Slashdot Mirror

← Back to Stories (view on slashdot.org)

US School Agrees To Pay $8,500 To Get Rid Of Ransomware (softpedia.com)

Posted by BeauHD on from the held-hostage dept.

An anonymous reader writes: Earlier this week, the media was abuzz with the case of the Hollywood hospital that almost shut down its operations because of a ransomware infection, which it eventually paid. Something similar happened around the same time in a South Carolina school district when ransomware shut down an elementary school's servers. The school had to pay $8,500.

18 of 138 comments (clear)

  1. It is not a good idea to pay extortionists by gweihir · · Score: 2

    You start paying, they find more targets, make their scam more professional, etc. At the moment, these are still common criminals, as can be seen by the low sums demanded (completely out of proportion compared to the damage done), but that will now change.

    The good thing is that Bitcoin is not really anonymous, unlike the common wisdom. With a bit of lick these people will be identified. The bad thing is that it will take some time and by then others will have copied the scam.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:It is not a good idea to pay extortionists by sims+2 · · Score: 2

      But for this bitcoin doesn't need to be anonymous it just needs to be non-seizable most don't use paypal or cc merchant accounts anymore because they get frozen before they can do anything with them.

      Bitcoin doesn't get seized, frozen, revoked or invalidated. So despite being trackable its a better choice because they are unlikely to loose access to it after they've received it.

      --
      Minimum threshold fixed. Thanks!
    2. Re:It is not a good idea to pay extortionists by ShanghaiBill · · Score: 4, Insightful

      You start paying, they find more targets, make their scam more professional, etc.

      That isn't all bad. In the past, insecure systems were hijacked and used as spam-bots, so the cost of the insecurity was borne by others. At least with ransomware the cost is borne directly by the bozos running MS-Windows on their servers.

    3. Re:It is not a good idea to pay extortionists by gweihir · · Score: 2

      The NSA does not claim to see as much as people think. I once asked somebody mid-high in the NSA this question and he said "If we really could do what people think we can do, then the world would look differently." Entirely convincing.

      Your second mistake is that identification of such criminals is a fast process. It is not. Ask again in a year or so.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:It is not a good idea to pay extortionists by Firethorn · · Score: 2

      it just needs to be non-seizable

      Start marking the bitcoins 'paid' as ransoms like this as 'dirty', and get as many vendors as possible to ban 'dirty' bitcoins'.

      A user notices that X amount of his bitcoin has been marked dirty and unacceptable, and he has to sell it at a loss is going to get pissed at where he got it from - and probably implement checking for dirt himself. Then the anonymizers and places that accept ransom bitcoins for laundering will have regular users start avoiding them, etc...

      --
      I don't read AC A human right
  2. Horry County school district (South Carolina, US) by ls671 · · Score: 3, Interesting

    Horry County school district (South Carolina, US). Got it! Thanks for the tip ;-)

    At least banks and other victim institutions keep the whole thing secret. Great idea to render it public.

    Another funny part in TFA:

    Coincidentally, when the ransomware incident happened, the school's administration was looking into hiring an outside security provider.

    What if it wasn't coincidental?

    --
    Everything I write is lies, read between the lines.
  3. Re: older server running outdated equipment. by guruevi · · Score: 3, Interesting

    Apt-get upgrade doesn't require any new funding, not even new hardware, this isn't hardware failing, this is incompetence succeeding.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  4. Re:Is this what we want to be teaching? by hort_wort · · Score: 5, Informative

    Do we really want to be teaching children to negotiate with terrorists?

    The obvious way around that is to stop calling everyone who breathes a "terrorist".

  5. This is a good reminder by Kludge · · Score: 2

    For me to do my offline backups.

  6. What's the attack vector? by mark-t · · Score: 2

    What is the typical attack vector for something like this? I understand how it might affect a home users own computers either by visiting malicious websites, or being unconcerned with what one runs that was downloaded from ithe Internet, but how does a place like a school get hit?

    --
    File under 'M' for 'Manic ranting'
  7. The real question in all this: by kheldan · · Score: 2

    So many useless, off-topic posts in this thread by political trolls; what's up with that? You shits have an issue with political candidates or parties, take it up at the polls, not by shitposting on Slashdot. Anyway..

    Is anyone going to learn from these unfortunate incidents? There is no excuse for there not being decent security precautions and procedures in the IT department of any organization, and there likewise is no excuse for there not being adequate incremental backups of critical systems. Basically this school and the hospital in Hollywood were sloppy, and criminals capitalized (literally) on their sloppiness.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  8. i hope you know / this will go down by Pseudonymous+Powers · · Score: 2

    God dammit, when I heard my elementary school got hacked I thought I was finally going to be able to get out from under the pernicious shadow of my Permanent Record!

  9. Re: TCO? by guruevi · · Score: 4, Informative

    $8500 is cheaper than paying a decent SysAdmin. These criminals know at what point to price their services so that these institutions can continue putting their clients at risk.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  10. Re:habit? by sunderland56 · · Score: 4, Interesting

    It would be better if it became the habit to spend money on security. That $8500 would have gone a long way towards decent security measures.

    One wonders, though, what an elementary school district needs with 25 servers (or more; tfa says 25 were affected). What was so mission critical that it was worth paying cash to get back? Why not just format the affected machines, reinstall, and be done with it? The database that says litte Timmy got a B last year just aren't mission critical.

  11. Re:habit? by ShanghaiBill · · Score: 4, Interesting

    One wonders, though, what an elementary school district needs with 25 servers

    There are a lot of federal dollars available for things like "computers in the classroom" and "cops in schools" that don't really make much sense, but, hey, it's free money, and can't be used for anything else. The elementary school that my kid attends has a $250,000 Cisco enterprise system that handles less traffic than the $39 Netgear router that I have at home. A federal grant paid for it, and on top of that, Cisco made a nice donation to the enrichment program, so it was a no-brainer.

  12. Re:Shame on them by ShanghaiBill · · Score: 3, Insightful

    It should be illegal to pay ransomware criminals.

    Especially if, as in this case, they are being paid with tax dollars. I can understand an unprincipled individual or private company paying ransomware, but for a government entity to pay off criminals with public funds is vile. If this was legal, we need to change the law. If it was illegal, the decision maker should be prosecuted.

  13. Re: TCO? by 0100010001010011 · · Score: 2

    That assumes they only get hit once.

  14. Re: TCO? by ogdenk · · Score: 2

    I live in SC, many sysadmins are paid $40,000-$50,000/yr in this area. Especially those working for low-budget school systems or smaller organizations.