There is a particularly devious type of malicious software that locks users out of their own computer systems until an individual agrees to pay a ransom to the hackers. In these cases, the FBI has surprisingly suggested just ponying up the dough.
It's not the type of advice one would typically expected from the FBI, but that's exactly what was recommended by Joseph Bonavolonta, the assistant special agent in charge of the FBI's CYBER and Counterintelligence Program Boston office.
"The ransomware is that good," said Bonavolonta at the 2015 Cyber Security Summit in Boston, as quoted by Security Ledger. "To be honest, we often advise people just to pay the ransom."
Yeah, it's RT, but I did a search, and that or similar headlines popped up on dozens of news sites. I clicked a couple of them, and the stories match. Try this one,
https://thehackernews.com/2015/10/fbi-ransomware-malware.html
Personally, I can almost certainly afford to nuke and reinstall, unless they get my RAID array. Then - I'd have to think hard.
Related Stories
A secure-email firm, based in Switzerland, has paid a ransom of more than £3,600 after web attacks crippled its website. The hi-tech criminals behind the web attacks said the payment would stop the deluge of data hitting the site. But despite paying up, the web attacks continued, leaving Protonmail struggling to operate. It has now launched a fund-raising drive to raise cash to tackle any future attacks.
Protonmail did not respond to the message and, soon afterwards, was hit by what is known as a distributed denial of service (DDoS) attack. This tries to knock a server offline by bombarding it with more data than it can handle. Protonmail is a free, web-based, encrypted email service that needs its site up and running to serve customers. The first attack knocked out Protonmail for about 15 minutes and then stopped. A second attack the next day was much bigger and overwhelmed efforts by the email firm and its ISP to stop it.
"This co-ordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just Protonmail," it said on the blog. In a bid to halt the attack, Protonmail said it "grudgingly" paid the 15 bitcoin ransom.
[...]
Post-attack analysis suggests Protonmail was targeted in two phases, the company said. The first aided the ransom demand but the second was "not afraid of causing massive collateral damage in order to get at us".
Switzerland's national Computer Emergency Response Team (Cert), which helped Protonmail cope, said the attack was carried out by a cybercrime group known as the Armada Collective. This group has also targeted many other Swiss web companies over the last few weeks, the team said.
(Score: 3, Informative) by Anonymous Coward on Thursday October 29 2015, @10:51AM
RAID is not backup.
(Score: 3, Touché) by Runaway1956 on Thursday October 29 2015, @11:02AM
I don't recall suggesting any such thing. What I said was, I could easily afford to lose everything on system and /home disks, but the contents of RAID are somewhat more important to me.
ICE is having a Pretti Good season.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @01:35PM
If you have a proper backup, you can certainly afford losing everything on your RAID, exactly because you've got a backup of it. Just wipe the RAID and restore the backup. Nothing to think hard about.
Well, except about the question on how they managed to hack your RAID. You definitely want to plug that hole.
(Score: 2) by Runaway1956 on Thursday October 29 2015, @01:59PM
Well, it appears that they can encrypt anything that you have read/write access to. So, that's how they would access my RAID.
And, no, I don't have a full backup of my RAID. I would have to purchase a few hard drives to do that, along with an NAS of some type. Or, purchase space on some server in the cloud. I'm not a fan of the cloud though.
The good news is - only one user has r/w access to the RAID. All other users have read access only.
ICE is having a Pretti Good season.
(Score: 2) by RedGreen on Thursday October 29 2015, @03:13PM
Well you don't really care about your data then. Personally I have my main copy on a machine connected to the network when I turn it on, then a backup machine with second copy and lastly third machine containing a backup if the backup fails. All using zfs RAIDz for data integrity checking now I did skimp on the two backups as they were re-used old machines left over from past upgrades and they do not use ECC ram in them for rock solid error handling. But they get the job done the main backup machine has ECC ram in it.
"Cervantes definitely was prescient in describing a senile Don fighting against windmills." -- larryjoe on /.
(Score: 2) by Tramii on Thursday October 29 2015, @04:22PM
Well you don't really care about your data then.
To be fair, we don't know how much data is on the RAID array. Sure, most people can easily fit all their important data into 1 TB, so they really have no excuse for not having an offline backup somewhere. But it could be the the OP has many many TBs of data (unlikely, but possible), and attempting to back everything up is simply financially unfeasible.
(Score: 2) by RedGreen on Thursday October 29 2015, @04:56PM
If it is important enough to go out of your way to have it on a RAID then it is important enough to plan for the failure that will occur. Perhaps I am just too anal about it but that is the way I go about it having many years ago lost all my important stuff to them POS Seagate drives I had it on. What I do now is never have a drive that is over two years old holding my main copy, every year and a half or so I start the process of buying the new drives that will hold the new incarnation of my storage. Buying one every couple of months or so until I have enough to copy it all over easy to do if you plan ahead and put aside the money to do it. Middle of next year I am due to start the process all over again as the 4tb drives I bought earlier this year, will by the end of next year be just about two years old ready to go to secondary backup roles.
