Ransomware Goes Big Time

by  Alex Tabarrok in

Washington Post: The cyberattack struck Los Angeles Valley College late last month, disrupting email, voice mail and computer systems at the public community college in Southern California. Then, school officials found a ransom note.

The missive advised the college that its electronic files had been encrypted and that the files could only be unlocked with a “private key.” The attackers would supply the key after receiving payment in the valuable digital currency known as bitcoin, which can be used anonymously without a centralized bank.

“You have just 7 days to send us the BitCoin after 7 days we will remove your private keys and it’s impossible to recover your files,” the attackers warned, according to a copy of the note obtained by The Washington Post.

Leaders of the Los Angeles Community College District decided to pay the ransom.

The college paid $28,000 and the files were restored.

ArsTechnica: According to the FBI, ransomware payouts in the United States jumped from $25 million in all of 2015 to over $209 million in just the first quarter of 2016.

Clearly, this is just the beginning.

Comments

Ron Byrnes

How do the cyber criminals determine the ransom amount?

Axa

If they were able to encrypt the files they could also ran a search on emails where people discusses money. You make a guess of how much money they need to recover from the attach without paying the ransom and compare it with the liquid money the victim have access to. The ransom payment should be less but close to the lower of those two amounts......jeez, working on optimization problems has made a monster.

anon

Incorrect. Ransomware encrypts the data locally, attackers do not get access to it, so there's no searching through emails.

Some ask for a standard amount, some attack a certain class of targets (like hospitals) and have a higher ransom. And I suppose all of them know to raise the price if the victim is reckless enough to let them know what organization they represent.

Comments for this post are closed

Comments for this post are closed

Slocum

These places would have backups and could recover their systems, but it would take time and money, some things would likely go wrong, and they'd lose some number of transactions that hadn't been backed up yet...so the ransom has to look like an obviously better deal than having to go through all that.

Comments for this post are closed

Lord Action

Not joking here: A/B testing. They move towards amount that get paid.

Mark Thorson

That sounds worthy of a paper in Journal of Criminal Economics.

Lord Action

Maybe, but if you view this sort of thing as a part-time effort on behalf of some underemployed East German IT worker or web-programmer, it's not exactly surprising. It's the level of sophistication you'd expect.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Brian

Consider that this is an American college or university.

They should demand a thorough financial disclosure, including assets, sources of income, a long multi-year history of tax and balance sheet documentation, and bank records.

Then they can determine the maximum to charge every one of the clients. Just like the school does.

Comments for this post are closed

Comments for this post are closed

David Pinto

I was at a cyber security talk in 2015 that discussed this issue. My take-away was that law enforcement is afraid of these hackers coming after them and is not doing much to stop these attacks, nor capture the perpetrators. Their advise is to pay the ransom.

This is why institutions need a good disaster recovery plan. If an attack like this happens, throw the old machines out and restart from backup.

Lord Action

Backups don't really solve the problem in general. Depending on how long they let you operate with the encrypted files, you may have nothing but encrypted backups.

Sergey

This is absurd. Once files are encrypted, you're locked out.

Lord Action

What are you talking about? How often do you test your backups?

Are you assuming the files become non-functional when encrypted? That nobody leaves a wrapper around them that they later turn off? I.e., you are assuming no quiet encryption occurs?

Lord Action

I should note that to my knowledge, this isn't very common yet. But it's certainly talked about a lot in infosec circles.

Comments for this post are closed

Ray Lopez

Yes, you're right even when you're wrong Lord Action. Inspired by your original post (I also code in C# for fun, or used to when I had more time), I found out your 'wrapper' idea is ahead of its time (for now, I'm sure they'll think of it later, like those polymorphic viruses that change their hash signature). From nomorerandsom.org: "Back-up! Back-up! Back-up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to create two back-up copies: one to be stored in the cloud (remember to use a service that makes an automatic backup of your files) and one to store physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from your computer when you are done. Your back up copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure" - this advice only works if there's no "ON/OFF" switch on the ransom virus.

