Ransomware victims: Just pay up, grin, and bear it – says the FBI Firms that fall victim to infection from file encrypting ransomware should simply pay the ransom, Joseph Bonavolonta, an assistant special agent with the FBI, told delegates to Boston's Cyber Security Summit 2015, adding that developments such as CryptoWall are essentially unbreakable. “To be honest, we often advise people …
This post has been deleted by its author
I can name one excuse: The backup system was affected by the attack and thus all the backups were encrypted by the same ransomware as everything else. This happened to the Public Services department of the local junior college (where my dad's an instructor). They lost 30 years worth of data, but being an educational institution paying the ransom was not an option. The budget just wasn't there.
Now quite how the backup system was affected I have no clue. That's not my IT department. My IT department would have had a years worth of backup tapes in a fire safe and at least another seven years worth safely tucked away in a safe deposit box. I can only assume that either they used a tapeless backup solution or that the ransomware had been on the system longer than their tape rotation cycle before it was noticed.
This post has been deleted by its author
...of the encrypted data. Encryption breaking is a fast advancing technology...if "technology" is the correct term to use here...and a tool to decrypt the hostage data should materialize within a decade. I realize that this is a repulsive solution on many levels, but it's cheap and almost certain.
This post has been deleted by its author
Nobody is going to be much impressed if you offer to restore year old backups in a full recovery scenario
You misunderstand. We have this week's tapes in the drive, the previous weeks plus the first week of each month from the last year in the tape safe, and the first set from July for the last seven years plus the two weekly sets previous to last week in the safe deposit box. Our worst case scenario is two week's worth of lost data. And that scenario would require someone leaving the fireproof tape safe open (or dousing it with something that burns at 3000+ degrees) and the building burning down. Anything less dramatic than that and we can't lose more than a weeks worth.
The backup system was affected by the attack and thus all the backups were encrypted by the same ransomware as everything else.
Ok, but what the hell was holding the backups? I get that the article said ransomware is becoming increasingly sophisticated, but how sophisticated are we really talking about here?
My nightly backups go to a large ZFS array running on a BSD box. I'm reluctant to believe they're going to have any joy infecting that.
The weekly's go offsite to a huge disk repository running some kind of scale out filesystem on Linux (I'll be honest, they won't let me on site with them, so I don't really know what's in there) and from there the monthly's are laid down on 3 tapes which are stored in 3 different safe locations.
I'm fairly certain whatever this is isn't getting to any of that either.
The only way I can see this happening is if the "backup" is just a NTFS shared folder on an unloved and unpatched Windows box - which might be sufficient to protect a home user from the little things like "My hard disk failed" but isn't appropriate for a business situation, where valuable data is involved surely?
This post has been deleted by its author
Dead right!
Losing your data to some evil hound is bad, and you can probably think of hundreds of things you would like to do if you ever got to meet the bastard, but losing your data to a disk crash is something most of us have experienced and should now be prepared for.
It amounts to the same thing — you laugh all the way to your backup.
What’s needed, however, is for the operating system to make frequent backups simple and automatic. Time Machine on the Mac, and whatever else is available on Windows should be a bare minimum.
@AC - "The price you pay for not having back-ups, I guess. Just be glad you're able to get your data back."
That assumes that paying the ransom *will* actually get your data back. There's nothing stopping the perpetrators from simply pocketing the money and going silent. It's amazing the amount of trust people place in faceless, ruthless, criminals who have no incentive to actually do what they are claiming to. Considering some organisations can barely afford to pay the ransom, paying the ransom without any confidence that you will get your data decrypted really is taking a risk.
Especially as a smart criminal could simply give the decryption key, while remaining present on the network and re-encrypting the data again (perhaps they already have), for another payout in a year's time. Before you know it there's an unhealthy protection racket going. I'm betting that a small organisation that gets badly hit by a ransomware attack would doubtful be completely secured after the cleanup, which probably wouldn't completely cleanup the mess, the best targets are the ones who you've already hit.
<evil thought>The best time to hit an organisation with a ransomware attack would be just as they are rebuilding the network and storage following a previous ransomware attack, then you can be sure that all data is within the reach of the attack. You probably wouldn't even have to leave the network, just stay low in a rootkit somewhere on a network device, biding your time.</evil thought>
That assumes that paying the ransom *will* actually get your data back. There's nothing stopping the perpetrators from simply pocketing the money and going silent. It's amazing the amount of trust people place in faceless, ruthless, criminals who have no incentive to actually do what they are claiming to.
