posted on Wednesday January 25 2017, @09:51AM
from the we-don't-negotiate-with-terrorists dept.

Apparently it's the library's turn to pay a fine.

Libraries in St Louis have been brought to a standstill after computers in all the city's libraries were infected with ransomware, a particularly virulent form of computer virus used to extort money from victims.

Hackers are demanding $35,000 (£28,000) to restore the system after the cyberattack, which affected 700 computers across the Missouri city's 16 public libraries. The hackers demanded the money in electronic currency bitcoin, but, as CNN reports, the authority has refused to pay for a code that would unlock the machines.

As a result, the library authority has said it will wipe its entire computer system and rebuild it from scratch, a solution that may take weeks.


  • (Score: 2) by number6 (1831) on Wednesday January 25 2017, @03:56PM (#458510) Journal

    [Assuming the target is a computer running a Windows OS]

    If I had backups of these files from the system drive (generated once a week by a scheduled task):

        - The master file table (MFT)
        - The master boot record (MBR)
        - The system Registry hives: "DEFAULT | SAM | SECURITY | SOFTWARE | SYSTEM"
        - The userprofile Registry hive: "NTUSER.DAT"
        - The system file: "BOOT.INI"

    Is it always possible to recover from ransomware attacks?

    If it is not always possible to recover from ransomware attacks, then what am I missing to make this (simple) system recovery strategy resistant to ransomware?

     
    I went to Wikipedia and had a look at the article on Ransomware (https://en.wikipedia.org/wiki/Ransomware) and noticed that the more vicious strains of Ransomware like to encrypt the filesystem.

    Technically, what exactly does "encrypt the filesystem" mean? What files or objects or things are being touched? How exactly does this process cascade? Is there some simple way of mitigating the process (apart from cloning the drive)?

    The simple strategy of backing up those system files I mentioned above has actually saved me many times.

    However, if I was an organization or I gave more of a shit about this, I would also be installing the program "Deep Freeze" (www.faronics.com) which would roll the system back to a snapshot state on every reboot.

     
    --

    Q: "So how do you back up all those system files while your OS is running, how do you overcome 'access denied' messages"?

    A: I use this command-line tool which copies raw sectors off the disk, bypassing the operating system handles:

    RawCopy
    (c) Joakim Schicht  -  https://github.com/jschicht/RawCopy
     
    This is a console application that copies files off NTFS volumes by using a low-level disk reading method. It lets you copy files that usually are not accessible because the system has locked them. For instance the registry hives like SYSTEM and SAM. Or files inside the "System Volume Information". Or pagefile.sys. Or any file on the filesystem. It supports input file specified either with full file path, or by its $MFT record number (index number).
     
    Example for copying the pagefile off a running system
    "RawCopy.exe C:\pagefile.sys E:\output_folder"
     
    Example for copying the SYSTEM registry hive off a running system
    "RawCopy.exe C:\WINDOWS\system32\config\SYSTEM E:\output_folder"
     
    Example for extracting the $MFT (master file table) by specifying its index number
    "RawCopy.exe C:0 E:\output_folder"
     
    Example for extracting MFT reference number 30224 and all attributes including $DATA, and dumping it into 'C:\tmp' folder:
    "RawCopy.exe C:30224 C:\tmp -AllAttr"

    --

    Q: "What other tools do you use"?

    A: These are useful to have in the kit:

    BOOTICE
    www.ipauly.com - modify, backup and restore the Master Boot Record (MBR) and Partition Boot Record (PBR) and Partition Table from local drives or USB flash drives. Works in GUI and Console modes.
    MBRFIX
    www.sysint.no/mbrfix - Console tool - easily back up the master boot record (MBR). Example: "mbrfix.exe /drive 0 savembr C:\output_folder\MBR.BIN"
    WRR
    (WindowsRegistryRecovery) - www.mitec.cz/wrr.html - GUI tool - load, read and explore Windows registry hives and extract information from them; you can also export selected items to REGEDIT formatted files.
    WizTree
    www.antibody-software.com - GUI tool - Disk Space Analyzer, Filesystem Viewer, MFT Viewer, Master File Table Dump, View Hidden-Special System Folders and Files - VERY FAST! WizTree reads the master file table (MFT) directly from NTFS formatted volumes (similar to the way 'Everything' program works).
  • (Score: 2) by Scruffy Beard 2 (6030) on Wednesday January 25 2017, @04:50PM (#458525)

    "Encrypt the filesystem" means that they scramble all of the files the user has access to in a specific way that only the attacker knows how to reverse.

    This can include online backups.

    • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @05:05PM (#458532)

      That is why I pull backups, not push them.

      • (Score: 2) by Gaaark (41) on Wednesday January 25 2017, @05:24PM (#458540) Journal

        I always pull back.
        But then I push forward again.
        Then I do it again. And again.
        It's fun.

        Wait. What are we talking about?

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
      • (Score: 1) by Scruffy Beard 2 (6030) on Wednesday January 25 2017, @08:04PM (#458625)

        I think pushing via sneakernet can be secure.
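
    A worked illustration of the two points made in this sub-thread (what "encrypt the filesystem" actually touches, and why a backup the server pulls survives while one the workstation pushes may not), added here as an example; it is not code anyone in the thread posted. The cipher is a throwaway SHA-256 keystream XOR standing in for whatever a real strain uses, and the account name, the paths (C/Users/alice/Documents, Z_push_share, pull_server) and the file contents are all constructed for the demonstration.

```python
"""Toy model of a file-encrypting ransomware run against a user's documents,
a mapped drive the workstation pushes backups to, and a server that pulls
backups with its own credentials.  Added example, not code from the thread.
Everything below lives in a throwaway temporary directory."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Callable, Dict, List


def _keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    # Toy stream cipher: XOR with SHA-256(key || nonce || counter).  Not for
    # real use; it only shows that "encrypting" a file is rewriting its bytes
    # under a key the victim never receives.
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_tree(root: Path, key: bytes, can_write: Callable[[Path], bool]) -> List[str]:
    """Walk `root` the way a file-encrypting strain does: every regular file the
    victim account can write is overwritten in place.  Directory entries (what
    $MFT records) are untouched, so a saved MFT alone recovers nothing."""
    hit = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or not can_write(p):
            continue
        nonce = hashlib.sha256(str(p).encode()).digest()[:8]  # per-file nonce
        p.write_bytes(_keystream_xor(p.read_bytes(), key, nonce))
        hit.append(p.relative_to(root).as_posix())
    return hit


def inventory(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of content.  Names survive an attack; hashes do not."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well under 6, ciphertext close to 8.  A push
    backup job can use this to refuse to overwrite a good copy with a scrambled one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def restore_from(backup: Path, target: Path) -> int:
    """Copy every file under `backup` back under `target`; returns the count."""
    n = 0
    for src in sorted(backup.rglob("*")):
        if src.is_file():
            dst = target / src.relative_to(backup)
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes(src.read_bytes())
            n += 1
    return n


def demo() -> dict:
    base = Path(tempfile.mkdtemp(prefix="ransim_"))
    docs = base / "C" / "Users" / "alice" / "Documents"  # the victim's files (constructed)
    push = base / "Z_push_share"                         # mapped drive the PC pushes copies to
    pull = base / "pull_server"                          # server that logs in and pulls copies
    sample = {"report.docx": b"Q4 figures: " + b"hello " * 200,   # constructed content
              "notes.txt": b"library branch hours\n" * 50}
    for d in (docs, push, pull):
        d.mkdir(parents=True)
        for name, body in sample.items():
            (d / name).write_bytes(body)
    before = inventory(base)
    ent_before = shannon_entropy((docs / "report.docx").read_bytes())

    # Assumption: alice's account can write her documents and the mapped push
    # share but has no rights on the pull server.  Modelled as a predicate rather
    # than os.access() so the outcome is the same when this runs as root/admin.
    victim_can_write = lambda p: pull not in p.parents
    touched = encrypt_tree(base, key=os.urandom(32), can_write=victim_can_write)
    after = inventory(base)
    ent_after = shannon_entropy((docs / "report.docx").read_bytes())

    restored = restore_from(pull, docs)
    recovered = all((docs / n).read_bytes() == b for n, b in sample.items())
    result = {
        "names_unchanged": set(before) == set(after),
        "touched": len(touched),
        "push_encrypted": any(t.startswith("Z_push_share/") for t in touched),
        "pull_intact": all(before[k] == after[k] for k in before if k.startswith("pull_server/")),
        "entropy_before": ent_before,
        "entropy_after": ent_after,
        "restored": restored,
        "docs_recovered": recovered,
    }
    shutil.rmtree(base)
    return result
```

    Calling demo() shows the directory tree (every name the MFT knows about) intact afterwards while the documents and the pushed copies are ciphertext; only the pull server, which the infected account could not write to, still holds usable data, and restoring from it brings the documents back. The entropy check is the cheap guard a push job can add so that it does not overwrite a good copy with a scrambled one.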

  • (Score: 2) by tibman (134) Subscriber Badge on Wednesday January 25 2017, @06:55PM (#458591)

    For backups I would suggest you focus on your actual data and not operating system files. Reinstalling Windows is no big deal and something that has to be done periodically anyways. If you want to preserve your OS then I'd suggest doing a full-disk backup and not selective OS files. If you get some kind of malware then you really should format and reinstall. The malware could have put in a rootkit that you can't even see. Linux is a little different, imo. If you can verify they never had root and couldn't escalate then a clean-up is fine. I still reformat though : )

    --
    SN won't survive on lurkers alone. Write comments.