
Um, good morning. Well, is it good morning? Are you telling me good morning? So I was hanging out with a friend in Germany talking about this idea I had about why... and the title should be "ransomware". This is what happens when you work on your slides until the last minute. That should be "ransomware"; I'm not going to go in and change it now: "Ransomware, and why it should be decriminalized." And then the idea is, well, why is it that this should be classified as being a crime, because we already have crimes that deal with every consequence of this action of using ransomware? And we all know that hackers have a lot of nasty things and tools and resources, and they can turn our home computer into a bomb. We've been driving this idea about the bad hackers doing things, and there's also been plots here in this country about bombs in Parliament, as I learned last weekend when you had a big celebration and I got to see them on fire, so I thought that was pretty cool.

But the thing that really began to disturb me about this was that you start to see things like this: the life cycle of a ransomware attack. Now, there's a reference here in the slide, I kind of put it down there; it was from Experian, with their idea about how you get attacked, you discover that you've been attacked, and then there's this thing called negotiation. And negotiation and settlement legitimize the act of ransomware, because does a business negotiate with somebody who comes to rob them? They're robbers, or anything else. If somebody vandalizes your business, are you going to negotiate with them? Back in my country we had the mafia, and they would ask for protection money. Isn't this pretty much the same type of thing? But is it, actually? This act of ransomware: I think the decriminalization of it is being caused by businesses making this legitimate. We've all got tools that hackers can use to blast us from orbit, and in this process of discovery the hacker gets in and performs a ransomware attack, and then business... okay, I'll try not to talk as loud next time. Oh, okay, I fed back into them, right into critical. All right, so where were we? Oh, we've got ransomware, but we're off to the rescue: there's a magic pill that can solve all of our problems and get us our computer back, because we have this idea of negotiation.

Now, I've been to a car boot sale before, and my idea behind negotiation is that somebody in the negotiation is trying to get an advantage over the other person. I mean, it's the reason you negotiate. And the government maybe can't be much more help than that. We had a president, Ronald Reagan, a while back, and he said that there are nine terrifying words in the English language when strung together: "I'm from the government, I'm here to help." And then I noticed this in the news about ransomware. So you've got an agency here called GCHQ, and this fellow here was quoted as saying: "I think the reason ransomware is proliferating... we've seen twice as many attacks this year as last year in the UK." I think I got this quote from like last week, when I was researching cool slides for the presentation. And he said it's getting bigger, he says, "because it works, it just pays; criminals are making very good money from it and are often feeling that it's largely uncontested." So once we get this ransomware, we go, we pay the fee and unlock the computers, and we don't talk about the root cause of what is causing this phenomenon. And that is, well, nobody in this room who's able to wake up at 9:30 in the morning like me to come to a conference to learn how to do better would fall victim. Or anybody who had ransomware in their network: who's going to raise their hand in the middle of an audience and say, "well, yeah, I had ransomware"?

But feeding on to what they were saying, I found another headline, and this firm was saying "I'd counsel a client to take a deduction for it." So not only are we going to pay the ransomware provider, because this is a service that they're providing, we can deduct this; it's an ordinary, necessary business expense. So this idea that the businessman is going to legitimize the act of ransomware because it's going to be a business expense: then why should it be illegal to do? It's a business expense. It's like going out and having dinner and drinks; you write it off on your taxes. It's all part of your fiduciary duty to act in the best interest of the company, and being a director in the UK means your first loyalty must be to the interest of the company you serve. And people in business are saying it's a business decision to pay the ransomware, so it's not a criminal act. We're not calling the police; we're making a business decision. And where I work we write white papers on how you should do things and secure things, and this always comes up as the language that people want to put in: "it's a business decision."

And I think this idea that it's a business decision is the crux of my argument: if it's a part of business, then why is it that only criminals can benefit from providing this business service? As would-be security professionals we could all possibly just bring up to a business that they're susceptible to ransomware, and we could possibly come in and fix this, and then they could pay us instead of a criminal. Because your country has this idea about really good ways of describing phishing attacks, where the malware, the ransomware, is more than likely going to come in through some kind of email. Because of the sustained study, and I've got the slide, where they looked at these phishing campaigns where they funnel down from 1,800: it just takes one user to go in, click on the thing, and then you've got the malware. I thought this was a funny graphic, because at the end they bring this big funnel down, we're going down from 1,800 to 50 to 14, down to... oh, one person collected. But oh, we caught it, it didn't actually cause anything, because in official documents you can't really have anything sexy happen.

