[HN Gopher] The Worsening State of Ransomware
___________________________________________________________________
The Worsening State of Ransomware
Author : tmfi
Score : 102 points
Date : 2021-03-22 17:03 UTC (5 hours ago)
(HTM) web link (cacm.acm.org)
(TXT) w3m dump (cacm.acm.org)
| hn_throwaway_99 wrote:
| The article briefly touches on this, but my belief is the one
| thing that may eventually "take down" cryptocurrency is
| ransomware.
|
| That is, ransomware as it exists today is _only_ possible because
| secure, anonymous, non-reversible methods of payment exist in the
| form of cryptocurrency. Things like bearer bonds were outlawed
| decades ago because of a similar desire to make large anonymous,
| easily transportable payments impossible.
|
| Honestly, if anything, I see ransomware as probably the primary
| use case today for crypto besides speculation.
| bradleyjg wrote:
| Crypto, or at least bitcoin, is not anonymous. On the contrary
| the payment trail is there for the whole world to see.
| Governments could blacklist those coins such that no exchange
| or legitimate vendor would ever take them. They choose not for
| whatever reason but not because the technology offers
| anonymity.
| lucasmullens wrote:
| If there's a centralized government blacklist of certain
| bitcoins that everyone has to follow, doesn't that defeat the
| point of cryptocurrency?
|
| Also a hacker could just buy something with the coins between
| the time the victim sends the money and the time the
| government is notified.
| pinkybanana wrote:
| There are already blacklists and sanctioned bitcoin
| addresses. It might defeat your point of bitcoin, whatever
| that is, but not mine... There is no universally agreed
| "point of BTC".
| bradleyjg wrote:
| Depends on what you think the point of cryptocurrency is.
| I've heard a lot of different explanations over the years.
| I believe the most popular one currently is an inflation
| resistant store of value, which should be compatible with
| blacklists.
|
| As for timing, either blocking spending or tracing the
| transaction back to a person is equally valuable as a
| deterrent.
| GauntletWizard wrote:
| Here's how blacklists destroy your "store of value"
| argument: Transactions don't require the receiver's
| consent. It's easy to find large wallets (wallet balance
| is public record), and then once you've carried out your
| ransomware attack and gotten paid, your black wallet
| sends to whatever poor schmuck you want to destroy.
| Because sends blacken anything they touch, you've just
| turned a lot of money into nothing, at the cost of
| whatever action it took to get that wallet blacklisted in
| the first place.
| bradleyjg wrote:
| The blacken anything it touches wasn't my argument.
| Investigate everything it touches, yes, but if it turns
| out to be no connection you just confiscate the proceeds
| of a crime and move on.
| pinkybanana wrote:
| It is quite difficult to have a global, functioning blacklist
| system. I would guess, for example, some country in Asia might
| have quite a different blacklist compared to, let's say, some
| country in Europe.
|
| From the criminals' perspective, they probably have money
| launderers on darknet markets who are willing to take the
| dirty crypto, deduct their hefty fee and offer clean crypto
| instead.
| bradleyjg wrote:
| A bitcoin that couldn't be spent anywhere outside of e.g.
| China would be far less valuable than one that could be
| spent anywhere. At very least this would reduce the
| profitability of ransomware attacks.
| pinkybanana wrote:
| How much less valuable exactly would you estimate? These
| markets for dirty bitcoins probably already exist, I
| would guess. I think someone would swap dirty btc to
| clean with price like 10% or maybe 20%. For criminals
| that would be just the cost of laundering the coins.
| Rygian wrote:
| For this to work, the blacklist should apply to the receiving
| wallet AND CASCADE through to wallets to which that wallet
| issued any subsequent transfers.
|
| Coins used to pay ransomware should effectively taint and
| freeze everything they touch.
| Sebb767 wrote:
| So you want to convert them to a free weapon to freeze
| random wallets? Guess you could use that for demanding
| ransoms...
