotten through a couple times and we've had to pull the plug on some locations until it was stopped. It is easy to see how a school or hospital could fall victim, and also why they would rather pay the ransom than go through and expensive and time consuming restore.

Re:What's the attack vector?

[stoatwblr]

"Phishing is the most common,"

A stat from several sites I work with - about 200,000 people in all.

Phishs are spotted and ignored by 97% of users - but that last 3% are a major problem

We've even had secretarial staff disable antivirus systems giving warnings about infected attachments in order to open things "because it might be important"

And no, they can't be fired.

The real question in all this:

[kheldan]

So many useless, off-topic posts in this thread by political trolls; what's up with that? You shits have an issue with political candidates or parties, take it up at the polls, not by shitposting on Slashdot. Anyway..

Is anyone going to learn from these unfortunate incidents? There is no excuse for there not being decent security precautions and procedures in the IT department of any organization, and there likewise is no excuse for there not being adequate incremental backups of critical systems. Basically this school and the hospital in Hollywood were sloppy, and criminals capitalized (literally) on their sloppiness.

Re:The real question in all this:

[MrKrillls]

"shitposting"... Fine verb!!!!!!!

Re:The real question in all this:

[pauljlucas]

If most school districts can't pay teachers decent salaries, they presumably can't pay market rate for good sysadmins, so they have to take what they can get.

Re:The real question in all this:

[WindBourne]

the problem is that companies/groups decide to save a few bucks. Sadly, they are ignoring all of the evidence which is running windows and offshoring leaves you vulnerable. While the GOP is certainly be ones behind the offshoring, there is no doubt that the dems are just as stupid. They are the ones wanting to increase H1B, which will lead to more attacks.

Re:The real question in all this:

[edis]

There is something to make good out of this very bad habit: those, that were certainly cornered into making pay terrorists, have to recognize need to submit any decryption tools they were provided with to the people, fighting terrorists of that kind. That including analysts of the BleepingComputer community, makers of security tools, Kaspersky is one that springs to mind in regard to providing decryption utilities for public. Traces of communication and funds have to be professionally investigated as well, as far as it is possible.

There is no acceptable answer in just paying ransom, funding terrorists for their next gigs.

Re:The real question in all this:

[jbmartin6]

"decent security precautions" are hard, given that Angler pushes come from thousands upon thousands of different sites. All it takes is one host a little behind on patching and BAM. Maintaining backup regimes is expensive, it's much cheaper to take your chances and pay the very affordable ransom instead.

Re:The real question in all this:

[edis]

You can widen the use of the word, deriving from what terror is associated with:
ORIGIN late Middle English : from Old French terrour, from Latin terror, from terrere ‘frighten.’
Take a look at the meanings of terrorize, for your next.

If digging a little, you would quickly find, that "the definition of terrorism has proven controversial".
This gives you no good ground to tell that you know better than others what the word means.

Re:The real question in all this:

[kheldan]

it's much cheaper to take your chances and pay the very affordable ransom instead

I find that to be an extremely cowardly attitude to take, and a completely unnecessary and irresponsible one to boot. It's a don't-give-a-damn attitude and I find it reprehensible; if someone worked for me and took that sort of attitude towards the problem, they'd be fired on the spot.

Re:The real question in all this:

[kheldan]

There is no acceptable answer in just paying ransom, funding terrorists for their next gigs.

First of all there is little to no evidence that these were 'terrorists', not in the current-events sense of the word, it's just cyber-criminals, could be anyone really, could be some edgy teenagers looking to score some cash any way they can. Secondly, if you're saying we need to comply with anything and everything that the police (local LEOs, FBI, NSA, CIA, etc) demand of us, just because they demand it, then I have two choice words for you which I will uncharacteristically refrain from using on you, and they're not nice words at all.

Re:The real question in all this:

[edis]

It is about professional and most efficient handling of the given circumstances. We are mostly professionals gathering here. Teenagers are not very likely to have balls for arranging that scale of operations with the quality needed.

