Ransomware only really works due to the lack of diversity of operating systems and software. If individuals and businesses were all running different stuff it would be nearly impossible to target them en mass. You could only target them one at a time.
While that is a solution, I don't think it is the solution. Another non-solution would be removing all Internet access. Ransomware problem solved, a whole bunch of other problems created.
Probably irrelevant. There would anyway be some number N of operating systems, and a number K of computers, and the number K will always be very much larger than N. So there would be a huge possible 'market' for these criminals, even if they targeted just one of the N operating systems, as long as the number of vulnerable computers is large enough.
> These "customers," who have zero coding skills or software expertise, take advantage of a ransomware-as-a-service (RaaS) model to gain sophisticated capabilities
> Incredibly, many of these operations look and function like authentic businesses. "They rent office space, they have development teams, data architecture teams, help desks, phone support, and people that negotiate ransoms with targets"
What a crazy world we live in, where criminal organization have a quasi-normal corporate structure and even manage a "customer" support team
I would think organised crime orgs would have a special money laundering department, but apart from that yeah, why would it not be a hierarchy structure like any other large org?
Once you work in a large corp and see parallels with government, you start to realize it's just organizational theory all the way down, except some use physical violence, others don't.
Crime is still business, so they operate like one. Minus the risk of being arrested, there's really no difference between a criminal company and a legitimate one.
A number of major drug cartels would be at least on the Fortune 1000 if they were publicly traded corporations. They have management structures, accountants, IT and security professionals, logistics, HR practices, and so on...
I seem to recall a SalesForce scandal where a people trafficking operation was using SalesForce to manage their operation, and SalesForce may or may not have been aware / helped them configure etc
Reminds me of my favorite scene from The Wire when the New Day Co-op is having a meeting and Stringer Bell grabs his secretary's notebook and screams at him "you're taking notes at a criminal conspiracy?!"
If you want a really wacky use of scrum, try The Rhesus Chart [0] by Charles Stross, in which (mild spoiler) ...
a bunch of newly transformed vampires use scrum to quickly figure out how to acquire lots of fresh human blood without alerting the authorities by a trail of suspicious murders.
> Gangs also have begun encrypting backup systems, including cloud storage services such as Office 365 and Drop-box. Although 56% of the firms surveyed by Sophos regained control of their data through backups, that window appears to be closing. "[Cybergangs] have realized that the ransom demand becomes powerless if you have a full backup set in place and you can revert to it,"
This is why our backups at work write to a storage bucket with permissions such that they can create new files but not delete old ones. I'd definitely recommend this approach to everyone who can afford the storage space.
I want this on a simpler scale: an external drive that has a physical switch. In normal operation the switch is in "append only" mode and the drive ensures that nothing can be erased. Only when the switch is temporarily hit to a "unsafe" mode would it allow deleting to make more space. I don't know how easy or difficult this would be (I assume external drives don't typically know about filesystem-level information like this), but it would be a nice product for people with simpler needs than yours. If the backup system can write only incremental changes then the storage requirements would likely be fine for many users.
There are USB drives that do vaguely similar things but it's all in software. It's difficult to do that unless the filesystem has append only functionality, metadata blocks are rewritten all the time even if data isn't.
For anyone who has serious (I.e. $$$) need of that they already have tapes and optical WORM media though.
You can do something conceptually similar with any sort of NAS that provides immutable snapshots as long as the management and control is effectively out of band.
The out of band part is the key. Our SAN data has snapshots. The backups are written to another storage device that only has an API key to write them to B2 storage. An attacker would effectively need to completely compromise multiple admins in the organization to get at all the stages of data duplication, and frankly there is no additional line of defense for total compromise if the attacker is willing to wait for physical tape or disk swaps.
Fortunately for ransomware, time is money for them too.
Spin up a FreeBSD box, enable ZFS snapshots and disable SSH? You’d only be able to destroy the snapshots from a monitor and keyboard under normal circumstances.
GDPR may require active online systems to delete data in response to a stream of realtime requests, so while the availability solution is to make deletion a hard, manual process or a process controlled only by an isolated infrastructure team, as you automate GDPR deletion requests you will need to start exposing deletion APIs accessible to end users. This is why a lot of the comments about making read-only backups or offline backups are very challenging for firms to do if they are taking GDPR seriously.
Booting to a Live USB/DVD/CD and then doing the backup while in the booted Live OS would minimize the chances of corruption of the backup, either reading from it or writing to it.
Not ironclad but pretty good. Issues with it that first come to mind are the live operating system image was already compromised when it was written to say the USB disk, or compromised firmware, and of course user error (nothing to do with ransomware in this case). I am not familiar with this stuff so I may be missing something very important, if so tell me about it.
hopefully the cost of reverting full diff (which would be the result of a ransomware attack) won't obliterate the subscription tier a victim is on. the ransom cost might be cheaper!