Apart from good old customer service.
If these criminals took the money and failed to deliver the hostage data back, then no subsequent victim is going to pay them knowing they will get nothing for the money.
@wierdsmith - "If these criminals took the money and failed to deliver the hostage data back, then no subsequent victim is going to pay them knowing they will get nothing for the money."
Except that people don't like to state that they paid ransoms and thus wouldn't like to admit they paid a ransom that didn't work.
It would seem that there are some stories of ransomware ransoms not resulting in decryptions. An indication - https://blog.kaspersky.com/cryptolocker-is-bad-news/3122/ "It comes as no surprise that a few infected users that paid the ransom are saying that they never received the decryption key in return"
Because many groups use ransomware, one could make a lot of money without having to give out decryption keys, as somany will payout in desperation in case they are held by a group that does decrypt. It is still a case of putting a lot of trust into a group that doesn't deserve it.
This post has been deleted by its author
@1980s_coder - "No, because in this case once the data has been de-crypted, you should do a fresh, full backup of everything, (just as you should have done before for forensics), re-install OS and applications from read-only media, or digitally signed sources, and finally manually restore your configuration files and user data, after looking through them to be sure that they are safe and uncompromised."
You misunderstand me. Yes, one *should* do as you stated, but considering many companies have gotten into this situation and didn't had good backups, what are the chances they don't do anything or everything that you list? Just look at some of the examples above.
Many small organisations barely had the money to pay the ransom, I'm betting they had terrible sysadministration before, that got them into the mess and they wont have the resources or nous to properly prevent the situation afterwards.
Most organisations that do as you state proably wouldn't have gotten a ransomware problem in the first place (because they had good security, long term offline backups, etc). I'm betting most organisations that do get ransomware infections they can't clear up without paying ransoms are still good targets after they have had to pay the ransom. Just cows to be milked.
And ensure the malware that got you in the first place is now part of your recovery process?
Yeah, I know you mean after you've cleaned up the system, but how can you be sure you did that successfully? Sure you can build all the new systems from scratch, but at some point you have to get he data from the infected system to the clean one.
Yes a merely competent sys admin should be able to recover you from a ransomware threat just by going to the backups. I'm just not convinced that even an excellent sysadmin can get you a clean system after a bad one has been compromised.
This post has been deleted by its author
It's easy to be glib and just tell people to back their stuff up, but with the increasing sophistication of these programs, quick restores may not fully address the problem. Some of the slow-encrypting variants that make a mess of your files *over time* defy the "we'll just restore from yesterday's backup" answer. If the crook is patient and careful enough to stay under the radar for some period of time, good luck figuring out your good restore points - and for what files. It's not that it can't be done, but it's going to be one hell of a research project to get your files back - assuming your backups go back far enough.
Don't underestimate the ability of these guys to make a huge mess of your tidy little IT environment. If you don't have canary files hanging around with really solid alerting, and good endpoint detection tools (and NO, AV doesn't quality) then you'd better pray you don't get targeted by a patient adversary.
This post has been deleted by its author
Yes but that is exactly the problem : many computer users are new to the environment and have barely enough knowledge of IT to do their work correctly, let alone prepare and execute contingency plans for things they have never even heard of.
Computers are a great tool, but they are also a world of risk that few users are even aware of. People who just work with them don't even know what they risk until it happens - and most of them don't even bother with the backups people who do know keep telling them about.
I think most people view computers like their car : bring it to the garage when it breaks. Only then do they learn that, unlike a car, repairing can well mean losing everything they stored in it.
This post has been deleted by its author
There are legitimate versions, businesses that do disk recovery for busted raid sets, or HDDs for people that have had problems that required backups and discovered them to be not what they'd hoped...
(a backup strategy is not up to much if it isn't regularly tested).
These data recovery companies don't charge a normal hourly rate consistent with other expertise in the business. They charge 10s of thousands for a days work because they can and because the loss of that data will cost the business far more.
"Have backups" Yes, always a good idea.
But this crap of blaming the victim as if thievery was the norm and just trying to go about your business is a target on your back when the bad guys come calling? Gimme a break.
<rage level="nuclear">A proper solution is to track down the human garbage that does this and take them out.</rage>. Err, A proper solution is to track them down, give them a fair trial, and then hang them.
While the major blame always falls on the criminal, sometimes it IS appropriate to blame the victim. If you know you have to walk through the seedy part of town, you don't dress up in your best tux and adorn yourself with diamond studded gold cuff links/finest silk evening gown and best pearl necklace.