I am not going to deal with your opinion just because it bears very little in the above-mentioned light of professional stance.

Re:The real question in all this:

[kheldan]

I am not going to deal with your opinion just because it bears very little in the above-mentioned light of professional stance.

Same to you, buddy.

Good!

[whoever57]

Perhaps people will start to take computer security seriously, if they see that it has an immediate impact on their budgets.

i hope you know / this will go down

[Pseudonymous+Powers]

God dammit, when I heard my elementary school got hacked I thought I was finally going to be able to get out from under the pernicious shadow of my Permanent Record!

Re:habit?

[sunderland56]

It would be better if it became the habit to spend money on security. That $8500 would have gone a long way towards decent security measures.

One wonders, though, what an elementary school district needs with 25 servers (or more; tfa says 25 were affected). What was so mission critical that it was worth paying cash to get back? Why not just format the affected machines, reinstall, and be done with it? The database that says litte Timmy got a B last year just aren't mission critical.

Re:Is this what we want to be teaching?

[sims+2]

We almost have tourist defined as terrorist too but Egypt is farther along in that aspect than we are in the US
http://news.antiwar.com/2015/0...

Although I think we will have that figured out within the next 10 years.

When I was at school...

[Skiron]

... someone stole my slide rule. I had to pay them 1s and 6d to get it back. How times have changed!

Re:habit?

[ShanghaiBill]

One wonders, though, what an elementary school district needs with 25 servers

There are a lot of federal dollars available for things like "computers in the classroom" and "cops in schools" that don't really make much sense, but, hey, it's free money, and can't be used for anything else. The elementary school that my kid attends has a $250,000 Cisco enterprise system that handles less traffic than the $39 Netgear router that I have at home. A federal grant paid for it, and on top of that, Cisco made a nice donation to the enrichment program, so it was a no-brainer.

Windows and offshoring

[WindBourne]

Seriously, as long as groups/companies insist on running windows and offshoring the work, they will continue to be hit by ransomware and others.

Several decades ago, America used to be concerned about Security. Now, it is a joke.

Re:Windows and offshoring

[jbmartin6]

Ransomware isn't particularly sophisticated,and would work just as well on Linux if anyone wanted to code it up. Take everyone off Windows and I am sure someone would. I'm curious why you think America used to be concerned about Security. Remember SQL Slammer, Love Letter, and friends? The underlying architecture of the systems (e.g. disallow script access to Outlook address book) only changed when the security cost became too high, not before.

Re:habit?

[Max_W]

...Why not just format the affected machines, reinstall, and be done with it? ...

It could be an inside job too.

Re:Horry County school district (South Carolina, U

[Hognoxious]

Anyone else read that as Horny County?

No

[John+Bokma]

Based on the number of phishing emails I see weekly I doubt people are ever going to learn. Stuff like this is done because it works and has been working for decades.

Re:An *elementary* school?

[Mordaximus]

You could fit a typical student record on a 3x5 card ... suck it up and just tell the crooks to go pound sand.

Assuming that payroll wasn't handled by one of the servers affected...

Re:Is this what we want to be teaching?

[St.Creed]

But there is good news too! We can be unpussified by following a few simple steps: http://www.welivesecurity.com/...

Re:habit?

[spudnic]

What if they were to just format the affected machines, restore from the latest backup prior to the intrusion, and be done...

Oh, wait.

Re: habit?

[Billly+Gates]

Several thousand employees perhaps. School Districts are big employers who also have lawyers, accountants, business analysts, and shared drive and applications too just like the private sector.

Everyone keeps talking about security, but ....

[King_TJ]

... what about good backups?!

Just last week, one of my co-workers attended a Cisco seminar where they were peddling an "all inclusive" system to try to stop malware, and especially ransomware. It involved software you had to load on all of the clients, server-side software and special firewall type gear, all to try to "proactively stop ransomware from phoning home or uploading content anyplace". The price tag, obviously, was pretty steep as well.