"Cervantes definitely was prescient in describing a senile Don fighting against windmills." -- larryjoe on /.
(Score: 2) by darkfeline on Friday October 30 2015, @12:22AM
>If it is important enough to go out of your way to have it on a RAID then it is important enough to plan for the failure that will occur.
Actually no; this is one thing that most people get wrong. RAID is not for data protection, although it provides a tiny amount of protection as a side effect: using RAID to protect your data is like using the side effects of some cancer treatment drug to lower your fever.
RAID is for data redundancy. That is, if a disk fails, your server can keep chugging while you swap it out, as opposed to restoring from backup.
If your data needs 24/7 availability, use RAID. If you care about losing your data, use backups. It just so happens that the two often overlap.
Join the SDF Public Access UNIX System today!
(Score: 2) by Nollij on Friday October 30 2015, @11:45PM
RAID does provide data protection from certain types of data loss - most notably, drive failure. Backups provide a superset of protection for other types - most notably user error
Given that hardware failure is the most common source of data loss for people, I would hardly call it "a tiny amount of protection"
In my experience, by far the #1 cause of backup failures is that people just won't do them, even after it's been setup. They also don't test them to see if they work.
It's also possible to have data that's important enough to have on a RAID, but not important enough to have backups for. Just like it may not be important enough for off-site backups, or sensitive enough for encryption.
(Score: 2) by Justin Case on Saturday October 31 2015, @06:40PM
hardware failure is the most common source of data loss
by far the #1 cause of backup failures is that people just won't do them
Well, which is it? Hardware failure or human failure? Because your second point is entirely a human failure.
Plus accidental deletes, getting pwned, installing crapware (but I repeat myself...)
In my completely unscientific opinion, human failures trash a lot more data than hardware. Especially since hardware, properly configured (with redundancy) can be nearly 99.9999... faultless. So again, the decision not to do that is another human failing.
Oh and if you can't afford redundancy, you can't afford a computer. Because sooner or later some part is going to fail, and that's when you'll realize the value of the time you spent creating all that information, plus the time you will now spend trying to piece back together whatever you can salvage, far exceeds the price of doing it right the first time.
I think what I'm saying here is computers would be perfect if nobody ever used them! :)
(Score: 2) by Nollij on Monday November 02 2015, @12:45AM
They measure two different things. One measures data loss as a whole, one measures failures of the backup system. Most people will only use the backup system after suffering data loss, which I find happens most after hardware failure.
Excluding the human factor from a system will guarantee failure - If someone knows they won't send in the rebates, they shouldn't factor them into a buying decision. Yes, it's a human error, but it is still going to happen. If I know I won't run the backups, then I shouldn't be pretending that I will. Instead, I should make a plan that I will actually follow.
That is absolutely absurd, for so many reasons. First, are we talking about the computer or the data? I can use a computer to do all sorts of things that don't require any data to be saved. Second, each piece of data has a value - Do I need backups of my movie collection? How much am I willing to spend to create a backup? Or, put another way, how willing am I to lose that data? What if it's my personal photos? Original, unedited source files? Legal correspondence?
On top of all that, it's an elitist statement, dismissive of those who don't have or aren't willing to spend money on this. Should they really not have access to technology in general, just because some of them will have a problem with it?
Obviously, everyone has to plan for equipment to fail - but that plan does not need to be a blanket answer across the board. I have my movies on a RAID for convenience, and to prevent a common source of data loss. If, however, the RAID should fail, or I get hit by a virus, I won't be heartbroken to lose that data. Therefore, I'm not investing in off-site backups or anything like that, at least not for this.
(BTW, I have my important data - my really important data, and nothing else - backed up on GDrive. I have more data that I feel is important enough backed up on my LAN)
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @04:19PM
I am considering building a triple-redundant "RAID" (using ZFS) for the sole purpose of back-ups.
I have been making do with smaller hard-drives because I have no idea how to back-up otherwise. (Can't really afford tape)
(Score: 3, Interesting) by Tramii on Thursday October 29 2015, @04:31PM
RAID guards against certain types of hardware failure. There's lots of failure modes that it doesn't guard against. Some examples include things like:
A good backup system should support:
(Score: 0) by Anonymous Coward on Friday October 30 2015, @08:10AM
I think I was not clear:
The RAID would be off-site, and off-line.
The machine housing the disks will contain a Public-Private key pair, such that I can encrypt the backups in transit with only the public key.
The sole purpose of using triple-redundant ZFS is to be able to detect read/write errors (and then correct them). If I had money, I would just use tape.
(Score: 3, Insightful) by darkfeline on Friday October 30 2015, @12:17AM
>And, no, I don't have a full backup of my RAID. I would have to purchase a few hard drives to do that, along with an NAS of some type. Or, purchase space on some server in the cloud. I'm not a fan of the cloud though.
