Hugh Pickens writes:
Alina Simone writes in the NYT that her mother received a ransom note on the Tuesday before Thanksgiving. “Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.” If she failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC, all of her data, would be lost forever. "By the time my mom called to ask for my help, it was already Day 6 and the clock was ticking," writes Simone. "My father had already spent all week trying to convince her that losing six months of files wasn’t the end of the world (she had last backed up her computer in May). It was pointless to argue with her. She had thought through all of her options; she wanted to pay." Simone found that it appears to be technologically impossible for anyone to decrypt your files once CryptoWall 2.0 has locked them, and so she eventually helped her mother through the process of making a cash deposit to the Bitcoin “wallet” provided by her ransomers, and she was able to decrypt her files. “From what we can tell, they almost always honor what they say because they want word to get around that they’re trustworthy criminals who’ll give you your files back," says Chester Wisniewski.
The peddlers of ransomware are clearly businesspeople who have skillfully tested the market with prices as low as $100 and as high as $800,000, which the city of Detroit refused to pay. They are appropriating all the tools of e-commerce and their operations are part of “a very mature, well-oiled capitalist machine" says Wisniewski. “I think they like the idea they don’t have to pretend they’re not criminals. By using the fact that they’re criminals to scare you, it’s just a lot easier on them.”
My thoughts exactly! Is it confirmed that it was exploited Linux machines and not average Linux users?
Give it a try - it's pretty fun if you don't get obsessed about things like passing.
If some day there's gonna be a wikipedia entry for soylentnews trolling phenomena (which is not instantly deleted), I'm gonna buy you a beer, or three. Deal?
You are thinking about the problem the wrong way around. There's no foolproof way of detecting this post-hoc, but there's a known way to make the whole point of encryption-based ransomware moot: a proper logging file/backup system that runs on higher privileges than your normal account.
Wanna know how I spot the difference, why I came up with FOSSie in the first place? It's the logic hoops.
Take the article we had on Chromebooks recently. I said they are still more restricted than a regular laptop, which is why the local Craigslist is full of them for less than $80, whereas any Worst Buy Special with Windows you can wipe and run anything from BSD to WinXP, no restrictions. That is simple, logical, verifiable, and to the point, right? If X can only run Y and Z but Y can run A-Z then X is more restricted than Y, it's just common sense.....so what did I get? A Googleite saying "Nuh uh, Chromebooks can run anything a regular laptop can!" and when I asked for a citation, because if that were true I could go grab all those $80 Chromebooks and refurb 'em? He sends me a link to a single article on how to hack a Chromebook PIXEL!! Riiight, because I HAD to be talking about the Pixel, a unit I have better odds of winning Powerball than seeing, right? After all Google isn't selling Chromebooks on price, nope, it's gotta be luxury!
THIS is how you tell the nutters from the advocates, it's the logic hoops. Nobody sane would go "He is talking about Chromebooks selling for $80, he MUST be talking about the $1600 Pixel Chromebook, right?" No different from how the FOSSie, when shown all the Linux websites hacked, shown "How to write a Linux virus in 5 easy steps", doesn't go "Ya know, this is a legitimate point, I should change my debate to take this into account" but instead breaks out a dictionary so they can argue that "it doesn't count" because it doesn't meet the first definition in the Oxford dictionary of a virus, never mind the fact the fourth definition clearly says that ALL malware is commonly called virus by the MSM; all that matters is they find a way to back up their preconceived notion! I saw the same thing when OSX got hit by MacDefender: instead of going "Yep, it's a bug, but here is why I still prefer OSX over Windows and Linux" they broke out the dictionary, because all that matters is "Apple doesn't get bugs". Like anybody who just lost their CC to MacDefender would care that it doesn't fit the classical definition.
THAT is why I came up with FOSSie, because there are FOSS advocates that aren't chock full o' crazy or treat their OS as a religion. A FOSSie? No matter how large and flaming that logic hoop is, they'll happily jump through it, as long as it backs up their beliefs, like flat earthers arguing the sat pics are faked or young earthers saying Adam rode on a dino. Oh, and if you wanna see what the end stage of FOSSieism is? Go look up Robert Pogson. I've been trying for nearly FOUR YEARS to get him to say Microsoft, or MSFT, or even MS, but because he is FOSSied so hard he has Voldemort [tmrepository.com], so all you will EVAR get is "the OS from Redmond" or "M$". I guess they think they will offend St iGNUcious if they say the name of "the enemy" or something. Total batshit dude, total batshit.
To some degrees of fanaticism, anything can become a religion.
But you can't joke with a FOSSie, just look at the post above and below you. You have one waving his little penguin flag so hard his arm is gonna break off and the other trying to redefine what a fucking virus is, despite the fact that the MSM changed the word virus to mean malware over a fucking decade ago.
Trying to joke with FOSSies is like trying to joke with religious nutters, it's just not a good idea.
And if the terminal that processes that prepaid card says [Call police!], then together with a security camera they have lost their anonymous presence?
Need I say more? 99.9% of computer problems and accidents are prevented with backups.
how to write a Linux virus
Virus == self-replicating
Something that doesn't automagically spread from box to box is NOT a virus.
Malicious script != virus
PURPOSELY giving something executable privileges then PURPOSELY running it in no way resembles a Windoze drive-by infection.
You've been told BEFORE that that link's title is crap, yet you continue to point to it. That is called TROLLING.
...and what a crap page (construction-wise). It won't allow me to link to my favorite comment there (by diddy).
Felice right below him hits the points I would have made.
Now, if Linux *was* so easy to infect, Google (with over 1e6 machines running Linux) would constantly be flat on its face and would be in the headlines for that on a recurring basis. Doesn't happen.
Were it only so simple. They typically require you to go down to your local grocer/convenience store and buy MoneyPak or similar product for the stated dollar amount and enter the numbers you get on the paperwork. It's probably even less traceable than Bitcoin, although I haven't researched that angle.
I know your post is just coming from the camp that's sick of hearing "use linux to solve all your security problems no matter how ignorant you are of them," but I WAS just joking...
You know, I've done that a million times in python and have never even considered the lack of execution bit before... Surely that part could be facilitated through as much social engineering as getting someone to open a sketchy attachment though.
"To view your invoice in Ubuntu, please follow these easy directions: Save the sh file to your hard drive, type in Terminal from Unity, and then type the command "sh badtimes.sh"."
What would be really cool is if you could come up with some sort of single file that could be malicious in both linux and windows. A naughty pdf that had some sort of script embedded at the top of it or something. I'm sure most file types are pretty touchy about their header information, but there's probably at least one out there that would allow it. I know mp3s let you embed all kinds of crazy stuff in them, but I don't know if you can put it at the top of the file.
News Flash ALL OSes CAN BE HACKED
Maybe. However, some of us prefer to start with our pants up rather than our pants down.
I guess you are a lot better off than me. I would call $525 plus the stress of the situation a consequence and I'm not sure you can assume that the mother will not change her (in)actions.
Not paying out of spite is not the same as sacrificing for others.
Fun Fact: Show me one Linux PC user that got the CryptoWall ransomware. It might have been spread by Linux servers but it only infected Winblows and Moc PCs. Show me the proof that a Linux end user got it.
Seems like in this case they only encrypted certain files (way more than 5,726 files in C:\Windows alone). They want you to still be able to use the computer to make the payment... Clearly the solution is to stick all of your files (or backups, hah!) in that and similar folders!
An interesting angle to view the matter from. I agree that the former would provide some valuable insight into just how effective ransomware actually is; it's definitely preferable to the security sensationalism that has plagued many tech sites in recent years.
I'm not so sure that the situation getting worse would in itself lead to an improvement though, no matter how bad things could get - taking into account just how humble most malware was just 20 years ago (it was usually much more destructive, I'll give it that) to the BIOS-patching, HDD sector masking incarnations of TDSS that're out there today.
If the drive is permanently attached to the computer, then all that will get you is your backups encrypted by the malware as well.
But... but.. the file was sent to me from a customer! I know about viruses but I had to open it just in case it was something important!
Actual quote from my mother ^^
invoice.exe via Skype
And then she insisted on continuing to use her PC online because "she has work to do!", and also the virus did not seem to do anything, so "it should be okay". Only after I told her she could kiss goodbye any credit card or bank account accessed from this computer did she eventually get the message. Some people learn only if they absolutely have to.
I don't think it will help much if she resists paying. Maybe it's cynical, but by paying she makes the loss through insecure systems quantifiable. We just need a hotline to collect information on victims and how much they actually paid. Consider the following headlines:
To me the first headline sounds like a credible reason to increase spending on security improvements; the second sounds like some people whining and exaggerating. Maybe it has to get worse before it gets better. (I don't like the criminals earning money either, but I also don't think it's the mother's task to heal the world.)
it's called Copy-on-write (COW) and has been standard in industry for decades but is possible to install at home (using Linux or Solaris).
I am using ZFS on linux, and so far (fingers crossed!!) it has been very stable. The native FS BTRFS for linux is almost ready for use (IMHO).
The point is you don't need to run Linux as your desktop; simply put all your important files on another machine and use a network filesystem.
Hence, if the cryptoware runs amok on your desktop, you have at least one layer of indirection to prevent the loss of data.
Of course, if you are able to setup a system like this, you probably are more cautious...
I've been migrating from Debian to FreeBSD over the systemd thing at home and work. Devuan is coming, but I've already gone, sorta. Anyway ZFS to the rescue.
If I understand your question correctly, if you're running freebsd on zfs, and if you're doing daily snapshots as some kind of "admin disaster recovery scheme" (hopefully not your only backup or DR plan, either) then running
zfs list -o space -r rpool
I think the used column for each snapshot is the amount of unshared data in that specific snapshot. That would be both a canary to let you know something crazy happened and also rolling back to an older snapshot would quite effectively fix things.
So... make snapshot, change 10 megs, repeat 5 times, you'll have 5 snapshots listed each 10 megs in "used" because exactly 10 megs changed.
I suppose if you estimate you have 250 gigs of "stuff" and a cron job found today's zfs allocation showed more than 25 gigs changed, then it could freak out.
One obvious problem is the way your "virus" got access to F up your files is probably by owning the OS as root, so you can't trust ZFS. Probably the first thing a competent virus writer would do is wipe all the ZFS snapshots. Then again what if I'm storing my backups of my AFS data on a freebsd box that isn't exploited... Sure own my desktop, puppet will make me a new one in 10 minutes, but owning both a freebsd backup server and a linux desktop simultaneously might be a challenge...
A well written virus would of course only encrypt 1% per day in order of oldest atime, so you wouldn't notice until it's too late, and then this strategy wouldn't work.
Another thing you could look into is the immutable flag. I think only root can set it such that root can't mess it up which is what you'd need if you got owned. chflags and the attributes are like simmutable or s_immutable or immutable_s or something don't remember exactly.
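The cron-job canary sketched in the post above, written out as an added example (my code, not the poster's). It assumes daily snapshots of a dataset named rpool/home and reads `zfs list -H -p -t snapshot -s creation -o name,written,referenced`, using each snapshot's `written` property instead of the `used` column from the post's `zfs list -o space`: `used` only counts blocks unique to that one snapshot, while `written` counts everything written to the dataset between it and the previous snapshot. It goes one step past the post by also summing `written` over a trailing window, which is the check you need against the "encrypt 1% per day" case the post itself raises. The dataset name, the thresholds and the sample numbers are assumptions; the sample `zfs list` output is constructed inline.

```python
"""Snapshot-delta canary for a ZFS dataset (added example, not from the post
it follows). Parses the output of

    zfs list -H -p -t snapshot -s creation -o name,written,referenced -r rpool/home

where `written` is the bytes written to the dataset between the previous
snapshot and this one, and `referenced` is the data the snapshot can see.
A bulk rewrite of user files shows up as a large written/referenced ratio in
a single snapshot; a slow rewrite shows up in the sum over a trailing window.
"""
import subprocess
from collections import namedtuple

Snap = namedtuple("Snap", "name written referenced")


def parse_zfs_list(text):
    """Parse tab-separated `zfs list -H -p` output into Snap tuples (in the
    order printed, which `-s creation` makes oldest-first)."""
    snaps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, written, referenced = line.split("\t")
        snaps.append(Snap(name, int(written), int(referenced)))
    return snaps


def check_snapshots(snaps, single_threshold=0.10, window=7, window_threshold=0.15):
    """Return a list of (kind, snapshot_name, ratio) alerts.

    kind == "single": this one snapshot rewrote more than single_threshold of
                      the referenced data (the "25 GiB of 250 GiB" case).
    kind == "window": the last `window` snapshots together rewrote more than
                      window_threshold, which catches a "1% per day" rewrite
                      that never trips the single-snapshot check.
    Thresholds are assumptions; tune them to your own daily churn.
    """
    alerts = []
    for i, s in enumerate(snaps):
        if s.referenced == 0:
            continue
        ratio = s.written / s.referenced
        if ratio > single_threshold:
            alerts.append(("single", s.name, ratio))
        if i + 1 >= window:
            recent = snaps[i + 1 - window:i + 1]
            wratio = sum(r.written for r in recent) / s.referenced
            if wratio > window_threshold:
                alerts.append(("window", s.name, wratio))
    return alerts


def live_check(dataset="rpool/home"):
    """Run the real command; only meaningful on a ZFS host with snapshots."""
    out = subprocess.run(
        ["zfs", "list", "-H", "-p", "-t", "snapshot", "-s", "creation",
         "-o", "name,written,referenced", "-r", dataset],
        check=True, capture_output=True, text=True).stdout
    return check_snapshots(parse_zfs_list(out))


# Constructed samples: a ~250 GiB dataset with one snapshot per day.
REF = 250 * 2**30


def _sample(writtens, start_day=20):
    return "\n".join(f"rpool/home@auto-2014-12-{start_day + i:02d}\t{w}\t{REF}"
                     for i, w in enumerate(writtens))


QUIET = 200 * 2**20                                    # ~200 MiB/day of normal churn
SAMPLE_QUIET = _sample([QUIET] * 7)                    # nothing to report
SAMPLE_BURST = _sample([QUIET] * 6 + [40 * 2**30])     # 40 GiB rewritten in one day
SAMPLE_SLOW = _sample([int(REF * 0.03)] * 7)           # 3% per day, every day

if __name__ == "__main__":
    for label, sample in (("quiet", SAMPLE_QUIET), ("burst", SAMPLE_BURST), ("slow", SAMPLE_SLOW)):
        print(label, check_snapshots(parse_zfs_list(sample)))
```

Run it from a host the desktop cannot write to (a backup server holding snapshots received over `zfs send`/`zfs recv`), since, as the post notes, anything with root on the desktop can simply destroy the local snapshots before the measurement happens.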
I'll just leave this here.. How to write a Linux virus in 5 easy steps [geekzone.co.nz] along with the follow up [geekzone.co.nz] that covers the BS excuses those that want to wave a penguin flag will use.
News Flash ALL OSes CAN BE HACKED, and the same tricks used to hack Windows users, social engineering, work perfectly on Linux and OSX as well. Anybody tells you different? Is using "magical thinking", which is nothing but snake oil and bullshit. It's just the classic "use X and you can't be hacked" with X being anything from routers and VPNs to firewalls and OSes. It's all magical thinking because there is no magical hack-free button, and if you honestly think Linux will magically protect you? Guess again [slashdot.org] and it's not a fluke [slashdot.org] by any means [theregister.co.uk].
She paid so as not to face the consequences of her (in)actions, will heed some advice for a few months and then promptly fall back to past behavior patterns. The cycle will eventually repeat anew and she'll more than likely get burned again, perhaps even by the same chaps once they cook up their next little scheme.
What makes you so sure that you would sacrifice so that others' incompetence isn't taken advantage of?
Good and old fashioned defiance, mostly.
Why the hell did they do that? Linux machines targeting MS and Sony - They just had to ask!
I missed the part where the mother was expecting someone else to pay. The mother made a decision to pay the ransom so she would not lose her files. Why should she care about any future victims when they have no reason to care about her? "Reality isn't always a nice place", so fuck the future victims. They can learn from their own mistakes. What makes you so sure that you would sacrifice so that others' incompetence isn't taken advantage of?
Tyranny of the default, which I think was coined by Steve Gibson, means that the default environment must be secure because the vast majority of users don't ever touch the settings. They don't customize or adjust hardly anything. This is why there was such a kerfuffle over the Do Not Track header. Advertisers knew if it was on by default, it would stay on because no one goes into the settings and considers it. If it's off (or undefined) by default, no one will go into the settings and consider turning it on.
If your environment required the user to take over after install and actively participate in the security of the machine, you've just created a guaranteed fail state some time in the future. Most users can't be trusted to do this, and don't NEED to be given this level of trust to accomplish their work.
Well, mainstream badware for Linux has kind of been long in the coming now.
Because it's harder to do. It's not enough to get the executable on your disk, you have to mark it executable as well. You might be able to do this with a running process in a browser, or a script in a pdf, but, like I mentioned, you have to break the sandbox to do that, and all the low hanging fruit has been trapped out.
If you are running Security Enhanced Linux, you can prevent anything in the user's directory from being executed. Same with Mac ACLs.
The problem comes with script languages. With scripts, all you have to do is launch the script handler, and point it at the script. Many of these scripting languages do not require the execute bit set on the script itself:
echo "echo Hello World" > helo
sh helo
This kind of thing still relies on browser sandboxing to protect against it.
Stick a 32GB drive at the back and: http://windows.microsoft.com/en-us/windows/set-change-automatic-backup-settings [microsoft.com]
Won't help if PC gets badly zapped/burned up but still better than nothing.
Gets mad at you because she is lazy. Every user ever.
As of 2013 Linux people were claiming not to have heard of anything happening to Linux: http://www.everydaylinuxuser.com/2013/12/16-ways-to-beat-cryptolocker-and.html [everydaylinuxuser.com]
I found this but it's just someone's browser being locked up; mv .mozilla .mozilla.save fixed it: http://forums.linuxmint.com/viewtopic.php?f=90&t=143453 [linuxmint.com]
It's just the cost of doing business with Micro$oft.
I'll give that an unanimous yes. Reality isn't always a nice place, for that matter it usually is anything but. People should learn their lesson, practice safe computing or perish (computers are almost inseparable from real life nowadays, and people should begin treating them as such). If I were to get burned due to my own incompetence or neglect I wouldn't expect quarter from anybody either - because it's my fault at the end of the day.
I bought her a brand new 32 GB, Corsair Flash Voyager, then offered to teach her to how to use it to perform backups. She just got angry with me.
I figure she wants me to back up her computer for her. "Mom, I'm not always going to be around to take care of your computer for you. Hard disks drop dead all the time, you'd lose everything you've ever done on it."
Taint the money?
There are alternatives to Windows, Mac OS X and Linux..
In the end there needs to be some competence behind the screen regardless of OS.
The protection needs to be at filesystem level not block level to be really useful. Or you need to restore the whole filesystem image.
How are these binaries supposed to be installed "directly" ..?
Compartmentalized system could perhaps work with existing systems that have multi-core CPUs and use IPC ..? Or some proven microkernel. Because one needs to lock down hardware like harddisk and network to a specific core which could be corrupted at boot (or by spy-bios).
So victims should sacrifice for the greater good? Easy to say when your ass isn't on the line.
Well, mainstream badware for Linux has kind of been long in the coming now. It wouldn't surprise me if you're 100% right.
Solution: Wipe winblows off the hard drive...
Fun fact: The 100,000+ machines that DDOS'd Sony and Microsoft were all exploited Linux machines.
Probably because said entities are in bed together, or at least filling their piggy bank. Joe Schmo doesn't mean jack to them.
What's really been frosting me over the past couple of weeks is this sudden interest the US government has in such things when *Sony* becomes a victim.
I have spent YEARS of my life cleaning crap like this up without so much as a peep from the FBI, FTC, etc.
By paying the ransom you've shown these folks that their business model does indeed work and have further contributed to its continued prevalence, ensuring that many more will fall victim to this very sham in the future. Godspeed to you people.
Hugh Pickens is the new Roland Piquepaille [wikipedia.org], he pumps this shit out as click bait for his own blog and his paid clients.
He's a cross dresser. Oops, I mean cross poster.
Solution: Wipe winblows off the hard drive, install one of the flavors of Linux, stop browsing porn websites.
Not really. The best solution is to have data in more than one place, at one time, and with different versions when you can't entirely trust your computing environment. Online backup can remember different versions. This was 7 days from the notice, and I've set up 30 days for individual files as a policy before. I don't think the encryption can be any more damaging than a disgruntled employee, so you can easily get your data back even if heavily modified data is sent repeatedly during those 7 days. Took me 3 minutes to restore all of the employee's data, profile, emails, etc. along with what they deleted off the shared folders.
Of course there's an associated cost with this, but you do get the benefit of cross platform backups and zero knowledge storage. In order to prevent hijacking of the backup software possessing the encryption keys, I run that externally as another server accessing my data over the network. Although typically, anything really important and sensitive is stored on NAS and not on local storage in the first place.
Overall, I think moving towards well protected journaling file systems (the online backup is just ZFS with a custom manager) that are possibly set up at the hardware level to only record changes will be the only way to do it. This way attackers are just simply unable to prevent access to older copies. Once we get there it's not all that much to add some logic and firewall rules preventing any number of changes over X files with an average timestamp delta of Y coming from domain Z without escalating privileges. We've had these abilities with database platforms for some time, and it seems like it would be appropriate to apply some of that knowledge when we can't really trust our systems anymore. If that much data is going to be changed, is it not appropriate to raise a modal dialog box (like UAC) and ask the user to commit the changes? You screw up on a well implemented and maintained database you can just go back through transaction logs and rebuild to the last known point with no corruption. No extortion required, just competent IT.
It may come down to just how much effort we really want to spend to store and work with data. We could take a page from Intel and start creating true multicore systems with shared distributed memory where we get to compile and install our own binaries into them directly. I imagine something like USB storage on the board, and to provision your system you physically add your encryption keys to one module, memory core to another, file system to another, etc. Under normal conditions an attacker could never hope to control your data since they might wait months or a year before somebody swapped out the storage firmware. Let's finally separate out all the components of a system (probably sacrificing some performance) and have them run physically isolated with their own kernels and memory, but able to modify shared resources. You could even create the whole thing like a key that needs to be inserted into the motherboard to load your OS, and modifying your key requires loading a special OS from the key (physical switch) solely designed for updates from authenticated repositories and adding code modifications with its built-in IDE. I would like to see storage abstracted away into a souped-up secure version of iSCSI targets with the codebase and processes running it completely inaccessible to the module accessing it. Right now, the same processor is running the iSCSI drivers that is running userspace.
We could try it all virtually, but there are known weaknesses where encryption keys can be weakened in one guest OS from another guest OS through side channel attacks against the host. I'm not convinced this will ultimately be as secure as a system with modular bare metal security, or that such bare metal security is not well suited for its own virtualization environments that have truly separated resources.
since we are smaller - at least post first!
Probably no karma penalty, it was on target and mildly funny to boot.
However, that said, I've heard it alleged that there are versions of this encryption virus that can affect linux. Don't know how it works, but you have a running process either in a pdf reader, or a browser, and if you can break the browser's sandbox (not that hard, I've been told), you would be off to the races, at least for that user's directory.
Stop opening random attachments to email?
The encryption software these people use operates in the background, as a slow process, so you don't notice it's happening. (It avoids system areas, at least initially).
Forgot to AC up. That's... gonna be some karma burn there.
Well, as I understand it, Debian is the easy to use Linux distro especially made for tech illiterate moms on the go. I mean, most distros will clog your hard drives (or as the people from Debian call them, "the computer") and clutter up your life in general with unnecessary things like log files, debugging tools, and annoying options like "bypassing the start screen". Who has time for THAT, am I right?
Not no more. With Debian, your days of having those things available is over!
I never open attachments or click links in email, and even when I get unexpected attachments from people I know, I only look at them on Linux. And then only with tools I trust.
Neither the summary nor the story explained how she got hacked, but we can guess: Windows. Never saw a link or an attachment she didn't click.
She was ahead of most. She actually had a 6-month old backup.
Is there anything out there that would stop something from encrypting your data? I know data has to be read, and written, so how would something go about seeing if a file were being encrypted instead of just written to?
Not an answer I can think of but there are far better minds out there than mine when it comes to this.
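One answer to the question above (and to the earlier wish, in the ZFS/online-backup post, for logic that flags bulk changes across many files), as an added example that is not from any post on this page: at the block level a write is a write, but at the file level ciphertext has a statistical signature that a normal document does not. The code below computes Shannon entropy per byte of a file's head, excuses formats whose payload is legitimately near-random by their magic bytes, and reports what fraction of a set of recently changed files looks encrypted. The thresholds, the magic-byte table and the function names are my assumptions; the sample inputs are constructed inline.

```python
"""Heuristic "is this file being encrypted rather than just written?" check
(added example, not from any post on this page).

Two signals file-level ransomware leaves behind that an ordinary edit does not:
  1. the new contents are near-random (Shannon entropy close to 8 bits/byte)
     while the file does not announce, by its magic bytes, that it is a
     format that is already compressed, and
  2. many files change that way inside a short window.
"""
import gzip
import math
import os
import time
from collections import Counter

# Magic bytes of formats whose payload is legitimately high-entropy; a file
# starting with one of these is not evidence of encryption by itself.
# (Assumed table, extend for your own environment.)
HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"7z\xbc\xaf": "7z",
    b"\x28\xb5\x2f\xfd": "zstd",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte (assumed); plain text sits around 4-5
MIN_SAMPLE = 256          # below this the statistic is meaningless


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_compressed(data):
    """Name of a known compressed format if `data` starts with its magic, else None."""
    for magic, name in HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_encrypted(data, sample=65536):
    """True when the leading `sample` bytes are near-random and the file does
    not identify itself as a compressed format."""
    head = data[:sample]
    if len(head) < MIN_SAMPLE or known_compressed(head):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def suspicious_fraction(files):
    """files: {name: bytes}. Fraction of the set that looks encrypted; a
    ransomware run pushes this toward 1.0, normal work keeps it near 0."""
    if not files:
        return 0.0
    return sum(looks_encrypted(d) for d in files.values()) / len(files)


def scan_recent(root, newer_than_seconds=3600, sample=65536):
    """Walk `root`, read the head of every file modified in the window, and
    return the suspicious fraction. Real-filesystem helper; not exercised by
    the constructed samples below."""
    cutoff = time.time() - newer_than_seconds
    heads = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime >= cutoff:
                    with open(path, "rb") as fh:
                        heads[path] = fh.read(sample)
            except OSError:
                continue
    return suspicious_fraction(heads)


# --- Constructed sample inputs ---------------------------------------------
TEXT = b"Quarterly figures, see attached spreadsheet.\n" * 200   # ordinary document
RANDOM = os.urandom(4096)                                        # stand-in for ciphertext
GZ = gzip.compress(b"x" * 1000 + os.urandom(2000))               # legitimately high-entropy


def demo():
    return {
        "report.txt": looks_encrypted(TEXT),
        "report.txt.encrypted": looks_encrypted(RANDOM),
        "archive.gz": looks_encrypted(GZ),
    }


if __name__ == "__main__":
    print(demo())
```

The per-file verdict is only a hint: a zip or jpeg without its header would look "encrypted", and a family that keeps the first bytes of each file intact, or compresses before encrypting, slips past the single-file test. That is why the signal worth alerting on is the fraction of recently changed files that trip it, not any one file, and why the versioned backup the earlier posts describe is still the thing that actually gets the data back.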