Perhaps, but I once had two hard drives die on me within the space of a few days (different brands), and since then I like to have a copy of my data in the cloud somewhere. Non-writeable doesn't help much if you can't read it either!
I've had many hard drives fail on me over the decades, and keep multiple backups. Keep in mind your cloud storage service can go dark any time for any reason.
Except then you're losing hours and hours of data during a restore. CDP, on the other hands, results in data loss of seconds only. Particularly powerful when combined with archiving in, say, AWS with tiering and object locking for immutability.
No, because you’re reading the local file system using the local processor, which could corrupt reads or writes. Even DMA reads won’t solve it - malware could encrypt/decrypt transparently for a period undetected, then toss away the decryption key once it’s likely that backups are no longer viably usable..
No they don't if you own a tapelibrary.
If the gang thinks you're a big enough target they will make sure your backups are wiped if possible.
The only thing that's going to Help is to seperate the backup infrastructur and pull the backups mit push them.
The encryption process ensues over days, weeks, or months, normally progressing through hard drives, attached drives, and network devices. The C&C server decrypts files as they are needed. Along the way, crooks place a ransom note in every folder that has encrypted files; they might also plant other types of malware on systems. During the final stage of an attack, the ransomware uninstalls itself, the thieves remove the encryption key from the infected system and the victim sees a ransom note on the computer screen.
If the encryption goes on over a long enough period, recovery would be a nightmare or even impossible, especially if the tape rotation period is exceeded.
> Not surprisingly, dozens of major ransomware gangs now exist worldwide, including in Russia, Eastern Europe, and North Korea.
To what extent should ransomware activity be considered low-grade economic warfare by nation-states who can't or won't police cyber-criminals, and thus justification for robust national responses such as sanctions?
To the extent that you'd be willing to cut off your nose to spite your face[1] (Impose economic tariffs on the countries in question, thus hurting your own domestic consumers, and strengthening economic bonds between the nation in question, and their other trading partners), or be willing to kill people over money (Go to war with the nation in question.)
[1] This point is debatable, some people feel that tariffs are not 'both-sides-lose' games. Depending on the tariff, and the situation, I too feel that way - but neither I, nor those people hold to an orthodox understanding of neo-liberal economics. [2]
[2] Which as of 2021 are the primary drivers of trade policy in the Western world. This may, or may not change in the decades to come.
There is actually some talk in the cyber policy space about this topic. [1] In a sense, all the spam, ransomware, and banking trojans that are thrown by other nation states (or their sanctioned criminal groups) raise the noise floor for what U.S. and allies need to address. This helps mask high-skill high-impact attacks (0days) since everyone is trying to figure out how to get their employees to not click spam emails. The U.S. is kinda missing out on creating this noise for our adversaries to deal with.
Kidnapping provides a useful service and should be legal. Schools, kindergardens and parents with poor security practices deserve to be punished for their negligence.
just as fences must be erected to encircle the entire property they guard, rather than just one or two small segments erected to block specific approaches.
Schools, kindergartens and parents have a legal responsibility for children under their protection. However it has been repeatedly proven that businesses who allow enormous amounts of user's personal and financial data to be leaked will suffer no meaningful consequences. See: Yahoo!, Target, Experian, etc.
"I don't like how these people aren't punished how I want, so let's sanction crime against them" is a ... questionable concept, to phrase it nicely. Lot's of nasty precedents. Are you sure kindergardens are punished reliably enough for lapses of security?
Also:
Ransomware gangs also target companies that do not have "enormous amounts of user's personal and financial data".
Since too many companies didn't pay ransomware gangs now have taken to stealing data in addition - are you fine with a ransomware gang selling your personal data then, because they are "helping"?
No, but the alternative is that they would have stolen the data anyway. So it's either neutral or positive.
>let's sanction crime against them
If it were legal it wouldn't be a crime.
>Are you sure kindergardens are punished reliably enough for lapses of security?
Given that I rarely hear about children being kidnapped out of kindergartens, I would assume so. I'm not well educated on this, though, since I don't have a personal stake in the matter.
I get that you're trying to say that Ransomware is a kind of evolutionary pressure to force IT ecosystems to adapt and improve, but that's far from saying it should be legal.
It's like trying to justify armed robbery as a method of convincing people to take self defense lessons, or burglary as a method to get people to upgrade their windows to lexan.
The middle ground, which is always a bit in flux, does already exist. It's known as Bug/Security bounties, similar to what HackerOne tries to make above-board.
I'm not sure how such a rule could be enforced. But let's assume that it could. I think this would cause a huge shift in IT. For example, companies would be more eager to switch from Windows to something more secure. Or if they continued to use Windows, it would be in the form of ephemeral VMs, perhaps on AWS, that lack an attach surface area.
