> Welcome to the new ransomware economy, where hackers have a reputation to consider.
It's not new for organized crime to consider its reputation.
In fact you could argue that organized crime exists solely based on its reputation, and I would certainly argue that for CryptoWall. If nobody trusted that paying them would work, they would lose virtually all reason to do what they do.
I'm not going to defend digital extortion, but it exists because people pay it, and articles like this are part of the problem by making it known to Googlers that paying works.
It's complicated and I think we should think hard about where where we point fingers if we want to fix this.
I beg to disagree. If you effectively made everyone realize that not paying utterly destroys the extortionist's business model, that does "magically fix these kinds of attacks" overnight. Not that I'm saying educating people about this is practical or even possible.
One thing that I think is destructive though is "blaming the criminals", since a) we don't even know who they are, b) their business model depends entirely on them being promoted as a legitimate threat you can pay to fix, and c) blaming them distracts from finding a real solution.
Since, as you say, educating everyone is not possible, you can't destroy the business model. So let's keep the 'magical fixes' out of the discussion.
How does blaming the criminals distract from finding a real solution? (You haven't yet even suggested a viable solution that we could be distracted from)
While I agree with the essence of your message, it is flawed only because of free will. When given the opportunity an individual will usually think selfishly even in regard to a larger system. Isn't this the basis for "game theory"? Everyone individually thinks they can squeak by, get a little bit of an advantage, pay off the extortionists, no harm done right?
Or in another example, if nobody took a job for a shitty company there would be no shitty companies right? So why are people taking shitty company jobs?
I'll have to find the article later, but I read somewhere that about 1.7% of victims actually ended up paying money to the original cryptolocker guys, yet this seems to be enough to keep them in business. For your plan to work, you would need pretty much 100% compliance, which simply isn't going to happen.
This may sound cliche, but ransomeware truly is plaguing the nation. 3 "phone room" busts here where I live in the last month or so, all of which were the "tech support" hot lines that you called into after you've paid the ransom to "fix your PC."
sure, there are many different levels of extortion. Some outfits are very upfront i.e. "your PC has been locked..." others are much more subtle and appear to come across as a legit operation and it isn't until you speak to your techie son-in-law that you find out you've been hit.
IMHO the best way to nab these guys is the phone rooms. More and more cities / states are requiring these rooms to have licenses and in my city the FBI has set up a temporary shop to go after these guys.
thank you, exactly. lots of that going on here. 3 years ago it was timeshare sales then timeshare recovery i.e. "helping victims get their money back from the scam, which in and of itself was a scam."
The problem is not the ransomware neither the criminals ... it's the way internet/computer users became completely unaware of what they are using and blindly trusting everything.
Think of this as a natural balance to the ridiculously insecure internet and people's tech culture. If we are all going to live in a world where we use internet and technologies everyday, we should have a minimum of knowledge on how it works and not blindly trust everything.
One other point, it's useless to try stopping these guys, they are selling the software on the blackmarket with source code, the more you catch the more room you give to new criminals and the better breed the virus becomes ...
I think you're right: People are not afraid of computers anymore, and when they are, it's in all the wrong ways.
When I was younger the internet terrified people. I learned all kinds of simple "don'ts" in the 90s that it seems all got completely forgotten within a decade and now no-one learns anything anymore.
I didn't even use my real name online until a couple of years ago. It was like the first rule of the internet: never put your real-life details on the internet.
Now we have Facebook.
News stories and Outlook viruses made it abundantly clear that you should never ever ever click an attachment if you didn't specifically request it and know exactly what it is (And even then, best to double check).
Now there's a whole bloody black-market industry built on attachment malware.
I was told to never re-use passwords, never write them down, and never give my password to anyone.
Now we have apps that conveniently collect every single one of your passwords to provide a single-point weakness where one password unlocks your entire bloody online identity, and the point of even having separate passwords is completely lost. And it's somehow supposed to be 'more secure'.
The point of services like last pass is that a website with shitty security won't compromise all your accounts on websites with decent security.
The point is you only trust one security specialist company rather than many non security specialist companies.
It's getting to the point where if you don't use something like lastpass, then reusing passwords to some extent is needed - or do you remember 20 different passwords for each site you visit, even when you visit them only once a year?
You're right that the password-vault part is the weakest part of the post, I think, though I'd argue many people probably don't even use (relatively) secure options like LastPass, and probably default to "password managers" built in to browsers or OSes.
I just have this weird cognitive dissonance when I see the 'big threats' that get posted sometimes online. The other day I read a Reddit post about some Dangerous New Threat to Bitcoiners, that amounted to nothing a slightly-more-clever-than-average attachment virus. I don't understand how anyone managed to get as far as even operating a Bitcoin wallet and somehow never learned basics like "don't click blindly on email attachments".
> I don't understand how anyone managed to get as far as even operating a Bitcoin wallet and somehow never learned basics like "don't click blindly on email attachments".
Perhaps you're not the best person to be giving security advice if you don't understand why people - even those who should know better - click on email attachments?
