Recurring |
one_organization, multiple_organization |
(a) The software failure incident having happened again at one_organization:
- Proven Data Recovery was involved in paying ransoms to cyberattackers, such as the SamSam hackers, to unlock data for their clients [84557].
- Proven Data Recovery paid a ransom to unlock files for a real estate brokerage in Anchorage, Alaska, affected by the DMA Locker ransomware [84557].
- Proven Data Recovery continued to pay the SamSam hackers even after one of their employees, Jonathan Storfer, left the company [84557].
(b) The software failure incident having happened again at multiple_organization:
- Another US company, MonsterCloud, was also mentioned in the article for paying ransoms to cyberattackers without informing victims, such as local law enforcement agencies [84557].
- MonsterCloud was praised by four local law enforcement agencies for restoring their data following ransomware attacks [84557].
- Both Proven Data Recovery and MonsterCloud were highlighted as firms in the US that dominate the industry of unlocking victims' computers affected by ransomware attacks [84557]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase:
- The SamSam ransomware attack paralyzed computer networks across North America and the UK from 2015 to 2018, causing significant damage to various entities [84557].
- The strain of ransomware known as SamSam was developed by two Iranian men who orchestrated the extortion, targeting public agencies with missions involving saving lives and impairing their ability to provide healthcare to sick and injured people [84557].
- Proven Data Recovery and MonsterCloud, two US companies, paid ransoms to cyberattackers to obtain decryption tools, instead of using their own data recovery methods as they claimed [84557].
- Proven Data Recovery and MonsterCloud charged victims substantial fees on top of the ransom amounts, offering services to unlock data but actually paying ransoms to hackers [84557].
(b) The software failure incident related to the operation phase:
- Proven Data Recovery and MonsterCloud paid ransoms to cyberattackers to unlock data for victims, indicating a failure in the operation of their data recovery services [84557].
- Victims of ransomware attacks, including law enforcement agencies, turned to companies like MonsterCloud for help in restoring their data following attacks, showing a reliance on external services due to the failure to protect against ransomware [84557].
- The FBI noted that ransomware attacks are a top cybercriminal threat, with victims often not reporting incidents due to embarrassment or reluctance to acknowledge gaps in their IT security, highlighting operational failures in cybersecurity measures [84557].
- The lack of effective law enforcement response to ransomware attacks led to the emergence of companies like Proven Data and MonsterCloud, indicating a failure in the operational aspect of combating cybercrime [84557]. |
Boundary (Internal/External) |
within_system, outside_system |
(a) within_system:
- The software failure incident involving the SamSam ransomware strain was primarily caused by factors originating from within the system itself. The ransomware paralyzed computer networks across North America and the UK, causing significant damage to various entities [84557].
- Proven Data Recovery and MonsterCloud, two companies involved in assisting ransomware victims, paid ransoms to hackers to unlock data, which was a contributing factor within the system leading to the failure incident [84557].
- Proven Data Recovery obtained decryption tools from cyberattackers by paying ransoms, indicating an internal factor contributing to the failure incident [84557].
- The companies involved in paying ransoms to hackers developed relationships with the attackers, negotiated payment deadlines, and facilitated ransom payments, all of which were internal factors within the system leading to the failure incident [84557].
- Proven Data Recovery paid ransoms to hackers at the direction of their clients, including hospitals, which further highlights the internal factors contributing to the failure incident [84557].
(b) outside_system:
- The failure incident was also influenced by factors originating from outside the system. The SamSam ransomware strain was developed and orchestrated by two Iranian men, indicating an external factor contributing to the failure incident [84557].
- The ransom demands and payments were made using bitcoin, which is intended to be anonymous and difficult to track, showcasing an external factor outside the system that influenced the failure incident [84557].
- The US Department of Justice indicted the Iranian men responsible for the ransomware strain, highlighting external factors that played a role in the failure incident [84557].
- The US Treasury Department banned payments to digital currency destinations linked to the attackers, citing sanctions targeting the Iranian regime, which was an external factor influencing the failure incident [84557]. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
- The software failure incident in the article is primarily attributed to the strain of ransomware known as SamSam, which paralyzed computer networks across North America and the UK from 2015 to 2018 [84557].
- SamSam ransomware caused significant damage to various entities, including cities, medical centers, and government agencies, by encrypting files and demanding ransom for decryption keys [84557].
- The ransomware attack disrupted services, delayed medical treatments, and caused financial losses, showcasing how non-human actions (the ransomware) led to the software failure incident [84557].
(b) The software failure incident occurring due to human actions:
- Human actions also played a role in the software failure incident, as some companies like Proven Data Recovery and MonsterCloud paid ransoms to the hackers to unlock encrypted data for their clients [84557].
- These companies facilitated ransom payments to cyberattackers, sometimes without informing victims, and developed relationships with hackers to negotiate payment extensions, indicating human involvement in the incident [84557].