But I would hope that financial pressure - like insurance companies not insuring unprotected systems - would have the same result without the need for regulation.
> For example, companies would be more eager to switch from Windows to something more secure
Windows is not inherently insecure. Executing a malicious program would work just as well under Linux. (Presumed) technical superiority does not help when it's basically social engineering all the way. Ephemeral VMs don't help too much, either. So I highly doubt this would reduce windows market share in any significant way.
Introduce obligation to report successful cyber attacks under penalty for delay. EU is already doing it. Also make a fine of 10 times the ransom for paying the ransom. Additionally introduce criminal liability for intentionally hiding a ransomware attack in order to pay the ransom.
The biggest reason is to starve the attackers of incentive and resources. If you get 10 million dollars from an attack you can hire 10 people for a year to work on more attacks.
But it's unlikely that companies will change anything besides reporting in their practices. People are bad at evaluating tail risks of 0.001% chance happening in their lifetime.
The article briefly touches on this, but my belief is the one thing that may eventually "take down" cryptocurrency is ransomware.
That is, ransomware as it exists today is only possible because secure, anonymous, non-reversible methods of payment exist in the form of cryptocurrency. Things like bearer bonds were outlawed decades ago because of a similar desire to make large anonymous, easily transportable payments impossible.
Honestly, if anything, I see ransomware as probably the primary use case today for crypto besides speculation.
Crypto, or at least bitcoin, is not anonymous. On the contrary the payment trail is there for the whole world to see. Governments could blacklist those coins such that no exchange or legitimate vendor would ever take them. They choose not for whatever reason but not because the technology offers anonymity.
There are already blacklists and sanctioned bitcoin addresses. It might defeat your point of bitcoin, whatever that is, but not mine... There is no universally agreed "point of BTC".
Depends on what you think the point of cryptocurrency is. I’ve heard a lot of different explanations over the years. I believe the most popular one currently is an inflation resistant store of value, which should be compatible with blacklists.
As for timing, either blocking spending or tracing the transaction back to a person is equally valuable as a deterrent.
Here’s how blacklists destroy your “store of value” argument: Transactions don’t require the receiver’s consent. It’s easy to find large wallets (wallet balance is public record), and then once you’ve carried out your ransomeware attack and gotten paid, your black wallet sends to whatever poor schmuck you want to destroy. Because sends blacken anything they touch, you’ve just turned a lot of money into nothing, at the cost of whatever action it took to get that wallet blacklisted in the first place.
The blacken anything it touches wasn’t my argument. Investigate everything it touches, yes, but if it turns out to be no connection you just confiscate the proceeds of a crime and move on.
It is quite difficult to have global, functioning blacklist system. I would guess for example some country in Asia might have quite different blacklist compared to let's say to some country in Europe.
From criminals perspective they probably have money launderers on darknet markets who are willing to take the dirty crypto, deduct their hefty fee and offer clean crypto instead.
A bitcoin that couldn’t be spent anywhere outside of e.g. China would be far less valuable than one that could be spent anywhere. At very least this would reduce the profitability of ransomware attacks.
How much less valuable exactly would you estimate? These markets for dirty bitcoins probably already exist, I would guess. I think someone would swap dirty btc to clean with price like 10% or maybe 20%. For criminals that would be just the cost of laundering the coins.
For this to work, the blacklist should apply to the receiving wallet AND CASCADE through to wallets to which that wallet issued any subsequent transfers.
Coins used to pay ransomware should effectively taint and freeze everything they touch.
A government could have a “burner” account where all tainted money could be sent. A system where you are warned of tainted deposits (for example, use a micro-transaction from a “US taint detected” account as the message). You have x days to pay the received tainted money to the burner account, or your account gets tainted too.
Of course every jurisdiction would want to be in on the “free” bitcoins so lots of complications...
And there are plenty of ways to circumvent that, including converting it to various privacy coins, using mixer services, using it to buy mining power, etc., etc., etc. Heck, crypto may have even more ways to launder money than cash, and those won't go away with blacklists - which will just make the "privacy" coins, services, etc. more valuable.
The only way it could even plausibly work is for every visible and darknet service in the world to subscribe to and abide by the exact same crypto-wallet blacklist. Good luck making that happen when nuclear superpower governments are in fact transnational crime syndicates.
Assuming that the tracing capabilities are useful for anything beyond taking down the amateurs is overly optimistic.
Nothing is ever perfect. It doesn’t mean you shouldn’t at least try to track down criminals. Which has essentially been the West’s response to ransomware so far.
No question, nothing is ever perfect, and best efforts should be made to utilize the available tracking. Especially so, when the threat is rising to the level of national security concerns as attacks start moving to infrastructure, and are sponsored or unofficially sanctioned by criminal nation-sates, where the response should be kinetic.
