Fantastic write-up, I really enjoyed all of the details on how the forensics are done for these cases. Certainly a good reminder to make frequent air-gapped backups of any mission-critical machines on the network. And even with those, as the author points out, rebuild time and effort could be horrible.
Steve Gibson has been heavily covering the increase in ransomeware on his excellent podcast Security Now. From SN I’ve learned some interesting points, including that Ransomeware-as-a-Service is now definitely a thing. There have been a few major operations which hand out ransomeware packages to unethical hackers in exchange for a % of the Bitcoin they collect.
I can only see ransomeware becoming more and more of a problem in the future, though I certainly hope I’m wrong.
As an industry, to mitigate such risks over the long term, we have to move to continuous restoration, which will require innovation in workflows, tools, and services.
I also think that we've begun a reassessment of just how much information needs to be stored, because "Data is a toxic asset." A lot of these systems have data they don't need mixed in with mission-critical data, which raises the complexity of restoration.
I commend researchers in this field. Ransomware has a tangible impact on lives, particularly in cases involving healthcare facilities, for instance. Such criminals deserve harsh response for the chaos they create.
Also, I can’t help but thinking that the global internet that we’ve created is highly irresponsible. That criminals with sufficient skill and means can anonymously pull off these kinds of crimes with little chance for pursuing justice is indication of some fundamental flaw in the internet’s design. While people should have the right to be anonymous, there’s simply too much potential for abuse by such criminals. I wonder if the internet is ripe for disruption via redesign of core protocols. As I recall, this has been discussed on hn previously but I’ve lost track of such research..
Most property crime goes unpunished in the non-internet world. An anonymous someone walked off with my bike a few years ago, a crime unpunished to this day. Does this point to a fundamental flaw?
Yeah, I think it does point to a fundamental problem in our society. Check out your local Nextdoor and I think you’ll find people calling for very harsh punishment of bike thieves.
The difference is how malleable the internet infrastructure is compared to the real world. Would ransomware have taken off like it has without bitcoin? Is there some technical change to bitcoin that could make it less attractive to bad guys?
The first ransomware payment I saw predated Bitcoin, and had the victims use a Western Union money order.
It's definitely an inhibitor for the attacker. For a start, it took days for them to get payment. The current "our Onion site will detect the payment and release keys automatically" took a human workflow, which had to impact their scale. I have no doubt some sort of mule received the payment, but it's still much more traceable if overseas LE actually wanted to investigate. And managing that mule again had to hurt scale. The amount of ransomware we see today could never have happened without Bitcoin.
Edit: that too started with an open RDP server. All these years and we're seeing the same vectors in this write up.
>The difference is how malleable the internet infrastructure is compared to the real world.
Just put up cameras with facial recognition everywhere, require every citizen to have biometric IDs (face from multiple angles, fingerprints, DNA), make covering your face illegal and bam you catch like 99% of bike thieves.
>Would ransomware have taken off like it has without bitcoin?
Probably, yeah. Gift cards work well too for example (they're just not as convenient), and I'm sure there are plenty of other ways to transfer money too if you're willing to incur like 50% transaction losses.
>Is there some technical change to bitcoin that could make it less attractive to bad guys?
Bitcoin already tracks every transaction ever. You'd have to somehow prevent mixers from existing, but I'm not sure how that'd be possible.
Pointless at best and toxic to liberty at worst. Often these types of attacks come from comparatively poor nations. It costs the attackers a lot less to attempt the crime than for us to negate the crime via employees who are paid wages appropriate to our own economy. Anonymity certainly offers utility when it comes to cybercrime, but the real challenge is a resource matter not an intelligence matter.
Fascinating article. I'm especially concerned about the browser passwords being vulnerable - how serious is this, really? I would have hoped in 2020 that Mozilla, et al would have something better than plaintext for passwords.
Also the article never really identified how the "patient zero" machine was infected in the first place. RDP brute force?
Mozilla does store the passwords encrypted, but unless you set a master password, it's more of an obfuscation, as the decryption key is stored in a key file next to logins file. If you set a master password that is sufficiently complex, you should be safe-ish, unless you are facing Mossad.
- I had Windows Server 2016 with few Hyper-V VMs running
- RDP was exposed to the Internet
I remember I was working on that computer, and the screen got locked, like someone pressed Win+L. So, I logged in and saw the folder on my desktop called, if remember correctly "Process Explorer 2" or something similar. The screen got locked on me again after a few seconds.
I immediately realized the computer got infected. But after a few minutes, I had a very important meeting and only came back to investigate after about 3 hours.
Results:
- most of the files on the computer were encrypted. But files, which were in use (should I say "locked"?) - stayed. For example, VM disk images stayed unencrypted (but not metadata). That's how I saved one VM, which was somewhat important for me.
- I had Synology NAS with btrfs connected via SMB to that Windows Server and few folders got encrypted. But because I have daily snapshots - I restored that in few minutes.
After that incident, I reinstalled Windows Server (this time 2019) and started to pay more attention to the security, installed winlogbeats and found, that RDP is getting brute-forces at about 400 000 attempts / week from ~55 000 IPs.
