When your Digital Life is Held to Ransom

crim_with_gun

Ransomware is a type of malware that will lock you out of your files, device, or other resources, and demand a payment to regain access.  Even if you choose to pay up, most often the payment will not result in gaining back access, and your files are permanently lost.

The threat posed by Ransomware is serious, and ongoing.  I last updated this article in September 2015, not long after Cryptolocker became the first widely reported Ransomware threat with thousands of infected computers and resulting in the loss of millions of dollars of data and production.  The problem has only increased in frequency and severity with a range of new variants attacking customers across PC and other platforms.

Over the last few years, we are asked to help businesses recover from a major Ransomware infection about once per week.  Where the infected site has implemented a viable backup system, files and services can usually be restored with some effort and relatively few losses.  In rare occasions we are able to decrypt the files and restore them without backups.  Unfortunately, many businesses and individuals that come to us for help did not have appropriate backups in place and don’t get lucky with any capacity to decrypt so lose their files at huge cost.

This article will outline how Ransomware works, and what you can do to reduce the risk of being hurt.

So, what’s new?  I WannaCry!!!

“WannaCry” ransomware went viral (!) over the weekend (12 May 2017), encrypting millions of files and taking down many sites including a significant chunk of the UK health system, prompting me to review and update this article.  WannaCry is just another event in a trend where new attack vectors are exploited on discovery and yet another wave of attacks ensues.  The result for us is a burst of upset business owners and individuals asking us for help over lost files, downtime, and in one case last week all personal files including the family photos being encrypted (was a older Cryptolocker variant, but they still lost most of the photos).

Perhaps you might expect that after two years of new Ransomware variants, employing ever more sophisticated attacks, more advanced defences would also be required to mitigate the threat?  Perhaps it is reasonable that so many individuals, businesses, and government departments have been hit, and continue to be hit because it is near impossible to predict and mitigate the risk of these attacks?

No.  Not True! This was 100% predictable, just a matter of when.  As I go over my recommended and quite simple suggestions to prevent these attacks from two years ago, I find not much has changed.  The same advice still applies and if taken would largely prevent or mitigate the current attack.  Unfortunately, best practice security measures are still not in place in the wider community, even in some organisations that should know better. It seems many organisations need to be burnt before they will learn.  For some, it’s too late.

I have sympathy for individuals with no professional support to help them understand or mitigate the risks.  Most people don’t understand a lot about how their computer works, nor should they need to (though I think its pretty common sense to back stuff up!).  However, I don’t believe we should have sympathy for professional managers and IT staff wasting our money in government departments by exposing our public systems to unnecessary risk.  From The Independent in the UKA number of hospitals in England and Scotland were forced to cancel procedures after dozens of NHS systems were brought down in Friday’s attack. ….There have been calls for an inquiry into the circumstances surrounding Friday’s major incident, with the Government and NHS chiefs facing questions over their preparedness and the robustness of vital systems. 

The Wannacry attack is targeting a known bug in Windows that was patched by Microsoft months ago.   Prior to that it was known to a department of the US government who kept it to themselves to help them hack the computer systems of anyone they care to, particularly us foreigners.  The problem was only disclosed after their own documents leaked, though fortunately Microsoft released a patch prior to the information being extensively exploited by the hacker community.  Consider the damage if the hackers had got to it first, and the responsibility shared for this attack by the US Government.

Computers kept up to date, an automatic process with Windows 10, are not vulnerable.  Unpatched systems or computers running obsolete operating systems (XP, Vista) are wide open to this attack. You might argue that Microsoft should support their operating systems for a longer period, but consider that Windows XP was released in 2001 and the underlying architecture simply cannot be made secure.  Spending resources to plug holes in legacy designs is not good value compared with working on improving new systems.  It is time to move on and accept that an operating system has a limited design life.  In this case, given the severity of this attack and because it was practical to patch the older systems, Microsoft have released a one off patch for obsolete versions of Windows to help combat the problem.

A Bad Day in The Life of …. John, the owner of a small manufacturing business who has come into the office at the crack of dawn to catch up. Coffee machine working. Check. Time to finally get this tender sorted.

Logging into his PC, John does a double take. There is an impressive looking red and white boxy thing on the screen.“ Your personal files are encrypted!…..pay us or they are gone forever.”

Files exist but nothing will open. Johns not too familiar with the backup system, but he knows they have one. Rings his accounts guy who looks after that. There are backups. They sit on a NAS in another building to the server, so they are “offsite”.

Tries to restore. Files won’t open. They have been encrypted as well. Very Bad Day.

How does Ransomware infect and hurt my computer systems?

The most common way to get infected is by clicking on an attachment or link in a malicious email.  The email may appear to have been sent from reputable company such as Australia Post or Telstra.

