
The end is near
Seriously, the time is now to get the F out of any business that depends on IT.
A third of a billion dollars! To be fair, no less ill-gotten than every dollar McAfee or Symantec have ever made.
The fourth iteration of the world's worst ransomware Cryptowall has surfaced with gnarlier encryption tactics and better evasion tricks that have fooled current antivirus platforms. Ransomware has ripped through scores of businesses and end-user machines in sporadic and targeted attacks that have cost victims millions of …
At least to get the F out of anything dependent on a single vendor…
I avoid systems that rely on Apple and Microsoft these days. Sure, use these platforms, but do not rely on them: aim for systems that can move between these, and other platforms, so that should things turn sour, you can move with minimal disruption.
I found it easier for small offices to lock down OSX than Windows, which is mainly the reason we're using it. I'd love to go all out Linux, but the commercial software we use exists on OSX and Windows, and then OSX is simply the easiest way forward (also less expensive over its lifetime).
Mind you, we're not addicted to Apple - I don't see the point of throwing out huge wads of cash for a high res screen from Apple when the same can be had from the PC market for far less, and I personally prefer a Logitech mouse over the "thing" that Apple calls a mouse, magic or not.
Time to bring back public gibbetings and perhaps introduce live human dissections posted to YouTube. These fucking worthless sociopathic parasites serve no good use to humanity whatsoever. They can't be redeemed or rehabilitated. They are vermin, and they should be exterminated, like vermin.
How long do we need to wait before someone at NSA/GCHQ/KGB/etc. figures out that tracking this scum down and releasing the keys would actually get them some good publicity for a change?
Anyway, hanging's too good for them, I'd suggest public "stoning" with the encrypted, bricked, 3.5" disk drives. We could charge $5/throw, money to go to the victims.
>Because you don't get ransomware on Linux.
Just goes to show Linux is getting more like Windows every day (thanks Red Hat!). That's why you are better off on a purer POSIX OS that places a premium on code correctness, like the BSDs or even Solaris (though if you are stupid enough to run lots of userland code unjailed as root on an internet-facing server, no OS is going to save you).
>introduce live human dissections posted to YouTube. These fucking worthless sociopathic
I agree they are pieces of feces and deserve long jail sentences but wanting humans dissected for public entertainment is beyond sociopathic and into psychopathic land.
"But what if they transfer their ill-gotten gains directly to charity?"
Well, firstly for some reason I doubt they do. Second, even if they did, it doesn't excuse blackmailing people with ransomware. To argue a charitable cause as a justification for such vile behaviour is treading perilously close to ends justifying means.
"wanting humans dissected for public entertainment is beyond sociopathic and into psychopathic land."
Or the product of a mind that has been reading too many George R.R. Martin novels lately... ;)
Why sure they do ... they keep IT freelancers employed and they let us have the "I told you so" phrase when they don't want to pay for the security and backup solutions that we know work.
Everyone should have a cold storage system in place that grabs snapshots. This should be a Linux box that has almost all of its functions disabled.
Deploy AppLocker policies so that only executable code placed where users cannot write to can be executed.
Use shadow copies and keep backups. The one that encrypted / decrypted on the fly to poison backups sounded particularly evil, however would have been defeated by AppLocker.
Unfortunately, whilst AppLocker may be the best defence on a budget that many people have, it isn't a complete solution.
For example, you probably allow IE or Word to run; AppLocker doesn't monitor what those processes execute, and you are still at risk of this.
The latest iteration of Craptolocker does make it difficult; databases can be tested if you have something like Veeam SureBackup, individual files are far harder.
A decent backup strategy (that's tested on a regular basis)
This… is what saved us last time CryptoWall struck.
That, and the fact that CryptoWall decided to try for some very big and juicy virtual machine images, which bogged it down since it was doing the re-write over gigabit Ethernet shared with the entire office. So it was something of a monkey-trap: it had a fistful of files that it would not let go of, but couldn't fit its laden fist through the hole to release itself.
I think we lost about 6 files on the network drives, none of which were of any great importance.
But did you read the bit: "That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key."?
The encryption happens under your nose, without you being aware of it for a number of months. You don't know about it because there's a decryption layer in place... until they decide to ask for the ransom.
Even backups aren't going to save you now. Even if you have backups going back that many months, can you afford to lose all the work you've done since then?
This is getting really ugly.
> But did you read the bit: "That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key."?
> ...
> This is getting really ugly.
The really ugly bit is if (when) your anti-virus program gets an update, realises you are infected and removes the virus. Then you suddenly find there is no way to decrypt your data, and you don't even have the option of paying the ransom.
Interesting dilemma though, isn't it? There's a similar one regarding hostage takers. If the policy is never to give in to demands then inevitably that means there will be some casualties - hostages will be injured or killed - but equally if the hostage takers realise that they will never get paid, even if they prove willing to kill the hostages, does that make it less likely they (or others) will try again?
The loss of data is similar. It's unlikely to be as bad publicity as a government refusing to pay up for its citizens, so if all anti-virus programs remove the ability to pay up, and the people behind the encrypting software realise they will never get paid, does that mean they'll stop doing it?
Of course this will never work because there is always someone who will pay.
Where's the IT equivalent of the SAS, parachuting in, in the dead of night to "take out" the hostage takers and recover the hostages?
M.
Tackle it at OS level.
Store data in a drive or partition only accessible to specific servers. Applications request read/write through these services, similar to a database engine. ID is extended to include application as well as user so the service can be set up to limit write access to the correct application & maybe grant read access to other specified applications e.g. you can only update your contacts via the contact app but your email client can ask for an email address.
The server would need a mechanism for verifying the ID of the request and the application installation mechanism would have to be fairly closely guarded to ensure substitutions weren't made.
One tricky aspect would be having storage that is out of bounds to the kernel - or maybe some sort of micro-kernel arrangement. I'm not sure Windows could manage this, but maybe OpenBSD could.
All our user data is held on ZFS running on Linux or BSD machines, which are mounted as Samba shares on the Windows boxen, with GP to redirect every folder the user can write to onto the network drive. No access to any local filesystem is permitted.
ZFS snapshots hourly, sends backups to the onsite backup (more ZFS) nightly, and the onsite backup backs up offsite weekly.
Any user machine that is infected with anything is simply confiscated and an identical unit dropped in to replace it whilst it is DBAN'd and then re-installed by one of our hell-desk monkeys. During this process the user gets a strict telling off and isn't allowed to carry on working until they've reset every password we have under the watchful eye of one of our IT team.
Obviously it's not perfect - users could manage to get files in their home directory encrypted and then that could make its way through the layers of backups before they noticed. On the other hand, there's a word for data like that: "WORN", so it probably won't matter.
Mostly however we protect ourselves by running Linux on every desktop that doesn't _HAVE_ to run Windows for operational purposes. In a building with over 1000 machines in it, the asset DB tells me only 89 of them are Windows.
>Put Windows in the bin where it belongs.
No, Windows is actually a decent host OS for VMs (for home use anyway), and for the widest selection of games they need that Windows bare metal. Try not to access the internet with Windows though, regardless. Solaris runs nicely under VirtualBox on Windows and it gives you a sweet unity mode for free for non-business use. That way you can run all your internet apps under Solaris right on your Windows desktop, and at least for me it had all the software I needed available.
I realize that they have <ahem> expenses... but this is unbelievable. I almost would expect them to drop out of sight and go live on their ill-gotten gains.
Ok... expenses... cops maybe? Influential country leaders? Bankers? Someone's handling the money at their end.
Who would know...? Since TOR is involved, I'd suspect that NSA or one of the 5-Eyes would or could know but then they would lose a tool for their escapades in spying.
Still... that much money and they're still at it. They must have one hell of a retirement fund set up. And yes, if they're ever caught, hanging would be too good for them.
Unlikely to be state sponsored; generally they are after information and so are low and slow. The last thing a state sponsored attacker would do is raise a flag.
This is classic organised crime; lots of these gangs are moving from drugs into malware because of better margins and less chance of getting caught.
States have all manner of objectives. Stuxnet was not about gaining information, it was about industrial espionage. The CIA has a long and poorly distinguished history of drug and gun smuggling to raise money for the gift of democracy and freedom. Iran Contra or more recently Fast and Furious had objectives other than information. The 'intelligence' agencies supporting the 5-eyes shadow government monitor all internet traffic that passes through their domains and the NSA has compromised TOR. Is it really conceivable that they cannot trace the traffic or, failing that, cannot offer a decryption service? It is far more probable that this is yet another black ops money raising exercise for people like ISIS R US than to believe that the combined resources of Western governments cannot hack a control server in plain sight on the internet and find the people behind the malware.
True, there are different motives, but the only motive here is money. Stuxnet isn't really comparable; it was also low and slow, trying to hide itself and the damage it was doing for as long as possible.
It's a profit exercise. As another poster points out, sometimes to stop these kinds of things as a government you would need to show your hand in terms of tooling and control. It doesn't always mean they couldn't stop the attackers, just that it's a balance.
It could be a government, but I think it's way less likely than an organised crime group.
In 'state sponsored' terms, this would be pretty small potatoes. For comparison, the UK - itself a second-rank player in intelligence - spends about £2 billion a year on the whole field, so one-third of a billion over several years doesn't really compare.
No, this is organised crime at its best worst most typical.
They will be hunted, they will be traced, they will be caught. They already know this. It's only a matter of time. Enjoy the Ferrari while you can guys. The brightest burn the shortest.
Prevention/detection? Checksums I guess. Behaviour issues on file stores; massive numbers of files being accessed at once should be an alert for the OS to stop and warn. As for the database key replacement... can't think of a way to handle that, unless the engine keeps a secondary repository and if the key changes, it flags up and stops processing.
So move them to an RO repository off your PC and only keep the stuff you are working on in a RW storage location.
Will be doing that with the NAS's this week. Not that I expect to get caught but my security is dependent to some extent on the security of those I regularly communicate with and frankly they're probably rubbish.
Agreed, I already do this myself. Have done for a few years. The normal desktop account can read, but there is a separate one for write back to the OpenIndiana server via SFTP. And even then, none of those accounts have admin access to the server itself; those are separate accounts yet again.
Of course, a physical attacker can work their way through that, but it should be enough to stop software.
Did we learn nothing from the billion vulnerable to Stagefright, yet not one Android phone compromised?
The only hard fact is that 992 businesses complained they were asked for between $200 and $10000. Anecdotally, most of it is for the low end, where it is easier to pay than to bother pulling out the backup. The reason is that crims do not know the victim and assume it is SOHO. So the actual take is probably $5MM / year, and declining returns.
Clearly conventional antivirus is not pro-active and the crims are increasingly making it irrelevant. Are Windows workstations and average office users an unfixable exploitation route? If so, perhaps at some point businesses may move internet-facing workstations to something like Qubes OS -- the only way to access internet is through an untrusted VM; the only way to work on critical data and files is in a privileged VM which can't access anything beyond the hypervisor's firewall VM.
On the other hand, the entity for which I work is so deeply vested in Microsoft and Windows that it would be a huge budget-time-staffing effort to move even one department to an alternate OS, let alone the city-wide mass of vulnerable workstations currently squatting on line workers' desks. I suspect this is typical of many businesses' infrastructure?
Quod tempora haec.
Haha! Almost exactly my set up :)
I limit general surfing to a Linux running inside VirtualBox, games playing to the Windows host and all my "work" on a Windows VM running on a separate Hyper-V server. Maybe it's slightly annoying switching between the three but speed-wise it's barely any different than running it all through one Windows PC.
I take your point on OTT firewall settings though. On my next rebuild I'll take your tip and drop the "work" VM completely off the Internet and make it LAN-access only. I'll probably also dump my Windows Server in favour of something like FreeNAS. The only attack vector I'll probably leave open (purely for convenience) is sharing the clipboard between machines.
If you think of it like this: what do you need Windows or OSX for (the former being the most dangerous)? I can only make a case for games and Visual Studio.
Oh and a shout for GlassWire, not particularly efficient but very beautiful firewall monitor :)
Where I worked I saw similar (v3?) on two networks at companies (+ many home users).
Any suspect PC was formatted; server in to ours (in same town), blast away "Data" partition;
Restore backup; server back on site at 8 am next day.
I get paid and paid again to implement what I had advised.
Someone will say "you can't take a server out, how can anyone work!"
Eh.... no one could work?
One company had not had any backup 2 months prior when I started their IT support. They swapped the USB disk... both were dead.
How do you prevent this? Policies!
I'm blocking PE files at the perimeter to most desktops. I'm SSL bumping, EXCLUDING the bank(s) used, scanning all with inline AV. Email goes through a "cloud" spam/virus service, then on-box AV before getting to an Exchange server with suitable AV and policies. The user gets an email (normally they don't understand) and calls up:
"You received an attachment from 'blod@place.com'. The attachment was rejected; they have been contacted automatically, but you are advised to contact this person.
The original email is attached."
Email servers can exclude zip, and EVERY vector I've seen has been in a zip. Yeah, it's a bit of a pain, but what IS worse?
Also, the only PCs I have seen any crypto ransomware on run "not an AV" MSE. That's a swear word.
I'm getting a lot of dodgy emails these past few weeks; all vaguely business orientated. I would imagine that email attachments would be the main vector, so the cheap and nasty way would be to get your mailserver to filter out any attachments that are executable or archive files.
All the while, Bitcoin is the elephant in the room.
Without an anonymous online payment system, ransomware would not be a profitable industry.
And how are we to know that ransomware is not funding terrorism?
Is it time for a 'licensed' version of Bitcoin to appear, with a snoopers charter attached, and non-licensed Bitcoin becomes illegal?
You forget wire transfers: the money laundry de facto of the past. All Bitcoin does is take mules out of the equation, but they can easily be put back in.
And as for all the people demanding the head honchos'...heads, how do you do that if they're located in a country hostile to the West like Russia or China?
I've only encountered ransomware once, but it didn't ask for bitcoin, it asked for "Green Dot Moneypak", some sort of pre-paid cash card. So did the tech support scammers who called "from Windows" to fix my computer (I strung them along to get to this part for the hell of it).
At least with Cryptowall 4.0 there is a possibility of retrieving your non-backed-up data, unlike this strain of ransomware that completely irreversibly encrypts your data with no chance of ever getting it back:
Back your shit up, people, back it up good and proper.
1. 'Client' staff member opened payload and decided to ignore it, went home with pc running, next day couldn't figure out why she wasn't able to access anything, ignored it for most of the day until she got hold of me. Had to restore data from 3 days prior because the last 2 were also infected.
2. Called out to a domestic job, basically his laptop was fully encrypted, as was his backup which was also connected at the time. He admitted that he had taken it to a local IT shop for repairs and they couldn't do anything, so called me out. I worked out that he had been infected some 2 weeks earlier and told him that there was bugger all that anyone could do.
3. 'Client' staff member emailed me to say that a file on her desktop was no longer accessible, but because she had been busy hadn't bothered to get in touch. I remoted in, and only because her machine was full of old profiles and offline server work had it kept the crypto busy all day locally. It had just started to munch through the server when I screamed at her to pull the network cable.
Spiceworks gave me a good method using file services / monitoring that I have in place at all the sites, so if a crypto starts on the server I get an email (because clearly I can't rely on AV or users).
I still think there needs to be some sort of background monitor that can be installed on local machines that will flag up a message or perform an action if x number of files are read / modified within x number of seconds. Maybe there needs to be a folder / honeypot on the local drive that contains a couple of hundred small docs, so the only thing that would access it would be a crypto.
It's just a thought.
Nice idea on the background monitor, but I fear it is doomed. A common feature of the victims' experience is the time between first being infected, first noticing and then calling in IT help. So an attacker can go low and slow for a few days and still fly under the radar of a monitor.
And that's to say nothing of legitimate systems that beat up the filesystem. Have you ever run FileMon on a Windows machine? It's a wonder the hard drive in most laptops isn't on fire!
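The mass-file-access alert suggested earlier in the thread and the honeypot folder plus file-count monitor proposed just above, as an added Python example that is not code from any poster. The file-change events are constructed inline (a real deployment would feed them from a file-system watcher, which is assumed rather than implemented); it also exercises the low-and-slow caveat from the reply: one file a minute never trips the rate threshold, but the canary hashes still change.

```python
"""Canary files plus a sliding-window change-rate alert for ransomware activity.

Added example, not from the thread. FileEvent records are constructed inline;
in a real deployment they would come from a file-system watcher (assumed).
"""
import hashlib
import os
import tempfile
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float    # seconds
    path: str
    op: str      # "create", "modify", "rename", "delete" or "read"


class RateDetector:
    """Alert when more than max_events write-type events land inside window_s seconds."""

    WRITE_OPS = frozenset({"create", "modify", "rename", "delete"})

    def __init__(self, max_events: int = 100, window_s: float = 10.0) -> None:
        self.max_events = max_events
        self.window_s = window_s
        self._times: Deque[float] = deque()

    def feed(self, ev: FileEvent) -> bool:
        """Return True if this event pushes the sliding window over the threshold."""
        if ev.op not in self.WRITE_OPS:
            return False
        self._times.append(ev.ts)
        # Forget events that fell out of the window.
        while self._times and self._times[0] < ev.ts - self.window_s:
            self._times.popleft()
        return len(self._times) > self.max_events


class CanaryDir:
    """Honeypot folder of small documents; nothing legitimate should ever write here."""

    def __init__(self, root: str, count: int = 200) -> None:
        self.root = root
        self._baseline: Dict[str, str] = {}
        os.makedirs(root, exist_ok=True)
        for i in range(count):
            # Names that sort first, so an alphabetical directory walk reaches them early.
            path = os.path.join(root, f"0000-canary-{i:03d}.docx")
            with open(path, "wb") as fh:
                fh.write(b"PK\x03\x04 constructed canary document %d\n" % i)
            self._baseline[path] = self._digest(path)

    @staticmethod
    def _digest(path: str) -> str:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()

    def tampered(self) -> List[str]:
        """Canary files that are missing or whose content no longer matches the baseline."""
        bad = [p for p, expected in self._baseline.items()
               if not os.path.exists(p) or self._digest(p) != expected]
        return sorted(bad)

    def first_path(self) -> str:
        return sorted(self._baseline)[0]


def rate_alert(events: List[FileEvent], max_events: int = 100, window_s: float = 10.0) -> bool:
    """True if any point in the event stream exceeds max_events writes per window_s."""
    det = RateDetector(max_events, window_s)
    return any(det.feed(ev) for ev in events)


def constructed_events(n: int, spacing_s: float) -> List[FileEvent]:
    """n modify events on a share, spacing_s seconds apart (constructed sample data)."""
    return [FileEvent(i * spacing_s, f"/share/finance/q3-{i:04d}.xlsx", "modify")
            for i in range(n)]


def demo_slow_attacker() -> Tuple[bool, bool]:
    """Low-and-slow: one file a minute never trips the rate alert, but the canary does."""
    with tempfile.TemporaryDirectory() as tmp:
        canary = CanaryDir(os.path.join(tmp, "honeypot"), count=50)
        victim = canary.first_path()
        with open(victim, "wb") as fh:
            fh.write(b"\x8f\x12\x7a\xc3 constructed stand-in for ciphertext")
        return rate_alert(constructed_events(300, 60.0)), canary.tampered() == [victim]


if __name__ == "__main__":
    print("burst, 300 files in 3 s -> rate alert:", rate_alert(constructed_events(300, 0.01)))
    print("slow attacker -> (rate alert, canary alert):", demo_slow_attacker())
```

The two checks are complementary: the rate alert is cheap but needs a burst, while the canary costs a hash per file per check and fires on a single write regardless of speed.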
I predict in a few years that someone will start offering cloud VDI good enough for home users and then perhaps the attacks will cease (or at least be aimed at the cloud provider, hopefully who has a clue). That leaves games, which I would be sorry to lose on the PC platform. Of course, if VDI takes off, no one will ever buy a PC again and games for PCs will disappear.
"Of course, if VDI takes off, no one will ever buy a PC again and games for PCs will disappear."
As the song goes, "Ain't nothin' like the real thing, baby." Anyone that's tried to graft VDI onto games has run into the sheer physical obstacles of lag and bandwidth. Consoles have tried to make a dent on PC gaming for three generations or so, and instead they've switched gears. Xbox One, PS4, Steam Machines, even today's arcade machines are all based on PC architecture.
Since using a computer is an essential part of any business, why are businesses not including even some basic computer skills and security training when they hire people? Businesses today still think they can just show any old employee what to click on and how to use their specific app, and not care if they understand basic computing.
The result is what you see in every office: people who click on any browser popup, install any tool bar, open any email attachment, etc etc. The fault here lies with the business owners - who 99% of the time aren't computer knowledgeable themselves - for not making computer skills a required qualification.
"Since using a computer is an essential part of any business, why are businesses not including even some basic computer skills and security training when they hire people?"
Probably because if they did that, they'd exclude all applicants. It's hard to set a high bar when no one can clear it.
"Since using a computer is an essential part of any business, why are businesses not including even some basic computer skills and security training when they hire people?"
We use http://www.securingthehuman.org/. All staff have to go through the 50-odd videos followed by the accompanying questions. What really gets them is that if they get one wrong, the answers change, so answer A will now be C, which really makes them look at the question and answers properly. They must do this within the first month of starting.
Then one month every year - we just did ours in October - all staff, including the CEO and IT staff, do the training again, as they do update their videos and answers.
We have found that just by doing this, we are getting way fewer people clicking on stuff willy nilly. We've had 3 USB keys dropped near our premises in the last year; two had malware, and all three were passed directly to ICT. Even better, staff are now putting anyone calling up and asking questions of a social engineering nature - what OS do we use and all that type of thing - directly through to IT. So it has definitely made a difference to ourselves.
Yes,
Most people make terrible decisions/mistakes because they do not know better; a small training course every now and then explaining what a virus is, what a phishing scam is, and basic computer usage training goes a very long way to improve things for a fraction of the cost of most security suites.
Security is a process not a feature.
Also using an OS that does treat everything as an executable helps a lot in this regard.
Antivirus is just one line of defense. I don't rely on it at all. In fact, I could quite happily run without it.
Try this new program called Voodooshield:
https://voodooshield.com/
--------------I am not affiliated with this company at all.---------------
It's free and works on XP through 10. It's super lightweight, has a learning mode, and is compatible with all AV softs due to its design.
I use it as an extra line of defense in my setups. In fact, on machines that I run with NO AV at all this is always on there as it is practically invisible with practically no performance hit.
I think there is a good chance that Voodooshield would stop these cryptoviruses from running, due to how it works. It really is ingenious and there's nothing really like it to my knowledge. The free version will probably do all you want and will work fine for most use cases. If you want the extra features you can get a 2-computer license for 20 dollars, I think it is.
I use Voodooshield on my audio systems where no real time AV or AM is allowed to run, just pure system hardening via EMET etc. etc.
I really think more people need to take a look at this. The guy that codes it is active on Wilders Security which as you know is pretty much the no.1 forum on the net for these things. The dev is open to feedback and is an excellent chap to deal with.
--------------I am not affiliated with this company at all.---------------
I use everything from system hardening via EMET, to sandboxing, to VMs, to AV/AM, on-demand scanners, third-opinion scanners, HIPS (host intrusion prevention systems) like Defense+, anti-keyloggers, anti-screengrabbers etc. etc. - Voodooshield is a whole other paradigm to everything else (though it may possibly be closest to HIPS) and works so silently in the background you would never know it is there. You need to train it for a bit (like any good HIPS), but that can be turned off and on. It really is a superb bit of software. For free, the protection it gives could prevent a lot of these nasties, I believe, before they take hold.
One last time, I've got absolutely no vested interest in this company at all. Just a heads up for those that don't know about it yet.
Still, there is no substitute for having all your data backed up and tested!
At my last company, someone executed a cryptolocker binary from an unknown sender offering an invoice.pdf.exe in their personal Hotmail. I wish common sense could be taught.
The result was about 30k encrypted files over multiple network drives. Spent a few good days cleaning that up... extracting the list of encrypted files from the laptop registry, regex pokery, excel, vlookups to shadow copy paths, conversion to robocopy scripts, running them in daily batches....
The fact that this malware supposedly doesn't keep a plain text copy of affected files is giving me a cold sweat. I must remember to look into those PowerShell scripts tomorrow that try and prevent mass file changes...
Don't blame the scammers who earn millions from ransomware. Blame companies like Microsoft and those in control of web standards for making it possible for them to commit these crimes in the first place. The scammers are like poachers; they can only get away with what the gamekeeper allows them to.
How easy will it be to create a disk format or disk Firmware that prevents encryption? I'm not suggesting this necessarily for working machines, but for back-ups. This way, you will always be able to get data back (up to the last point a back-up was run).
Imagine a USB drive that was completely safe from any future encryption ransomware - I think people would buy that - if it could be done.
"How would you go about detecting encryption? How would any program be able to tell the difference between encrypted data and raw random noise?"
Actually that might be relatively easy for certain data - you could abstract the filing system, perhaps by virtualising it, from the apps and probably also the OS itself (perhaps using off-box storage for everything, such as a NAS / SAN that the machine boots from; this could possibly be built into a hard drive at some point, but it must be accessible only at a high level) with a system that was 'data aware'. For example, it knows what a .docx should look like, and if anything didn't fit into that data definition, it could be flagged, the storage cut off and the original recovered from snapshot.
The thing is, what if the .docx was corrupted from the outset, meaning the copy that's giving the system a hissyfit is in the snapshot, too? Plus, what's to prevent me from changing its assigned role? Finally, what about container formats that are multi-purpose. I can tell you magic numbers won't easily allow a computer to distinguish between an .epub, a .odt, and a .zip (because they're all, structurally, essentially identical to the last).
The whole concept of the computing model you know and love is that there is no distinction between data and code.
The processor only sees numbers, there is no way to distinguish anything other than you arbitrarily telling it what is what. You point it at data and it will happily try to execute it (and will obviously crash)
On the other hand the OS could choose not to run everything that comes from the interwebs at the minimum opportunity.
...still don't have a clue about how this stuff works.
"Make sure you have backups and you'll be fine!"
Well, yeah, by all means, but make sure they are not connected to any machine or network, as this thing will rip through your servers, mapped drives, NAS, USB HDDs and cloud. Seen it happen to a couple of small businesses in my area.
Cryptoprevent installed on maximum! Oh and maybe upgrade the security and email scanning on your cheapo Exchange server hosting too!
There is a simple way to detect ransom/crypto ware that would be hard to defeat. Just have your data drives read by another operating system that is independent of the one you usually use. Your "foreign" system should fail to successfully read ransomware-encrypted files, telling you that your working operating system has been infected. This can be as easy as having Linux read Windows files or vice versa. The anti-malware/anti-virus people could also implement something that effectively does the same, although it would be a bit more difficult to do that within your usual operating system. Simply having a guaranteed uncontaminated machine running your usual operating system reading the working system's data disks might possibly do. The bad guys would have a problem trying to hide from a file reading process that is independent of the system they have contaminated.
You know they've developed multi-system malwares capable of infecting both Windows and Linux machines in the same package? Meaning whichever system reads it, it can infect that system and compromise it, probably employ a privilege escalation and then take over the other OS.
Another way may be separate payloads for different OS's that act as poison files. If you know you're going into a system that can be read from multiple OS's, then you could keep exploits for BOTH OS's so that you can deal with both the main OS and the guard OS.
Anonymous Coward, I assume you are replying to my initial post.
Yes, I do know that payloads can and are able to infect more than one operating system. However, the presence of a payload does not mean it is operational. Note that my initial post also said that you could actually use another version of your work system that was guaranteed not to be infected by just mounting a data drive on the guaranteed uninfected system.
At some point a file read has to fail or no one would pay a ransom. Why not use that requirement to detect ransomware-encrypted files? All you need is a disk read that is completely independent of your working system. As I said earlier, you could even have the code running under an infected operating system; it just cannot use any of the usual, possibly infected, disk read/write mechanisms. Indeed, any computer that had its own, unique disk read/write method would make it difficult for ransomware to encrypt files in the first place, although it could be done by encrypting/de-encrypting at the application level.
And I'm saying that the very act of reading the file can become an infection vector. That's why you have poisoned JPG files and StageFright. Meaning there's no real way to guarantee your system will not get infected from an ingenious zero-day that can nail both real systems and guard systems regardless. And recall that newer malwares are smart enough to sleep in for a bit to try to sneak into backups and to prevent immediate detection by "poison tasters".
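The 'data aware' storage check (knowing what a .docx should look like) from the earlier exchange and the independent "does the file still read?" check from this one, as an added Python example that is not code from any poster. Sample documents and the ciphertext stand-in are constructed inline; since .docx, .odt and .epub are all zip archives with the same magic bytes, as noted above, the check looks at the distinguishing entry inside the archive rather than at the header.

```python
"""Independent 'does it still parse?' check for zip-based office documents.

Added example, not from the thread. Sample files and the ciphertext stand-in
are constructed inline. A corrupt file at the source or a bogus extension
still passes or fails on its own merits; this only tells you whether the bytes
match the format the name claims.
"""
import io
import math
import os
import random
import zipfile
from collections import Counter
from typing import Dict, Optional, Tuple

ZIP_MAGIC = b"PK\x03\x04"

# Each container is told apart by an entry name and, where the format fixes it,
# that entry's content; the PK header alone cannot distinguish them.
CONTAINERS: Dict[str, Tuple[str, Optional[bytes]]] = {
    ".docx": ("[Content_Types].xml", None),
    ".odt":  ("mimetype", b"application/vnd.oasis.opendocument.text"),
    ".epub": ("mimetype", b"application/epub+zip"),
}


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; ciphertext sits near 8.0, but so does compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_document(name: str, data: bytes) -> Tuple[Optional[bool], str]:
    """(True, 'ok') if data parses as the container its name claims, (False, why)
    if it does not, (None, why) when there is no validator for that extension."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in CONTAINERS:
        return None, f"no validator for '{ext}'"
    marker, expected = CONTAINERS[ext]
    if not data.startswith(ZIP_MAGIC):
        return False, "zip magic missing (entropy %.2f bits/byte)" % entropy_bits_per_byte(data)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()          # first entry with a CRC mismatch, else None
            if bad is not None:
                return False, f"CRC failure in {bad}"
            if marker not in zf.namelist():
                return False, f"{marker} missing, not a {ext}"
            if expected is not None and zf.read(marker).strip() != expected:
                return False, f"{marker} does not declare {ext}"
    except zipfile.BadZipFile as exc:
        return False, f"unreadable archive: {exc}"
    return True, "ok"


def make_docx() -> bytes:
    """Constructed minimal .docx-shaped archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document>constructed sample</w:document>")
    return buf.getvalue()


def make_epub() -> bytes:
    """Constructed minimal .epub-shaped archive (mimetype stored first, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", b"application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("OEBPS/content.opf", "<package>constructed sample</package>")
    return buf.getvalue()


def ciphertext_stand_in(length: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted file (not real encryption)."""
    rng = random.Random(2015)
    return bytes(rng.getrandbits(8) for _ in range(length))


def demo() -> Dict[str, Tuple[Optional[bool], str]]:
    """Run the check over constructed samples; keys are file names, values the verdicts."""
    docx, epub = make_docx(), make_epub()
    samples = {
        "report.docx": docx,
        "book.epub": epub,
        "book-renamed.docx": epub,                          # same magic, wrong container
        "report.docx": docx,
        "report-overwritten.docx": ciphertext_stand_in(len(docx)),
        "report.docx.locked": ciphertext_stand_in(len(docx)),  # unknown extension: nothing to validate against
    }
    return {name: check_document(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28s} {ok!s:5s} {why}")
```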