So, I installed fail2ban analog for Windows: https://github.com/DigitalRuby/IPBan and now I'm getting about 600 failed attempts/week
"rdp exposed to internet" - this is the biggest issue. Don't be in the DMZ with your machines!
I have an openssh server running (no password but unique credentials) and need to connect to my VPN in order to interact with my machines. Everying else just asks for hackers.
Looks like textbook security services masquerading with whats known, but I wouldnt like to say which country. Most security researchers are not wise to the offline tactics employed by the security services which here in the UK starts when you are school, your school reports, your NHS medical records, your financial transactions, the motivators of your parents, siblings, relatives and friends, along with their phenomenal resource and cutting edge knowledge which they get from University and others leading their fields. Jeez when will people wake up and realise your lives are more scripted that you can possibly imagine because your knowledge and expertise is compartmentalised in mainly one domain, possible two, but never full spectrum domain knowledge, with an element of pre-emptive action based on genetics and socioeconomic standing which helps reinforce stereotypes. The spooks do what will never get passed the ethics boards of university's because in warfare & survival there is no ethics despite the rhetoric!
Why do you say that? You havent been on the receiving end of the UK Security Services & UK Police which started when I was a primary school. But hey dont worry, I'm now officially catagorised as F22 Delusion by the NHS, go back to sleep twat!
20 comments
[ 4.6 ms ] story [ 57.8 ms ] threadSteve Gibson has been heavily covering the increase in ransomeware on his excellent podcast Security Now. From SN I’ve learned some interesting points, including that Ransomeware-as-a-Service is now definitely a thing. There have been a few major operations which hand out ransomeware packages to unethical hackers in exchange for a % of the Bitcoin they collect.
I can only see ransomeware becoming more and more of a problem in the future, though I certainly hope I’m wrong.
I also think that we've begun a reassessment of just how much information needs to be stored, because "Data is a toxic asset." A lot of these systems have data they don't need mixed in with mission-critical data, which raises the complexity of restoration.
Also, I can’t help but thinking that the global internet that we’ve created is highly irresponsible. That criminals with sufficient skill and means can anonymously pull off these kinds of crimes with little chance for pursuing justice is indication of some fundamental flaw in the internet’s design. While people should have the right to be anonymous, there’s simply too much potential for abuse by such criminals. I wonder if the internet is ripe for disruption via redesign of core protocols. As I recall, this has been discussed on hn previously but I’ve lost track of such research..
The difference is how malleable the internet infrastructure is compared to the real world. Would ransomware have taken off like it has without bitcoin? Is there some technical change to bitcoin that could make it less attractive to bad guys?
Monero is much harder to purchase in US
It's definitely an inhibitor for the attacker. For a start, it took days for them to get payment. The current "our Onion site will detect the payment and release keys automatically" took a human workflow, which had to impact their scale. I have no doubt some sort of mule received the payment, but it's still much more traceable if overseas LE actually wanted to investigate. And managing that mule again had to hurt scale. The amount of ransomware we see today could never have happened without Bitcoin.
Edit: that too started with an open RDP server. All these years and we're seeing the same vectors in this write up.
Just put up cameras with facial recognition everywhere, require every citizen to have biometric IDs (face from multiple angles, fingerprints, DNA), make covering your face illegal and bam you catch like 99% of bike thieves.
>Would ransomware have taken off like it has without bitcoin?
Probably, yeah. Gift cards work well too for example (they're just not as convenient), and I'm sure there are plenty of other ways to transfer money too if you're willing to incur like 50% transaction losses.
>Is there some technical change to bitcoin that could make it less attractive to bad guys?
Bitcoin already tracks every transaction ever. You'd have to somehow prevent mixers from existing, but I'm not sure how that'd be possible.
Also the article never really identified how the "patient zero" machine was infected in the first place. RDP brute force?
- I had Windows Server 2016 with few Hyper-V VMs running
- RDP was exposed to the Internet
I remember I was working on that computer, and the screen got locked, like someone pressed Win+L. So, I logged in and saw the folder on my desktop called, if remember correctly "Process Explorer 2" or something similar. The screen got locked on me again after a few seconds. I immediately realized the computer got infected. But after a few minutes, I had a very important meeting and only came back to investigate after about 3 hours.
Results:
- most of the files on the computer were encrypted. But files, which were in use (should I say "locked"?) - stayed. For example, VM disk images stayed unencrypted (but not metadata). That's how I saved one VM, which was somewhat important for me.
- I had Synology NAS with btrfs connected via SMB to that Windows Server and few folders got encrypted. But because I have daily snapshots - I restored that in few minutes.
After that incident, I reinstalled Windows Server (this time 2019) and started to pay more attention to the security, installed winlogbeats and found, that RDP is getting brute-forces at about 400 000 attempts / week from ~55 000 IPs. So, I installed fail2ban analog for Windows: https://github.com/DigitalRuby/IPBan and now I'm getting about 600 failed attempts/week
Here is the screenshot of how the number of RDP attempts decreased after enabling IPBan: https://hsto.org/webt/oq/q1/ir/oqq1irnzeagwsqnbfpe4gbl9f_o.j...