3 Candles on No More Ransom’s Cake

Don’t pay the ransom: That’s the message from the aptly named No More Ransom initiative.

A global partnership between public and private sectors, including community involvement, the project has grown 151-strong over three years. By helping victims access free decryption tools, the group has prevented hundreds of millions in ransom payments—by some estimates, as much as a billion dollars.

So why won’t U.S. law enforcement play? In today’s SB Blogwatch, we won’t pay.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jon’s makes it up.


Up and To the Right

What’s the craic? Warwick Ashford counts the “reasons to support No More Ransom”:

 The No More Ransom portal [which] aims to help victims of ransomware to recover their data without having to pay ransom to cyber criminals [claims it] has saved ransomware victims … $108m in the past three years. … It was started as a joint initiative by the Dutch National Police, Europol and McAfee … the first public-private partnership of its kind, offering … victims an alternative solution to losing their precious files or having to pay … criminals.

The partners include 42 law enforcement agencies, five EU agencies and 101 public and private entities. [With] more than three million individual visits … from 188 countries, the project has become a one-stop shop for the victims of ransomware.

The third anniversary of No More Ransom coincides with a resurgence of ransomware around the world … with the UK being the worst-hit [where] ransomware is up 195% [year on year].

Blame Brexit? Catalin Cimpanu celebrates the historicity of the “No More Ransom project”:

 [It’s] the three-year anniversary of the No More Ransom project. … The project, which launched in July 2016, now hosts 82 tools that can be used to decrypt 109 different types of ransomware.

Most of these have been created and shared by antivirus makers like Emsisoft, Avast, and Bitdefender [or] national police agencies; CERTs; or online communities like Bleeping Computer. … An Emsisoft spokesperson [said] the $108 million estimate … is “actually a huge underestimate. … It’d be more accurate to say … north of $800 million.”

[It] now has more than 150 partners across the world. … The only oddity in No More Ransom’s make-up is the lack of any US-based law enforcement agency.

Most of the site’s visitors came from South Korea, the US, the Netherlands, Russia, and Brazil.

Speaking of the Bleeping Computer community, here’s Lawrence Abrams, who calls the partnership a “Success Story”:

 [We joined] the project in 2018 so that we could offer our decryptors, information, and help to a wider range of victims. … Since May 2019, the decryptors … many of which have been created by Michael Gillespie, have been downloaded over 320,000 times. Our overall lifetime number is probably in the millions.

Ultimately, it doesn’t matter how much money is saved, but rather how many people get their files back for free. It is just as important for a parent to recover the pictures of their loved ones as it is to recover a corporate network.

True, dat. Steven Wilson, Head of Europol’s European Cybercrime Centre, has “108 million reasons to celebrate”:

 When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever.

No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: The international community stands together with a common goal. Operational successes … will continue to bring the offenders to justice.

Lock ’em up! But Mieke Eoyang notes a curious piece missing from the PR:

 Great infographic on impact, but one notable omission – how many convictions?

So why no U.S. involvement? After all, as Jareth Trigwell notes, “many US public entities being hit”:

 Within the same week in June 2019, two Florida towns fell victim to ransomware and paid a little over $1 million to hackers. … Since 2013, there have been 169 successful ransomware attacks on state and local US governments.

In 2018, Atlanta, Georgia, was hit hard by SamSam ransomware, which knocked out a range of critical public services. … In April 2019, Ryuk ransomware infected a number of municipalities … disrupting department phone lines in Imperial County, California and forcing system shutdowns in Stuart, Florida. [In] May 2019, hackers used a new strain of the RobbinHood ransomware to take control of 10,000 computers belonging to the Baltimore government.

Many cybercriminals believe that public departments will respond more quickly than organizations in the private sector and be more willing to hand over the ransom. … However, research shows that this may not be true.

At both a federal and local level, most municipalities strongly discourage their departments from making ransomware payments. In much the same way that most countries won’t negotiate with terrorists.

In an ideal world, public entities would invest heavily in cybersecurity and have robust strategies … to mitigate the effects of ransomware. [But] many local public departments either don’t have the budget to keep … infrastructure up to date, or are … behind the curve due to bureaucratic inefficiencies. … Until we see a radical shift in how municipalities approach … cybersecurity in general, [it’s] probable that we’ll continue to see more ransomware attacks on the public sector.

And how do these tools work? Ask Dan Bugglin:

 No More Ransom handles ransomware that has flawed encryption implementations where it is possible to determine the decryption key far easier than if the encryption was properly implemented and strong enough.

Or by seizing servers. Meet John Fokker (and Raj Samani):

 [It’s] the digital equivalent of Sophie’s Choice: pay criminals or potentially lose your business. [So] three years ago … the public and private sectors drew a line in the sand against ransomware.

No More Ransom began because of an operational problem that could only be solved through collaboration. A Law Enforcement Agency had seized a server which contained private keys that could help decrypt thousands of victims.

A Law Enforcement Agency is bound by a geographical jurisdiction; further, developing decryption software is not its core competency. Fortunately, both global reach and software development happened to be exactly what cybersecurity companies could bring to the table.

The initiative has expanded at an enormous rate. … We remain confident that, together, we can continue to take a stand and disrupt this form of cybercrime.

Meanwhile, Billly Gates offers this radical alternative:

 Competent system administrators can use a new bleeding-edge technology called … Backups.

And Finally:

Jon asks all the important questions


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Europol


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
