Balloon Juice

Come for the politics, stay for the snark.

Jonah tells it like it

by John Cole | April 8, 2002 6:51 pm | 101 Comments

This post is in: Open Threads


Jonah tells it like it is, again:

My views regarding the European political and intellectual elite have gone from mere contempt to palpable disgust.

Even the glow of the synagogues burning on soil already well fertilized with the viscera of Jews is paled by the bonfire of hypocrisy now raging in capitals across Europe. Recall last December, when France’s ambassador to England, Daniel Bernard, referred to Israel as “that shi**y little country,” asking, “Why should the world be in danger of World War III because of those people?”


Reader Interactions

101 Comments

  1. 1.

    Jackie

    May 28, 2022 at 8:08 pm

    Any monies won should go to the BJ account.

  2. 2.

    WaterGirl

    May 28, 2022 at 8:16 pm

    @Jackie

    I added a site update up top just now, which wasn’t there when you wrote your comment.

  3. 3.

    zhena gogolia

    May 28, 2022 at 8:20 pm

    Great news thanks!

  4. 4.

    JanieM

    May 28, 2022 at 8:21 pm

    WG, amazing work. Wow. !!

  5. 5.

    Cheryl from Maryland

    May 28, 2022 at 8:21 pm

    Thank you and the rest of the restoration crew.

  6. 6.

    Skepticat

    May 28, 2022 at 8:23 pm

    Happy news indeed. Many thanks.

  7. 7.

    Spanky

    May 28, 2022 at 8:30 pm

    That is indeed amazing work. Glad no one expects my technical expertise to include this stuff!

    Yell if you need $$$.

  8. 8.

    debbie

    May 28, 2022 at 8:31 pm

    I don’t say this lightly, but god bless you, WG.

  9. 9.

    Auntie Anne

    May 28, 2022 at 8:32 pm

    Thank you 1000 times over! We are SO lucky to have you.

  10. 10.

    Gvg

    May 28, 2022 at 8:37 pm

    These things will cost money. Let us know when. Also get a donate button or something up. Really.

  11. 11.

    Lapassionara

    May 28, 2022 at 8:42 pm

    Thank you, Watergirl. You rock!

  12. 12.

    tokyocali (formerly tokyo expat)

    May 28, 2022 at 8:54 pm

    Thank you and the front pagers for all of your hard work. Many thanks to John for keeping this place open. I visit other places, but this place remains far and above my favorite. There’s a community here. So whether we stay here or move back to the old place, I’ll be tagging along!

  13. 13.

    Nicole

    May 28, 2022 at 8:56 pm

    This brings me much joy. Thank you for all of the hard work you put in. You are amazing.

  14. 14.

    Yutsano

    May 28, 2022 at 9:02 pm

    O frabjous day! As the kids say. This is definitely welcome news.

  15. 15.

    eclare

    May 28, 2022 at 9:03 pm

    Thank you so much for all your work!

  16. 16.

    WaterGirl

    May 28, 2022 at 9:07 pm

    It’s only 8 o’clock but between this and 3 hours of gardening, I’m exhausted. See you all tomorrow.

  17. 17.

    NotoriousJRT

    May 28, 2022 at 9:10 pm

    WaterGirl is heroic!

  18. 18.

    Another Scott

    May 28, 2022 at 9:15 pm

    Rest easy, WG and crew. Thanks so much.

    Cheers,
    Scott.

  19. 19.

    Jean

    May 28, 2022 at 9:17 pm

    Good news! Thanks, WaterGirl!

  20. 20.

    frosty

    May 28, 2022 at 9:18 pm

    You fit in 3 hours of gardening too!!?!??

    Where would we be without your hard work? Many many thanks!

  21. 21.

    scav

    May 28, 2022 at 9:19 pm

    Bravo to all! Have a well deserved rest.

  22. 22.

    SiubhanDuinne

    May 28, 2022 at 9:20 pm

    @Yutsano

    And may I just add, “Calloo, callay!!”?

  23. 23.

    CaseyL

    May 28, 2022 at 9:21 pm

    Amazing, wonderful news. I can’t thank you enough for all you’ve done. Literal sweat and years, and probably literal blood, too, if you ever get your hands on 3XXDataCenter’s crew of nincompoops!

  24. 24.

    ronno2018

    May 28, 2022 at 9:25 pm

    thank you everyone for the hard work, I have missed the old site (even though this temp one is awesome).

    My weekend work was with our network admin and installing new switches at our office and re-IPing the storage array and all the servers. Scary times indeed.

  25. 25.

    JoyceCB

    May 28, 2022 at 9:27 pm

    Delurking to say – WaterGirl, you are the best!

  26. 26.

    BellyCat

    May 28, 2022 at 9:32 pm

    :-*

  27. 27.

    lowtechcyclist

    May 28, 2022 at 9:34 pm

    Thanks for all you’re doing, WaterGirl! You are amazing.

  28. 28.

    Baud

    May 28, 2022 at 9:34 pm

    WaterGirl is the best fixer in the blogosphere.

  29. 29.

    OGLiberal

    May 28, 2022 at 9:37 pm

    I know this is completely unrelated but the only somewhat recent news I could find about 365 Data Centers is that they were acquired in 2020 by Stonecourt Capital, a private equity firm. Rick Davis, who was recently and frequently mentioned in Steve Schmidt tweetstorms appears to be a partner in that firm. The best people…

  30. 30.

    Wag

    May 28, 2022 at 9:38 pm

    Awesome news!! I’ve missed BJ, especially OTR with Albatrossity and Bill. Looking forward to seeing the site!

  31. 31.

    raven

    May 28, 2022 at 9:39 pm

    I have a great number of posts concerning the banning of an individual if they would be of any use.

  32. 32.

    Jay S in WA

    May 28, 2022 at 9:52 pm

    “Jackie May 28, 2022 at 8:08 PM
    Any monies won should go to the BJ account.”

    Speak for yourself! I expect compensation for pain & suffering and reimbursement for self medicating during this out(r)age!

    Edited to delete the /jk tag in case they use that against us.

    Thanks for the good news and all the work.

  33. 33.

    smedley the uncertain

    May 28, 2022 at 9:56 pm

    WG, wonderful job. Yours and John’s perseverance kept us all alive. As noted above, all this cost. So make sure you rattle the tin cup in this direction. BJ is my daily read(s).

  34. 34.

    mali muso

    May 28, 2022 at 10:03 pm

    WG, you are an absolute treasure!

  35. 35.

    different-church-lady

    May 28, 2022 at 10:05 pm

    Christ almighty, I’m just amazed by the amount of tender loving care you put into this almost top 10k hang out. Thanks so much.

  36. 36.

    LNNVA

    May 28, 2022 at 10:08 pm

    Thank you WaterGirl.

  37. 37.

    Bill Arnold

    May 28, 2022 at 10:09 pm

    Good news, thanks.
    A posts/comment archive using that tarball is still possible. Might need some minor tweaking e.g. to not load some javascript. Then tell google to index it (they have a simple process). If I’m bored I’ll prototype something.
    Getting the actual data would be much much better. (Though if we do get the old content back, you should still ask google to index it; threads were often indexed like 50 comments in then never reindexed by google.)

  38. 38.

    dkinPa

    May 28, 2022 at 10:12 pm

    Wonderful news! Thank you, WaterGirl — you are a Treasure!

  39. 39.

    arrieve

    May 28, 2022 at 10:17 pm

    So happy to hear this. Thank you thank you WaterGirl!

  40. 40.

    HumboldtBlue

    May 28, 2022 at 10:24 pm

    Youse are ridiculously awesome and WaterGirl deserves a medal.

  41. 41.

    gene108

    May 28, 2022 at 10:25 pm

    I just want to thank you for the Balloon-Juice site (and Jackal Action), John.

    I didn’t realize how much it’s been a social outlet for me, until it went dark. I could just pop over to Balloon-Juice, and even if I was not commenting, read intelligent conversations people are having and it’s like I’m hanging out with a group of people.

    Edit: Also, thanks to everyone who has made this site run over the years, like WaterGirl, Anne Laurie, Betty Cracker, TaMara, Adam, David Anderson, and now infrequent front pagers like DougJ, Mistermix, and Tom Levenson and anybody else I’m leaving out.

  42. 42.

    scribbler

    May 28, 2022 at 10:25 pm

    WaterGirl, thank you, thank you, thank you. Amazing job!

  43. 43.

    kalakal

    May 28, 2022 at 10:40 pm

    Thank you Watergirl, enjoy your well earned rest. You’re a star

  44. 44.

    Carlo Graziani

    May 28, 2022 at 10:40 pm

    @Bill Arnold: It would be worthwhile thinking through a design whereby a limited stack of current BJ posts and related comments — one year deep, say — gets continuously and automatically refreshed, with older stuff going into a static, searchable archive that does not burden the WordPress database (and gets deleted from the database) as new stuff comes in.

    Then it becomes trivial to scatter archive copies across diversified providers for robustness against disasters, and the current BJ never turns into a waddling hog constantly dragging along vast indexes of data that are never consulted.

    This all seems quite scriptable to me. If you think it practicable, perhaps your prototype could be designed with a view to extension to later posts and data.
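
Added example, not part of the comment above or of the site's own code: one way to script the integrity check that an archive copied to several providers would need, so that an unreadable or altered copy is noticed before it is needed for a restore. The directory layout, file names and provider labels are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large archive files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_replica(manifest, replica_root):
    """Re-hash a replica and report files that are missing, altered or unexpected."""
    actual = build_manifest(replica_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(
        name for name in manifest.keys() & actual.keys()
        if manifest[name] != actual[name]
    )
    return {
        "ok": not (missing or corrupt or extra),
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
    }


def demo():
    """Build a constructed static archive, copy it twice, damage one copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)

        # Constructed sample archive (hypothetical layout: one folder per year/month).
        source = tmp / "archive"
        month = source / "2002" / "04"
        month.mkdir(parents=True)
        (month / "post-1.html").write_text("<h1>constructed post</h1>")
        (month / "post-1.comments.json").write_text(
            json.dumps([{"n": 1, "text": "constructed comment"}])
        )
        (source / "index.html").write_text("<ul><li>constructed index</li></ul>")

        # The manifest is kept apart from the copies it describes, somewhere the
        # hosting provider cannot rewrite it.
        manifest = build_manifest(source)

        # Two replicas standing in for copies held at different providers.
        provider_a = tmp / "provider_a"
        provider_b = tmp / "provider_b"
        shutil.copytree(source, provider_a)
        shutil.copytree(source, provider_b)

        # Simulated damage to the second copy: one file overwritten with
        # unreadable bytes, one file deleted, one unexpected file dropped in.
        (provider_b / "index.html").write_bytes(b"\x00" * 16)
        (provider_b / "2002" / "04" / "post-1.comments.json").unlink()
        (provider_b / "README_RESTORE.txt").write_text("unexpected file")

        return {
            "provider_a": verify_replica(manifest, provider_a),
            "provider_b": verify_replica(manifest, provider_b),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against each copy, a check like this turns "the backups are fine" into something that is re-verified from the files themselves rather than taken on a provider's word.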

  45. 45.

    WaterGirl

    May 28, 2022 at 10:47 pm

    Cole has always said he does not want to archive or separate the older Balloon Juice threads. Assuming we get our data back eventually, I would be surprised if he changes his mind about that.

  46. 46.

    Jackie

    May 28, 2022 at 10:47 pm

    We get to go home on Tuesday!!! I’m sooo happy! This has been a great temporary home, (Thanks, WaterGirl!) but there’s no place like HOME!

  47. 47.

    currants

    May 28, 2022 at 10:51 pm

    Watergirl, Steep, Scout211, Cole–all of you working on this–you’re wonderful, and doing amazing work. I am so grateful for you.

  48. 48.

    citizen dave

    May 28, 2022 at 10:51 pm

    Echoing all the thanks! You and y’all are tremendous.

  49. 49.

    A Good Woman

    May 28, 2022 at 10:58 pm

    Thank you @WaterGirl and everyone working to restore the site. You are the best!

  50. 50.

    Liminal Owl

    May 28, 2022 at 10:59 pm

    Thank you to all who are working on getting the site back. WaterGirl, you are once again heroic.

  51. 51.

    Layer8Problem

    May 28, 2022 at 11:01 pm

    The efforts are so very appreciated. Thank you WaterGirl and everyone hammering together our temporary residence and reassembling the original establishment.

  52. 52.

    jl

    May 28, 2022 at 11:02 pm

    Thanks to the BJ front pagers for all the work. BJ rises like a phoenix from the ashes.

  53. 53.

    oatler

    May 28, 2022 at 11:03 pm

    Jay S: Self-medicating in solidarity, Brother! with good old Horchata, the Mrs Beasley of indicas.

  54. 54.

    Carlo Graziani

    May 28, 2022 at 11:05 pm

    @WaterGirl: I didn’t know that, being relatively new around here. Are there specific reasons that might be addressed by a reasonable design? After all, using the live WP database as a search engine for old material is not particularly efficient, and has very obvious performance costs for current discussion. It seems likely that a separate lightweight searchable archive could be presented transparently in BJ as if it were almost integrated with WP through a bit of web design magic, and the benefit would be a big load off the WP database.

  55. 55.

    HumboldtBlue

    May 28, 2022 at 11:06 pm

    @Gene108:

    “I didn’t realize how much it’s been a social outlet for me, until it went dark. I could just pop over to Balloon-Juice, and even if I was not commenting, read intelligent conversations people are having and it’s like I’m hanging out with a group of people.”

    Yup.

  56. 56.

    opiejeanne

    May 28, 2022 at 11:12 pm

    Dear Water Girl
    Thank you. You and the others do so much for all of us here on this nearly top 10,000 blog.
    Balloon Juice was very much missed while our train was crossing Eastern Montana. There’s no wifi on the Empire Builder between Chicago and Seattle, but I managed to use my phone as a hotspot most of the time.

  57. 57.

    RaflW

    May 28, 2022 at 11:26 pm

    Just want to add my thanks and appreciation to all who labor to get us back home!

  58. 58.

    Another Scott

    May 28, 2022 at 11:36 pm

    Via a comment in Cole’s twitter thing, here’s a page with a link to the complaint:

    and here’s the 72 page .pdf.

    Cheers,
    Scott.

    update: links removed from here and moved up top because at least one of them was breaking the margins. thanks, Scott, for the links.

  59. 59.

    Redshift

    May 28, 2022 at 11:43 pm

    You guys are awesome!

  60. 60.

    Another Scott

    May 28, 2022 at 11:55 pm

    From page 23 of the Class Action complaint:

    === quote ===
    72. In their everyday business operations, and as an integral part of their business, Biz place significant reliance on its ability to access and transact with the products and services provided by 365.

    73. Biz also purchased additional “backup” services to ensure that his customers would not lose access to their webpages and Critical Infrastructure after a disaster.

    74. Defendant has now informed Biz that it cannot access the backups for which Biz paid Defendant. Upon information and belief, these backups are either encrypted by the cyberattacker and/or have been deleted from Defendant’s systems.

    === unquote ===

    Unsurprising, but unfortunate.

    :-(

    Grrr…,
    Scott.

  61. 61.

    Carlo Graziani

    May 29, 2022 at 12:06 am

    Wow. The complaint cites the 365throwaway assertions of “poor security practices” as constituting information and belief for 365’s security incompetence. I sure hope that guy covered his tracks, because there are certainly some subpoenas heading for Reddit right now.

  62. 62.

    Carlo Graziani

    May 29, 2022 at 12:12 am

    Oh. Shit.

    “Defendant has now informed Biz that it cannot access the backups for which Biz paid Defendant. Upon information and belief, these backups are either encrypted by the cyberattacker and/or have been deleted from Defendant’s systems”

    3xx lied about the backups. Smiled, and lied.

    OK, it’s on to the ridiculous plan. We have to figure out how to shoehorn that archive back into a WP database — and how much of it is worth shoehorning.

  63. 63.

    TEL

    May 29, 2022 at 12:53 am

    Thank you so much WaterGirl and everyone else for all the hard work!

  64. 64.

    Joey Maloney

    May 29, 2022 at 1:04 am

    Wow. Never checking backups for accessibility and reliability is something I expect from, say, 15-years-ago me as an individual when I had a drive crash and hadn’t backed up in 6 months and it was corrupt anyway.

    Nowadays I do nightly backups using two completely separate systems in my home plus a commercial service offsite. And all I’m safeguarding is my personal stuff. Shocking that a professional outfit wouldn’t rise to at least that standard.

  65. 65.

    Jay S in WA

    May 29, 2022 at 1:26 am

    Another Scott May 28, 2022 at 11:36 PM
    Ah somebody Paid the Pacer tax and freed the document. The listing was on Courtlistener but the document wasn’t up last time I checked. The Pacer monopoly is a crime.

  66. 66.

    Jay S in WA

    May 29, 2022 at 1:48 am

    What they are asking for:
    REQUEST FOR RELIEF
    WHEREFORE, Plaintiffs, individually and on behalf of all Class Members proposed in this Complaint, respectfully requests that the Court enter judgment in their favor and against Defendant as follows:
    a. For an Order certifying the Nationwide Class and appointing Plaintiff Biz as class representative for the Nationwide Class;
    b. For an Order certifying the Nationwide Subclass and appointing Plaintiff PaleoMom, Plaintiff Core Wellness, and Plaintiff Speed School as Class Representatives for the Nationwide Subclass;
    c. For an Order appointing Plaintiffs’ Counsel to represent such Classes;
    d. For a finding that Defendant has been negligent;
    e. For a finding that Defendant breached its contracts with the Nationwide Class.
    f. For a finding that the Defendant has engaged in unfair or deceptive acts or practices in the course of trade or commerce which constitute violations of the Connecticut Unfair Trade Practices Act;
    g. An Order preliminarily and permanently enjoining the Defendant from the use of acts or practices that violate the Connecticut Unfair Trade Practices Act, including, but not limited to, the unlawful acts and practices pleaded in this Complaint;
    Case 3:22-cv-00715 Document 1 Filed 05/27/22 Page 45 of 72
    h. For equitable relief compelling Defendant to utilize appropriate methods and policies with respect to ransomware protection;
    i. For equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of Defendant’s wrongful conduct;
    j. For an award of actual damages, punitive damages, and compensatory damages, in an amount to be determined;
    k. For an award of costs of suit and attorneys’ fees, as allowable by law; and
    l. Such other and further relief as this court may deem just and proper.
    JURY TRIAL DEMAND
    Plaintiffs demand a jury trial on all issues so triable.

  67. 67.

    grandmaBear

    May 29, 2022 at 1:51 am

    Thank you WG! You are awesome!

  68. 68.

    Jay S in WA

    May 29, 2022 at 1:52 am

    So I see a request that they go forth and sin no more, a request for monetary relief, and a public trial.
    I don’t see an explicit demand for data recovery to the extent possible.
    IANAL

  69. 69.

    FelonyGovt

    May 29, 2022 at 2:03 am

    Thank you so much, WaterGirl and everyone else working to restore our home. And I’ve appreciated the emails from John.

  70. 70.

    Jay S in WA

    May 29, 2022 at 2:18 am

    Okay I left out the opening paragraph that might be interpreted as data recovery:
    “173. Under the provisions of Connecticut General Statute § 42-110g, Plaintiffs are entitled to and seek to recover actual damages, punitive damages, and such equitable relief as the Court deems proper, including attorneys’ fees. These forms of relief are in addition to and not a substitute for the claim for restitution and other equitable relief alleged in this Complaint. ”
    Other paragraphs about restitution mostly talk money though.
    All in all I think Biz has given up hope of data recovery.

  71. 71.

    sab

    May 29, 2022 at 2:52 am

    One of the reddit comments suggested that 365data was contemplating bankruptcy chapter 11. What would that do to the class action? Wouldn’t bankruptcy stay lawsuits against them?

  72. 72.

    Carlo Graziani

    May 29, 2022 at 3:05 am

    Well, let us parse:

    “Defendant has now informed Biz that it cannot access the backups for which Biz paid Defendant. Upon information and belief, these backups are either encrypted by the cyberattacker and/or have been deleted from Defendant’s systems”

    365 tells Biz it cannot “access” the backups. 365 did *not* say that the backups were either encrypted or deleted. That is inferred by Biz “upon information and belief”.

    But in fact it’s not that plausible, it seems to me. The attack was probably on hundreds of terabytes, maybe petabytes of data owned by several entities, not just BJ. It is impossible to encrypt that much data surreptitiously, and not that easy to delete it. I still think it’s likely that 3xx told a version of the truth: the data is fine, somewhere in a giant maze of RAID arrays, but the ransomware attack scrambled the high-level metadata that they need to figure out where it is, and methodically going through their disk farms and reconstructing that metadata is a bankruptcy proposition for them.

    However, if this is in fact the case, then perhaps this would be a relief that the court could order.

  73. 73.

    Joey Maloney

    May 29, 2022 at 4:12 am

    It might be somewhat more possible to encrypt that much data surreptitiously, if it’s on backup drives that no one has bothered to look at for weeks or months. That would greatly reduce the amount of surreptition required.

  74. 74.

    Antonius

    May 29, 2022 at 5:03 am

    Thanks @WaterGirl, John, and the whole crew for keeping the lights on!

  75. 75.

    HeartlandLiberal

    May 29, 2022 at 6:16 am

    Where is the new site located? At 365? Or another provider?
    Also, do we need to donate to help the recovery?

  76. 76.

    WaterGirl

    May 29, 2022 at 8:14 am

    @Joey Maloney wrote:

    “Wow. Never checking backups for accessibility and reliability is something I expect from, say, 15-years-ago me as an individual when I had a drive crash and hadn’t backed up in 6 months and it was corrupt anyway.”

    Bizbudding was TESTING their backups regularly. But that was when they could get to them on the cloud. As of 16 days ago, they are either encrypted or deleted.

    So “349” Data Centers outright lied about the backups being fine, which is totally shitty and wrong on so many levels, but just to be clear, the problem is NOT that Bizbudding didn’t test their backups.

  77. 77.

    brantl

    May 29, 2022 at 9:06 am

    Thanks so much, I don’t think you know how much this site means to people, but I suspect you’re getting an inkling.

  78. 78.

    sixthdoctor

    May 29, 2022 at 9:42 am

    Appreciate all the hard work you, John, and everyone else involved is doing to keep this community active.

  79. 79.

    Citizen_X

    May 29, 2022 at 9:50 am

    Wow, thanks, WaterGirl, and everybody else, for all your hard work.

    Here’s to getting our backups back. And to roasting 365 execs over open flame! At least we can look forward to that.

  80. 80.

    Carlo Graziani

    May 29, 2022 at 9:50 am

    @WaterGirl: “Encrypted or deleted” is Biz’s inference, not established fact. I feel that it is much more likely that the data is safe (as 3xx claimed) but unlocatable because the attackers screwed with their infrastructural metadata that allows them to know where everything is in their maze of filesystems (hence making 3xx’s claim misleading).

    Again, the difference is significant. If this interpretation is correct, 3xx may or may not be willing to launch the recovery due to cost, and may attempt to protect itself from the recovery cost via a bankruptcy proceeding. The court could, perhaps, preempt such a course.

    On such legal matters I must say I know little to nothing of what is possible, though, so perhaps the copious legal talent hanging around could comment.

  81. 81.

    Ivan X

    May 29, 2022 at 10:45 am

    @Carlo Graziani in other words, the backup raw data are accessible, but the backups themselves are not? Entirely plausible. I tend to think of a blown RAID, and for that matter even a backup with a missing catalog, as lost data, even though yeah, sure, it’s there in there somewhere. But it’s like having the world’s largest library and all of the pages of the books torn out into a big pile and the card catalog destroyed, and then having to put the books back together, on an incomprehensible scale. Is that sort of thing even possible, especially on the scale we’re talking about at a data center?

    That’s a pretty vicious hair to split by 365, though. I can see offering that sort of not-quite-a-lie misrepresentation for the first few days to buy time while options were being assessed, but not once the jig is up, which it sure seems to be.

    I suppose half the value of the lawsuit would be to have the actual truth come out.

  82. 82.

    Carlo Graziani

    May 29, 2022 at 11:23 am

    @Ivan X: Without wishing to express certitude, I believe that this is a very real possibility.

    The thing is, people have a mental model of ransomware attacks — compromise a host, encrypt the data, send ransom note — that precedes the cloud era. It is still relevant to cloud hosting, but it’s what you might call a client-side attack: you compromise a customer account through a phishing email, say, then move in and use classic ransomware technique. The cloud aspect is irrelevant here, because the hosting/storage is an abstraction from the attacker’s point of view.

    The 3xx attack was not a client-side attack. It was a server-side (or maybe “infrastructure-side” would be a better term) attack. The attackers seized control of 3xx’s infrastructure control layer, and did something to screw up 3xx’s ability to maintain their service. Allegedly reversibly, upon payment of ransom.

    OK, so what could that something be? Deleting or encrypting data is out of the question, in my opinion, because it takes too long for petabyte-scale data, and would have consequences that are easily detectable and interruptible by IT staff. Moreover, to be an effective blackmail threat and not just vandalism, there has to be a technically credible reversal method. You can’t just bullshit professional IT folks and their cyberintrusion specialist consultants the way you could bullshit some PC owner at home.

    One simple way to do that is export some critical database describing the master filesystem layout, encrypt the export, and delete the database (and any backups of the database, which you locate by tracing its backup system). Done. Data is safe, encrypted db backup in possession of 3xx, now just send ransom note: “We send decryption key of db backup on payment of…”, definite articles dropped due to translation from Russian. You could even send a transcript of the shell session in which the encryption and deletion occurred and add a hash (unforgeable file signature operation) to that session, so that 3xx could verify the hash of the encrypted db file and hence have further assurance of the technical validity of the reversal procedure.

  83. 83.

    RoonieRoo

    May 29, 2022 at 11:23 am

    I just want to add a thank you WaterGirl for the tears, sweat and work to bring BJ back to life. I know I don’t comment frequently but BJ is important and your stewardship is something I am very grateful for.

  84. 84.

    Another Scott

    May 29, 2022 at 11:50 am

    I’m no IT code slinger, but what gets me about this whole saga is that it never should have been possible in the first place. Client virtual machines are supposed to be isolated from one another, so ransomware on one VM should not have affected anything else. That seems to imply, contrary to 3xx’s protestations, that they were the target of the attack (either through negligence or incompetence). IOW, Boris in St. Petersburg locking up the FYWP dB for one of Biz’s clients via a ransomware attack could not, in any sensibly run outfit, take out 3 cloud datacenters.

    There’s still too much of this saga, and 3xx’s comments about it, that does not make sense. Maybe it’s some variation of the Kaseya or SolarWinds attack, or doors that weren’t closed after everyone should have known about those vulnerabilities….

    https://purplesec.us/kaseya-ransomware-attack-explained/

    Dunno.

    Lots of lessons to be learned after this saga.

    Cheers,
    Scott.

  85. 85.

    RubberDuck

    May 29, 2022 at 11:56 am

    At this point I’m assuming “third party” is the credit union. They’re still down (what a coincidence!) and claiming a platform upgrade by their EFT vendor is what kicked off their outage.

    If so, and depending on what they (or even 325) were upgrading, that may have broken the storage and any ransomware contained therein, and that’s that.

  86. 86.

    Carlo Graziani

    May 29, 2022 at 11:59 am

    @Another Scott: From the fact that 3xx reported trouble with their BGP network infrastructure (the “virtualized route reflectors” stuff) as a factor in the intrusion detection, it is completely clear that this was not a classic client-side ransomware attack. It was a direct attack on 3xx’s cloud infrastructure, bypassing clients, so that VM isolation is not relevant.

    3xx just had shitty security. Pretty sure you couldn’t attack AWS this way.

  87. 87.

    Another Scott

    May 29, 2022 at 12:12 pm

    @Carlo, yeahbut…

    From Exhibit 1 of the lawsuit:

    === quote ===
    We are now able to confirm that the May 14th security incident was a ransomware attack. We are also able to confirm that neither 365 Data Centers nor our customers were the target of this attack. The intended target was a third party whose data is stored in a dedicated environment on our cloud platform. Unfortunately, for our valued customers and 365 Data Centers, the cyber-attacker broadened the ransomware attack.

    While our investigation continues, an analysis and evaluation to date by our systems team and cybersecurity experts has revealed that, aside from the targeted third party, no data was taken from the 365 Data Centers cloud environment and there are no on-going threats in the environment.
    === unquote ===

    It sounds like, if you take their statement at face value (which of course is a dangerous thing to do), a VM got compromised and the attackers somehow broke out from there to attack their cloud farm. While recognizing that it’s ultimately all just bits moving around, that should not be possible. That’s the whole point of VMs and layers and isolated processes.

    Their explanations do not make sense, and the court needs to find a way to get 3xx to give an accurate picture of what happened (and not let them escape responsibility via bankruptcy).

    My $0.02.

    Cheers,
    Scott.

  88. 88.

    Carlo Graziani

    May 29, 2022 at 12:27 pm

    ‘@Another Scott: The “target” of the attack, and the *vector* of the attack are two distinct things. As you correctly noted, it would have been literally impossible to take down the entire cloud infrastructure through a client-side attack inside a VM. That’s just the nature of VMs. It was completely clear from the earliest developments, and the information divulged to WG by David of Biz, that this was certainly an infrastructure-side attack.

    Spinning it in terms of who the target was may have been an effort to deflect attention from 3xx’s gross incompetence and security malfeasance.

  89.

    Frank Wilhoit

    May 29, 2022 at 12:49 pm

    @Carlo Graziani: 365 — if they have the sense that God gave a sh1tfly, which does not stand proven — have to be telling *all* of their customers that they were *not* the target. Suppose they tell the target, “You were the target”: then that instantly becomes a completely different conversation, and one that 365 are not prepared to have.

  90.

    Ivan X

    May 29, 2022 at 12:53 pm

    @Carlo Graziani thanks. Makes total sense.

    But, if that’s the case, and we assume 3xx was indeed the target and not some third party (who maybe was the real target, but 3xx was the means), then what’s the holdup? There ain’t no getting it back without paying. Are they dicking around negotiating? Is what the attackers are asking for so far beyond the financial pale of what 365 can even pay that they’re stuck? Are they busy trying to decide whether bankruptcy with all their clients burned but some cash left to pay bills is better than bankrupt and broke?

    And, if they can’t, is there in fact any means of reconstructing RAID/SAN, file system, VM, and backup metadata from raw disk blocks, which may or may not have been locally encrypted by 3xx in the first place, at datacenter scale? Seems impossible to me, but I’m a personal computing consultant; I don’t work at that level.

  91.

    Another Scott

    May 29, 2022 at 1:14 pm

    @Ivan X – Yet another potential complication is – if the hackers are russian, how would a ransom get paid now even if 3xx or the “client/not-client” in question wanted to pay? The US froze the dollar banking system for russian transfers as of late February/early March. Who wants to go to federal prison as part of this saga??

    Cheers,
    Scott.

  92.

    Ivan X

    May 29, 2022 at 1:29 pm

    @Another Scott — interesting complication indeed. Wouldn’t it be possible to convert dollars to some mutually acceptable fiat or crypto currency? They probably want to be paid in crypto anyway. Or would that still be illegal?

  93.

    J R in WV

    May 29, 2022 at 2:01 pm

    I want to thank John G Cole for not throwing in the towel, and Watergirl for bringing up this Jackal-supporting page. Given the fact that this Covid plague continues, Wife is still frail immunologically speaking, and we don’t get around much anymore, Balloon Juice has been an important social place for us for many months now.

    I wasn’t aware of how important B-J was to us until one morning it was gone! Then it started coming back. Now we learn that 3nn hosting was acquired by Venture Capitalist ghouls not too long ago… amazed!!

    Could this whole operation be on behalf of the VC vultures attempting to get rid of their customers to repurpose the hardware and software to a more lucrative purpose, like churning some bitcoin-like enterprise?

    Having had common generic medications disappear from my insurance formulary after Vulture Capitalists raised the price from $3.21 per script to $5,149, I’m prepared to believe the worst even in the absence of hard evidence. One guy went to jail after people died for the lack of his generic was repriced to make him millions more dollars, because he “wanted to impress his dad with his ability to make money!” and now he’s already out of jail

    Right now the only evidence we have is the lack of data access!

    Thanks again Watergirl and all your minions for all the work you do for us jackals !!!!!

  94.

    Another Scott

    May 29, 2022 at 2:03 pm

    @Ivan X – no idea about the details – IANAL.

    ProPublica [eta-not sure what’s going on here with user-links, but it looks like anchor-tags work, eventually.]:

    === quote ===
    The lack of clarity puts the onus on victims to discover if their attacker falls into a sanctioned category. Determining whether groups are operating out of North Korea or Iran, for example, or on behalf of the FSB is “very, very challenging because there’s obviously efforts to conceal that on the other side,” said Ryan Fayhee, a sanctions attorney who works with victims. The government makes it seem “as if this is a traditional commercial enterprise and you can just simply screen the criminal,” he added. “That’s not how it happens.”

    The federal government has long discouraged the payment of ransom and in recent years has put the professionals who work with ransomware victims on notice. In October 2020 the Treasury Department issued an advisory saying that “companies that facilitate ransomware payments to cyber actors on behalf of victims” may “risk violating OFAC regulations.” A second advisory, in 2021, seemed to acknowledge that victims sometimes make payments that violate sanctions. In those cases, victims and their representatives may receive leniency if they quickly report the incident and payment to OFAC.

    Since many victims in the past have been loath to report attacks to the FBI, fearing that the intrusion would become public or the FBI would instead investigate the company itself, the Treasury Department hoped the guidance would prompt more victims to work with law enforcement. That, in turn, could lead to more indictments and more sanctions.

    That part of the strategy seems to be working: More victims are reporting incidents to law enforcement, according to Waters. Following the 2021 advisory, many insurers began requesting proof that policyholders making ransomware claims report the incidents to the FBI, he said. The insurers he works with heavily weigh decisions made by intermediaries such as negotiating firm Coveware. Following Conti’s proclamation about Russia, Coveware stopped making payments to the group, said its co-founder, Bill Siegel. Coveware continued to negotiate with Conti, allowing time for the victim to assess the situation, prepare a public relations strategy and make arrangements to notify people affected by the breach.
    === unquote ===

    More at the link.

    Has 3xx reported anything to the FBI and OFAC??

    Cheers,
    Scott.

  95.

    Carlo Graziani

    May 29, 2022 at 2:24 pm

    @IvanX, @Another Scott:

    The target is the subject of the blackmail attempt. That is probably, based on what we now know, one of 3xx’s customers, and very likely one of Biz’s customers.

    The vector was the attack on 3xx’s cloud infrastructure.

    Once in, there was a “broadening” of the attack, for purposes currently unknown. It could have been to sow confusion, to increase pressure on 3xx, to make recovery more expensive (which makes the attack more effective), or another, target-of-opportunity blackmail attempt on another customer. Only legal discovery can shed light on this, so far as I can see.

    As to payment, Bitcoin is the preferred medium of exchange, and among other things it’s a bit more difficult for the US Treasury to hunt down and block such transactions.

  96.

    Another Scott

    May 29, 2022 at 2:33 pm

    @Carlo – a bit more difficult, maybe, but still problematic for normal people I would think. Treasury.gov (from April 20):

    === quote ===
    WASHINGTON – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated entities and individuals involved in attempts to evade sanctions imposed by the United States and its international partners on Russia. OFAC designated Russian commercial bank Transkapitalbank and a global network of more than 40 individuals and entities led by U.S.-designated Russian oligarch Konstantin Malofeyev, including organizations whose primary mission is to facilitate sanctions evasion for Russian entities. OFAC also designated companies operating in Russia’s virtual currency mining industry, reportedly the third largest in the world. This is the first time Treasury has designated a virtual currency mining company.

    “Treasury can and will target those who evade, attempt to evade, or aid the evasion of U.S. sanctions against Russia, as they are helping support Putin’s brutal war of choice,” said Under Secretary for Terrorism and Financial Intelligence Brian E. Nelson. “The United States will work to ensure that the sanctions we have imposed, in close coordination with our international partners, degrade the Kremlin’s ability to project power and fund its invasion.”
    === unquote ===

    The details matter, and IANAL. I do wonder, though, if any of the post-February-24 banking sanctions have had an impact on this saga with 3xx.

    Cheers,
    Scott.

  97.

    Carlo Graziani

    May 29, 2022 at 2:33 pm

    Although on reflection, there is one part of this story that doesn’t hang together. In the account that I just gave, the intruders had 3xx at their mercy. And 3xx is a large, well-regarded, privately-held, well-funded company. Why would they not *also* be blackmail targets?

  98.

    Another Scott

    May 29, 2022 at 2:38 pm

    Meanwhile, BoJo apparently wants to bring Imperial units back to the UK to shore up his support with the mouth-breathers.

    ===

    I’m an engineer to trade, if I want to tap a 6mm x 1mm thread, I take 1mm off 6 to get the drill size. (Diameter-pitch)

    Same with 5×0.7, I need a 4.3mm drill, and so on.

    To tap a 3/8 thread, I need a 37/64 drill, (because fuck you that’s why)

    Imperial is useless. pic.twitter.com/wwU5WHrFoF

    — Guffers (@gavmacn) May 29, 2022

    ===

    Wait until you hear his rant about the eleventy-billion different plumbing fitting standards. :-/

    Cheers,
    Scott.

  99.

    Carlo Graziani

    May 29, 2022 at 3:00 pm

    Yeah. I’m starting to think it’s pretty likely 3xx lied about the ransomware target too. It’s not like they were under oath at the time. They had plenty of interest in deflecting attention away from themselves. They are still locked down, which they shouldn’t be for merely legal reasons. But if they themselves had been targeted, then they can’t unlock without paying up the ransom, or a major, expensive recovery effort. And they wouldn’t want anyone to know that, least of all Biz or their other customers.

    I think the #1 question to 3xx in discovery should be “was your company the actual target of blackmail in this ransomware attack?”

  100.

    Carlo Graziani

    May 29, 2022 at 4:51 pm

    The story that 3xx fed us makes no sense at all. It’s analogous to claiming that hackers broke into the US Federal Reserve so as to rob savings accounts at some provincial bank. That’s idiotic. If you had control of the Fed, you’d aim a little higher, don’t you think?

    I think we have to assume that 3xx has lied to their customers about everything.

  101.

    Ivan X

    May 29, 2022 at 6:21 pm

    @Carlo Graziani Obviously whatever we think is nothing more than informed speculation, but everything about the ludicrous communications from 3xx and the duration of downtime have led me to the same conclusion.

Comments are closed.
