Source: www.schneier.com – Author: Bruce Schneier
Comments
Why do technologists who know better continue to propagate the erroneous statement “ransomware attacks”. Ransomware is launched by a click of a mouse [FULL STOP].
Tom •
@Carl Engelbrecht – I think the description is fair in this case. This was not a one-click operation; it involved days of reconnaissance, the capture of access to a large and diverse server estate, exfiltration of hundreds of GB of data (this was not an encryption attack), destruction of backups that might have been used for recovery, significant work to cover tracks and the destruction of a large chunk of the server estate.
There were two points raised in the report which I thought were particularly interesting. The first is about risk. The library say they were good at identifying large risks that they weren’t prepared to accept and acting to mitigate them. They were good at identifying small risks and deciding they were content to live with them. They were not good at looking at the overall risk picture and aggregating all those small risks and deciding whether they were happy with their overall level of risk. I suspect this is true of a very large number of organisations full of good, capable people; an individual identifies a large risk, thinks it’s not acceptable and gets something done about it. But an individual identifies a small risk and thinks it’s not worth doing anything about it; no-one has an overall picture of risk.
The second was that recovery has been so arduous because many of the library’s systems are so specialised and old that they simply can’t get an installer for them. The original supplier has disappeared or no longer supports the software. They had a copy of the installer … in the backups which the attack destroyed. On a similar line, I wonder how many organisations out there have software running on an Ubuntu 12.04 VM? It’s not that old, but you can’t install it any more; Ubuntu have removed it from their mirrors.
Prefer Not To •
This will continue to be a problem as long as society thinks of this as nerds suffering nerd crime. It’ll stop when His Royal Majesty sends the SAS to deliver a kinetic response to the Rhysida Ransomware Team.
Does anyone believe that MI-6 and GCHQ can’t find some of the humans behind Rhysida? You don’t even have to find all of them – just enough to ensure that the leadership decides to attack the Library of Botswana or Tuvalu next time. Like, seriously, this is why western societies employ rough men who stand ready to do harsh things to bad actors. Why aren’t we using them?
Not really anonymous •
I don’t think you really want to go down the assassination road. We already have India assassinating people (or trying to) in the US and Canada. The US regularly blows up people near the wrong (as in it’s bad to be there, but it can be incorrect as well) cell phone, often killing innocent people.
You probably don’t want other governments killing people who break laws in their countries remotely. A number of governments make criticising the government a very serious crime. There have already been assassinations in the UK of Russian dissidents and the UK hasn’t responded strongly enough to actually stop that practice.
Less powerfull countries already do this as well.
Not really anonymous •
There are two kinds of assassination. There is the kind where you don’t tell anybody you did it and your Press Secretary or Secretary of State has a press conference where they try to suppress laughter while insisting that Glorious Leader is completely innocent.
The other kind is where a country proudly takes credit and announces, “Action that is widely acknowledged as immoral and illegal will be met with reprisal.”
When the Israelis took Adolf Eichmann out of Argentina, they were happy to take credit for it on the world stage. And, quite frankly, the world was happy it done.
Insisting that acts of war not be met with reprisal if they happen in the digital domain is kind of like how, if you steal less than the FBI limit from 1 million people, the federal government stills insists that it’s not a crime worthy of the attention of the FBI. Digital changes the scale, scope, and reach of bad actors. And I do believe that for certain adversaries, the only effective solution is kinetic.
Prefer not to •
My apologies, I typed the wrong name in the field on the comment above. There was no intention of misleading.
And, to be clear, I am not advocating assassination. Clear police action, and legal, not extra judicial, punishment is certainly appropriate
Clive Robinson •
@ Prefer Not To, ALL,
Re :
“Clear police action, and legal, not extra judicial, punishment is certainly appropriate”
It does not work that way when an idiot thinks “Might is Right” it always ends up in a game of “mine is bigger” in the ego dept.
For instance a certain Russian was sent out to “make a point” by assassination, and is now spending time in some what meager German accomodation.
As Putin knows the German’s are unlikely to negotiate… So Putin is rounding up those with US citizenship or relatives and having them charged with spying and the like and put in jails. Putin knows that the US will give in and put pressure on the Germans…
So those from the US that come in range of Putin’s cronies are suffering because Putin thinks “might is right”.
https://www.bbc.co.uk/news/world-europe-68679483
So what do you do in response?
Prefer not to •
@Clive Robinson
What we have here is a crime committed against an agency of a western state, with significant costs to the state to remediate the crime scene, and a group with a well known brand name committing the act. What would you have us do except ask our security experts to “nerd harder” so the bad guys don’t succeed the next time?
Not really anonymous •
The proper path is to follow the normal judicial procedure. If a government is supporting bad actors then diplomatic actions should be taken. In some cases this just isn’t going to work and you need to reply on improving security.
Also note that western governments do this crap too. Less hipocrisy might help get agreements amoung governments to punish governments that do this. Currently the reactions depend mostly whether a government is an ally or not.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Original Post URL: https://www.schneier.com/blog/archives/2024/03/lessons-from-a-ransomware-attack-against-the-british-library.html
Category & Tags: Uncategorized,cyberattack,ransomware,reports – Uncategorized,cyberattack,ransomware,reports