The problem is that to kill ransomware, we would need a near-perfect system, and that is extremely unlikely, or thee will be substantial leakage, and continued profit for ransomers. I'd say it'd be easier to entirely shut down crypto globally than to ransomware-proof existing crypto.
Probably means that the real solution will be to do both. Sanction only fully traceable cryptocurrencies and shut down the rest.
I don't see this going in the direction of a heavily enforced response, although some places may talk big. While a collective ban is rationally sensible, nations are made of individuals and every person will do a calculation of personal benefit relative to national interest. Crypto is valuable as a refuge, so a recurring story is currently playing out in destabilized nations all over the world where crypto is used to escape the inflated local currency: the government gets wishy-washy about what it's going to do with the stuff, with different officials taking wildly different stances according to their own self-interest. They talk of a ban, and then of national cryptocurrency, and then of nationalized mining. Everyone is looking for safe harbor but pulls in a different direction.
Focusing on controlling onramps and offramps to cryptocurrency, like controlling goods import/export, is a relatively straightforward compromise to this internal dilemma and allows the government to be a player in the space without much direct oversight, even if some folks are slipping through the cracks. A sloppy, haphazard enforcement is likely to prevail.
And there's another way to reassert state control within that framework. If the bad cryptocriminals come for your stuff, the government can bail you out - if you play by their rules. The loss compensation mechanism is a simple plan to mitigate dangers, since it's easy for governments to create and redistribute credit internally and doing so can build consent.
Submitting to this framework does mean that the government is truly in competition with decentralisation to provide a better, more trustworthy service to handle central credit, and has to massively step up security efforts in the process. Everyone started "asleep at the wheel" on this, with individual tech firms all building out their own insecure house-of-cards fiefdoms and relying on the intellectual property law framework to keep them up. But everyone knows it's flawed - of course you can copy, what's important is if you can get credit, and that part is also changing with the crypto sector - assignment of credit is the whole thing of NFTs in a nutshell. The nation that can grasp this the quickest and turn it into a coherent part of their economic framework will cruise ahead.
I like your thinking here! Of course it raises several questions
Will any substantial number of govts have the foresight to setup such a system of on/offramp controls + rules/bailout + investigation and enforcement soon enough?
If the ransomeware plague stays in the non-critical commercial realm, it would work
The key looming problem I see is that it is already sanctioned by criminal adversary nation-states, and there will be a lot of profit temptation to go after critical or military infrastructure - some ransomware gangs are just going to be that short term 'smart' long-term stupid. A sufficiently serious enough attack could cause war-level damage...
How would they know if the coin is from ransomware? If the randomware criminals say it's not, so it's word against word? And if they accepted just one payment to the wallet (so there's not a pattern of accepting money from strangers)
Or if the organization that got broken in to, doesn't want to be public about that? (Doesn't want to talk with the government)
Ransomware isn’t lucrative enough to be the primary transactional or consumptive use case of crypto.
Comical world view, to me.
Of course, the nature of cryptocurrency makes both of our claims unfalsifiable. I would suggest hanging out in crypto-adept communities more, being privy to a 300-participant transaction or other things communities get excited about, to give you a different view of how people use it.
Bitcoin is not anonymous. there are strict KYC rules in place.
Bitcoin is not for speculators, it's primary use case is a Store of value. There's large demand for a store of value, especially now that the bond market is finished.
"These "investors," who have zero industry skills or expertise, take advantage of a [insert economic activity]-as-a-service (?aaS) model to gain sophisticated capabilities"
The type of billionaire individuals who by virtue of inheriting billions upon billions, don't ever have any real skills (nor the need to develop any) and yet, they live in societies (subcultures) which expect that they keep having (and making) billions upon billions.
Think of descendants of descendants of founders of what are now giant corporations.
They fund VC-backed startups, which they then own (by proxy). They can barely use an iPhone; let alone understand how it works or is made.
Except the business being funded is a criminal enterprise, maybe their riches originally come from "shadier" dealings?
My point is that the underlying principle is the same, it's a very powerful principle. This is how the market enables societies to build super complex stuff. The marketplace abstracts away the complexities. This 'principle' is a technology, it's ethically neutral.
Users need to be able to edit the same files that ransomware encrypts, and differentiating between a legitimate user and a ransomware program is difficult.
If the backups are made by the system, and the user can't access them, and the system protects itself (and the backups, obviously)... ransomware shouldn't be possible.
No matter what the application does, it can't access the backups in such a system.
>
If the backups are made by the system, and the user can't access them, and the system protects itself (and the backups, obviously)... ransomware shouldn't be possible.
And if the gang get's admin rights on the box your backups are gone.
I was speaking in the context of the files, not the backups.
How is this program to know that a file edited by the virus to encrypt is legitimate or not when the edit is being made by a user that created and owns those files? The backups themselves can be contaminated months before the encryption and ransomware attack is sprung. Restoring from last week or last month's backup might still lead to your system being encrypted.
