"Negotiating with the ransomware author"
AKA: Is a nice alias for the ransomware author...
A data recovery company is dubiously claiming it has cracked decryption of Dharma ransomware – despite there being no known method of unscrambling its files. Infosec researcher Brett Callow of Emsisoft had a little fun trying to replicate Emsisoft's exposure of ransomware middleman company Red Mosquito Data Recovery earlier …
They may be, or be affiliated with, the ransomware author; or they may be an independent third party. Both are viable business models. The former offers greater profit, but requires more work and entails greater risk. The latter has a much lower cost of entry.
....however someone would have to go through the data to identify which decypted data set is the same as the unencrypted data. So yes decryption is possible but will take a very very long time and then yet even more time for someone to identifying the unencrypted data.
So not impossible just very very very time consuming
I would be interested to know who is willing to pay billions for the technology though, perhaps the mobile storage companies given that the decrpyted set it likely to be larger than all the data used anywhere in computing to date
"So not impossible just very very very time consuming"
You're missing about 10^24 copies of the word "very" there. I don't know how you define impossible, but I'd say that "not possible before the sun goes supernova" is, for all intents and purposes, a good definition.
Well, you'd be "somewhat" UNDER-estimating CERNs desire to destroy the world by wanting to make black holes*. OK, it's technically not a supernova but maybe they've been too scared to go public with their plans for bombarding the sun with enough mass to make it go supernova.
And CERN haven't denied it...
* I read it in the tabloids....it must be true...
*I'm too tired for this shit* okay, listen: if the SUN would be replaced by a black hole with an equal mass, do you know what would change over here on Earth...? Nothing. Well, save for a major problem for the solar generator plants soon followed by all kinds of related major problems for everybody else. In the same vein, it really wouldn't make any damn difference if we somehow managed to suck all of Earth's matter into a black hole the size of a pea - the rest of the solar system wouldn't give no shits whatsoever, least of all the Sun.
They mean the technology that can do the decryption in a reasonable amount of time and that could be done for a measly $175 charge.
As in there is a f'ton of processing going on really quickly without burning the world down or making it short of several nuclear power plants worth of electricity kinda billions worth.
It's not a matter of "several nuclear power plants worth of electricity", it's a matter of "several galaxy clusters worth of electricity" (ie, turning the rest mass of several galaxy clusters into electricity, and use that).
Decent asymmetric encryption is *really* hard to break.
'Offline' is a moveable feast.
Backup is a copy . Where it is and how connected it is are very variable things.
I do auto backup. If my data were corrupted the backup would be, if I didn't notice for 24 hours.
But I am protecting against hardware failure, not malware.
If I were concerned about that, I would do a check on file/backup and if the difference were massive abort and notify.
I don't consider that this particular malware is a serious threat on Linux.
person who changed the tapes was outsourced
Or used the same 3 tapes ad-infinitum, had tape error warnings turned off and never actually bothered to do a test restore.
Sadly a true case.
 Said tapes eventually more resembled bits of clear sellotape without the sticky bits. The only bits that still worked were the last bit of the tape that didn't actually get used.
Better still is when the data grows large enough to require two tapes for the entire system - so they put the first one in, let the process run, come back and see that the tape has been ejected and there's a message on the screen saying to insert a tape to continue... Decades ago, so no idea on the wording, but it was ambiguous enough that for a lot of the time both parts went onto the first tape.
"Possibly its when they find out their backups havent been working for months as the person who changed the tapes was outsourced."
In the case of backup run at a manufacturing site of a very large pharmaceutical, operations were switched to office hours only and the cleaner was apparently supposed to swap tapes in the backup device. The operator had failed to check and change the tapes during the day, so the cleaner had been swapping the same two tapes for months, overwriting all the previous backups. A whole load of really important data was lost after a disk failure, so the company sacked the cleaner.
Even if you are doing regular backups, in a lot of cases the backup medium will either be a USB disk that is left plugged in, or some kind of network storage.
In both cases any malware that gets root access will have access to this storage, and may well try to encrypt the backups, and any other storage it can get access to.