Not quite. A better analogy here is this: there is a supplier of fridges that is notorious for unreliable power circuits. People know this, and buy those fridges anyway, hoping that it won't happen to them, because the fridges are popular and have a particular copyrighted layout of the door and shelves so that they don't have to learn anything new when visiting friends or moving to different house. Initially, the fires weren't the people's fault; but when the people kept buying and installing those fridges in spite of the problem, they expressed their disregard for the issue with their dollars. At that point, they began to deserve the consequences. (Of course, the analogy is quite flawed because not everyone knows; there are always some new users who think they are getting a safe fridge, and are cheerfully sold the death trap.)
Could the "one file free decrypt preview" feature be used to sniff out the crypto key required to decrypt all the other files? Or does the virus need to check in with the backend for every single file for unique keys?
> does the virus need to check in with the backend for every single file for unique keys?
As it's based on CryptoLocker, all the files would be encrypted with the same key. After CryptoLocker was busted by law enforcement, "Fox-IT and fellow firm FireEye introduced an online service which allows infected users to retrieve their private key by uploading a sample file, and then receive a decryption tool" (https://en.wikipedia.org/wiki/Cryptolocker#Takedown_and_reco...)
I wouldn't be so sure this would help: CryptoLocker was using symmetric encryption (AES) for the files while CryptoWall apparently solely use RSA (which creates problems for the pirate, like slow encryption, thus encrypting only small files (.jpeg, .doc...)?). Only the public key seems to be downloaded when the malware installs. (http://stopmalvertising.com/malware-reports/cryptowall-behin...)
If this is the case, I would surprised if they would download the private key for the one free decrypt feature. If they encrypt only small files they might do the decryption on the remote C&C Server?
And that is why I have the "if you don't have backup, I won't bother to help you with your lost files" policy when friend or family come crying. I make only one exception from this rule.
Cryptolocker is not the problem. The lack of reliable backup is.
15 years into the internet age, and 5 into the cloud you have no excuse.
I would genuinely rather lose all my critical data to cryptolocker than put it in the cloud. Given a choice between my data being accessible by no-one or everyone, I will pick no-one every time.
Data in the cloud /is/ available to everyone that matters.
I'd also like to remind you that it can be impractical to back up some forms of data, especially in the cloud. High definition video (weddings, funerals, holidays) is impractically large.
The problem /is/ Cryptolocker. Anyone with an ounce of practicality will take mitigating steps against it, I have no sympathy for anyone who ignores the risk, but the solution is not massive scale global data duplication, that is treating the symptoms. The solution is to dissuade criminals from this path.
Widescale international cooperation in finding these people would be a start.
I do have a physical hard disk for my backups but I also backup some critical data "on the cloud" (actually, some servers of mine). There is always a chance that the pc and the disk are stolen by a burglar or my house catches fire. Then there is the matter of making the encryption and access keys survive any of those events.
I think Duplicity (http://duplicity.nongnu.org) is what you're looking for. For Ubuntu I know there's a nice GUI that anyone who can use a computer can set up. For other platforms I think cli is the only way, but someone could just write a QT/Cocoa wrapper around it.
Indeed, having a recent valid backup turns the cryptolocker variety of virus quite ineffective, you only lose some time to restore vs files you can't replace.
But how is this related to the internet or the cloud in any way? Putting backups into the cloud is a terrible idea and transferring large data collection over a residential Internet connection makes little sense.
Backups for home users became a possibility with the advent of cheap storage, first burners and cheap blank discs and now with large hard drives and flash media.
But the issue at hands here is that with the democratization of the personal computer most users lacks the skills to make their own backups and even among technical people it's not until we got bitten by data loss that we start to take backups seriously.
I'm sorry, but I do exactly what you say is impossible.
> Putting backups into the cloud is a terrible idea
> and transferring large data collection over a
> residential Internet connection makes little sense.
I work with video, music and large images. So my home backup is 3.6 TB. I now use CrashPlan: a cloud backup, who have no problem with the capacity. It took ~ 6 months to store everything, but now it just sends the deltas quietly behind the scenes.
I lost a 1TB drive the other day, and the restore worked well after a bit of jiggerypokery.
Previously I used an LTO2 tape system involving Bacula, a VMWare linux instance and a lot of changing tapes. Cloud backup is so much better
> Backups for home users became a possibility with the advent of cheap storage, first burners and cheap blank discs and now with large hard drives and flash media.
Now your home users need to start regular media rotation with scheduled integrity checks with a full copy stored off-site in a geographically diverse location. Are you starting to reconsider your assertion that “putting backups into the cloud is a terrible idea”?
What you should have mentioned is how many years since the start of the personal computer.
People simply cannot be computer-illiterate in the modern world without eventually being screwed. Nearly every computer ignorant person I know has a virus/spyware/adware ridden PC sitting at home while they're just waiting to find a "computer guy" who can fix it.
I'm surprised that no one has fingerprinted the patterns that these apps take to encrypt the files, then created an antivirus definition for them. Surely they can't be that polymorphic that no one can catch them?