Additionally, as the other user pointed out the goal would be to gain access to the appropriate user with the level of permissions, such as an admin or root account, and use those credentials to carry out the attack.
The OS, files and configuration which can be unchangeable are trivially replaceable and thus does not really need to be protected.
The configuration and data which gets changed all the time is valuable (the effort that was made in making those changes) and the prime target of ransomware, and it can't be write-protected because, well, it needs to get changed. I mean, if "reimage all these computers to the default configuration" would be a viable solution, everybody would just do that instead of paying large ransoms.
Well, that's true, OS being able to protect itself is useful and necessary, but my point is that it's nowhere near sufficient (as your parent post seems to imply) for preventing consequences of ransomware attacks, because by the time standard OS protections (which are reasonable) are broken because attackers have privileged access, they can also do worse things than just attack the single computers' OS, and if they can't get privileged access, well, then the OS is effectively write-protected anyway unless you're using something totally outdated. IMHO if the OS and its configuration would be securely write-protected (perhaps from media that's physically read-only?) that wouldn't help much if at all.
It won't prevent lateral movement through the network (that's often memory only, no need to write to disk), it won't prevent persistence through theft of credentials or kerberos tickets (and possibly make it harder to rotate credentials), and of course it won't prevent the exfiltration, encryption and/or destruction of the actually valuable data.
If we look at an advanced ransom attack (e.g. as many described in this article - manually operated after initial access like many Emotet attacks, not some purely automated malware) then I struggle to imagine what parts of the attack would be thwarted if the OS and config would be write protected - do you have something specific in mind?
First - protect the AD and authentication infrastructure from a black start event.
I'd have an offline physical machine, no matter how old, that was a viable backup domain controller. I would have a stack of hard drives for it, and a copy of clonezilla. Every so often, clone the hard drive, boot the replacement, and sync it with the domain, then turn it off.
For the truly paranoid, do this in each location. Keep the machine and drives in a safe.
Test the black start backups on a temporary network built from spare hardware. Note that if you boot a Windows machine, it might adapt itself to the hardware and cause issues, so discard that image, and regenerate it.
In a black start event, you could turn off all the outside networks, and start with the old AD server, and restore from backups.
--
Any Virtualization or SAN layers should have administrative credentials that are unused for anything else, and only written down on pieces of paper, never scanned or typed in.
All servers should have saved images in offline, unencrypted hard drives, in a safe.
--
The main thing then is to get periodic offline unencrypted backups of the systems and data in a safe.
--
So, if the system is breached, there is at least a way to restore to the last backup, and you have some confidence it actually works.
Embedded systems can have their software burned into ROMs. It can't be corrupted. But nooooo, people put it into EEPROMs with a software write-enable switch.
My prediction: Ransomware will be the scapegoat that leads the way on making the use of encryption a criminal offence. This is exactly what many governments want. Up till now, the best argument against encryption is "we can't see what criminals are doing", but that isn't very tangible for many people. Just wait until a powergrid or water treatment plant in the US is down for weeks due to being "attacked with encryption" (yes, that will be the spin), and you'll have tons of people ready to vote for the outlawing of any and all encryption without a license/backdoor/etc.
Let's say you outlaw encryption, what would be the impact on ransomware criminals? They will continue not following the law and do their criminal things, using "illegal encryption" (aka non-backdoored encryption).
I doubt it, my guess is it will (understandably) be used as the scapegoat to kill cryptocurrency and/or put it under a central authority controlled by governments.
Ransomware was basically non-existent before criminals had a way of being paid anonymously.
Social engineering scams manage to get millions wired (https://variety.com/2018/film/news/pathe-loses-more-than-21-...). Crypto may be more convenient and less risky, but I don't see a crypto ban stopping ransomware completely. Plus there will always be someone wanting to do it for laughs or infamy.
This is one of the reasons crypto sucks. I'm building a list:
- Attacks sovereign currencies and ability of countries to set fiscal and monetary policy. Instead, it rewards "crypto geniuses" that got in early. I'm not sure these are the people that should have power over our elected governments.
- A waste of human and resource capital that could be spent solving more important problems
- Hugely bad for the environment
- Lack of KYC that enables money laundering, terrorism, and other illicit activities. Including randomware attacking hospitals
- Rewards pump and dump and crazy schemes like NFTs that don't contribute to innovation or the economy
- Relies on cryptography to remain post-quantum safe
>>Not surprisingly, dozens of major ransomware gangs now exist worldwide, including in Russia, Eastern Europe, and North Korea. Incredibly, many of these operations look and function like authentic businesses. "They rent office space, they have development teams, data architecture teams, help desks, phone support, and people that negotiate ransoms with targets," says Alexander Chaveriat, chief innovation officer at Tuik Security Group. "They buy server space all over the world using cryptocurrency, change servers as needed, and use virtual private networks and other tools to hide their location."
