People need to understand why paying ransomware is fueling the growth of cybercrime, as it is making a huge shift in the economics in play that brought talent away from crime and into industry. A thread.
Early at the turn of the millennium, hacking did not really impact business. Until worms like MyDoom and SQLSlammer hit, hackers were loosely aligned groups of intruders who breached networks for fun, often had public-spirited intentions, and set about to do no harm.
There was always a criminal element, seeking to profit from insecure systems and conduct profit-driven attacks like premium-rate telephone fraud or carding. However, talented hackers were quick to dismiss such behavior as lame and sought a higher calling, trying to help the world instead.
The industry sprang up, and with it the governments of the world, addicted to hacking, drove the price and value of hacking tools and material skyward. In the early 2000s, an RCE exploit for a popular web server might set you back the cost of a small car; an LPE, a bottle of vodka and a few packets of cigarettes.
As the price of these attack tools rose, so too did the employment prospects and salaries of people who knew how they worked and how to create them. Criminal gangs could not easily recruit talented hackers, as they were happily earning six-figure salaries at major tech companies.
This economic shift has been in place for years: in the economy of malware and intrusions, those who chose the blackhat lifestyle struggled to make the same sums as their whitehat counterparts, and often they would seek to enter the industry for better prospects in life.
The governments and industry raised the price of exploits to small-mansion money, as it was largely seen as a way to price amateur and criminal hackers out of the market. Crime groups were not likely to pay $100k for an RCE, and thus many powerful attacks stayed out of their reach.
When you start giving organized crime groups $11 million USD or $5 million for an attack that involves a split amongst some 10 threat actors at best, you leave them with a huge cash reserve that they can spend on buying material that PREVIOUSLY WAS OUTSIDE OF THEIR BUDGET.
This economic shift is placing the ball in the attackers' court. They are no longer going to struggle to attract skilled and talented individuals, who may also see the risks as not too significant and thus may not be motivated to seek professional employment when crime will pay.
Every single time you pay a ransom, you increase the kitty available to the crime gang. They aren't hackers in the traditional sense; everything they do flies in the face of the ethics and traditions passed down generationally through t-philez and e-zines amongst hackers.
As these groups are now the ones able to hold the large purse strings, reins which previously were held by the defense, military, LE, intelligence and security service sectors, they are able to attract some of the best and brightest talent, as well as purchase the best tools.
When you start to think about paying a ransom, just stop and realize that for every one ransom paid, another 10 victims are created. The ONLY WAY to slow this growth in behavior is to target the economics, the financial incentive, which fuels the attackers and their business.
Harming and disrupting systems was never part of the ethos of the hacker community, and people who engage in this behavior are not those seeking to climb mountains for the intellectual thrill of the knowledge gained; they are organized crime groups profiting from destruction.
For every major corporation paying them $11 million USD, there are thousands of SMBs, mom & pop shops and non-tech industry companies that simply go out of business, and people lose their livelihoods. Jobs are lost, families go without; these are the real human costs of the attacks.
The ONLY SOLUTION IS NOT TO PAY. I cannot stress this point enough: it doesn't matter what you think will be the outcome of paying, any payment will only have a disastrous knock-on effect and cause significant costs to others in society. It might save your data, but not the next person's.
These attacks will increase in both sophistication and frequency as the attackers begin to understand that the power dynamics and economy of hacking that kept such groups in check are now swinging hard and fast in their favor. Do NOT pay ransomware. EVER. There is NO EXCUSE!