>The good news is - only one user has r/w access to the RAID. All other users have read access only.
This is a facepalm-worthy setup. Okay, you don't have a backup. There's a user with direct write access. If that user gets compromised (stuff happens), you're screwed. If YOU make a mistake (rm -rf /home /bob/tmp), you're screwed. If ANY non-hardware-failure-related error happens (including if an HDD microcontroller loses its sanity), you're screwed (cosmic rays are a thing, however rare they are).
There's a reason you should make backups, and there's a reason that "RAID is not a backup". I'm not sure whether I should pray that you learn this lesson the hard way--better sooner than later?
Join the SDF Public Access UNIX System today!
(Score: 2) by Runaway1956 on Friday October 30 2015, @07:38AM
LOL - I've learned the lesson, really.
Another poster mentioned cost. Not everyone can afford a home server. I can't, really, but I have one anyway. In fact, my workstation is on the server, because my most recently purchased workstation kinda crapped out.
In all honesty, I suppose that I have "backups". JBOD - disks that I've collected over the years. Some purchased from retail vendors, and many more recovered from machines that have been parted out. My months old RAID has absorbed the data from the JBOD, and now those disks reside in a couple of cardboard boxes. If the RAID dies unexpectedly, I could recover all of it. Just as I could, in theory, recover all the data that was backed up years ago on floppy disks and later CD's.
This RAID that I'm so proud of right now was my summer project. Maybe this winter, I'll spend the bucks, and build an actual backup system. Or, I may put it off til next summer.
As for off-site backups - I'll probably never get around to that. Or, maybe I'll eventually make an encrypted volume, add those files and folders that I consider most important, then put that volume in the cloud. I would never consider using the cloud for backup if the provider holds the encryption keys. That will never happen - we've seen how easily some of those providers have been compromised.
Ehhh - life is risk, and risk is life. The only data that is essential to me, resides in my head anyway. I can recover and/or rebuild everything else after a catastrophic loss. It would be a major inconvenience to do so, but it could be done.
ICE is having a Pretti Good season.
(Score: 1) by bart on Friday October 30 2015, @08:40AM
How about
If it's important to you have the data backed-up off-site. You really need to set up your system, so that in case of complete loss of system, you can go to the store, buy a new computer, and be up and running again in a few hours of reinstall.
(Score: 0, Troll) by jasassin on Thursday October 29 2015, @10:51AM
Someone needs to pull a Guantamo Bay/Silence of the lambs here. Find the fuckers that are doing this ransomeware and make them eat cockmeat sandwiches while it puts the lotion on its skin and after that a few hours of waterboarding... every day until they finally expire.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 5, Informative) by Anonymous Coward on Thursday October 29 2015, @12:16PM
Oh look everyone, it's an Internet edgelord. Advocating torture for trivial crimes since the invention of the BBS.
(Score: 1, Insightful) by Anonymous Coward on Thursday October 29 2015, @03:30PM
Oh look everyone, it's an Internet edgelord. Advocating torture for trivial crimes since the invention of the BBS.
While I'd fully agree that the torture suggestion is absolutely wrong, to the point of worrying about the GP, I would not call the crimes trivial. It could be trivial, but depending on what information is stolen, it could indeed be quite serious.
(Score: 0) by Anonymous Coward on Friday October 30 2015, @05:36AM
The data is not being stolen, it's being kidnapped and in an easily preventable way. The severity of the crime does not change based on how irresponsible the victim was, it's not a greater crime to break in a house protected by a simple lock than to break into one with a forcefield around it.
(Score: 2) by Subsentient on Thursday October 29 2015, @08:50PM
I hope we come up with some 'pain machine' that we can use in place of prison. A few hours of unbridaled agony, coupled with drugs to make you never ever forget, and you're done with your sentence for murder.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 4, Insightful) by jdavidb on Thursday October 29 2015, @01:12PM
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 5, Insightful) by looorg on Thursday October 29 2015, @11:39AM
Isn't this really just the same advice law enforcement normally gives? Don't be a hero. If someone sticks a gun in your face and asks for your wallet then give them your wallet. We'll try and sort it out afterwards. Same thing here. We won't be able to save your files or unlock them, the encryption is just to good. If you want the files back really bad then pay them. Try and learn from the experience and don't do the same mistake again, after all you did do something wrong since ransom-maleware just doesn't show up out of nowhere. Even if the ransom is in the form of a bitcoin transaction it does generate some kind of trail or evidence we can or might be able to use at a later stage.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @02:55PM
They use to say the same about aircraft hi-jackings... until 911.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @04:27PM
Your right, they could fly those encrypted files right into the side of a building! We need TSA on our internet connection giving full packet scans and filtering out the terroristic packages!
We could expand this by filtering out all sorts of unapproved packages after they are all probed deeply! We could put all suspicious packages on a no transmit list and give other government approved packages a fast lane into our networks without any probing!