It is getting to the point where the threat is beyond office functions and to manufacturing, infrastructure and IOT.
With the threat escalating to that genuine national security level, and often under sponsorship or blind eye of criminal govts (NK, RUS...), we are not far from the point where the appropriate response is to deliver a kinetic response - as in a cruise missile through the window.
138 comments
[ 2.7 ms ] story [ 192 ms ] threadHowever, a complete lack of interoperability would make it really hard to, you know, interact with other businesses and systems.
This isn't throwing the baby out with the bathwater so much as drowning the baby in the bathwater.
(edit: removed some meaningless words)
> Incredibly, many of these operations look and function like authentic businesses. "They rent office space, they have development teams, data architecture teams, help desks, phone support, and people that negotiate ransoms with targets"
What a crazy world we live in, where criminal organization have a quasi-normal corporate structure and even manage a "customer" support team
From "Why Drug Dealers Live With Their Moms" By Steven D. Levitt and Stephen J. Dubner
https://www.latimes.com/archives/la-xpm-2005-apr-24-oe-dubne...
Edit: link: https://www.bloomberg.com/news/articles/2019-03-27/fifty-wom...
If you want a really wacky use of scrum, try The Rhesus Chart [0] by Charles Stross, in which (mild spoiler) ...
a bunch of newly transformed vampires use scrum to quickly figure out how to acquire lots of fresh human blood without alerting the authorities by a trail of suspicious murders.
[0] https://en.wikipedia.org/wiki/The_Laundry_Files#The_Rhesus_C...
https://archer.fandom.com/wiki/El_Contador
This is why our backups at work write to a storage bucket with permissions such that they can create new files but not delete old ones. I'd definitely recommend this approach to everyone who can afford the storage space.
https://en.wikipedia.org/wiki/Write_once_read_many
For anyone who has serious (I.e. $$$) need of that they already have tapes and optical WORM media though.
You can do something conceptually similar with any sort of NAS that provides immutable snapshots as long as the management and control is effectively out of band.
The out of band part is the key. Our SAN data has snapshots. The backups are written to another storage device that only has an API key to write them to B2 storage. An attacker would effectively need to completely compromise multiple admins in the organization to get at all the stages of data duplication, and frankly there is no additional line of defense for total compromise if the attacker is willing to wait for physical tape or disk swaps.
Fortunately for ransomware, time is money for them too.
Sigh. When are people going to accept that software switches are inherently not secure? How many times must these fail?
> It's difficult to do that unless the filesystem has append only functionality, metadata blocks are rewritten all the time even if data isn't.
There's no reason to continue writing anything to a hard drive once the backup to it is finished.
A physical read-only switch is required.
Not ironclad but pretty good. Issues with it that first come to mind are the live operating system image was already compromised when it was written to say the USB disk, or compromised firmware, and of course user error (nothing to do with ransomware in this case). I am not familiar with this stuff so I may be missing something very important, if so tell me about it.
Just think of all the security issues that would just go away with physical write-enable switches.
Heck, I'd go further, and demand from disk makers a physical write enable switch for a separate volume. Use that volume for the system software.
Even more secure would be hardware write only storage. CD-ROMs fit in this category, but they aren't big enough.
But all we need are hard disk drives with a physical write-enable switch. Turn it on, write your backup, turn it off. No software can then alter it.
A stupidly simple idea, and yet every time I mention it in HN it gets dismissed, denigrated, etc. Apparently people like malware, ransomware, etc. :-(
The encryption process ensues over days, weeks, or months, normally progressing through hard drives, attached drives, and network devices. The C&C server decrypts files as they are needed. Along the way, crooks place a ransom note in every folder that has encrypted files; they might also plant other types of malware on systems. During the final stage of an attack, the ransomware uninstalls itself, the thieves remove the encryption key from the infected system and the victim sees a ransom note on the computer screen.
If the encryption goes on over a long enough period, recovery would be a nightmare or even impossible, especially if the tape rotation period is exceeded.
To what extent should ransomware activity be considered low-grade economic warfare by nation-states who can't or won't police cyber-criminals, and thus justification for robust national responses such as sanctions?
[1] This point is debatable, some people feel that tariffs are not 'both-sides-lose' games. Depending on the tariff, and the situation, I too feel that way - but neither I, nor those people hold to an orthodox understanding of neo-liberal economics. [2]
[2] Which as of 2021 are the primary drivers of trade policy in the Western world. This may, or may not change in the decades to come.
1. https://www.usni.org/magazines/proceedings/2019/october/gran...
Defense has to work every time. Attackers just have to get through once. That's a game that favors the attackers.
Game 2: Every time offence scores, they get $100 of my money. Defense loses nothing.
Neither is fair to defence, but game 2 is unfair to me, and that's what's important.