Polymorphism typically referred to worms and viruses that changed their own code base as they spread. Most infections, however, happen from phishing emails either with attachments or linking to the payload. Changing the files produced so as to no longer be caught by antivirus signatures is trivial, and you can even create a unique variant for each phish.
Many legitimate programs will seem to act similarly - opening files and overwriting contents with something else. ID3 tag writers for MP3s, file type converters, batch image processing, etc. This means you can't match easily against the types of actions being taken.
Let's imagine, however, that the antivirus was still able to detect that something odd was happening. If it prompts the user, they will inevitably click 'yes run this file', because that's what they have always done. If it quarantines the file... well, you just add another few lines to the phishing email saying that the attachment is perfectly safe ("scanned by symantec" apparently...) and to go ahead and bring it back out from quarantine
The problem is that the signature-based antivirus model assumes 1980s-speed networking where an attacker releases a single program which has months or years to spread around the world. In the Internet era, the attacker receives the same AV updates when you do and can tweak an executable until it's no longer detected locally before immediately deploying it. This approach can even be automated both to permute the executable until it passes and to stop spreading it after it starts being flagged.
HitmanPro.Alert (http://www.surfright.nl/en/alert) includes a variation of this - it's not looking for fingerprints, it's monitoring for process behavior characteristic of individually encrypting bunches of files.
My wife's father died about a month ago - two days after he died his widow got a call from some bunch of scoundrels saying "we need to fix your late husband's PC so you can get at his tax records"....
Fortunately, he never had a PC (he was in his mid 80s) so it was obviously a scam but we were all appalled at the cheek of such an approach and the for the fact that a lot of people, particularly the elderly in a moment of stress, would fall for such as scam.
This is an update of another scam, wherein scam artists prowl the obituaries and send "brown package material" with embarrassing contents to the surviving family member, claiming the deceased had ordered it.
Their hope is that the surviving member will pay up to avoid embarrassment. Yeah, you have to be a sicko to think this stuff up.
So the title is "How My Mom Got Hacked" and the only thing it actually says about that actual title is:
The virus is thought to infiltrate your computer
when you click on a legitimate-looking attachment
or through existing malware lurking on your hard
drive, ...
So, there's really nothing about how his mom got hacked.
Don't get me wrong, it's an interesting article, interesting to read about the process that ensues once you've been hacked, and I've up-voted it, but I'm disappointed not to see anything about how it happened.
It might be considered clickbait since the story barely touches (and never actually answers) the how of the headline (i.e. using a somewhat sensationalist headline to increase clicks).
Jesus. The publisher is the New York Times, writing a story about a real threat to ordinary people. It's not a great headline, but neither is it really misleading either. It effectively communicates what the article is about to SNYT readers.
Apparently anything that is not 100% dull now is clickbait.
It's not about being dull, or exciting, and it's not about click-bait or otherwise. It's about accuracy, reporting, and expectations. The heading was "How My Mom Got Hacked" so I expected to see something about how her mom got hacked.
But I didn't. It was a great story about what happened after her mom got hacked, and it was interesting, and mildly engaging, but it simply wasn't what it said.
Calling it something like "Paying the hackers" or something like that would have been accurate and just as intriguing.
Is it too much to ask reporters to title the article with something that actually refers to what is in it?
Sorry, but I really don't understand that comment. I read the article, and commented that the title doesn't match the content. In what sense do you then claim that I've just blandly parsed a headline?
>Their "business model" is extremely restricted. 99.99 of their victims cannot handle the Bitcoin thingy.
Its actually pretty interesting how this developed. Some of guys running variants of cryptolocker realized how much money they were missing out on and established customer support channels to help their victims figure out how to pay.
Apparently CryptoWall does a dumb copy of the files before encrypting them and do not zero-out after deleting. If it still proceeds this way, that makes it fairly easy to do some recovery.
Hey, that's really useful/helpful info! I'll endorse TestDisk/PhotoRec as a mechanism for recovering deleted files, should be appropriate for most (though you might want a trusted tech savvy person to execute this recovery). The System Rescue CD includes these packages.
You'd think Putin might be persuaded to take action against some of the guilty parties. I know that has not been the Russian tradition but things could change.
Has anyone ever done a serious technological evaluation of one of these programs? I'd be very interesting in learning more specifically about its encryption mechanism. For example, To be able to decrypt (edit: used to say encrypt) the files, it has to store the private key (and obviously the public key) somewhere on the computer, whether in memory or elsewhere to decrypt the files. In addition to this, if this is a variant like mentioned in the article, where you can "decrypt one file for free", then the software obviously has to access both keys to decrypt that, meaning with the right tools you should be able to capture those keys if you can capture the program in the action of decrypting a file.
While an obviously viable solution to this is good backups and educating people about computer security, that won't put these people out of business, which is what would really stop this.
Either way though, if anyone here knows of any material delving into hacking ransomware like this let me know, I'd love to read about it.
It doesn't have to know the private key, just the public one, woth the private being on the virus-owner's side.
Furthermore, it's possible to encrypt each file with a different key so one public key would only deceypt one file.
