
Just because you never heard about, say, the BancoEstado ransomware attack doesn't mean it was covered up. It's actually pretty much impossible to cover up impactful ransomware events for several very obvious reasons.


For sure, but these are the level of organizations that have PR firms on hand to put in a lot of work to suppress news, to frame things in as bland a manner as possible, to use all the available tools to ensure that even if things get reported, they're noticed as little as possible. Authorities often work with them to suppress and gag reporting of specific institutions that get hit, for a variety of reasons, but obviously including corruption - it's easy to convince politicians that they don't want pension funds or mortgage lenders or whatever to take a hit from negative publicity.

Over the last 5 years, dozens of huge financial firms - banks, hedge funds, credit unions, mortgage lenders, etc - have been hit, and about 15-20% pay the ransoms.

Even if public notice is mandated, there are probably cases where it's an obscure notification on some official government website, or a 3-4 page deep "announcement" on a company page phrased to look innocuous and routine. "We experienced a cybersecurity incident which was resolved" or what have you.

It's fairly trivial for them - routine - to cover things up, right out in the open, and with the speed of the news cycle, it's only gotten easier.

We should probably mandate disclosure by big corporations, institutions, and banks through a glaringly obvious, top half of the front page of their website, blunt declaration for 30 days, with a government page listing incidents and responses for 5 years. "XXX Corp was hit by ransomware and paid $123 in bitcoin to the APT Group AwfulAsshats"

Mandating by law that ransom not be paid puts the onus of maintaining proper disaster and ransomware recovery on the institutions - if you're handling a huge scale of resources, you're on the hook for responsibly managing your employees' security and livelihoods, your users' and customers' assets and data, and not incentivizing ransomware as a viable avenue of attack. If you can't handle the responsibility of securing against ransomware, you've no business handling people's data and money, frankly.

This would wipe out a whole slew of nonsense businesses, I think.