I think of it more like this: there's a flowchart involved. Some things happen to your computer, and then you just sit there and go through and think, well, is the computer still operating? You're the IT staff; if you don't have IT staff, you reboot. You have IT staff, you let them worry about it and then go back to work. But if you don't have IT staff, well, do you have a budget to fix the PC? If not, you need to reinstall Windows and you go back to work. It's kind of like what could happen when something goes wrong. But when you get ransomware it's bothersome, and then you get down to "who's got bitcoin?", because now your solution is going to require bitcoin, and you can get rid of this malware, and then the hacker gets paid.

And I happened to run into a hacker while I was doing research for this, and I got a quote from them. They said: "I think because it works and it just pays. I'm making very good money from it. Good thing it's illegal, else I'd have to charge VAT." And, you know, actors are making good money at this. So there's a list of kind of references. And I don't know if anybody's had any coffee; does anybody disagree with me? Is anybody afraid to disagree because they don't want to talk to me?
Well, I don't know. I mean, it's a service, and if people are doing it in a legitimate fashion, charging less to get it fixed, then it would become a more economical way; the ransomware costs are going down. Oh yeah, so he said... I'm going to paraphrase what you said to suit the needs of my talk, but you brought up insurance and said that the cost of ransomware is going up because of insurance. And thank you for mentioning that, because that just further strengthens my case: this is a legitimate thing. If you get insurance for it, is it necessarily illegal? It's just something that happens to your business, and it's a cost of doing business. You can get... I got travel insurance; if I catch COVID while I'm in the UK I can go and they pay for the quarantine. I mean, you get insurance for many things. Insurance doesn't necessarily do anything but, like you say, drive the price up, so the criminals make more. But if we could legitimately approach this as a responsible disclosure, where you can approach a business and say, "your security is lax and you're going to get hit with ransomware," then what's the business owner going to say? "Well, no, it hasn't happened yet." And then you can just take your laptop and go, "well, look what you can do; you have a security vulnerability here, you need to address this." And if we addressed this in the law and said you shouldn't operate a network on the internet that is susceptible to this... I mean, we've been doing this for a while. Going back to... this tool has been out for decades.

And everybody always talks about the attack chains that these hackers have and how sophisticated these attacks might be, and this idea about the secretive society, where, you know, what if every country has ninjas but the Japanese are just rubbish at it, right? I mean, it's not this. You don't need to have skills to write code to do this. This is stuff that is just commonly available, downloaded, and people are stupid enough to click through big warning signs like this to get this ransomware malware. The biggest problem we have is the users, and because we legitimize their behavior, provide them a safety net of insurance, and "oh well, we'll just pay the ransomware and we'll write it off on our taxes"... Because the tools and malware are... there's really been a formalism to describe malware and what it is. It's become a part of the art of computer security to understand what malware is. And Yisrael Radai, I should have practiced his name before I got to the slide, coined the term here on July 4th, and there's the PC World magazine where it came from. He came up with a better, practical definition of malware: "digital actions with the intent of gaining political, financial or personal advantage."

Now, one of the big things: I am against paying the ransomware at all. I think it's the stupidest thing that you can do, because it's not this hooded hacker making the money, it's terrorists. We're funding terrorist organizations where you don't know where this money is going, and then because they're getting paid they'll just keep doing it. And I think the idea of just paying the ransomware and not having a good system that can be resilient to this is a breach of fiduciary duty. It shows incompetence in the management of your business that you would rather just pay malware than hire an IT person. How many of these have understaffed IT? People are just not... IT is not viewed as a service to the company; it's viewed as a cost center. So if it's cheaper to pay the ransomware than to hire somebody to keep you from getting ransomware, what is the business going to do? They're just going to pay. And then we fall into this trap, because the tools that are being used are... it's really easy. You can take a lot of training, I mean these are slides I pulled from malware training that I do myself; you can learn how easy it is to do these things.

