back to article When you've paid the ransom but you don't get your data back

Almost one in three firms that pay ransom fail to get their data back, according to new research from Trend Micro. A poll of IT managers at 300 UK businesses sponsored by Trend Micro found that 44 per cent of UK businesses have been infected by ransomware in the last two years. The study also found that around two-thirds (65 …

Silver badge

"A further 60 per cent claimed they were able to recover the data from back up files"

That is a depressingly low proportion of businesses. Oh well, I guess in future years it will improve as the once-burnt lot learn, the encryption threat will no longer be profitable, and ultimately less companies will suffer when hardware faults take out machines.

9
0
Silver badge

I suspect that a chunk of the rest don't have isolated backups so the backup files were also encrypted.

7
0

I suspect the infections are on laptops where people have a lot of 'work in progress' documents, 'vital spreadsheets' for their personal reporting needs, or email archives etc, which haven't been put onto a backed up share. Either because the IT department only gives them a small amount of storage(or mailbox), or because trying to work on a document stored on a network drive is slow and infeasible when you need to access it in a customer meeting etc.

I've yet to work at a company which has a good solution for this, and genuinely intrigued if other places really do mandate a policy of 'nothing can be stored on your laptop' or have sensible backup software available that guarantees all essential data can be recovered?

2
0

For clients with 365, we recommend OneDrive for stuff like that. If it's encrypted, we can rely on file versioning to retrieve most of it and infact it's saved peoples bacon before now.. :)

0
1
Anonymous Coward

genuinely intrigued if other places really do mandate a policy of 'nothing can be stored on your laptop' or have sensible backup software available

The company I work for provides something called CrashPlan backup, which I installed. It was crap, constantly consuming CPU power, my laptop battery life halved and it was generally running warm/hot all the time. I uninstalled it after a few weeks, and rely on making my own backups when I think they are necessary. It helps that my laptop is not my primary system, of course.

0
1
Anonymous Coward

In my experience, people who lose data because they didn't back up seldom learn lessons; the behaviour is ingrained...

In other news, I discovered yesterday we'd been hit by "Zepto" on Friday. Managed to get all affected data back (it only managed to encrypt some of the data in <100 directories before it gave up for whatever reason) from shadow copy though tape backups would also have worked. A bit of a storm in a teacup in the end, but a hassle nonetheless.

I'd previously set up "Crypto Canary" (see https://community.spiceworks.com/how_to/100368-cryptolocker-canary--detect-it-early?page=4) but it didn't work on the new .zepto file extension - it pays to keep up with these things as this is a very powerful tool for identification. Particularly as my AV of choice (BitDefender) still doesn't recognise the offending email that caused it as being dodgy (a depressing 6 of 55 scanners on VirusTotal mark it as dodgy, all of them seeing it as different viruses) and it had already passed through a Barracuda scanner by the time it hit Exchange.

As warning users not to fucking well open clearly fucking dodgy attachments is clearly not working, my next step is to prepend all inbound emails that have certain characteristics (subject lines including invoice etc. and keep the list updated) with a warning; turns out even Exchange 2010 can add an HTML-enabled (BIG RED TEXT!) message if it obeys the rules you set. I'll see how that goes; I don't want to be the IT guy who rejects all inbound attachments ("It looks like you're trying to send my organisation an attachment. Fuck Off. Or use yousendit.com").

And relax. Until the next time.

6
0
Anonymous Coward

We have rules in place on the firewall that either delete all attachments of a certain type (e.g. vbs, wsh, exe etc) or lock them so they can't be opened without an IT person unlocking it. This applies to any other files like .zip, .doc, .docm etc but not things like .docx, .pdf. There is about 50 file types that it checks for.

If there is a persistent sender of the locked document types the user is encouraged to ask them to send in a different format.

3
0
Anonymous Coward

Got all the former list and have added the macro ones too but they seem able to sneak through in zip files occasionally. There's also the possibility of personal webmail accounts. The future sucks.

3
0
Silver badge
Go

Risk of personal webmail accounts?

I've yet to work in a firm (dating back to the early 2000's) where use of personal webmails on company machines is permitted. In my current firm (and my previous 2 if I remember correctly) it would be a sacking offence (assuming you could get past the blacklist) to use personal webmail.