Comments for this post are closed

Jeff

I believe Ray Lopez is correct here and it's what I do. And yes, I do a test restore from time to time. It's worth noting that some online backup services are starting to offer endless versioning - they keep all versions of your files back to when they were first created. So although it may take a bit of work to find how far to go back, in theory everything can be recovered.

Comments for this post are closed

Sergey

If the wrapper makes the files readable, that's what's getting into backups as well.

Comments for this post are closed

Lord Action

Regarding quiet encryption, I didn't invent it; I think I first heard of it on the defensive security podcast something like a year ago. https://www.defensivesecurity.org/

What you describe helps with something simpler, and more common: trying to get on the network and directly infect the backups. That's not what I'm talking about, which is to transparently function with encrypted data for long enough that the backups are replaced with encrypted data. Then deny the key.

"If the wrapper makes the files readable, that’s what’s getting into backups as well."

Only if it has the key, right? The wrapper looks for the key every time the file is accessed (simplifying a little because I understand sometimes this involves replacing a library or something), all you do is provide the key for a while, and then stop providing it. The key need not reside on the infected device - it may be, for example, out on the internet.

Comments for this post are closed

Dan Lavatan-Jeltz

But if that were the case the key would also be backed-up. This is why real encryption systems have to enter a key on each boot. Every block of data accessible on the underlying storage media is backed-up, they are not doing something weird with access control lists.

Comments for this post are closed

Lord Action

"But if that were the case the key would also be backed-up. "

The key need not be present on the infected system. It need not be in a file that can be backed up. Heck, I'm sure with a little bit of public key encryption knowledge, it need not even be present in a transitory fashion.

You implement a wrapper which queries a control server for the key whenever it's necessary to provide data to the user during the incubation period, when the ransomware victim is infected but not symptomatic. When you want the ransom, you just stop providing the key.

Comments for this post are closed

Sergey

>> If the wrapper makes the files readable, that’s what’s getting into backups as well.

> Only if it has the key, right?

No. If normal software can read the files as if unencrypted, backups software will as well and that's what will backed up and backups will be fine. Transparent background encryption is necessary to encrypt everything apparently at once not to raise alarm, but it doesn't corrupt backups.

Comments for this post are closed

Lord Action

"No. If normal software can read the files as if unencrypted, backups software will as well and that’s what will backed up and backups will be fine. Transparent background encryption is necessary to encrypt everything apparently at once not to raise alarm, but it doesn’t corrupt backups."

I don't think you understand. Decryption requires a key. Normal software can read the backups fine because the wrapper pulls in the key as necessary so long as the adversary supplies it. So your files look fine through the wrapper, and your backups look fine through the wrapper, as long as the key is being provided. But they are really all silently corrupted, or rather encrypted.

You just access them through your normal library, fileio() or whatever, that has been replaced by the adversary and now includes a call to a control server outside your system whenever you want to read or write something. And that control server provides the key for that transaction. If the adversary wants the encryption to become apparent they simply stop responding to the requests for a key.

Perhaps someone with computer experience can weigh in? Is Dan Weber around today?

Comments for this post are closed

Sergey

I write backup software for a living. Just stop.

Comments for this post are closed

TallDave

You just access them through your normal library, fileio() or whatever, that has been replaced by the adversary and now includes a call to a control server outside your system whenever you want to read or write something. And that control server provides the key for that transaction. If the adversary wants the encryption to become apparent they simply stop responding to the requests for a key.

I write in about 30 languages, but while I don't write ransomware (yet), I do think the virus programming team has some issues with your design. Why on Earth would you want them calling your server over and over all day every time someone accesses a disk? You can only hide a signal's source for so long before the vans show up. It makes far more sense to store the key locally, then delete it locally when the encryption finishes. You still have the key and dreams of buying a midsize Hyundai with bitcoin.

In any case the backups would be recoverable, unless they specifically hacked the backup software as well, but if you're a medium-sized institution you might just pay a five-figure ransom anyway. Restoring an entire system from backup is often very painful and expensive.

