Let's talk Ransomware

Started by grnidone, February 29, 2024, 08:19:42 PM


grnidone

Reading a thing today about United HealthCare, which was recently down due to ransomware.
https://www.reuters.com/business/healthcare-pharmaceuticals/us-pharmacy-outage-triggered-by-ransomware-unit-unitedhealth-sources-say-2024-02-26/

Someone hacks the system and shuts things down. Then they contact the company saying "Pay us and we will give your system back"?

How often do the ransomers actually keep their promise after getting the money?
Or do the ransomers just take the money and leave?
Are they ever caught and brought through the legal system?
And is there insurance to pay the ransom?
And if they do pay the ransom, doesn't it just make ransomers ransom more?


rcjordan

From what I've read:

>How often do the ransomers actually keep their promise after getting the money?

Usually they keep their promise... because they need the next target to believe that they will honor the deal?


>Are they ever caught and brought through the legal system?

Occasionally. National law enforcement (FBI, etc.) partners with the ransomers' host country's law enforcement IF they find them. I've seen more partial money 'clawbacks' than arrests in the headlines.


>And is there insurance to pay the ransom?

IIRC, my small business policies began to exclude ransom & hacking.  You could buy $$$$pecial riders, of course.


>And if they do pay the ransom, doesn't it just make ransomers ransom more?

Yes, I think so. 

rcjordan


Torben

Most businesses have backups of their systems. Most companies have never tried to restore a backup and have no idea if it is possible.

Most medium and large businesses have intrusion detection but most of them have no idea what to do when an intrusion is detected.

If you have got one computer which is infected with ransomware, you can just restore it from a backup and move on. But if you have a system of multiple internal and external services, restoring a backup will remove the ransomware but leave a mess of out-of-sync systems. Think of credit card authorizations that are no longer registered, or ERP orders and invoices that are not registered correctly.

There can be a lot of data missing from the last backup to the time you decide to restore, and it can be a huge task to figure out this mess. Banks have plans for this, but most other companies don't.

The EU NIS2 directive requires companies to make plans for such events, but most companies still haven't got a clue about what to do.
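The "mess of out-of-sync systems" Torben describes is a reconciliation problem: everything that happened between the last good backup and the restore point is gone from the restored system but still known to external parties. Below is an added example (not from this thread or any product) with constructed data: it compares a payment processor's authorization log against a restored ERP's order table and lists what must be replayed or voided. The record layout, order IDs and timestamps are assumptions.

```python
"""Post-restore reconciliation for the gap between the last backup and the
restore point. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Auth:
    auth_id: str
    order_id: str
    amount_cents: int
    status: str  # "captured" or "voided"
    ts: datetime


# Constructed: the processor's log covers the whole outage window.
PROCESSOR_LOG = [
    Auth("A1", "O-100", 4500, "captured", datetime(2024, 2, 20, 9, 0)),
    Auth("A2", "O-101", 1200, "captured", datetime(2024, 2, 20, 10, 0)),
    Auth("A3", "O-101", 1200, "voided", datetime(2024, 2, 21, 8, 0)),
    Auth("A4", "O-102", 9900, "captured", datetime(2024, 2, 21, 10, 0)),
    Auth("A5", "O-103", 300, "captured", datetime(2024, 2, 21, 11, 0)),
    Auth("A6", "O-103", 300, "voided", datetime(2024, 2, 21, 12, 0)),
]
# Constructed: backup taken at noon on 2024-02-20; orders it knows about.
BACKUP_TS = datetime(2024, 2, 20, 12, 0)
RESTORED_ORDERS = {"O-100": "paid", "O-101": "paid"}


def reconcile(processor_log, restored_orders, backup_ts):
    """Return orders the restored ERP must repair, grouped by action.
    'replay': captured after the backup but unknown (or unpaid) in the ERP.
    'void'  : ERP shows paid, but the processor voided it after the backup.
    Only the latest processor state per order matters, so an authorization
    that was captured and then voided inside the gap needs no action."""
    events = sorted((a for a in processor_log if a.ts > backup_ts),
                    key=lambda a: a.ts)
    latest = {}
    for a in events:
        latest[a.order_id] = a  # later events overwrite earlier ones
    todo = {"replay": [], "void": []}
    for order_id, a in sorted(latest.items()):
        erp_state = restored_orders.get(order_id)
        if a.status == "captured" and erp_state != "paid":
            todo["replay"].append(order_id)
        elif a.status == "voided" and erp_state == "paid":
            todo["void"].append(order_id)
    return todo


def sample_report():
    """Run the reconciliation over the constructed data above."""
    return reconcile(PROCESSOR_LOG, RESTORED_ORDERS, BACKUP_TS)
```

The real work is the same idea at scale: every external counterparty (card processor, bank, suppliers) becomes a source of truth for the window the backup does not cover, which is why a restore drill should rehearse this step and not just the file copy.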


rcjordan