| robocat wrote:
| A government could have a "burner" account where all
| tainted money could be sent. A system where you are
| warned of tainted deposits (for example, use a micro-
| transaction from a "US taint detected" account as the
| message). You have x days to pay the received tainted
| money to the burner account, or your account gets tainted
| too.
|
| Of course every jurisdiction would want to be in on the
| "free" bitcoins so lots of complications...
| toss1 wrote:
| And there are plenty of ways to circumvent that, including
| converting it to various privacy coins, using mixer services,
| using it to buy mining power, etc., etc., etc. Heck, crypto
| may have even more ways to launder money than cash, and those
| won't go away with blacklists - which will just make the
| "privacy" coins, services, etc. more valuable.
|
| The only way it could even plausibly work is for every
| visible and darknet service in the world to subscribe to and
| abide by the exact same crypto-wallet blacklist. Good luck
| making that happen when nuclear superpower governments are in
| fact transnational crime syndicates.
|
| Assuming that the tracing capabilities are useful for
| anything beyond taking down the amateurs is overly
| optimistic.
| bradleyjg wrote:
| Nothing is ever perfect. It doesn't mean you shouldn't at
| least try to track down criminals. Which has essentially
| been the West's response to ransomware so far.
| tromp wrote:
| Some cryptocurrencies are somewhat more ransomware resistant in
| that payment requires an interaction between the sender and
| receiver.
| monocasa wrote:
| Bearer bonds aren't outlawed, they're just not explicitly tax
| exempt anymore.
| vmception wrote:
| Ransomware isn't lucrative enough to be the primary
| transactional or consumptive use case of crypto.
|
| Comical world view, to me.
|
| Of course, the nature of cryptocurrency makes both of our
| claims unfalsifiable. I would suggest hanging out in crypto-
| adept communities more, being privy to a 300-participant
| transaction or other things communities get excited about, to
| give you a different view of how people use it.
| thorwasdfasdf wrote:
| Bitcoin is not anonymous. There are strict KYC rules in place.
|
| Bitcoin is not for speculators; its primary use case is a
| store of value. There's large demand for a store of value,
| especially now that the bond market is finished.
| rectang wrote:
| > _Not surprisingly, dozens of major ransomware gangs now exist
| worldwide, including in Russia, Eastern Europe, and North Korea._
|
| To what extent should ransomware activity be considered low-grade
| economic warfare by nation-states who can't or won't police
| cyber-criminals, and thus justification for robust national
| responses such as sanctions?
| BitwiseFool wrote:
| This reminds me of privateering during the age of sail.
| alert0 wrote:
| There is actually some talk in the cyber policy space about
| this topic. [1] In a sense, all the spam, ransomware, and
| banking trojans that are thrown by other nation states (or
| their sanctioned criminal groups) raise the noise floor for
| what U.S. and allies need to address. This helps mask high-
| skill high-impact attacks (0days) since everyone is trying to
| figure out how to get their employees to not click spam
| emails. The U.S. is kinda missing out on creating this noise
| for our adversaries to deal with.
|
| 1. https://www.usni.org/magazines/proceedings/2019/october/gr
| an...
| vkou wrote:
| To the extent that you'd be willing to cut off your nose to
| spite your face[1] (Impose economic tariffs on the countries in
| question, thus hurting your own domestic consumers, and
| strengthening economic bonds between the nation in question,
| and their other trading partners), or be willing to kill people
| over money (Go to war with the nation in question.)
|
| [1] This point is debatable, some people feel that tariffs are
| not 'both-sides-lose' games. Depending on the tariff, and the
| situation, I too feel that way - but neither I, nor those
| people hold to an orthodox understanding of neo-liberal
| economics. [2]
|
| [2] Which as of 2021 are the primary drivers of trade policy in
| the Western world. This may, or may not change in the decades
| to come.
| shahar2k wrote:
| to the same extent that Hollywood movies function as cultural
| warfare / propaganda
| [deleted]
| trynton wrote:
| Is it possible to disable the built-in encryption in Microsoft
| Windows?