Comments for this post are closed

TallDave

BTW one of my favorite IT stories was a client who had an IT guy lock them out over Christmas in the late 1990s after his career arc didn't go as well as he'd hoped. Asked for $100K to unlock them, they told him to come pick up the check, cops arrested him at the office in front of his kids.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Sergey

"The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom."

https://www.ic3.gov/media/2016/160915.aspx

Sergey

Here's a very fresh example of paying but not getting your data: https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/

Dan Lavatan-Jeltz

Yes people have an obligation to run so many of these attacks without restoring data that nobody pays and so that nobody will attack any more, otherwise people will just keep attacking.

It should be legal however to kill everyone ever met by the attacker in order to extract the key without paying, which is probably cheaper.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Art Deco

If law enforcement agencies did advise you to give in to extortionists, that's a scandal. Prosecute people who pay this sort of protection money and it stops.

stephan

The FBI doesn't advise anymore to pay the ransom, but they did advise it not so long ago.

https://www.cryptocoinsnews.com/fbi-now-says-dont-pay-bitcoin-ransomware-extortionists/

Comments for this post are closed

Comments for this post are closed

prior_test2

Some people seem a bit unclear on the concept - whether you pay or not, you are screwed to the extent that you did not take measures that allow recovery from something that has been going on since the Windows 9x days two decades ago.

And really, one should not ignore the fact that when a government uses this as a tool (think war and crippling as much digital infrastructure as quickly and broadly as possible), money will not be involved anyways.

Comments for this post are closed

Comments for this post are closed

Rock Lobster

Well that's one way to divert money from liberal arts to STEM.

Abhi

under-rated.

Comments for this post are closed

Comments for this post are closed

David Pinto

Sorry, should be advice.

Comments for this post are closed

Sergey

For more see https://krebsonsecurity.com/2016/12/before-you-pay-that-ransomware-demand/ and other posts at https://krebsonsecurity.com/tag/ransomware/

Comments for this post are closed

Axa

People imagines a super hacker from another country. But, after working in several companies and looking at the poor security practices......it is just too damned tempting to pay a hundred bucks to the janitor to plug an USB drive in the right place.

Comments for this post are closed

Dominik Peters

In my view, it is not a great idea to widely spread stories like these about how ransom contracts are honored. It is much better to spread rumors and stories where the ransomers did not decrypt files even though ransom was paid. If uncertainty spreads, ransoms will get less profitable and hence happen less often, destroying less capital.

Ray Lopez

Well in the long run you're right, but in the short run just pay is good advice (moral hazard argument). The same thing happens with kidnappings (paying encourages more kidnappings in the future, but in the short run you get John Doe back alive). Also I recall a Maine police department a few years ago that paid their ransomware to get unlocked.

Comments for this post are closed

Comments for this post are closed

prior_test2

'Clearly, this is just the beginning.'

Or just the end of the beginning, for anyone paying attention - 'Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker—using the Bitcoin digital currency platform to collect ransom money. In December 2013, ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December, the operators of CryptoLocker had procured about US$27 million from infected users.[34] The CryptoLocker technique was widely copied in the months following, including CryptoLocker 2.0 (though not to be related to CryptoLocker), CryptoDefense (which initially contained a major design flaw that stored the private key on the infected system in a user-retrievable location, due to its use of Windows' built-in encryption APIs),[24][35][36][37] and the August 2014 discovery of a Trojan specifically targeting network-attached storage devices produced by Synology.[38] In January 2015, it was reported that ransomware-styled attacks have occurred against individual websites via hacking, and through ransomware designed to target Linux-based web servers.' https://en.wikipedia.org/wiki/Ransomware#Encrypting_ransomware

For those interested in actual reporting theregister.co.uk is a fine source for such information presented in a distinctive style.

Like this article from March 2016 - 'The success of file-encrypting ransomware such as CryptoLocker, CryptoWall, Locky has rendered earlier system locker malware unfashionable if not obsolete. Ransom lockers can be normally be cleaned by using “rescue discs”, unlike file-scrambling malware strains.

The latest strain represents an advancement of ransom locker malware as it is using Tor to communicate to its command and control servers. The Windows nasty prevents users from booting in safe mode.

Researchers at Cyphort Labs conclude that the malware slingers are testing the waters with a strain of malware that still in its early stages of development.

“This new discovery is an advancement of ransom locker malware as it is using Tor to communicate to its CnC servers,” Cyphort’s Paul Kimayong explains in a blog post. “By using Tor, the attacker adds a layer of anonymity while doing its malicious activity.”

