Police anti-ransomware warning is hotlinked to 'ransomware.pdf'

Official anti-ransomware advice issued by UK police to businesses can only be read by clicking on a link titled "Ransomware" which leads directly to a file helpfully named "Ransomware.pdf". In case you've been living under a rock, large chunks of the digitised world, including most of the NHS, were, ahem, digitally disrupted by …


  1. FBee

    Did they BCC or CC?? If CC, then

    Reply All: TAKE ME OFF THIS LIST RANSOMWARE ATTACHED

    1. Aladdin Sane

      Ah, the NHS approach to DDoS.

  2. Captain Scarlet Silver badge
    Flame

    That email

    It's just lazy, I would view that as spam and do a StrongBad from HomeStarRunner.com and shout DELETED

  3. Dan 55 Silver badge

    a downloaded file might have a name or icon that makes it appear to be a document or media file (such as a PDF, MP3, or JPEG), when it is actually a malicious application. A malicious application disguised in this manner is known as a "Trojan".

    Lots of people argued when the first OS X public beta came out that filename extensions shouldn't be used (they never had been before OS X) because then OS X could have the same malware problems as Windows. Apple ignored them.

    1. Anonymous Coward
      Anonymous Coward

      If you don't use filename extensions, you need to use filesystem metadata (which are an issue to transfer across file systems not understanding them, or across network transmission), or specific extensions to the file format (i.e. the resource fork), but they can still be spoofed, and may require a file type registration somewhere.

      Maybe OS could become a little more clever and try to understand when "uncommon" (or better, common attempts to deceive users) are present. I.e. the .doc.exe or .pdf.exe extensions, and maybe adding an overlay icon to any executable file, regardless of the file icon. Not resolutive solutions, but better than blindly displaying everything...

      1. Doctor Syntax Silver badge

        "Maybe OS could become a little more clever"

        As in https://linux.die.net/man/1/file and https://linux.die.net/man/5/magic both of which are long time inhabitants of the Unix world.

        1. Anonymous Coward
          Anonymous Coward

          You need to manually run magic, it's a utility, not an OS feature - I would like an OS checking automatically if a file attempts to pretend to be something else - using the magic library, or something alike.

          1. Dan 55 Silver badge

            It's just a presentation/Finder problem. For files written by software, the file type could be stored with the file as an xattr. For mail attachments, the file type could be sent/received as a content type ignoring file extensions completely. If no file type is available (e.g. external drive/network) then magic could be automatically run when Finder first sees the file and the result saved as an xattr. If magic guessed wrong then the user can change it in Get Info.
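One way to do the content check discussed in this sub-thread (sniff the real type from leading bytes the way file(1)/magic(5) do, compare it with what the name claims, and flag the ".pdf.exe" double-extension trick), as an added Python example that is not from the thread or from any real tool; the signature table is a constructed subset of what libmagic knows, and the extension lists are assumptions:

```python
import os
from typing import Optional

# Leading-byte signatures, the idea behind magic(5). Constructed subset for this
# example; a real libmagic database is far larger and also checks non-zero offsets.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),                    # DOS/PE header: .exe, .dll, .scr all start here
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),            # also the container format of docx/xlsx/jar
]
# Extensions that legitimately carry the same bytes as the detected type (assumed).
ALIASES = {"jpeg": "jpg", "dll": "exe", "scr": "exe", "com": "exe",
           "docx": "zip", "xlsx": "zip", "jar": "zip"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "jpg", "jpeg", "gif", "png", "txt", "mp3"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}

def sniff_type(data: bytes) -> Optional[str]:
    """Guess the type from content, as file(1) would, or None if unknown."""
    for sig, ftype in MAGIC:
        if data.startswith(sig):
            return ftype
    return None

def claimed_type(name: str) -> Optional[str]:
    """Type implied by the outermost extension, normalised through ALIASES."""
    parts = os.path.basename(name).lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return None
    return ALIASES.get(parts[-1], parts[-1])

def has_deceptive_double_extension(name: str) -> bool:
    """'report.pdf.exe': document-looking inner extension, executable outer one.
    With known extensions hidden, Explorer displays this as 'report.pdf'."""
    parts = os.path.basename(name).lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS

def assess(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say and list findings."""
    detected, claimed = sniff_type(data), claimed_type(name)
    findings = []
    if has_deceptive_double_extension(name):
        findings.append("double extension hides an executable")
    if detected == "exe" and claimed != "exe":
        findings.append(f"executable content named as .{claimed or '(none)'}")
    elif detected and claimed and detected != claimed:
        findings.append(f"content is {detected}, name claims {claimed}")
    return {"detected": detected, "claimed": claimed,
            "verified": detected is not None and detected == claimed,
            "suspicious": bool(findings), "findings": findings}

if __name__ == "__main__":   # constructed header bytes, not real files
    for n, d in [("Ransomware.pdf", b"%PDF-1.4\n"), ("Ransomware.pdf.exe", b"MZ\x90"),
                 ("holiday.gif", b"MZ\x90"), ("model.stl", b"solid cube\n")]:
        print(n, assess(n, d))
```

A file whose bytes match no signature (the STL case) comes back with `verified` False but not `suspicious`, which is the honest answer when the type simply is not in the table.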

          2. Simon Harris

            "checking automatically if a file attempts to pretend to be something else"

            I do 3D modelling and use STL (stereolithography) files a lot. Windows seems convinced they should be certificate trust list files (and certificate doesn't even start with an S!).

    2. GlenP Silver badge

      I dislike having file extensions as the control given that a user today deleted several old .pdf files assuming they were documents when in fact they were Payroll Data Files*.

      It was probably time to test the backups anyway!

      *Quite why the payroll software uses this extension, and why they store user generated files in the same directory as the system data files is another matter.

      1. Doctor_Wibble
        Windows

        I can't remember the application name but on my Apricot the Printer Definition Files were quite important!

        Then again, deleting them was not so easy as it would mean finding the floppy disk, sticking a bit of tape over the notch, and then deleting them so although it could still be done, it would be harder to make it look like an accident.

  4. Anonymous Coward
    Anonymous Coward

    Could have been worse, could have been called "ransomware.pdf.exe"

    Are they really that incompetent? I suppose the PDF also tells you not to click links or open PDFs from unknown sources. Unless when you do open it then it comes up in big letters "You Stupid!" and explains why. That would be a good idea and is a good idea for anyone that wants to see if people in their own organisation would open files that they shouldn't. Set up logging to the file on the network to see who accesses it then disable their email and internet forever.

    1. Anonymous Noel Coward
      Black Helicopters

      Are they really that incompetent?

      It's the Police...

      1. eldakka
        Coat

        It's the Police...

        So it's a Sting?

    2. Just Enough

      And what's the betting that the PDF contained absolutely nothing that couldn't have been written in plain text in the email, just with pretty pictures and logos?

      My all-time greatest example of this stupidity was an email with an attached doc, that consisted of little except an embedded URL, which you clicked to reach a webpage that could have been an HTML email.

    3. macjules

      Are they really that incompetent?

      Yes, this is nothing.

    4. Mark 85
      Facepalm

      Are they really that incompetent?

      See icon... only response I can come up with... my flabber is gasted.

  5. Alister

    As you can see, we clicked the link – and after routing through some standard email marketing click tracker stuff, it hotlinks to a file titled "Ransomware.pdf". We chose not to let it open in our VM.

    And you didn't try the file link from a Mac or Linux box?

    For shame...

    1. Anonymous Coward
      Terminator

      Watching this whole WannaCrypt debacle, it's like being stuck in the bubonic plague epidemic in the Dark Ages armed with a supply of antibiotics. All the while the natives wilfully ignore the cure and keep trying the old ineffective remedies, such as rubbing chopped-up onions on the infections. But it's a bacterium you cry and there is a cure. Not so say the natives, it's the wrath of God because we've not been saying our prayers.

    2. Tomato Krill

      I didn't see any mention of the OS they were using?

      Or is this an extension of the "Macs don't get Trojans" thing?

  6. cbars Bronze badge

    That's shrewd!

    The police in the UK are playing a clever game:

    Step 1: Get journalists to install ransomware

    Step 2: Demand that any interesting targets (El Reg hacks who keep annoyingly revealing Gov's snoop fetish) reveal the passwords/encryption keys to the files they have in their possession

    Step 3: Lock 'em up

    That is how this works, right?

  7. wolfetone Silver badge

    You know, when I see the Police doing mad stupid shit like this, it makes me wonder how on the ball they are when they're spying on everyone's communications?

    Criminal: "You got any of that plastic stuff left over? Need it for a job tomorrow. It's a big one."

    Copper: "Plastic stuff? A job tomorrow? Probably construction. Nothing to worry about."

    ----

    Ordinary Joe: "Have you seen that big bomb in Aston mate? It's going to go off shortly?"

    Copper: "TERRORIST! TERRORIST!!!!!"

    1. katrinab Silver badge

      If you drive along a road at 21 mph, or steal something from a supermarket, they know how to deal with it. Anything more complicated, and they are completely out of their depth.

      1. Peter2 Silver badge

        Frankly, yes.

        But that's probably how it should be. Most people want a 999 call for somebody breaking in late at night answered by big burly chaps with lots of training in using handcuffs, a truncheon and little hesitation in using both rather than a nervous accountant/IT type. Not a new issue!

        Basically, to go with basic physical enforcement of the law the powers that be came to the conclusion in 1854 that they needed people with more subtle detective skills, hence CID. What we need now is a separate department to deal with IT issues, and drawing in people from the rank and file police is largely a waste of time.

        Simple solution, create a department called Crime (IT) and then just hire enough people who can do "magic bits" (like resolving IP addresses) and explaining bits to police officers who are happy with going out with handcuffs.

        1. tfewster
          Facepalm

          "like resolving IP addresses"

          with a GUI written in VB?

      2. Anonymous Coward
        Anonymous Coward

        Clueless Plods

        If you drive along a road at 21 mph

        They can't even get that right. The Plods routinely hand-hold their speed guns, thereby invalidating any readings. They also forget to calibrate them (has to be done daily to make their measurements valid) and when challenged to produce the Calibration Certificate bluster about it being "lost". If you get nicked by means of a speed gun, ALWAYS challenge it.

        The clueless Plods will always be forced to back down and in many cases have had to pay substantial damages to the persecuted motorists. My last settlement from Thames Valley Plod was £8250 plus expenses of £4728 (I had to fly in from Canada to defend the case).

        AC for obvious reasons!

    2. Lotaresco

      "You know, when I see the Police doing mad stupid shit like this, it makes me wonder how on the ball they are when they're spying on everyone's communications?"

      They are terrible at it, mostly because that's someone else's job.

  8. chivo243 Silver badge
    Trollface

    Why?

    You have a vm, just open the damn link and be ready to nuke your vm should anything interesting come of it?

    You have a pic, but what happened?

    1. eldakka

      Re: Why?

      There is VM-escape malware out there - i.e. Malware that can break out of a VM and infect the hypervisor and all VMs running under that hypervisor.

  9. rob_leady

    McAfee sent a very similar email out...

    Dear McAfee Customer,

    Be careful what you click on. This malware was distributed by phishing
    emails. You should only click on emails that you are sure came from a
    trusted source. <ul>Click here</ul> to learn more about phishing emails.

  10. adnim

    Mmmm

    "Always use caution when opening (such as by double-clicking) files that come from someone you do not know,..."

    My advice:

    Always delete emails without reading or opening attachments when they come from someone you don't know. Always treat with caution email attachments from those you do know.

    1. Martin Gregorie

      Re: Mmmm

      ..and make sure that mail preview windows are DISABLED - because they open attachments automatically.

      1. Anonymous Coward Silver badge
        WTF?

        Re: Mmmm

        "..and make sure that mail preview windows are DISABLED - because they open attachments automatically."

        I've never seen a preview window open any attachment automatically. Care to cite your source or name the software?

        Unless you're referring to displaying inline images, which is a different matter. Excepting rendering bugs, they are not executable or exploitable.

        1. CrazyOldCatMan Silver badge

          Re: Mmmm

          Unless you're referring to displaying inline images, which is a different matter

          And in most (certainly the competent ones) mail UI programmes, you have to explicitly allow remote images..

    2. wolfetone Silver badge

      Re: Mmmm

      "Always use caution when opening (such as by double-clicking) files"

      And what do you do if you have double click disabled?

      I don't think they've thought this through.

    3. veti Silver badge

      Re: Mmmm

      "Coming from someone you know" is a pretty low hurdle to clear. Was a useless rule for dealing with last week's attack.

      And seriously, preview panes opening attachments automatically? That hasn't happened in at least 10 years, probably longer. By default, most email clients don't even download linked web content such as images, much less execute anything.

  11. handleoclast
    Facepalm

    How things have changed

    The advice about e-mail safety these days is very different from what it used to be back when I first got on the net (dinosaurs still walked the earth in those days).

    In the early days of the intertoobz, people were told it was perfectly safe to open attachments that were images, it was only executables they had to worry about.

    It wasn't so long before that advice was rescinded, thanks to Microsoft "helpfully" hiding file extensions. So that "x.gif.exe" was described as "x.gif" (but had a strange icon). The advice became "make sure it's really an image before you open it."

    That was superseded by "Microsoft's buggy image-handling routines mean it's no longer safe to open image attachments even if they really are images."

    Then spammed malware became common so advice was amended to include not opening attachments from unknown sources.

    Then malware writers clued up and started going through the user's address books. So you'd get infected spam mail from people you knew. So only opening mail from known sources was no longer a defence.

    But things have changed:

    Always use caution when opening (such as by double-clicking) files that come from someone you do not know

    There ya go. This problem has been solved without me realizing it. Something (I don't know what) now makes it perfectly safe to open attachments from people you know. It's only attachments from people you don't know that are unsafe.

    Now I can open that mail from my mate Tom, the one titled "Look at these pics of what I got up to when I was drunk last Saturday." It's perfectly safe. It's not just El Reg telling me this, it's almost every news site on teh interwebz. New technology, released without announcement, now means it's perfectly safe to open attachments as long as they're from people you know.

    Before everyone downthumbs me, I did see the bit about "or if you were not expecting them." The thing is, I often get unexpected mail from friends because they're eager to tell me about something I didn't even know happened. Such mail may contain attachments. And if the text is brief enough and generic enough, it will seem genuine to a large proportion of people.

    So the real advice is "Don't open attachments. Ever." Oh, but there was that bug in some mail readers where merely opening the mail passed attachments through to rendering s/w so you could see a thumbnail of it, and the rendering s/w was flawed. So the real advice is "Don't read mail. Ever." Oh, but wasn't there a mail reader that would pre-generate the thumbnail before you opened the mail, and that had a flaw? So the real advice is "Don't fire up your mail reader. Ever."

    Ob Hill Street Blues

    1. Anonymous Coward
      Anonymous Coward

      Re: How things have changed

      Ah yes. The old file extension trick. The old ones are the best.

      Please forward this message on and all your dreams will come true plus you'll get a blowjob and save 5 puppies from being thrown in a burning oil drum in front of starving African children who will also get a meal and clean water if you forward this on.

    2. veti Silver badge

      Re: How things have changed

      The thing is, everyone knows this sort of advice doesn't really make anyone safer. It's just The Authorities covering their collective arse.

      This way, when someone gets hit, they can throw up their hands and say "We told them!" And that means it's officially Not Their Problem any more.

      If the gov't could designate someone whose problem it definitively is, then we might get something more useful. Until then, we're on our own.

    3. CrazyOldCatMan Silver badge

      Re: How things have changed

      In the early days of the intertoobz, people were told it was perfectly safe to open attachments

      In the old days, emails were 7-bit ASCII and you didn't have to worry about complicated stuff like attachments. Because they didn't really happen..

      Links to dodgy FTP or gopher sites.. well, yes. But they were generally of the "don't let your boss/SO/HR department see you open this" type of link..

      Ahhh. The old days were the oldest!

    4. adnim

      Re: How things have changed

      Plain text.

      I send email in plain text PGP signed. I read in plain text.

      All attachments are potentially unsafe and a plain text rendering of an email will indicate if any links contained within point to mycutekitty.org or iownyaass.com

  12. Anonymous Coward
    Linux

    We chose not to open the PDF file

    Have you tried booting from a Linux CD and then opening the file?

    --

    Microsoft, the company that made letters and numbers dangerous

    1. Paul Crawford Silver badge

      Re: We chose not to open the PDF file

      Have you tried booting from a Linux CD and then opening the file?

      Is the almost-right answer.

      Have you tried booting from a Linux CD, disconnecting the network, and then opening the file?

      See, better!

      1. eldakka

        Re: We chose not to open the PDF file

        Have you tried booting from a Linux CD, disconnecting the network, and then opening the file?

        Yes...but forgot to put it in the faraday cage.

        1. Paul Crawford Silver badge

          Re: We chose not to open the PDF file

          Yes...but forgot to put it in the faraday cage.

          Oh no, you don't put it in the Faraday cage, that is what your tin-foil hat is for!

          You do have one, don't you?

    2. Wensleydale Cheese
      Unhappy

      Re: We chose not to open the PDF file

      "Microsoft, the company that made letters and numbers dangerous"

      They also gave us widespread use of the Arial font by dint of defaulting to the first font alphabetically.

      It was a pleasant change from the previous choices of Times New Roman or Courier, but gave us a font in which capital I, lowercase L and the numeral 1 all look the same.

      1. veti Silver badge

        Re: We chose not to open the PDF file

        Objection! The numeral 1 in Arial is quite distinctive, nothing like the lowercase L or capital I.

        But Arial is also the venue of Microsoft's biggest crime against typography, and that is "zero thought put into kerning". Which means that in a lot of MS-derived software, it's impossible to tell the difference, visually, between 'd' and 'cl', or 'm' and 'rn'.

        1. Jonathan Richards 1
          Joke

          Re: We chose not to open the PDF file

          What is this keming of which you speak?

          1. Brenda McViking
            Go

            Re: We chose not to open the PDF file

            Kerning (and yes I saw what you did there) - there's an obligatory xkcd for that!

  13. tedleaf

    Oops

    DOH !!!