Why did I leave this slide in here? I meant to delete that one, sorry about that. We can get our indicators of compromise and we can share: "well, here, look, this is what's happening now, we're all going to band together, and when one person gets hit then we can all fix everything else." And then US-CERT came up with a document of mitigations, and while it's very easy to put ransomware on an unprotected computer system, or one that's not really properly secured, the mitigations are all the same, and the reason we don't do them is that it's boring. I mean, these reports are boring. They all go through it, and it's a list of things. I've pasted into my slides here the technical description from US-CERT about malware droppers and how these things are done. The techniques that are being used at the state of the art have become portable; the attacker doesn't necessarily have to concern himself with whether it's hardware or software they're exploiting. They have come up with a formalism: once they've gotten in, it's fairly predictable what is going to happen, and you get the ransomware screen. It's a very formalized process. And we have antivirus: "oh, the threat was blocked." And then this is an indicator of compromise, and the idea being, well, is this somewhere else on my computer network? But again, this is another tool that I can easily run as a system administrator to find weird things in my network and track them down before they become big. And then all of the things and techniques that ransomware users... there are easily found ways, obfuscation techniques, that ransomware people use to make money. There's a discipline involved in this; they're professionals, and perhaps what they do should be legitimized.

Because we have tools to detect these things; we just don't bother using them. And what's antivirus supposed to be doing? Anything? Why is this not working? We've been using antivirus for decades now and it's still ineffective. Oh, and back to the report. So these are the mitigations that we always talk to. They're mundane and boring things: we're going to keep our software up to date, right? Everybody keeps their software up to date; we're kind of required to do it, aren't we? We're not given the choice anymore; all our software automatically updates itself, so we should always be safe from this ransomware. We all restrict our users' ability to install their own software, don't we? Enforcing strong passwords: we make our users change their passwords regularly. Exercise caution when opening email attachments: I'm sure that where you work everybody exercises caution when they open the email attachment. Yeah, sure. I mean, this is boring stuff, right? We're all doing this. Enable a personal firewall; maybe that'll help with horizontal attacks. Disable unnecessary services. Scan for and remove suspicious email attachments. These are all things that we would do. What this is, is these are things you should be doing in your business. If you do these things, you won't get ransomware. So the fact is, if you don't do these things you're inviting the ransomware, and then the legitimacy... it gets legitimized when you pay for it and write it off on your taxes.
I hope so, because I think that I'm running out of slides and I have plenty of time.
Yeah, well...
Even... okay, so the first comment was about kidnappers. Well, kidnapping is a crime: if you kidnap somebody and ask for money, and then sometimes people pay the money to get the person back, certainly there was a crime committed there. And then, as the second commenter brought up, I can go to a business and say this is susceptible to ransomware, and I would like to see it become a legitimate act to do this, because it would be an opportunity for somebody to earn a living securing businesses, right? And I anticipated this kind of argument, because it comes down to intent, the act of actually doing the ransomware. There are already crimes that cover this. If you put ransomware on a computer, you're performing a denial of service attack against the business; that's already illegal. So if I use Low Orbit, if I give you a DoS, it's illegal because I'm putting you out of service; there's already a law that covers this. If somebody gets hurt as a result of ransomware, we have assault, we have murder. We have laws that cover the physical actions that are the manifestations of this ransomware. The actual ransomware itself is a trigger for these crimes that we already have well defined, like kidnapping.