So to avoid this you either have to physically unplug your backup disk (and hopefully store it in a fire safe or offsite), or perhaps have your network storage move completed backups to a separate area that the infected machine doesn't have access to.
Network storage is not necessarily corruptible. I just had a (definitely-not-)quick and (definitely-not-)fun little romp trying to set up a "write-only" network share - you can write to it as long as you wish or until it runs out of free space, but (short of compromising that machine too) you can never alter anything already written...
Yes, and perhaps they've captured a Magic Decryption Fairy.
Many people have looked at Dharma. Even people who can write competent English prose, which apparently is a skill not available at Fast Data Recovery. (What are they doing with the profits from their many successful recovery cases?)
It is much, much more likely that this is simply another iteration of the ransomware middleman scam.
"Our Priority Evaluation service cost[s] $350AUD for most for most type of infections with the exception to [sic] Dharma and Gandcrab infections."
Soooo, I can roll up at an infected client, have a look at a few files and say "Yep, you got it!" and collect my fee?!
Sign me up!
That whole reply email oozes snake oil and was written by a shrewd BOFH
Physical implementations of General Quantum Computing machines have so far been a bit underwhelming. They may remain so for quite a while yet, though it's always possible we'll see significant improvements.
To the best of my knowledge, 21 is the largest integer yet factored1 using an implementation of Shor's algorithm on a true GQC machine with a program to factor arbitrary integers.
There have been larger numbers factored using Shor's and GQC, at least as great as 4088459, but those are integers of special form, where the factors differ by only a few bits.
There have been larger numbers factored using adiabatic quantum computing (AQC), as implemented by e.g. the D-Wave machine; but AQC has limited application and it's not clear that it offers any real advantage over classical computing, at least for most applications. I mean, if you want to predict how your spin glass will anneal, it could be pretty handy, but you're not using it to break someone's ECCDH key.
In any case, none of these demonstrations is about doing a better job of factoring a number than your six-year-old does. It's about showing that these very preliminary GQC and AQC machines can in fact be used to implement certain algorithms, even if only for trivial inputs.
"they have tools and computing power beyond that of the NSA"
Tools, I'm ready to kind of believe. After all, it did happen in the past a single individual proved to be better than whole organizations ...
But computing power ??? WTF ? They'd have to have billions in funding !
"We utilise our resources to reverse engineer the ransomware decryption key on your sample files."
This proves they don't understand cryptography. You technically don't reverse engineer it, as they info is nowhere in the code of the malware, unless the authors have been *really* stupid. You *discover* the key by whatever cryptanalysis method (brute force, good luck ! or anything else).
This is pure scam, only by wording ...
It's definitely a scam of course, but I don't think technically bogus wording proves it.
In most companies, there will be technical experts who can actually do something, and then there will be marketing communications specialists who will be responsible for writing the emails that get sent to real users.
After a couple of days of the technical expert trying to explain what is going on to the marketing communications specialist (broken up by a few hours of them restfully banging their head against a brick wall), this is the sort of nonsense that will result.
1) Their website is not good. They claim to have international clients, and only show three logos, none of which point to a testimonial from the website of the company in question. Oh, and they use the same guy on the two pics that show people - looks like they don't have all that many techs available.
2) They brag, that's not professional.
3) They tout a 100% success rate in "decrypting, analyzing and preventing ransomware attacks", which is simply ludicrously impossible.
4) Their testimonials are badly written, with the same kinds of mistakes across several "different" entries.
I look at that website and the wording itself screams "scam!" at me.
Quick look on Kaspy - yes, they have a such a tool. On the site you linked - they mention that a specific file contains an encrypted (or encoded) password file which contains the user's decryption key. From the sounds of the description either this is encrypted using a weaker method OR the malware writer's decryption key has been released somewhere.
Would love to get a copy of Dharma and slap a 7 (or XP) install on some spare hardware (would try a VM but I mostly keep my VM's on my working machines and wouldn't want a 'leak' accidentally!) and have at it. I can readily furnish a few thousand image and doc files to give it a good run.