I just hope no one ever holds you up to the standards you demand of everyone else.
Also, the thing is, our immune system isn't exempt from false-positives. I'm not sure we want a society with as many false-positives.
Also:
Ransomware gangs also target companies that do not have "enormous amounts of user's personal and financial data".
Since too many companies didn't pay ransomware gangs now have taken to stealing data in addition - are you fine with a ransomware gang selling your personal data then, because they are "helping"?
>let's sanction crime against them
If it were legal it wouldn't be a crime.
>Are you sure kindergardens are punished reliably enough for lapses of security?
Given that I rarely hear about children being kidnapped out of kindergartens, I would assume so. I'm not well educated on this, though, since I don't have a personal stake in the matter.
No it's not, but because random data stealing is a lot less lucrative than ransoming.
It's like trying to justify armed robbery as a method of convincing people to take self defense lessons, or burglary as a method to get people to upgrade their windows to lexan.
The middle ground, which is always a bit in flux, does already exist. It's known as Bug/Security bounties, similar to what HackerOne tries to make above-board.
That's probably the only solution, besides the obvious ones like actually protecting the systems.
But I would hope that financial pressure - like insurance companies not insuring unprotected systems - would have the same result without the need for regulation.
Windows is not inherently insecure. Executing a malicious program would work just as well under Linux. (Presumed) technical superiority does not help when it's basically social engineering all the way. Ephemeral VMs don't help too much, either. So I highly doubt this would reduce windows market share in any significant way.
The biggest reason is to starve the attackers of incentive and resources. If you get 10 million dollars from an attack you can hire 10 people for a year to work on more attacks.
But it's unlikely that companies will change anything besides reporting in their practices. People are bad at evaluating tail risks of 0.001% chance happening in their lifetime.
That would be true if in 2021 the alternatives were more secure than Windows, which I doubt.
That is, ransomware as it exists today is only possible because secure, anonymous, non-reversible methods of payment exist in the form of cryptocurrency. Things like bearer bonds were outlawed decades ago because of a similar desire to make large anonymous, easily transportable payments impossible.
Honestly, if anything, I see ransomware as probably the primary use case today for crypto besides speculation.
Also a hacker could just buy something with the coins between the time the victim sends the money and the time the government is notified.
As for timing, either blocking spending or tracing the transaction back to a person is equally valuable as a deterrent.
From criminals perspective they probably have money launderers on darknet markets who are willing to take the dirty crypto, deduct their hefty fee and offer clean crypto instead.
Coins used to pay ransomware should effectively taint and freeze everything they touch.
Of course every jurisdiction would want to be in on the “free” bitcoins so lots of complications...
The only way it could even plausibly work is for every visible and darknet service in the world to subscribe to and abide by the exact same crypto-wallet blacklist. Good luck making that happen when nuclear superpower governments are in fact transnational crime syndicates.
Assuming that the tracing capabilities are useful for anything beyond taking down the amateurs is overly optimistic.
The problem is that to kill ransomware, we would need a near-perfect system, and that is extremely unlikely, or thee will be substantial leakage, and continued profit for ransomers. I'd say it'd be easier to entirely shut down crypto globally than to ransomware-proof existing crypto.
Probably means that the real solution will be to do both. Sanction only fully traceable cryptocurrencies and shut down the rest.
Focusing on controlling onramps and offramps to cryptocurrency, like controlling goods import/export, is a relatively straightforward compromise to this internal dilemma and allows the government to be a player in the space without much direct oversight, even if some folks are slipping through the cracks. A sloppy, haphazard enforcement is likely to prevail.
And there's another way to reassert state control within that framework. If the bad cryptocriminals come for your stuff, the government can bail you out - if you play by their rules. The loss compensation mechanism is a simple plan to mitigate dangers, since it's easy for governments to create and redistribute credit internally and doing so can build consent.
Submitting to this framework does mean that the government is truly in competition with decentralisation to provide a better, more trustworthy service to handle central credit, and has to massively step up security efforts in the process. Everyone started "asleep at the wheel" on this, with individual tech firms all building out their own insecure house-of-cards fiefdoms and relying on the intellectual property law framework to keep them up. But everyone knows it's flawed - of course you can copy, what's important is if you can get credit, and that part is also changing with the crypto sector - assignment of credit is the whole thing of NFTs in a nutshell. The nation that can grasp this the quickest and turn it into a coherent part of their economic framework will cruise ahead.
Will any substantial number of govts have the foresight to setup such a system of on/offramp controls + rules/bailout + investigation and enforcement soon enough?
If the ransomeware plague stays in the non-critical commercial realm, it would work
The key looming problem I see is that it is already sanctioned by criminal adversary nation-states, and there will be a lot of profit temptation to go after critical or military infrastructure - some ransomware gangs are just going to be that short term 'smart' long-term stupid. A sufficiently serious enough attack could cause war-level damage...