I think the question is... just in September of this year, a hospital in Alabama followed your advice and didn't pay a ransom, and a six-month-old baby died because they couldn't access... so they were going to restore backups, put their systems down. If that was my baby, I would much rather feed the ransomware market than a whole floor at a hospital. I guess the question is, have you ever been in a situation where you have been asked to pay ransomware? We've seen this quite a bit in the US with Colonial Pipeline and gas shut down for... So it's easy to say "don't pay ransomware" when you're not directly involved, but when your business is out of operation, or your hospitals are shut down, I think it's a little disingenuous.
Yeah, I mean, it's a legitimate argument, but if you use that as your security posture, I think that should be criminal. I think your other assumption is that all of these attacks are super targeted; all the research on ransomware shows that they just spray and pray.
Yeah, well, I've got another... my idea about email is that we should just get rid of it. There's no reason for email. Who here likes email and would like to see it stay around? We don't need email anymore. Email is a hassle and it causes more harm than it does good. No, I just... I stopped reading email during COVID. I mean, I have 21,000 emails to read and I'm never going to read them. I mean, what happens? My philosophy about email: I don't read it, because if I don't take the right action, somebody tracks me down. I've got a phone; we've got all of these other ways to chat. Back in the office before COVID I didn't read email either. I don't read my work email because I get 100 emails a day at work related to stuff that are reminders, and if they really want something they seek you out. And then the garbage that you get in email that causes things like malware to come up is just much more frequent than any business email that's worth reading. And the other thing about email I don't like is that people are requiring you to give an email for everything now, and that kind of marks you forever, because I can't undo that. It's like when somebody asks for your mobile number; I'm like, "no, you're not getting my mobile number, because I'm going to start getting calls that I don't want." And back here there was a question.
Well, I think they pay it anyway.
Making ransomware payments illegal? Well, I think that you're going to get the same argument, like the gentleman over here on the left talked about Alabama, where you have a hospital, or you have the Colonial Pipeline and nobody's got gas. So somebody wants to get paid; they're going to get paid to turn the service back on. But what we don't ever do is take it back to the ground and go to the root cause and say, "well, where did we go wrong?" Because I don't think anybody disagrees: we have mitigations, we know how to prevent most of this malware, this ransomware. We're just lax in our operation of business to actually do the diligence of preventing this from happening.
Now we're back over here again.
Off and burned, yeah.
Okay, and I had time to think again about updating my idea of "secure". I act like nothing is secure, because let's just be real about this: everything that we use is insecure. It can't be fixed; it is designed broken. Ask Intel how broken the Intel processor is, but still we plod on and keep buying it. Spectre and Meltdown taught us that inherently the hardware and software that we use has been through diligent business practice; it's just not economical to actually make a device that is secure.
Well, I think I'm looking at it in a more practical way. I'd like to see people who want to find their own independent way of working not have themselves threatened because they found something. I mean, I see this all the time; we're in the business where... What do you do when you're at the doctor's office and you see something that's totally effed up? Because I'm still not sure about saying the f-bomb. I probably would have dropped the f-bomb; it's been two years, I'm not ready. Or maybe I already have; have I said [ __ ] yet? Was that it? Okay, now it's all... But what was the question?
Fix.
Yeah, well, I got the idea about this talk, this idea about the decriminalization of the act of ransomware, from weed in the United States. So states are decriminalizing marijuana, and they're doing it for the reason that they can tax it and make money. And the idea of... because responsible disclosure is broken. The idea of "we're going to be able to go to a vendor and tell them about a vulnerability and give them the appropriate amount of time to address the bug, and then I'll get credit for this vulnerability." I mean, we had the best ideas when we came up with responsible disclosure; we've completely flummoxed the entire thing. And this is a little bit clear, because why is it that it's a very awkward conversation when you discover something? For example, this hospital in Alabama: say you're in Alabama and you're in the hospital, you notice that the systems in the hospital aren't being run properly, and you go to the hospital and say, "I think that your systems are not properly configured," and the hospital goes, "well, HIPAA, you know, you just violated HIPAA." I mean, the threat of the law is what businesses use to keep these... It's easier to threaten somebody with the law than it is to actually fix the problems that are being brought up, and it makes it awkward for everybody to contact anybody to tell them that their things aren't fixed properly and are susceptible to these attacks. I think it would open a dialogue between security researchers and companies, and provide a way for and incentivize people to fix things when they see they need to be fixed. I mean, the zero-day market is a good example of how we have matured this model: you find a zero-day, there's a market for that, you can go and talk to legitimate businesses and sell the zero-day, and then they deal with the responsible disclosure. You get paid less, but you get paid, and it's been legitimized, and now people make a living finding zero-days. Why can't people make a living finding networks that are susceptible to ransomware? But just trying to do that and getting caught would be a crime. What if you accidentally unleash ransomware on somebody when you're discovering it? I mean, we've got, what's this thing... I haven't done a talk in two years, so I'm trying to remember... Shodan. Everybody uses Shodan now, and you can find these kinds of things all over the place. I watch infosec Twitter; I think Barry's in the back. I've seen him in the last two years go from... he's taken all of these classes; you do this stuff, Barry, right? And I watch him on Twitter, he's like, "oh, I found this, I found that," and then what happens when you approach a business and you tell them, "hey, this is effed up"? What kind of response do you get from the business?
Well, I'm telling you right now, you should just get paid. You should hit them with ransomware and get paid. Is that controversial to say? I mean, the head of GCHQ said people are doing this with impunity right now. Hack the planet.
It doesn't work. If bug bounty programs worked, we wouldn't have this problem. We've been trying this for, what's it been, 30 years? Responsible disclosure... now this is the '20s; we were talking about this in the '90s, and we still haven't managed a way to do responsible disclosure.
So how many people have actually found zero-days and reported them to vendors in this room? How many have done a hundred? I can answer your question, possibly not while we're being filmed. What happens when you find cool...
People make big zero-days more... doesn't tackle the entire problem. I'm not saying that someone signs up to a crowd or whatever and then instantly gets all their problems resolved, and then it gets ransomware again, but attacks... type of caution.
Well, yeah, I mean, it partially works. I'll give in to your end of the argument: yes, we do have somewhat of a dysfunctional system around responsible disclosure, but we have no formalism in ransomware. What we have are criminals making money off of people who, for whatever reason, allow this to happen on their networks, and then from their business perspective it's cheaper to pay the ransomware than it is to actually hire somebody to fix this problem.
Well, I was hoping somebody would say that; thank you very much. I think what this does is it enables people to find a job that they could do on their own and get paid. Because I've got a daughter that's got a degree and she can't find a job. It's like we have a vacuum of people with jobs, and people who are trying to get jobs don't have experience, so there's no entry level in any jobs. I've seen this on Twitter all over. It's practically impossible to hire somebody. I work at a big place and I was on a committee to hire a programmer for 18 months, and you either lose the candidates because you can't take action fast enough, or people just don't apply. And it's a hard problem, and I think that you're back here doing this. So did I fill the time? So we're doing great.