“Also, while the attacker got your machine kidnapped, they created a Tor hidden service that allows the attacker to utilise your system for bitcoin payments or other malicious activity,” Kimayong added.' http://www.theregister.co.uk/2016/03/22/encryption_ransomware_going_out_fashion/

Ray Lopez

Yeah, the Register, "Biting the hand that feeds IT" ran a story saying the original Crypto ransomware had been neutralized (the hackers gave away the private keys) but this is version two.

Comments for this post are closed

Comments for this post are closed

stephan

The silver lining ? Ransomware is counted as an import, so will be tariffed under Trump, generating revenues

Comments for this post are closed

Brett

What's the answer? Periodically back everything up in physically separated servers, so you can just restore the system if you have to wipe it clean because of ransomware?

prior_test2

The answer is the sort of professional hardware/software backup system that looks for directory/file corruption before replacing any file. However, such systems are normally used as part of a more simple, and expensive, framework, where no back-ups are ever overwritten, so that it is possible to find a version before the problem occurred. Corruption detection (which tends to come with lots of overhead that costs time and/or money, to a noticeable extent) is an attempt to detect a problem as soon as possible, and does not always work. Thus explaining the straightforward back-up approach of making new backups on a regular basis (weekends tend to be available for such at a company), and thus ensuring that you can make at least a partial recovery from a point in the past.

Comments for this post are closed

Comments for this post are closed

Troll me

Let's ban paper records to save money.

It will be cheaper.

Comments for this post are closed

dearieme

The CIA blames Putin no doubt.

prior_test2

Nope - but I'm sure if you work hard enough, you can blame Hellary.

Comments for this post are closed

Comments for this post are closed

TMC

This is because too many people have admin privileges that they shouldn't. Remove local admin and add whitelisting of applications and this goes away. Product called Viewfinity claims 100% success against ransomware.

prior_test2

'Remove local admin and add whitelisting of applications and this goes away.'

Not precisely, but it is certainly a help - opensuse (and other Linux distros) use apparmor, which goes several steps beyond mere whitelisting (which while useful, is just a very first step - firewall whitelisting of applications is better than a first step in that particular case, though). https://wiki.ubuntu.com/AppArmor

TMC

Interesting, From the demo I saw, I think that's how viewfinity worked. Gave an admin token to the process, not the user.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

TallDave

Another reason everything is moving toward the cloud. Let Amazon's programmers deal with these problems, midsize and large institutions are not cut out to handle these challenges.

Physical separation and backup buys you little, any device connected to a network somewhere is vulnerable. And the ransom is small enough that you'd probably pay it rather than pull your weekly or monthly backups.

prior_test2

'Physical separation and backup buys you little, any device connected to a network somewhere is vulnerable.'

I'm curious - leaving aside 'physical' separation (which can also include using different OSes, thus hopefully keeping problems with attacks limited to the problematic data of the attacked system), what defense do you think Amazon has against a new exploit that makes data unusable, except to use back-ups?

Comments for this post are closed

Comments for this post are closed

TallDave

This is interesting:

http://www.techrepublic.com/article/10-tips-to-avoid-ransomware-attacks/

Research if similar malware has been investigated by other IT teams, and if it is possible to decrypt it on your own. About 30 percent of encrypted data can be decrypted without paying a ransom, Kolochenko of High-Tech Bridge says.

TMC

My sister's small company got hit and she found an application that would decrypt the files. You had to have a good copy of one file along with the encrypted one. It could then decrypt all the others as long as it was smaller than the first set. I had turned on the 'previous versioning' so I did recover all of them that way, but she had quite a few done by the time she told me.

Comments for this post are closed

Comments for this post are closed

Johnny B

The geniuses who run my university's IT got hit last summer. They paid something like 20k in Bitcoin. Our email system was down for about two weeks during the crisis. So all communication with grad students etc had to go to gmail equivalents. The best part was after it was over, the lawyers for the university informed us that all emails we had sent or received on private accounts during the crisis had to be uploaded to the university's system.

Comments for this post are closed

Comments for this post are closed