Cryptowall 4.0: Update makes world's worst ransomware worse still

The fourth iteration of the world's worst ransomware Cryptowall has surfaced with gnarlier encryption tactics and better evasion tricks that have fooled current antivirus platforms. Ransomware has ripped through scores of businesses and end-user machines in sporadic and targeted attacks that have cost victims millions of …

  1. Anonymous Coward
    Anonymous Coward

    The end is near

    Seriously, the time is now to get the F out of any business that depends on IT.

    A third of a billion dollars! To be fair, no less ill-gotten than every dollar McAfee or Symantec have ever made.

    1. Anonymous Coward
      Anonymous Coward

      Re: The end is near

      At least to get the F out of anything dependent on a single vendor…

      I avoid systems that rely on Apple and Microsoft these days. Sure, use these platforms, but do not rely on them: aim for systems that can move between these, and other platforms, so that should things turn sour, you can move with minimal disruption.

      1. Anonymous Coward
        Anonymous Coward

        Re: The end is near

        I found it easier for small offices to lock down OSX than Windows, which is mainly the reason we're using it. I'd love to go all out Linux, but the commercial software we use exists on OSX and Windows, and then OSX is simply the easiest way forward (also less expensive over its lifetime).

        Mind you, we're not addicted to Apple - I don't see the point of throwing out huge wads of cash for a high res screen from Apple when the same can be had from the PC market for far less, and I personally prefer a Logitech mouse over the "thing" that Apple calls a mouse, magic or not.

  2. Steven Roper

    Hunt the bastards down and publicly execute them

    Time to bring back public gibbetings and perhaps introduce live human dissections posted to YouTube. These fucking worthless sociopathic parasites serve no good use to humanity whatsoever. They can't be redeemed or rehabilitated. They are vermin, and they should be exterminated, like vermin.

    1. Anonymous Coward
      Mushroom

      Re: Hunt the bastards down and publicly execute them

      And their relatives.

      1. Known Hero

        Re: Hunt the bastards down and publicly execute them

        and anybody on their contact list !!!

      2. Anonymous Coward
        Anonymous Coward

        Re: Hunt the bastards down and publicly execute them

        and their dog!!

        1. DropBear Silver badge
          Joke

          Re: Hunt the bastards down and publicly execute them

          And their fathers! And their father's fathers! And their father's father's fa... ouch... ouch... owww... *runs away*

          1. Anonymous Coward
            Anonymous Coward

            Re: Hunt the bastards down and publicly execute them

            And their cute kittens

          2. Prst. V.Jeltz Silver badge
            Joke

            Re: Hunt the bastards down and publicly execute them

            Alright, don't labour the point.

            It's gone all "Daily Mail" in here!

            1. N2 Silver badge

              Re: Hunt the bastards down and publicly execute them

              "All Daily Mail"

              But sir, there is not one 'Soar', 'Plunge' or 'Plummet' in the text - yet.

          3. Anonymous Coward
            Anonymous Coward

            Re: Hunt the bastards down and publicly execute them

            And their fathers! And their father's fathers! And their father's father's fa... ouch... ouch... owww... *runs away*

            Careful, with some of these scum, that could get recursive!

    2. Phil O'Sophical Silver badge

      Re: Hunt the bastards down and publicly execute them

      How long do we need to wait before someone at NSA/GCHQ/KGB/etc. figures out that tracking this scum down and releasing the keys would actually get them some good publicity for a change?

      Anyway, hanging's too good for them, I'd suggest public "stoning" with the encrypted, bricked, 3.5" disk drives. We could charge $5/throw, money to go to the victims.

      1. joed

        Re: Hunt the bastards down and publicly execute them

        Nah, this would not be a wise use of public funds and would give away capabilities of Big Brother. Just forget it.

      2. John Crisp

        Re: Hunt the bastards down and publicly execute them

        The point is that the spooks won't touch it. It plays into their hands.

        Just gives them a reason to say encryption is a bad thing and they should have access to it all......

        Fixing things does them no favours !

      3. Anonymous Coward
        Anonymous Coward

        Re: Hunt the bastards down and publicly execute them

        Jehovah jehovah, jehovah....

    3. Anonymous Coward
      Anonymous Coward

      Re: Hunt the bastards down and publicly execute them

      These fucking worthless sociopathic parasites serve no good use to humanity whatsoever.

      They have been useful to me in one brilliant way. Convince people to get the fcuk off Windows.

      1. JDX Gold badge

        Re: They have been useful to me in one brilliant way. Convince people to get the fcuk off Windows.

        And how is that useful to you, other than feeding your malnourished ego that people are paying attention to you for a change?

        1. Anonymous Coward
          Anonymous Coward

          Re: And how is that useful to you?

          Sounds like your ego can't stand users migrating away from your beloved Windows.. Gravy train and all..

      2. TheVogon Silver badge

        Re: Hunt the bastards down and publicly execute them

        Because you don't get ransomware on Linux. Oh wait:

        http://www.theregister.co.uk/2015/11/09/ransomware_targeting_linux_charging_bitcoin/

        1. Anonymous Coward
          Anonymous Coward

          Re: Hunt the bastards down and publicly execute them

          >Because you don't get ransomware on Linux.

          Just goes to show Linux is getting more like Windows every day (thanks Red Hat!). That's why you are better off on a purer POSIX OS that places a premium on code correctness like the BSDs or even Solaris (though if you are stupid enough to run lots of userland code unjailed as root on an internet-facing server, no OS is going to save you).

    4. Destroy All Monsters Silver badge

      Re: Hunt the bastards down and publicly execute them

      But what if they transfer their ill-gotten gains directly to charity?

      Eh, eh? Answer me that!

    5. asdf Silver badge

      Re: Hunt the bastards down and publicly execute them

      >introduce live human dissections posted to YouTube. These fucking worthless sociopathic

      I agree they are pieces of feces and deserve long jail sentences but wanting humans dissected for public entertainment is beyond sociopathic and into psychopathic land.

      1. Vic

        Re: Hunt the bastards down and publicly execute them

        wanting humans dissected for public entertainment is beyond sociopathic and into psychopathic land.

        Oh.

        OK, as you were, then.

        ::shuffles off::

        Vic.

      2. Steven Roper

        Re: Hunt the bastards down and publicly execute them

        "But what if they transfer their ill-gotten gains directly to charity?"

        Well, firstly for some reason I doubt they do. Second, even if they did, it doesn't excuse blackmailing people with ransomware. To argue a charitable cause as a justification for such vile behaviour is treading perilously close to ends justifying means.

        "wanting humans dissected for public entertainment is beyond sociopathic and into psychopathic land."

        Or the product of a mind that has been reading too many George R.R. Martin novels lately... ;)

      3. Anonymous Coward
        Anonymous Coward

        Re: Hunt the bastards down and publicly execute them

        Gave you an upvote, but only due to being accurate. I'm somewhat known for psychopathic tendencies. Need popcorn! (I'm not joking.)

    6. Anonymous Coward
      Anonymous Coward

      Re: Hunt the bastards down and publicly execute them

      Why, sure they do ... they keep IT freelancers employed and they let us have the "I told you so" phrase when they don't want to pay for the security and backup solutions that we know work.

      Everyone should have a cold storage system in place that grabs snapshots. This should be a Linux box that has almost all of its functions disabled.

  3. Christopher Lane
    Devil

    Straw poll...

    On a more constructive note... how do you guard your business against this threat, FSRM file screens, SRP/whitelisting etc? Votes/comments please...

    1. Fitz_

      Re: Straw poll...

      Deploy AppLocker policies so that only executable code placed where users cannot write to can be executed.

      Use shadow copies and keep backups. The one that encrypted / decrypted on the fly to poison backups sounded particularly evil, however would have been defeated by AppLocker.

      1. ok i'll sign up

        Re: Straw poll...

        Unfortunately, whilst AppLocker may be the best defence on a budget that many people have, it isn't a complete solution.

        For example, you probably allow IE or Word to run; AppLocker doesn't monitor what those processes execute and you are still at risk of this.

        The latest iteration of Craptolocker does make it difficult; databases can be tested if you have something like Veeam SureBackup, individual files are far harder.

      2. TheVogon Silver badge

        Re: Straw poll...

        "Use shadow copies and keep backups"

        Even the early Cryptowall versions deleted all shadow copies and encrypted any backups they could get to...

    2. Anonymous Coward
      Anonymous Coward

      Re: Straw poll...

      Mitigation seems to be much easier than prevention at this stage: A decent backup strategy (that's tested on a regular basis) would go a long way against this kind of crap.

      1. Anonymous Coward
        Anonymous Coward

        Re: Straw poll...

        A decent backup strategy (that's tested on a regular basis)

        This… is what saved us last time CryptoWall struck.

        That, and the fact that CryptoWall decided to try for some very big and juicy virtual machine images, which bogged it down since it was doing the re-write over gigabit Ethernet shared with the entire office. So it was something of a monkey-trap, it had a fist-full of files that it would not let go of, but couldn't fit its laden fist through the hole to release itself.

        I think we lost about 6 files on the network drives, none of which were of any great importance.

      2. Groaning Ninny

        Re: Straw poll...

        But did you read the bit: "That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key."?

        The encryption happens under your nose, without you being aware of it for a number of months. You don't know about it because there's a decryption layer in place... until they decide to ask for the ransom.

        Even backups aren't going to save you now. Even if you have backups going back that many months, can you afford to lose all the work you've done since then?

        This is getting really ugly.

        1. 2+2=5 Silver badge

          Re: Straw poll...

          > But did you read the bit: "That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key."?

          > ...

          > This is getting really ugly.

          The really ugly bit is if (when) your anti-virus program gets an update, realises you are infected and removes the virus. Then you suddenly find there is no way to decrypt your data, and you don't even have the option of paying the ransom.

          1. Martin an gof Silver badge

            Re: Straw poll...

            The really ugly bit is if (when) your anti-virus program gets an update, realises you are infected and removes the virus. Then you suddenly find there is no way to decrypt your data, and you don't even have the option of paying the ransom.

            Interesting dilemma though, isn't it? There's a similar one regarding hostage takers. If the policy is never to give in to demands then inevitably that means there will be some casualties - hostages will be injured or killed - but equally if the hostage takers realise that they will never get paid, even if they prove willing to kill the hostages, does that make it less likely they (or others) will try again?

            The loss of data is similar. It's unlikely to be as bad publicity as a government refusing to pay up for its citizens, so if all anti-virus programs remove the ability to pay up, and the people behind the encrypting software realise they will never get paid, does that mean they'll stop doing it?

            Of course this will never work because there is always someone who will pay.

            Where's the IT equivalent of the SAS, parachuting in, in the dead of night to "take out" the hostage takers and recover the hostages?

            M.

    3. John H Woods

      Re: Straw poll...

      I'm not sure I really know what I'm talking about here but how about "almost WORM" storage systems, where there is firm/hardware based version control and old versions can only be deleted when a hardware switch is engaged?

    4. Doctor Syntax Silver badge

      Re: Straw poll...

      Tackle it at OS level.

      Store data in a drive or partition only accessible to specific servers. Applications request read/write through these services, similar to a database engine. ID is extended to include application as well as user so the service can be set up to limit write access to the correct application & maybe grant read access to other specified applications e.g. you can only update your contacts via the contact app but your email client can ask for an email address.

      The server would need a mechanism for verifying the ID of the request and the application installation mechanism would have to be fairly closely guarded to ensure substitutions weren't made.

      One tricky aspect would be having storage that is out of bounds to the kernel - or maybe some sort of micro-kernel arrangement. I'm not sure Windows could manage this but maybe OpenBSD could.

    5. theOtherJT

      Re: Straw poll...

      All our user data is held on ZFS running on Linux or BSD machines, which are mounted as SAMBA shares on the windows boxen with GP to redirect every folder the user can write to onto the network drive. No access to any local filesystem is permitted.

      ZFS snapshots hourly, sends backups to the onsite backup (more ZFS) nightly, and the onsite backup backs up offsite weekly.

      Any user machine that is infected with anything is simply confiscated and an identical unit dropped in to replace it whilst it is DBAN'd and then re-installed by one of our hell-desk monkeys. During this process the user gets a strict telling off and isn't allowed to carry on working until they've reset every password we have under the watchful eye of one of our IT team.

      Obviously it's not perfect - users could manage to get files in their home directory encrypted and then that could make its way through the layers of backups before they noticed. On the other hand, there's a word for data like that: "WORN", so it probably won't matter.

      Mostly however we protect ourselves by running Linux on every desktop that doesn't _HAVE_ to run Windows for operational purposes. In a building with over 1000 machines in it, the asset DB tells me only 89 of them are Windows.

      1. This post has been deleted by its author

    6. Anonymous Coward
      Anonymous Coward

      Re: Straw poll...

      Put Windows in the bin where it belongs.

      1. Anonymous Coward
        Anonymous Coward

        Re: Straw poll...

        >Put Windows in the bin where it belongs.

        No, Windows is actually a decent host OS for VMs (for home use anyway) and for the widest selection of games they need that Windows bare metal. Try not to access the internet with Windows though, regardless. Solaris runs nicely under VirtualBox on Windows and it gives you a sweet unity mode for free for non-business use. That way you can run all your internet apps under Solaris right on your Windows desktop and, at least for me, it had all the software I needed available.

  4. Mark 85 Silver badge

    $325M (US) in one year <low whistle>

    I realize that they have <ahem> expenses... but this is unbelievable. I almost would expect them to drop out of sight and go live on their ill-gotten gains.

    Ok.. expenses.. cops maybe? Influential country leaders? Bankers? Someone's handling the money at their end.

    Who would know...? Since TOR is involved, I'd suspect that NSA or one of the 5-Eyes would or could know but then they would lose a tool for their escapades in spying.

    Still.. that much money and they're still at it. They must have one hell of a retirement fund set up. And yes, if they're ever caught, hanging would be too good for them.

  5. Anonymous Coward
    Anonymous Coward

    Send the Scumbags to Siberia (without a coat)

    Oh wait.... Perhaps they are there already????

    1. Anonymous Coward
      Anonymous Coward

      @AC - Re: Send the Scumbags to Siberia (without a coat)

      You mean they are already in Siberia or they are already without a coat ?

  6. Vernon

    perhaps it is state sponsored, hence the continuing attacks?

    1. Jim Cosser

      Unlikely to be state sponsored; generally they are after information and so are low and slow. The last thing a state sponsored attacker would do is raise a flag.

      This is classic organised crime, lots of these gangs are moving from drugs into malware because of better margins and less chance of getting caught.

      1. GrumpyOldBloke

        States have all manner of objectives. Stuxnet was not about gaining information, it was about industrial espionage. The CIA has a long and poorly distinguished history of drug and gun smuggling to raise money for the gift of democracy and freedom. Iran-Contra or, more recently, Fast and Furious had objectives other than information. The 'intelligence' agencies supporting the 5-eyes shadow government monitor all internet traffic that passes through their domains and the NSA has compromised TOR. Is it really conceivable that they cannot trace the traffic or, failing that, cannot offer a decryption service? It is far more probable that this is yet another black ops money raising exercise for people like ISIS R US than to believe that the combined resources of Western governments cannot hack a control server in plain sight on the internet and find the people behind the malware.

        1. Jim Cosser

          True, there are different motives, but the only motive here is money. Stuxnet isn't really comparable; it was also low and slow, trying to hide itself and the damage it was doing for as long as possible.

          It's a profit exercise, as another poster points out sometimes to stop these kind of things as a government you would need to show your hand in terms of tooling and control. It doesn't always mean they couldn't stop the attackers just that it's a balance.

          It could be a government but I think it's way less likely than an organised crime group.

          1. g e

            Slush fund generator

            Would be an excellent way for a state attacker to generate unaccountable slush fund cash to fund other 'more traditional' activities below an auditing/accounting radar.

            1. veti Silver badge

              Re: Slush fund generator

              In 'state sponsored' terms, this would be pretty small potatoes. For comparison, the UK - itself a second-rank player in intelligence - spends about £2 billion a year on the whole field, so one-third of a billion over several years doesn't really compare.

              No, this is organised crime at its best worst most typical.

      2. Vic

        less chance of getting caught

        Strange, that.

        We keep getting new laws foisted upon us that are supposed to help the Authorities keep us safe from this sort of thing. We keep hearing that the Authorities are keeping us safe.

        So why are these criminals not already behind bars?

        Vic.

        1. John Crisp

          Cos they haven't got a back door.... or so they'll bleat

      3. foliovision
        Pirate

        As others have noted, who would have believed that the CIA would sell weapons to Iran to finance illegal guerrillas in Nicaragua? Yet Oliver North told us it's true.

  7. msknight Silver badge

    They will be hunted, they will be traced, they will be caught. They already know this. It's only a matter of time. Enjoy the Ferrari while you can guys. The brightest burn the shortest.

    Prevention/detection? Checksums I guess. Behaviour issues on file stores; massive numbers of files being accessed at once should be an alert for the OS to stop and warn. As for the database key replacement... can't think of a way to handle that, unless the engine keeps a secondary repository and if the key changes, it flags up and stops processing.

    1. g e

      Most stored files are never modified

      So move them to an RO repository off your PC and only keep the stuff you are working on in a RW storage location.

      Will be doing that with the NAS's this week. Not that I expect to get caught but my security is dependent to some extent on the security of those I regularly communicate with and frankly they're probably rubbish.

      1. msknight Silver badge

        Re: Most stored files are never modified

        Agreed, I already do this myself. Have done for a few years. The normal desktop account can read, but there is a separate account for write back to the OpenIndiana server via SFTP. And even then, none of those accounts have admin access to the server itself; those are separate accounts yet again.

        Of course, a physical attacker can work their way through that, but it should be enough to stop software.

  8. Count Erpoint

    another b*s* estimate

    Did we learn nothing from the billion vulnerable to Stagefright, yet not one Android phone compromised?

    The only hard fact is that 992 businesses complained they were asked for between $200 and $10000. Anecdotally, most of it is for the low end, where it is easier to pay than to bother pulling out the backup. The reason is that crims do not know the victim and assume it is SOHO. So actual take is probably $5MM / year, and declining returns.

  9. Palpy

    Seen the future, it is murder?

    Clearly conventional antivirus is not pro-active and the crims are increasingly making it irrelevant. Are Windows workstations and average office users an unfixable exploitation route? If so, perhaps at some point businesses may move internet-facing workstations to something like Qubes OS -- the only way to access internet is through an untrusted VM; the only way to work on critical data and files is in a privileged VM which can't access anything beyond the hypervisor's firewall VM.

    On the other hand, the entity for which I work is so deeply vested in Microsoft and Windows that it would be a huge budget-time-staffing effort to move even one department to an alternate OS, let alone the city-wide mass of vulnerable workstations currently squatting on line workers' desks. I suspect this is typical of many businesses' infrastructure?

    Quod tempora haec.

    1. POSitality

      Re: Seen the future, it is murder?

      Haha! Almost exactly my set up :)

      I limit general surfing to a Linux running inside VirtualBox, games playing to the Windows host and all my "work" on a Windows VM running on a separate Hyper-V server. Maybe it's slightly annoying switching between the three but speed-wise it's barely any different than running it all through one Windows PC.

      I take your point on OTT firewall settings though. On my next rebuild I'll take your tip and drop the "work" VM completely off the Internet and make it LAN-access only. I'll probably also dump my Windows Server in favour of something like FreeNAS. The only attack vector I'll probably leave open (purely for convenience) is sharing the clipboard between machines.

      If you think of it like this: what do you need Windows or OSX for (the former being the most dangerous)? I can only make a case for games and Visual Studio.

      Oh and a shout for GlassWire, not particularly efficient but very beautiful firewall monitor :)

    2. John Sanders
      Linux

      Re: Seen the future, it is murder?

      It would be easier in some environments not to have an OS that can execute things by default and a browser restricted to be able to use internal stuff only.

      Just saying.

  10. technocrat

    Thank god for Datto! Expensive but worth every penny! We got hit with Cryptowall 3 and were back up and running in minutes....

  11. JEF_UK

    Backups? Check them!

    Where I worked I saw similar/v3? on two networks at companies. ( + many home users)

    Any suspect PC was formatted server in to ours ( in same town.) blast away "Data" partition;

    Restore backup; Server back on site at 8 am next day.

    I get paid and paid again to implement what I had advised.

    Someone will say "you can't take a server out, how can anyone work!"

    Eh.... no one could work?

    One company had not had any backup 2 months prior when I started their IT support. They swapped the USB disk... both were dead.

    How do you prevent this? Policies!

    I'm blocking PE files at the perimeter to most desktops. I'm SSL bumping EXCLUDING the bank(s) used. Scanning all with inline AV. Email goes through a "cloud" spam/virus service, on-box AV before getting to an Exchange server with suitable AV and policies. User gets an email (normally they don't understand) and calls up:

    "You received an attachment from 'blod@place.com'. The attachment was rejected; they have been contacted automatically but you are advised to contact this person.

    The original email is attached."

    Email servers can exclude zip and EVERY vector I've seen has been in a zip. Yeah, it's a bit of a pain; what IS worse?

    Also only PCs I have seen any crypto ransom-ware on run "not an AV" MSE. That's a swear word.

  12. Zog_but_not_the_first Silver badge
    Alert

    And the open skylight is...

    Have the companies or individuals that have fallen victim to this extortion indicated how the attack was made (insofar as they might know)? Dodgy links in dodgy emails? Dodgy web sites? Rogue USB sticks?

    1. MJI Silver badge

      Re: And the open skylight is...

      All I have come across are emails and accountants

      1. moiety

        Re: And the open skylight is...

        I'm getting a lot of dodgy emails these past few weeks; all vaguely business orientated. I would imagine that email attachments would be the main vector, so the cheap and nasty way would be to get your mailserver to filter out any attachments that are executable or archive files.
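Both JEF_UK's observation above that every vector he has seen arrived in a zip and moiety's suggestion of filtering executable or archive attachments at the mail server can be turned into a single gateway check. The following is an added example, not code from any commenter or from The Register; the extension list, the nesting limit and the in-memory sample attachments are constructed assumptions for illustration:

```python
"""Attachment screening for the 'everything arrives in a zip' case.

Added example; not code from any poster. Builds zip attachments in memory
and checks every member (recursing into nested zips) for Windows PE
content, using both the file extension and the 'MZ' magic bytes, so a
renamed executable such as invoice.pdf still gets caught.
"""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Extensions commonly used to deliver executable code by email (assumed list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".dll",
}
PE_MAGIC = b"MZ"          # first two bytes of every Windows PE file
MAX_DEPTH = 3             # assumed: deeper zip-in-zip nesting is itself suspicious


def looks_executable(name: str, head: bytes) -> Optional[str]:
    """Return a reason if the member looks like executable code, else None."""
    lower = name.lower()
    for ext in EXECUTABLE_EXTENSIONS:
        if lower.endswith(ext):
            return f"executable extension {ext}"
    # Extension is harmless-looking but the content is a PE binary.
    if head.startswith(PE_MAGIC):
        return "PE header (MZ) despite extension"
    return None


def scan_zip(data: bytes, prefix: str = "", depth: int = 0) -> List[Tuple[str, str]]:
    """Walk a zip held in memory; return (member path, reason) for each finding."""
    if depth > MAX_DEPTH:
        return [(prefix or "<root>", f"zip nesting deeper than {MAX_DEPTH}")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A corrupt or fake archive is rejected rather than waved through.
        return [(prefix or "<root>", "not a valid zip archive")]
    findings: List[Tuple[str, str]] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            with archive.open(info) as member:
                head = member.read(2)
            reason = looks_executable(info.filename, head)
            if reason:
                findings.append((path, reason))
                continue
            # Nested archive ("PK" local-file header): recurse into it.
            if head == b"PK":
                with archive.open(info) as member:
                    findings.extend(scan_zip(member.read(), prefix=path + "/", depth=depth + 1))
    return findings


def should_reject(attachment: bytes) -> bool:
    """Gateway policy: reject the mail when the scan produces any finding."""
    return bool(scan_zip(attachment))


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to construct sample attachments in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a benign note, a renamed PE, a nested zip.
SAMPLE_CLEAN = build_zip({"notes.txt": b"quarterly figures attached"})
SAMPLE_RENAMED_PE = build_zip({"invoice.pdf": b"MZ" + b"\x00" * 64})
SAMPLE_NESTED = build_zip({"inner.zip": build_zip({"update.scr": b"MZ\x90\x00"})})

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("renamed", SAMPLE_RENAMED_PE), ("nested", SAMPLE_NESTED)):
        print(label, "reject" if should_reject(sample) else "accept", scan_zip(sample))
```

The MZ check is what catches the "double extension" and "archive inside an archive" tricks that an extension-only filter misses.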

        1. Anonymous Coward
          Anonymous Coward

          Re: And the open skylight is...

          Two vectors come to mind:

          - email attachments

          - malvertising

          The former has been with us since the early days of MIME email. The latter is more recent, and harder to shield against.

  13. teknopaul Silver badge

    gotta be state run

    Or mafia.

    How do you launder .3 billion? You need more than just crypto tech skills. If it were really a lone wolf he'd have a life's work trying to spend that amount.

    1. Old Handle

      Re: gotta be state run

      The other possibility is they're just sitting on it, unsure what to do next, much as Dread Pirate Roberts apparently was.

  14. Nifty

    So is Bitcoin the root of all evil?

    All the while, Bitcoin is the elephant in the room.

    Without an anonymous online payment system, ransomware would not be a profitable industry.

    And how are we to know that ransomware is not funding terrorism?

    Is it time for a 'licensed' version of Bitcoin to appear, with a snoopers charter attached, and non-licensed Bitcoin becomes illegal?

    1. Grikath

      Re: So is Bitcoin the root of all evil?

      Yeah, and organised crime did not have ways to make large streams of money virtually untraceable up until virtual playmoney was thought up.

      Virtcoins make things easier and more cost-effective for the crims, that is about all.

    2. Anonymous Coward
      Anonymous Coward

      Re: So is Bitcoin the root of all evil?

      You forget wire transfers: the money laundry de facto of the past. All Bitcoin does is take mules out of the equation, but they can easily be put back in.

      And as for all the people demanding the head honchos'...heads, how do you do that if they're located in a country hostile to the West like Russia or China?

    3. Old Handle

      Re: So is Bitcoin the root of all evil?

      I've only encountered ransomware once, but it didn't ask for bitcoin, it asked for "Green Dot Moneypak", some sort of pre-paid cash card. So did the tech support scammers who called "from Windows" to fix my computer (I strung them along to get to this part for the hell of it).

  15. Haku

    "Badly-Coded Ransomware Locks User Files and Throws Away Encryption Key"

    At least with Cryptowall 4.0 there is a possibility of retrieving your non-backed up data, unlike this strain of ransomware that completely irreversibly encrypts your data with no chance of ever getting it back:

    http://it.slashdot.org/story/15/11/08/1353209/badly-coded-ransomware-locks-user-files-and-throws-away-encryption-key.

    Back your shit up, people, back it up good and proper.

    1. David Pollard

      Re: "Badly-Coded Ransomware Locks User Files and Throws Away Encryption Key"

      ... and test samples on separate hardware to check that the backup works.

      1. Preston Munchensonton

        Re: "Badly-Coded Ransomware Locks User Files and Throws Away Encryption Key"

        IT Rule #1: Always have backups.

        IT Rule #2: No seriously, fucktard. Back your shit up and test it, already!

  16. Tezfair

    Seen it three times..

    1. 'Client' staff member opened payload and decided to ignore it, went home with pc running, next day couldn't figure out why she wasn't able to access anything, ignored it for most of the day until she got hold of me. Had to restore data from 3 days prior because the last 2 were also infected.

    2. Called out to a domestic job, basically his laptop was fully encrypted, as was his backup which was also connected at the time. He admitted that he had taken it to a local IT shop for repairs and they couldn't do anything, so called me out. I worked out that he had been infected some 2 weeks earlier and told him that there was bugger all that anyone could do.

    3. 'Client' staff member emailed me to say that a file on her desktop was no longer accessible, but because she had been busy hadn't bothered to get in touch. I remoted in and only because her machine was full of old profiles and offline server work had it kept the crypto busy all day locally. It had just started to munch through the server when I screamed at her to pull the network cable.

    Spiceworks gave me a good method using file services / monitoring that I have in place at all the sites so if a crypto starts on the server I get an email (because clearly I can't rely on AV or users).

    I still think there needs to be some sort of background monitor that can be installed on local machines that will flag up a message or perform an action that if x number of files are read / modified within x number of seconds. Maybe there needs to be a folder / honeypot on the local drive that contains a couple of hundred small docs so the only thing that would access it would be a crypto.

    It's just a thought.
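A minimal version of the two checks Tezfair describes, a honeypot folder of small documents and a "x files modified in x seconds" counter, as an added example that is not part of the thread. The folder location, file count and thresholds are made up for the demo; the canary check is independent of how fast the files are rewritten, which is what makes it useful against a slow encryptor.

```python
import hashlib
import os
import tempfile
from collections import deque


def plant_canaries(folder, count=200, size=512):
    """Write `count` small dummy .docx-named files; return {path: sha256}."""
    os.makedirs(folder, exist_ok=True)
    baseline = {}
    for i in range(count):
        path = os.path.join(folder, f"canary_{i:03d}.docx")
        data = f"canary {i}\n".encode().ljust(size, b".")  # constructed filler
        with open(path, "wb") as fh:
            fh.write(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline


def check_canaries(baseline):
    """Return canary paths whose content changed or that disappeared."""
    tripped = []
    for path, digest in baseline.items():
        try:
            with open(path, "rb") as fh:
                current = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            tripped.append(path)
            continue
        if current != digest:
            tripped.append(path)
    return tripped


class BurstDetector:
    """Flags when more than `max_events` modifications land within `window` seconds."""

    def __init__(self, max_events=50, window=10.0):
        self.max_events, self.window = max_events, window
        self.events = deque()  # timestamps still inside the sliding window

    def record(self, timestamp):
        self.events.append(timestamp)
        while self.events and timestamp - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) > self.max_events


def demo():
    """Simulate a bulk rewrite of the honeypot folder; return (tripped, burst)."""
    folder = os.path.join(tempfile.mkdtemp(), "honeypot")  # constructed location
    baseline = plant_canaries(folder, count=20)
    detector = BurstDetector(max_events=5, window=10.0)
    burst = False
    for n, path in enumerate(sorted(baseline)):  # overwrite every canary
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 512)  # stand-in for ciphertext
        burst = detector.record(100.0 + n * 0.1) or burst
    return len(check_canaries(baseline)), burst


if __name__ == "__main__":
    print(demo())  # -> (20, True)
```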

    1. Anonymous Coward
      Anonymous Coward

      Re: Seen it three times..

      Nice idea on the background monitor, but I fear it is doomed. A common feature of the victims' experience is the time between first being infected, first noticing and then calling in IT help. So an attacker can go low and slow for a few days and still fly under the radar of a monitor.

      And that's to say nothing of legitimate systems that beat up the filesystem. Have you ever run FileMon on a Windows machine? It's a wonder the hard drive in most laptops isn't on fire!

      I predict in a few years that someone will start offering cloud VDI good enough for home users and then perhaps the attacks will cease (or at least be aimed at the cloud provider, hopefully who has a clue). That leaves games, which I would be sorry to lose on the PC platform. Of course, if VDI takes off, no one will ever buy a PC again and games for PCs will disappear.

      1. Anonymous Coward
        Anonymous Coward

        Re: Seen it three times..

        "Of course, if VDI takes off, no one will ever buy a PC again and games for PCs will disappear."

        As the song goes, "Ain't nothin' like the real thing, baby." Anyone that's tried to graft VDI onto games has run into the sheer physical obstacles of lag and bandwidth. Consoles have tried to make a dent on PC gaming for three generations or so, and instead they've switched gears. Xbox One, PS4, Steam Machines, even today's arcade machines are all based on PC architecture.

  17. captain veg

    language mauling

    "One of the most unique was a variant that silently encrypted and decrypted databases on the fly in a bid to avoid detection."

    If you must mash the English tongue, do it properly. It's "uniquest".

    -A.

    1. Zippy's Sausage Factory

      Re: language mauling

      You can't qualify "unique", surely? And anyway, I'd prefer "One of the most terrifying" personally.

      1. captain veg

        Re: language mauling

        > You can't qualify "unique", surely?

        You can, but only once.

        Don't call me Shirley.

        -A.

    2. Groaning Ninny

      Re: language mauling

      Nah - it's "most uniquer"

      Put an -est on the end of that if you want.

  18. captain veg

    world's worst ransomware

    Some new variant of the Irish virus?

    -A.

    1. Annihilator

      Re: world's worst ransomware

      Yeah I wondered that. Worst ransomware, or best ransomware? All a matter of perspective...

  19. phil dude
    Joke

    this is an absurd post...

    Surely, without the ransom part, this would be pretty good enterprise software?

    I mean, trains are for people, not unencrypted govt laptops...

    P.

  20. Glenn 6

    Stop hiring computer-illeterate people!

    Since using a computer is an essential part of any business, why are businesses not including even some basic computer skills and security training when they hire people? Businesses today still think they can just show any old employee what to click on and how to use their specific app, and not care if they understand basic computing.

    The result is what you see in every office: people who click on any browser popup, install any toolbar, open any email attachment, etc etc. The fault here lies with the business owners - who 99% of the time aren't computer knowledgeable themselves - for not making computer skills a required qualification.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stop hiring illiterate people!

      Better.

    2. Anonymous Coward
      Anonymous Coward

      Re: Stop hiring computer-illeterate people!

      "Since using a computer is an essential part of any business, why are businesses not including even some basic computer skills and security training when they hire people?"

      Probably because if they did that, they'd exclude all applicants. It's hard to set a high bar when no one can clear it.

    3. Anonymous Coward
      Anonymous Coward

      Re: Stop hiring computer-illeterate people!

      "Stop hiring computer-illeterate people!"

      Ah, the ironing is delicious..

    4. Medixstiff

      Re: Stop hiring computer-illeterate people!

      "Since using a computer is an essential part of any business, why are businesses not including even some basic computer skills and security training when they hire people?"

      We use http://www.securingthehuman.org/ - all staff have to go through the 50-odd videos followed by the accompanying questions. What really gets them is that if they get one wrong, the answers change, so answer A will now be C, which really makes them look at the question and answers properly. They must do this within the first month of starting.

      Then one month every year - we just did ours in October - all staff including the CEO and IT staff, do the training again, as they do update their videos and answers.

      We have found just by doing this, we are getting way less people clicking on stuff willy nilly. We've had 3 USB keys dropped near our premises in the last year, two had malware, all three were passed directly to ICT, and even better, staff are now putting anyone calling up and asking questions of a social engineering nature - what OS do we use and all that type of thing - directly through to IT. So it has definitely made a difference to ourselves.

    5. John Sanders
      Thumb Up

      Re: Stop hiring computer-illeterate people!

      Yes,

      Most people make terrible decisions/mistakes because they do not know better. A small training course every now and then explaining what a virus is, what a phishing scam is, and basic computer usage training goes a very long way to improve things for a fraction of the cost of most security suites.

      Security is a process not a feature.

      Also using an OS that does treat everything as an executable helps a lot in this regard.

  21. captain veg

    illegal encryption

    "Ransomware has ripped through scores of businesses and end-user machines in sporadic and targeted attacks that have cost victims millions of dollars in ransom payments made to criminals who have illegally encrypted valuable files."

    Careful, it's not illegal yet.

    -A.

  22. G R Goslin

    Perhaps

    Perhaps you should ask GCHQ if they'd let you have a copy of their copy of your files as they were before Cryptowall struck.

  23. HAL-9000
    Alert

    There was a time

    When I was worried about being snooped on, but this lot behind Cryptowall are making the sooper dooper state snooper security look rather incompetent. Unless of course government spy agencies stand by and watch business and individuals getting ripped in this manner?

  24. A Ghost
    Boffin

    Time to add another tool to protect your PC

    Antivirus is just one line of defense. I don't rely on it at all. In fact, I could quite happily run without it.

    Try this new program called Voodooshield:

    https://voodooshield.com/

    --------------I am not affiliated with this company at all.---------------

    It's free and works on XP through 10. It's super lightweight, has a learning mode, and is compatible with all AV softs due to its design.

    I use it as an extra line of defense in my setups. In fact, on machines that I run with NO AV at all this is always on there as it is practically invisible with practically no performance hit.

    I think there is a good chance that Voodooshield would stop these cryptoviruses from running, due to how it works. It really is ingenious and there's nothing really like it to my knowledge. The free version will probably do all you want and will work fine for most use cases. If you want the extra features you can get a 2-computer license for 20 dollars I think it is.

    I use Voodooshield on my audio systems where no real time AV or AM is allowed to run, just pure system hardening via EMET etc. etc.

    I really think more people need to take a look at this. The guy that codes it is active on Wilders Security which as you know is pretty much the no.1 forum on the net for these things. The dev is open to feedback and is an excellent chap to deal with.

    --------------I am not affiliated with this company at all.---------------

    I use everything from system hardening via EMET, to sandboxing, to VMs, to AV/AM, on demand scanners, third opinion scanners, HIPS (host intrusion prevention systems) like Defense+, anti-keyloggers, anti-screengrabbers etc. etc. - Voodooshield is a whole other paradigm to everything else (though it may possibly be closest to HIPS) and works so silently in the background you would never know it is there. You need to train it for a bit (like any good HIPS), but that can be turned off and on. It really is a superb bit of software. For free, the protection it gives could prevent a lot of these nasties I believe, before they take hold.

    One last time, I've got absolutely no vested interest in this company at all. Just a heads up for those that don't know about it yet.

    Still, there is no substitute for having all your data backed up and tested!

    1. John Sanders
      Windows

      Re: Time to add another tool to protect your PC

      Or do not use anything like that and be fine, just do not do stupid things like running Windows systems connected to the internet for mission critical tasks.

      Having said that I think you are trolling.

  25. Rob Burke

    Very worrying...

    At my last company, someone executed a Cryptolocker binary from an unknown sender offering an invoice.pdf.exe in their personal Hotmail. I wish common sense could be taught.

    The result was about 30k encrypted files over multiple network drives. Spent a few good days cleaning that up... extracting the list of encrypted files from the laptop registry, regex pokery, excel, vlookups to shadow copy paths, conversion to robocopy scripts, running them in daily batches....

    The fact that this malware supposedly doesn't keep a plain text copy of affected files is giving me a cold sweat. I must remember to look into those PowerShell scripts tomorrow that try and prevent mass file changes...

  26. David Roberts Silver badge
    Devil

    On a more positive note

    It is good to see an IT business with strong financial numbers ploughing some of the profit back into product development.

    Perhaps the next step is to go legitimate and offer fully encrypted local and cloud storage and personal PC protection against other malware?

  27. NipseMuscle

    Not their fault.

    Don't blame the scammers who earn millions from ransomware. Blame companies like Microsoft and those in control of web standards for making it possible for them to commit these crimes in the first place. The scammers are like poachers; they can only get away with what the gamekeeper allows them to.

    1. John Sanders
      Windows

      Re: Not their fault.

      "Blame companies like Microsoft"

      Now we are getting somewhere!

      1. TheVogon Silver badge

        Re: Not their fault.

        "Blame companies like Microsoft"

        You know there are several Linux versions - including ones that infect NAS systems and websites? And those spread without user interaction!

  28. Anonymous Coward
    Anonymous Coward

    new disk format

    How easy will it be to create a disk format or disk firmware that prevents encryption? I'm not suggesting this necessarily for working machines, but for back-ups. This way, you will always be able to get data back (up to the last point a back-up was run).

    Imagine a USB drive that was completely safe from any future encryption ransomware - I think people would buy that - if it could be done.

    1. Anonymous Coward
      Anonymous Coward

      Re: new disk format

      How would you go about detecting encryption? How would any program be able to tell the difference between encrypted data and raw random noise?

      1. Fitz_

        Re: new disk format

        "How would you go about detecting encryption? How would any program be able to tell the difference between encrypted data and raw random noise?"

        Actually that might be relatively easy for certain data - you could abstract the filing system, perhaps by virtualising it, from the apps and probably also the OS itself (perhaps using off-box storage for everything, such as a NAS / SAN that the machine boots from; this could possibly be built into a hard drive at some point, but it must be accessible only at high level) with a system that was 'data aware'. For example, it knows what a .docx should look like, and if anything didn't fit into that data definition, it could be flagged, the storage cut off and the original recovered from snapshot.

        1. Anonymous Coward
          Anonymous Coward

          Re: new disk format

          The thing is, what if the .docx was corrupted from the outset, meaning the copy that's giving the system a hissyfit is in the snapshot, too? Plus, what's to prevent me from changing its assigned role? Finally, what about container formats that are multi-purpose. I can tell you magic numbers won't easily allow a computer to distinguish between an .epub, a .odt, and a .zip (because they're all, structurally, essentially identical to the last).

    2. John Sanders
      Holmes

      Re: new disk format

      The whole concept of the computing model you know and love is that there is no distinction between data and code.

      The processor only sees numbers; there is no way to distinguish anything other than you arbitrarily telling it what is what. You point it at data and it will happily try to execute it (and will obviously crash).

      On the other hand the OS could choose not to run everything that comes from the interwebs at the minimum opportunity.

    3. Anonymous Coward
      Alert

      Re: new disk format

      How easy will it be to create a disk format or disk Firmware that prevents encryption?

      Shhhh!!! France will try to make such firmware a legal requirement!

  29. jason 7 Silver badge

    Amazed at how many people...

    ...still don't have a clue about how this stuff works.

    "Make sure you have backups and you'll be fine!"

    Well yeah by all means, but make sure they are not connected to any machine or network as this thing will rip through your servers, mapped drives, NAS, USB HDDs and cloud. Seen it happen to a couple of small businesses in my area.

    Cryptoprevent installed on maximum! Oh and maybe upgrade the security and email scanning on your cheapo Exchange server hosting too!

  30. relmasian

    There is a simple way to detect ransom/crypto ware that would be hard to defeat. Just have your data drives read by another operating system that is independent of the one you usually use. Your "foreign" system should fail to successfully read ransomware encrypted files, telling you that your working operating system has been infected. This can be as easy as having Linux read Windows files or vice versa. The anti-malware/anti-virus people could also implement something that effectively does the same, although it would be a bit more difficult to do that within your usual operating system. Simply having a guaranteed uncontaminated machine running your usual operating system reading the working system's data disks might possibly do. The bad guys would have a problem trying to hide from a file reading process that is independent of the system they have contaminated.

    1. Anonymous Coward
      Anonymous Coward

      You know they've developed multi-system malwares capable of infecting both Windows and Linux machines in the same package? Meaning whichever system reads it, it can infect that system and compromise it, probably employ a privilege escalation and then take over the other OS.

      Another way may be separate payloads for different OS's that act as poison files. If you know you're going into a system that can be read from multiple OS's, then you could keep exploits for BOTH OS's so that you can deal with both the main OS and the guard OS.

      1. relmasian

        Anonymous Coward, I assume you are replying to my initial post.

        Yes, I do know that payloads can and are able to infect more than one operating system. However, the presence of a payload does not mean it is operational. Note that my initial post also said that you could actually use another version of your work system that was guaranteed not to be infected by just mounting a data drive on the guaranteed uninfected system.

        At some point a file read has to fail or no one would pay a ransom. Why not use that requirement to detect ransomware encrypted files? All you need is a disk read that is completely independent of your working system. As I said earlier, you could even have the code running under an infected operating system; it just cannot use any of the usual, possibly infected, disk read/write mechanism. Indeed, any computer that had its own, unique disk read/write method would make it difficult for ransomware to encrypt files in the first place, although it could be done by encrypting/de-encrypting at the application level.
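The 'data aware' storage Fitz_ sketches, the reply's point that .docx, .odt and .epub are all zip containers with the same magic number, and relmasian's "a read has to fail" argument all reduce to one test: does the file still parse as the format its name promises? This added example, which is not code from the thread, runs that test on constructed sample files, with a SHA-256 chain standing in for ciphertext; a file already corrupt when it was snapshotted comes back as "corrupt", which the checker cannot tell apart from damage done later.

```python
import hashlib
import io
import math
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
ENTROPY_LIMIT = 7.5  # bits per byte; ciphertext sits near 8, documents well below


def entropy(data):
    """Shannon entropy of `data` in bits per byte."""
    n = len(data) or 1
    freq = [data.count(b) / n for b in range(256)]
    return -sum(p * math.log2(p) for p in freq if p)


def container_kind(data):
    """docx, odt and epub all start with PK, so inspect the entries instead.
    Only entry names and one tiny entry are read; a real guard would parse in isolation."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "mimetype" in names:
                mime = zf.read("mimetype")
                if mime == b"application/epub+zip":
                    return "epub"
                if mime.startswith(b"application/vnd.oasis.opendocument"):
                    return "odt"
            if "[Content_Types].xml" in names and "word/document.xml" in names:
                return "docx"
            return "zip"
    except zipfile.BadZipFile:
        return "corrupt"


def verdict(name, data):
    """Does `data` still look like the format its extension promises?"""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext not in ("docx", "odt", "epub"):
        return "unchecked"
    if not data.startswith(ZIP_MAGIC):
        # rewritten by ransomware: wrong magic AND near-random; renamed/garbage: wrong magic only
        return "encrypted?" if entropy(data) > ENTROPY_LIMIT else "magic-mismatch"
    kind = container_kind(data)
    return "ok" if kind == ext else kind if kind == "corrupt" else "mismatch:" + kind


def make_container(entries):
    """Constructed sample: an in-memory zip built from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


def fake_ciphertext(n=4096, seed=b"constructed sample"):
    """Constructed stand-in for an encrypted file: a SHA-256 chain, not real cipher output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])
```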

        1. Anonymous Coward
          Anonymous Coward

          And I'm saying that the very act of reading the file can become an infection vector. That's why you have poisoned JPG files and StageFright. Meaning there's no real way to guarantee your system will not get infected from an ingenious zero-day that can nail both real systems and guard systems regardless. And recall that newer malwares are smart enough to sleep in for a bit to try to sneak into backups and to prevent immediate detection by "poison tasters".
