Insane blackhats behind world's most expensive ransomware 'forget' to backup crypto keys

Variants of the KillDisk data wiping malware, famous for nuking computers in Ukrainian energy utilities, are now being used in possibly the world's most expensive ransom attacks. Attackers are targeting Windows and Linux desktops and servers and demanding a laughable 222 bitcoins (right now US$247,000) for the data to be …

  1. Hans 1
    Windows

    >No-one has paid; this is a good thing, even for victims laden with cash, since the attackers cannot decrypt files because encryption keys are not saved locally or transmitted to command and control servers.

    >"Let us emphasise that the cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," ESET researchers Robert Lipovsky and Peter Kalnai say.

    Time will tell if anybody pays, sure, but there is no causality between blackhats being able to decrypt files and the victims paying up... victims will usually discover that the files cannot be decrypted after they have paid, I guess ... unless you expect the blackhats to be honest (ROFL) and admit they cannot decrypt files, which I find unlikely. They will cash in and run off.

    1. Doctor Syntax Silver badge

      "unless you expect the blackhats to be honest (ROFL)"

      Not too much laughing, thank you. The whole ongoing scam relies on the marks having confidence that if they pay the ransom they'll get their files back. It may sound contradictory but their success depends on the unscrupulous being scrupulous.

      This is either a particularly stupid bunch of scammers or an attempt to yank the rug out from under the whole scam by destroying that confidence.

      1. Doctor Syntax Silver badge

        "This is either a particularly stupid bunch of scammers or an attempt to yank the rug out from under the whole scam by destroying that confidence."

        Second thoughts, they're playing a long game - drive the scam into the ground for now and come back in a couple of years time when the competition's out of business.

    2. Prst. V.Jeltz Silver badge

      The concept of ransomware is that they *do* cough up the keys. It's the business model.

      Why wouldn't they give you the key? It doesn't cost anything.

      If they never paid up, people would learn never to pay.

      The story here is that these idiots have fked up the malware so they can't hand the keys over.

  2. Christoph

    So if nobody has paid, how do they know the files can't be decrypted? Analysis of all the software's functions?

    1. Destroy All Monsters Silver badge

      As if that were hard in cryptoshit.

      If there is no code to send out the keys and there is no code to store the keys, you know what's up.

    2. Bronek Kozicki
      Facepalm

      Analysis of all the software's functions?

      Well, since reverse engineering of malware is exactly what outfits such as ESET do all day long ...

  3. Yesnomaybe

    Sounds like...

    Sounds to me like someone wants to pretend they are doing it for the money, but really aren't. State/government people perhaps?

    1. Anonymous Coward

      Re: Sounds like...

      An interesting theory (I think) - would you care to expand on that?

      1. Cynic_999

        Re: Sounds like...

        It's not necessarily a government, but I can see that it could be someone who has done this in order to prevent further attacks by making people decide that there is no point in paying up because it won't get their data back. i.e. by poisoning the well.

        Publicly kill the hostages and you can ensure that nobody will pay the hostage-takers.

        1. IglooDude

          Re: Sounds like...

          Indeed, I'd think that the whitehats helping people with ransomware decryption could help just by getting the targets to claim (loudly) that they sent the money but did not get any decryption, and only the (gratis) whitehats decrypted their files.

          Lying sure, but for a very good cause: the destruction of the ransomware business model...

          1. DJ Smiley

            Re: Sounds like...

            Bitcoin is auditable - it's shown in the blockchain if anyone has paid (or in this case that no one has).

    2. Anonymous Coward

      Re: Sounds like...

      1) Wreck someone's shit.

      2) Pretend you are able to recover stuff if $$$ is paid

      3) ???

      4) Profit!

      It's as old as the invention of the state.

  4. Paul Crawford Silver badge

    Infection vector?

    The Windows variant use an Excel spreadsheet emailed to the victim (I think) but what is the route for the Linux version?

    1. Roland6 Silver badge

      Re: Infection vector?

      Also it is not clear whether the reason Linux users may have some success is because of the use of a non-NFS/FAT file system or some other reason.

      1. Sven Coenye

        Re: Infection vector?

        The method used to encrypt the files is different between the Linux and Windows flavors. There is apparently a blunder in the Linux version's code that allows for the encryption to be reversed, but no details.

    2. Sven Coenye

      Re: Infection vector?

      Going by the write-up at ESET, a complete root compromise is required, but 0 details and the links circlejerk into a 404 between the main site and the ESET blog site. Sounds like an early wolf call again because LINUKS FALLZ!!11One!!

  5. Anonymous Coward

    Google docs spreadsheet with Ransomware info

    I have a little list

    Check out the "Contributions" tab for origin info

    1. Prst. V.Jeltz Silver badge
      Black Helicopters

      Re: Google docs spreadsheet with Ransomware info

      Call me Mr Paranoidy Pants, but I'm not going to open a mystery spreadsheet from an ugly looking URL posted by an Anonymous Coward, straight after being told this incurable encryption malware is propagated in a spreadsheet!

      1. Destroy All Monsters Silver badge
        Thumb Up

        Re: Google docs spreadsheet with Ransomware info

        Your reflexes are good.

        Myself, I verified whether the URL was referenced more than once before accessing and still the nagging thought remains that it would be a good vector.