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @03:39PM
Good thing is they can then bring federal charges against you for sending a payment to a criminal organization, since you are easier to find.
(Score: -1, Flamebait) by Anonymous Coward on Thursday October 29 2015, @12:07PM
Thanks FBI. I wouldn't be surprised if this was another FBI gig to fund their drug operations. (Manufacturing and selling drugs, that is.)
(Score: 5, Informative) by Ethanol-fueled on Thursday October 29 2015, @02:06PM
FBI fund domestic terror operations. Drug-running is the CIA's game.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @04:38PM
I really hope they only fund anti-terror operations. ;-)
(Score: 1, Insightful) by Anonymous Coward on Thursday October 29 2015, @07:23PM
You must be new to life. The CIA has a long history of supplying weapons to and training terrorist cells. Taliban, ISIS, etc. And then there's the US's local terrorist organizations, the DEA, TSA, DHS, and NSA. Especially the DEA.
(Score: 3, Insightful) by inertnet on Thursday October 29 2015, @12:09PM
I would have no problem with that advice to pay the ransom, but only if it leads to the arrest of the criminals. So the authorities will have to follow my money all the way back to the parasites and bring them to justice.
(Score: 5, Informative) by EvilSS on Thursday October 29 2015, @12:16PM
If you don't have good, offline backups and you need the files you won't have much choice. A few of the keys have been recovered over the years but if you are unlucky enough to get hit with this and it's not one that's been exposed yet you're screwed. I've had customers pay to get source code, CAD files, and other IP back. Doesn't help that the ransoms are cheap enough to make it appealing to the companies to just pony up and be done with it. The really frustrating thing is that most of the ransomware doesn't require admin, it will just happily go about encrypting anything on your local machine or network drives that you have RW access to. They also have a bad tendency of just walking right past most antivirus products with no issues at all. We've tested versions we get from customers who have been infected and most of the time none of the big three enterprise products catch it, even with the latest engines and defs. Eventually it gets in the AV definitions but by then the makers have mutated it to get past again.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @12:45PM
that's because antivirus is the biggest waste of CPU cycles in software history, it's herd immunity for the common virii that gets sent to mailing lists and the like, if you were to be targeted today by somebody wanting to infect your network, they would and it will get past all software defenses, AV vendors would need to have samples of the executables sent to them to then protect others from the same threat, but by that time its too late.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @03:13PM
I have to agree with this. My company forces one on us, but I can honestly say that it hasn't picked up anything bad in the past 10 years.
Maybe I am just lucky, and I know not to click on those attachments from friends and family that say "look at this!".
At home we use one of the big WebMail services and it is pretty good at finding attachments with malware, so those never get to our PCs.
My kids get malware every so often and they know the standard remediation is wipe and reload...makes them more conscious of what they click on.
I have seen WWW sites that are malicious and don't need clicks to cause problems, but I haven't encountered one....I do keep the browser software uptodate.
(Score: 2) by Hairyfeet on Thursday October 29 2015, @07:15PM
THIS, this right here. I stress to my customers that having multiple backups is critical and with both the prices of BD burners and USB HHDs being so cheap there is really no excuse. For your pictures and documents a single BD can hold more than most users will ever need and can easily be stored in a safety deposit box or a relative's home, and for backing up the entire OS and large data files like videos you can't beat the prices of multi-TB USB HDDs today.
BTW those looking at AVs who want to know which ones are the most likely to catch this crap? ESET and Comodo, every test I've read plus what I've seen with my own two eyes have shown these two to be the most capable, with the added bonus that Comodo is free for personal use. You have to tweak Comodo a little* if you want maximum protection but OOTB it will work pretty damned good and ESET is rock solid and ready to go OOTB but will cost you yearly so it all comes down to personal preference really.
*.- For those that want to know what to tweak here ya go, simply go in and turn on HIPS which is off by default, I usually set it to learning mode long enough to launch all their programs then set it for paranoid mode. Follow this up by telling it to sandbox everything, by default it sandboxes the browser (which is a HUGE benefit as most malware will come through the browser) but unless they are gaming the overhead of simply running everything in a sandbox is pretty trivial compared to the protection it provides. Then finally turn on Comodo Secure DNS which uses the same DNS they use for their server offerings, not only is it fast but they seem to catch recently infected pages a hell of a lot faster than anybody else. If you wish to use another DNS it won't make that much of a difference but the way I see it having phishing and recently infected sites blocked at the DNS level is just one more layer of security on top of the multiple layers Comodo already provides so why not? I have yet to see a customer that I have given this setup come back with so much as a single bug and considering how click happy some of my worst customers are? That is saying a HELL of a lot.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by frojack on Thursday October 29 2015, @07:21PM
If you don't have good, offline backups and you need the files you won't have much choice.
