Data for Ransom

  • Eric M Russell

    SSC Guru

    Points: 125094

    Rod at work (2/24/2016)


    WOW, Eric! That's pretty bad. Up to this point we've been talking about corporate systems. Now you're mentioning a personal computer. I've heard of people being stung by ransomware, but you're the first one I've known who actually experienced it. If you don't mind saying, how did you handle it? And what AV was being used at the time?

I believe most folks like myself who have been victimized by ransomware, at least regarding CryptoLocker specifically, get it on their personal computers. It's not a targeted attack; it's just a trojan program that automatically encrypts data when it executes, regardless of where it happens to be. In a way, it's a lot like a phishing scheme, the kind where a fake alert tells you your PC is infected with a virus and to call a Skype number for "tech support", except in this case the PC actually is infected and the data held for ransom, so the victim is motivated to cooperate.

In my situation, it was a bare minimum laptop I mainly used to VPN into work, so fortunately there was very little contained under my document folders. I had a local install of Visual Studio and SQL Server that I used to prototype and experiment off hours, but none of it was irreplaceable or confidential, so I wasn't motivated to get it back. What I did was simply wipe down the laptop, re-installing Windows and the bare minimum stuff I needed to work with, taking the opportunity to upgrade to Windows 8 in the process.

    I did have the free version of AVG AntiVirus installed when the trojan hit and never got any alert. This was about two years ago, so maybe they have since added a scan pattern for it.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • benjamin.reyes

    SSCertifiable

    Points: 5249

I think the direction things need to go / are going is individualized sandboxes per application. Of course you could always use VirtualBox as a staging point to evaluate things. But with Windows Server 2016 there is the ability to use containers to isolate applications.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 720371

    David.Poole (2/23/2016)


    My 6 year old niece managed to download some ransomware onto her mother's tablet in an app aimed at children. That's just vile.

    Going after hospital records is beyond the pale. Aside from the birth of your children a trip to hospital is not one of life's pleasures and the thought that your medical history might be unavailable due to malign activity is worrying. It's on par with attempted murder.

    Completely agree here.

  • Eric M Russell

    SSC Guru

    Points: 125094

    Steve Jones - SSC Editor (2/24/2016)


    David.Poole (2/23/2016)


    My 6 year old niece managed to download some ransomware onto her mother's tablet in an app aimed at children. That's just vile.

    Going after hospital records is beyond the pale. Aside from the birth of your children a trip to hospital is not one of life's pleasures and the thought that your medical history might be unavailable due to malign activity is worrying. It's on par with attempted murder.

    Completely agree here.

    It's unclear whether these are actually targeted attacks. However, I do believe the evil geniuses who build these trojans or those who collect the ransom payments, if they ultimately are found and convicted, should serve time alongside violent sex offenders.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Rod at work

    SSC-Dedicated

    Points: 33393

Thanks for sharing, Eric. I haven't heard of this CryptoLocker virus and I honestly thought it was something that was targeted. Now it sounds more like something that just gets transmitted in the usual virus way, i.e. randomly.

    Kindest Regards, Rod Connect with me on LinkedIn.

  • Wayne West

    SSC-Insane

    Points: 22586

Neal Stephenson's book Reamde started with a Russian mob's accountant getting his mob laptop and backups hit by ransomware. Excellent book. And it came out four years ago.

It's not a ransomware hack, but I read about an interesting attack today on Brian Krebs's blog about a spear-phishing attack on a company where they spoofed the CEO's email and sent a request to HR for an email PDF copy of all the W-2 tax forms for the company. Fortunately HR said they couldn't do it and to talk to the CFO, at which point the attack was detected and no information was compromised.

    Ransomware is usually not targeted, but can be. The attack that Krebs reported was researched and targeted, but was ultimately unsuccessful.

    The sad thing about Ransomware is that lots of it is launched from our old friend: Word document macros.

    -----
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson
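Wayne's point that much ransomware arrives as a Word document macro suggests a simple defensive check: before a document reaches a user, look inside it for a VBA project. The following is an added example for this thread, not code from any poster; it inspects the OOXML zip package structure only (an entry named vbaProject.bin and/or a [Content_Types].xml override declaring the VBA content type), never opens the document in Office, and constructs its own sample files in memory. The function names and the sample packages are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List

# Added example (not from the thread). Flags OOXML Office files that carry a
# VBA project, the container that macro-based droppers use. Structure-only:
# nothing inside the document is executed or rendered.

VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def find_vba_parts(data: bytes) -> List[str]:
    """Return zip entry names that make up a VBA project inside an OOXML file.

    Two signals are checked: any entry ending in vbaProject.bin, and any
    [Content_Types].xml Override that declares the VBA content type. The check
    is content-based, so renaming .docm to .docx does not evade it. A non-zip
    input (e.g. a legacy OLE2 .doc) is not an OOXML package and yields [].
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names = zf.namelist()
    hits = {n for n in names if n.lower().endswith(VBA_PART_SUFFIX)}
    if "[Content_Types].xml" in names:
        try:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
        except ET.ParseError:
            return sorted(hits)  # malformed manifest: fall back to name scan
        for override in root.iter(CT_NS + "Override"):
            if override.get("ContentType") == VBA_CONTENT_TYPE:
                hits.add(override.get("PartName", "").lstrip("/"))
    return sorted(hits)


def has_macros(data: bytes) -> bool:
    """True when the package contains a VBA project part."""
    return bool(find_vba_parts(data))


def _build_docx(with_vba: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample input)."""
    overrides = (
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    if with_vba:
        overrides += (
            '<Override PartName="/word/vbaProject.bin" '
            f'ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a real OLE-format VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Constructed samples: a plain document and a macro-enabled one.
CLEAN_DOCX = _build_docx(with_vba=False)
MACRO_DOCM = _build_docx(with_vba=True)

if __name__ == "__main__":
    for label, blob in (("clean.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM)):
        parts = find_vba_parts(blob)
        verdict = f"VBA project present: {parts}" if parts else "no VBA project"
        print(f"{label}: {verdict}")
```

Run as a script it reports one clean and one macro-bearing sample. In a mail gateway or upload handler the same check would quarantine or strip attachments for which `has_macros` returns True. Its limits are worth noting: it covers OOXML (.docx/.docm/.xlsm and friends) but not the legacy OLE2 .doc/.xls formats, and it says nothing about what the macro does, only that one exists, which is usually enough to justify blocking inbound documents from unknown senders.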

  • SQLBill

    SSC Guru

    Points: 51440

    Another issue with ransomware is that when you pay to get the 'fix', the fix is being provided by the person who caused the issue in the first place. What might you be loading along with the 'fix'? A backdoor? Another bit of ransomware that might go into effect in a few months/year? A keystroke logger?

    -SQLBill

  • Wayne West

    SSC-Insane

    Points: 22586

    SQLBill (2/25/2016)


    Another issue with ransomware is that when you pay to get the 'fix', the fix is being provided by the person who caused the issue in the first place. What might you be loading along with the 'fix'? A backdoor? Another bit of ransomware that might go into effect in a few months/year? A keystroke logger?

    -SQLBill

    Excellent point, Bill. There's no way to know for sure. No doubt you would definitely want to do a deep probe/scan of your systems while cleaning up after such an event. Maybe initially unlock a workstation disconnected from the network and inspect it before applying it more widely?

    One interesting thing is that there are a number of such malware packages out, and some of them are poorly implemented and have been broken. There are web sites that you can send a file to that they'll check the file and see if it's from one of these broken installations.

    -----
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • Eric M Russell

    SSC Guru

    Points: 125094

Even if the data I lost was important to me, I would not pay the ransom, because it's entirely plausible that it's part of a scheme to raise money for terrorist activities. This is why I agree with Apple that tamper-proof security features on personal computing devices are important. If we start putting back doors into PCs, smart phones, and other internet devices (like what the US government is currently suggesting), then we open the door for hackers of all types, both small time and large scale.

BTW: For the government to request such a back door from Apple, they must be either naive or dishonest. I'll give them the benefit of the doubt and assume they're being dishonest. If the government (or anybody) wants to crack a 4 - 6 digit PIN on a smart phone, then why not simply rip an image of the iPhone's SD, and then install a copy along with an iPhone emulator on a 1,000 node virtual machine farm? Using that method, they could brute force crack the PIN overnight. I'm not even a security expert, just a regular IT Joe, and I know that can be feasibly done. I could do it myself on Amazon. I'm sure the FBI has already done exactly that, just as they have 10,000 times before with other suspects, so why are they asking for a convenient back door now unless it's for casual browsing on a mass scale?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Rod at work

    SSC-Dedicated

    Points: 33393

That is a very good point, Eric. And it's one that I've never considered before.

    Kindest Regards, Rod Connect with me on LinkedIn.

  • akljfhnlaflkj

    SSC Guru

    Points: 76202

    Can't say enough about backups, multiple backups.

  • Eric M Russell

    SSC Guru

    Points: 125094

    Eric M Russell (2/25/2016)


Even if the data I lost was important to me, I would not pay the ransom, because it's entirely plausible that it's part of a scheme to raise money for terrorist activities. This is why I agree with Apple that tamper-proof security features on personal computing devices are important. If we start putting back doors into PCs, smart phones, and other internet devices (like what the US government is currently suggesting), then we open the door for hackers of all types, both small time and large scale.

BTW: For the government to request such a back door from Apple, they must be either naive or dishonest. I'll give them the benefit of the doubt and assume they're being dishonest. If the government (or anybody) wants to crack a 4 - 6 digit PIN on a smart phone, then why not simply rip an image of the iPhone's SD, and then install a copy along with an iPhone emulator on a 1,000 node virtual machine farm? Using that method, they could brute force crack the PIN overnight. I'm not even a security expert, just a regular IT Joe, and I know that can be feasibly done. I could do it myself on Amazon. I'm sure the FBI has already done exactly that, just as they have 10,000 times before with other suspects, so why are they asking for a convenient back door now unless it's for casual browsing on a mass scale?

    http://www.dailygadgetnews.com/fbi-says-they-might-not-need-apples-help-unlocking-that-iphone-after-all-asks-to-postpone-hearing-update-postponed-2/

... On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone. Testing is required to determine whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for assistance from Apple Inc. ("Apple") set forth in the All Writs Act Order in this case ...

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Gary Varga

    SSC Guru

    Points: 82166

    Stinks of being a ruse. Someone is playing an angle here.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Wayne West

    SSC-Insane

    Points: 22586

    They need Jeff Goldblum from Independence Day. The dude connected a Mac laptop to an alien network, he can handle an iPhone hack.

I read this morning that a hospital in Kentucky got hit with a ransomware infection. The ransom demand was all of four bitcoins, some $1600. They're probably going to putz around and waste ten times that before they pay.

    -----
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson
