It's a little surreal how little they were asking for. The hackers asked for $1,000,000, or less than $4 per patient affected. Am I off here, or is the cost kinda low?
AFAIK most ransomware attacks are for similarly small amounts... small relative to the value of the data the hackers have taken hostage anyways. And I would assume the reason for that is so their victims feel it's easier to simply pay the ransom and sweep the security breach under the rug, rather than risk losing their data, tarnishing their reputation in the event of a leak, and/or needing to involve law enforcement.
It's very low. I know it's not a direct comparison, but in the US, HIPAA violations cost something like $50 per record up to $1.5m for a violation of a single provision and there's a good number of multi-million-dollar fines. I wonder if a judge would be willing to lower a fine/settlement for a company for agreeing to pay a ransom; obviously that wouldn't be ideal because it would encourage companies to pay ransoms, something the government has been fighting hard to discourage.
Unfortunately, companies do already pay ransoms. Looking for sources, I found a writeup by Mimecast about it, and one of their sources actually mentions the Energy Secretary considering banning paying ransomware groups because it encourages this activity.
It probably wouldn't factor into their fines, because they're not even legally encouraged to pay the ransom, so my guess is it simply doesn't enter into the legal calculation.
If paying the ransom is cheaper than securing your infrastructure, you pay the ransom. It's common in netsec circles and security is 1. expensive and 2. often goes against usability, which means that the user often lessens security in order to increase the usability of the system (aka writing your password on post-its next to your monitor).