The thing is, it is JUST AS CHEAP to not put yourself in BOTH of those boxes.
For under $250 there are a number of NAS storage products up to 4TB from a multitude of different companies, as well as some off-site "zero knowledge" cloud storage products.
No, you are mistaken. I've always had this sig.
(Score: 2) by EvilSS on Friday October 30 2015, @01:25PM
I completely agree. The problem is two fold. One, most companies don't TEST their backups until they actually need them. This bit two of my customers with Ransomware. They thought they backing everything up but it turned out they were missing certain shares due to misconfigurations. The other problem is that users have a bad habit of putting documents places where they are not supposed to be. Having a doc management solution is worthless if everyone store revisions on their local PCs and never checks them back in. Backing up PCs is usually not in the cards for most enterprise level companies with tens of thousands of devices out there.
(Score: 3, Interesting) by danomac on Thursday October 29 2015, @10:46PM
Someone clicked a bad link in an email and it installed this. It slowly, but surely, started going through the entire workstation encrypting everything it could see, including any network shares. However, it did not spread from there and we caught it relatively quickly.
Our backups saved us for the most part. We did lose some files but none of them critical, things like temporary scratchpad spreadsheets and the like. The only reason our financial data were saved was because it was in use and so the malware couldn't encrypt it.
Having snapshot backups meant we lost only a few hours of work. After that our spam filter was tweaked to not let through emails for services we actually use (they're used internally but never get sent an outside email.) Which is why we got burned... the phishing email came in was from a service we actually use. Well, used. We're moving away from that particular service now, but not because of the phishing attempt, too many other issues with it.
(Score: 2, Interesting) by WillAdams on Thursday October 29 2015, @12:58PM
They need to better justify their budget:
Billions for defense, not a penny for tribute.
One of the justifications for the war on drugs is that the people who deal in drugs are not nice and do nasty things --- why do these people get a bye?
If there isn't equal justice under the law, then where's the law?
(Score: 3, Insightful) by jdavidb on Thursday October 29 2015, @01:13PM
One of the justifications for the war on drugs is that the people who deal in drugs are not nice and do nasty things --- why do these people get a bye?
Many of us are not persuaded by that justification for the war on drugs, so this reasoning isn't going to carry much weight.
ⓋⒶ☮✝🕊 Secession is the right of all sentient beings
(Score: 3, Insightful) by tathra on Thursday October 29 2015, @07:30PM
they do nasty things because of the insanely, ridiculously high profit margins on drugs created specifically because of prohibition. legalize drugs, and voila, drug cartels evaporate almost overnight because their primary source of money has vanished. remove their reason for doing "bad things" - ludicrously high profit margins created by prohibition - and there's no more reason for them to do those "bad things". for a real-world example of exactly this happening, see alcohol prohibition, which created the mafia, who then basically vanished in the US upon passage of the 21st amendment.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @08:09PM
"That's pinko-commie terrorist Islamic Mexican talk." - D Trump.
(Score: 2) by darkfeline on Friday October 30 2015, @12:24AM
News flash: you cannot beat mathematics by being competent.
Join the SDF Public Access UNIX System today!
(Score: 2) by skater on Thursday October 29 2015, @01:32PM
I have a server with our 'media' files on it, primarily our photographs, and we'd hate to lose it. I do multiple backups, online backups, etc., but I'd like to limit damage to the media drive as much as possible. I don't worry about any of the computers themselves - they can all be reinstalled or whatever; nothing critical is stored on them (at least, I hope that's what my wife is doing...). I'm mainly concerned about that media drive, which I do have set up for network access.
One thing I do is set all of the photographs to read-only access. I do this mainly to reduce the chance of an accidental erasure/edit, but would it also help protect against these kinds of attacks? If so, there are huge swaths of that drive I could make read-only; it's rare that we need to edit a file after we've put it in its spot. Are there other things we can do, aside from backups?
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @01:49PM
I back up to a 2Gb USB hard drive that stays disconnected when done. Plus... I use Linux.
(Score: 2) by mmcmonster on Thursday October 29 2015, @02:14PM
A smart ransomware would try to change the write permission on any file you own on the drive. And they are all very, very smart.
Best thing is off-line backups. But you have to be careful even with offline backups. The last thing you want is to overwrite an offline backup with a version which is encrypted by the ransomware.
Probably offline backups with version control? Something like Apple Time Machine?
(Score: 1, Informative) by Anonymous Coward on Thursday October 29 2015, @04:06PM
Back up to non-rewriteable optical media.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @11:14PM
1. Share all your user folders on your home network such that they are read-only to a non-you user.
2. Get a raspberry pi and attach a usb drive to it.
3. Have it scan your user folders for changes.
4. Save the differences as necessary.
5. For additional safety, turn off the raspberry pi when not backing up, or set it to shutdown automatically when done.
(Score: 2) by martyb on Thursday October 29 2015, @02:28PM
It's unclear to me what operating system you are using. That said, the same general approach should apply.