Oh, and a fun fact - with the newest cryptography algorithms it's even possible to modify the files without knowing what they contain. If I'm not mistaken it would even be possoble to create a software that can conpute checksums of files without knowing the file contents.
> Oh, and a fun fact - with the newest cryptography algorithms it's even possible to modify the files without knowing what they contain. If I'm not mistaken it would even be possoble to create a software that can conpute checksums of files without knowing the file contents.
To my knowledge, this is only true in a purely academic (not practical) sense at present. There do exist homomorphic encryption schemes but current implementations are ridiculously slow.
> To be able to encrypt the files, it has to store the private key (and obviously the public key) somewhere on the computer
Why do you say that? The very purpose of public-key crypto is so that you can send only the public key, have the other end encrypt with that, while you hold onto the private key which is the only thing that can decrypt it.
No guarantee this uses public key for the crypto though. From what I know, a symmetric key is more suitable to encrypting huge amounts of data. Could be wrong about that though.
My mistake. I said encrypt when I should have said decrypt. You are correct though, symmetric key encryption would be better for this, and utilizing the answer giving by kolinko below, I wouldn't be surprised if they did use a different key for each file.
You only need to decrypt once the payment has been received, so the private key doesn't need to be sent to the infected machine before that. Encrypt/Decrypt, it seems to be a moot point.
The "decrypt one file for free" feature seems to be specific to CryptoWall which, some have reported, do not use symmetric encryption like CryptoLocker. CryptoLocker stores symmetric keys for each file on the infected machine, encrypt those with a public key and when the payment is received, send the private key from the C&C Server. I would say it's very unlikely CryptoWall would store remotely a private key per file. That could mean a lot of information to be transferred over the wire. Probably because of using only asymmetric (slow) encryption, CryptoWall apparently only encrypt small files completely, and only a piece of the larger ones. One way the "decrypt one file for free" feature might work is by actually uploading the file (or the the encrypted piece of file) to the C&C Server, decrypting it remotely and sending it back. But the feature is definitely worth investigating.
> From what I know, a symmetric key is more suitable to encrypting huge amounts of data.
Symmetric key encryption is more efficient, but the typical approach when using public key encryption with large files is to use symmetric key encryption, then encrypt the symmetric key with the public key, and then transmit that over the wire.
I imagine that the process used in this software is the following:
1. Generate symmetric key
2. Encrypt symmetric key using (known) public key (the private key remains on the malware owner's servers)
3. Delete the unencrypted symmetric key.
If these three steps are done before the user is told that their files have been held hostage, then by the time that they know they are infected, it's too late to do any analysis of the program, sniff memory, etc. (at best they'll be able to recover the public key and the encrypted symmetric key, which is useless without the corresponding private key). As soon as the ransom is paid, the malware owners will decrypt the symmetric key (using their private key), and send that back to the victim[0].
This could, of course, also use a different symmetric key for each file as well, in addition to the above.
[0] In theory, the malware owners don't even need to store anything per-victim, since the encrypted symmetric key can remain "safely" with the users the entire time. All they need to store is the single master private key.
Also, wouldn't it be possible to recover the files on most filesystems, assuming the disk is too not full?
The program has to encrypt them, unlink the files, and save the encrypted files / archive. If the filesystem needs more space later, it writes over those (discarded) files, right? Everything else would increase disk wear and decrease performance.
Edit: of course excluding SSDs with TRIM/discard enabled.
The problem is that "needs more space later" can occur as soon as the malware moves on to the next file to encrypt.
Also, overwriting discarded files can happen even before the filesystem runs out of space; it depends on the allocation strategy. To maximally preserve the possibility of undeleting files, there would have to be a policy of using the least recently freed blocks for new allocation. That could be pessimistic in other regards, like minimizing fragmentation and seek time.
I work for a school district in the US and we see this occasionally. We just wipe the computer and restore files to the Users network drive from backup.
I personally think getting into a good backup regimen is a better use for the money than paying some scumbags.
Not really. Most useful technologies can be used in crime and we'd get nowhere if we allowed that fact to be used as an argument against the technology.
Pre-Bitcoin, the scammer would have her call an expensive foreign premium-rate phone number or mail cash to a foreign address.
How about when in a few years time there's a scalable, functioning market for hits/murders with bitcoin as payment?
I love the elegance of the bitcoin protocol, but I am worred that the civilized world will have to clamp down on it. You just can't have a place where anyone with enough money (a few k EUR/USD) can perform murders without any reasonable risk of being exposed. This will effectively turn us into a bandit country like Russia. I also think it will become harder to effecticely clamp down on cryptocurrencies as time passes, so time is of an essence.
> You just can't have a place where anyone with enough money (a few k EUR/USD) can perform murders without any reasonable risk of being exposed.
Your 'reasonable risk of being exposed' is when you plan and execute the hit. It's pretty difficult to do. Also, when your target winds up dead, the first investigation is into whether anyone might want that person dead (motive), not the money trail.
Any hitman worth his salt will already today know to get paid in cash or similar liquid assets. As opposed to the ransom situation, the payment of a hit can be arranged long before investigators start looking, so you can easily ship a boxful of cash to a dead drop and avoid ever meeting the hitman in person.