I'm trying to run it through my head: if we did decriminalize it, I feel like if I'm a business and you can send me an email saying "you've got a vulnerability and you owe me money because I can ransom you," every script kiddie in the world is constantly going to be sending me emails. Constantly. It happened, and now you've actually... I actually now owe that money, so now I'm in trouble because I owe so much money to all these script kiddies.
Well, it's like zero-days. You could say, "well, I've already paid on this one." The race to zero-days is that way too: I find a zero-day and you find the same zero-day; the first person there gets paid, the second person doesn't. And we already get too much mail to read anyway; I already established that fact earlier in the talk. But I think we need to come up with a way to have a better conversation with people about the fact that their networks aren't... they shouldn't be connected to the internet. I think that... again, off and burnt... I mean, this thing is broken.
The security software basically slowed down the brute forces between five and twenty criminals.
Never... So I was glad I was first today, because I think there are some conversations that we should probably have in the hallway that might be interesting to some people that asked questions. Because I think, especially with this idea we had from the back about "I'm going to get a lot of emails about these things," we need to find a way to better communicate. You just need to consider that it's always a bad idea to internet-connect an electronic device, and you shouldn't just do it, and you should accept the risk that you will lose everything if you go online. And then people just don't think about that. I mean, how many people lose the pictures on their phone because it gets run over by a car, or it gets stolen, and you don't have any backups of anything on your phone? People just don't do the due diligence of things, because there's this idea that these things are perfect, and they're not. I could just dump this down right now; what would I lose if I just dropped my laptop on the ground? And I think it was a good conversation. My only aim in the talk was to have a conversation with a few people; I think that I did that. So thank you very much, because I'd have been finished like 20 minutes ago if they hadn't started yelling at me. So I was trying to provoke some thought, and thank you for having me. It's been great to get back out, and have a great day. I'll be around; hit me in the hallway, you'll get a much better answer.