IME, if Kaspersky says they can recover the files then I'm pretty sure they can, and in this case it's not the shop working with the malware writers but using freebie Kaspersky tools at a premium. Same as the people who used to use Dogbert's free laptop password recovery tools (and yes, having used those many times myself, quite convinced they work)
ISTR some years back there was another ransomware variant that created a file on disk that contained the decryption key, which was then uploaded to the writer - of course said file could be recovered by file recovery tools as it wasn't over-written (or was poorly overwritten). But that was some years back and I have other work I need to do
They are simply outsourcing the decryption to a third party. Ok so they are low-lifes, and the third party just happens to be an organised crime syndicate, but in essence it's no different to the loads of scumbag companies profiteering from 'PPI', "Injury claims" etc when individuals can do the job themselves for much less money ... In fact the first three or four Gargle hits offer exactly the same services. I believe that's what they lovingly encourage as "Good Capitalism" and I'm sure the Orange Hair Monster or his mad British cousin would shake their hand.
The fact the the original perpetrators are still out there and able to actively conduct significant financial 'business' apparently without risk of being caught and issued with a free orange jump-suit I find exceptionally worrying.
Yes they're charlatans, but I have zero sympathy for anyone affected any more than I have for someone who leaves their front door open all day then gets burgled. If the message about always making multiple backups - preferably to read only media occasionally - hasn't got through by now then the victims are actually victims of their own stupidity and hence darwinism in the computer enviroment.
If the message about always making multiple backups - preferably to read only media occasionally - hasn't got through by now then the victims are actually victims of their own stupidity
I got news for you it hasnt.
this isnt the 90's ,no one uses "read only media" DVD simply aint big enough.
Most muggles use facebook as their photo depository.
the more less mugly may use drop box
The clever ones may have a few USB sticks
The advanced have a NAS(s)
Ransomware is mostly possible because of lax IT practices, which despite all the warnings have simply gone unheeded. I have come to the conclusion that this is in large part to the option to back-out of the mess by paying the ransom. The only way this ends is with the removal of that option and a wave of malware that does the encryption but doesn't retain the keys. Total data loss resulting in organisational failure and mass sackings top down is the only way to turn the situation around.
I sincerely hope that doesn't happen, and 'we' soldier on trying to get patching done and paying up where it isn't, as there's simply no way of knowing what data would be lost (other than near on every bit of it in the NHS). Some suicide hacker or an anarchist/terrorist type is inevitably going to go for this, either that or it'll happen by accident as some cowboy stuff up key retention for their ransomware.
It's frequently not as hard as it looks to trace bitcoin. Someone has to take the money out at some point, and all previous transactions are available for as long as bitcoin keeps working. See "Silk Road" and other such things if a large government gets really interested in where the money went.
As an old man of computing, first program 1969, and thought networks were pointless, my comments are probably not worth much but here goes anyway.
If you Data is not on media you own, it’s not your data anymore. If you keep your backups online (powered up and attached to the machine) they are not backups. Every few years as the price point comes down buy larger disks, copy your data, and put the old disk in the equivalent of your socks draw.
You will loose data , just not all of it.
If you Data is not on media you own, it’s not your data anymore.
True.. But I encrypt the folders that I share with Dropbox, Mega and Box (except a few that I wish to have publicly available). That way, they can look at all they want they still not gonna see anything unless the encryption is broken.
If your data is as local as you can have it, but you run W10, then it's not your data either and MS can ship it off at a whim for a looksee if you're online, at least with the home versions (read the EULA if you doubt me!)
If you keep your backups online (powered up and attached to the machine) they are not backups. Every few years as the price point comes down buy larger disks, copy your data, and put the old disk in the equivalent of your socks draw.
Owncloud, Box, Mega and many other cloud servers provide for retrieving older versions of files (at least so long as you haven't cleaned out the old versions cache!). As you say, keeping them online is a risk but at least with the ability to get older versions, there's a good chance a good copy is still around.
(I have old disks going back at least as far as 2002 - not sure if they'll still work).
Biting the hand that feeds IT © 1998–2020