And even if there was a money trail, you couldn't hope to get to a hitman by following it unless you have the other end to start down - ie. you know the "customer", who's the bigger criminal anyway.
> This will effectively turn us into a bandit country like Russia.
No, the availability of anonymous payments is not the defining difference between Russia and 'us'. The rule of law is.
> You just can't have a place where anyone with enough money (a few k EUR/USD) can perform murders without any reasonable risk of being exposed.
I strongly suspect that we will see a whitelist-endorsed-by-some-reputation-broker approach sometime in the future. The suggestion of this kind of thing usually creates a big backlash among many Bitcoin supporters (for good reasons IMO). But eventually there will be many folks using Bitcoin without any ideological attachment to it, and they'll be lured by the appeal of interacting with agents endorsed by some other party.
> Pre-Bitcoin, the scammer would have her call an expensive foreign premium-rate phone number or mail cash to a foreign address.
A foreign address is still an address, which if used to perpetrate crime on a large scale, would represent a point of vulnerability for the criminals even in a somewhat lawless country. Bitcoin's role in these crimes is analogous to an alternate universe, lawless by design, where criminals can retrieve ransoms anonymously and with impunity.
The article doesn't seem answer the question raised in the title. How did Mom get hacked? Actually it's buried in there:
> "So what can we all do to protect ourselves? Keep our computers backed up [...] and most of all, Beware the Attachment."
Ah, so the Attachment is what got Mom!
You know, the above should really be "Beware the Attachment processed on a Microsoft Windows box using the default and/or most popular handlers for its file type."
Also: "beware of letting naive users use the same Windows PC's for Internet-based consumption activities net surfing and e-mail, and for production/retention of important content."
That's effectively saying that non-experts should only use something like iOS or maybe ChromeOS. The same class of attacks works against any user using any operating system which allows them to install arbitrary code - Mac, Android, Linux, etc. all have past examples of successful attacks which started with an email attachment, browser drive-by, etc.
That actually may be a very good idea. It's not that non-experts should be forbidden from using these thing it is that we should stop handing people guns that they end up using to shoot themselves in the foot with.
Agreed – I'm not cheerful about the implications of making things less user-serviceable but … it's not like we don't know how well that's worked out.
If you haven't already read it, SwiftOnSecurity's “A story about Jessica” is rather good for illustrating how badly we've failed as an industry to produce devices which are safe for non-experts to use:
It started as a parody Twitter account (https://twitter.com/SwiftOnSecurity and e.g. https://imgur.com/a/1PDRJ) but got more serious over time. The author really came into their own around the time of last summer's celebrity iCloud attack when so many people were jumping to blame the victims for assuming that big tech companies were good at security.
I don't see any mention here, but as someone who deals with front-line response to users regularly, take a look at CryptoPrevent from FoolishIT (yes, really, https://www.foolishit.com/vb6-projects/cryptoprevent/) and HitmanPro.Alert (http://www.surfright.nl/en/alert) with CryptoGuard. The first does a bunch of local policy setup to restrict where executables can run along with some optional subscription signature watching;the second does more watching for encrypting behavior including on a host sharing files via SMB.
I also recommend making sure that shadow copies are turned on and allocated plenty of space - including on a separate partition or drive if the user in question regularly comes close to filling the drive. It's not a backup, but it is much faster to restore from a shadow copy than from an offsite backup.
Good to know; I've only dealt with a couple and they were on workstations that encrypted files on mapped network shares - vssadmin wouldn't have any access to remove shadow copies on the file server, and in all but one of those cases we had both shadow copies locally on the file server and offsite file backups in place (backups only for the last).
Yes, I meant try to delete... My first impression about CryptoWall is that it was hacked together quicker than CryptoLocker. It doesn't bother with generating a symmetric key per file but rather seems to use a single asymmetric key. It also apparently make a copy of the file before encrypting and doesn't zero-out after deleting the plain text file (see another of my comment in this thread)
" The main difficulty in stopping cybercriminals isn’t finding them, but getting foreign governments to cooperate and extradite them."
Sorry, but no, fuck off please.
US extraditing people from other countries is an abhorrent practice which should not be happening, ever. Imagine if you got an extradition request from Saudi Arabia, because you broke some of their laws on the Internet. Every single country in the world would tell them to sod off. Yet when US does this it's somehow ok? Absolutely not.
110 comments
[ 3.4 ms ] story [ 171 ms ] threadIt's not new for organized crime to consider its reputation.
In fact you could argue that organized crime exists solely based on its reputation, and I would certainly argue that for CryptoWall. If nobody trusted that paying them would work, they would lose virtually all reason to do what they do.
I'm not going to defend digital extortion, but it exists because people pay it, and articles like this are part of the problem by making it known to Googlers that paying works.
It's complicated and I think we should think hard about where where we point fingers if we want to fix this.
No amount of educating end users will magically fix these kind of attacks, whether or not people write articles about their ransom payments.
