Skip to main content

The rise of ransomware and the devil that is Cryptolocker

Over time, with advancements in anti-virus and anti-spyware, the ne'er do wells would eventually evolve. Their cunning and understanding of human behaviour has resulted in the devil that is ransomware. An innocent email from Australia Post arrives or a letter from the Australian Federal Police turns up in your inbox - most people are curious, even excited by an unexpected package, or concerned about a letter from the AFP and so they click the link. Boom! All their data starts to be infected - encrypted with heavy encryption and a lovely letter to say pay us or never get your stuff back.

We've seen it live and in the field on at least 5 occasions and had one or two clients actually pay the ransom - buying their Bitcoins and getting their decryption key back. Sadly, we've had people try this only to find out the website they need to talk to has been closed down by the authorities and their data irretrievably lost - until we restore it from backups that is... but sometimes even this doesn't work if people haven't moved data to the servers for backup. It's not good.

It seems like it was inevitable that a new mode of making money from people would have to emerge. Stealing credit card details and personal information - while profitable - is also fraught with danger of being identified when you try to use them. An anonymous ransom - helpfully supported by an anonymous currency - means a relatively straightforward exchange - a key for your own data back. It's kind of elegant in a way. This doesn't mean I don't think these people should be prosecuted - I've seen and experienced the stress and pain of business owners as their data becomes inaccessible and I'd love to pass that back to the perpetrators.

There are ways and means of protecting yourself from this, but it comes down to being systematic about it - just like these thieving bastards have been. Consider your vectors of risk:

  • external influences
    • email
    • websites
  • physical influences
    • users
    • dodgy USB keys
  • active attacks
    • hack attempts
    • social engineering
There could be more.

Defending against these requires defence in depth. Some of these things are passive - they do the job all the time, with managed updates and some are active - people actually need to think about what's happening. Here are a few examples:-
  • email scanning (externally if possible)
  • strong firewall
  • internet scanning (if possible)
  • anti-virus and anti-spyware on the machines
  • Chrome instead of good old IE (or awful Edge)
  • user education - the single best form of protection and typically the one with the least amount of time and resources put into it. Honestly, it makes me experience sadness that people aren't trying to get their staff skilled up a bit on the computer. It doesn't take all that much!
  • backups
  • backups of backups offsite
  • restorable backups
Of course, this kind of systematic approach doesn't just cover the awfulness of ransomware, but could be helpful against many other risks - attacks, environmental (fire / flood / famine / Justin Bieber), malicious employee activity (still identified as the Number #1 risk by many security dudes) and other "out of the box" issues.

I haven't mentioned patching or updating your system although I know this is critical. Updates are a beast of a thing, and anyone caught with a SharePoint update that means a database rebuild will feel where I'm coming from with this - security updates can cause more pain than if the damn thing was hacked or compromised in some way. Understanding the impact of an update on key infrastructure is very important and it isn't a passive security mechanism like some of the other things I've mentioned.

Reporting is also a tricky thing - yes it's great to have all this stuff going on, but who wants to plough through 20 or 30 system generated emails in a morning? I have for the last 12 years and it's bollocks. I don't care for it at all, and to be honest - it becomes so rote and routine that I miss things (sometimes very important things) because I'm just skimming. I urge you to consider some sort of consolidation report or webpage with information colour coded according to rules so that things going wrong are immediately obvious. We only have a limited attention time (and I think I've written about this elsewhere) and so we need to make sure that time is being carefully put to use and not wasted on stuff that's all OK and we don't care about. Likewise, with Nagios or other monitoring software I'm using, the thresholds for things going wrong is quite high - i.e. tell me when something is really going to be in trouble, not that it's just experiencing some sadness now. 

This post has diverged somewhat from cryptolocker, but the principles in keeping that piece of garbage out of your network are similar across a wide range of threats. 

Comments

Popular posts from this blog

Windows 10 Enterprise Eval - gotchas

After an annoying turn of events where my Windows 10 Enterprise USB drive failed, attempts to install Win10 onto a computer failed miserably. I turned to the net and managed to get my hands on Microsoft's Windows 10 Enterprise Evaluation. I have an enterprise key so I thought - cool! Here's the opportunity to get it going and to then upgrade the license later. Full install, patched etc and all is swell. Except when I try to upgrade. I straight up tried changing the licence key only to get a variety of errors, most of which are pertaining to the activation system being unavailable. The I try this: https://winaero.com/blog/upgrade-windows-10-evaluation-to-full-version-easily/ but it doesn't work either. Next I'll try this: h ttp://www.edugeek.net/forums/windows-10/174594-upgrading-windows-10-enterprise-90-evaluation-full.html And if all else fails, in goes the bootable USB I've now created. If only I'd had this in the first instance I would not be writing t

Plone - the open source Content Management System - a review

One of my clients, a non-profit, has a lot of files on it's clients. They need a way to digitally store these files, securely and with availability for certain people. They also need these files to expire and be deleted after a given length of time - usually about 7 years. These were the parameters I was given to search for a Document Management System (DMS) or more commonly a Content Management System (CMS). There are quite a lot of them, but most are designed for front facing information delivery - that is, to write something, put it up for review, have it reviewed and then published. We do not want this data published ever - and some CMS's make that a bit tricky to manage. So at the end of the day, I looked into several CMS systems that looked like they could be useful. The first one to be reviewed was OpenKM ( www.openkm.com ). It looked OK, was open source which is preferable and seemed to have solid security and publishing options. Backing up the database and upgradin

Fixing a black screen after doing a Kali Linux update

Kali Linux is a rolling Linux distribution designed for security and penetration work. You can find details on it here: www.kali.org . We run this excellent product for a range of different security work and it's been great. I built the image in VMplayer, then shared it to the team and we've all been at it since. A recent update broke it though - black screen, no network and completely unresponsive. There are lots of posts about similar things - mostly to do with graphics adaptors, however, we found that executing the following at a root prompt fixed it. But how to get to the root prompt from a blank screen? Linux has a number of terminals available to the user - most of us use the graphical one to do our day to day, but you can access a command line prompt without much trouble. Simply hold CTRL-ALT and then F2 or F3 down at the same time and it drops you to a command line login. BOOM. Time to fix it up. For me, and for the other fellas in the team, all it too was to