jawiggins 1 days ago [-]
Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
bijowo1676 1 days ago [-]
This is the way to go.
Instead of paying ransom, and creating a ransomware criminal industry out of thin air, it's better to force companies to recover and restore from backups and remove the monetary incentive for crime.
And the executives who failed to carry out regular backups obviously should face the music.
jstan65536 23 hours ago [-]
Backups were not Instructure’s problem. Hackers using the threat of exposing private information to extort Instructure’s customers was the problem.
bijowo1676 23 hours ago [-]
Equifax and other companies routinely leak customers' PII and financial information.
The only outcome I got from their incidents is 1 year of free "identity protection service" which I didn't use.
Should be a lesson for Instructure to have proper architecture and not store PII they don't need in their processes.
dessimus 13 hours ago [-]
At least those are mainly going to be adults. In the case of Instructure, there are many K12 school districts using Canvas as well. They are potentially selling lists of underage children along with where they live, and contact info like email and phone number.
These are going to be people with clean credit histories to exploit, and ideal for using as ghost students.
Eufrat 22 hours ago [-]
Our PII is leaked all the time. I am fed up with various businesses sending me a free credit monitoring subscription in lieu of actually having proper security controls or damages that incentivize viewing the issue as a serious going concern risk.
Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.
rootusrootus 9 hours ago [-]
I’m tired of it being my problem to fix. You should be able to know everything about me and still not be able to get accounts/credit/whatever in my name.
BobbyTables2 20 hours ago [-]
Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.
Instructure's motivations must have lain elsewhere…
erikerikson 19 hours ago [-]
Does that really shield the schools? HIPAA wouldn't care.
bijowo1676 19 hours ago [-]
An educational LMS should not store real patient health data, so that's the problem of whoever designed that system.
erikerikson 18 hours ago [-]
The question was whether the same transitive responsibility applies to FERPA, not whether HIPAA data is involved.
ninjalanternshk 12 hours ago [-]
I still believe in the approach taken by Mel Gibson’s character in “Ransom.”
Offer a reward equal to the ransom amount, to anyone who turns the kidnappers/criminals in to the authorities.
solumunus 12 hours ago [-]
Good luck when most of the ransom gangs are in countries that, at best, don't care about this, and often encourage or support it.
axus 1 days ago [-]
The criminals have better marketing than the disaster recovery vendors.
varispeed 1 days ago [-]
Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?
JumpCrisscross 1 days ago [-]
> Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?
No, for the same reason fence manufacturers aren't financing burglars.
bluGill 1 days ago [-]
There is enough competition that if word gets out you can move to someone honest. At this size you can't keep a secret.
hughes 1 days ago [-]
It may be that the ideal number of ransomware operators is non-zero
_vOv_ 1 days ago [-]
If they can restore from backups, then there’s no need to pay the ransom in the first place… Ransomware is designed to silently corrupt your backups.
HDBaseT 1 days ago [-]
Who would have thought paying teenagers millions of dollars in crypto was a good idea?
They'll just use it on more exploits, more nonsense. It's a race to the bottom.
Sister group, Lapsus$ (parent group ShinyHunters) has published on their website they will pay for inside access to company networks. The group says they don't want data, they just want an avenue.
This is what happens when we keep paying these criminals millions in hard-to-trace crypto.
I do find it all a bit funny though.
bawolff 1 days ago [-]
I suppose it also puts a price on not funding your security department.
rsstack 1 days ago [-]
How is it not a violation of AML laws to pay a ransom like this? Surely they didn't verify that the recipient (a criminal) isn't sanctioned or associated with sanctioned organizations.
cornholio 1 days ago [-]
Money laundering is the action of obfuscating the origin of criminal proceeds; victims or clients of criminals do not generally commit money laundering, for example buying drugs is not a form of AML violation regardless of the legality of the purchase itself or the fact that the funds will later be laundered by the traffickers.
KYC is a tool to prevent money laundering and it's typically an obligation of financial institutions. Sending money to an anonymous (to you) recipient is generally not a KYC violation if you are not in the money transmitting business and you aren't doing the payment on behalf of someone else.
There are infinite shades of gray in this topic, of course, but I can't see AML being relevant in this particular case.
dataflow 23 hours ago [-]
I think they mixed up sanctions (and any similar laws w.r.t. legal recipients) with AML laws. The legality of paying sanctioned entities doesn't depend on whether the money was laundered, but they were interested in how people get around the former.
rsstack 1 days ago [-]
Thank you! That's basically what I was asking.
hattmall 1 days ago [-]
How exactly would this fall into the purview of AML? As far as sanctions go the burden of proof would be on the government to prove the money went to a sanctioned entity and Instructure isn't a bank subject to KYC requirements.
rsstack 1 days ago [-]
All my corporate AML training says that not performing some KYC for large payments, directly or through a bank, is a crime in its own right even if the recipient isn't sanctioned.
From Claude, maybe it's a little nuanced compared to conservative corporate policies, but doesn't feel very legal: "You can be charged with money laundering (18 USC 1956/1957 in the US, equivalents elsewhere) if you knowingly — or with willful blindness — process proceeds of crime. "I didn't ask" is not a defense if the circumstances were suspicious; deliberately avoiding KYC to preserve deniability is exactly what willful blindness doctrine targets. The recipient doesn't need to be formally sanctioned; the funds just need to be tainted."
jawiggins 1 days ago [-]
Even if it already is, the DoJ can exercise discretion in choosing who to prosecute. There has to be political will to threaten an org who has just suffered from an attack with further consequences if they make a payment.
spondyl 1 days ago [-]
Probably not too relevant but off the top of my head, the New Zealand Government's guidance on ransomware payments is that you could technically be fined if you pay a ransom to an entity in a sanctioned country, although it doesn't go into specifics.
nullocator 1 days ago [-]
Is it illegal to pay kidnappers in the United States? I've never heard of this and I can't seem to find anything that says any such law has actually been passed.
kenjackson 1 days ago [-]
It's technically not illegal, but often is. You can't pay terrorist organizations or specially sanctioned orgs. See https://sanctionssearch.ofac.treas.gov
Probably should consult an attorney before paying a ransom (whether for kidnapping or other purposes).
BobbyTables2 20 hours ago [-]
I’ve been wondering this too.
Extortion and terrorism seem similar in many ways except the latter involves physical harm.
I'd assume a company paying money to terrorists shouldn't be acceptable.
It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
protocolture 20 hours ago [-]
>It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.
Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.
>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
You would hope they would then upgrade the cardboard.
erikerikson 19 hours ago [-]
When you frame it like that it sounds like the thieves are doing us a favor. Except it should be heavily fined and jailable for the entire executive team and maybe the board too.
protocolture 19 hours ago [-]
The thieves are doing us a favor.
And yes, the company's executives should be jailed.
erikerikson 19 hours ago [-]
Except those payments are being passed through, are they not?
protocolture 19 hours ago [-]
Passed through where and how?
erikerikson 18 hours ago [-]
Canvas to schools to taxpayers.
protocolture 18 hours ago [-]
Ah yep, well they might pass on as much of the cost as they can to their customers, but it still costs them in lost customers/prestige etc.
protocolture 22 hours ago [-]
The issue is that anything a hacker can do publicly a state actor can do silently.
It's a boon to both the company and the country when a hacker makes a big public deal out of it, because they get the chance to repair something before its intentional damaging misuse by a hostile state actor.
The hackers here deserve every cent plus possibly more.
And there's always the problem that the hackers would still get paid; they just won't report the payments, making tracking difficult.
nathanmills 1 days ago [-]
Thank goodness that no kidnapping of an American has ever happened since.
Geof25 1 days ago [-]
It is illegal to commit a crime. So no crimes will be committed. Duh.
eviks 1 days ago [-]
That's the magic of Laws!
JumpCrisscross 1 days ago [-]
Hmm, there was once fraud so I guess we should repeal any prohibitions on fraud, huh? Same for murder.
nathanmills 1 days ago [-]
Calm down, extremist. There's a difference between someone doing something vs someone paying someone else to stop doing something. If the latter were truly bad then the same should be applied to people handing over their wallet to muggers. The only difference in that scenario and the above is saving yourself vs saving a family member. Would you really deny people the ability to save their loved ones?
JumpCrisscross 1 days ago [-]
> then the same should be applied to people handing over their wallet to muggers
Not really. Muggings are both more common and less traumatic than kidnappings. This is reflected in the fact that common and maximum sentences for kidnappings are universally more extreme than those for muggings.
> Would you really deny people the ability to save their loved ones?
...yes. Because it means significantly fewer kidnappings. "Deny people the ability to save their loved ones" is tantamount to "help others to lose their own."
nathanmills 1 days ago [-]
And where does ransomware fall on that trauma scale? The maximum sentence is less than mugging after all.
JumpCrisscross 1 days ago [-]
> does ransomware fall on that trauma scale?
Idk. That’s a step (sentencing guidelines) after we decide it should be criminalized.
> The maximum sentence is less than mugging after all.
They’re in the same ballpark, 2 to 6 years or so.
nathanmills 1 days ago [-]
> That’s a step (sentencing guidelines) after we decide it should be criminalized.
You decide it should be criminalized before you identify any harms?
> They’re in the same ballpark, 2 to 6 years or so.
You can just look it up. Maximum sentence for mugging is 30 years, ransomware is 20.
JumpCrisscross 1 days ago [-]
> You decide it should be criminalized before you identify any harms?
No. We have a measure of the harms. We haven’t balanced them for sentencing. Again, deciding something should be illegal doesn’t require obsessing over the sentence ex ante.
> Maximum sentence for mugging is 30 years
Not the norm, either for maximums [1] or usual sentences.
Isn't there still incentive because the data itself is valuable so attacks would continue?
jawiggins 1 days ago [-]
Maybe, but it’s harder to profit from it. A firm may be reputationally damaged, but what’s the incentive to cause that damage?
I think the Bloomberg Odd Lots guy wrote a blog post on this: you could attempt to short the stock but a) this leaves a paper trail b) the market might not know about the breach or believe you if you post you’ve done it. IIRC some hackers have tried to tell companies that they are legally required to disclose the breach to their shareholders to force market movements.
bawolff 1 days ago [-]
If there was a way to profit from the data that was more than the ransom, wouldn't they just do that instead of asking for a ransom?
Or do both, I suppose; just because someone pays a ransom there is no guarantee the hacker destroys the data.
bluGill 1 days ago [-]
How much value is in the data? It is embarrassing if some kid gets a D in class, and shouldn't be public, but most of the people who care already know or have ways to find out.
rafram 1 days ago [-]
Not sure sanctions are a relevant reason not to pay here. We don’t know where everyone involved with ShinyHunters is located, but those arrested in the past have been American and French.
bluGill 1 days ago [-]
Americans and French (and most other "first world") countries will investigate and arrest anyone involved. It doesn't matter if foreigners are the only victims; most countries do not want their citizens involved with this and will send anyone caught to whatever country was affected for criminal prosecution.
Russia and North Korea are the main names that come up as exceptions; they will protect their own people.
BrandoElFollito 14 hours ago [-]
This is doubtful.
Americans are more kidnapped globally when we look at an equal distribution of population (i.e. in the same pool in a generic country, Americans are more likely to be kidnapped, according to the James Foley Foundation).
Europeans are more likely targets in Africa due to our presence there (mostly NGOs).
The differences will be statistical, not motivated by a no-pay policy.
gustavus 1 days ago [-]
Not that I disagree, but it also incentivizes attackers to steal and resell data to other nefarious actors.
After all a lot of the data companies have isn't their own, it's their customers. They are the ones who suffer because businesses don't bother securing their crap.
john_strinlai 1 days ago [-]
On one hand, every ransom paid encourages like-minded individuals to start or ramp up their ransomware game, which is not great.
On the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they won't be 'credible' ransomware operators, which is kind of funny to think about. And in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. So paying is the best for current victims (but increases the potential for future victims).
The dynamics/economics around ransomware are fascinating.
cortesoft 1 days ago [-]
This is always the game theory of ransoms, and it is a classic example of a collective action problem (and is a form of a prisoner's dilemma).
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
> Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
sgc 1 days ago [-]
If you have to pay, at least try to negotiate 1) a guarantee that the hackers won't just do it again sometime later, and 2) full disclosure / assistance in repairing your vulnerabilities so you have some kind of head start for the future. Outside of politically motivated hackers, this would probably be reasonably successful.
LgWoodenBadger 1 days ago [-]
What possible type of guarantee could one ever hope to "negotiate" with someone who has just successfully blackmailed/ransomed/extorted?
kelnos 1 days ago [-]
If the ransomware operator believes that breaking their word might make it harder to get money out of future victims, they'll keep their word.
They might not believe that, but if you're at the point where you're paying anyway, you might as well try to get that commitment from them.
sgc 1 days ago [-]
We are in the context of already having to pay. You are at their mercy no matter what, so the only value of any interaction with them is based on hoping they have incentive to maintain their promises to protect their reputation etc.
It's not a good situation to be in, but still, try to make the best of it.
Symbiote 1 days ago [-]
Other hacking groups now know Instructure pays up.
janalsncm 1 days ago [-]
There’s a similar dynamic from within the hacker group itself. For the ransom group, it is better for them to be perceived as trustworthy. Pay the ransom and we won’t leak your data.
For any individual within the ransom group, they can get a big payout by selling the data.
SoftTalker 1 days ago [-]
Depends on what they actually got. Names and email addresses? Considered public and are not so valuable. Universities usually publish those in a directory anyway.
Messages between students and instructors? Likely pretty boring, but possibly embarrassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
browsingonly 1 days ago [-]
SSNs have been used as student IDs by particularly stupid educational institutions. The 'nice' thing about getting SSNs from students is the likelihood they'll live for a long time after the breach and thus be subject to identity theft for many years to come.
SoftTalker 1 days ago [-]
This was common years (decades, really) ago but I'd be surprised if any university today was still doing that. I guess there could still be some....
kelnos 1 days ago [-]
My university stopped putting SSNs on student IDs more than 25 years ago. I'd be surprised if there are many who still do that.
Though I wouldn't be surprised if some 40 year old university IT system requires its use as an identifier, regardless of whether or not it gets printed anywhere.
saghm 1 days ago [-]
I have trouble imagining that a ransomware group would care about a regulation like FERPA when they've already done something criminal that would be more than enough for prosecution if they got caught.
bluGill 1 days ago [-]
Those laws reduce the value though: "honest" people who are interested in such data won't be interested in getting it from ransomware because they need to have legally obtained data. That is, there are a lot of "honest but shady" uses of this data that are stopped by these laws.
SoftTalker 1 days ago [-]
I didn't mean that the ransomware group would care... but if they got grades, that might command a higher ransom than if they just had names and emails and other non-very-sensitive stuff.
Mezzie 1 days ago [-]
I just spoke with a K-12 teacher I know, and she confirmed SSNs in the Canvas instance.
Yikes.
saghm 1 days ago [-]
Wow. A lot of K-12 students probably don't even know their own SSN off the top of their head, much less understand the impact of having it stored in this way. I can't fathom why it would be necessary for the SSN to be tracked by the school. At most, the school district as a whole might want a record so they could make sure kids are getting schooled but putting that into Canvas doesn't make any sense to me.
SoftTalker 1 days ago [-]
Agreed, seems wild to me that anyone in 2026 is using SSN as an identifier in a system that's not doing some kind of tax reporting. It's kryptonite for any other purpose.
Mezzie 1 days ago [-]
Oh, it's insane and I recoiled when she mentioned that.
But it is 100% happening.
People do amazingly stupid things with systems, especially when they don't have enough people with the expertise to set them up properly, so they just throw things in there without stopping to think about whether or not it's a good idea.
SoftTalker 1 days ago [-]
So, a particular school system decided to add SSN to the student profile? Or Canvas requires it?
saghm 24 hours ago [-]
I'm guessing that Canvas just sort of lets you put in whatever data you want, and someone evidently decided that putting the student's SSNs in there made sense...
Mezzie 1 days ago [-]
It's not required. I don't know precisely what her district is doing or why; I don't work there. But she, unprompted, brought up that a lot of the minors' PII was in there, including SSNs.
SoftTalker 1 days ago [-]
It would be nice if system owners stopped thinking "we'll just ask for all the info in case we need it" and instead "we might get sued (or ransomed, or both) because we are collecting this."
zwily 23 hours ago [-]
That is a big yikes, but definitely not the norm. Most school districts switched from using SSN as their SIS identifier decades ago.
LastTrain 1 days ago [-]
They already have your SSN, as does anyone else who wants it.
Mezzie 1 days ago [-]
True. It's more yikes about what this says about the technical knowledge in that school.
MagicMoonlight 1 days ago [-]
I don’t know if that’s really true. Nobody would really give a shit if you leaked where everyone goes to college… because it’s already on their LinkedIn or whatever.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
HDBaseT 24 hours ago [-]
It really isn't as simple as that.
You are leaking email addresses that likely otherwise wouldn't be out there publicly. Whilst email addresses and names are "effectively" public, they aren't just in a one big database anyone on the planet can access.
Every single one of those email addresses will receive increased spam and phishing attempts, with more isolated information (such as School, First+Last Name, Subjects, Teachers/Lecturers, etc) the phishing attempts can be more refined.
I.e., a student receives an email that looks like it's from their school (has email footer, has student name, has relevant teacher name, subject name, etc), and the user is now more likely to click some sketchy link.
These little identifiers add up, especially when cross-referenced with other leaks. Even more problematic when most of the users wrapped up in a leak like this are under 18 too.
A lot of this stuff could be done previously, although the effort and scale to do so would have been higher/harder.
bradyd 1 days ago [-]
> For the ransom group, it is better for them to be perceived as trustworthy.
They've already proved themselves to be untrustworthy simply by ransoming you in the first place.
Ancapistani 1 days ago [-]
No, they've proven themselves to be malicious. That's not the same thing at all.
bombcar 1 days ago [-]
You can also have the "excessive force" doctrine, where holding someone or something for ransom results in your entire country being a smoldering crater.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
ergocoder 22 hours ago [-]
Why doesn't someone pretend to be the ransom hacker, take the money, and release the hacked data anyway?
This will progress the game theory to the point where nobody will pay ransom because the thieves won't honor the deals anyway.
BennyH26 1 days ago [-]
And that's exactly why the incidence of kidnapping plummeted in Italy once ransom payments were made illegal.
latexr 1 days ago [-]
How does that work? I.e. say a kidnapping occurs and the ransom is paid. What kind of trouble does the paying party get into? A fine? Jail?
jasonfarnon 24 hours ago [-]
A fine or sentence is probably on the books but it never comes to that. The main thing is to freeze the family's assets, and more importantly to publicize this procedure so the mafia or whoever knows there's no point in threatening the family.
bluGill 1 days ago [-]
So long as the potential payer knows they will get something, they are going to slow down. They might pay, but it suddenly becomes harder because they have to hide what they are doing. Many won't figure out how to pay.
The real value though is enough people consider themselves honest and won't do anything they know is illegal. They already hate dealing with criminals, but so long as paying is legal they might do it, but as soon as it affects their moral code they won't. The whole system collapses because just a few people saying no to paying means the kidnappers lose money on too many operations.
latexr 14 hours ago [-]
I understand the mechanism and the point of making it illegal, that’s not the question.
What I want to know is what exactly are the lawful repercussions for the person who paid.
protocolture 22 hours ago [-]
>but everyone would be better off if no one paid a ransom.
I doubt if everyone would be better off if state level actors found and used these vulnerabilities instead of ransom seekers.
Hizonner 1 days ago [-]
... except that "policies" don't cut it. Criminal penalties for paying are what you need, and not just for payments to specific designated entities, either. The executive making the decision to pay has to have a real fear of personally spending time in actual prison.
gnopgnip 1 days ago [-]
US law has criminal penalties for paying a ransom to a designated criminal terrorist organization or under treasury sanctions.
esseph 1 days ago [-]
Most hacking groups don't fall under that. Some, sure.
cortesoft 1 days ago [-]
A criminal penalty is a form of policy
Hizonner 22 hours ago [-]
... but not the form of policy they actually have.
Except for payments to specifically sanctioned organizations, the policy is "we'd really rather you didn't do that, but whatever".
The specific sanctions don't cover most of the groups, either, and even when they do cover the group who got paid, you can't necessarily prove the people who got paid were the ones on the list. And there may be a scienter requirement even then; I don't know.
Making a list of specific criminals you can't pay is just stupid. No ransoms, ever, period, or it's da slammah.
mlyle 1 days ago [-]
There's one more piece that matters.
If no one pays the ransoms, but people believe that large ransoms are paid-- you still have the crime.
Ancapistani 1 days ago [-]
The obverse is true - because a ransom organization is dependent upon their reputation, a company claiming to have paid and received confirmation from the group could prevent them from releasing it as well.
The general public (including the next victims) don't have a way to confirm if payment was made. ShinyHunters would have to choose between arguing publicly that they were not paid or not releasing the data to protect their own reputation...
mlyle 1 days ago [-]
Good/funny observation. Game theory and economics are fun. :D
I do think that the partial information problem relating to new entrants into this market is interesting though.
The number of potential threat actors with partial/no information but that might speculate based on grandiose visions of ransom or outdated history is high.
We see dumb attempts at real-world ransoms/extortion which don't get paid at a pretty high clip based on this kind of partial knowledge.
HDBaseT 24 hours ago [-]
It's an interesting idea, although I think in the heat of the moment, the last thing your org should be thinking of will be playing games with one of the most prolific hacker groups on the planet.
You'll probably get your data leaked anyways, potentially get compromised again (see Instructure situation) and end up in a way worse place if you just shut up and paid it, or let it leak normally.
kjkjadksj 1 days ago [-]
While the US stance has resulted in savings on potential ransom, it has also led to people being kept in prison for a very long time until prisoner exchanges might be worked out. That cost to an individual's life being imprisoned is probably far in excess of whatever the US might pay. Plus the US prints its own monopoly money and doesn't really play by the rules of economics anyhow, ever since getting off the gold standard.
cortesoft 1 days ago [-]
This is literally the exact point I am making, and the US policy isn’t about saving money.
Like you said (and like I said in my post), for an individual kidnap victim, the best option would be to pay the ransom. It is better to pay the money and be free.
However, that means a kidnap group now has more money, which will make them better able to kidnap another victim and demand more money.
The point of a “no ransom” policy is that it takes the choice away from the individual, who would choose to pay it, and changes the game theory to make kidnapping not worth it.
The whole reason you need a policy at all is BECAUSE it is better for the person to pay the ransom.
appreciatorBus 1 days ago [-]
That ransoms today are denominated in USD and that the US might be printing too many USD has nothing to do with whether or not ransoms should be paid.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just a way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
WillPostForFood 1 days ago [-]
Cash is not the real cost; the cost is by agreeing to continue printing ransom money, you cause more individuals to be kidnapped.
AlotOfReading 1 days ago [-]
I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
applfanboysbgon 1 days ago [-]
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
Ancapistani 1 days ago [-]
Agreed.
This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.
New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.
Freak_NL 1 days ago [-]
The name ShinyHunters is currently quite well-known due to a number of high-profile hacks (Odido in the Netherlands this year was huge). Their brand has a significant value right now.
jasonfarnon 24 hours ago [-]
How does everyone know it's ShinyHunters and not someone pretending? I imagine they have some mechanism to authenticate; I'm curious what it is.
HDBaseT 24 hours ago [-]
Because ShinyHunters published they hacked Canvas on their own website.
They also redirected the Canvas login pages to a ShinyHunters message; whilst this could be done by another group/person, it's unlikely.
You can also validate PGP keys and TOX accounts, etc via their website.
jasonfarnon 18 hours ago [-]
OK, I didn't realize they had a stable website all this time. I guess it's all out there in the open with these groups.
onemoresoop 1 days ago [-]
Yeah, but fewer ransoms would be paid out regardless of who is attacking. They could be spoiling their own market, and I am sure they would.
AlotOfReading 1 days ago [-]
That's a motivation to avoid tragedy of the commons, not because they're trying to maintain their own reputation to victims. It benefits the criminals even if they change their name.
esseph 1 days ago [-]
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time.
Reputation is everything in a collective.
bombcar 1 days ago [-]
If we assume a world where ransomware is continually existent and all your data is ransomed at any time, we'd have a world designed to work around that.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems built on end-to-end encryption where the data is worthless.
zbentley 1 days ago [-]
I think you may have re-invented email reputation.
arjie 1 days ago [-]
An idea I idly thought about is that of a "Benevolent Terrorist"[0]: one who does great harm to some number of people so that they may make it to a better world. Not entirely original, I suppose, since the Kwisatz Haderach from Dune is the trope definer. But a fun thought I had was what if you ran a ransomware company that just didn't pay? You'd screw a lot of people over but eventually you'd make ransomware a non-business the better you impersonated them and failed to deliver after taking the ransom.
What stops a ransomware group copying all data and just selling it piecemeal on the darknet under possibly a different name?
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
ashleyn 1 days ago [-]
Another way to view this calculation: if you keep your infrastructure secure and up to date, you (very likely) don't have to pay any ransom in the first place.
joseda-hg 1 days ago [-]
There is a line where the ransom price beats the capex of keeping a secure system, especially when the risk is so nebulous.
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
nradov 23 hours ago [-]
Paying a ransom should always be illegal with federal criminal charges for the employees who authorize the payment. If businesses are destroyed or people die as a consequence then those are acceptable casualties.
LastTrain 1 days ago [-]
That operates on the idea that hacker organizations use long term strategic thinking, something the US government and a good number of corporations don’t even practice. I wouldn’t put my money on that.
john_strinlai 1 days ago [-]
While I am not about to bet the farm on the long-term strategic thinking ability of extortion groups, they are much smaller than most corporations and the US government, thus it's much easier to think strategically and execute on longer-term goals.
ShinyHunters, for example, has been active and acted as a cohesive unit for the past 7 years.
esaym 1 days ago [-]
> on the other hand, the ransomware groups that want to stay in business need to be honest
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
barkingcat 1 days ago [-]
One issue is that modern ransomware groups are also being hunted themselves - there are many ransomware orgs that are themselves being ransomed, so are not reliable.
even if you pay the ransom to the 1st group, the 2nd group will leak.
patrickthebold 1 days ago [-]
So, maybe we could consider a "White Hat" ransomware group that takes the money and also leaks the data, so that long term no one bothers to pay which ultimately disincentivizes ransomware attacks?
esseph 1 days ago [-]
White hats that take money are not white hats, those are grey hats.
LOL that's some super heavy duty optics framing on what basically amounts to "we paid out a ransom but don't worry the bad guys assured us things were okay"
aetch 1 days ago [-]
They said “received digital confirmation of data destruction (shred logs)” - is this supposed to fool users into thinking the hackers didn’t keep any of the data?
linksnapzz 1 days ago [-]
The criminals did not share the logs of them making a copy of the data before shredding it; so obviously that didn't happen.
I thought it was illegal to pay ransom to hackers. I guess it is legal or maybe it isn't very clear? I thought that there were certain conditions that the company had to check together with law enforcement so that at least the ransom money doesn't go to a hacker group that is on a government payments sanctions list.
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnerability involved the feature of Canvas called "Free-For-Teacher accounts".
JohnMakin 1 days ago [-]
Not only is it not illegal, there are insurance policies set up to take care of this very scenario. It's almost always handled by a third party, not the company themselves, that would deal with any such concerns.
dylan604 1 days ago [-]
It is illegal to pay terrorists. As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group. If they did, would they be able to send in SEAL Team 6 to handle the hackers?
Scoundreller 1 days ago [-]
> As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group.
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of the Foreign Corrupt Practices Act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
abigail95 1 days ago [-]
The people who do "AML checks" are the ones processing the transaction.
I don't do that every time I want to send money. Private individuals don't just "run checks" - it would make commerce untenable and possibly unconstitutional.
Say you get a passport, an address, a photo, a signature, a phone call - how do you verify any of this is real?
zbentley 1 days ago [-]
Cryptocurrency mitigates most of those concerns. That's why the flourishing of crypto payment systems has been an unalloyed blessing for cybercriminals.
bluGill 1 days ago [-]
No, it does not. It makes some things harder and some things easier. The public ledger means you can track where the money flowed - you might not know who had it, but you know how it flows, which is interesting. I don't know if it has happened, but I've heard of proposals to make any bitcoin that traces to some transaction illegal to have, and that means nobody who might get caught will have anything to do with those.
teddyh 9 hours ago [-]
“Payment must be made in small, used bitcoins.”
Scoundreller 1 days ago [-]
It can at a technical level but not at a legal level.
Your BigCo accounting department is not going to be very understanding about acquiring cryptocurrency to send to ??? for a ransom.
dylan604 1 days ago [-]
Isn't this why in other comments people have said that companies use third parties to pay the ransom rather than paying directly?
Scoundreller 1 days ago [-]
That’s my theory too. Setting up payments to a new vendor is hard enough even for the most legitimate.
An org’s Net30 terms aren’t going to work here…
wil421 1 days ago [-]
If they were in Iran a drone would’ve paid a visit, based on current events. Most of them are in Russia or the former Eastern Bloc like Belarus. The USA and the West don't want a direct conflict, so the drones never pay them a visit.
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
amarant 1 days ago [-]
A large percentage of hacking groups are state-sponsored Russians. That SEAL response would be starting WW3 over some PII.
Protecting PII is important, but it's not that important.
dylan604 1 days ago [-]
We started the pretext to WW3 over someone wanting to move the focus of attention, so it's really not that much of a stretch.
amarant 1 days ago [-]
Aye, I meant more in the sense of "it would be a bad idea", than "that's definitely not going to happen".
Predictions are hard, especially about the future!
altcognito 1 days ago [-]
Man, I don’t remember Putin wanting to move the focus of attention that bad.
MagicMoonlight 1 days ago [-]
Iran, Russia and North Korea are the biggest sources of ransomware.
fragmede 1 days ago [-]
The cyber terrorist groups North Korean Lazarus Group and Russian groups like APT28 (Fancy Bear) are on the US SDN list, among others.
peyton 1 days ago [-]
Search “cyber jihad” and “cyber islamic state” if you’re curious for answers.
calpaterson 1 days ago [-]
It often is illegal to pay them. They are often on sanctions lists, or indeed in embargoed countries. And it's just generally not allowed to pay unidentifiable parties for basic anti-money laundering reasons. And a lot of countries are bringing in new legislation to make paying illegal, starting with public sector organisations. I'm sure that will only expand.
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
JohnMakin 1 days ago [-]
I don't know where you are getting your information from. For one, it's very often unknown, by virtue of how these groups operate, where they are from or who they are affiliated with in the first place. For two, as I stated, it is such common practice to pay ransoms that there are insurance policies specifically for doing so, it's very common to purchase these as part of a SOP of a company's security policy. A business is required, often by the board/shareholders, to maintain business continuity, which is why these exist.
For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -
> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.
I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liaisons to deal with any such issues). Most ransomware attacks come from small, unknown groups.
If the bad guys get paid and release the info anyway, they not only make it less likely they'll get paid in the future, they make it less likely anyone will get paid in the future.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
kjkjadksj 1 days ago [-]
Why not wait a week and take the site down and ransom them again?
shlant 15 hours ago [-]
for the same reasons?
stavros 1 days ago [-]
Because why would anyone pay anyone if they were going to do what they threatened you with anyway?
terminalbraid 1 days ago [-]
> We received digital confirmation of data destruction (shred logs).
This is shockingly naive
j-bos 1 days ago [-]
I imagine they are not naive, they're counting on their clients being naive.
corvad 1 days ago [-]
What's to say they didn't copy the data then shred a copy, or hell even just fabricate some shred logs.
latexr 1 days ago [-]
In the abstract, it’s hilarious to imagine the hackers keeping the data, then some time from now leaking it accidentally (or another hacker group hacks them) then them having to issue a public apology for not having kept the stolen data secure and having lied about shredding it.
eaf7e281 1 days ago [-]
However, they could use it as a last resort or as a final "gift" before getting arrested or switching identities.
They might be considered "trustworthy" right now to get companies to pay them money, but no one will know what will happen in a few years when this strategy won't work anymore.
Anyway, I hope this doesn't come at all, or as late as possible.
latexr 1 days ago [-]
> but no one will know what will happen in a few years when this strategy won't work anymore.
Good point.
> Anyway, I hope this doesn't come at all, or as late as possible.
Same. As I said, I find the idea funny in the abstract, if it didn’t affect anyone or if it were a TV show, for example. But since it does affect real people…
omoikane 23 hours ago [-]
Hackers have an incentive to destroy the data as promised, because if it becomes a trend where the data is leaked despite the ransom being paid, no one would pay ransoms in the future.
Obviously this doesn't stop hackers from selling the data anyway and say "it wasn't us, someone else got the same data through a different hack".
Groxx 1 days ago [-]
Gotta hope that's just a PR attempt to try to save face. Though I wish companies would stop claiming it.
Cider9986 2 days ago [-]
>The data was returned to us.
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is ShinyHunters' website. Canvas was listed on it[4] and then removed[5].
I guess the incentive is for the hackers to not leak, so they can get away with the next ransom.
mbesto 1 days ago [-]
This is a good time to point out that when there is a data breach, data is rarely stolen. The real threat and harm is when data that is stolen is used against you.
embedding-shape 1 days ago [-]
> You wouldn't "return" data unless it was encrypted or the originals were deleted
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
delichon 1 days ago [-]
A good infotech public service project would be to maintain a public list of organizations that have succumbed to ransom demands, so that we can choose to take our business elsewhere. It would also be an act of bravery though in the face of potential liability for libel. I doubt disclaimers would evade much of that.
pretzel5297 1 days ago [-]
So you would rather take your business to somewhere that got hacked, didn't pay the ransom, and got customer data leaked?
delichon 1 days ago [-]
Yes, particularly if they are transparent about it.
pretzel5297 1 days ago [-]
Yeah, sorry. I don't believe you :)
tadfisher 1 days ago [-]
The customer data is already leaked, unless your threat model somehow includes trusting threat actors to keep said data confidential in perpetuity.
applfanboysbgon 1 days ago [-]
ShinyHunters has a vested financial stake in not leaking the customer data. If they did, nobody would ever pay a ransom to them again. I trust ShinyHunters to look out for themselves continuing to get paid.
tadfisher 1 days ago [-]
Sure. Do you trust every member of ShinyHunters to remain a member of ShinyHunters in good standing, and to resist the temptation to exfiltrate the data in the process of exiting ShinyHunters?
applfanboysbgon 1 days ago [-]
I would expect ShinyHunters to understand that traitors pose an existential threat to the group and to take measures to prevent a lone wolf from selling them out easily. That they have existed for 7 years already indicates they are probably not so amateur as to allow any individual member to walk off with data that would compromise their operation.
skywhopper 1 days ago [-]
This is a really silly take. Instructure also had a financial incentive not to get hacked. And yet…
applfanboysbgon 1 days ago [-]
No, it actually doesn't, which is the problem. The market has shown that there are no financial consequences to any company that gets hacked. Instructure could have just as well not paid the ransom, as many companies don't, and continued to be fine. Even if they do pay the ransom, it is likely that it is less than it would have cost them to engineer secure systems, so even if you take paying ransoms as necessary, market incentives still steer you to ignoring security.
aetch 1 days ago [-]
If you believe the hackers didn’t keep a copy of the data, you’re the target market.
jsLavaGoat 1 days ago [-]
Both of them got hacked so... yes.
latexr 1 days ago [-]
Theoretically, if it happened before and the ransom wasn’t paid, there’s both an incentive by the service to improve their security practices and a disincentive on the hackers to target that business.
Waterluvian 1 days ago [-]
I wonder if, longer term, we're better off if a company like this were in some way destroyed as a result of getting hacked and paying a bribe.
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
cube00 1 days ago [-]
I've never seen a company blame a data breach as the point where they started going bankrupt.
Customers never migrate en masse after a breach; 7000 underfunded and overworked education institutions are not migrating en masse.
So I feel safe to say there's no lasting impact to a company when a data breach occurs.
This will all be forgotten in a few months.
Ancapistani 1 days ago [-]
To be fair, I don't think I've ever seen a company identify the inflection point after bankruptcy, accurately or not.
LadyCailin 14 hours ago [-]
Probably, but without government regulation to make ruinous fines for allowing your data to be breached, the thought experiment is moot.
corvad 1 days ago [-]
I suspected as much, as it disappeared from the ShinyHunters page and it recovered so fast. The main thing I'm interested in knowing is how much was paid. Also, I don't really like their statement that the data is safe or destroyed; those promises seem a little questionable with regards to these incidents.
How do things like this work in terms of bookkeeping? How do they label the expense? Can a company send huge amounts of money to an unknown crypto account without needing to explain anything to the tax authorities?
mewse-hn 1 days ago [-]
It's the insurance company paying the ransom and I assume they tie the payment to the insurance policy they are fulfilling, I don't know what the tax implications would be, I am not in finance or an accountant
acomjean 1 days ago [-]
“Data recovery”?
evantahler 1 days ago [-]
Being that this is HN, do we know how they got hacked? Can we learn something about protecting our services?
cube00 1 days ago [-]
> We’re currently working to identify a robust list of Indicators of Compromise (IOCs) and will make those available to our customers.
It worries me they've only committed to making it available to their customers and not the public.
layman51 1 days ago [-]
I read online that it has to do with their "Free-For-Teachers accounts" which I assume is a way for teachers to get access to Canvas services for free when their school doesn't subscribe to it.
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on a Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions on data, and they end up throwing a bunch of different data into Salesforce.
sheept 1 days ago [-]
This blog post[0] suggests that, based on their changelog after the incident, the hackers may have extracted session tokens using XSS in a support ticket. Then the ransom note was displayed using a custom theme.
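The session-token-via-XSS theory above points at one concrete defensive check: whether the session cookie is even readable by injected script. The following is an added example, not code from the blog post, from Instructure, or from any commenter; the cookie names and Set-Cookie strings are constructed for the demo, and the list of "session-like" name fragments is an assumption. A cookie marked `HttpOnly` is invisible to `document.cookie`, so script injection alone cannot read it; `Secure` keeps it off plaintext HTTP and `SameSite` limits cross-site sending.

```python
"""Audit Set-Cookie headers for the attributes that blunt XSS session theft.

Added example (not from the blog post, Instructure, or any commenter).
All header strings below are constructed; the only thing taken from the
thread is the idea that an XSS payload can exfiltrate a session token.
"""
from dataclasses import dataclass, field

# Substrings that suggest a cookie carries a session or auth token (assumption).
SESSION_NAME_HINTS = ("session", "sess", "token", "auth", "sid")


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(header: str) -> CookieFinding:
    """Report which of HttpOnly / Secure / SameSite(Lax|Strict) a cookie lacks."""
    name, _, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")
    return CookieFinding(name, missing)


def audit_response(set_cookie_headers):
    """Audit only the cookies whose names look like session/auth tokens."""
    return [
        audit_cookie(h)
        for h in set_cookie_headers
        if looks_like_session(parse_set_cookie(h)[0])
    ]


# Constructed sample responses: a weak configuration and its hardened form.
WEAK_HEADERS = [
    "_app_session=abc123; Path=/",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "_app_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        for finding in audit_response(headers):
            status = "ok" if finding.ok else "missing " + ", ".join(finding.missing)
            print(f"{label}: {finding.name}: {status}")
```

Run it against the `Set-Cookie` headers of a real login response (for example, copied out of the browser's network panel) to see which attributes are absent. Note that `HttpOnly` only stops the token being read; script running in the page can still make authenticated requests, so it narrows an XSS, it does not neutralise it.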
Surely if they are demanding a ransom they somehow got server access to delete data. Would seem kind of insane to pay a ransom solely for an XSS.
corvad 1 days ago [-]
> Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.
Hmm. I thought all these agencies say NOT to pay a ransom.
bluGill 1 days ago [-]
Not always. They have been known to give "marked bills" to pay with in the past. A lot can be learned by watching how ransom money moves around (bit coin is very traceable this way). Sometimes paying a ransom is an important part of finding and arresting the guilty.
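The "watching how ransom money moves around" point above is, at its core, a graph walk over a public ledger. The following is an added example, not code from any commenter or from any real blockchain analysis tool; the ledger, addresses and watchlist are all constructed labels. It marks every address reachable from the payment address as tainted and records how many hops away it is.

```python
"""Follow the flow of a ransom payment across a public ledger.

Added example, not from any commenter or from real blockchain tooling.
The ledger is constructed: each entry is (txid, input_addresses,
[(output_address, amount), ...]). Addresses are labels, not real ones.
"""
from collections import deque

# Constructed transactions. tx4 deliberately mixes tainted and unrelated inputs.
LEDGER = [
    ("tx1", ["victim_wallet"], [("ransom_addr", 10.0)]),
    ("tx2", ["ransom_addr"], [("hop_a", 6.0), ("hop_b", 4.0)]),
    ("tx3", ["hop_a"], [("exchange_deposit", 5.9)]),
    ("tx4", ["hop_b", "unrelated"], [("commingled_out", 9.0)]),
    ("tx5", ["clean"], [("other", 1.0)]),
]

# Assumption for the demo: addresses an exchange has identified customers for.
WATCHLIST = {"exchange_deposit", "other"}


def build_successors(ledger):
    """Map each spending address to the (address, txid) pairs it funds."""
    succ = {}
    for txid, inputs, outputs in ledger:
        for src in inputs:
            for dst, _amount in outputs:
                succ.setdefault(src, set()).add((dst, txid))
    return succ


def trace_taint(ledger, start, max_hops=None):
    """Breadth-first walk from `start`; returns {address: hops_from_start}."""
    succ = build_successors(ledger)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if max_hops is not None and hops[cur] >= max_hops:
            continue
        for nxt, _txid in succ.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def watchlist_hits(ledger, start, watchlist):
    """Watchlisted addresses that received funds traceable to `start`, with hop count."""
    hops = trace_taint(ledger, start)
    return {addr: hops[addr] for addr in sorted(watchlist) if addr in hops}


if __name__ == "__main__":
    reached = trace_taint(LEDGER, "ransom_addr")
    for addr, n in sorted(reached.items(), key=lambda kv: kv[1]):
        print(f"{addr}: {n} hop(s) from payment")
    print("watchlist hits:", watchlist_hits(LEDGER, "ransom_addr", WATCHLIST))
```

The walk treats `commingled_out` as fully tainted even though only part of its input came from the ransom address; that over-approximation is the whole reason mixing services exist, and real analysis applies per-output heuristics and amounts rather than this plain reachability check.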
biesnecker 1 days ago [-]
Engaged != listened to.
sans_souse 1 days ago [-]
I would love to know the amount of ransoms paid by large companies who've been compromised without the public being informed. How much that undisclosed amount impacts inflation and the economy today is not talked about nearly enough, imo.
kryogen1c 22 hours ago [-]
Everyone's making a lot of good points about game theory and economic motivations, but there is a much more important and self-serving point: when you pay a ransom, hackers come after your shit x10.
Paying a ransom signals 3 things:
1) you are vulnerable to attack
2) you cannot recover from an attack
3) you've got cash
The result is that you get attacked much, much more. You could ask me how I know, but I wouldn't tell you :)
rottencupcakes 1 days ago [-]
What on earth does "returned the hacked personal data" mean?
yakkomajuri 1 days ago [-]
I believe attacks like this often include copying data and then deleting it from the victim's servers.
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
Freak_NL 1 days ago [-]
How is Instructure getting away with paying off the ransomware hackers? Is that still legal in Utah or something?
ibejoeb 1 days ago [-]
This happens every day, and there doesn't seem to be anything interesting about this case. It's how most situations are resolved. There are money transmitters that specialize in ransoms. They "do" sanctions checks that are about as good as you suspect they are.
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
mrkramer 13 hours ago [-]
Stop funding cyberterrorism.
> the deal means that the hackers have returned the compromised data of some 275 million users across more than 8,800 institutions.
Yea sure, they didn't keep the copy of stolen database. You know, criminals are very trustworthy people.
applfanboysbgon 1 days ago [-]
I've seen half a dozen comments in this thread suggesting that paying hacking ransoms should be illegal, but I strongly disagree, for multiple reasons. I'll just make this a top-level comment rather than picking one to reply to.
(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."
(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].
(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are illegal.
(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.
(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.
The problem is paying ransom to these groups gives teenagers millions of dollars in crypto to spend on more exploits and more insiders.
It is a race to the bottom. The teenagers have effectively unlimited time, millions of dollars and rocket launchers.
BobbyTables2 20 hours ago [-]
If customers suffer when a company doesn’t pay ransom - that’s a good thing.
Those (now former) customers can then be patrons of a competitor that doesn’t let such happen again.
applfanboysbgon 19 hours ago [-]
That's just not reality. Not least of which because competitors are exactly the same when it comes to security. Even if they weren't, security isn't something the market can realistically select for because it's not verifiable from a customer's perspective. A customer can clearly see, say, a price difference or feature difference, but cannot see a security difference in any meaningful sense. This is something that needs to be enforced at a regulatory level, there are many problems the free market cannot solve, and in fact market forces actively incentivize neglecting security.
linksnapzz 1 days ago [-]
The moral hazard of companies escaping scrutiny of their poor practices while simultaneously subsidizing the behavior that takes advantage of said poor practices at other companies needs to be addressed.
__MatrixMan__ 1 days ago [-]
I'm curious about the open source competition (https://github.com/moodle/moodle is my first find, there are likely others) and what they could've made happen with that money if they had received it instead as an investment re: not worrying about future ransomware attacks.
skywhopper 1 days ago [-]
Canvas itself is also open source (https://github.com/instructure/canvas-lms), which was the big appeal of it originally in a world where Blackboard had a stranglehold on the LMS market.
__MatrixMan__ 1 days ago [-]
Huh, neat! I had just assumed otherwise because everything else my university uses is nine kinds of proprietary.
Like, they recently tried to sell me to McMillian who then tried to sell me the "submit homework" button for $20. I complained and got exempted from having to submit homework, but that's par for the course in edtech right now.
Dumb move. You cannot trust that they won't leak it anyway to make additional profit, since they're not accountable except to their made-up name.
TruffleLabs 22 hours ago [-]
"The deal with the hackers included the return of stolen data and digital evidence that copies had been deleted, Instructure said."
Does "yes, I deleted the data" in an email count as digital evidence?
Zigurd 1 days ago [-]
There shouldn't have been a need to give in to hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like Canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
applfanboysbgon 1 days ago [-]
Backups do nothing to protect your customers from getting extorted to avoid their data being leaked.
Zigurd 1 days ago [-]
What extortable content should schools be creating? And if they are it's crazy that they are trusting it to school SaaS.
joseda-hg 1 days ago [-]
Enrollment or courses might not be generally super sensitive, but financing/financial data, personal identification like phone numbers and emails, chat logs and such
applfanboysbgon 1 days ago [-]
I mean, something as simple as name + grades is extortable. There are plenty of students who would not want their bad grades to be public information, and who would be upset with their school if the school allowed that to be leaked, or who may personally pay an extortion if contacted directly.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
SilverElfin 2 days ago [-]
Given they were hacked multiple times, couldn’t they just be targeted again by the same or different group? Why would it stop here?
Freak_NL 1 days ago [-]
The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
felooboolooomba 1 days ago [-]
So the hacker group could create an unregistered subsidiary and hack some more?
Freak_NL 1 days ago [-]
Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Mafia 101.
OneDeuxTriSeiGo 1 days ago [-]
They could but also why would they?
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe they come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
esafak 1 days ago [-]
If you squint you can think of it as pen-testing done economically right: how much do you really value your data??
OneDeuxTriSeiGo 1 days ago [-]
NGL that's pretty much what it is.
On the one side you have white hat hackers and pen-testers who you pay a contract or salary to prod your system. If you really piss them off (i.e. by stiffing them of their pay) some might just steal your data and threaten to leak it unless you pay them.
On the other side are black hat hackers who will drive by your system and if they find a way to break in they'll offer to keep your data private for a ransom fee. And maybe if you have some charisma, decent pay, and/or a good repertoire you might recruit them on/convert them into white hats for your org.
somenameforme 1 days ago [-]
Simple economic motivations from the hackers. They've hacked a lot of different companies. [1] If they didn't keep their word then companies would have no incentive to pay, and vice versa when they do keep their word.
It might make more sense for ShinyHunters to request a recurring charge to smooth out their revenue stream. Basically protection money, as it was called in the good old days.
This is of course assuming that Instructure continues to be relevant, and that students still believe that college education holds economic or social value.
jccalhoun 1 days ago [-]
I think Instructure has made themselves a target. I'm a professor at a college that uses Canvas and I'm going to be making sure I download the gradebook for my classes more often from now on.
vachina 1 days ago [-]
What data held by Instructure is so critical it warrants a ransom payment?
HDBaseT 23 hours ago [-]
Tons of stuff: usernames, first name, last name, email addresses. Most of this stuff isn't "private" per se, but it's also not publicly indexable for a reason.
Conversations between students, conversations between teachers and other students/staff or teachers. Course content, etc.
Giorgi 8 hours ago [-]
Problem with blackmail is that you never know if they made copies. Unless this is a well elaborated sting operation.
xvxvx 1 days ago [-]
Michael Jackson paid the ransom and look what happened to him.
doublerabbit 1 days ago [-]
It would be amusing to discover it turned out that the hackers were 14-year-old teenagers, bored with school.
cheschire 1 days ago [-]
The defendant, who calls himself “zero cool”, has repeatedly committed criminal acts of a malicious nature.
These are going to be people with clean credit histories to exploit, and ideal for using as ghost students.
Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.
Infrastructure’s motivations must have lain elsewhere…
Offer a reward equal to the ransom amount, to anyone who turns the kidnappers/criminals in to the authorities.
No, for the same reason fence manufacturers aren't financing burglars.
They'll just use it on more exploits, more nonsense. It's a race to the bottom. Sister group, Lapsus$ (parent group ShinyHunters) has published on their website they will pay for inside access to company networks. The group says they don't want data, they just want an avenue.
This is what happens when we keep paying these criminals millions in hard-to-trace crypto.
I do find it all a bit funny though.
KYC is a tool to prevent money laundering and it's typically an obligation of financial institutions. Sending money to an anonymous (to you) recipient is generally not a KYC violation if you are not in the money transmitting business and you aren't doing the payment on behalf of someone else.
There are infinite shades of gray in this topic, of course, but I can't see AML being relevant in this particular case.
From Claude, maybe it's a little nuanced compared to conservative corporate policies, but doesn't feel very legal: "You can be charged with money laundering (18 USC 1956/1957 in the US, equivalents elsewhere) if you knowingly — or with willful blindness — process proceeds of crime. "I didn't ask" is not a defense if the circumstances were suspicious; deliberately avoiding KYC to preserve deniability is exactly what willful blindness doctrine targets. The recipient doesn't need to be formally sanctioned; the funds just need to be tainted."
Probably should consult an attorney before paying a ransom (whether for kidnapping or other purposes).
Extortion and terrorism seem similar in many ways except the latter involves physical harm.
I’d assume a company paying money to terrorists shouldn’t be acceptable.
It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.
Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.
>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
You would hope they would then upgrade the cardboard.
And yes, the company's executives should be jailed.
It's a boon to both the company and the country when a hacker makes a big public deal out of it. Because they get the chance to repair something before its intentional damaging misuse by a hostile state actor.
The hackers here deserve every cent plus possibly more.
And there's always the problem that the hackers would still get paid, they just won't report the payments, making tracking difficult.
Not really. Muggings are both more common and less traumatic than kidnappings. This is reflected in the fact that common and maximum sentences for kidnappings are universally more extreme than those for muggings.
> Would you really deny people the ability to save their loved ones?
...yes. Because it means significantly fewer kidnappings. "Deny people the ability to save their loved ones" is tantamount to "help others to lose their own."
Idk. That’s a step (sentencing guidelines) after we decide it should be criminalized.
> The maximum sentence is less than mugging after all.
They’re in the same ballpark, 2 to 6 years or so.
You decide it should be criminalized before you identify any harms?
> They’re in the same ballpark, 2 to 6 years or so.
You can just look it up. Maximum sentence for mugging is 30 years, ransomware is 20.
No. We have a measure of the harms. We haven’t balanced them for sentencing. Again, deciding something should be illegal doesn’t require obsessing over the sentence ex ante.
> Maximum sentence for mugging is 30 years
Not the norm, either for maximums [1] or usual sentences.
[1] https://en.wikipedia.org/wiki/Robbery_laws_in_the_United_Sta...
I think the Bloomberg Odd Lots guy wrote a blog post on this: you could attempt to short the stock but a) this leaves a paper trail b) the market might not know about the breach or believe you if you post you’ve done it. IIRC some hackers have tried to tell companies that they are legally required to disclose the breach to their shareholders to force market movements.
Or do both, I suppose; just because someone pays a ransom there is no guarantee the hacker destroys the data.
Russia and North Korea are the main names that come up as exceptions; they will protect their own people.
Americans are more kidnapped globally when we look at an equal distribution of population (i.e., in the same pool in a generic country, Americans are more likely to be kidnapped, according to the James Foley Foundation).
Europeans are more likely targets in Africa due to our presence there (mostly NGOs).
The differences will be statistical, not motivated by a no-pay policy.
After all a lot of the data companies have isn't their own, it's their customers. They are the ones who suffer because businesses don't bother securing their crap.
On the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they won't be 'credible' ransomware operators, which is kind of funny to think about. And in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. So paying is the best for current victims (but increases the potential for future victims).
The dynamics/economics around ransomware are fascinating.
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
https://en.wikipedia.org/wiki/Collective_action_problem
https://en.wikipedia.org/wiki/Prisoner%27s_dilemma
https://www.kiplingsociety.co.uk/poem/poems_danegeld.htm
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
They might not believe that, but if you're at the point where you're paying anyway, you might as well try to get that commitment from them.
It's not a good situation to be in, but still, try to make the best of it.
For any individual within the ransom group, they can get a big payout by selling the data.
Messages between students and instructors? Likely pretty boring, but possibly embarrassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
Though I wouldn't be surprised if some 40 year old university IT system requires its use as an identifier, regardless of whether or not it gets printed anywhere.
Yikes.
But it is 100% happening.
People do amazingly stupid things with systems, especially when they don't have enough people with the expertise to set them up properly, so they just throw things in there without stopping to think about whether or not it's a good idea.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
You are leaking email addresses that likely otherwise wouldn't be out there publicly. Whilst email addresses and names are "effectively" public, they aren't just in a one big database anyone on the planet can access.
Every single one of those email addresses will receive increased spam and phishing attempts, with more isolated information (such as School, First+Last Name, Subjects, Teachers/Lecturers, etc) the phishing attempts can be more refined.
I.e., a student receives an email that looks like it's from their school (has email footer, has student name, has relevant teacher name, subject name, etc.), and the user is now more likely to click some sketchy link.
These little identifiers add up, especially when cross-referenced with other leaks. Even more problematic when most of the users wrapped up in a leak like this are under 18 too.
A lot of this stuff could be done previously, although the effort and scale to do so would have been higher/harder.
They've already proved themselves to be untrustworthy simply by ransoming you in the first place.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
This will progress the game theory to the point where nobody will pay ransom because the thieves won't honor the deals anyway.
The real value though is enough people consider themselves honest and won't do anything they know is illegal. They already hate dealing with criminals, but so long as paying is legal they might do it, but as soon as it affects their moral code they won't. The whole system collapses because just a few people saying no to paying means the kidnappers lose money on too many operations.
What I want to know is what exactly are the lawful repercussions for the person who paid.
I doubt if everyone would be better off if state level actors found and used these vulnerabilities instead of ransom seekers.
Except for payments to specifically sanctioned organizations, the policy is "we'd really rather you didn't do that, but whatever".
The specific sanctions don't cover most of the groups, either, and even when they do cover the group who got paid, you can't necessarily prove the people who got paid were the ones on the list. And there may be a scienter requirement even then; I don't know.
Making a list of specific criminals you can't pay is just stupid. No ransoms, ever, period, or it's da slammah.
If no one pays the ransoms, but people believe that large ransoms are paid, you still have the crime.
The general public (including the next victims) don't have a way to confirm if payment was made. ShinyHunters would have to choose between arguing publicly that they were not paid or not releasing the data to protect their own reputation...
I do think that the partial information problem relating to new entrants into this market is interesting though.
The number of potential threat actors with partial/no information but that might speculate based on grandiose visions of ransom or outdated history is high.
We see dumb attempts at real-world ransoms/extortion which don't get paid at a pretty high clip based on this kind of partial knowledge.
You'll probably get your data leaked anyways, potentially get compromised again (see Instructure situation) and end up in a way worse place if you just shut up and paid it, or let it leak normally.
Like you said (and like I said in my post), for an individual kidnap victim, the best option would be to pay the ransom. It is better to pay the money and be free.
However, that means a kidnap group now has more money, which will make them better able to kidnap another victim and demand more money.
The point of a “no ransom” policy is that it takes the choice away from the individual, who would choose to pay it, and changes the game theory to make kidnapping not worth it.
The whole reason you need a policy at all is BECAUSE it is better for the person to pay the ransom.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just a way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.
New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.
You can also validate PGP keys and TOX accounts, etc via their website.
Reputation is everything in a collective.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems built on end-to-end encryption where the data is worthless.
What could go wrong? ;)
0: https://wiki.roshangeorge.dev/w/Benevolent_Terrorist#Poisoni...
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
shinyhunters, for example, has been active and acted as a cohesive unit for the past 7 years.
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
even if you pay the ransom to the 1st group, the 2nd group will leak.
https://en.wikipedia.org/wiki/Grey_hat
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnerability involved the feature of Canvas called "Free-For-Teacher accounts".
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of the Foreign Corrupt Practices Act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
I don't do that every time I want to send money. Private individuals don't just "run checks" - it would make commerce untenable and possibly unconstitutional.
Say you get a passport, an address, a photo, a signature, a phone call - how do you verify any of this is real?
Your BigCo accounting department is not going to be very understanding about acquiring cryptocurrency to send to ??? for a ransom.
An org’s Net30 terms aren’t going to work here…
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
Protecting PII is important, but it's not that important.
Predictions are hard, especially about the future!
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -
> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.
I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liaisons to deal with any such issues). Most ransomware attacks come from small, unknown groups.
[0] https://www.fbi.gov/how-we-can-help-you/scams-and-safety/com...
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
This is shockingly naive
They might be considered "trustworthy" right now to get companies to pay them money, but no one will know what will happen in a few years when this strategy won't work anymore.
Anyway, I hope this doesn't come at all, or as late as possible.
Good point.
> Anyway, I hope this doesn't come at all, or as late as possible.
Same. As I said, I find the idea funny in the abstract, if it didn’t affect anyone or if it were a TV show, for example. But since it does affect real people…
Obviously this doesn't stop hackers from selling the data anyway and saying "it wasn't us, someone else got the same data through a different hack".
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is ShinyHunters' website. Canvas was listed on it[4] and then removed[5].
[1] https://www.youtube.com/watch?v=IeTybKL1pM4
[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...
[3] https://xcancel.com/zachxbt/status/2012212936735912351
[4] https://archive.ph/4zD7f
[5] https://archive.ph/NYWbJ
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
Customers never migrate en masse after a breach; 7000 underfunded and overworked education institutions are not migrating en masse.
So I feel safe to say there's no lasting impact to a company when a data breach occurs.
This will all be forgotten in a few months.
[1] https://xcancel.com/search?f=tweets&q=1968412640398430555
https://www.instructure.com/incident_update
It worries me they've only committed to making it available to their customers and not the public.
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on a Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data, and they end up throwing a bunch of different data into Salesforce.
[0]: https://cyber.acmucsd.com/canvas (disclosure: I was involved with this org when I was a student)
Hmm. I thought all these agencies say NOT to pay a ransom.
Paying a ransom signals 3 things: 1) you are vulnerable to attack 2) you cannot recover from an attack 3) you've got cash
The result is that you get attacked much, much more. You could ask me how I know, but I wouldn't tell you :)
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
>the deal means that the hackers have returned the compromised data of some 275 million users across more than 8,800 institutions.
Yea sure, they didn't keep the copy of stolen database. You know, criminals are very trustworthy people.
(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."
(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].
(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are illegal.
(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.
(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.
[1]https://2021-2025.state.gov/briefings/department-press-brief...
It is a race to the bottom. The teenagers have effectively unlimited time, millions of dollars and rocket launchers.
Those (now former) customers can then be patrons of a competitor that doesn’t let such a thing happen again.
(https://www.instructure.com/incident_update#:~:text=STATUS%2...)
[1] - https://en.wikipedia.org/wiki/ShinyHunters