One thing that I think is destructive though is "blaming the criminals", since a) we don't even know who they are, b) their business model depends entirely on them being promoted as a legitimate threat you can pay to fix, and c) blaming them distracts from finding a real solution.
How does blaming the criminals distract from finding a real solution? (You haven't yet even suggested a viable solution that we could be distracted from)
Or in another example, if nobody took a job for a shitty company there would be no shitty companies right? So why are people taking shitty company jobs?
sure, there are many different levels of extortion. Some outfits are very upfront i.e. "your PC has been locked..." others are much more subtle and appear to come across as a legit operation and it isn't until you speak to your techie son-in-law that you find out you've been hit.
IMHO the best way to nab these guys is the phone rooms. More and more cities / states are requiring these rooms to have licenses and in my city the FBI has set up a temporary shop to go after these guys.
Here's a short article explaining the process and the Verge covered the subject in length: http://ipensatori.com/2014/05/27/tech-support-scams-what-lie...
http://www.theverge.com/2012/5/10/2984893/scamworld-get-rich...
Think of this as a natural balance to the ridiculously insecure internet and people's tech culture. If we are all going to live in a world where we use internet and technologies everyday, we should have a minimum of knowledge on how it works and not blindly trust everything.
One other point, it's useless to try stopping these guys, they are selling the software on the blackmarket with source code, the more you catch the more room you give to new criminals and the better breed the virus becomes ...
When I was younger the internet terrified people. I learned all kinds of simple "don'ts" in the 90s that it seems all got completely forgotten within a decade and now no-one learns anything anymore.
I didn't even use my real name online until a couple of years ago. It was like the first rule of the internet: never put your real-life details on the internet.
Now we have Facebook.
News stories and Outlook viruses made it abundantly clear that you should never ever ever click an attachment if you didn't specifically request it and know exactly what it is (And even then, best to double check).
Now there's a whole bloody black-market industry built on attachment malware.
I was told to never re-use passwords, never write them down, and never give my password to anyone.
Now we have apps that conveniently collect every single one of your passwords to provide a single-point weakness where one password unlocks your entire bloody online identity, and the point of even having separate passwords is completely lost. And it's somehow supposed to be 'more secure'.
I don't understand the internet anymore.
The point is you only trust one security specialist company rather than many non security specialist companies.
It's getting to the point where if you don't use something like lastpass, then reusing passwords to some extent is needed - or do you remember 20 different passwords for each site you visit, even when you visit them only once a year?
I just have this weird cognitive dissonance when I see the 'big threats' that get posted sometimes online. The other day I read a Reddit post about some Dangerous New Threat to Bitcoiners, that amounted to nothing a slightly-more-clever-than-average attachment virus. I don't understand how anyone managed to get as far as even operating a Bitcoin wallet and somehow never learned basics like "don't click blindly on email attachments".
Perhaps you're not the best person to be giving security advice if you don't understand why people - even those who should know better - click on email attachments?
As it's based on CryptoLocker, all the files would be encrypted with the same key. After CryptoLocker was busted by law enforcement, "Fox-IT and fellow firm FireEye introduced an online service which allows infected users to retrieve their private key by uploading a sample file, and then receive a decryption tool" (https://en.wikipedia.org/wiki/Cryptolocker#Takedown_and_reco...)
edit: technically the files are encrypted with different keys but those keys are stored on the victim's machine and encrypted with a single key -- http://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-ne...
If this is the case, I would surprised if they would download the private key for the one free decrypt feature. If they encrypt only small files they might do the decryption on the remote C&C Server?
It's worth investigating anyway.
Cryptolocker is not the problem. The lack of reliable backup is.
15 years into the internet age, and 5 into the cloud you have no excuse.
Data in the cloud /is/ available to everyone that matters.
I'd also like to remind you that it can be impractical to back up some forms of data, especially in the cloud. High definition video (weddings, funerals, holidays) is impractically large.
The problem /is/ Cryptolocker. Anyone with an ounce of practicality will take mitigating steps against it, I have no sympathy for anyone who ignores the risk, but the solution is not massive scale global data duplication, that is treating the symptoms. The solution is to dissuade criminals from this path.
Widescale international cooperation in finding these people would be a start.
Design a simple system that uses amazon as backend to store encrypted data and the keys never leave your control.
There were 4TB drives at 100-sh bucks for big things.
The problem is not Cryptolocker because there will ALWAYS be malware that targets the data itself. And some people will do it just for fun.
I use Duply to schedule incremental backups of my server logs to S3 (write only) and then have S3 expire them after 60 days. Works great.
But how is this related to the internet or the cloud in any way? Putting backups into the cloud is a terrible idea and transferring large data collection over a residential Internet connection makes little sense. Backups for home users became a possibility with the advent of cheap storage, first burners and cheap blank discs and now with large hard drives and flash media.
But the issue at hands here is that with the democratization of the personal computer most users lacks the skills to make their own backups and even among technical people it's not until we got bitten by data loss that we start to take backups seriously.
I lost a 1TB drive the other day, and the restore worked well after a bit of jiggerypokery.
