
The Ransom?
Bitcoins? And if you don't have any, then what? Basically f**cked, I suppose. Then again, opening a dodgy document/email might be considered foreplay to getting f**cked via malware.
The infamous Cryptolocker malware, which encrypts your computer files and demands a payment of £534 ($860) to unlock them, may have been sent to "tens of millions" of Brits, Blighty's crime-busters warned today. According to an alert from the UK National Crime Agency (NCA), a fresh round of ransomware-loaded spam posing as …
Savvy crims, get paid, and boost the value of your investment!... Still, lots of unanswered questions...
#1. What if a user spots a dodgy serial number looking exe in talk mangler, can they kill it?
#2. The BBC site said many users were paying and not receiving the key?....
#3. I want to know how drive-by attacks are infecting machines too. But all the news articles harp on about are dodgy attachments. However, originally drive-by attacks were also reported. So what was the attack vector: Java, Flash, other 3rd party plug-in, JavaScript etc etc?
If you don't have bitcoins, they expect that you'll buy some. Which you can do on any one of many exchanges. These criminals are smart enough to make sure they're hard to trace (Bitcoins are anonymous), but relatively easy to collect from their victims (you can legally and easily buy bitcoins online, you don't have to mine them yourself).
I guess this is good for getting new users into Bitcoin... But honestly it seems to me like the people who really want to see Bitcoin succeed would want to see an end to this sort of thing. It's just another reason policy makers can cite as proof Bitcoin is used 'primarily for criminal purposes'. If some people don't get their act together it's going to be hard to refute that claim.
Seems to me that the solution is obvious.
Don't use Windows.
I too have been the recipient of a number of spurious bank e-mails. I didn't touch them, of course, but even if I had they would have just bounced off as I use Linux.
No, I'm not smug, just happy I got off the MS train of death years ago.
"Why is this a Windows only thing? I mean this specific malware was compiled for Windows but the attack vector is phishing and irrespective of the OS the user would have permission to write to those files."
Because, like Windows, Linux file systems have an "execute" permission. The difference being that when Linux saves a file, the execute permission is disabled unless you manually enable it, preventing the malware from running by double-clicking the attachment.
This makes running malware a lot more difficult, since you first need to know to change the permissions to execute the file and in doing so, probably understand that it's not in fact a weirdly named PDF but an executable pretending to be.
Assuming you have given it execute permission, it still only executes in your user space, unless you're also stupid enough to enter your password and run it as root (assuming IT gave you the password). Since these businesses have been set up professionally with backups, nuking your user space isn't such a big issue as it can be restored and the OS remains intact.
This is why malware is more prevalent on Windows. Linux can still be infected, you just have to get the user to jump through a lot more hoops and they're more likely to trip on them and get suspicious.
This write-up doesn't say it, but others do:
The malware "disguises" itself by files like "foobar.pdf.exe" and giving itself the PDF filetype icon.
Windows, being Windows, and trying not to overwhelm our dear little heads with trivial information, comes with "hide extensions for known filetypes" checked on (one of the first things I undo on a new install).
So to Joe Average, they are clicking on a PDF, not an EXE.
Keep in mind, over the last 5 or 6 years, MS's "security" has been crying wolf ALL the time wrt to files. With regards to anything, really.
For example, I can't even open my own Word files in an email at work without being nagged to death by Windows. Heck, I can't even _edit_ my own .cmd files in Notepad without a warning. So many users will dismiss whatever warning it does throw.
So, yeah, maybe if Linux desktops had 80% penetration then someone might have cobbled more attack vectors together and malware wouldn't be "Windows only". And, as a Mac user, I figure we are overdue for a real nasty - Apple's security record is patchy, but BSD saves their bacon most days.
But this particular flavor of fubar has Redmond's signature all over it. Not least, the lack of execute permissions on Windows files and the delegation of that responsibility to the user.
Likewise. I went Linux about six years ago, and although I obviously benefit from the added protection it gives me, that is only one of the reasons I had for making the switch. I'm almost tempted to hope that Linux remains a minority interest on the desktop, just so that it is not worthwhile for the bad guys to attack it - even though that would be harder to do in the first place.
More to the point, the cybercrime issue is now so serious that only governments, co-operating on a large scale internationally, can begin to combat it. But, as has been observed elsewhere in other comments here, they seem to be much more interested in watching the sheep than catching the wolves.
It is a different world now. The average dude or dudette, using Android on their mobile device, will not suspect such an attack. It is true they will not run into a CryptoLocker type threat (yet), but for Linux newbies; they will fall for any social engineering trick in the book. So no matter what OS you use, if you don't have a clue, you will get pwned. At least the enlightened few here on the REG will never fall for such a scam; but we must be sympathetic for the bozos who do.
I notice with some amusement that my original post "Nasty" is getting mixed reviews. 26 up 26 down at the time of writing.
Let me explain why I said what I said about not using Windows.
It is NOT a personal attack on those using Windows, use what you like. I did however follow Microsoft's advice in deprecating unsafe software. MS itself has advised users not to use SHA-1 as there are serious concerns as to the lifespan of this algorithm see:
http://technet.microsoft.com/en-us/security/advisory/2880823
So, if it's good enough for MS to say don't use something that is potentially unsafe, then it should follow that if the OS itself poses extreme risks to a user's data then it too should be avoided. Not an easy choice to make but if you are responsible for the safety of say, a company's data, then you really should consider eliminating anything that poses a threat to that data.
As I said this is not a personal attack on anyone's choice of OS, just a suggestion to be as safe as you can be. The trouble is that the readers of El Reg probably don't need that spelled out for them, it's the general public who need to be informed of the threat. Though given the take up in Android and iOS that may mitigate some of the problem.
The uptake of Android and iOS isn't going to mitigate anything. Windows is not the subject of these attacks because it is less secure but because it is more popular. As alternatives become widely used we will (and already are) seeing more and more attacks against them too. The common factor is the User, not the OS.
"The common factor is the User, not the OS."
And if the OS is inherently more secure then what does that do for the general risk to a person's data?
Reduces it, I think.
The uptake of Android and iOS will mitigate the threat from using unsafe OSs if it means that such an insecure OS is replaced by a more secure one.
Since it doesn't attack .EXE files, just change the extension of all your important files. Any decent OS can work out what app to launch from the file contents. Oh wait... Did someone say it attacks MS based OSes.
Just tested it on a .DOC, .JPG and .TXT on my PC and seems to work well. I can even get rid of the extension completely and it still works. Does seem to confuse the thumbnails though - OOPS!
If Windows didn't use extensions for file types then it would presumably use proper file types which are independent of filenames. I'm fed up with getting attachments typed as binary data (Application/octet-stream) because some stupid Windows or webmail client hasn't bothered to set the Content-type properly.
One problem is that if Windows users hide frequently used extensions, which is/was the default, then the attackers can send filenames ending in .doc.exe which look like .doc files if you've overlooked the fact that you shouldn't be seeing .doc either.
The ransomware is usually a .exe file inside a .zip file. I've received loads of them not just pretending to be from financial institutions but also from couriers.
Pretty easy to mitigate this one, as is the case with most Windows malware that isn't custom tailored by a State Actor anymore. Disallow email attachments as you should have done 10 years ago (there's nothing that you can't use dropbox or the like for that absolutely has to be sent through email), don't download dodgy executables and don't pirate programs. If you do, use some common sense and scan the shit out of them before installing. Disable autorun (I can't believe that one still has to be said), and run the cryptoprevent tool from foolishit (or alternatively, manually add the registry keys that the tool adds if you don't trust the tool). Spending 15 minutes mitigating across your Windows clients is a hell of a lot cheaper than buying two bitcoins.
Of course, don't let any of this stop some of you from your juvenile pissing and moaning about how Windows sucks, though no one in the real world cares. Really, if some FOSS people spent half as much time actually helping the projects they care about and attempting to fix fairly major and/or confusing problems as they do complaining about things they can't change in regard to the proprietary vendors, maybe there would be some solutions to the glaring problems preventing the >1% desktop adoption rate from increasing, but it's easier and more fun to blame someone else I guess. It amazes me that the insecurity and persecution complex is still ongoing among far too many members of the community when it has been high time to grow up for quite a while now.
IMO, You need to be able to use, secure, and support everything on the market including but not limited to Windows, every fragmented bit of Linux distribution, Android, iOS, *BSD, AIX, HP-UX, and OS X and have a working knowledge of experimental edge cases like Haiku (among others) if you consider yourself a professional, otherwise find a different field to work in. IT is not a monoculture, it never has been and never will be.
I realize that email attachments are the source of much of the undesirable code out there. But email attachments are also the source of a lot of desirable business that's out there as well. My business would grind to a halt in a quick fast hurry if we didn't allow attachments. What you're suggesting is like disallowing cars on the highway because cars are a major source of accidents.
A well managed system doesn't disallow common operations, it mitigates the risks associated with those operations. Anybody can just turn things off. It takes someone who actually knows what they're doing to work within the requirements of the business.
Yes and no, Don.
Yes, in the real world, you can't expect an average SME not to use risky procedures/technology to keep up with the competitors. And neither can you expect them to understand the risks and/or - in the majority of cases, in my experience - pay for effective mitigation.
But no, because the system - in this case, the bit of the system called email attachments - is an enormous risk that, really, your average SME should not be taking. And this will only get worse, as time goes on - Crime is a lucrative business and the internet is a great place to carry on in that enterprise.
In a system in which anonymity is on by default - and extremely difficult to turn off - no one should be receiving anything from any one. At least no one without the - or finances to acquire the - knowledge necessary to make sure what is being received is fit to be viewed.
As history shows - and will, no doubt, go on showing - breaking something is much, much easier than building something that cannot be broken. Dig up that bloke Hadrian and ask him. And never mind Ukrainian students, all he had to deal with were a few Scottish lads with a tin or two of blue paint.
Me? I remember when CDs were indestructible ...
EDIT: Forum Overlords. Merit Badge Award: "Your post contains some invalid HTML". It probably still contains a few other invalid things, but even the limited help is much appreciated by this idiot :-)
I don't know... If a SME isn't going to allow attachments you're getting really close to the dreaded 'does the average person/small business need a computer at all' line.
Unless you've got a really weird business that doesn't need supplies or has only one or two suppliers that sell fixed price commodities then operating without email is going to cause all sorts of expensive problems. Both parties are going to have to develop and enforce IT policies that for the vast majority of SME's and upstream SME suppliers are beyond their means. The vast majority (over 65%) of SME's in the US have annual revenues of less than $150k. Less than 25% of B2B vendors (suppliers) have revenues over $1m. Asking either of those groups to step up their IT is nearly a wasted effort: They simply don't have the means.
You're going to end up with one of two solutions. Either an IT guy who is driven insane by exemptions or staff that just work right around the blocks and create new attack vectors in the process. I would argue that larger organizations could develop functional 'no attachment' policies and processes far easier than a SME.
Even if you did manage to browbeat people into not using attachments I've yet to meet a successful SME owner or executive that's going to deal with those restrictions. They're the most likely to fall for some stupid spear-phishing attempt anyway. All you've done by blocking attachments is make things more complicated and risky. With an attachment you've got a known risk and lots of ways to defend that opening.
I agree, Don - In the real world it's basically the same as the high % of drivers who beetle-about uninsured. Probably won't happen to them; deal with the consequences, at the time, if it does.
The BBC was reporting this cryptovirus story, with the headline/sub "the cops" say SMEs need to be on the look out,
But really, this situation (and many, many others like it) is the equivalent of plod announcing that a serial killer is on the loose, and that people should stay inside and lock their doors ... when the thin blue line knows very well that almost all of the potential victims have no idea how to use a key (or even have a key ... or a door).
I'm in full agreement that, in the real world, stuff will go on porning a % of business and individuals so long as IT pays well (by remaining complex).
But when that same system is delivering routing instructions to Chuckiton Couriers' fleet of 3 driverless vans? ... And what about those medical/carer robot gizmos? Let's hope those old folks remember to flash their robot-friend's firmware, when a backdoor is (inevitably) found. When it's time for her colostomy bag to be changed, gotta hope granny isn't following the practices of today's SMEs: hoping that 2007 pirate copy of ZoneAlarm - with a sub that expired in 2010 - will get her by ... And that granny can afford the upgrade, when support for her XP version expires next year.
The original point - of this bit of the discussion - was that email attachments were too unsafe to be allowed. I would have preferred the point be that, unless "you know what you are doing" (or paying someone else who knows) then email attachments are not safe to accept. But the point probably still stands.
The wider issue is - if something so "simple and everyday" cannot be made safe, then - piling more and more critical things on that same system, to be used by the same users or same skillsets, is asking for a lot of bother.
Once her robot has granny by the throat, it will cost a lot more than $800 to decrypt the ReleaseTheOldBatAtOnce routines.
Oh, spam isn't that bad, and viruses can't hurt you. Wait until it infects something in Parliament/Congress and lots of congressional staffers have to pony up. Then we might see something about blasting this type of thing.
Where is the FBI/Scotland Yard when you need them??
"Where is the FBI/Scotland Yard when you need them??"
And there it is. You know their response will be a more diplomatic version of, "Oh so now you do want us to keep tabs on the whole internet so that we can swiftly apprehend criminals. We'd like to do a better job of protecting the public but these pesky privacy laws.. "
Surely some security expert has already found the IP of the master server and blocked or advised not to contact it?
I also think that for once the perps have at least done a clever attack. It might teach people one day to not stupidly believe the security they've just got their credit card out for and have some initiative themselves.
OK, can someone explain how the bitcoins get transferred from one account to the other, and there be no trace whatsoever of where they've gone? Surely the coins have to go somewhere? And they are only of any use to a criminal if they can be converted into real cash? That means that a bitcoin account must have a real world bank account attached to it? And the world's police agencies cannot trace that?
Bitcoin accounts (known as addresses) only have numbers. No name or other identifying information is attached. On the other hand a full record of every transaction is publicly available and they will as you say probably want to sell them for standard currency sooner or later. They will no doubt try a few tricks to confuse the trail, but it's still worth investigating.
The reason they decrypt is that it encourages victims to pay. If word-of-mouth was that they just rip you off (more than they have) then no one would pay up. If people know they can get their vital but foolishly un-backed-up data back then they will pay.
One of the companies I help sysadmin got this. Fortunately we ensured that they had 2 independent backups + shadow copies enabled so we could get them back to roughly where they were that morning.
Yes they do attempt to decrypt every time. The occasional reports of things going wrong are most likely due to network shares becoming unavailable, or the malware being unable to re-establish connection to the C&C server.
The frightening scenario is of more than 1 user in the same organisation being hit at the same time. If they both have the same network share mapped, each copy of the malware will encrypt files on that share - resulting in files encrypted twice...and possibly not in the same order. If one PC is faster than the other (or has faster network access) it could start decrypting a drive behind the other one, then overtake it.
Both ransoms would have to be paid, and the decryption process run on both machines concurrently, so that when one PC threw up a "cannot decrypt this file" error, it would have to wait for the other PC to decrypt the file before it could undo its encryption.
Our organisation has several "departmental" shares that hundreds of users have mapped at any one time. Luckily we do comprehensively back up, but only every 24 hours. I dread an infection here.
You can protect a computer with the free CryptoPrevent utility. Once it is infected though you need an uninfected backup. If you haven't made a conscious backup, you might be able to recover files using ShadowExplorer (also free) - kudos Microsoft for their clever volume shadowing auto-backup feature.
Or of course you can try paying the crooks. I'm surprised to see that the BBC report, presumably taking its info from the police, suggests that people who pay *don't* get their decryption key and just lose their money as well as their documents. From what I've read, paying the ransom does work, it would be pretty stupid of the crooks it if didn't. I suspect some deliberate misinformation from the authorities.
Admin privileges aren't needed for software to make itself run on Windows 7 or 8.
Admin is only needed if it installs into Program Files or another "protected" folder, or adds keys to HKLM.
If it just installs into My Documents and adds auto run keys to HKCU, admin isn't needed and it can just go ahead and do anything to anything the user could.
This isn't a privilege escalation, it's just doing anything a normal user could do - rearrange their Start menu/start screen, and mess with the user's files.
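The point above is that a standard user can establish persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run without ever touching HKLM or Program Files. The check a defender wants is therefore "what is in the current user's Run keys, and does it launch from somewhere a standard user can write to?". The script below is an added example (not from the original thread or from any tool named in it): it parses a `.reg` export of those keys, as produced by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, and flags entries whose executable lives under the user profile, AppData or Temp rather than under Program Files or the Windows directory. The registry text embedded at the bottom is a constructed sample; the value name `Sample_Update` and its path are invented for illustration.

```python
import re

# HKCU autorun keys a standard user can write to without elevation.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Roots only an administrator can normally write to (assumption: default install drive C:).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Markers of locations writable by an unprivileged user.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "%appdata%", "%localappdata%",
                 "%temp%", "%userprofile%", "\\temp\\")


def _unescape_reg_string(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, string_value) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, rest = line.partition("=")
            m = re.match(r'^"(.*)"$', rest)      # only string values; dword:/hex: are skipped
            if m:
                yield key, name.strip('"'), _unescape_reg_string(m.group(1))


def executable_of(command):
    """Extract the program path from a Run-key command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_run_keys(reg_text):
    """Return [(value_name, exe_path, reason)] for Run entries that merit a look."""
    flagged = []
    for key, name, command in parse_reg_export(reg_text):
        if key not in RUN_KEYS:
            continue
        exe = executable_of(command).lower()
        if exe.startswith(TRUSTED_ROOTS):
            continue                       # admin-only location; expected for real software
        if any(marker in exe for marker in USER_WRITABLE):
            flagged.append((name, exe, "autorun from a user-writable path"))
        else:
            flagged.append((name, exe, "autorun from an unrecognised path"))
    return flagged


# Constructed sample export: one legitimate vendor entry, one entry of the kind
# described above that runs straight out of the user's roaming profile.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Sample_Update"="\"C:\\Users\\alice\\AppData\\Roaming\\Sample_Update.exe\""
'''

if __name__ == "__main__":
    for name, exe, reason in audit_run_keys(SAMPLE_REG):
        print(f"{name}: {exe}  <- {reason}")
```

Anything this reports is not automatically malicious (plenty of legitimate per-user installers also drop into AppData), but it is exactly the set an analyst should reconcile against known software before deciding whether the machine needs the backups discussed elsewhere in this thread.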
If only somebody could think of something like an Execute flag that only an admin could set?
"You mean NTFS advanced setting "Traverse folder/execute file"? ;)"
I think he means done properly, i.e. not turned on by default/inheriting the permissions of the parent. If the user had to extract/save the file, right-click, properties, security, tick "execute" and then double-click the .exe, infection rates would drop massively.
"You can protect a computer with the free CryptoPrevent utility."
Which is all well and good if you knew of a safe, malware free, 100% trustworthy, unhijacked source for it ... and that assumes that the software itself is not a trojan that only installs crypto.
I suppose I'd better take the risk and download a potentially insecure program from a totally unknown source on the internet to lock up a piece of malware which I don't yet have so don't know if aforementioned package will be sod all good anyway.
I'm going to start chanting, reading charred bones, drinking urine and spreading duck fat on my keyboard to stop infection next ... I just love computers
Yes, but scanned for what?
I've lost count of the number of friends/acquaintances who have installed AV on my advice, then complained two years later that their PC has nasties on it.
No, of course they haven't kept their virus defs up to date - too much like hard work - despite the fact that (I thought) I'd drummed it into them that it was a necessity.
Who knows how up-to-date GMail's scanning is? Sure, it's helpful:- but don't become complacent and totally rely on it.
" get a Gmail account. Attachments are scanned for you."
I see quite a few emails now which have a footnote of "This email has been scanned" (doesn't say who by, what for, anything useful like that).
As I see them in my works email, I suspect it might be the local Microsoft-centric IT department.
Either way, I have no idea what that footnote means.
Anyone else seeing similar? If it IS the IT department they'll be using standard MS tools and maybe a bit of Sophos or similar?
Assume 10 million is the real number.
Now let's say .001 are actually infected. That's 10,000 actual infected PCs. Of that we will have to high/low on who actually pays.
10,000 pay. Approx £5,340,000 in one month.
5,000 pay and the rest wipe and start over. £2,670,000 in one month.
Who in their right mind is going to pass up that kind of money if they can get away with it?
The SAS cannot just drop into Russia. They have at least to tell the FSB first, otherwise the rubberhosing will be applied on the incorrect recipient.
Here is a little story about "unannounced operations" by the CIA in Turkey, for instance. It's a fun read:
Didn't happen in our department, so no. I believe the idiot has been identified, but she's only one among many.
(PAs are the worst for disobeying rules and nobbling AV software so they can open attachments on the basis "It might be important" - even after getting repeated warnings about it. They're almost impossible to sack too)
This malware (in fact pretty much all malware) is easily avoided in a corporate environment:
1) Block incoming attachments that contain executable files.
2) Use an executable white-listing software so that users cannot run any program unless it is pre-approved. Applocker is built into Windows and will do this job with ease.
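Step 1 above, together with the earlier observation that the lure is a file like "foobar.pdf.exe" whose real extension Windows hides, and the note that the executable usually arrives inside a .zip, can all be checked at the mail gateway with the same logic. The Python below is an added example, not code from the original thread or from any product mentioned in it: it examines an attachment's name for a direct executable extension, for a document extension planted in front of the real one, and for padding spaces that push the extension out of view; it examines the content for the PE "MZ" signature regardless of name; and it opens zip archives and applies the same checks to every member. The extension lists and size limits are assumptions, and the attachments at the bottom are constructed samples.

```python
import io
import re
import zipfile

# Extensions Windows runs directly on double-click (assumption: a typical block-list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                         "js", "jse", "wsf", "wsh", "msi", "hta"}
# Extensions users expect to be harmless; "invoice.pdf.exe" trades on these.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate very large zip members
MAX_NESTING = 3                        # zip-in-zip-in-zip is deep enough


def name_findings(filename):
    """Reasons the filename alone looks deceptive or directly executable."""
    reasons = []
    parts = [p.strip() for p in filename.lower().rsplit("/", 1)[-1].split(".")]
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + ext)
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("document extension ." + parts[-2]
                           + " in front of the real one (hidden-extension lure)")
    if re.search(r"\s{5,}\.[^.\s]+$", filename):
        reasons.append("run of spaces pushing the real extension out of view")
    return reasons


def content_findings(data):
    """Reasons the bytes look executable regardless of what the name says."""
    if data[:2] == b"MZ":
        return ["content starts with MZ (Windows PE executable)"]
    return []


def scan_attachment(filename, data, depth=0):
    """Return a list of (path, reason) tuples for one attachment.

    Zip archives are opened and every member is scanned the same way, because
    in these campaigns the executable normally arrives inside a .zip.
    """
    findings = [(filename, r) for r in name_findings(filename)]
    findings += [(filename, r) for r in content_findings(data)]
    if data[:2] == b"PK":
        if depth >= MAX_NESTING:
            return findings + [(filename, "archive nested too deeply; not inspected")]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner_path = filename + "/" + info.filename
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((inner_path, "member too large to inspect"))
                        continue
                    findings += scan_attachment(inner_path, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append((filename, "PK signature but not a readable zip"))
    return findings


def build_sample_zip():
    """Constructed sample: a zip holding a 'PDF' that is really a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.pdf.exe", b"MZ" + b"\x00" * 62)  # fake DOS header only
    return buf.getvalue()


# Constructed attachments: a real PDF, the zipped lure, and a space-padded screensaver.
SAMPLES = {
    "statement.pdf": b"%PDF-1.4\n%%EOF\n",
    "Invoice.zip": build_sample_zip(),
    "photo.jpg                                .scr": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        found = scan_attachment(name, data)
        print("BLOCK" if found else "allow", name)
        for path, reason in found:
            print("   ", path, "->", reason)
```

The policy decision is deliberately left to the caller: a gateway that follows step 1 would reject any attachment with a non-empty finding list, while a mail team that still needs zips to flow might only quarantine those whose findings include a PE signature or a hidden-extension lure.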
The problem is that many businesses receive hundreds of unsolicited attachments every day, quite often in PDF form. Almost all of the mail received at UK University Admissions Offices is of this type. If someone gets an email with an attachment that has "PDF" on the end, chances are they'll open it, especially if it has a recognisable PDF icon.
How do you prevent users doing this? Simply telling them not to open unsolicited emails is not the answer, since that will stop them doing 90% of their business. You can't rely on email server AV scanners, since the fact that corporate users are opening these mails proves that AV companies are having a hard time keeping up with the malware's changes in code.
The answer is to educate users in the concept of hidden file extensions, and the fact that a PDF attachment will not say "PDF" on the end, and if it does, then it's likely there's a hidden "EXE". Unfortunately this is a concept that the majority of users (who have been brought up on the Windows graphical "point and click" environment of the last 30 years) find difficult to grasp.
Oh and unhiding file extensions isn't the answer. We had a bunch of machines a few years ago with "hide file extensions" turned off by default. The result was that users would happily give their Office documents a name, save them, and then be unable to find them again. The reason? They were overwriting the ".DOC" or "XLS" on the end, so Word and Excel (which use extension filters) didn't show their files anymore.
The best strategy to beat this is to mitigate the effects by educating users into the wisdom of regular offline backups. The malware's going to keep spreading because users gonna keep clicking, and so long as people are prepared to pay (because they have no alternative), Cryptolocker is a success. There will be more like it.
Sure, regular backups aren't going to help recover that important file that you updated only 30 minutes ago, but if it's only the one file there's less incentive for you to fork out £4-600 to decrypt it. If you didn't backup several gigabytes of network files that constitute the whole of your business, then yes you'll pay silly money to get it all back, and that's the area where the malware thrives.
"Can you think of a plausible use for a windows feature that allows one type of file to masquerade as another for the purposes of being executed by mistake ?"
Well yes I can. To allow apps to be opened by double-clicking files with a particular file extension - arguably one of the most important innovations in GUI computing for 30 years. So important a feature in fact that every other graphical OS has copied it. I'm running Linux with an LXDE desktop and if I change a file extension to DOC, the icon changes to a big fat "W", indicating that I've got Libre Office installed. I am reliably informed that OSX also does this.
Ok so it goes wrong sometimes (note the default association of NFO files), but nobody could have anticipated it would be hijacked in the 21st Century to enable propagation of malware.
"Fix the OS properly, Microsoft"
Apart from the fact that you actually mean "Fix the OS properly Apple....Gnome...LXDE...KDE...Microsoft..." , what would you suggest? How would you redesign the graphical interface so that a user can easily identify files that open with a particular application, and then open that app by double-clicking the file...without enabling that feature to be hijacked by malware?
Exactly. I think most email servers are set up to reject emails containing executables from the outside - the only ones I have seen that users receive are executables inside a zip file.
I advised my customers to look at the file extension (which is displayed by default in Outlook) and if it says .exe or .zip at the end, don't click. If it looks legit, forward me it for advice. I even sent them screenshots of what a bad 'un would look like.
Users do stupid things, often believe they're too busy or don't understand or it's our (IT's) problem to follow advice and good practice. But when the best practice doesn't take much effort to follow and it's easy to communicate why the threat is such a big deal (in this case it translates to hard currency), the results are good.
I've received from HM Revenue & Customs (who would not send out random emails)
And Fedex (I am not expecting any deliveries nor have ever used Fedex)
Might it be useful if other readers listed any suspect emails they have received and these were collated into an editorial piece ?
Bitcoin is the currency for crime, easier than cash or any physical high-value asset as no personal contact is involved. There have been times and places where a state has made the holding of Gold illegal - in 1933 USA "criminalized the possession of monetary gold by any individual, partnership, association or corporation."
Time for similar legislation in respect of bitcoin.
While we're at it the fraudsters other friend is Western Union whose security checks on recipients of cash transfers appear to be sufficiently lax that the fraudster gets away with it. Make WU responsible for a refund if fraud is proven.
"What is the UK National Crime Agency doing about this besides sending out warnings?
Because, let's face it: my little sister could do that."
But could she manage to spend £500 million a year doing it? That's more than a million flagons of scrumpy a year! ;-)
I personally think that CryptoLocker is some ingenious piece of Software, and I am surprised nothing like this has emerged sooner, and I am disappointed that I didn't have the idea to make it happen myself. Kudos to the developers, don't get too greedy.
This might even have a positive effect on people who just click anything that's mailed to them.
When will return on investment calculations favour ditching computerised working methods for paper based working methods as the cost of computerised methods is so open to extortion, hacking, widespread leaking?
(face it, wikileaks would have a tougher time if all that stuff were not in digital form stored on digital media)
Return of the Luddites?