Define multiple users on your system. One (or more — in case you somehow lock yourself out of that account) of which have write access, and all the rest have read-only access. For watching videos or viewing pictures, only access the files with a read-only-access user. When inserting new files, use the user account that has the write access. You can accomplish this with ACLs (Access Control Lists). Here's a link for a windows environment [stackoverflow.com] — a similar approach can be used for *nix-like OSs with world/group/user level permissions.
Wit is intellect, dancing. I'm too old to act my age. Life is too important to take myself seriously.
(Score: 4, Informative) by VanderDecken on Thursday October 29 2015, @02:39PM
One option you have is to use a NAS server that allows for automated filesystem snapshots, such as FreeNAS [freenas.org] with ZFS. If you get hit by it, you roll back to a known good copy. You should still have offline backups, but having automated snapshots can minimize the damage and downtime.
I know of a company where an admin assistant got hit by one of those malwares, where it (as usual) started by encrypting what it could find on network drives. When people realized that something was wrong (the encryption was still in progress, but it hit a file that someone else was looking at), she killed the power on her workstation. They burned her machine to the ground (ie: reimaged it) and restored the network filesystems from the last good snapshot. Not more than 30 minutes' worth of data was lost, and everyone else was up and running in less than an hour. (Her machine took a bit longer for the reimage, but no data was lost there because nothing of consequence is kept on the workstations.) They were using a different ZFS-based NAS solution, but the same idea applies.
The two most common elements in the universe are hydrogen and stupidity.
(Score: 2) by Hyperturtle on Friday October 30 2015, @01:55AM
I am not sure what you are saying. Are you saying that because a file was in use and someone noticed something was wrong and they killed power to her workstation, and as such it prevented her machine from eventually reaching the NAS? You said "started encrypting what it could on the network drives" and then "restored the network filesystems". I do not understand the difference between these two things. I do understand the difference between a SAN and NAS, but you said NAS, so that to me is "file share on the network", no different than any other mapped drive.
What kind of NAS protects against this if her machine had write access to it for the image to be stored? Did the NAS itself actually consist of a backup server of some kind, that then pulled data with a different account that was unrelated in any way to hers, so that if a virus like this hit it, it would not have access to it because it didnt have an account with permissions to exploit with since it couldn't use hers?
RAID is not backup. NAS is not backup. NAS is just a file share on the network that might be a single SD card, a USB stick, a disk drive, or a fancy case with multiple drives running some sort of OS to manage it that... serves files and has file system access, like a vulnerable windows share or linux share. NAS is often just "non-microsoft tax file share for network accessible storage".
Having file storage on the network and calling it NAS instead of "Not even a raid" or "yeah its a raid but" still is not a backup, and if the user can write to it, then so can the virus.
But I agree that offline backups are the best type.
I do realize that you said this was a company you knew (FoAF in other words), so you may not have much detail, but you had enough detail to describe it as NAS with a ZFS file system. What I am getting at is that if a user can access it to write to it, it could be pencil and paper and they can still spill ink on it. The paper and pencil have nothing to do with the user managing to screw it up.
Sorry if I come across as harsh, but I have known clever people to defeat safeguards in products to make things more convenient and easy and then still repeat the claims on the tin even though the tin has something else in it.
(Score: 2) by VanderDecken on Friday October 30 2015, @06:44AM
Ok, let me try this again.
If it's providing a network filesystem, I'm calling it a NAS. If it's providing a block device over the network, I'm calling it a SAN. Terms can get muddy, especially when marketing steps in, but let's go with those definitions. (In reality, most modern boxes can provide either. Whether it's ethernet, fibrechannel, or whatever doesn't matter at a high level.)
In this case, the server was exporting a CIFS share backed by a ZFS filesystem, and ZFS was set to take automatic snapshots every 5 minutes or so. From the client machine perspective, yes it looks like a disk. When the malware hit, it was in the process of encrypting those portions of the CIFS share accessible to the admin assistant. The fact that someone else noticed the problem before the malware was done is irrelevent; it could have finished encrypting the whole thing and it wouldn't have mattered.
So the recover procedure was:
No, a NAS by itself is not a backup, and RAID is not a backup, but exporting a log structured filesystem (and with snapshots enabled) on a RAID means that you can do most recovery operations without going to traditional backups. You still need the traditional backups for archival and disaster recovery scenarios, though, including the case of losing more disks than your RAID has redundancy (at whatever level).
Does that help?
The two most common elements in the universe are hydrogen and stupidity.
(Score: 2) by Hyperturtle on Friday October 30 2015, @05:19PM
Yes indeedy!
My goal really was to provide for posterity a description from someone like you (and me) that having a network share to store backups on doesn't mean it's a backup -- it means its another copy.
People mistake raid for backups, and copies for backups, and indeed a raid can host copies of backups, and you can backup copies onto a raid, and if you have a raid 10, you have a parity copy hardware backup of those drives in raid 0 and... I didn't think you made the mistake.