Previously I used an LTO2 tape system involving Bacula, a VMWare linux instance and a lot of changing tapes. Cloud backup is so much better
Now your home users need to start regular media rotation with scheduled integrity checks with a full copy stored off-site in a geographically diverse location. Are you starting to reconsider your assertion that “putting backups into the cloud is a terrible idea”?
People simply cannot be computer-illiterate in the modern world without eventually being screwed. Nearly every computer ignorant person I know has a virus/spyware/adware ridden PC sitting at home while they're just waiting to find a "computer guy" who can fix it.
Many legitimate programs will seem to act similarly - opening files and overwriting contents with something else. ID3 tag writers for MP3s, file type converters, batch image processing, etc. This means you can't match easily against the types of actions being taken.
Let's imagine, however, that the antivirus was still able to detect that something odd was happening. If it prompts the user, they will inevitably click 'yes run this file', because that's what they have always done. If it quarantines the file... well, you just add another few lines to the phishing email saying that the attachment is perfectly safe ("scanned by symantec" apparently...) and to go ahead and bring it back out from quarantine
Fortunately, he never had a PC (he was in his mid 80s) so it was obviously a scam but we were all appalled at the cheek of such an approach and the for the fact that a lot of people, particularly the elderly in a moment of stress, would fall for such as scam.
Their hope is that the surviving member will pay up to avoid embarrassment. Yeah, you have to be a sicko to think this stuff up.
Don't get me wrong, it's an interesting article, interesting to read about the process that ensues once you've been hacked, and I've up-voted it, but I'm disappointed not to see anything about how it happened.
For what it's worth, I found your comment somewhat snarky.
I agree about the snarkiness though.
But anyway after reading the article it's clear what happened. Evil mail attachement --> infection.
Just as bad if you ask me. There's still nothing about how she caught it.
Think "How I Met Your Mother", which has little to do with the mechanics of Ted meeting his future wife, but rather the story surrounding it.
Apparently anything that is not 100% dull now is clickbait.
But I didn't. It was a great story about what happened after her mom got hacked, and it was interesting, and mildly engaging, but it simply wasn't what it said.
Calling it something like "Paying the hackers" or something like that would have been accurate and just as intriguing.
Is it too much to ask reporters to title the article with something that actually refers to what is in it?
(you can swap in "publications" without really changing what you meant, but I guess it's fair to not blame reporters)
Not really. Their "business model" is extremely restricted. 99.99 of their victims cannot handle the Bitcoin thingy.
(though today they can certainly get ... cheap coins)
Its actually pretty interesting how this developed. Some of guys running variants of cryptolocker realized how much money they were missing out on and established customer support channels to help their victims figure out how to pay.
Source: http://www.wyattroersma.com/?p=108
http://www.cgsecurity.org/wiki/PhotoRec
http://www.sysresccd.org/SystemRescueCd_Homepage
While an obviously viable solution to this is good backups and educating people about computer security, that won't put these people out of business, which is what would really stop this.
Either way though, if anyone here knows of any material delving into hacking ransomware like this let me know, I'd love to read about it.
Furthermore, it's possible to encrypt each file with a different key so one public key would only deceypt one file.
Oh, and a fun fact - with the newest cryptography algorithms it's even possible to modify the files without knowing what they contain. If I'm not mistaken it would even be possoble to create a software that can conpute checksums of files without knowing the file contents.
To my knowledge, this is only true in a purely academic (not practical) sense at present. There do exist homomorphic encryption schemes but current implementations are ridiculously slow.
Why do you say that? The very purpose of public-key crypto is so that you can send only the public key, have the other end encrypt with that, while you hold onto the private key which is the only thing that can decrypt it.
No guarantee this uses public key for the crypto though. From what I know, a symmetric key is more suitable to encrypting huge amounts of data. Could be wrong about that though.
The "decrypt one file for free" feature seems to be specific to CryptoWall which, some have reported, do not use symmetric encryption like CryptoLocker. CryptoLocker stores symmetric keys for each file on the infected machine, encrypt those with a public key and when the payment is received, send the private key from the C&C Server. I would say it's very unlikely CryptoWall would store remotely a private key per file. That could mean a lot of information to be transferred over the wire. Probably because of using only asymmetric (slow) encryption, CryptoWall apparently only encrypt small files completely, and only a piece of the larger ones. One way the "decrypt one file for free" feature might work is by actually uploading the file (or the the encrypted piece of file) to the C&C Server, decrypting it remotely and sending it back. But the feature is definitely worth investigating.
https://blog.fortinet.com/post/cryptowall-another-ransomware...
http://stopmalvertising.com/malware-reports/cryptowall-behin...
Symmetric key encryption is more efficient, but the typical approach when using public key encryption with large files is to use symmetric key encryption, then encrypt the symmetric key with the public key, and then transmit that over the wire.
I imagine that the process used in this software is the following:
1. Generate symmetric key
2. Encrypt symmetric key using (known) public key (the private key remains on the malware owner's servers)
3. Delete the unencrypted symmetric key.
If these three steps are done before the user is told that their files have been held hostage, then by the time that they know they are infected, it's too late to do any analysis of the program, sniff memory, etc. (at best they'll be able to recover the public key and the encrypted symmetric key, which is useless without the corresponding private key). As soon as the ransom is paid, the malware owners will decrypt the symmetric key (using their private key), and send that back to the victim[0].
