48 ways you can avoid file-scrambling, data-stealing miscreants – or so says the Ransomware Task Force

The Institute for Security and Technology's Ransomware Task Force (RTF) on Thursday published an 81-page report presenting policy makers with 48 recommendations to disrupt the ransomware business and mitigate the effect of such attacks. The RTF, formed last December and populated by representatives from companies like …

  1. RegGuy1 Silver badge

    Read-only NFS?

    I don't know if this would help me, but I have an NFS server on my home network, and I used to be able to move files to and from it at will, as it just appeared as another directory on my filesystem. I've now changed it so I have to use scp to get files to it -- I can still read them. My logic was if they try to encrypt my machine, then they would not be able to rewrite the files on the NFS server.

    I don't know how secure this is, but as it makes my life that little bit harder, it would for them too. And hopefully I would only have to rebuild my laptop, with my backups (that run every week) safely stored on my NFS server. Of course, because I use a key to access the NFS server maybe they would too, so I may be no better off.

    But this sort of thing is definitely a worry.
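An added example, not from RegGuy1's post: a quick audit of an exports file for the property his setup relies on, that the share is read-only to clients and that a client's root is squashed. It assumes Linux nfs-utils syntax and defaults (an export with no option list is ro and root_squash) and runs over a constructed sample file rather than a real server; the function names and the `--demo` switch are mine.

```shell
#!/bin/sh
# Added example: audit an /etc/exports-style file for shares that let clients
# write (rw) or let a client's root act as root on the server (no_root_squash).
# Assumes Linux nfs-utils syntax and defaults (ro and root_squash unless stated).
# Input is read from the file named in $1; the sample below is constructed.

# audit_exports FILE  - prints one finding per line; exit 1 if anything was found
audit_exports() {
  awk '
  /^[[:space:]]*(#|$)/ { next }               # skip comments and blank lines
  {
    path = $1
    for (i = 2; i <= NF; i++) {
      client = $i; opts = ""
      if (match(client, /\(.*\)/)) {          # "host(opt,opt)" -> host, "opt,opt"
        opts   = substr(client, RSTART + 1, RLENGTH - 2)
        client = substr(client, 1, RSTART - 1)
      }
      # "host (rw)" with a space is a classic slip: the options bind to everyone
      if (client == "") client = "*"
      n = split(opts, o, ",")
      rw = 0; noroot = 0
      for (j = 1; j <= n; j++) {
        if (o[j] == "rw") rw = 1
        if (o[j] == "no_root_squash") noroot = 1
      }
      if (rw) {
        printf "%s %s: writable (rw)%s\n", path, client, (client ~ /\*/ ? " to a wildcard" : "")
        bad++
      }
      if (noroot) {
        printf "%s %s: client root not squashed (no_root_squash)\n", path, client
        bad++
      }
    }
  }
  END { exit bad ? 1 : 0 }' "$1"
}

# sample_exports_file FILE  - write a constructed exports file for the demo
sample_exports_file() {
  cat > "$1" <<'EOF'
# constructed sample, not a real server
/srv/backups  192.168.1.0/24(ro,sync,root_squash)
/srv/shared   192.168.1.0/24(rw,sync) *(ro)
/srv/oops     192.168.1.20 (rw,no_root_squash)
EOF
}

if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  sample_exports_file "$f"
  audit_exports "$f"
  rm -f "$f"
fi
```

The third sample line is the slip the audit mostly exists to catch: a space between the host and the option list binds those options to every client, so `192.168.1.20 (rw,no_root_squash)` is a world-writable export with root not squashed, not a restricted one. The audit says nothing about the scp path; if the key that writes to the server lives on the laptop, a compromise of the laptop still has a write channel.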

    1. RegGuy1 Silver badge

      Re: Read-only NFS?

      BTW, directory not folder. Never folder -- that was a Microsoft attempt in the 1990s to try to steal Unix's language. I have never given in!

      1. Greybearded old scrote Silver badge
        Headmaster

        Re: Read-only NFS?

        Macs, 1984.

    2. Peter2 Silver badge

      Re: Read-only NFS?

      Alternately...

      Put a software restriction/AppLocker policy in place on your box with a default level of "disallowed". Then allow programs to run from %program files%, or a subdirectory. Select the "don't apply to admin accounts" option.

      Hey presto, if you receive (and run) a bit of malware then it now can't actually execute even if you run it, and would just harmlessly pop a message saying "Sorry Dave, I can't do that". This applies to locker malware, and also to trojans you might run from a USB stick or CD.

      If you actually do want to install something that you've downloaded, then you just right click and select "run as admin" and it'll work as normal. This is perfectly secure and doesn't require you to then do anything else. It also uses built in tools available free of charge on every windows computer on the face of the planet.

      1. Flip

        Re: Read-only NFS?

        Would you achieve the same results if you were logged in as a regular (non-admin) user?

        1. Peter2 Silver badge

          Re: Read-only NFS?

          If you allow any program to run as the admin then you'd have to run as a regular user to get any benefit.

    3. big_D Silver badge

      Re: Read-only NFS?

      Not a bad idea, but...

      They are wise to this sort of thing and they have started exfiltrating the data from the network, before it is encrypted. Don't pay the ransom? They will blackmail you with the threat of publishing your confidential information online.

      So, you might manage to keep your data from being encrypted, but it might be exposed to the world and his dog, if you don't pay up...

  2. KittenHuffer Silver badge

    What I want ....

    .... is software on my NAS that keeps each version of a file for a set (config) amount of time, and if all storage space fills up then it stops accepting updates.

    That way if a member of the family gets an infection then it should be relatively easy to recover. As a previous poster noted, just rebuild the infected machine, and set the NAS data back to the unencrypted copy.

    1. John Riddoch

      Re: What I want ....

      Btrfs/ZFS can both do that pretty simply using snapshots; you'd just have to script a rotation of them. Alternatively, using cp -al/rsync there are ways to take snapshots within a filesystem, just make sure you don't have access to the backups from other systems on the network (i.e. don't share via NFS/SMB). I have a USB HD I take snapshots to in this way, means I have versioned backups.
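An added example, not John Riddoch's own script: the cp -al flavour of in-filesystem snapshots, with a keep-N pruner, plus a demonstration of why the backup tree must not be reachable read-write from the machines it protects. It assumes GNU coreutils (cp -al, stat -c), works in a temporary directory and uses made-up snapshot names.

```shell
#!/bin/sh
# Added example: "poor man's snapshots" with cp -al (GNU coreutils), and the
# one property of hardlink snapshots that matters for ransomware.
# A hardlink is the same inode, so a write *in place* through any snapshot
# changes every snapshot sharing that file. Replacing a changed file
# (unlink, then create) is what keeps older snapshots intact, which is also
# rsync's default behaviour. Paths and snapshot names below are assumptions.

# take_snapshot SRC ROOT NAME  - snapshot SRC as ROOT/NAME, hardlinking unchanged
# files from the newest existing snapshot under ROOT (newest = last by name)
take_snapshot() {
  src=$1; root=$2; dst=$2/$3
  mkdir -p "$root"
  prev=$(ls -1 "$root" | sort | tail -n 1)
  if [ -n "$prev" ]; then
    cp -al "$root/$prev" "$dst"        # every file starts as a link to the previous copy
  else
    mkdir -p "$dst"
  fi
  # changed or new files: unlink the shared inode first, then copy fresh
  (cd "$src" && find . -type f) | while read -r f; do
    if [ ! -f "$dst/$f" ] || ! cmp -s "$src/$f" "$dst/$f"; then
      mkdir -p "$(dirname "$dst/$f")"
      rm -f "$dst/$f"
      cp "$src/$f" "$dst/$f"
    fi
  done
  # files gone from SRC: drop our link, older snapshots keep theirs
  (cd "$dst" && find . -type f) | while read -r f; do
    [ -f "$src/$f" ] || rm -f "$dst/$f"
  done
}

# prune_snapshots ROOT KEEP  - delete all but the KEEP newest snapshots (by name)
prune_snapshots() {
  root=$1; keep=$2
  total=$(ls -1 "$root" | wc -l)
  n=$((total - keep))
  [ "$n" -gt 0 ] || return 0
  ls -1 "$root" | sort | head -n "$n" | while read -r s; do
    rm -rf "$root/$s"
  done
}

# inode PATH  - inode number, to show which snapshots share a file (GNU stat)
inode() { stat -c %i "$1"; }

if [ "${1:-}" = "--demo" ]; then
  t=$(mktemp -d)
  mkdir -p "$t/src"
  printf 'v1\n' > "$t/src/a.txt"; printf 'stable\n' > "$t/src/b.txt"
  take_snapshot "$t/src" "$t/snaps" 2021-05-01
  printf 'v2\n' > "$t/src/a.txt"
  take_snapshot "$t/src" "$t/snaps" 2021-05-02
  echo "b.txt inode in 05-01: $(inode "$t/snaps/2021-05-01/b.txt"), in 05-02: $(inode "$t/snaps/2021-05-02/b.txt")"
  # the hazard: an in-place write through the newest snapshot rewrites the older one too
  printf 'ENCRYPTED\n' >> "$t/snaps/2021-05-02/b.txt"
  echo "05-01/b.txt now reads: $(cat "$t/snaps/2021-05-01/b.txt" | tr '\n' ' ')"
  rm -rf "$t"
fi
```

Run it with `--demo`: b.txt has the same inode in both snapshots, and appending to it through the 05-02 copy changes what 05-01 reads. A ransomware process with write access to the snapshot share gets that effect across every version that shares the inode. rsync's unlink-and-recreate on changed files protects the older copies from normal churn, but the only real fix is the one the post gives: no NFS/SMB write path to the snapshot tree, or keep the snapshots on a host the clients cannot write to at all.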

      1. John H Woods Silver badge

        Re: What I want ....

        Don't know about BTRFS but ZFS snapshots can be sent to another server where only root can access them and where root can only log in from the console.

    2. This post has been deleted by its author

  3. Roger Kynaston
    Go

    RTF?

    Shirly they could have called themselves Ransomware Task Force Mitigation or some such.

    On a more serious note, it is good to see steps being taken to combat these scumbags.

    1. KittenHuffer Silver badge

      Re: RTF?

      I know the greybeards amongst us will get that one.

      For millennials we'd have to backronym to JFGI before they get that one.

      1. Roger Kynaston
        Trollface

        Re: RTF?

        JFDDGI?

      2. jason_derp

        Re: RTF?

        "For millennials we'd have to backronym to JFGI before they get that one."

        You believe that people aged 40 to 20 have never purchased something like a set of speakers or a small appliance that contains a paper manual? Why?

  4. Anonymous Coward
    Anonymous Coward

    Why support a failing business model?

    If they need Ransomware to support their Human Trafficking department, why do they bother with trafficking? Unless they just want people writing ransomware reports to have some nice hook lines.

    1. adam 40 Silver badge

      Re: Why support a failing business model?

      Exactly, it's the same old spiel trotted out, crime x supports (worse) crime y, so don't do x. It used to be video piracy supporting whatever, now it's ransomware.

      On a tangent, why do investment fund people bother selling unit trusts to the public? If they are so good at it, why don't they just invest their own money and keep ALL the profits? Something stinks there too.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why support a failing business model?

        *Somebody's* gotta pay on the downsides.

  5. alain williams Silver badge

    Most of this is about creating committees ...

    that can come up with recommendations about: not paying ransoms; chasing down the crooks; international cooperation; ... All of this is needed, but there is almost nothing about coming up with technical recommendations.

    On page 47 Action 4.3.1: there is a bit about "Unencrypted shadow copies of data", which I assume means backups. This has got to be the best way of recovery: a clean wipe of compromised machines; reinstall the OS; retrieve data from backups. Large organisations should have the manpower to work out how to do this, smaller ones could benefit from HOWTOs that they can follow. Thus if/when attacked you point two fingers at the crooks (== 1 finger for you in the USA). If the crooks don't make as much money they will be less inclined to carry out attacks.

    Wipe/reinstall/restore-backups should take about one very busy day if you are well prepared. You will lose 1 day's work assuming daily backups; hourly incremental backups work well when there are many small files (eg word processor documents), not databases, but there are ways of handling these.

    Yes: this will cost to setup & do and occasionally test, but prob cheaper than 21 days downtime, 287 days to fully recover & $312k average ransom (page 7).

    Also: no mention of using more robust software, eg Linux with SELinux (Yes: SELinux does need better documentation & HOWTOs).

    1. big_D Silver badge

      Re: Most of this is about creating committees ...

      A shadow copy is not a backup, per se. It is a copy of the state of the hard drive, before an event took place. VSS can be included in a backup strategy, but it isn't a complete strategy in and of itself. It is designed to keep a backup copy "in place" on the original hard drive/partition (or to a shadow drive/partition).

      Some malware already got wise to that and started encrypting that as well.

      The latest drops down to the Hypervisor level and encrypts the whole server landscape's virtual drives, from the outside, so no VSS to get back to.

      A lot of companies are wise to this and do recover from backups. The ransom has to be set right, to be just less than recovering everything yourself. The other thing is, what do you have to nuke?

      The servers that were affected? Fine, but are you 100% sure the other servers are free of malware? What about your PCs and other client devices? For such an attack, if it isn't nipped in the bud, you pretty much have to re-image every PC and rebuild all the servers and restore the data.

      Oh, and how long has the malware been on the system? An hour? A week? A month? So, you can recover the data, but you'd still need to really rebuild each server individually, to be sure.

      You can take this as far as you want. In some cases, throw away the hard drives/SSDs and replace them with new ones. Not sure if they tampered with the BIOS/EFI? Better install new motherboards, while you are at it...

      Even if you are lucky and catch it early and can clean or rebuild the 1 or two servers that were affected, the latest scheme is to exfiltrate the data they are encrypting. If you don't pay up, your plans, confidential emails and documents etc. will be posted online for the world to see...

      Even if I paid to get the data recovered, that would only be the start of the process. You can never trust the infected machines again, so you would be rebuilding or replacing them anyway, just copying the recovered data to the new machines, instead of restoring from backups...

    2. Dimmer Bronze badge

      Re: Most of this is about creating committees ...

      From my dealings with them:

      Shadow copies are deleted

      Administrative accounts are created with the system account.

      Any backups that are accessible by network are deleted / destroyed / encrypted, Including trashing tape infrastructure.

      Takes more than a day to rebuild from bare metal just to be able to restore from tape.

      ESXi hosts are safer than Microsoft hosts.

      They are smart and know you and your network before encrypting the systems.

      They start the encryption on late Sunday night.

      If you RDP into the infected server, they can infect your pc as well. (Did not believe it till I saw it)

      Their objective is to make you hurt as much as possible.

      Don't look to government for solutions, their only tools are more regulation and committees. When it is your butt on the line, keep your backups offline.

    3. hoola Silver badge

      Re: Most of this is about creating committees ...

      Much of the problem is finding out where you can start from again. Just because you find the encryption today does not mean that the cause is not lurking in the backups ready to become active the minute you restore it.

      In terms of the recovery times, what you can do as a well organised professional on personal equipment is not the same as an enterprise with 1000s of VMs, and data at scale in hundreds of terabytes or even petabytes. The targets (that we know about) now appear to be those with a high impact targeting education, public sector and healthcare.

      Bluntly this is not very different from the times when various organisations would phone in bomb scares and then blow something up once in a while to keep everyone on their toes. The damage is just not as visible.

  6. adam 40 Silver badge
    Facepalm

    Reactive, not Proactive

    The report seems very reactive: for businesses, do this if you get knobbled.

    Instead it should be proactive - businesses, change your software and operating systems.

    Users should be siloed so when they execute the malware, they only can encrypt their own files. And - copies of them, to boot.

    I wonder which operating systems can support that?

    1. Pascal Monett Silver badge

      Re: Reactive, not Proactive

      We cannot change, at least, not yet. Excel, Word & Outlook, not to mention Access, are way too engrained in our IT environment to allow for upsetting the boat.

      Ironically, all the big names are doing their damndest to make change possible. Once everything is in The Cloud (TM), it'll be a cinch to ditch Windows and go for a more secure Linux environment.

      So support The Cloud (TM) and we'll be able to kill Windows at some point in an undetermined future.

      1. Dimmer Bronze badge

        Re: Reactive, not Proactive

        Agree with making it someone else’s problem.

        But before you put your business or paycheck in the cloud, make sure who you're dealing with. Parler found that out the hard way. They have proven that they will decide what value your business is to them, not what you value your business.

        In some cases the cloud is perfect. Risk assessment on a per individual basis is a must for all business. Fire, theft, Government, connectivity, employees, managers, owners, on and on. Your quality of life is dependent on how well you mitigate risk.

  7. AnotherName

    OS-level protection

    Why can't the OS trigger an alert when it sees multiple files being updated/written in quick succession under the control of a single process? Suspend the process until the user confirms the action. Have the ability to whitelist certain processes like backup software to avoid false positives.

    1. Anonymous Coward
      Anonymous Coward

      Re: OS-level protection

      Then I guess the malware would either spawn lots of file encryption processes to avoid the same one being spotted doing it, or inject itself into explorer.exe or some other vital bit of windows and let that take the blame.

      1. Anonymous Coward Silver badge
        Facepalm

        Re: OS-level protection

        and users would be conditioned to click 'OK' anyway.

    2. Anonymous Coward
      Anonymous Coward

      Re: OS-level protection

      Or, for that matter, a bunch of files of the same type (especially Office files) being written in quick succession, regardless of process. The user is unlikely to be able to edit 20 Excel files in under 10 seconds, so freeze everything if it happens.

      For that matter, seems like a backup server could detect this as well, in much the same way.
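An added example, not from any of the posters: both heuristics from this sub-thread, the per-process burst and the per-extension burst that survives the "spawn lots of processes" evasion mentioned above, run over a constructed write-event log. The log format, the thresholds and the process names are assumptions.

```shell
#!/bin/sh
# Added example: the two heuristics from this sub-thread over a constructed
# write-event log, "<epoch> <pid> <image> <path>" per line (the kind of feed a
# file-system audit hook or a NAS access log gives you; the format is assumed).
#   PROCESS: one pid touching many distinct files inside one time bucket
#   EXT:     many files of one extension touched in a bucket, whatever the pid,
#            which is what catches an encryptor that forks a process per file.
# Fixed buckets of WINDOW seconds are used instead of a true sliding window,
# so a burst straddling a bucket edge can slip under THRESH.

WINDOW=${WINDOW:-10}   # seconds per bucket
THRESH=${THRESH:-8}    # distinct files per bucket before we flag

# detect_bursts  - read events on stdin, print findings
detect_bursts() {
  awk -v win="$WINDOW" -v thr="$THRESH" '
  NF < 4 { next }
  {
    t = $1; pid = $2; img = $3; path = $4
    b = int(t / win)
    n = split(path, parts, "/"); base = parts[n]
    ext = "(none)"
    if (base ~ /\./) { ext = base; sub(/.*\./, "", ext) }

    k = pid SUBSEP b
    if (!((k, path) in seen_p)) { seen_p[k, path] = 1; cnt_p[k]++; img_of[k] = img }
    e = ext SUBSEP b
    if (!((e, path) in seen_e)) { seen_e[e, path] = 1; cnt_e[e]++ }
  }
  END {
    for (k in cnt_p) if (cnt_p[k] >= thr) {
      split(k, a, SUBSEP)
      printf "PROCESS pid=%s image=%s files=%d bucket=%s\n", a[1], img_of[k], cnt_p[k], a[2]
    }
    for (e in cnt_e) if (cnt_e[e] >= thr) {
      split(e, a, SUBSEP)
      printf "EXT ext=%s files=%d bucket=%s\n", a[1], cnt_e[e], a[2]
    }
  }'
}

# sample_log  - constructed events: a user editing, one noisy encryptor,
# and an evasive encryptor that uses a fresh pid for every file
sample_log() {
  cat <<'EOF'
1619700000 4120 soffice.bin /home/alice/docs/q1.docx
1619700005 4120 soffice.bin /home/alice/docs/q1.docx
1619700007 4120 soffice.bin /home/alice/docs/notes.txt
EOF
  i=0
  while [ $i -lt 10 ]; do
    echo "$((1619700000 + i)) 9001 totally_legit.exe /home/alice/docs/report$i.docx"
    echo "$((1619700020 + i)) $((7700 + i)) svchost.exe /home/alice/sheets/sheet$i.xlsx"
    i=$((i + 1))
  done
}

if [ "${1:-}" = "--demo" ]; then
  sample_log | detect_bursts
fi
```

With the defaults the noisy encryptor (pid 9001) trips PROCESS, the one that uses a fresh pid per file trips only EXT, and the user editing two documents trips nothing. Anything that turns a finding into a freeze still needs an allow-list for backup agents and indexers, and a response that is not a prompt the user can click through, which is the objection raised further up the thread.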

    3. Tim 8

      Re: OS-level protection

      That's what "Ransomwhere?" for the mac does, but further uses the heuristic of blocking processes that are writing encrypted files.

      https://objective-see.com/products/ransomwhere.html

    4. Anonymous Coward
      Anonymous Coward

      Re: OS-level protection

      There are multiple products that do exactly that. The one we use locks the account out that takes the action. Lots of great products came out to keep ransomware mute in the last 3 years.

  8. jason_derp

    Incentives

    ...tax breaks for organizations as an incentive for adopting secure IT practices...

    Oh yeah, that ought to work. Maybe make it even easier and just pass a law that gives ALL these companies tax money? Then when they inevitably don't do it the money they get will be there in fewer steps! God, it's like they don't even realize the farce they live in day to day.

    1. CrackedNoggin Bronze badge

      Re: Incentives

      I'm pretty sure tax breaks for any kind of business costs are already available.

  9. Anonymous Coward
    Anonymous Coward

    Ransomware........

    .........just so I understand this......we've got plenty of advice about fixing the problem once it's happened.

    .........but what I'm wondering is this........how did the bad actors get execute (and/or) write permissions on your network in the first place?

    Maybe ransomware isn't the real problem! Maybe preventing bad guys running stuff on your network might be a better target for remediation????

    1. vtcodger Silver badge

      Re: Ransomware........

      Maybe preventing bad guys running stuff on your network might be a better target for remediation

      If you can figure out how to do that, a fortune awaits you. So far as I can see, not connecting your computer(s) to a network -- ever -- is the only known method of preventing all malware attacks. And even THAT may not be sufficient if you insist on inputting "data" to your computer(s).

  10. IGotOut Silver badge

    What?

    "Other ideas include: tax breaks for organizations as an incentive for adopting secure IT practices"

    Great. Can I stop paying tax because I've patched my devices this week?

    How about this as an incentive.

    If you have lax IT security, then not only will you get hacked, your hard fought brand name turned to mud, massive direct financial losses, but you may get fined at the same time.

    If that's not enough of an incentive, then fuck em.

    1. batfink

      Re: What?

      Unfortunately the numpty hack of TalkTalk didn't drive them out of business, so the public reputation impact doesn't seem to be as bad as we would all hope.

  11. Anonymous Coward
    Boffin

    LTO-8 WORM

    First, do backups to something that can't be overwritten, like WORM tape, ideally LTO-8. Starter hardware is under $4,000. No excuses.

    Second, encrypt the backup so reading it won't yield usable results for the ransomware.

    Now that you've got your recovery sorted, you can look into ways of hardening your network. The biggest impact would be to install all patches and updates. Yes, it will hurt and some of your applications will break. Live with it and fix the application instead of trying to run an unpatched OS. The professional ransomware attack is via known vulnerabilities to gain control of your OS and BIOS. This applies to Windows, Mac, and Linux (which used to have security via obscurity but now is increasingly targeted with malware like RansomEXX). This won't stop zero days but it will make you much less vulnerable in general.

    Then you can look into scanning everything that comes into or goes out of your network, from browsers and social media on down. Don't just scan for malware, scan for size (reasonable), encryption (appropriate) and destination (known, approved).

    Bottom line, if your CEO isn't complaining, you haven't done enough.