Other methods of infection include visiting infected web sites, malicious code embedded in downloadable applications, and attacks on security flaws in operating system software and services.  Any attack that can run executable code on your computer has the potential to infect you with malware.

The most common Ransomware will scan your computer for valuable files, such as office documents and photos, and encrypt them.  Ransomware may also encrypt files on any network accessible locations or attached disks.  Once done, the malware presents a message with a promise to decrypt the files if you pay up.

Files encrypted cannot usually be recovered without a key generated by the criminals or from backups.  There are some exceptions where flaws in the malware has allowed security researchers to decrypt files, but don’t count on it!.  Backup files accessible to ransomware, such as those located on an attached drive, may be encrypted alongside other files.  Backup sets may also be compromised with any backup process run after encryption has started including a mix of newly encrypted files and unencrypted files, potentially overwriting the original files depending on the backup system design.  At best this requires you to sift through backups for the last good copy.

By the time the damage is noticed, even if you have current backups you may find your business suffers with downtime to services while you restore the damage.  Even large organisations with multiple layers of security and backups have been hurt.

There was an IT security issue this morning which affected some of the ABC’s broadcasting systems and created technical difficulties for ABC News 24, as a result, we broadcast stand-by programming from 9:30am before resuming live news broadcasts from Melbourne at 10:00am. – ABC news 8th October 2014

…cybersecurity firm Qihoo 360 said that 29,372 institutions, including government offices, bank machines and hospitals had been infected over the weekend. – Chicago Tribune 15th May 2017 on WannaCry Ransomware

… those who didn’t apply the update were still open to attack, resulting in the mammoth attack starting Friday that infected 48 UK National Health Service trusts, FedEx, Telefonica, Renault and Nissan car manufacturing plants, U.S. universities, Russian governments and Chinese ATMs, amongst many other systems across 150 countries. – Forbes 14th May 2017

Cryptolocker3

 

Are my other devices vulnerable?

Ransomware is most common and dangerous on a Windows PC, but this type of malware is also growing rapidly on other operating systems and devices.

Infections on Android devices are normally triggered by a malicious app.  The most common versions of Android Ransomware try to lock the user out of their device and demand payment to allow access.  These variants do not always encrypt files, leaving some hope of restoring them.  There are work arounds to gain back access in most cases, but not always.

Since I last updated this article in 2015, attacks on android devices have continued with some Malware variants now able to encrypt files.  The problem is not as bad as on Windows machines, but it is useful to be aware of the risks and take appropriate precautions.  SLocker is probably the most dangerous Android malware as I write, with over 3000 known variants, some of which are not detected by android security applications and may be downloaded through app stores.

Ransomware can potentially attack Apple iOS and OSX devices, such as iPhones.  In 2014 Apple customers, primarily in Australia, woke to a message on their phone screens : Hacked by Oleg Pliss. For unlock YOU NEED send voucher code by 100 $/eur one of this (Moneypack/Ukash/PaySafeCard) to helplock@gmx.com.  This attack was probably indirect, where a vulnerability in the user’s iCloud accounts was exploited to then attack the phones.  A handy reminder to set up two-factor authentication on important accounts and to set, and regularly change, a strong password on your accounts.

More recent attacks on iphones used a design flaw in the Safari browser to practically lock the user out of their phone with pop up windows and then direct them to pay a ransom.  That flaw has since been solved with a patch.  Another lesson there!

FBI__ransom_Android

 

I’m not at risk, I have a virus scanner!?

It is a common and dangerously mistaken belief that an up to date virus scanner can guarantee protection from malware.  A virus scanner will protect against many known, and some newly released malware, but no scanner can protect against all such threats.

Failure_300When Cryptolocker attacked in late 2013, no virus scanners I am aware of picked it up or prevented its actions.  It went right through the scanners as well as other security systems and infected many thousands of computers.  Days and weeks later virus scanners caught up and could block the malware, but then a variant of Cryptolocker was released to bypass them and a second wave of infections ensued.  To rub salt into those wounds, they also took the opportunity to raise the ransom amount.

Research by LastLine Labs (and others) confirms that anti-virus are never 100%, and can never be 100%: “On Day 0, only 51% of antivirus scanners detected new malware samples … After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for antivirus vendors”

Seeing comments like the following are common after an infection, when it too late and people realise antivirus alone is not enough “…got a Crypt/Dorifel virus(an early version of cryptolocker) and all Symantec was doing is quarantining the modified documents….”

The good news is that techniques used by antivirus programs have improved over the past few years and are less reliant on malware signatures while improving other techniques such as “heuristic” scanning.  The recent WannaCry outbreak was detected and blocked by at least some security software products.  These new techniques are not entirely reliable, just an incremental improvement and pose risks of their own.

Antivirus will protect you at times, but it cannot be more than one element of a protection strategy.

