"Keeping up-to-date backups would obviate the need to cave into such demands, and remains the best strategy for safeguarding against ransomware infection."
Jim Sensenbrenner offers an alternate safeguarding method.
Cybercrooks have begun retailing a new easy-to-use ransomware strain that promises profit with only one successful infection. Karmen is being sold on Dark Web forums from Russian-speaking cyber-criminal DevBitox for $175. The new ransomware-as-a-service variant offers a graphical dashboard, allowing purchasers to keep a …
Yes, but a proper backup system comes into your PC, so you don't have any access rights (normally) on the backup system. After all, if your admin rights are compromised on the PC in the first place to run the nastier sorts, then it can go after backups as well.
Of course, without any backup there is nothing stopping your account from permanently trashing your own files, which is one of the key reasons ransomware works - you don't need a sneaky zero-day privilege escalation, simply the ability to trick the user into executing something by ANY means.
Setting user-writeable areas to no-execute may be a useful step...
Of course, if the malware gets sneaky and goes after the backups first, and they need to be online at some point in order to receive the backups...
Ah, well done. You've just mentally constructed the argument against online-only backups and lack of separation.
This be why many of us simply kept using those horribly unfashionable and uncool tape drives that the company had already paid for, and simply continued to feed it tapes every day. As a result, many of us have several weeks' worth of full backups with archived tapes dating back literally years stored offline and offsite, so we just sort of look bemusedly at people who have these problems.
"...we just sort of look bemusedly at people who have these problems"
Others realise that they need greater RPO/RTO than tapes can deliver, need more flexibility, capacity, less manual intervention for a lower cost and want to be able to mount backups as VMs anywhere near instantly and get better than a simple verify check to ensure that their backups are consistent and databases mountable.
It is those people who look bemusedly at people who use tapes as a daily backup and not as an archiving tool and use a well configured, redundant and secure disk based backup system.
Recently, at a client, I asked how they organised backups. "We have a perfect solution! Our data is backed up immediately: it's mirrored to our second data centre location. So we even have it stored off-site."
Muhahahahah, I think, while sending them a certain attachment. And I provide advice to those very receptive clients' ears on the risks and how to do backups properly.
"Karmen automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim's computer..."
So, what sort of analysis software? Is it bespoke and proprietary to the security vendors or is it likely to be included in the average AV software?
Because, if the latter, it sounds like keeping it running in the background provides an added insurance policy against infection (along with backups, of course).
They're talking physical honeypots: bait computers set up to catch malware in order to analyze it. Karmen's obviously designed to be honeypot-resistant, probably by performing something a honeypot MUST catch or there's a risk of the honeypot itself being subverted. If it's trapped, the malware knows there's a honeypot. VMs are another way to do honeypots which is why VM detectors are now standard fare (and unfortunately, extremely difficult to fool thanks to physical limitations that can be detected by things like external timing attacks).
So what we need is a file system that doesn't delete files, it just creates a new version. Just like DEC used to do with VMS. That way you'd find all your files have been encrypted but the malware wouldn't be able to remove the pre-encryption files which could then be restored once the malware was purged.
Anyone know if there's a mature Linux file system that does this?
Depends on how 'mature'.
Btrfs supports snapshots and is supposed to be production ready now. ZFS works well but you have the licensing issues (if you care) and again you get copy-on-write snapshots so they take little space for most (i.e. non-changing) files.
So try one of those and set up a cron job for snapshots. FreeNAS offers that in the GUI as it uses ZFS, but you have to make sure you tell it to do the whole file system tree - so check it is actually snapshotting what you expected!
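As an added example of the cron-driven snapshot approach suggested in the reply above (this is my own script, not code from the thread, from Btrfs, or from FreeNAS), here is a small POSIX shell job that takes a read-only Btrfs snapshot of a subvolume once a day and keeps only the most recent `KEEP` of them. The paths `/home` and `/.snapshots/home`, the 14-day retention, and the `DRY_RUN` switch are all assumptions; with `DRY_RUN=1` (the default) it only prints the `btrfs` commands it would run, so it can be exercised on a machine without Btrfs.

```shell
#!/bin/sh
# Added example: daily read-only Btrfs snapshot with simple rotation.
# Assumes SRC is a Btrfs subvolume and DST is a directory on the same filesystem.
set -eu

SRC="${SRC:-/home}"             # subvolume to protect (assumed path)
DST="${DST:-/.snapshots/home}"  # where snapshots are kept (assumed path)
KEEP="${KEEP:-14}"              # how many daily snapshots to retain
DRY_RUN="${DRY_RUN:-1}"         # 1 = only print the commands, 0 = execute

# Name for today's snapshot, e.g. home-2024-03-04. The YYYY-MM-DD suffix
# makes names sort chronologically with a plain lexical sort.
snap_name() {
    printf '%s-%s\n' "$(basename "$SRC")" "$(date +%F)"
}

# Read snapshot names on stdin (one per line) and print those that fall
# outside the retention window, oldest first. Prints nothing when the
# number of snapshots is at or below the keep count.
prune_list() {
    keep="$1"
    sort | awk -v keep="$keep" '{ a[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print a[i] }'
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# A read-only (-r) snapshot cannot be modified or encrypted in place; it can
# only be deleted as a whole, and that needs root on the host, not the rights
# of the user whose files the ransomware is running as.
take_snapshot() {
    run btrfs subvolume snapshot -r "$SRC" "$DST/$(snap_name)"
}

# Delete snapshots beyond the retention window.
rotate() {
    ls "$DST" 2>/dev/null | prune_list "$KEEP" | while IFS= read -r old; do
        run btrfs subvolume delete "$DST/$old"
    done
}

main() {
    take_snapshot
    rotate
}

# Cron line for a 02:00 daily run (assumed install path):
#   0 2 * * * DRY_RUN=0 /usr/local/sbin/snap-home.sh
main
```

The ZFS equivalent swaps the two `btrfs` calls for `zfs snapshot pool/home@$(snap_name)` and `zfs destroy`, and the rest stays the same. The caveat the rest of the thread already makes applies: a snapshot lives on the same disk as the data, so it protects against a user-level encryptor but not against a compromised root account, a dead disk, or a lost site; it complements the offline and offsite copies discussed above rather than replacing them, and the snapshot list should be checked after the first run to confirm the expected subvolume is actually being captured.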
Would it kill anyone to put some actual details of the crypto/ransomware in the article?
Platform? I'm guessing Windows
Attack vector? Office document macros, drive-by vulnerability, trojan, malvertising? What?
Such details are important to people whose job it is to keep systems working. An online search mainly gives you a long list of advertisers who are cross posting info to score higher on sites like Duck Duck Go (as opposed to paying Google for being first in the search list) but no actual data on attack vectors in use.
All I found so far is "The malware is .NET dependent and requires PHP 5.6 and MySQL." - which seems to suggest that having MS code on a Linux platform is not one of the best ideas ever, but that isn't news either.
I have no idea what possessed the original researcher Utku Sen to put the working basics for this online ("hidden tear"), but IMHO he deserves to get sued into the ground for the consequences.