I had a day of dealing with stupid, so please pardon if I stooped to an uninformative level. I would mod your reply informative, but I wanted to let you know that I see you answered my question and it is informative.
Lots of people out there, despite all the drum beating, do not get it, and other people still beat the drum at the whiff of others not getting it.
(my replying again doesn't win us points, though, but at least I am happy, right? well if that's not so good--think of all the posterity you helped!)
(Score: 2) by richtopia on Thursday October 29 2015, @03:32PM
After spinning my own for years I've moved to just using SpiderOak for most of my backup needs. I think their terabyte plan is 15USD a month, and you can usually find discounts. Even compared to the price of a raspberry pi and a USB 1TB drive that is relatively comparable, and a lot less headache/more reliable.
(Score: 4, Insightful) by MrGuy on Thursday October 29 2015, @02:02PM
The FBI isn't saying not to report it. They're saying they can't help. Why does this surprise you?
If you have ransoms are on your machine, there are three possibilities.
1.) You have acceptable backups and don't mind losing the delta from last backup to now. Great. Nuke the machine and restore from your backup.
2.) You don't have backups and so can't go with option 1. You can either:
2a.). Give the machine up for lost, accept the loss of all your files, start over as a wiser person about backups.
2b.). Accept you've been beaten, and pay them to unlock your files.
What other option were you expecting? Option 3 to call the FBI and have them decrypt your drive for free?
They're NOT saying don't report it. They encourage you to report it. They're saying your best option in case 2 is to pay up. This surprises...who?
Sorry, friends, but if we agree strong crypto should be allowed in private hands, and effectively untraceable crypto currencies should exist (I believe in both, BTW), then what exactly do you expect the FBI to tell you when someone locks your files with strong crypto and demands bitcoins?
(Score: 2, Funny) by Anonymous Coward on Thursday October 29 2015, @02:32PM
Restore your data from the NSA's copy, of course. ;-)
(Score: 2) by jimshatt on Thursday October 29 2015, @02:20PM
(Score: 1, Informative) by Anonymous Coward on Thursday October 29 2015, @02:36PM
If you know the full unencrypted data, "decryption" is trivial: Just write the unencrypted data back to its original place.
Otherwise, I'd expect them to use encryption algorithms where no known-plaintext attacks are known, so your partial knowledge probably won't help you.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @05:58PM
Theoretically let say you had one file that was the same as the stuff that had been encrypted. Could you encrypt that one file with every possible key and then compare it to the encrypted version to find the correct key?
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @11:04PM
Related question -- theoretically
What if my backups weren't current, but were good for everything a month old or older. In that month I might have changed a hundred important files. Given that I have unencrypted versions of nearly all my files (many thousands...), could that help to decrypt the recent ones that were hit by ransom ware?
Separate question -- is there any type of "inoculation" available that could run in the background and watch for (and kill) any process that was encrypting files? I don't normally encrypt any of my local files...
(Score: 2) by darkfeline on Friday October 30 2015, @12:29AM
>theoretically
>every possible key
Yes, you'll just need to wait for the heat death of the universe, and having any number of non-encrypted files makes no difference, you need a known-plaintext vulnerability for that.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @03:01PM
I've never heard of this ransomware happening on Linux.
(Score: 2) by present_arms on Thursday October 29 2015, @03:14PM
Yes
http://trinity.mypclinuxos.com/
(Score: 4, Interesting) by Runaway1956 on Thursday October 29 2015, @03:32PM
1. Linux isn't immune to anything, really. Generally, Linux users are savvy enough to avoid this kind of thing, and permissions are stricter, but Linux can be exploited.
2. You're right - several articles claim that to date, no Linux system has been hit with ransomware.
It's probably safest to assume that it will happen, but as usual, few virus writers support Linux.
ICE is having a Pretti Good season.
(Score: 3, Interesting) by jcross on Thursday October 29 2015, @04:41PM
"...as usual, few virus writers support Linux."
I love the way you put that. One case where crappy Linux support is actually a good thing.
(Score: 1) by cats on Sunday November 08 2015, @02:36AM
Surprising really considering that if ransomware started targeting EC2 instances and shutting down startups they'd probably be able to get x10 the ransom.
(Score: 2) by VanderDecken on Thursday October 29 2015, @05:58PM
The two most common elements in the universe are hydrogen and stupidity.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @07:34PM
Remember when Mac used to be "virus free" too? That stopped as soon as there were enough targets using it to make it worth attacking. At best its the same as security through obfuscation.
(Score: 0) by Anonymous Coward on Friday October 30 2015, @07:39AM
its security through...
