# Don't pay up to decrypt – cure found for CryptXXX ransomware, again

It's third time unlucky for the scumbags behind CryptXXX ransomware, as their shoddy coding has been cracked yet again. CryptXXX is a particularly nasty form of the species – a ransomware app that not only encrypts over 40 file formats on a host PC and any external storage devices, but also steals any Bitcoins it can find on …

#### It's fun, because they never learn

"there's no excuse for businesses not having the right secure storage systems in place"

There only needs to be one; they won't pay for it. Businesses are mostly feast or famine about security. "There is no need to pay/do anything extra, we aren't a target," or my favorite "OMG we've been hacked! Secure anything and everything to a point at which it becomes impossible to get normal work done!"

#### Re: It's fun, because they never learn

Sure they back up. To the cloud even. And once they have all the encrypted files fully backed up the ransomware demands payment.

The real issue is just how fragile software systems are. One small hole, one silly mistake by one user, and the whole stack crumbles.

#### Re: It's fun, because they never learn

If you're backing up data that you can't restore from then I'd personally say you have copies, not backups.

In the old days we used to do backups every day for two weeks on removable media, and then retire one of those bits of removable media as a long term archive copy. It was best practice in 1997, but in 2017 it's ok to keep a single online copy and pray. (Ok, ransoms. What if they demanded more than your company could pay or if they refused to give you the decryption key after paying?!)

The master of the Tao of Backups (http://www.taobackup.com) would despair. (ie; 3. Separation)

I'd be interested to see how online backups score on their backup test, I suspect "not well" is a reasonable answer!

http://www.taobackup.com/audit.html

#### Re: It's fun, because they never learn

The thing is that for many people, "backup" does indeed mean what we call "copies".

One of the truly killer features of OSX is that Apple baked in a proper backup solution in the form of Time Machine. You get weeks, if not months of prior backups you can restore from which will actually save you from these kind of catastrophes.

I've seen similar stuff on other OSes through third-party tools, but the third-party-ness of them means most won't bother with it. Until they get hit by ransomware and by then, it's too late.

rdiff-backup

#### Re: I'll leave this here...

you mean, roughly:

mount /backupdevice

rdiff-backup /home /backupdevice

umount /backupdevice

these malwares could mash any mounted filesystem. You could (also) backup to a remote machine but if that gets malwared at the same time....

But yeah, proper backup

#### Re: I'll leave this here...

The one thing I haven't seen yet is a way to do something like rdiff-backup where the backup device will only receive new data, with no ability to rewrite existing data from the sending entity.

This scumware only exists because authorities (a) allow quasi-currencies like Bitcoin, and (b) make no attempt to make the quasi-currencies comply with the standard rules that apply to all traditional currencies.

Seriously, what actual use is Bitcoin? What goods and services could not be delivered without it? What would we lose (other than a lot of crime) by simply getting rid of it? (You wouldn't ban it, you'd just legislate to make it difficult or impractical to exchange it for items of genuine value such as currency.)

Brilliant. I've got an even better idea - let's get the authorities to ban the internet. Or computers. Or free will. Then we'd be safe and secure in their thrall and, best of all, we wouldn't have to think at all.

#### Re: "we wouldn't have to think at all"

We're not thinking much right now, so no great loss really.

#### Re: Follow the money. @emmanuel goldstein

Nice hyperbolae there, Tannin asked a reasonable question.

I'm struggling to think of a legal activity that can be conducted with bitcoin that cannot be done with traditional currency. Donations to causes such as TOR from persons within an oppressive regime is about all I can come up with and that's pretty tenuous. Not the method I'd choose in that situation, banknotes in an envelope are far more reliably anonymous.

#### Re: Follow the money. @emmanuel goldstein

Nice hyperbolae there

He headed off on multiple non-returning curves?

#### Re: Follow the money. @emmanuel goldstein

"I'm struggling to think of a legal activity that can be conducted with bitcoin that cannot be done with traditional currency"

That's like saying that you're struggling to think of any legitimate activity that can be done with Linux that cannot be done with Windows. Why shouldn't Microsoft and governments be able to see what you are doing on your computer? Only criminals need to hide their data. If you have nothing to hide .... etc.

But to address the point - Bitcoin is not at all about anonymity. That's just a by-product. It is in fact less anonymous than cash.

Today's traditional "money" is not money at all, it is currency (look it up if you don't understand the difference). The pound sterling doesn't even *represent* money any longer. The value of what you have in the bank is controlled by your government. If your country's economy goes down the pan, so does your life savings if you have been foolish enough to keep it in the form of currency.

Bitcoin is real honest-to-goodness money. Just like gold or cowry shells. It cannot be manufactured in huge amounts by any government, and it cannot be devalued by any government. Its value is dependent only on the World market - i.e. the ordinary people & companies that use it. As most currencies are being continuously devalued (because governments routinely spend more than they have and effectively print currency to make up the deficit, diluting that currency), if Bitcoin becomes sufficiently established, it will see a steady rise over time compared with any currency. I bought £100 of Bitcoin just 3 weeks ago. I could now sell it for £114. Had you bought Bitcoin this time last year, it would be worth almost double today. How does that compare with the interest you are getting from your bank? If I use Bitcoin to buy goods from another country that has a different currency, I will not be giving a significant percentage of the transaction to a millionaire banker for performing a trivial currency exchange. Instead I voluntarily pay a very, very small amount per transaction to a large group of global "miners" for their work in doing the (highly distributed) book-keeping work and ensuring that the transfer is not fraudulent. So long as governments do not sabotage Bitcoin (e.g. by making it illegal or heavily taxing it), it will be an excellent investment and means that you can use all of your money for transaction rather than keeping bankers supplied with yachts and champagne.

But because Bitcoin is not under government control, there is unfortunately a good chance that it will be sabotaged. No doubt with you cheering because you "Don't see the point, except for criminals." I bet you are also quite happy with a few big companies controlling what happens to your data and allowing the government to snoop on your computer activities as well. Because criminals.

#### Re: Follow the money. @emmanuel goldstein

@Cynic_999 Nice post. If only more people would "get" the bullshit nature of fiat money.

#### Re: "It is in fact less anonymous than cash"

Funny, that's not how I've been hearing it described since, oh since its inception. In fact, in these very hallowed pages, there is a report on how boffins "managed" to thwart that.

I specifically remember being told in innumerable posts how BitCoin was indeed anonymous, on top of being the Next Best Thing. Heck, listen to the apologists for long enough and you'll get the impression that BitCoin could impregnate a sterile woman; it is just that good.

Personally I have a hard time buying that anyone can be anonymous for long on the Internet. What really gets me, though, is all the criminal activity taking place with that currency that, apparently, no police force on Earth can trace. Yet, the NSA is supposedly recording all my calls, wherever in the world I am, and I'm willing to believe they know it's ME.

I'm not a criminal, much less a terrorist, but I am under surveillance. Millions upon millions of dollars in illicit transactions are happening all the time, damaging the lives of innocent people around the world, but the ones who benefit are more anonymous than I am.

For me, that sucks more than government control of the value of my money.

#### A solution to the idiots that pay the ransom

Make it illegal to pay the ransom. Something along the lines of "accessory to a criminal act". Business should face imprisonment for paying.

If the money source dries up, the criminals will move on to something else.

#### Re: A solution to the idiots that pay the ransom

Yeah, because making something illegal is always guaranteed to stop people from doing something. (rolls eyes)

#### It's only a matter of time ...

... before the cryptoscammers overcome the price sensitivity by using a dutch auction. Big businesses will pay $BIG for immediate decryption, consumers will wait until it drops to under $100 or so.

Restoring from backups is a bit of a chore. Making backups is even more of a chore (because if you aren't restoring them and testing them they aren't backups). What seems really effective against ransomware are snapshots and versioning file systems. For a consumer, wouldn't write-protection of all photos and videos be 80% of the solution?

#### Re: It's only a matter of time ...

Wouldn't a variation on Windows UAC achieve that already?

#### Re: It's only a matter of time ...

Local snapshot and versions may still just store encrypted files if you don't have enough local space to go back enough in time. And if a ransomware is run with enough local privileges it could disable and remove snapshots and versions. Backups should not be local, and not directly accessible by infected machines.

#### Re: It's only a matter of time ...

"Wouldn't a variation on Windows UAC achieve that already?" --- Nifty

I think it could. Presumably it would be possible to create a system where UAC prevented some files / folders from being deleted or overwritten regardless of the privilege level of the user, and the only way to do so would be to turn UAC off (am I right in thinking UAC can only be turned off by booting to safe mode?) to do whatever was required before turning it back on and returning to normal operating mode.

#### Re: It's only a matter of time ...

@LDS, I mostly agree but still think snapshots can be used ...

My home ZFS box snapshots itself every minute, whilst another cronjob tidies snapshots periodically (keeping a few hours' worth of per-minute snaps, a few days' worth of 6-per-hour snaps ... etc., etc., ... down to quarterlies which are never auto-removed). None of the remote users are sudoers; root cannot log in remotely; so I think snapshots can only be removed from the console.

I have, very recently, deliberately infected a client machine attached to this storage, and sure enough it immediately started encrypting every file in its network attached folder (in fact, one of my monitoring scripts on the ZFS box mailed me to tell me that there was a huge peak in write activity). When it subsided, I successfully recovered all the test files from snapshots (although I cheated and just went for the last snapshot before my deliberate infection: if I had not known the date of the infection and the files had been changing there'd have been a bit more work to do (I'm trying to work out a decent way of automating this)).

One could create and market a NAS box which was "reasonably ransomware resistant" using a number of similar approaches.

"Backups should not be local" --- agreed, because of fires, theft, etc. I'm not remotely suggesting that snapshots replace backups. My box makes encrypted copies of my most important files and dribbles them up to Dropbox.

But it seems to me that there is no technical obstacle to "reasonably ransomware resistant" local storage.
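The recovery step described in the comment above (finding, per file, the newest snapshot copy from before the encryption started) could be automated along these lines. This is an added example, not part of the original thread and not the commenter's own script. It assumes snapshots are browsable as directories (as under a ZFS dataset's `.zfs/snapshot/`) whose names sort chronologically; the function names, the snapshot names, the sample files and the 7.5 bits-per-byte entropy threshold are all assumptions.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits per byte; assumed cut-off for "looks like ciphertext"
SAMPLE_BYTES = 65536  # only the head of each file is sampled


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def became_encrypted(prev: bytes, cur: bytes) -> bool:
    """Flag a version only if it is high-entropy AND differs in kind from the
    previous one: JPEGs and archives are always high-entropy, but they keep
    their magic bytes from one legitimate version to the next."""
    if entropy(cur) < ENTROPY_LIMIT:
        return False
    return entropy(prev) < ENTROPY_LIMIT or prev[:4] != cur[:4]


def last_good_versions(snap_root: Path):
    """Walk snapshots oldest to newest. Returns (good, first_bad):
    good[path] = newest snapshot holding a pre-encryption copy,
    first_bad[path] = snapshot where the copy first looked encrypted."""
    good, first_bad, prev_sample = {}, {}, {}
    for snap in sorted(p for p in snap_root.iterdir() if p.is_dir()):
        for f in snap.rglob("*"):
            if not f.is_file():
                continue
            rel = f.relative_to(snap).as_posix()
            if rel in first_bad:
                continue  # everything after the first bad copy is distrusted
            with f.open("rb") as fh:
                cur = fh.read(SAMPLE_BYTES)
            if rel in prev_sample and became_encrypted(prev_sample[rel], cur):
                first_bad[rel] = snap.name
                continue
            # A path that vanishes later (deleted or renamed) keeps the last
            # snapshot in which it was present.
            good[rel] = snap.name
            prev_sample[rel] = cur
    return good, first_bad


def build_demo_tree(root: Path) -> None:
    """Constructed sample data: three snapshots, the last one 'encrypted'."""
    def noise(seed: int, n: int = 8192) -> bytes:
        rng = random.Random(seed)
        return bytes(rng.getrandbits(8) for _ in range(n))

    jpeg = b"\xff\xd8\xff\xe0" + noise(1)  # high entropy, but legitimate
    versions = {
        "auto-2017-01-02-1000": {"notes.txt": b"meeting notes\n" * 50, "photo.jpg": jpeg},
        "auto-2017-01-02-1001": {"notes.txt": b"meeting notes v2\n" * 50, "photo.jpg": jpeg},
        "auto-2017-01-02-1002": {"notes.txt": noise(2), "photo.jpg": noise(3)},
    }
    for snap, files in versions.items():
        (root / snap).mkdir(parents=True)
        for name, data in files.items():
            (root / snap / name).write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        good, first_bad = last_good_versions(Path(tmp))
        for rel in sorted(good):
            print(f"{rel}: restore from {good[rel]}, bad since {first_bad.get(rel)}")
```

A file that first appears already encrypted has no earlier version to compare against, so this heuristic does not flag it; the earliest `first_bad` snapshot gives an estimate of when the infection began.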

#### 70%?

So seventy percent of the 600 businesses they surveyed didn't have working backups?

Words fail me.

$10k is nothing compared to the costs to restore data, let alone the down time which is usually measured in thousands of dollars an hour. I would wager that many just made the call that it's cheaper to pay.

#### Port 445

Are people still not doing egress filtering on netbios and SMB? Christ on a unicycle...

#### Why doesn't

Microsoft (assumption Windows is biggest target) simply implement a default policy (via Windows Update) that denies scripts, batch files & executables etc permission to run from temp folders? Or at least prompt the user with a suitable warning before allowing execution.

The typical attack vector for ransomware is vbs scripts masquerading as invoices or other official looking documents. Most users would at least have the sense to say no to a warning msg that pops up instead of the PDF or Word doc they thought they were opening.

& before anyone says implement that policy yourself, just try doing that yourself first and tell me how easy it is to ensure it works not just for the temp folder but also ANY randomly named subfolder under temp.

#### Re: Why doesn't

Applocker will do that for you. You can even turn it on in audit mode for a while to see if it blocks anything you still want to run. You can then add exceptions before you turn it on for real. We implemented this as one of our cryptomalware mitigations. Stop random executables and scripts from running from user profiles or other suspicious locations.

Your faith in the userbase is touching. In my experience most users will blindly click on anything they are presented without reading it.

#### Re: Why doesn't

A while back the company admin sent out an email admonishing people to not click on Windows update links sent to them in email. In the example, everything was simply wrong, and I'm still amazed that people fall for that stuff. (Like program1.exe is a self-extracting file containing a.exe, blah blah blah)

No, they don't back things up, and no, they don't know how to restore it, and yes, they click on everything.

#### Re: Why doesn't

> & before anyone says implement that policy yourself, just try doing that yourself first and tell me how easy it is to ensure it works not just for the temp folder but also ANY randomly named subfolder under temp.

Do you want a POC ? Very easy ...

Look up HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command, see the

"%SystemRoot%\System32\WScript.exe" "%1" %*

String value ? Do this:

"%SystemRoot%\System32\WScript.exe" "c:\path\to\My\script.vbs" "%1" %*

Your VBS would then have code to check if "%1" is in %TEMP%/Desktop/Downloads (subfolders thereof) and if so, simply refuse to run and print a big fat warning, else just run it. This is trivial VBS code, using instr, msgbox, and ShellExecute ... look it up, you might even find working examples on google ... easily defeated by using a binary, but if VBS is a problem ....

Do the same for HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command

Would take me less than 10 minutes to write & test ...

Then, GPO or Chef or puppet it to clients ...

HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command

Is yet another, and this one is tricky ... guess where your browser stores the JavaScript files before execution ...

#### Re: Why doesn't

@Hans1 - Good examples but rather than rebut the original comment they prove it. Many (most?) El Reg readers could handle this but the comment was about how practical it is for Windows users. Most of them are the very people causing the problem by clicking anything that stands still long enough and then clicking it again and again as it didn't do what it said it would. And then clicking it again just in case it worked this time.

This is like the old Windows security that allowed or even encouraged all accounts to be Admin level which then became a requirement to enable Games to be installed/run so that anyone with half a clue couldn't run their PC in a secure manner AND play games on it. The ransomware is taking advantage of sloppy default security but fixing that while leaving the PC usable is not a simple task

#### Re: Why doesn't

Your faith in the userbase is touching. In my experience most users will blindly click on anything they are presented without reading it.

A really good client of mine once called me up to beg me to fix one of his client's laptops and, because I'm an idiot, I said yes. The laptop was ancient, slow, the dvd drive was shot, many of the keys were missing, the lid would only stay in place if standing straight up. The physical state of the machine was nothing compared to the state of the software though. Once I eventually managed to log in I found that the amount of malware installed on the thing was beyond belief. I told them that to properly fix the software an OS reinstall would be required, but that the hardware was in such a state that it wasn't worth it. Instead I would remove as much malware as possible to get the thing barely running again hopefully long enough to abandon ship. After some extremely long runs of spybot, malware bytes and friends the laptop achieved a state of kind-of-barely-functional.

When I returned it I met the owner for the first time. I gave her the laptop and told her to make sure she could use it while reiterating nature of the situation. Her response: "As long as I can play my game." I watched in disbelief as she opened up Internet Explorer and browsed to one of the sketchiest sites I've seen in my life to play one of those stupid match-the-colours-on-the-balls games. Maybe 30% of the middle of the browser showed the game, the remainder of the screen was covered in flashing ads warning the user that her PC was not optimized, had a virus, etc. She said "I hate these things" and I watched in disbelief as she clicked on them - to get rid of them. I stopped her before she ran the executable she had just downloaded, the first of many no doubt. After explaining the situation to her I could tell that there was not a shred of comprehension but just that she had learned that she shouldn't click on "Your PC is infected!!!" while I was in the room.

At that point I fled. I wouldn't be surprised if that piece of garbage is still out there somewhere, with the same user downloading and installing malware package after malware package, the system log filling up with error messages that read "kiiiiiiiillll meeeeeeee, kiiiiiiilllllll meeeeeeee".

My my, victim blaming, aren't we? Saying that backups aren't difficult is easy. Actually having usable backups is really difficult. It is a tedious task, that requires attention and a lot of planning. It is time-consuming, so difficult for small companies with little resources to spare.. And it's not like malware slingers are unaware of that backups exist. They're known to wait for months before asking the ransom. So when the last 6 months of tediously organized backup are also useless, what choice is there?

#### I have spotted your fallacy

Backups protect against many other threats besides ransomware. Most of which are unlikely enough, on their own, to make backups appear more costly than suffering the consequences, if that was the only thing all that effort was protecting against; but it's a ton of feathers. If you consider the likelihood of any one of several events is the sum of their individual probabilities, a backup strategy starts to seem more worth it.

As long as you can't do business because your computer system is out of action, you are not going to bring in any money, yet you will still have -- as near as damn it is to swearing -- the full operational expenditure. It's really that simple. But yes, it is always easier to propose solutions to other people's problems.

It is a tedious task, that requires attention and a lot of planning. It is time-consuming, so difficult for small companies with little resources to spare..

So is paying your VAT. Are you implying that running a business means you only have to do the easy stuff?

Vic.

Not paying your VAT gets you to jail. You can file that under "strong incentive".

#### This exhausts me.

I look after a small business and for years (8 of them) I begged, pleaded and tried cajoling them into having a better backup than the floppy disk and then the monthly USB stick. Their 12 year old Server finally broke so I was able to use a bit of guile and included hardware and software for proper backups. The owner didn't stop complaining about the $10,000 the hardware and software cost.

Six weeks after it was all up and running, the idiot clicked an email. Two hours later I got a phone call about the system not working right. He had clicked a link and activated Crypto infection. As a result of my deviousness I was able to restore all their data and neutralised the infection in about 6½ hours. They lost half a day's data input most of which was scavenged from memory and some paperwork plus I spent another few hours searching for and removing encrypted files.

Ten weeks later the owner is very happy that his business was saved by the protections that he had complained about spending money on. It's a shame that you can't convince a business that they really need to take these precautions and that the cost is minimal when compared to business losses or indeed the loss of the whole business. The owner later figured if we didn't have the backups then he would have lost between $80 - 100,000; less if his customers were honest and paid what they owed but that is not something you can count on. The cost of protection was minimal compared to what it actually cost him and even now, I am unable to get them to spend $200 on the final piece, a cheap UPS for the Server. Until they have a disaster, they cannot see how cheap the prevention is by comparison to not having it. In my case they would much rather spend $15,000 on a holiday than $200 on a vital piece of infrastructure. I would like to say this business was unique but like the rest of you IT professionals, they aren't are they.

I have also been bleating to deaf ears on backup precautions, though not on a professional basis. I have even offered to drop in and do it myself in some cases (for the hairdresser, and other acquaintances I know and who know me and what I do).

Every single time, the answer is something along the line of "yeah, I know I'll have to get around to it".

Year. After. Year.

I have dropped the inquiries. If ever they come and complain about losing their data to some disaster or another, I think the look on my face will pretty quickly quell that line of conversation.

#### SRP white list

A few years ago we had a customer who got bitten twice by ransomware in quick succession. Both times we got them back to where they were that morning using backups/shadow copies.

When it became clear that ransomware was an increasing threat and that backups might also be affected, we configured a decent SRP whitelist with some restrictions on email attachments. Only stuff already installed may run or if it's in the white list (hashed). We also engaged in an end-user education campaign about what to look out for and if in doubt tell us - don't ignore/hide the issue as the quicker we know the less damage may be caused.

So far, so good as they've not had issues since then.

Every business large or small has to have decent backups, in my time working for a MSP I have seen about 10 ransomware infections. You can implement various degrees of protection but at the end of the day backups are the main one. Be it infection, theft, fire etc.

Any company that doesn't have a decent backup may as well just invest their money at the roulette table instead!

#### Clarification bitte

"Research last week from IBM's X-Force security team chatted to 600 business customers and found 70 per cent of them had paid ransomware spreaders"

What was the universe? Were those 600 random IBM business customers, or 600 IBM business customers that had been on the receiving end of a "ransomware" attack? Or something else?

Another time consuming but worthwhile step, have only a company email system permitted (no private email) and have a spam/malware filter that stops ALL executable attachments including anything in a compressed archive.

I see numerous attachments on a daily basis that are either identified as ransomware or almost certainly are new (unidentified) versions of the same. This, BTW, means stopping ALL Excel and Word files from going in (or out) without inspection. Tedious, YES, effective, yes.

It is by no means an entire solution, we are still vulnerable to mistakes, to illicit personal email, to official email containing malicious links, and files coming in via portable USB and the like, but it sure cuts out a heap of potential issues.

Just to note, we also have a comprehensive backup scheme including on and off site with two backup locations on site. We would be vulnerable to a cleverly designed piece of ransomware that significantly delayed action and infiltrated multiple backup locations; we *should* see via alerts if one started encrypting before any backups/shadows were compromised but new malware techniques may get around what we have. We also have a regular user education activity, reminding everyone of what to watch out for and what to do should they make a mistake.

The other point is that good practice is, IMHO, multi-layered protection and response. Everything from an anti-virus package (can't see the new ones but there's still plenty of known ones to watch for), firewall policies to prevent inwards and outwards traffic associated with malware, scanning and blocking actively, education, backups and replication, etc , etc, and etc.

And we could still get hit and lose "X" hours or days of data depending on how "clever" the infecting agent was. But at least we reduce our exposure. Would we pay, maybe, if it was necessary I guess so, but we do hope to make it not ever required. So far (cross fingers and everything else) we've escaped infection for years, and long may it continue.

#### Great precautions

So, your business / Agency / NGO can afford to have or to hire in a real IT department, and by the looks of it have at least one full-time equivalent working on Information Assurance.

This is very good, but in NZ where I live, the average business has less than 4.1 employees.

I expect you're beginning to see the problem here ...

#### Bitcoin

The people who support Bitcoin and think it's great will defend it to the death, in the face of any logic.

Those of us who look at the world, analyze what is going on, and make decisions based on that, look at bitcoin, look at how it is being used, and put it down on the facts of its behaviour.

Earlier, someone used a "I bought some a while ago, and made a bunch of money off holding it" argument. I agree that you are happy you made some money on it. However, how is that a defence of all the other issues. The reason its value probably went up is because of all the people forced to buy some to pay off their ransomware. So, quite likely, you are enjoying the proceeds of crime, indirectly. Hmm...

#### Help the users

"Six weeks after it was all up and running, the idiot clicked an email." (from an earlier comment); and there was another about a lady clicking on some game.

Clicking on stuff is what a mouse is for isn't it?

Please stop sneering at the customers/clients/users - help them.

I'm not a dev/sys admin or whatever. I've registered here as a user interested in understanding more about datacentres/cyber security but as a generalist not an expert. I am glad I did because I am getting aware more about this bad stuff. It's not if bad things will happen, it's when.

People (users, me) have no idea - and about half of them have an IQ lower than their body temperature - yet they are allowed to use computers, drive trucks, cars, planes.

If Microsoft can do the top right X not closing but agreeing trick then the really bad guys are going to have worse tricks.

Is there a solution?

I don't know - perhaps concentrating anti malware effort at the internet ISP level - because that's a sort of data funnel. A billion users can't be made malware savvy, but a few thousand ISPs can, maybe?

A PC/phone/tablet should be a tool or a toy not a way to blow up your own company or whatever.

#### Machiavellianism

Call me a cynic, but for me this whole crypto currency + ransomware marriage stinks of machiavellianism.

1. create problem

2. offer solution

3. profit

I've never really understood the point of cryptocurrency except in the sphere of control.

The PTB love control
