Cryptowall 4.0: Update makes world's worst ransomware worse still

The fourth iteration of the world's worst ransomware Cryptowall has surfaced with gnarlier encryption tactics and better evasion tricks that have fooled current antivirus platforms. Ransomware has ripped through scores of businesses and end-user machines in sporadic and targeted attacks that have cost victims millions of …


  1. Anonymous Coward

    The end is near

    Seriously, the time is now to get the F out of any business that depends on IT.

    A third of a billion dollars! To be fair, no less ill-gotten than every dollar McAfee or Symantec have ever made.

    1. Anonymous Coward

      Re: The end is near

      At least to get the F out of anything dependent on a single vendor…

      I avoid systems that rely on Apple and Microsoft these days. Sure, use these platforms, but do not rely on them: aim for systems that can move between these, and other platforms, so that should things turn sour, you can move with minimal disruption.

      1. Anonymous Coward

        Re: The end is near

        I found it easier for small offices to lock down OSX than Windows, which is mainly the reason we're using it. I'd love to go all out Linux, but the commercial software we use exists on OSX and Windows, and then OSX is simply the easiest way forward (also less expensive over its lifetime).

        Mind you, we're not addicted to Apple - I don't see the point of throwing out huge wads of cash for a high res screen from Apple when the same can be had from the PC market for far less, and I personally prefer a Logitech mouse over the "thing" that Apple calls a mouse, magic or not.

  2. Steven Roper

    Hunt the bastards down and publicly execute them

    Time to bring back public gibbetings and perhaps introduce live human dissections posted to YouTube. These fucking worthless sociopathic parasites serve no good use to humanity whatsoever. They can't be redeemed or rehabilitated. They are vermin, and they should be exterminated, like vermin.

    1. Anonymous Coward
      Mushroom

      Re: Hunt the bastards down and publicly execute them

      And their relatives.

      1. Known Hero

        Re: Hunt the bastards down and publicly execute them

        And anybody on their contact list!!!

      2. Anonymous Coward

        Re: Hunt the bastards down and publicly execute them

        And their dog!!

        1. DropBear
          Joke

          Re: Hunt the bastards down and publicly execute them

          And their fathers! And their father's fathers! And their father's father's fa... ouch... ouch... owww... *runs away*

          1. Anonymous Coward

            Re: Hunt the bastards down and publicly execute them

            And their cute kittens

          2. Prst. V.Jeltz Silver badge
            Joke

            Re: Hunt the bastards down and publicly execute them

            Alright, don't labour the point.

            It's gone all "Daily Mail" in here!

            1. N2

              Re: Hunt the bastards down and publicly execute them

              "All Daily Mail"

              But sir, there is not one 'Soar', 'Plunge' or 'Plummet' in the text - yet.

          3. Anonymous Coward

            Re: Hunt the bastards down and publicly execute them

            And their fathers! And their father's fathers! And their father's father's fa... ouch... ouch... owww... *runs away*

            Careful, with some of these scum, that could get recursive!

    2. Phil O'Sophical Silver badge

      Re: Hunt the bastards down and publicly execute them

      How long do we need to wait before someone at NSA/GCHQ/KGB/etc. figures out that tracking this scum down and releasing the keys would actually get them some good publicity for a change?

      Anyway, hanging's too good for them, I'd suggest public "stoning" with the encrypted, bricked, 3.5" disk drives. We could charge $5/throw, money to go to the victims..

      1. joed

        Re: Hunt the bastards down and publicly execute them

        Nah, this would not be a wise use of public funds and would give away the capabilities of Big Brother. Just forget it.

      2. John Crisp

        Re: Hunt the bastards down and publicly execute them

        The point is that the spooks won't touch it. It plays into their hands.

        Just gives them a reason to say encryption is a bad thing and they should have access to it all......

        Fixing things does them no favours !

      3. Anonymous Coward

        Re: Hunt the bastards down and publicly execute them

        Jehovah jehovah, jehovah....

    3. Anonymous Coward

      Re: Hunt the bastards down and publicly execute them

      These fucking worthless sociopathic parasites serve no good use to humanity whatsoever.

      They have been useful to me in one brilliant way. Convince people to get the fcuk off Windows.

      1. JDX Gold badge

        Re: They have been useful to me in one brilliant way. Convince people to get the fcuk off Windows.

        And how is that useful to you, other than feeding your malnourished ego that people are paying attention to you for a change?

        1. Anonymous Coward

          Re: And how is that useful to you?

          Sounds like your ego can't stand users migrating away from your beloved Windows.. Gravy train and all..

      2. TheVogon

        Re: Hunt the bastards down and publicly execute them

        Because you don't get ransomware on Linux. Oh wait:

        http://www.theregister.co.uk/2015/11/09/ransomware_targeting_linux_charging_bitcoin/

        1. Anonymous Coward

          Re: Hunt the bastards down and publicly execute them

          >Because you don't get ransomware on Linux.

          Just goes to show Linux is getting more like Windows every day (thanks Red Hat!). That's why you are better off on a purer POSIX OS that places a premium on code correctness, like the BSDs or even Solaris (though if you are stupid enough to run lots of userland code unjailed as root on an internet-facing server, no OS is going to save you).

    4. Destroy All Monsters Silver badge

      Re: Hunt the bastards down and publicly execute them

      But what if they transfer their ill-gotten gains directly to charity?

      Eh, eh? Answer me that!

    5. asdf

      Re: Hunt the bastards down and publicly execute them

      >introduce live human dissections posted to YouTube. These fucking worthless sociopathic

      I agree they are pieces of feces and deserve long jail sentences but wanting humans dissected for public entertainment is beyond sociopathic and into psychopathic land.

      1. Vic

        Re: Hunt the bastards down and publicly execute them

        wanting humans dissected for public entertainment is beyond sociopathic and into psychopathic land.

        Oh.

        OK, as you were, then.

        ::shuffles off::

        Vic.

      2. Steven Roper

        Re: Hunt the bastards down and publicly execute them

        "But what if they transfer their ill-gotten gains directly to charity?"

        Well, firstly for some reason I doubt they do. Second, even if they did, it doesn't excuse blackmailing people with ransomware. To argue a charitable cause as a justification for such vile behaviour is treading perilously close to ends justifying means.

        "wanting humans dissected for public entertainment is beyond sociopathic and into psychopathic land."

        Or the product of a mind that has been reading too many George R.R. Martin novels lately... ;)

      3. Anonymous Coward

        Re: Hunt the bastards down and publicly execute them

        Gave you an upvote, but only due to being accurate. I'm somewhat known for psychopathic tendencies. Need popcorn! (I'm not joking.)

    6. Anonymous Coward

      Re: Hunt the bastards down and publicly execute them

      Why, sure they do ... they keep IT freelancers employed and they let us have the "I told you so" phrase when they don't want to pay for the security and backup solutions that we know work.

      Everyone should have a cold storage system in place that grabs snapshots. This should be a Linux box that has almost all of its functions disabled.

  3. Christopher Lane
    Devil

    Straw poll...

    On a more constructive note... how do you guard your business against this threat? FSRM file screens, SRP/whitelisting etc.? Votes/comments please...

    1. Fitz_

      Re: Straw poll...

      Deploy AppLocker policies so that only executable code placed where users cannot write to can be executed.

      Use shadow copies and keep backups. The one that encrypted / decrypted on the fly to poison backups sounded particularly evil, however would have been defeated by AppLocker.

      1. ok i'll sign up

        Re: Straw poll...

        Unfortunately, whilst AppLocker may be the best defence on a budget that many people have, it isn't a complete solution.

        For example, you probably allow IE or Word to run; AppLocker doesn't monitor what those processes execute, and you are still at risk of this.

        The latest iteration of Craptolocker does make it difficult, databases can be tested if you have something like Veeam SureBackup, individual files is far harder.

      2. TheVogon

        Re: Straw poll...

        "Use shadow copies and keep backups"

        Even the early Cryptowall versions deleted all shadow copies and encrypted any backups they could get to...

    2. Anonymous Coward

      Re: Straw poll...

      Mitigation seems to be much easier than prevention at this stage: A decent backup strategy (that's tested on a regular basis) would go a long way against this kind of crap.

      1. Anonymous Coward

        Re: Straw poll...

        A decent backup strategy (that's tested on a regular basis)

        This… is what saved us last time CryptoWall struck.

        That, and the fact that CryptoWall decided to try for some very big and juicy virtual machine images, which bogged it down since it was doing the re-write over gigabit Ethernet shared with the entire office. So it was something of a monkey-trap, it had a fist-full of files that it would not let go of, but couldn't fit its laden fist through the hole to release itself.

        I think we lost about 6 files on the network drives, none of which were of any great importance.

      2. Groaning Ninny

        Re: Straw poll...

        But did you read the bit: "That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key."?

        The encryption happens under your nose, without you being aware of it for a number of months. You don't know about it because there's a decryption layer in place... until they decide to ask for the ransom.

        Even backups aren't going to save you now. Even if you have backups going back that many months, can you afford to lose all the work you've done since then?

        This is getting really ugly.

        1. Anonymous Coward

          Re: Straw poll...

          > But did you read the bit: "That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key."?

          > ...

          > This is getting really ugly.

          The really ugly bit is if (when) your anti-virus program gets an update, realises you are infected and removes the virus. Then you suddenly find there is no way to decrypt your data, and you don't even have the option of paying the ransom.

          1. Martin an gof Silver badge

            Re: Straw poll...

            The really ugly bit is if (when) your anti-virus program gets an update, realises you are infected and removes the virus. Then you suddenly find there is no way to decrypt your data, and you don't even have the option of paying the ransom.

            Interesting dilemma though, isn't it? There's a similar one regarding hostage takers. If the policy is never to give in to demands then inevitably that means there will be some casualties - hostages will be injured or killed - but equally if the hostage takers realise that they will never get paid, even if they prove willing to kill the hostages, does that make it less likely they (or others) will try again?

            The loss of data is similar. It's unlikely to be as bad publicity as a government refusing to pay up for its citizens, so if all anti-virus programs remove the ability to pay up, and the people behind the encrypting software realise they will never get paid, does that mean they'll stop doing it?

            Of course this will never work because there is always someone who will pay.

            Where's the IT equivalent of the SAS, parachuting in, in the dead of night to "take out" the hostage takers and recover the hostages?

            M.

    3. John H Woods Silver badge

      Re: Straw poll...

      I'm not sure I really know what I'm talking about here but how about "almost WORM" storage systems, where there is firm/hardware based version control and old versions can only be deleted when a hardware switch is engaged?

    4. Doctor Syntax Silver badge

      Re: Straw poll...

      Tackle it at OS level.

      Store data in a drive or partition only accessible to specific servers. Applications request read/write through these services, similar to a database engine. ID is extended to include application as well as user so the service can be set up to limit write access to the correct application & maybe grant read access to other specified applications e.g. you can only update your contacts via the contact app but your email client can ask for an email address.

      The server would need a mechanism for verifying the ID of the request and the application installation mechanism would have to be fairly closely guarded to ensure substitutions weren't made.

      One tricky aspect would be having storage that is out of bounds to the kernel - or maybe some sort of micro-kernel arrangement. I'm not sure Windows could manage this, but maybe OpenBSD could.

    5. theOtherJT Silver badge

      Re: Straw poll...

      All our user data is held on ZFS running on Linux or BSD machines, which are mounted as SAMBA shares on the windows boxen with GP to redirect every folder the user can write to onto the network drive. No access to any local filesystem is permitted.

      ZFS snapshots hourly, sends backups to the onsite backup (more ZFS) nightly, and the onsite backup backs up offsite weekly.

      Any user machine that is infected with anything is simply confiscated and an identical unit dropped in to replace it whilst it is DBAN'd and then re-installed by one of our hell-desk monkeys. During this process the user gets a strict telling off and isn't allowed to carry on working until they've reset every password we have under the watchful eye of one of our IT team.

      Obviously it's not perfect - users could manage to get files in their home directory encrypted and then that could make its way through the layers of backups before they noticed. On the other hand, there's a word for data like that: "WORN", so it probably won't matter.

      Mostly however we protect ourselves by running Linux on every desktop that doesn't _HAVE_ to run Windows for operational purposes. In a building with over 1000 machines in it, the asset DB tells me only 89 of them are Windows.
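An added example, not code from theOtherJT or anyone else in the thread: an hourly ZFS snapshot job with retention pruning and a nightly incremental send, along the lines of the hourly-snapshot / nightly-send layout described above, with retention sized for the months-long detection lag Groaning Ninny raises. The dataset `tank/home`, the backup target `backup:tank/home-backup` and the `zfs` CLI are assumptions; `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread or any poster: an hourly ZFS snapshot
# job with retention pruning and a nightly incremental send, along the lines
# of the layout theOtherJT describes. Assumptions (constructed): dataset
# "tank/home", backup target "backup:tank/home-backup", and the "zfs" CLI.
# DRY_RUN=1 (the default) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
DATASET="${DATASET:-tank/home}"
TARGET="${TARGET:-backup:tank/home-backup}"
PREFIX="hourly"
# Snapshots are read-only, so an infected client cannot rewrite them; what it
# can do is outlive them. Keep enough history to cover the detection lag the
# thread worries about (here: 90 days of hourly snapshots).
KEEP="${KEEP:-2160}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# snapshot_name DATASET STAMP -> tank/home@hourly-2015-11-06T14
snapshot_name() {
    printf '%s@%s-%s\n' "$1" "$PREFIX" "$2"
}

# prune_list KEEP: reads snapshot names on stdin (any order), prints the
# oldest ones beyond the retention count, i.e. the ones to destroy.
# The ISO-style stamp in the name makes a plain sort chronological.
prune_list() {
    sort | awk -v keep="$1" '
        { names[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print names[i] }'
}

take_snapshot() {
    run zfs snapshot "$(snapshot_name "$DATASET" "$(date -u +%Y-%m-%dT%H)")"
}

prune_snapshots() {
    zfs list -H -t snapshot -o name -d 1 "$DATASET" 2>/dev/null \
        | grep "@$PREFIX-" \
        | prune_list "$KEEP" \
        | while read -r snap; do run zfs destroy "$snap"; done
}

# send_incremental FROM TO: ship everything between two snapshots to the
# backup host; the receiver keeps its own snapshots, so a wiped or encrypted
# primary cannot reach back and destroy the offsite history.
send_incremental() {
    host="${TARGET%%:*}"; dest="${TARGET#*:}"
    run sh -c "zfs send -I '$1' '$2' | ssh '$host' zfs receive -u '$dest'"
}

case "${1:-}" in
    snapshot) take_snapshot ;;
    prune)    prune_snapshots ;;
    send)     send_incremental "$2" "$3" ;;
esac
```

Schedule `snapshot` and `prune` hourly and `send` nightly from cron; the pruning only ever removes the oldest snapshots beyond the retention window, never the most recent ones an attacker would most want gone.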


    6. Anonymous Coward

      Re: Straw poll...

      Put Windows in the bin where it belongs.

      1. Anonymous Coward

        Re: Straw poll...

        >Put Windows in the bin where it belongs.

        No, Windows is actually a decent host OS for VMs (for home use anyway), and for the widest selection of games they need that Windows bare metal. Try not to access the internet with Windows though, regardless. Solaris runs nicely under VirtualBox on Windows and it gives you a sweet unity mode for free for non-business use. That way you can run all your internet apps under Solaris right on your Windows desktop, and at least for me it had all the software I needed available.

  4. Mark 85

    $325M (US) in one year <low whistle>

    I realize that they have <ahem> expenses... but this is unbelievable. I almost would expect them to drop out of sight and go live on their ill-gotten gains.

    Ok.. expenses.. cops maybe? Influential country leaders? Bankers? Someone's handling the money at their end.

    Who would know...? Since TOR is involved, I'd suspect that NSA or one of the 5-Eyes would or could know but then they would lose a tool for their escapades in spying.

    Still.. that much money and they're still at it. They must have one hell of a retirement fund set up. And yes, if they're ever caught, hanging would be too good for them.

  5. Anonymous Coward

    Send the Scumbags to Siberia (without a coat)

    Oh wait.... Perhaps they are there already????

    1. Anonymous Coward

      @AC - Re: Send the Scumbags to Siberia (without a coat)

      You mean they are already in Siberia, or they are already without a coat?

  6. Vernon

    Perhaps it is state sponsored, hence the continuing attacks?

    1. Jim Cosser

      Unlikely to be state sponsored; generally they are after information and so are low and slow. The last thing a state-sponsored attacker would do is raise a flag.

      This is classic organised crime, lots of these gangs are moving from drugs into malware because of better margins and less chance of getting caught.

      1. GrumpyOldBloke

        States have all manner of objectives. Stuxnet was not about gaining information, it was about industrial espionage. The CIA has a long and poorly distinguished history of drug and gun smuggling to raise money for the gift of democracy and freedom. Iran-Contra or, more recently, Fast and Furious had objectives other than information. The 'intelligence' agencies supporting the 5-eyes shadow government monitor all internet traffic that passes through their domains, and the NSA has compromised TOR. Is it really conceivable that they cannot trace the traffic or, failing that, cannot offer a decryption service? It is far more probable that this is yet another black-ops money-raising exercise for people like ISIS R US than to believe that the combined resources of Western governments cannot hack a control server in plain sight on the internet and find the people behind the malware.

        1. Jim Cosser

          True, there are different motives, but the only motive here is money. Stuxnet isn't really comparable; it was also low and slow, trying to hide itself and the damage it was doing for as long as possible.

          It's a profit exercise. As another poster points out, sometimes to stop these kinds of things as a government you would need to show your hand in terms of tooling and control. It doesn't always mean they couldn't stop the attackers, just that it's a balance.

          It could be a government but I think it's way less likely than an organised crime group.

          1. g e

            Slush fund generator

            Would be an excellent way for a state attacker to generate unaccountable slush fund cash to fund other 'more traditional' activities below an auditing/accounting radar.