The thing is, in physical space you get that separation between the good part of town and the seedy part. With the internet, it all comes right to your doorstep including the worst drug dens of seediest part of the seediest town on the planet. If you aren't willing to deal with that reality, get off the internet.
This post has been deleted by its author
am glad the FBI doesn't write the script on what to do when a PERSON is held hostage for ransom. Thankfully people aren't as important as a business' data.
I wonder if there's a training class where they teach federal agency employees how to use both sides of their mouth when speaking.
The sad story is that many times the crims are Johnny Law. Whether it be the CIA smuggling drugs to fund weapons or fast and furious smuggling weapons to fund drugs or those amazing ransom ware authors whose activities fall smack bang in the middle of the oft stated purpose of the nsa/gchq/asio et all and yet nothing can be done. With Russia having blown up many US proxy assets in the Mid East we can expect these ransom ware scams to increase. Distopia on a regional scale doesn't come cheap.
> With Russia having blown up many US proxy assets in the Mid East
Keep thinking it was anything the Russians did and not general US government policy incompetence. They would want that. The Russians are betting the farm in Syria precisely because they have even less influence in the Middle East now than even the US.
ISUS R US were advancing prior to the Russian bombing, now they are not. While the Russians' are definitely trying to get back to the position they had in the ME prior to the wars against Iraq and are protecting their bases in Syria I don't think you can chalk this up to US incompetence. The US were dressing mercenaries as freedom fighters and pretending they were supporting the good guys in a civil war (friendly organs of their enemies eating moderate terrorists) - it had worked before. Their bluff has been called and they are back to a slow expensive cold war against Russia possibly aided by China. Only this time it is the US and NATO economies in ruins plus NATO members under pressure from sanctions and refugees from all the other 'civil wars'. We will have to see if Russia has the manufacturing strength and the cyber security to push back against the warlords in Washington, London and Tel Aviv. Putin with his ~90% approval rating can take his country with him. Our side - I am not so sure.
>Only this time it is the US and NATO economies in ruins
As compared to Russia or even China's economy? US economy is fine. As far as push comes to shove the US is not doing shit (other than lame covert symbolic stuff) in Syria as long as they don't mess with the US homeland. Obama talks a good game but he knows Assad and Russia winning is not even close to the worst option.
this advice looks incomplete.
If you 'just' pay the ransom I guarantee you'll be flagged as a soft target and it will happen again sooner rather than later. For most people and organisations that aren't high profile security is about being more diligent than the mass of other potential targets out there.
If you're secure enough not to get hit or get hit but can detect early, segregate data and restore from good backups then you're unlikely to be specially targeted again in the short term. Any organisation, small or large, that gets hit, quietly pays up and considers that that's the end of the matter will definitely find a different but eerily similar looking set of Danes on their doorstep again soon.
If you get hit and have no alternative to paying then pay but for God's sake put some money and time into planning the layered defences you should have had in place beforehand. If you consider that you can't afford that because you just spent the money on a ransom then your judgement is probably not good enough to run a business that anyone should deal with.
Hey FBI wankers! Why don't you and the rest of the anti-privacy gang divert some of the resources you're using to break encryption, HTTPS, and TOR to this problem? You've got billions budgeted to rape away our Constitutional protections, but can't spare a few processor cycles to break Ransomware for the public benefit? Instead you shake your head sorrowfully and say "just pay up"?!?! Do you puling bastards do ANYTHING for the citizen anymore, or are you simply the New Stasi?
Bazdmeg az anyad kurvapicsajat, lo fasz a seggedbe! (grrrr...)
Apparently backup procedures need a validation component. This is probably application-specific, but certainly practical in most cases, isn't it? Can a backup region be seeded with validation markers that would be corrupted by rogue encryption that the ransomware cannot detect?
So let me get this straight. Companies produce bad software that is vulnerable to online attacks, and that often gives the attackers root access to the OS.
Then they put this software on line so it can be attacked and often give root access to the attackers.
Then when users of this software are attacked and bad things happen, they demand action from government to stop the attacks, while ignoring the fact that they would be secure if
1. The software wasn't crap.
2. The software wasn't on line.
3. They were too stupid to realize 1 and 2.
Hold software developers responsible for their failures and software will become secure overnight.
needed
Hold software sellers and their executives responsible for their failures and software will become secure overnight.
There, because as we've found out with VW, its all too easy to blame the guys on the shop floor when in reality, its board level decisions cocking everything up
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