If this is a risk at your firm, then you really need to have a talk with upper management and get that particular door shut VERY firmly!

4
0
Anonymous Coward

Re: Risk of personal webmail accounts?

Really? I've yet to work in one where that would get past the CEO. Indeed my current one saw the CEO using his to contact the senior management because he didn't trust my predecessor not to be snooping...

SMEs tend to work to much more informal rules where certain users exert much more influence than IT can bring to bear.

6
0
Silver badge

I'd previously set up "Crypto Canary" (see https://community.spiceworks.com/how_to/100368-cryptolocker-canary--detect-it-early?page=4

That one is ineffective as it looks for new files with given extensions.

You need the opposite - drop a file into several "folders of interest" and set a trigger on trying to delete it or overwrite it. Call it "DO_NOT_TOUCH_BOFH_AT_WORK.doc" if you wish. You do not even need it in every folder - it is a canary, having a couple of them on shared storage is more than sufficient.

With Samba or Windows 2010 you can lock out the user and machine doing it the moment you detect a write.

With other filesystems you are on your own and will need to track changes via a script and declare full shutdown and quarantine manually once it has been detected. In any case - you will have it detected in time, before the encrypted files have propagated into the backups and that is what matters.

1
0
Anonymous Coward

"You need the opposite - drop a file into several "folders of interest" and set a trigger on trying to delete it or overwrite it. "

I'm not sure how that would have worked either in my case; the infection had several hundred Gb in thousands of folders to choose from but only attacked a few random, alphabetically diverse ones before giving up for whatever reason (it wasn't detected and wiped until several days later). If I only have the canary in some folders and it doesn't hit them then I'm not sure how it would help? Genuinely confused but happy to be educated - anything is a bonus. As it is, anyone creating files with .zepto now is triggering the warnings. Next stage is to set FSRM to shut down the machine if it detects any action...

1
0
Silver badge

"prepend all inbound emails that have certain characteristics ...with a warning"

"Oh yes, I saw that. I didn't know what it meant."

4
0
Anonymous Coward

There is that, and of course the chance of it becoming normalised over time, but I've put it in as plain English as I can boil it down to. Any plainer and they really shouldn't be working here...

0
0
Silver badge

Re: Risk of personal webmail accounts?

"it would be a sacking offence (assuming you could get past the blacklist) to use personal webmail."

Unless, of course, the offender was someone over your head. Then YOU'RE the one that gets sacked...

1
0

Is it legal to pay this?

Surely you can't add a payment to a criminal in the company accounts, do they give you an invoice with their company details, are they VAT registered? If you could it sounds like an ideal way of getting money out of a company without paying tax.

1
0
Anonymous Coward

Re: Is it legal to pay this?

I bet they break some laws - funding criminal activity, non-reporting of a crime (isn't it illegal these days?)

Perhaps it's petty cash, comes from "other expenses" :)

0
0

Re: Is it legal to pay this?

No different from kidnap for ransom pay-outs, and there's no law against them across most of the world

0
1

Re: Is it legal to pay this?

"No different from kidnap for ransom pay-outs, and there's no law against them across most of the world"

That's no reason why we shouldn't have such a law here as every payout encourages the fraud and puts everybody else at increased threat which even if you have good defences (like avoiding the more risky OS) and solid backup it has knock on consequences.

The fact that the threat is only property and not life makes it indefensible plus the only reason they have been caught is because of BOTH inadequate defence against a well known risk and, even worse. even more inadequate backups. That's gross negligence in my book.

The organisations deserve to suffer the consequences if they don't pay up and if they do - even greater consequences. Making the directors personally culpable may be an encouragement for better and safer practices (speaking as a company director myself).

1
1
Silver badge

Re: Is it legal to pay this?

No different from kidnap for ransom pay-outs, and there's no law against them across most of the world

No law - sure. Now if you also explain me exactly how to get that past accounting as a business expense...

2
0
Silver badge

Re: Is it legal to pay this?

"That's no reason why we shouldn't have such a law here as every payout encourages the fraud and puts everybody else at increased threat which even if you have good defences (like avoiding the more risky OS) and solid backup it has knock on consequences.