. more switched on user base (slightly higher bar to entry)
. lack of click-through privilege escalation
. no registry
. users tend not to have admin privs and only su/sudo when necessary
. use of large vetted official software repositories (less need to download executables from third party websites)
windows is getting better though
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @04:12PM
seems like not everybody is running openbsd on their desktops/laptops
(Score: 1, Insightful) by Anonymous Coward on Thursday October 29 2015, @04:32PM
Sorry, but OpenBSD won't protect you from that type of malware. Sure, the malware could not encrypt your complete disk. But you don't care that much for the contents of /usr/bin, do you? The data you care about is usually in your user account, and especially writeable from your user account. And thus it can also be encrypted from your user account. Your user account is no better protected under OpenBSD than under any other operating system.
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @06:12PM
I have a laptop less than 10 years old, so I doubt BSD supports any of the hardware. I also have a USB mouse, so that seems unlikely to work as well.
(Score: 2) by isostatic on Friday October 30 2015, @01:53AM
What good is a secure operating system when you download and run a script
#!/bin/sh
sudo rm -Rf /
(Score: 1) by fritsd on Thursday October 29 2015, @05:17PM
This is slightly off-topic, but I have a question about backup:
Years ago, I worked for a short time as a sysadmin assistant, who was tasked with doing the daily backups for a development group (not the company's "real" backups, they had special people for that with the key to the vault).
That company had an elaborate schedule with which tapes to use for which days, which friday tapes to use for the month tape, and which tapes to send to off-site secure bunker storage.
Can you point me to such a "best practices" schedule? Because obviously, such a schedule answers a lot of questions of the form: "how to minimize the loss if the company burns down on day X of the month" and "salary processing is always on day Y so tape from day Y should have high probability to be in the month tapes box" and "what gives the highest probability that a file from 3 years 11 months ago is still on tape somewhere" and "tapes usually wear out after Z writes so then the daily tapes become the month tapes become the year tapes".
There's a humongous amount of experience tied up in such "best practices" schedules, I think.
(Score: 0) by Anonymous Coward on Friday October 30 2015, @10:11AM
This might have been a backup scheme based on the towers of Hanoi. You can find information about that if you look for backup and hanoi.
(Score: 1) by dak664 on Thursday October 29 2015, @06:11PM
You can get a secure incremental backup with just a 2x increase in storage cost and a few minutes every night. A raspberry pi can automate the process from all networked storage and needs very little attention. The beauty of incremental backup is when file(s) get encrypted or otherwise corrupted you can restore to any previous time on a new computer, within the granularity of your backup schedule.
Don't know if autobackup NAS if off-the-shelf, sounds like a good business opportunity if not. But anyone who ends up paying a ransom to get access to their own indispensible data is an idiot for trusting storage never to fail, and I would rather the FBI director had forcefully pointed that out instead of his wimpy "these things happen, pay up and move on".
(Score: 2) by bzipitidoo on Thursday October 29 2015, @07:29PM
Heck of a choice when it's pay the ransom to hack your body, or die.
Oh, wait, who are we talking about again?
(Score: 0) by Anonymous Coward on Thursday October 29 2015, @11:24PM
Remember this gem? " rel="url2html-31847">http://motherboard.vice.com/read/the-fbi-cant-find-hackers-that-dont-smoke-pot
(Score: 0) by Anonymous Coward on Friday October 30 2015, @02:34AM
But what? They always lie? More than others? Zzze Rassians?
(Score: 2) by Yog-Yogguth on Saturday October 31 2015, @11:22PM
Yeah same thought here: what do people have against RT? What is supposed to be /worse/ about RT? But I don't think that was the intention of the statement since the link to the RT story is from their RSS feed which would usually mean that Runaway1956 subscribes to it (as do I) and that he's only trying to avoid being ignored by people who still think badly of RT or are trapped in a time warp to the 1980ies.
(I guess I should point out that while I read RT, I don't watch it beyond some very short clips once in a while and don't know how big a difference there might be between the two).
As gewg has often pointed out one can almost always (and it's easy to test) remove any end part of an URL that starts with a question mark without any loss of function (it's only there to tell, in this case RT, that the origin of the URL is from someone who subscribes to their RSS). In this case it kind of served a function not to…
Sure when I grew up the journalistic integrity of places like the BBC, hell even the CNN, was either held up as shining examples or assumed to be fairly pristine. These days even those old times look like nothing but a cruel joke of a lie. It didn't get worse: it was always shit, always controlled, always massaged into a suitable shape or the least damaging. Not as bad as the old Soviet Pravda but still horribly bad.
Do I expect RT to be any better? No, but at least they're under somewhat different control (not directly under US/NATO/AnyEyes influence or outright control like goddamned everything in the west), and in practice I come across fewer “stop with the bullshit” moments (but there are still plenty, especially if/when they say the same as BBC/CNN etc.).
They do like to troll a bit though; like when they tip over into the “Look! UFOs! *chortle*” kind of stuff but that could be a good thing. Wish that also applied when they get into the occasional PC "defend islam" mode but I doubt it does.
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))