- The actions of these companies, including paying ransoms and interacting with cybercriminals, contributed to the resolution of the software failure incident caused by the ransomware attack [84557]. |
Dimension (Hardware/Software) |
software |
(a) The articles do not provide information about a software failure incident occurring due to contributing factors originating in hardware.
(b) The software failure incident reported in the articles is related to ransomware known as SamSam, which paralyzed computer networks across North America and the UK from 2015 to 2018. This strain of ransomware caused significant damage to various entities, including cities, medical centers, and government agencies. The incident involved the encryption of files by cyberattackers, leading to disruptions in services, delays in medical treatments, and financial losses [84557]. |
Objective (Malicious/Non-malicious) |
malicious, non-malicious |
(a) The objective of the software failure incident was malicious, as it was caused by a strain of ransomware known as SamSam that paralyzed computer networks across North America and the UK from 2015 to 2018. The attackers behind SamSam targeted public agencies and organizations involved in saving lives, impairing their ability to provide healthcare to sick and injured people. The cyberattackers collected at least $6m in ransom in return for restoring access to the files, and they knew that shutting down computer systems could cause significant harm to innocent victims [84557].
(b) In contrast, the software failure incident was non-malicious in the sense that some companies, like Proven Data Recovery and MonsterCloud, claimed to assist ransomware victims by unlocking their data with their own technology. However, it was revealed that these companies actually paid ransoms to hackers to retrieve the data, sometimes without informing the victims. This non-malicious aspect involved companies misleading clients about their methods and not being transparent about paying ransoms to hackers [84557]. |
Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
The intent of the software failure incident related to the SamSam ransomware attack can be categorized as both poor_decisions and accidental_decisions:
(a) poor_decisions: The incident involved poor decisions made by companies like Proven Data Recovery and MonsterCloud, who paid ransoms to hackers to unlock data for their clients. Proven Data Recovery, for example, paid ransoms to the SamSam hackers, which raised ethical concerns about potentially funding terrorism and organized crime [84557].
(b) accidental_decisions: The incident also involved accidental decisions or unintended consequences, where companies like Proven Data Recovery and MonsterCloud may have misled clients about their methods of data recovery or failed to disclose that they were paying ransoms to hackers. This lack of transparency led to misunderstandings and potential ethical dilemmas for the clients [84557]. |
Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence can be seen in the case of the SamSam ransomware attack mentioned in Article 84557. The incident involved Iranian hackers developing the strain of ransomware known as SamSam and orchestrating the extortion, causing significant harm to innocent victims, including public agencies with missions involving saving lives. The attackers impaired the ability of these agencies to provide healthcare to sick and injured people, showcasing the consequences of the ransomware attack [84557].
(b) The accidental aspect of the software failure incident can be observed in the case of Proven Data Recovery and MonsterCloud, where these companies paid ransoms to hackers to unlock data for their clients. In some instances, the companies may have paid the ransom without informing the victims, leading to potential misunderstandings and ethical dilemmas. For example, Proven Data Recovery paid a ransom to unlock files for a real estate brokerage in Anchorage, Alaska, without explicitly mentioning the payment to the victim, raising concerns about potential deception and lack of transparency in the process [84557]. |
Duration |
temporary |
The software failure incident described in the articles can be categorized as a temporary failure. This is evident from the fact that the incident involved ransomware attacks by the SamSam strain, which paralyzed computer networks across North America and the UK from 2015 to 2018 [84557]. The incident caused significant damage to various entities, including cities, medical centers, and government agencies. The attackers demanded ransom payments in exchange for restoring access to the files, and companies like Proven Data Recovery and MonsterCloud facilitated these payments to the hackers to help victims regain access to their data [84557].
Additionally, the articles highlight that the ransomware attacks were ongoing and involved negotiations with the hackers to lower ransom amounts for clients. Proven Data Recovery, for example, had a list of hackers who could provide decryption keys quickly and at reduced rates, indicating a temporary nature of the failure incident where negotiations and payments were made to address the immediate impact of the ransomware attacks [84557]. |
Behaviour |
omission, other |
(a) crash: The incident described in the articles does not specifically mention a system crash where the system loses state and fails to perform its intended functions.
(b) omission: The incident involves failures where the system fails to perform its intended functions in some instances. For example, the ransomware attacks caused delays in medical appointments and treatments for patients nationwide whose electronic records couldn't be retrieved [84557].
(c) timing: The incident does not directly relate to failures caused by the system performing its intended functions too late or too early.
(d) value: The incident does not directly relate to failures caused by the system performing its intended functions incorrectly.
(e) byzantine: The incident does not directly relate to failures caused by the system behaving erroneously with inconsistent responses and interactions.
(f) other: The behavior of the software failure incident described in the articles can be categorized as a ransomware attack that paralyzed computer networks, encrypted files, and demanded ransom payments for restoring access to the files. This behavior falls under the category of a cyberattack involving extortion and data encryption [84557]. |