        Yes, there is EcmaScript, but at least google docs stuff cannot run macro viruses in your browser (I think) so there is that. Anyway, QubesOS when??

        1. John H Woods Silver badge

          Re: Google docs spreadsheet with Ransomware info

          "Anyway, QubesOS when??" -- Destroy All Monsters

          Errm? Right now. I opened the spreadsheet in a disposable VM in Qubes 3.2.

        2. Jamie Jones Silver badge

          Re: Google docs spreadsheet with Ransomware info

          Me? Not being a paranoid Daily Mail reader, or a paranoid tinhat wearer, or running windows, or linux, I just clicked on the link directly.

          Turns out that my browser doesn't have the access ability to scrub my network, fire abusive texts to my boss, or start world war 3. Who'd have thought it?

          Seriously, if you can only safely open links by going through a sandbox or temporary VM, you are either doing it wrong, or have the stupidest OS setup going, and should not be accessing the internet with it in the first place.

          However, if you are just showboating, feeding overly paranoid advice to the populace doesn't help security, the grandstanding just muddies the water.

          One must believe you are either a daily mail hack, or an anti-virus writer..

          1. John H Woods Silver badge

            Re: Google docs spreadsheet with Ransomware info

            "Seriously, if you can only safely open links by going through a sandbox or temporary VM, you are either doing it wrong, or have the stupidest OS setup going, and should not be accessing the internet with it in the first place."

            I absolutely agree that it *should* not be the case that browsing to a link should be able to compromise your machine, but unfortunately, time and again, it has been shown to be possible, even with properly installed and maintained operating systems. Suggesting that people don't click on unknown links, at least without taking precautions, is hardly "overly paranoid advice" let alone "showboating" or "grandstanding."

            And where does the Daily Mail come into it?

          2. Crazy Operations Guy

            Re: Google docs spreadsheet with Ransomware info

            "Turns out that my browser doesn't have the access ability to scrub my network, fire abusive texts to my boss, or start world war 3. Who'd have thought it?"

            Every browser has those capabilities...

            *"Scrub the network": JavaScript can send custom-built packets out to your network and perform all the discovery it wants, or even modify files that your user account is capable of accessing.

            *"fire abusive texts to my boss": Every phone provider out there has a web-based SMS utility, a piece of malware could leverage a cross-site scripting bug to access your account and send texts to anyone

            *"start world war 3": This one is ridiculously easy; a state actor could leverage your system to proxy a connection through your machine back to their own to launch some type of weapon. The state could then declare that your country attempted to hack them and cause a war, to which many countries would respond with a declaration of war after being accused of attempting to start one.

      2. Diginerd

        Re: Google docs spreadsheet with Ransomware info

        Paranoia <= Practical Defense...

        ...Options :-

        1) Open sketchy link in a disposable Sandbox VM

        2) Open sketchy link on iPhone/iPad (That is then promptly restored from a backup if you're up to "TinFoil headware is actually not a bad idea" level of paranoia)

        3) Point VirusTotal (https://www.virustotal.com) at the URL

        4) Go full crazy and click the link trusting that RegCommentards may have some level of decency / accountability should "A bad thing" (tm) happen...

  6. Stevie

    Bah!

    Why don't we just ask Donald Trump who these miscreants are?

    He seems to have his finger in the pie on the pulse.

    1. Destroy All Monsters Silver badge

      Re: Bah!

      Hillary, plz go.

  7. tiesx150

    These guys just did everyone a massive favour!

    If anything this tactic will kill this attack method variant dead in the water. The whole purpose of this type of scam is to fool the less tech savvy into parting with their cash to get their sh1t back, but if this tactic continues and the general public begin to believe that they won't receive their precious wedding pics even IF they fork out a few hundred quid, then the whole thing becomes a waste of time and the incentive/temptation to pay is removed from the equation.

    Well done you thick black hatters, this group of scum just toppled the whole cash pyramid. We just need Joe Public to believe that they won't recover their files whether they pay or don't pay and then you have lost your revenue stream. Bring on a few more attacks just like this!

  8. casaloco

    They failed at step 1...

    They failed at step 1... make paying less hassle than recovering from backups.

    For ransomware to be effective, the price needs to be about £50. That's the amount most people would pay in the hope of getting their data back. When you get beyond that it becomes less and less likely they will pay. Technical-ish people will have backups, non-technical people will trash the malware and make the files unrecoverable trying to fix it. On top of this, the more you demand, the greater the chances of law enforcement becoming involved.

    Essentially they need to target a price-point that is about the same as a year's licence to a quality anti-virus/anti-malware suite.

    At £50, if people are reasonably sure they will get their files back, they will just pay.

    1. Craig 2

      Re: They failed at step 1...

      "Essentially they need to target a price-point that is about the same as a year's licence to a quality anti-virus/anti-malware suite."

      Sounds like a bargain, at least the shitty AV won't have been slowing your PC down for a year before failing to protect you when you actually needed it.

  9. Anonymous Coward
    Linux

    Variants of the KillDisk data wiping malware

    "Variants of the KillDisk data wiping malware .. are targeting Windows and Linux desktops and servers"

    How exactly is the malware executed and caused to run on the Windows and Linux desktops and servers?