Do I get my files back if I pay?

Sometimes.  These programs are written to make the criminals money.  It makes sense then that if you pay up, usually $100s to $1000s of dollars, they will decrypt your files or unlock your device so the next guy has some hope and will also pay them.

…ransomware campaign known as Angler took in an estimated $60 million a year before getting shut down in 2015. — Wired

Sometimes paying will work.  More often the remote attacking servers will have been taken down, access blocked to prevent further infections, the software simply breaks and will not decrypt correctly, or the attackers never intended to allow the option to decrypt.  If you get hit, ask for advice to look at all other possible ways to restore lost files, and only try paying up as a desperate last resort.

…there have been no reports of anyone getting their files back, despite nearly 170 payments (about US $50,000 at the time of writing) having been made to the bitcoin wallets associated with the ransomware.The Conversation on WannaCry Ransomware three days after the attack began. CTB-Locker

Is there any other way to get my files back?

Restoring from your backups is the most reliable and most often the only method to recover from a ransomware infection.  Where backups are accessible from the infected computer, they may have been encrypted and therefore practically destroyed.  Offline backups are not vulnerable and may be an option if your current most up to date backups have been compromised.

The effectiveness of backups depends on their design and many poor backup system designs are vulnerable to ransomware.  If you are reading this as a business owner and are not entirely familiar and confident about your backup system, please review it!  In our experience the majority of SMEs do not have an adequate backup system, and many who believe that have a working system in fact have no useful backups at all.

CERT Australia was contacted by a number of organisations that had suffered significant business disruption as a result of corrupted backups. – Australian Computer Emergency Response Team on Ransomware advisory.

MrBackup

For users of some versions of windows, you may be able to restore older versions of files, the ones present before the malware attacked, by accessing the shadow copy snapshots stored on your computer (if the feature is enabled – and note it is not available on the basic home versions of windows).

In rare cases, security organisations have discovered flaws in the encryption process or intercept encryption keys from the attackers, allowing files to be decrypted.  This is a long shot.

There may be other copies of your information cached or stored in places you are not aware of.  Think about files that may have been copied to pen drives, other devices, uploaded into the cloud, and so on.  There may be deleted files on devices that can be retrieved.

Ask for professional advice if you appear to have lost critical files.

How can I protect my business from Ransomware?

There is no one simple solution to insure a business against ransomware or similar malware and related disasters.  Implementing a number of measures can greatly reduce your risk of serious data loss or downtime.

Insurance

Some of the measures you can use to reduce the risk to your business:

  • Educate staff in ways you might be attacked and what to look out for to avoid infection, such as suspicious emails.
  • Implement a planned and verified backup system including an offline copy. Ensure a senior person fully understands the design and how to verify its operation.
  • Ensure operating system patches are fully up to date on all computers.
  • Do not plug any PC still running an obsolete operating system into your network (where security updates are no longer supported by Microsoft such as Windows XP and VISTA)
  • Where backups run across your network to a shared location, such as a NAS, set a password to limit access so that only the backup process can use that share.
  • Block malware delivery with services such as a spam and virus checking service to filter email before it hits your user mailboxes and a web filtering service to block malicious or infected websites.
  • Ensure up to date antivirus systems are installed on all computers.
  • Limit account permissions – do not log into a computer with an administrator account for general use. Limit individual users account access to network resources they need.
  • Turn on User Access Control (its on by default, many people turn it off. Do not.)
  • Turn on Volume Shadow Copy where available (keep old version of files automatically).
  • Reduce your attack surface.
    • Use firewalls and NAT routers so internet traffic cannot reach devices that may be vulnerable. Be careful with port forwards and do not use the DMZ feature on your router unless you know what it is!!
    • Block access to suspicious web sites at network level.
    • Turn off services you don’t need.
  • Implement software restriction policies to block execution of unknown software and other appropriate organisation wide group policies (for server based networks).
  • If you suspect an infection, physically unplug any infected machine from the network, and if not sure what to do, shut it down immediately. If encryption is not complete this will save files.

Further Reading

Why installing software updates makes us WannaCry

New variants of SLocker Android malware target corporate data

How My Mom Got Hacked – New York Times

Why Ransomware Will Continue to Rise in 2015 – McAfee Labs

Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks – LastLine Labs

Antivirus Isn’t Dead, It Just Can’t Keep Up

Ransomware @ Wikipedia

New Windows 10 scam will encrypt your files for ransom @ ZDNet

Hackers lock up thousands of Australian computers, demand ransom @ SMH

Ransomware Advisory @ CERT

Ransomware Explained @ Microsoft

Cryptolocker @ Krebs on Security

Crypto-ransomware attack targets Australians via fake Australia Post emails @ ABC

Editors note:  Original article October 2014.  Latest update May 2017.

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *