A simple, incomplete ransomware defense

Attribution is hard, but whatever works.

Cory Doctorow
4 min read · May 18, 2021

A truism in security is “attribution is hard.” It’s really hard to know who hacked you, first, because it’s easy to deflect suspicion by leaving false clues, and second, because the bar for hacking even big, critical systems is so low.

The ransomware epidemic has been raging for years now, and it’s quite a tangle. It includes idiots who download (or pay for) some off-the-shelf malware and turn it loose on whatever systems they can find, who don’t even know who they’ve hacked.

It includes sophisticated crime-gangs with high degrees of specialization: tooling, payment processing, even “customer service” for victims who can’t figure out how to buy cryptocurrency to pay their ransoms.

It includes state actors, who often pretend to be bungling idiots while infecting the systems of national adversaries — sometimes, they use fake ransomware that irretrievably trashes the target system, then claim to be too incompetent to recover it.

And it includes all kinds of hybrids, like “state-sponsored” hackers (private criminal orgs on governmental payrolls) as well as state-tolerated “cyber-patriot militias” (high-tech mall ninjas who hack out of a sense of patriotic duty).

This combination of adversaries accounts for the more bizarre ransomware turns, like the ransomware gang Darkside, who seized the Colonial Pipeline’s billing systems (sparking petrol hoarding…

Written by Cory Doctorow

Writer, blogger, activist. Blog: https://pluralistic.net; Mailing list: https://pluralistic.net/plura-list; Mastodon: @pluralistic@mamot.fr