SoylentNews is people
SoylentNews
Alina Simone writes in the NYT that her mother received a ransom note on the Tuesday before Thanksgiving.“Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.” If she failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data would be lost forever. "By the time my mom called to ask for my help, it was already Day 6 and the clock was ticking," writes Simone. "My father had already spent all week trying to convince her that losing six months of files wasn’t the end of the world (she had last backed up her computer in May). It was pointless to argue with her. She had thought through all of her options; she wanted to pay." Simone found that it appears to be technologically impossible for anyone to decrypt your files once CryptoWall 2.0 has locked them and so she eventually helped her mother through the process of making a cash deposit to the Bitcoin “wallet” provided by her ransomers and she was able to decrypt her files. “From what we can tell, they almost always honor what they say because they want word to get around that they’re trustworthy criminals who’ll give you your files back," says Chester Wisniewski.
The peddlers of ransomware are clearly businesspeople who have skillfully tested the market with prices as low as $100 and as high as $800,000, which the city of Detroit refused to pay. They are appropriating all the tools of e-commerce and their operations are part of “a very mature, well-oiled capitalist machine" says Wisniewski. “I think they like the idea they don’t have to pretend they’re not criminals. By using the fact that they’re criminals to scare you, it’s just a lot easier on them.”
(Score: 2) by VLM on Monday January 05 2015, @01:08PM
I've been migrating from Debian to FreeBSD over the systemd thing at home and work. Devuan is coming, but I've already gone, sorta. Anyway ZFS to the rescue.
If I understand your question correctly, if you're running freebsd on zfs, and if you're doing daily snapshots as some kind of "admin disaster recovery scheme" (hopefully not your only backup or DR plan, either) then running
zfs list -o space -r rpool
I think the used column for each snapshot is the amount of unshared data in that specific snapshot. That would be both a canary to let you know something crazy happened and also rolling back to an older snapshot would quite effectively fix things.
So... make snapshot, change 10 megs, repeat 5 times, you'll have 5 snapshots listed each 10 megs in "used" because exactly 10 megs changed.
I suppose if you estimate you havel 250 gigs of "stuff" and a cron job found today's zfs allocation showed more than 25 gigs changed, then it could freak out.
One obvious problem is the way your "virus" got access to F up your files is probably by owning the OS as root, so you can't trust ZFS. Probably the first thing a competent virus writer would do is wipe all the ZFS snapshots. Then again what if I'm storing my backups of my AFS data on a freebsd box that isn't exploited... Sure own my desktop, puppet will make me a new one in 10 minutes, but owning both a freebsd backup server and a linux desktop simultaneously might be a challenge...
A well written virus would of course only encrypt 1% per day in order of oldest atime, so you wouldn't notice until its too late, and then this strategy wouldn't work.
Another thing you could look into is the immutable flag. I think only root can set it such that root can't mess it up which is what you'd need if you got owned. chflags and the attributes are like simmutable or s_immutable or immutable_s or something don't remember exactly.