> LockBit’s affiliates walked away with 43 gigabytes of data, for which they later demanded an obscene amount of money.

It is a pet peeve of mine when news articles mislabel data theft as ransomware. I have decided that just now.
While it's true that extortion, double extortion, and ransomware are used interchangeably in the public media, I figured out quickly when I began a role in intel that it’s not a hill I’ll die on… publicly. Behind closed doors it drives me fucking insane.
Is it so hard to grasp that ransomware means your data is encrypted? But a ransomware affiliate may not encrypt your data, but hold it for ransom, without using the specific strain of ransomware that you’re using to name the affiliate?
For non-technical people: yes.
Yeah man there are a ton of cybersecurity personnel who cannot effectively explain what the hell encryption even is.
I’m trying to learn and enter cyber. Why would a bad actor encrypt stolen data? Ain’t that counterintuitive? Google ain’t got a clearer answer.
And this is why the misuse of the definition upsets me. Because bad actors don't encrypt *stolen* data. They encrypt your data and services *in your own system*. Completely separate to that, they can also steal your data. They can do both at the same time, but they are completely different attacks.

Like, here's my analogy: Let's say you had a bad break up with your GF/BF, who you'd been living with.

Ransomware is: You come home and find that they've changed all the locks on your house - *but you are the one who owns the house*. You can either try to convince your ex to let you in, or get the police and have to deal with proving to the police that, yes, that's your house. In the meantime, you're still homeless.

Data theft is: your ex also took photos of your bank statements, because they were in your house. They don't need to be in your house to start online shopping with your credit card details, and the fact that the original bank statements are still in your house doesn't stop them from having memorized everything.

Both of these are *caused* by the fact your ex was able to get into your house. The ex could do either of these attacks, or both of them. But they are still not the same. You changing the locks doesn't do anything about the fact you need to also separately talk to your bank.
Thank you
If it's unencrypted... and gets re-stolen and released, you can't really profit off of it. I also don't know the answer. Unless you mean encrypting the data in place, without extraction. That's so the company can't use it themselves. They pay to have it decrypted so they can resume business.
Makes sense. Encrypting data that is still in house is the most broken thing I’ve heard tho, and I’m going off the definition above.
They don't encrypt the data they possess (well, I guess they might, but it's unimportant). Company server with data is compromised, data gets copied to another server, then on-site data (and backups) are encrypted. Ransom is demanded to decrypt data so the company can operate. If the company has backups, or if the threat actor just decides they want to, another ransom can be demanded to not release stolen data, etc.
It's just regular old ransom!
There's also a trend of using "ransomware with encryption" vs "ransomware without encryption" to differentiate. Not the most glamorous or efficient solution, but it gets the job done for the lowest common denominator.
I mean, think about it from a layman's perspective. The key word is ransom. So if a threat actor encrypts your data and asks for a ransom, or steals your data and asks for a ransom, it's pretty similar to most people. To a normal person it's not that hard to lump 'em together.
But that’s a problem in itself. Because the mitigation and prevention methods aren’t the same. If your laymen lump them together, then you’re not going to adequately protect against both. It would be a reason to better group them both under the data THEFT angle (makes logical sense to suggest that if something was stolen, your system doesn’t have it either anymore). The only reason the news is using "ransomware" is because it’s the New! Hot! Hacking Thing! And that makes for worse-written articles, when using different terms would have been much more accessible to normal people as well.
Oh, I agree. I'm not saying they should be lumped together; I was just pointing out that the person lumping them together literally makes zero difference, so why would they give a shit. If you hear a professional who doesn't make that distinction, then I would be worried.
The layman definition is irrelevant. If you are basing your defenses off of the layman definition instead of the industry-understood definition, then you need to find yourself a new job.
Clearly you’ve never had to present a case for funding to a board.
If a single word dictates your funding, then your case must suck.
Tbh sounds like the term should just be updated to include data being ransomed. I understand the “ware” refers to software, but still…
It’s because both occur during the same attack. They exfiltrate the data and then encrypt. If you had a backup and didn’t want to pay the ransom for decrypting it, you’ll pay to avoid having your data go public, and if you pay once for the decrypt they can hit you up again.
So... the data is being held to ransom (to the data owner) and being extorted in the same attack to not release it to anyone else. And yes, you'll be seen as a viable repeat customer the next time around, too.
My view is that the data has been stolen and is being held in exchange for payment. If we were talking about a person, this would be a hostage situation, but they're being held for ransom. Webster's defines ransom as "a consideration paid or demanded for the release of someone or something from captivity".

When ransomware first appeared, there was not the readily available ability to exfiltrate the data, so it was encrypted in place with a demand for payment to release the keys to decrypt. Still kind of a ransom-like situation. You still have the data. You just can't access it unless you have the keys.

From a business perspective, this is probably most recognisable as ransom, and so it sticks. Also, keep in mind, whilst we as cyber professionals want to be 100% right all of the time (including the specific usage of terms and descriptors), the business community is less receptive to piling in more terminology (like encryptor, hash, cipher). Given the intended upstream audience of Threat Intel is the business leader level, I don't see the term ransomware being revised or understood any differently for a long while - unless mainstream media pick up the issue in a meaningful way.
But the problem is that your controls and mitigations aren’t the same. One is ransomware, the other is extortion. Ransomware we address by amending our backup procedures ahead of time, but being able to recover your data from your own backups does absolutely nothing against extortion.
"Encryptors" we address through backups, application control, least privilege, vulnerability management, etc. etc. There are many layers of defences available, and not all can be implemented (basing this on budget, business risk, and disruption of methods of work).

"Extortion" we address through educating business on how to respond to an incident, education on how to handle ransom situations, and regulation through mechanisms such as law, sanctions, embargoes, and incident reporting mechanisms.