This could, of course, also use a different symmetric key for each file as well, in addition to the above.
[0] In theory, the malware owners don't even need to store anything per-victim, since the encrypted symmetric key can remain "safely" with the users the entire time. All they need to store is the single master private key.
Each file gets its own key, and those keys are stored on the victim's computer, encrypted with a single key.
DeCryptoLocker can defeat the encryption and restore your files[2].
Symantec says CryptoWall similarly uses public-key encryption with a 2048-byte key[3], but no indication if it can be defeated like CryptoLocker was.
[1] https://news.ycombinator.com/item?id=8834012
[2] https://www.decryptcryptolocker.com/
[3] http://www.symantec.com/security_response/writeup.jsp?docid=...
The program has to encrypt them, unlink the files, and save the encrypted files / archive. If the filesystem needs more space later, it writes over those (discarded) files, right? Everything else would increase disk wear and decrease performance.
Edit: of course excluding SSDs with TRIM/discard enabled.
Also, overwriting discarded files can happen even before the filesystem runs out of space; it depends on the allocation strategy. To maximally preserve the possibility of undeleting files, there would have to be a policy of using the least recently freed blocks for new allocation. That could be pessimistic in other regards, like minimizing fragmentation and seek time.
I personally think getting into a good backup regimen is a better use for the money than paying some scumbags.
Pre-Bitcoin, the scammer would have her call an expensive foreign premium-rate phone number or mail cash to a foreign address.
I love the elegance of the bitcoin protocol, but I am worred that the civilized world will have to clamp down on it. You just can't have a place where anyone with enough money (a few k EUR/USD) can perform murders without any reasonable risk of being exposed. This will effectively turn us into a bandit country like Russia. I also think it will become harder to effecticely clamp down on cryptocurrencies as time passes, so time is of an essence.
Your 'reasonable risk of being exposed' is when you plan and execute the hit. It's pretty difficult to do. Also, when your target winds up dead, the first investigation is into whether anyone might want that person dead (motive), not the money trail.
Any hitman worth his salt will already today know to get paid in cash or similar liquid assets. As opposed to the ransom situation, the payment of a hit can be arranged long before investigators start looking, so you can easily ship a boxful of cash to a dead drop and avoid ever meeting the hitman in person.
And even if there was a money trail, you couldn't hope to get to a hitman by following it unless you have the other end to start down - ie. you know the "customer", who's the bigger criminal anyway.
> This will effectively turn us into a bandit country like Russia.
No, the availability of anonymous payments is not the defining difference between Russia and 'us'. The rule of law is.
I strongly suspect that we will see a whitelist-endorsed-by-some-reputation-broker approach sometime in the future. The suggestion of this kind of thing usually creates a big backlash among many Bitcoin supporters (for good reasons IMO). But eventually there will be many folks using Bitcoin without any ideological attachment to it, and they'll be lured by the appeal of interacting with agents endorsed by some other party.
A foreign address is still an address, which if used to perpetrate crime on a large scale, would represent a point of vulnerability for the criminals even in a somewhat lawless country. Bitcoin's role in these crimes is analogous to an alternate universe, lawless by design, where criminals can retrieve ransoms anonymously and with impunity.
Isn't this a pretty strong argument against cash?
Isn't this a pretty strong argument against email attachments?
No; totally different arena.
> Isn't this a pretty strong argument against cash?
Cash is a lot more traceable than bitcoin transactions.
> Isn't this a pretty strong argument against email attachments?
? :)
This is extremely false. How did you get this idea?
> "So what can we all do to protect ourselves? Keep our computers backed up [...] and most of all, Beware the Attachment."
Ah, so the Attachment is what got Mom!
You know, the above should really be "Beware the Attachment processed on a Microsoft Windows box using the default and/or most popular handlers for its file type."
Also: "beware of letting naive users use the same Windows PC's for Internet-based consumption activities net surfing and e-mail, and for production/retention of important content."
If you haven't already read it, SwiftOnSecurity's “A story about Jessica” is rather good for illustrating how badly we've failed as an industry to produce devices which are safe for non-experts to use:
http://swiftonsecurity.tumblr.com/post/98675308034/a-story-a...
On the other hand, WTF is up with that blog?!?
I also recommend making sure that shadow copies are turned on and allocated plenty of space - including on a separate partition or drive if the user in question regularly comes close to filling the drive. It's not a backup, but it is much faster to restore from a shadow copy than from an offsite backup.
edit: added links
http://stopmalvertising.com/malware-reports/cryptowall-behin...
Sorry, but no, fuck off please. US extraditing people from other countries is an abhorrent practice which should not be happening, ever. Imagine if you got an extradition request from Saudi Arabia, because you broke some of their laws on the Internet. Every single country in the world would tell them to sod off. Yet when US does this it's somehow ok? Absolutely not.