
Teamsters doesn’t pay ransom. Should you? It’s not rocket science

Richi Jennings Your humble blogwatcher, dba RJA
Astronaut in a sunflower field

It’s emerged that the International Brotherhood of Teamsters was attacked by ransomware scrotes in 2019. Despite advice from the FBI, the union didn’t pay a penny in ransom—and certainly not the $2.5 million asking price.

But these days, that playbook alone isn’t enough. Today’s criminals are wise to organizations with good disaster-recovery processes: they steal your data first, then threaten to leak it or sell it to other criminals, so restoring from backup no longer takes away their leverage.

So your best bet is to shore up your security. In this week’s Security Blogwatch, we do our duty as we see fit.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Electric.

But 2019 was a long time ago

What’s the craic? Jonathan Allen and Kevin Collier report—Ransomware attack hit Teamsters in 2019 — but they refused to pay:

Hackers asked for a seven-figure payment. But unlike many of the companies hit by high-profile ransomware attacks in recent months, the union declined to pay, despite the FBI's advice to do so, three sources [told us].

"They locked down the entire system and said if we paid them they would give us the encryption code to unlock it," said one of the sources. … The FBI advised the Teamsters to "just pay it," the … source said. "They said 'this is happening all over D.C. … and we’re not doing anything about it,'" a second source said.

[But] their insurance company … urged them not to pony up. [So] the Teamsters decided to rebuild their systems, and 99 percent of their data has been restored from archival material — some of it from hard copies.

In 2019 … either the victim paid and hoped their files could be restored easily, or they didn't and tried to manage on their own. [But] now, most ransomware gangs [also] threaten to leak victims' files if they don't pay.

So today’s M.O. isn’t your grandpappy’s ransomware? Mayank Sharma expandifies—Teamsters was hit by ransomware in 2019, but refused to pay up:

Those were simpler times, and ransomware gangs hadn’t learned the art of double extortion. No data was exfiltrated and there were no threats of leaks. If a victim refused to pay, the threat actors would chalk it up to experience and simply move on.

However … the previously unreported attack … revelation once again highlights how many organizations simply don’t share details about the attacks.

Incidents often remain secret? This is true, says George Dascalu—Ransomware Struck Teamsters in 2019:

The union organization kept the hack hidden from the public. This points to a truth that cybersecurity experts believe lies beneath the surface of recent high-profile attacks: An unknown number of companies and organizations were blackmailed without ever speaking publicly about it.

The FBI press office did not respond to numerous requests for comment. The position of the FBI is that ransomware payments should be avoided.

This lack of data is a problem. Canberra1 agrees:

Risks keep on going up. I'm sure the insurance company premiums are way too low — and the FBI is not letting them know of real world numbers.

In some countries, paying a ransom is illegal. This is why the new ransomware people are leaking details, so documenting the breach — which impacts insurance and director bonuses. However … people bitten now think the cloud is safer. Should FBI tell them lightning starts in clouds?

If only we had some sort of historical analogy? This Anonymous Coward suggests state piracy:

I wonder if these guys even have letters of marque from the russian government.

And how many other Colonial Pipelines were there? So wonders squiggleslash:

The other day it was revealed the FBI had actually been tracing ransomware payments to the hackers. … So perhaps the FBI's advice was because of that.

Perhaps that was their intent. They couldn't exactly tell the Teamsters that though, could they?

It's an interesting question whether most companies wouldn't be better off just trying to rebuild their systems from day 1 using whatever backups are available, rather than paying a million or more. The "cost of recovery" is usually measured in millions of dollars, but that number includes the costs both of losses made while the system is down, and of the salaries of people sitting idle. It probably doesn't reduce the costs much getting the encryption key.

And once identified, how to retaliate? With a perspective, here’s DS999:

It’s largely irrelevant. With most ransomware coming from Russia, no one is going [to] conduct drone strikes inside their border, no matter how bad a cybercrime the criminals resident there have conducted.

What they could do is if they identify the people, send in spies to poison them. Putin seemed to think that's OK when he had someone poisoned on English soil, so turnabout is fair play. I'll bet ransomware would quickly become far less common after a few of their fellows wake up dead.

But where’s the silver lining? We see through aberglas, darkly: [You’re fired—Ed.]

The ransom should be paid double. The crooks are doing us a big favor, by pointing out *****y security and adding something to a security budget to do something about it.

If things ever go bad with China, they will not just be after ransom, they will shut us down—turn off the lights. … So this ransomware is a good thing. … If the hackers can get in, the Chinese are already there.

Attack is the best form of defense? Andy The Hat remembers pragmatism in the age of Sputnik:

The actual problem with this statement: One state's "attack" is another's freedom of speech.

Accept that any state can legitimately take action against another state … without going through diplomatic channels and you are on a steep and slippery slope to physical conflict. In some ways this is similar to the freedom of space, establishing the rights to overfly any state with an orbiting craft, otherwise it would be impossible to operate satellites, and was established by the US President biting his tongue.

But the Teamsters, though? Salgak1 has one question:

OK, I have to ask: This being the Teamsters, whose knees got broken, and which hackers got to swim with the fishes? (Not joking. The Teamsters play hardball at such things.)

I grew up in a Teamsters home: Both parents were members. You messed with the Teamsters at your peril.

Meanwhile, Harry McCracken cracks me up:

I always enjoy reading about people who refuse to play ball with criminals.

The moral of the story?

We have no idea of the true scale of ransomware attacks, because so many victims never go public. And 2019-era ransomware is quite different from today’s attacks, which steal the data before encrypting it: good backups are still necessary, but they’re no longer sufficient.

And finally

Three minutes of uplifting choonz


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Elia Pellegrini (via Unsplash)
