Price of an education...
...for those without working, protected backup copies I guess.
It's not your job to defend the world against criminals, so the decision to pay a ransomware demand is all about business. The likes of FBI Cyber Division deputy chief James C. Trainor disagree. The Bureau recently advised organisations not to pay lest they "embolden" criminals and encourage others to start using …
A backup containing encrypted files is not particularly useful you know.
You have to have layered "defence in depth" backup going back weeks if not months to deal with this. That is generally not available for an end-user PC in _ANY_ company. It is done only for servers.
And how much do you trust that you won't get hit again with ransomware? Any time I run across a PC with a nasty on it I assume that no matter what I do there's a chance some back door or other nasty will be left on the machine, and I wind up wiping it anyway. Yes, it may take a while to get the data back, and yes, the luser will be stuck reinstalling all their programs, but if I reimage the system at least I don't have to worry about missing a back door. And I keep months of images around, so an unencrypted version of the data should be available.
@nerdbert: Nuke and pave. Format, scram disk, reinstall.
If you're especially paranoid put in a fresh HDD/SSD, take the old one out and put a 1/4" drill bit through it a few times, douse it in petrol and set light to it; once out and cool, beat repeatedly with a hammer, then encase the remains in concrete and bury in an old mine shaft.
You could always run it through a degausser instead but it's not nearly as much fun...
Absolute nonsense. If My Documents and Desktop are redirected on desktop PCs, and laptops have their documents sync'd, then the server backup will capture user data too. Server backups in every place I've worked are done daily, sometimes hourly, with every two weeks or monthly a backup run off on tape and stored in a fire safe. I was doing this in the 90s for a small company of 5 people; our CAD drawings were our business.
It's not a case of it can't be done; if you run a business which relies upon accurate data which you can restore upon equipment failure or malware then it's simply common sense and surprisingly cheap to do. Hell, at home I use Crashplan, Google Drive etc. to ensure I have multiple copies going back YEARS.
Yes it's best to prevent infection but any competent professional will plan for when they can't.
Not even just the pros. That folder of family photos needs to be kept backed up, safe.
Yet we still hear of distraught people who have lost all their precious piccies because they lost their mobile phone, let alone a HDD. This is 2016 and too many of us, individuals and businesses, still trust to luck that our data will still be available where we left it.
"You have to have layered "defence in depth" backup going back weeks if not months to deal with this. That is generally not available for an end-user PC in _ANY_ company. It is done only for servers."
I don't recall seeing that bit in your original post...
OS vendors could nip a lot of this in the bud and avoid having to educate people about backups by shipping their OSes with a default filesystem that supports snapshots. This isn't bleeding edge technology anymore, it has been around for several decades.
You mean like OS X and Time Machine? The feature that has been baked into the OS since October 2007.
Oh, I forgot, Register types only consider Windows and Linux to be acceptable "grown up" OSes, and so they are crying over their overwritten backups as we speak.
In Italy, to put a stop to kidnappings (very frequent in the '70s-'80s - remember John Paul Getty III?), a law was passed to hinder families from paying ransoms. A very hard strategy, true, but it paid off. There are no more kidnappings. With the State itself hindering payments (up to blocking money), threats to families became useless.
(Then the State itself pays off terrorists for hostages abroad for electoral reasons - and the result is they are valuable prey for those looking for cash.)
It is true that kidnappers will not, most of the time, risk a homicide if they can't get a ransom (if they are "professional", to avoid a harsher incrimination), while ransomware criminals have no reason to give back your data if they can't get money.
To be fair, there is an economic argument for paying a ransom to get your data back. The moral argument is secondary.
There's no economic argument for paying a kidnapper's ransom: even if you don't want the minor inconvenience of having to recreate your genetic progeny there are plenty of second-hand kids available and you may even be paid to take them. There may be a moral argument - guess it depends on the child...
> nor the family tech geek responsible for storing that sad lone copy of family photos
You may as well treat a ransomware infection as if it were a catastrophic hard drive failure. You have a 2-3% probability per year of that happening in the early life of the hard drive anyway. If you're not prepared for such a failure, well, clearly you were happy to accept the consequences.
Ransomware can also permeate into backup media.
True, but keeping an eye on the backup process can help detect large deltas.
The way I do backups has been the same for many years:
If something were to start encrypting files en masse, I would see it pretty soon, either in the rsync summary (being longer/larger than usual) or in the size of the increment as stored on the disk---after the backup, I calculate the delta size by counting files that only have a single hard link; these must be the changed files. Because hard-linking takes up relatively little space, I maintain these "snapshots" going back for quite a long time and only delete them manually, so that gives me a second chance to notice any damage and to roll back when it does happen.
I also use a hand-rolled file integrity system based on the same idea as the "shatag" tool. I will periodically update SHA256 hashes for all files and store them in the file system as extended attributes. I also collate these hashes across all machines and use the metadata to enforce a replication policy across multiple machines (or at least to verify that it's working). I've also got a separate scheme (using erasure codes to give a high level of redundancy with modest overheads) for cold/archival data.
One other thing I've toyed with is using the LVM snapshot facility. It could replace the hard-linking scheme I use to some degree. In this case, larger-than-expected deltas would overflow the copy-on-write buffer, alerting me to something strange/unusual via a message about a failed backup. I prefer the hard-linking scheme, though, since it's more permanent and gives better historical integrity. LVM's snapshot facility is perfect for backing up volumes with databases on them, though, since you get an atomic backup without needing to lock the database first.
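The hard-link snapshot scheme and the "count the single-link files after the backup" delta check described above, as an added Python model (not the poster's rsync setup): rsync's link-dest behaviour is replaced by a small copier so it runs offline on a constructed sample tree, and the function names and the 50% changed-file threshold are assumptions.

```python
"""Hard-link snapshot backup with a mass-change (ransomware-style) delta check.

Each snapshot directory holds hard links into the previous snapshot for
unchanged files and fresh copies for changed or new files. Right after a
backup, any file with a link count of 1 must therefore be a changed file.
"""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def latest_snapshot(backups: Path):
    """Most recent snapshot by name (names are assumed to sort chronologically)."""
    if not backups.exists():
        return None
    snaps = sorted(p for p in backups.iterdir() if p.is_dir())
    return snaps[-1] if snaps else None


def take_snapshot(source: Path, backups: Path, name: str) -> Path:
    """Create backups/name from source, sharing unchanged files with the previous snapshot."""
    previous = latest_snapshot(backups)
    snap = backups / name
    for root, _dirs, files in os.walk(source):
        rel = Path(root).relative_to(source)
        (snap / rel).mkdir(parents=True, exist_ok=True)
        for f in files:
            src, dst = Path(root) / f, snap / rel / f
            old = previous / rel / f if previous else None
            if old is not None and old.is_file() and filecmp.cmp(src, old, shallow=False):
                os.link(old, dst)      # unchanged: one more link to the stored copy
            else:
                shutil.copy2(src, dst)  # changed or new: fresh copy, link count 1
    return snap


def changed_files(snap: Path):
    """Files copied fresh into this snapshot. Run this immediately after the backup:
    a later snapshot linking to these files raises their link count above 1."""
    return [Path(r) / f for r, _d, fs in os.walk(snap) for f in fs
            if (Path(r) / f).stat().st_nlink == 1]


def delta_report(snap: Path, total_files: int, ratio_threshold: float = 0.5) -> dict:
    """Size of the increment plus a flag when an unusually large share of files changed.
    The very first snapshot looks like a 100% change by construction."""
    changed = changed_files(snap)
    ratio = len(changed) / total_files if total_files else 0.0
    return {"changed": len(changed),
            "bytes": sum(p.stat().st_size for p in changed),
            "ratio": ratio,
            "suspicious": ratio >= ratio_threshold}


def demo() -> dict:
    """Constructed sample run: a normal day's edit, then a day where every file is
    rewritten and renamed, which is how mass encryption shows up in the backup."""
    work = Path(tempfile.mkdtemp())
    src, backups = work / "home", work / "backups"
    src.mkdir()
    n = 4
    for i in range(n):
        (src / f"photo{i}.jpg").write_bytes(b"JFIF-sample-" + bytes([i]) * 100)
    take_snapshot(src, backups, "day1")
    (src / "photo0.jpg").write_bytes(b"JFIF-edited" * 10)          # one ordinary edit
    day2 = delta_report(take_snapshot(src, backups, "day2"), n)
    for p in list(src.iterdir()):                                    # every file replaced
        (p.parent / (p.name + ".locked")).write_bytes(os.urandom(64))
        p.unlink()
    day3 = delta_report(take_snapshot(src, backups, "day3"), n)
    shutil.rmtree(work)
    return {"day2": day2, "day3": day3}
```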
Your process is admirable, but not in the realm of technical capability of Aunt Kath. Remember the comment thread you are replying to basically says that about 3% of disks will fail without any malicious ransomware, so it is hard to have sympathy for those without backups. That's why I think of who the victims are. The average El Reg commentard is too super DevOps skilled to fall for the phishing schemes that deploy this ransomware. But our Aunt Kath will go right ahead. So the people most at risk of infection would have no clue what rsync or hard links mean and the concept of incremental backups isn't even on their radar.
There is so much CRAP backup software out there, that Aunt Kath will be very lucky to avoid paying.
Let's assume that she uses Windows. Virtually none offer a bare metal system backup. So we also assume she is backing up only her treasured photos.
Most simply synchronize a copy of whatever is current in the cloud; there are not a lot that provide previous versions, if they are indeed actually working (not at all helpful 'cause the photos are now encrypted!).
So even if Aunt Kath tried to do the right thing, the market will mean that she has probably failed.
The law and the police aren't something outside of society (or at least they shouldn't be). They are just some specialists that we as a country are employing to help us in achieving our ideal of how society should work. The job of creating that society in the image that we want is ours.
You wouldn't, I hope, ignore a shoplifter or walk past some teenagers mugging an old lady. How is this different?
I've upvoted you for the sentiment, but you asked "how is this different"?
If I saw someone breaking into a car and stealing a hard-drive or a camera, I wouldn't ignore that, of course. As you say it is our duty to intervene.
But if someone stole a hard-drive containing my family photographs, or the only copy of (encrypted) customer data, or unencrypted sensitive information, or a camera whose card contains the only copy of someone's wedding photographs, I would pay the thief to get it back.
What's the difference? One is a crime in progress, the other is mitigating the damage from a crime which has already occurred. They are different.
You're right it is different and I've probably been a bit lazy with my analogy. But there are two crimes; one is encrypting your hard drive and the other is extortion. The latter is still in progress at the point you're deciding to pay the ransom.
Fun fact. If you suspect that the ransomware group may be funding terrorists and you pay them anyway then you are a criminal too.
If I'm mugged at gunpoint, that's a crime in progress, but I'll be handing over my wallet all the same. If a child is kidnapped, in practice you find that people often do what the criminals want first, then go to the police only afterwards.
Comparing on the one hand, paying an extortionist to retrieve irreplaceable property, and on the other, being too idle to shout "Oi!" at a casual thief, is just silly. They are different.
For you to become a criminal would require a jury to find you guilty.
I would say that if you commit a crime, you're a criminal. If you haven't been found guilty then (quite rightly) the criminal justice system will treat you as innocent, no newspaper would be allowed to call you a criminal, etc., etc. But without wanting to get into too much of a philosophical discussion of Objectivism, there is such a thing as reality. It may be the case that what matters for the question of whether you should be treated as a criminal is whether you have been found guilty. But for the question of whether you are a criminal, all that matters is whether you committed the crime.
"What's the difference? One is a crime in progress, the other is mitigating the damage from a crime which has already occurred. They are different."
No. The second is actually adding another crime to one that has already occurred. First you have the crime of theft, and then you have the crime of extortion that is still underway at the point you hand the money over. So they are both ongoing, and not as different as you suggest.
Why pay the person holding your belongings to ransom?
Why trust them twice over? The first time with what they now have, the second time with what you are now giving them?
If you start paying shoplifters to take items from your store and return them... is it not a rod for your own back?
Most of the victims are not IT savvy; you can't blame people for that.
The ransomware plague has made me change my backup plans, especially as malware now deals with networked drives etc.
So I now have 3 backups. The cost of a 3TB drive is small enough to justify the cost, and my songs, pics and docs which I have collected since I was using my Amiga are more precious to me than a 90 quid hard drive.
People need educating, not berating for not being IT savvy. Remember, some of these non IT people are surgeons, solicitors, scientists. Not understanding malware does not automatically mean they are not intelligent.
Sadly most people, including some IT-literate sorts, simply have no plan for data loss. It could be a HDD failure, some "gross administrative error" formatting something, a laptop being stolen, or a cryptolocker attack. Sooner or later it happens (couple of % per year for HDD, no idea how common cryptolocker is in comparison) and only then do most folk do anything about it.
When it's too late.
I own a circular saw I bought for one job. I pretty much could guess how it worked, but after revving it up and realizing I could take my leg off with this thing, I did half an hour of safety research before embarking on the single 15 second job it ever did.
Problem is that computers are sold as "being easy" with vendors of all ilk going out of their way to tell you all the wonderful things you can do (/expose/lose if it goes wrong).
If somebody breaks into your house and steals your TV (does anybody do this any more? anyway...) the police would be expected to come round, dust for prints, and make a vague attempt to recover your TV.
Can you imagine walking into your Police station with an encrypted laptop and asking them for help?
No, they need berating and shaming for being too LAZY to learn even the BASICS of IT. It's 2016 - time to stop catering to the intellectually lazy.
If someone refused to learn anything else needed to live in today's world, people would call them crazy, etc. But if it's tech related--in today's COMPLETELY tech dependent world--OH NO, it's okay if you're intellectually lazy... someone will wipe your arse for you every time.
Time for people to either put out the effort to learn technology, or STOP using it (and screwing it up for the rest of us) entirely!
Paying up means potentially getting items decrypted, it can also mean getting nothing back or getting partial data back - which is arguably far worse than accepting some data loss and restoring from a known good backup source.
And nobody ever considers data theft and tampering. So you get "your" "data" back, but never consider if the crooks tampered with your payroll records and updated the bank account numbers with their own? Come payday, you pay them a second time.
What if the highly confidential documents you had were stolen? You wouldn't want your competition to go over them, would you? So you pay them again. Do you trust them enough that they never showed the documents to anyone?
The malware artists won't have taken your documents away -- just encrypted them in situ so that you can't access them. What you get (if you're lucky) when you pay the "ransom" is not a clear copy of the documents, it's a key you can use to decrypt the copies that are still on your PC.
Methinks a hacker who wanted to alter your payroll data or steal your documents for blackmail purposes wouldn't draw attention to his visit by leaving ransomware as a calling card.
"To this end the FBI and others would be better saving their breath and offering advice about how victims can identify and then decrypt their ransomware infections, rather than delivering sermons from an ivory tower"
However although "breaking criminal business models is not, however, the job of the system administrator" it is the FBI's job so the best thing they could do is get on with it.
"There is considerable risk here and all payments should be made with the expectation that crims will take the money and run."
Surely if the expectation is the scammers will take the money and run you shouldn't pay?
If you don't think you'll get the data back in any event then write it off as lost, and don't give your money away for no benefit.
Suppose your PC got infected with ransomware and you got the message, etc., but police managed to capture the criminal behind the ransom, but you didn't pay up yet? Do you have any chance to get your files back, or are they completely lost?
It depends on whether you find out about it in time, and whether the ransom-bound keys are recovered by law enforcement, and whether they actually work to find who needs them, and whether they deliver. At least you can prove that a key is right whereas if you paid them, good luck proving any of their money came from you...
But the fact is that in business, the cost of paying is lower than losing data or being unproductive for days or weeks. So I guess:
A) Backups! Keep them on stored media if possible? (You might unintentionally back up the ransomware if you back everything up to a storage device)
B) Harangue users about opening attachments and going to links from unknown sources.
C) Like walking outside in winter, lots of layers are best, except in this case we're talking security.
D) I suppose that air gapping would help, if you have some systems or networks where it is practical to do that.
Once again you bunk up an article because you didn't read your source correctly. This, or you're just remarkably stupid. This is what the FBI's website states:
The FBI doesn't support paying a ransom in response to a ransomware attack. Said Trainor, "Paying a ransom doesn't guarantee an organization that it will get its data back—we've seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity."
Just another left wing idiot who repeats what others tell him, instead of doing research himself and using his own brain to critically come to a conclusion.
So, reread the FBI's web page. The information provided is sound.
The article did NOT say that the FBI recommends paying up.
In fact I believe it was the author saying that paying up was reasonable under many circumstances, despite what the FBI said.
The Bureau recently advised organisations not to pay lest they "embolden" criminals and encourage others to start using ransomware.
Trainor added that "by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals."
-1 for left-wing idiot (center-right myself, not a lefty). No need for political insults, is there? Was there anything political in the article?
2nd, you mistakenly conflate your expertise (which I accept at face value) in issues involving high-profile, high-value targets, such as DoD and banks with its applicability in this case.
The situation is very different. In one case, the organization presumably has high value, sensitive information. And, one would hope, actual restorable backups somewhere. Along with a staff and consultants to deal with the damage. The perps are doing this on a low volume basis, so they may as well extract as much from one victim as they can, no reputation to manage.
On the other side is Joe Shmoe, homeowner. No significant value data, outside of confidential info whose confidentiality is fried either way, whether you pay up or not. No staff. Possibly no backup. Data which in many cases is just going to be photo/video in nature.
The perps' best interest could be to "appear honest" and actually restore the data, since they cast a wide net and hit many victims.
i.e. you are in the right in your sphere of work. But it does not automatically transfer to the modern ransomware phenomenon, which seems to scale best with automation, many victims and minimal subsequent manual exploitation by the initial perps (though I wouldn't be surprised at selling off the data to other crims for future exploitation). Time will tell.
This article is food for thought. I don't agree with it entirely and I think planning and backups are the better plan. But I agree even less with your glib over-generalizations and dismissive disdain of those who don't have your expertise.
What a gaffing laugh this is. Perhaps Mr. Pauli won't mind reimbursing a victim then... when they take his advice, pay up, but don't receive a key to unlock their data. Or the data has been screwed with.
I've been in InfoSec for a long time, working for both the Department of Defense and the banking industry. I know many of my peers, and I can't think of one person who in general and as a rule recommends paying the ransom. There may be a few exceptions where the risk is acceptable, but for the most part... it isn't.
The big factor your informed opinion lacks is: loss of control over the data. In short, your data is no longer trustworthy. You don't know what changes have been made to it. What code has been added to it, etc. You may get your data back, but it may come with some extra bits you don't want. You're basically paying for f-up'd data which could cost you a lot more later on.
It's apparent you and your other 'informed' friends aren't very experienced with ransomware, outside what you hear from other people with opinions but little experience.
I suppose there are instances where some data is obvious if tampered with, photos and video. But you'd have to strip it of everything except the raw images to be safe after the fact.
Oh, and I'd only attempt the physiological payment, not the economic one with these guys. Though just spending time on the effort might be enough of a waste.
Maybe, blinkered by your own experience, you assume there is a big factor: the loss of control of data.
However, for the high volume, low value cryptolocker business they don't have the time to try and process your data and do something with it. It would be possible (but no cases confirmed yet) that they would locate files of value based on location or extension, like data from accounting software, and transfer that out while encrypting your data. But the scheme here isn't to steal data, something that would be best done with a rootkit botnet tool, but to encrypt the files and ask for payment.
And if the web is full of reports of the decryption failing / data being tampered with when paid then they would see a decrease in payments, as the author noted. Ransomware hasn't shown signs of data siphoning.
I think rather, when thinking about data theft and modification, you should be worried about the silent rootkit-botnet that you've had installed for months, which once it has collected your important data then deploys some ransomware to encrypt your photos and whatnot to squeeze the last cash out of you.
I don't advocate paying ransomware; instead I advocate multiple high quality backups. I'm yet to find the perfect solution for the home user, but third party software backing up to an infrequently connected USB drive usually stored elsewhere generally ticks the boxes, as long as you can afford to lose the data between connections and backups.
That said, most home users I come across don't have any backup, so paying to have a hard drive recovered or a ransom, it's all they can do to get it back.
Embolden? This guy is a fucking moron so no surprise at his statements.
It seems that "being a fucking moron" is on the job description for FBI mouthpieces at present...
He needs to embiggen his educationing.
As do we all. But in this case, his use of the word "embolden" is correct.
Yes, paying ransomware is bad for society in general, and you might not even get your data back, but ignoring all of that there's still the fact that your computer has been compromised by bad guys. If you pay them, it's been compromised by bad guys who know you have the means and willingness to give them money.
That is not your computer any more. Whether you get the data back from it or not, you can't trust anything on it.
Time to wipe down to bare metal. If you have the skills, you could try and first determine how it was compromised to avoid future repeats, but the thing's good for nothing else before it's been cleansed with fire.
We recently experienced Cryptolocker and whilst we recovered pretty well, it was not a pleasant experience.
There were three features that kept us from the front pages:
1. The virus didn't replicate itself (apparently some now do)
2. We have four hourly backups to a cloud provider
3. This one will draw some heat from the many anti-microsoft readers (if they scroll this far down): We change the location of My Documents from their local drive, to OneDrive for Business. OneDrive (and SharePoint) comes with version control, so should one version be encrypted, simply restore the previous.
There was no f(*&ing way I was going to pay these bastards.
So no matter what systems or tools you use, your objective should include finding a way to NOT store data only on a device.
I hope this helps.
Making random payments to unidentified bad guys in the hope that the data fairy will grace you with a visit sounds like hopeless optimism, to me.
... but if the purpose of the ransomware is to extort money to fund a terrorist organization it may (depending on where you live/work) be a crime to pay the ransom. Even where it is not directly a criminal offence, any victim who decides to pay is likely to attract uncomfortable scrutiny from the security forces.
FBI could make plenty of fake trails on forums etc about these 'professional' ransom attacks, falsely claiming that keys were not forthcoming after payment was made. That's one way to discourage payment -- users will google the message and draw the conclusion that it's not worth paying. Not a completely legit strategy but not as bad as most of the stuff they get up to.