Price of an education...
...for those without working, protected backup copies I guess.
It's not your job to defend the world against criminals, so the decision to pay a ransomware demand is all about business. The likes of FBI Cyber Division deputy chief James C. Trainor disagree. The Bureau recently advised organisations not to pay lest they "embolden" criminals and encourage others to start using …
A backup containing encrypted files is not particularly useful you know.
You have to have layered "defence in depth" backup going back weeks if not months to deal with this. That is generally not available for an end-user PC in _ANY_ company. It is done only for servers.
And how much do you trust that you won't get hit again with ransomware? Any time I run across a PC with a nasty on it, I assume that no matter what I do there's a chance some back door or other nasty will be left on the machine, and I wind up wiping it anyway. Yes, it may take a while to get the data back, and yes, the luser will be stuck reinstalling all their programs, but if I reimage the system at least I don't have to worry about missing a back door. And I keep months of images around, so an unencrypted version of the data should be available.
@nerdbert: Nuke and pave. Format, scram disk, reinstall.
If you're especially paranoid put in a fresh HDD/SSD, take the old one out and put a 1/4" drill bit through it a few times, douse it in petrol and set light to it, once out and cool beat repeatedly with a hammer then encase the remains in concrete and bury in an old mine shaft.
You could always run it through a degausser instead but it's not nearly as much fun...
Absolute nonsense. If My Documents and Desktop are redirected on desktop PCs, and laptops have their documents sync'd, then the server backup will capture user data too. Server backups in every place I've worked are done daily, sometimes hourly, with a backup run off to tape every two weeks or monthly and stored in a fire safe. I was doing this in the 90s for a small company of 5 people; our CAD drawings were our business.
It's not a case of it can't be done. If you run a business which relies upon accurate data which you can restore upon equipment failure or malware, then it's simply common sense and surprisingly cheap to do. Hell, at home I use Crashplan, Google Drive etc. to ensure I have multiple copies going back YEARS.
Yes it's best to prevent infection but any competent professional will plan for when they can't.
Not even just the pros. That folder of family photos needs to be kept backed up, safe.
Yet we still hear of distraught people who have lost all their precious piccies because they lost their mobile phone, let alone a HDD. This is 2016 and too many of us, individuals and businesses, still trust to luck that our data will still be available where we left it.
"You have to have layered "defence in depth" backup going back weeks if not months to deal with this. That is generally not available for an end-user PC in _ANY_ company. It is done only for servers."
I don't recall seeing that bit in your original post...
OS vendors could nip a lot of this in the bud and avoid having to educate people about backups by shipping their OSes with a default filesystem that supports snapshots. This isn't bleeding edge technology anymore, it has been around for several decades.
You mean like OS X and Time Machine? The feature that has been baked into the OS since October 2007.
Oh, I forgot, Register types only consider windows and linux to be acceptable "grown up" OSes, and so they are crying over their overwritten backups as we speak.
In Italy, to put a stop to kidnappings (very frequent in the '70s-'80s - remember John Paul Getty III?), a law was passed to hinder families from paying ransoms. A very hard strategy, true, but it paid off. There are no more kidnappings. With the State itself hindering payments (up to blocking the money), threats to families became useless.
(The State itself, though, pays off terrorists for hostages abroad for electoral reasons - and the result is that they are valuable prey for those looking for cash.)
It is true that kidnappers will not, most of the time, risk a homicide if they can't get a ransom (if they are "professional", to avoid a harsher incrimination), while ransomware criminals have no reason to give back your data if they can't get money.
To be fair, there is an economic argument for paying a ransom to get your data back. The moral argument is secondary.
There's no economic argument for paying a kidnapper's ransom: even if you don't want the minor inconvenience of having to recreate your genetic progeny there are plenty of second-hand kids available and you may even be paid to take them. There may be a moral argument - guess it depends on the child...
> nor the family tech geek responsible for storing that sad lone copy of family photos
You may as well treat a ransomware infection as if it were a catastrophic hard drive failure. You have a 2-3% probability per year of that happening in the early life of the hard drive anyway. If you're not prepared for such a failure, well, clearly you were happy to accept the consequences.
Ransomware can also permeate into backup media
True, but keeping an eye on the backup process can help detect large deltas.
The way I do backups has been the same for many years:
If something were to start encrypting files en masse, I would see it pretty soon, either in the rsync summary (being longer/larger than usual) or in the size of the increment as stored on the disk---after the backup, I calculate the delta size by counting files that only have a single hard link; these must be the changed files. Because hard-linking takes up relatively little space, I maintain these "snapshots" going back for quite a long time and only delete them manually, so that gives me a second chance to notice any damage and to roll back when it does happen.
I also use a hand-rolled file integrity system based on the same idea as the "shatag" tool. I will periodically update SHA256 hashes for all files and store them in the file system as extended attributes. I also collate these hashes across all machines and use the metadata to enforce a replication policy across multiple machines (or at least to verify that it's working). I've also got a separate scheme (using erasure codes to give a high level of redundancy with modest overheads) for cold/archival data.
One other thing I've toyed with is using the LVM snapshot facility. It could replace the hard-linking scheme I use to some degree. In this case, larger-than-expected deltas would overflow the copy-on-write buffer, alerting me to something strange/unusual via a message about a failed backup. I prefer the hard-linking scheme, though, since it's more permanent and gives better historical integrity. LVM's snapshot facility is perfect for backing up volumes with databases on them, though, since you get an atomic backup without needing to lock the database first.
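The delta check this post describes (and the "keep an eye on the backup process" point a few posts up) in runnable form, as an added example and not the poster's own scripts: the Python below emulates `rsync -a --link-dest=<previous>` with `os.link`, then sizes each snapshot's increment by counting regular files whose `st_nlink` is 1, exactly the heuristic above. The sample "photos", the one-day-later edit, the simulated mass encryption and the 50% changed-files alarm threshold are all constructed for the demo; the only real assumption is a filesystem with POSIX hard-link semantics.

```python
"""Hard-link snapshot backups with a changed-delta alarm.

Constructed demo: 20 fake photos, one legitimate edit, then a simulated
ransomware run that rewrites every file. Everything lives in a temp dir.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def make_snapshot(source: Path, snapshots: Path, name: str,
                  prev: Optional[str] = None) -> Path:
    """Emulate `rsync -a --link-dest=<prev>`: a file whose content is unchanged
    since the previous snapshot becomes a hard link to that snapshot's copy;
    anything new or modified is copied and therefore gets a fresh inode."""
    snap = snapshots / name
    for path in source.rglob("*"):
        rel = path.relative_to(source)
        dest = snap / rel
        if path.is_dir():
            dest.mkdir(parents=True, exist_ok=True)
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        old = snapshots / prev / rel if prev else None
        if old is not None and old.is_file() and old.read_bytes() == path.read_bytes():
            os.link(old, dest)        # shares the inode; its nlink goes up
        else:
            shutil.copy2(path, dest)  # new inode with nlink == 1
    return snap


def snapshot_delta(snap: Path) -> tuple:
    """Size the increment as the post does: a regular file with st_nlink == 1
    is shared with no other snapshot, so it must be new or changed.
    Returns (changed_bytes, changed_files, total_files)."""
    changed_bytes = changed = total = 0
    for path in snap.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        total += 1
        if st.st_nlink == 1:
            changed += 1
            changed_bytes += st.st_size
    return changed_bytes, changed, total


def looks_like_mass_encryption(delta: tuple, max_fraction: float = 0.5) -> bool:
    """Alarm rule (an assumption; tune it per dataset): a backup in which more
    than half the files are fresh inodes is not a normal day's editing."""
    _, changed, total = delta
    return total > 0 and changed / total > max_fraction


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        src, snaps = Path(tmp) / "home", Path(tmp) / "snapshots"
        src.mkdir()
        snaps.mkdir()
        for i in range(20):                                 # constructed data
            (src / f"photo{i:02d}.jpg").write_bytes(bytes([i]) * 1024)
        make_snapshot(src, snaps, "day1")

        (src / "photo03.jpg").write_bytes(b"edited" * 100)  # one genuine edit
        day2 = snapshot_delta(make_snapshot(src, snaps, "day2", prev="day1"))

        for p in list(src.iterdir()):                       # simulated ransomware
            p.with_name(p.name + ".locked").write_bytes(os.urandom(1024))
            p.unlink()
        day3 = snapshot_delta(make_snapshot(src, snaps, "day3", prev="day2"))

        # Earlier snapshots are never rewritten in place, so day2 still holds
        # every clean file and is the roll-back point.
        clean_survivors = sum(1 for f in (snaps / "day2").iterdir()
                              if f.suffix == ".jpg")
        return {"day2": day2, "day3": day3,
                "day2_alert": looks_like_mass_encryption(day2),
                "day3_alert": looks_like_mass_encryption(day3),
                "clean_survivors": clean_survivors}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The day-2 increment is one file of 600 bytes; the day-3 increment is all 20 files, which trips the alarm, while the day-2 tree still contains 20 untouched `.jpg` copies. The same count of single-link files works unchanged on a real `rsync --link-dest` tree, since rsync produces the same inode sharing this function emulates.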
Your process is admirable, but not in the realm of technical capability of Aunt Kath. Remember the comment thread you are replying to basically says that about 3% of disks will fail without any malicious ransomware, so it is hard to have sympathy for those without backups. That's why I think of who the victims are. The average El Reg commentard is too super DevOps skilled to fall for the phishing schemes that deploy this ransomware. But our Aunt Kath will go right ahead. So the people most at risk of infection would have no clue what rsync or hard links mean and the concept of incremental backups isn't even on their radar.
There is so much CRAP backup software out there, that Aunt Kath will be very lucky to avoid paying.
Let's assume that she uses Windows. Virtually none offer a bare-metal system backup, so we also assume she is backing up only her treasured photos.
Most simply synchronize a copy of whatever is current to the cloud; there are not a lot that provide previous versions, if they are indeed actually working (not at all helpful because the photos are now encrypted!).
So even if Aunt Kath tried to do the right thing, the market will mean that she has probably failed.
The law and the police aren't something outside of society (or at least they shouldn't be). They are just some specialists that we as a country are employing to help us in achieving our ideal of how society should work. The job of creating that society in the image that we want is ours.
You wouldn't, I hope, ignore a shoplifter or walk past some teenagers mugging an old lady. How is this different?
I've upvoted you for the sentiment, but you asked "how is this different"?
If I saw someone breaking into a car and stealing a hard-drive or a camera, I wouldn't ignore that, of course. As you say it is our duty to intervene.
But if someone stole a hard-drive containing my family photographs, or the only copy of (encrypted) customer data, or unencrypted sensitive information, or a camera whose card contains the only copy of someone's wedding photographs, I would pay the thief to get it back.
What's the difference? One is a crime in progress, the other is mitigating the damage from a crime which has already occurred. They are different.
You're right it is different and I've probably been a bit lazy with my analogy. But there are two crimes; one is encrypting your hard drive and the other is extortion. The latter is still in progress at the point you're deciding to pay the ransom.
Fun fact. If you suspect that the ransomware group may be funding terrorists and you pay them anyway then you are a criminal too.
If I'm mugged at gunpoint, that's a crime in progress, but I'll be handing over my wallet all the same. If a child is kidnapped in practice you find that often people do what the criminals want first, then go to the police only afterwards.
Comparing on the one hand, paying an extortionist to retrieve irreplaceable property, and on the other, being too idle to shout "Oi!" at a casual thief, is just silly. They are different.
For you to become a criminal would require a jury to find you guilty.
I would say that if you commit a crime, you're a criminal. If you haven't been found guilty then (quite rightly) the criminal justice system will treat you as innocent, no newspaper would be allowed to call you a criminal, etc, etc. But without wanting to get in to too much of a philosophical discussion of Objectivism, there is such a thing as reality. It may be the case that what matters for the question of whether you should be treated as a criminal is whether you have been found guilty. But for the question of whether you are a criminal, all that matters is whether you committed the crime.
"What's the difference? One is a crime in progress, the other is mitigating the damage from a crime which has already occurred. They are different."
No. The second is actually adding another crime to one that has already occurred. First you have the crime of theft, and then you have the crime of extortion that is still underway at the point you hand the money over. So they are both ongoing, and not as different as you suggest.
Why pay the person holding your belongings to ransom?
Why trust them twice over? The first time with what they now have, the second time with what you are now giving them?
If you start paying shoplifters to take items from your store and return them... is it not a rod for your own back?
Most of the victims are not IT savvy; you can't blame people for that.
The ransomware plague has made me change my backup plans, especially as malware now deals with networked drives etc.
So I now have 3 backups. The cost of a 3TB drive is small enough to justify it, and my songs, pics and docs, which I have collected since I was using my Amiga, are more precious to me than a 90 quid hard drive.
People need educating, not berating for not being IT savvy. Remember, some of these non IT people are surgeons, solicitors, scientists. Not understanding malware does not automatically mean they are not intelligent.
Sadly most people, including some IT-literate sorts, simply have no plan for data loss. It could be a HDD failure, some "gross administrative error" formatting something, a laptop being stolen, or a cryptolocker attack. Sooner or later it happens (couple of % per year for HDD, no idea how common cryptolocker is in comparison) and only then do most folk do anything about it.
When it's too late.
is stupid.
I own a circular saw I bought for one job. I pretty much could guess how it worked, but after revving it up and realizing I could take my leg off with this thing, I did half an hour of safety research before embarking on the single 15 second job it ever did.
Problem is that computers are sold as "being easy" with vendors of all ilk going out of their way to tell you all the wonderful things you can do (/expose/lose if it goes wrong).
If somebody breaks into your house and steals your TV (does anybody do this any more..anyway..) - The police would be expected to come round, dust for prints, and make a vague attempt to recover your TV.
Can you imagine walking into your Police station with an encrypted laptop and asking them for help?
No, they need berating and shaming for being too LAZY to learn even the BASICS of IT. It's 2016 - time to stop catering to the intellectually lazy.
If someone refused to learn anything else needed to live in today's world, people would call them crazy, etc. But if it's tech related--in today's COMPLETELY tech dependent world--OH NO, it's okay if you're intellectually lazy... someone will wipe your arse for you every time.
Time for people to either put out the effort to learn technology, or STOP using it (and screwing it up for the rest of us) entirely!
Paying up means potentially getting items decrypted, it can also mean getting nothing back or getting partial data back - which is arguably far worse than accepting some data loss and restoring from a known good backup source.
And nobody ever considers data theft and tampering. So you get "your" "data" back, but never consider if the crooks tampered with your payroll records and updated the bank account numbers with their own? Come payday, you pay them a second time.
What if the highly confidential documents you had were stolen? You wouldn't want your competition to go over them, would you? So you pay them again. Do you trust them enough that they never showed the documents to anyone?
"What if the highly confidential documents you had were stolen? You wouldn't want your competition to go over them, would you? So you pay them again. Do you trust them enough that they never showed the documents to anyone?"
The malware artists won't have taken your documents away -- just encrypted them in situ so that you can't access them. What you get (if you're lucky) when you pay the "ransom" is not a clear copy of the documents, it's a key you can use to decrypt the copies that are still on your PC.
Methinks a hacker who wanted to alter your payroll data or steal your documents for blackmail purposes wouldn't draw attention to his visit by leaving ransomware as a calling card.
"To this end the FBI and others would be better saving their breath and offering advice about how victims can identify and then decrypt their ransomware infections, rather than delivering sermons from an ivory tower"
However although "breaking criminal business models is not, however, the job of the system administrator" it is the FBI's job so the best thing they could do is get on with it.
"There is considerable risk here and all payments should be made with the expectation that crims will take the money and run."
Surely if the expectation is the scammers will take the money and run you shouldn't pay?
If you don't think you'll get the data back in any event then write it off as lost, and don't give your money away for no benefit.