The fact that the threat is only property and not life makes it indefensible plus the only reason they have been caught is because of BOTH inadequate defence against a well known risk and, even worse. even more inadequate backups. That's gross negligence in my book.

The organisations deserve to suffer the consequences if they don't pay up and if they do - even greater consequences. Making the directors personally culpable may be an encouragement for better and safer practices (speaking as a company director myself)."

You haven't really thought through the consequences of your statements. making paying ransoms illegal will just mean people wouldn't tell the police at all, and it's rare that criminalizing being a victim has worked.

0
1
Pirate

Re: Is it legal to pay this?

Maybe yes maybe no, but they should consider suing for misrepresentation. Actually they should have insisted on paying by PayPal, then they could get the money back when the key failed to decrypt.

1
0

Where do they get these figures from?

I have a lot of customers and a high percentage of them have been hit by ransomware attacks. None of them have paid the ransom. Even those who don't actually have an IT department but just "someone that knows how to reboot" have been able to recover their files.

0
1
Facepalm

"Quizzed about their motivation behind a decision to pay the ransom, most companies (37 per cent) said they were worried about being fined if data were lost. Other reasons included encrypted data being highly confidential (32 per cent)"

They're worried about being fined for data lose or because the data is highly confidential? I'd argue that the ransomware encrypted data is now considerably safer than it obviously was in their hands to begin with!

4
0
Silver badge

"They're worried about being fined for data lose or because the data is highly confidential? I'd argue that the ransomware encrypted data is now considerably safer than it obviously was in their hands to begin with!"

Not if copies get passed off to the bad guys as well. They'd know the key so would be able to decrypt them (or they can be passed in the clear before they were encrypted).

0
0

One place I do work for got hit with a .encrpt ransomware. Fortunately they had an unencrypted backup (something I emphasised strongly to them) and so we were able to determine the encryption key and recover all their invoices. which were the only things encrypted.

1
0

Anyone who pays "ransom" and hasn't a current backup of their data is a fool and deserves to lose their $$! Wipe your drives. Reset your firmware (bios, etc), and lock down your systems as you install a new (hopefully a more secure) OS.

0
3
Anonymous Coward

I've personally had to manage and resolve 3 attacks of this kind (2 at the same company within a matter of weeks of each other) whilst doing managed services. Each one was due to either personal USB devices being plugged into the company network or personal emails being accessed via webmail.

We had to pay the ransom for one company due to the fact their backups were sh*te, they had no complete recovery and we'd been telling them this for a number of months (old knackered tape drive, outdated software and tapes stored in the back of someone's car next to the speakers). Needless to say, we refused to pay after the 2nd incident (which arose from the same person plugging the same usb drive in.)

There are steps to stop this from happening, however most companies won't put these in place for fear of upsetting their technically incompetent employees.

In my view everyone who uses a computer should be trained in general security, how to spot these emails and made to sign a waiver saying that if an infection is proven to come from them they pay the ransom if no other method of recovery is available. Also stop USB drive usage, documents can easily be transferred using cloud storage (free accounts for personal use) so there should be no need to ever have to plug one in.

Oh and listen to your IT provider when they tell you your backups are useless. It might save your highly confidential and auditable data one day

1
1
Silver badge

"There are steps to stop this from happening, however most companies won't put these in place for fear of upsetting their technically incompetent employees."

Particularly technically-incompetent executives who can overrule you.

4
0
Silver badge

"In my view everyone who uses a computer should be trained in general security, how to spot these emails and made to sign a waiver saying that if an infection is proven to come from them they pay the ransom if no other method of recovery is available. "

You might need to change the law first, as making employees personally liable for costs tends to be frowned upon, at least in the UK.

2
0
Anonymous Coward

"You might need to change the law first, as making employees personally liable for costs tends to be frowned upon, at least in the UK."

Under what law? IINM such an agreement would become a written contract and therefore legally binding. I don't think there's a law that says you can't hold someone financially liable for gross negligence on their part.

0
0
Silver badge

"In my view everyone who uses a computer should be trained in general security, how to spot these emails and made to sign a waiver saying that if an infection is proven to come from them they pay the ransom if no other method of recovery is available. Also stop USB drive usage, documents can easily be transferred using cloud storage (free accounts for personal use) so there should be no need to ever have to plug one in."