How would they know if the coin is from ransomware? If the randomware criminals say it's not, so it's word against word? And if they accepted just one payment to the wallet (so there's not a pattern of accepting money from strangers)
Or if the organization that got broken in to, doesn't want to be public about that? (Doesn't want to talk with the government)
(I don't know much about crypto coins.)
Comical world view, to me.
Of course, the nature of cryptocurrency makes both of our claims unfalsifiable. I would suggest hanging out in crypto-adept communities more, being privy to a 300-participant transaction or other things communities get excited about, to give you a different view of how people use it.
Bitcoin is not for speculators, it's primary use case is a Store of value. There's large demand for a store of value, especially now that the bond market is finished.
The type of billionaire individuals who by virtue of inheriting billions upon billions, don't ever have any real skills (nor the need to develop any) and yet, they live in societies (subcultures) which expect that they keep having (and making) billions upon billions.
Think of descendants of descendants of founders of what are now giant corporations.
They fund VC-backed startups, which they then own (by proxy). They can barely use an iPhone; let alone understand how it works or is made.
Except the business being funded is a criminal enterprise, maybe their riches originally come from "shadier" dealings?
My point is that the underlying principle is the same, it's a very powerful principle. This is how the market enables societies to build super complex stuff. The marketplace abstracts away the complexities. This 'principle' is a technology, it's ethically neutral.
Why can't the OS be write protected? Why can't the configuration also be write protected?
No matter what the application does, it can't access the backups in such a system.
And if the gang get's admin rights on the box your backups are gone.
How is this program to know that a file edited by the virus to encrypt is legitimate or not when the edit is being made by a user that created and owns those files? The backups themselves can be contaminated months before the encryption and ransomware attack is sprung. Restoring from last week or last month's backup might still lead to your system being encrypted.
Additionally, as the other user pointed out the goal would be to gain access to the appropriate user with the level of permissions, such as an admin or root account, and use those credentials to carry out the attack.
The configuration and data which gets changed all the time is valuable (the effort that was made in making those changes) and the prime target of ransomware, and it can't be write-protected because, well, it needs to get changed. I mean, if "reimage all these computers to the default configuration" would be a viable solution, everybody would just do that instead of paying large ransoms.
Precisely the wrong way to think about this.
If the OS can't protect itself, you've got a system with zero security.
It won't prevent lateral movement through the network (that's often memory only, no need to write to disk), it won't prevent persistence through theft of credentials or kerberos tickets (and possibly make it harder to rotate credentials), and of course it won't prevent the exfiltration, encryption and/or destruction of the actually valuable data.
If we look at an advanced ransom attack (e.g. as many described in this article - manually operated after initial access like many Emotet attacks, not some purely automated malware) then I struggle to imagine what parts of the attack would be thwarted if the OS and config would be write protected - do you have something specific in mind?
First - protect the AD and authentication infrastructure from a black start event.
I'd have an offline physical machine, no matter how old, that was a viable backup domain controller. I would have a stack of hard drives for it, and a copy of clonezilla. Every so often, clone the hard drive, boot the replacement, and sync it with the domain, then turn it off.
For the truly paranoid, do this in each location. Keep the machine and drives in a safe.
Test the black start backups on a temporary network built from spare hardware. Note that if you boot a Windows machine, it might adapt itself to the hardware and cause issues, so discard that image, and regenerate it.
In a black start event, you could turn off all the outside networks, and start with the old AD server, and restore from backups.
--
Any Virtualization or SAN layers should have administrative credentials that are unused for anything else, and only written down on pieces of paper, never scanned or typed in.
All servers should have saved images in offline, unencrypted hard drives, in a safe.
--
The main thing then is to get periodic offline unencrypted backups of the systems and data in a safe.
--
So, if the system is breached, there is at least a way to restore to the last backup, and you have some confidence it actually works.
Most/all of these ransomware attacks use the built-in Windows encryption.
Ransomware was basically non-existent before criminals had a way of being paid anonymously.
- Attacks sovereign currencies and ability of countries to set fiscal and monetary policy. Instead, it rewards "crypto geniuses" that got in early. I'm not sure these are the people that should have power over our elected governments.
- A waste of human and resource capital that could be spent solving more important problems
- Hugely bad for the environment
- Lack of KYC that enables money laundering, terrorism, and other illicit activities. Including randomware attacking hospitals
- Rewards pump and dump and crazy schemes like NFTs that don't contribute to innovation or the economy
- Relies on cryptography to remain post-quantum safe
It is getting to the point where the threat is beyond office functions and to manufacturing, infrastructure and IOT.
With the threat escalating to that genuine national security level, and often under sponsorship or blind eye of criminal govts (NK, RUS...), we are not far from the point where the appropriate response is to deliver a kinetic response - as in a cruise missile through the window.