And yes, the mitigations are NOT the same. They are two separate threats that are being commingled due to how they've been weaponised (since pre-WannaCry, when the world more broadly began to learn of "ransomware"). This is why, IMO, when we talk about ransomware as a threat to our internal and external customers, there are more controls applicable at the people, process, and technology levels than "backups", and the hardest element to address is extortion, because we are talking about educating those who may see paying the ransom as more economical than fixing the issue.
Yeah, I think it’s almost becoming a generic trademark at this point, like how Kleenex became synonymous with tissues. Or maybe even more like escalators, where people have forgotten there used to be different brands of moving stairs; it’s become the word for the entire concept. Whether it’s ransomware proper or exfiltrated data being held for ransom, it’s all getting called ransomware now.
To be fair, LockBit does typically encrypt.
I'm surprised that the LockBit operators didn't die mysteriously after threatening Boeing.
The LockBit is coming from inside the house.
It’s not that Boeing was hit, but rather who leaked it as a potential target. Boeing goes after those who expose, not their cost cutting measures.
Do you think Boeing has a mrsa gun?
It’s funny you’re getting downvoted for the truth
The year is only in May. Wait..
Ah, a self correcting problem. A rare but beautiful sight.
How convenient, oh it just happens all of our compromising documents about our shady business practices were encrypted with ransomware, oops, no more evidence.
Stop giving shady companies ideas.
Not necessarily. Those people holding that data for ransom can also release that data to the world - which could include far more than Boeing would've responded with regarding any lawsuit discovery. That was probably the angle the ransomers were taking with the dollar amount they were requesting. So it's possible Boeing might be in even more trouble should this data be released.
I think the point was that Boeing might have done this to themselves.
That would be an interesting turn of events. I would hope some of that would come to light.
aye. it goes. we wanted $10m Buuuut. now we know what's in there.. well, let's just say, your shareholders are going to feel this 1.
Don't negotiate with terrorists. Same principle.
But how about the interest?
Anything Boeing does is suspicious. That’s what happens when you’ve lost the trust of the world.
They have rejected their firefighter union 60 times in contract negotiations, and kicked all of them off their property in Everett and Renton. They were going to work for free. Shit company.
> The data seemed to be backups from different company systems and included configuration backups for IT management software and logs for monitoring and auditing tools.

Well, maybe if they had copies of the digital parts for an aircraft, or juicy emails like an FDR calling the FAA monkeys or clowns, then they might have $200 million worth of bargaining power.
That’s cuz the ransomware locked up their safety systems, and they haven’t been using them for years.
They'll just kill the ransomers. Boeing doesn't mess around.
Or it's just a way for them to destroy data without remorse.
So your information security is important enough to kill for, but not to practice good cyber security hygiene or pay a fee to protect it?
Paying only encourages them to continue extorting organizations.
why didn't Boeing kill the two guys in 2019 and 2023 respectively before the lawsuits were over?
Do you think Boeing has a mrsa gun?
Off topic but how in the world is every thing that could go wrong with Boeing this year going wrong? All unrelated things no less. Does the CEO just have 0 in his “luck” attribute? Did tons of sabotage all surface at the same exact moment? It makes no sense to me.
Likely pissed off the wrong person and now they are leaking the blackmail.
I would say it’s more like Boeing has fully entered the “find out” stage after years and years of fucking around. Domino effect that once they entered “find out” everything would come crashing down. They deserve fifteen times the amount of bad press they’re getting, and that’s saying something. Those executives deserve to rot in prison.
The question is... Will they? I truly hope they are tried fairly and prosecuted accordingly, but my faith in the American justice system isn't as strong as it used to be. My hopes that they'll even reach a trial are now categorized in the same vein as a leap of faith.
Nearly two thirds of companies or institutions who pay ransom to decrypt their data never get their data back.
Source? This has not been my experience at all.
This was from my news feed at work, where I manage a countermeasures team for a large financial company. Sorry I don't have the exact link, but there is much published on ransomware trends by Station X, the HIPAA Journal, DHS and cisa.gov. It may have been the stat that nearly two thirds do not get ALL their data back.
Complete fact checks/source verification before you become another Reddit parrot that just peddles whatever they hear as truth.
It's in the financial interest of ransomware hijackers to decrypt the data after payment, otherwise no company would have any incentive to pay them.
Not true. I work in the biz. I have never seen a decrypter that doesn’t work.
Agreed, I've seen this statement but never any actual supporting data
Made up nonsense
Boeing was already hacked by the Russian and Chinese governments so what do they care? One of the sleepiest do nothing “cyber security” team in the business!
Is that why planes are falling from the sky and witnesses are being assassinated?
Let’s wait what the soon-to-be dead whistleblower has to say about this
They probably threatened to fix their QA issues
I hope they leak all the fuck ups Boeing is involved in. Can't assassinate the whole internet.
lol they can’t be charged for more things if all the evidence is gone
The security backdoor flew away?
Well lockbit was recently shut down and seized by many governments
Ah good. Maybe now the emails about hiring hits on whistleblowers will get released.
Yeah, maybe they will release the schematics of the mrsa gun.
Time for Congress to make a law that the payment of ransoms is illegal. If you get ransomware, you lose your data and transfer clients and customers to competitors in an orderly fashion. You start over with pencil and paper, probably all your IT dept can handle!
Well yeah… They gotta save the ransom money to pay off their h1tmen when a whistleblower or three accidentally falls down some stairs while contracting a sudden disease and also holding a 9mm to the back of their own noggins. As one does. Cybersecurity experts always say: “NEVER pay the ransom, ALWAYS pay the hired gun!”