But what if the one who made the mistake is an executive or some other "over your head" position? As for USB storage, the cloud's not trusted for confidential data and is inefficient for large transfers (because one end or the other could be metered or on allowance).

0
0
Silver badge

Reason

"Other reasons included encrypted data being highly confidential (32 per cent) ..."

I'm not sure why this is a definite reason for wanting access to the data. Surely, "we really want it back" is the reason for paying up.

1
0

At a company I do work for I always advise not to open zip, unless they are expecting it. I think the Win10 update reset hide extensions so a user clicked a link in an email, got sent to a onedrive site and downloaded an invoice pdf (.pdf.zip), then rang me and asked if he should have! The zip seemed to contain stuff for android, so I don't think it did anything.

@ Voland's right hand I think you have a great point there. I backup users Win10 machines onto a Linux server using rsync via DeltaCopy ... so I'll try and work out how to do this.

1
0
Pirate

Well, for a start...

Why are You dealing with Non-dealers?

0
0
Silver badge

A couple of "solutions"...

First: Maybe a re-vector of the ransomware to somebody in the Russian government might work. I understand that many of the malware check to see what the domain name is and judicially skip some domains presumably for fear of retaliation.

Second: Make people to got plain text email. The fancy attachments and the like (javascript in an email? No!) shouldn't really happen.

Third: Get rid of somebody who gets infected. Stupid users are probably the biggest reason these things happen. They probably get suckered by Nigerian princes with cash gushing out of their pockets.

Get a clue people!

0
0
Silver badge

Re: A couple of "solutions"...

"First: Maybe a re-vector of the ransomware to somebody in the Russian government might work. I understand that many of the malware check to see what the domain name is and judicially skip some domains presumably for fear of retaliation."

I figure it was more to prevent "friendly fire".

"Second: Make people to got plain text email. The fancy attachments and the like (javascript in an email? No!) shouldn't really happen."

Then how do they pass documents around? Any other vector can be hijacked or poisined, yet people still need to pass stuff around: usually stuff that doesn't fit into 7-bit ASCII.

"Third: Get rid of somebody who gets infected. Stupid users are probably the biggest reason these things happen. They probably get suckered by Nigerian princes with cash gushing out of their pockets."

Trouble is, how do you get rid of stupid executives, who are frighteningly frequent yet have the power to overrule even IT (because they're the board)?

0
0
Bronze badge

Hurry up already

It'd be nice if Trend would update their non-SaaS version so that we lesser minions could drill down in the console and see just which computers and processes are supposedly ransomware infected. Instead I get a 48point font-sized RED ALERT that 37 machines have ransomware and no way of seeing which of them it is. (Although I know which ones they are, they're point of sale machines that encrypt data before transmitting it to the Oracle server).

How about it huh Trend?

0
0
Trollface

What planet do these people live on?

"Quizzed about their motivation behind a decision to pay the ransom, most companies (37 per cent) said they were worried about being fined if data were lost. Other reasons included encrypted data being highly confidential (32 per cent) and an easy-to-pay, low ransom amount (29 per cent)."

worried about being fined if data were lost. : its not been lost, you just can't read it, stupid

encrypted data being highly confidential : so confidential that even hackers will have trouble reading it

easy-to-pay, low ransom amount : I also have a nice bridge across the Thames I can sell you for a song

0
0
Silver badge
Headmaster

Schrödinger's Backup

The existence of a backup is not known until you've successfully restored.

0
0
Silver badge

Re: Schrödinger's Backup

That's like saying you can't truly prepare for an emergency without an emergency...

0
0

Information Assets?

"...over a quarter (26 per cent) believed the data encrypted wasn’t valuable or confidential, and hence was not worth paying for."

Why keep it then? If it isn't an asset it's automatically a liability.

0
0
Silver badge

Re: Information Assets?

Not necessarily. Assets have different values. For example, your license documents probably have more importance than say your sales history, which is useful for forecasting and studying trends, but if they were to burn in a fire you can wing it. Whereas if those license documents go up, you legally cannot operate without them (since they usually say, "This document must be prominently displayed in public. This is a legal requirement.").

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017