Since educating users and backups seem to be off the table, the solution to ransomware seems to be a versioning / logging file system, where nothing is ever deleted and anything can be rolled back.
Cybercrooks have put together Hitler-themed ransomware that simply deletes files on encrypted PCs. The (apparently prototype) Windows malware displays a lock screen featuring the infamous Austrian dictator, together with a demand falsely stating that files have been encrypted. The ransomware says files can supposedly be …
Wednesday 10th August 2016 14:34 GMT theModge
Wednesday 10th August 2016 14:42 GMT Doctor Syntax
"However the approach to delete all of the files upon reboot after initiating an OS crash leaves users few alternatives."
1. Boot from any live Linux disk and rename the user's directory.
2. Boot from any live Linux disk and back up the files.
3. If the user reboots first, and assuming the S/W didn't actually overwrite the files before deleting them, boot from one of several available live recovery disks and recover the files. I've done that with better ransomware than this one.
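The same three steps done from a second, clean Windows boot (or WinPE with the PowerShell components) with the victim disk attached, as an added example that is not part of the post. The comment's own steps use a live Linux disc; the idea is identical: never boot the infected OS, read the disk read-only, get the files out and verify them, and only then rename the profile out of the path the malware deletes. The drive letter V:, the user name alice and the destination E:\rescue are assumed values.

```powershell
# Added example, not from the thread. Assumes the victim's Windows volume is
# mounted as V: on a clean machine, the user is 'alice', and E:\rescue is
# removable media with enough free space. Run elevated.
param(
    [string]$VictimRoot = 'V:',
    [string]$User       = 'alice',
    [string]$Dest       = 'E:\rescue'
)

# 1. Make the victim disk read-only before touching it: nothing on it gets
#    modified (or run) while we read, whatever the malware left behind.
$victimDisk = Get-Partition -DriveLetter $VictimRoot.TrimEnd(':') | Get-Disk
Set-Disk -Number $victimDisk.Number -IsReadOnly $true

$profile = Join-Path $VictimRoot "Users\$User"
$target  = Join-Path $Dest $User
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 2. Copy the profile out: keep timestamps and ACLs (/COPY:DAT), backup mode for
#    files whose ACL would otherwise block us (/B), skip junctions (/XJ) so the
#    legacy "Application Data" loops do not run forever.
robocopy $profile $target /E /COPY:DAT /B /XJ /R:1 /W:1 /NP /LOG+:"$Dest\rescue.log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with code $LASTEXITCODE; see $Dest\rescue.log" }

# 3. Verify every regular file arrived intact. A partially overwritten or
#    truncated file copies fine, so compare hashes, not file counts.
function Get-TreeHashes([string]$root) {
    Get-ChildItem -Path $root -Recurse -File -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object {
            [pscustomobject]@{
                Rel  = $_.FullName.Substring($root.Length).TrimStart('\')
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}
$src  = @(Get-TreeHashes $profile)
$dst  = @(Get-TreeHashes $target)
$diff = Compare-Object -ReferenceObject $src -DifferenceObject $dst -Property Rel, Hash
if ($diff) { $diff | Format-Table -AutoSize; throw 'Rescued copy does not match the source' }
"Rescued $($src.Count) files for $User to $target"

# 4. Only once the copy is verified, and only if the disk has to go back into
#    the machine: make it writable again and move the profile out of the path
#    the malware deletes on reboot (the comment's "rename the user's directory").
Set-Disk -Number $victimDisk.Number -IsReadOnly $false
Rename-Item -Path $profile -NewName "$User.rescued"
```

If the Windows volume was hibernated or shut down with fast startup enabled, expect the file system to be flagged dirty; do the copy first and leave the rename for after you have the verified copy on separate media, since the rename needs the disk writable.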
Wednesday 10th August 2016 17:50 GMT Baldy50
That's what I was thinking, but if the person infected with this nasty doesn't know how to even DL an ISO and burn it so as to boot from it to make a repair, they'll just restart the machine and lose all.
Maybe it's time basic malware detection and removal was taught in schools and colleges along with other IT skills as an essential, necessary prerequisite to growing up in a seedy online world, from as soon as they're able.
With the clean-up software easily available from, say, Bleeping Computer and Windows BBS, lessons in reading and understanding the virus and malware removal logs, and trying out the necessary software that deals with these infections, could create a far more robust user base.
While we wait for the software companies and legal authorities to get their act together, so maybe by 2099 we'd be sorted.
I know what you're going to say, and yes, a lot of students would not have the mindset to do this sort of thing, but they possibly would spot an infection before too much harm was done and might know someone who could help them, perhaps a nerdy friend who was in the same class.
Yes, I still use trig, so as I thought at the time, along with a load of other stuff not useful to me, this would be used all the time, I'm sure. Spotting the signs is a big chunk of the problem, along with where to go for the tools you'll need and how to sort it; it might get a few more youngsters involved in IT.
Wednesday 10th August 2016 14:44 GMT ma1010
The lock screen features a misspelling “Ransonware”, further evidence that the malicious code was either hastily or sloppily put together.
And the fact that they say "Your files was encrypted" could be further evidence of hasty/sloppy assembly, or the fact that the malware writers just don't speak no good English.
Wednesday 10th August 2016 14:58 GMT tiesx150
I got a phishing email from 'Samtander' last week where the crooks couldn't even spell the bank correctly in the email subject.
Surely if these people invest the time crafting these packages to socially engineer us folk then maybe they should use spelll check?
Yes that WAS a deliberate typo. )
Wednesday 10th August 2016 15:09 GMT Anonymous Coward
Wednesday 10th August 2016 15:12 GMT Anonymous Coward
Thanks to the rather high availability of malware toolkits on the "dark" interweb, the barrier to entry for illiterate script kiddies is now dismally low. Be prepared for more of this.
There are ways to make it harder for ransomware to attack your PC (restricting access to .tmp and other files via GPOs for example). Bleeping Computer and other sites can provide guidance. Ad-blockers et al should be your friends. Despite the occasional inconvenience of such measures, I still sleep a little better at night.
Sadly, the web world remains a bad place and is getting steadily worse. Having large swathes of the PC ecosystem populated by insecure browsers, OSes, Flash installs and the many other cr*p solutions the industry must still answer for is no help.
So just stay patched up and keep educating your users about the dangers of random clickery. Good and regular backups on separate media are also useful.
It is still very difficult to fix human ignorance, fallibility (and greed) by technical means.
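The GPO-based hardening the post mentions in passing, as an added example that is not part of the post: a Software Restriction Policy with path rules that deny execution from the user-writable folders droppers land in, followed by a check that the rule actually bites. The registry layout is the one the SRP policy editor writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; on a domain, put the same path rules in a GPO rather than editing the registry by hand. The vendor path in the allow rule is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell.
$base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$deny  = "$base\0\Paths"        # security level 0       = Disallowed
$allow = "$base\262144\Paths"   # security level 0x40000 = Unrestricted
foreach ($k in $base, $deny, $allow) { New-Item -Path $k -Force | Out-Null }

# Default level stays Unrestricted, so only the listed paths are blocked.
# TransparentEnabled 1 = check executables, not DLLs (2 checks both, at a cost).
# PolicyScope 0 = the rules apply to administrators as well.
Set-ItemProperty $base -Name DefaultLevel        -Value 0x40000 -Type DWord
Set-ItemProperty $base -Name TransparentEnabled  -Value 1       -Type DWord
Set-ItemProperty $base -Name PolicyScope         -Value 0       -Type DWord
Set-ItemProperty $base -Name AuthenticodeEnabled -Value 0       -Type DWord

function Add-SaferPathRule {
    param([string]$Container, [string]$Path, [string]$Description)
    $key = New-Item -Path ("$Container\{" + [guid]::NewGuid().ToString().ToUpper() + '}') -Force
    New-ItemProperty $key.PSPath -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty $key.PSPath -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty $key.PSPath -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty $key.PSPath -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
}

# Where mail clients and browsers unpack attachments (%LocalAppData%\Temp) and
# where second stages usually install themselves (%AppData%, %ProgramData%).
# SRP's * does not recurse, hence the second, one-level-deeper pattern each time.
$denyPaths = @(
    '%LocalAppData%\Temp\*.exe', '%LocalAppData%\Temp\*\*.exe',
    '%LocalAppData%\Temp\*.scr', '%LocalAppData%\Temp\*\*.scr',
    '%AppData%\*.exe',           '%AppData%\*\*.exe',
    '%AppData%\*.scr',           '%AppData%\*\*.scr',
    '%ProgramData%\*.exe',       '%ProgramData%\*\*.exe'
)
foreach ($p in $denyPaths) { Add-SaferPathRule $deny $p 'Block execution from user-writable folders' }

# Exception: a more specific path rule beats a less specific one, so the
# per-user updaters that legitimately live under AppData get whitelisted one by
# one. Hypothetical vendor path; use what your software inventory actually shows.
Add-SaferPathRule $allow '%LocalAppData%\ExampleVendor\Update\*.exe' 'Known per-user updater'

gpupdate /target:computer /force | Out-Null

# Check: drop a harmless system binary into %TEMP% and try to start it.
$probe = Join-Path $env:TEMP 'srp-probe.exe'
Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe -Force
try {
    Start-Process -FilePath $probe -Wait -ErrorAction Stop
    Write-Warning 'Probe ran: the rule is not in effect yet (log off and back on, then retry).'
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}
Remove-Item $probe -Force

# Every block is logged (Application log, source SoftwareRestrictionPolicies,
# event 866 for path rules), which makes it a cheap detection signal too.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Path rules are only as good as the paths: a dropper that unpacks to a folder you did not list, or a script run by an interpreter that is itself allowed, walks straight past them, so treat this as one layer next to patching, backups and the user education the post already lists. On editions that support it, AppLocker (or WDAC) gives the same idea with publisher rules and a proper default-deny.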
Wednesday 10th August 2016 16:32 GMT Soruk
Wednesday 10th August 2016 19:31 GMT Anonymous Coward
You think it's bad now..
The latest variant of C-L (5.0) attacks the common BIOSes, network cards and even writes nasty code to the EDID chips on the LCD and external panel so you can't connect it to another setup without triggering the 4* BTC ransom demand.
Essentially every part is locked to the machine; however, just changing the hard drive and resetting the BIOS to default (cough, crisis disk, cough) can get rid of it, at the cost of not being able to see the LCD or network adaptor until the defective chips are rewritten.
I'm pretty sure that this one was written with full knowledge of the specific machines (i.e. manufacturers handed over secret documents), which is even worse.
It seems that the attack vector is to directly infect the vulnerable network adaptor and then download parts of itself into any writeable chip's slack space so it can reconstruct itself when damaged. The code also searches for a more recent BIOS update and edits it to add the malicious code, changes the checksum, and rewrites it on the next boot to get around protected mode.
Wednesday 10th August 2016 19:57 GMT Anonymous Coward
Friday 12th August 2016 08:35 GMT Anonymous Coward
Re: You think its bad now..
Ironically this is why setting a complex password to access the BIOS is a good idea.
If it needs this typed to flash, the malware can only ever trash the HDD/screen and that's it.
Also some router manufacturers added CAPTCHAs for this reason, good idea IMHO.
I have the dead machine here; it's a brick. HDD ruined, can't even use the memory. Bastards!
Only good part was the CPU so unless they can read CPUID.. AUGH<NO CARRIER>
Thursday 11th August 2016 05:43 GMT David Roberts
Thursday 11th August 2016 08:06 GMT Big_Boomer
"Rançon" is French for ransom, so I suspect someone is either French/Francophone or else wants us to think so. Have now seen several instances of ransomware, and anyone who pays should be permanently denied all internet access privileges and only be allowed a phone if it involves yoghurt cups and string. Back up your data, people!!!