Pulling his buddy, who worked at Cisco, aside for a minute, he asked, "If you have good backups, wouldn't all of this be pretty much unnecessary?" His friend smiled and nodded in agreement.

We use CrashPlan ProE where I work, backing up all of the client PC and Mac desktop folder contents in pretty much real-time, to the backup servers we designated for them based on the offices they operate out of. The servers themselves replicate to other servers at our other locations, for off-site backup copies, as well as a big chunk of the content we actively used getting stored on DropBox (where it's also possible to restore backups of deleted files or folders, or to go back to earlier versions if needed, using the backup and restore capabilities they provide business users).

As a general rule, if anyone was infected with ransomwarre that encrypted their data, we'd just wipe it and go to the latest good backup, and be back up and running with very little lost data (if any). Absolutely no reason to pay one of these hackers to unlock the stuff for us.

It seems to me that if you've got $8,500 to pay the ransom, then you had $8,500 to invest in some backup infrastructure instead....

Re:Everyone keeps talking about security, but ....

[Dadoo]

what about good backups?!

Give it time, and they'll figure a way around that, too. Off the top of my head, I'd say ransomware writers could put a delay in their software, before it does anything - say 6 months after it finds a new system. By that time, the ransomware will be all over the backups. Then what?

Anyone heard of

[invictusvoyd]

Once you add in benefits, pensions, overhead, and management, $50k is $100k. Burdened employment costs tend to be higher for governments, and even higher for public schools.

Software As A Service ?

Re:Anyone heard of

[AK+Marc]

Take the salary of a sysadmin and multiply by 10. That's the SaaS cost.

Re:Horry County school district (South Carolina, U

[ls671]

Not me, I first thought it was a misspelling of "Whory".

Re:habit?

[AK+Marc]

When I left school (yes, it was a while ago) the computers were used to make things easier, but the permenant record was still printed every year and stored in file cabinets. A loss of the computer would cause re-work for the current year's teachers, and delays for those ordering transcripts, but no data loss would happen if every computer were stolen or wiped tomorrow.

Re:You have no idea how bad it really is...

[AK+Marc]

The schools don't even know what CIPA is or how to meet it. The only one I know that even tried was given official complaint and was about to start the fine phase, before they got outside help to meet the law. Then they paid 10x what they needed to, to bring in an outside firm and put in basic filtering.

Re:habit?

[jenningsthecat]

It would be better if it became the habit to spend money on security...

Also, on VERY frequent offline backups using increasingly cheap mass storage options. And possibly even duplicate server racks. Get a call from your neighbourhood data extortionist? Take the servers offline, patch the hole, restore from backups or switch over to the second rack, and tell the extortionists to fuck off.

Re:habit?

[tsotha]

If I made ransomware I'd put in a six month delay so even if you had a backup you'd lose six months of work.

Computers down because of ransomware infection?

[tetraverse]

What was the name of the computer Operating system this ransomware ran on?

Re:habit?

[stoatwblr]

"It would be better if it became the habit to spend money on security."

And backups. $8500 buys a pretty decent box to run Bacula on.

Re:habit?

[stoatwblr]

Assuming it encrypted the stuff for 6 months, then refused to hand it over when you ran a DB query, etc.

If it's offering up unencrypted data for 6 months then you have 6 months of unencrypted data to work from until it locked the thing last week.

Re:An *elementary* school?

[cascadingstylesheet]

You could fit a typical student record on a 3x5 card ... suck it up and just tell the crooks to go pound sand.

Assuming that payroll wasn't handled by one of the servers affected...

Housed in the elementary school, instead of at the district level?

In any case, if they can't piece together what they were paying people ... sheesh.

Re:habit?

[BoogieChile]

Or a reliable backup system.

One of our senior management got hit by one of these, and since he had access all the different network shares, did quite a bit of damage.

Something over 37,000 files restored from the backups later and no ransom had to go anywhere.