| chefkoch wrote:
| Yes, but why would that help?
| trynton wrote:
| @chefkoch: "Yes, but why would that help?"
|
| Most/all of these ransomware attacks use the built-in Windows
| encryption.
| jasdine817 wrote:
| No they don't, they usually just use common encryption
| library and encrypt files directly.
| riskable wrote:
| Ransomware only really works due to the lack of diversity of
| operating systems and software. If individuals and businesses
| were all running different stuff it would be nearly impossible to
| target them en mass. You could only target them one at a time.
| ssklash wrote:
| While that is _a_ solution, I don't think it is _the_
| solution. Another non-solution would be removing all Internet
| access. Ransomware problem solved, a whole bunch of other
| problems created.
| slt2021 wrote:
| And what if an employee brings an infected USB drive and plugs
| it into a computer?
| verandacoffee wrote:
| Probably irrelevant. There would anyway be some number N of
| operating systems, and a number K of computers, and the number
| K will always be very much larger than N. So there would be a
| huge possible 'market' for these criminals, even if they
| targeted just one of the N operating systems, as long as the
| number of vulnerable computers is large enough.
|
| (edit: removed some meaningless words)
| bpodgursky wrote:
| Everyone who downvoted you would upvote articles about the
| risks of monoculture farming, without considering that the two
| are one and the same.
| bena wrote:
| Yes, a complete lack of interoperability would make it really
| hard for criminals to target them.
|
| However, a complete lack of interoperability would make it
| really hard to, you know, interact with other businesses and
| systems.
|
| This isn't throwing the baby out with the bathwater so much as
| drowning the baby in the bathwater.
| naringas wrote:
| "These "investors," who have zero industry skills or expertise,
| take advantage of a [insert economic activity]-as-a-service
| (?aaS) model to gain sophisticated capabilities"
|
| The type of billionaire individuals who by virtue of inheriting
| billions upon billions, don't ever have any real skills (nor the
| need to develop any) and yet, they live in societies
| (subcultures) which expect that they keep having (and making)
| billions upon billions.
|
| Think of descendants of descendants of founders of what are now
| giant corporations.
|
| They fund VC-backed startups, which they then own (by proxy).
| They can barely use an iPhone; let alone understand how it works
| or is made.
|
| Except the business being funded is a criminal enterprise, maybe
| their riches originally come from "shadier" dealings?
|
| My point is that the underlying principle is the same, it's a
| very powerful principle. This is how the market enables societies
| to build super complex stuff. The marketplace abstracts away the
| complexities. This 'principle' is a technology, it's ethically
| neutral.
| toss1 wrote:
| >>Not surprisingly, dozens of major ransomware gangs now exist
| worldwide, including in Russia, Eastern Europe, and North Korea.
| Incredibly, many of these operations look and function like
| authentic businesses. "They rent office space, they have
| development teams, data architecture teams, help desks, phone
| support, and people that negotiate ransoms with targets," says
| Alexander Chaveriat, chief innovation officer at Tuik Security
| Group. "They buy server space all over the world using
| cryptocurrency, change servers as needed, and use virtual private
| networks and other tools to hide their location."
|
| It is getting to the point where the threat is beyond office
| functions and to manufacturing, infrastructure and IOT.
|
| With the threat escalating to that genuine national security
| level, and often under sponsorship or blind eye of criminal govts
| (NK, RUS...), we are not far from the point where the appropriate
| response is to deliver a kinetic response - as in a cruise
| missile through the window.
| dgellow wrote:
| > These "customers," who have zero coding skills or software
| expertise, take advantage of a ransomware-as-a-service (RaaS)
| model to gain sophisticated capabilities
|
| > Incredibly, many of these operations look and function like
| authentic businesses. "They rent office space, they have
| development teams, data architecture teams, help desks, phone
| support, and people that negotiate ransoms with targets"
|
| What a crazy world we live in, where criminal organizations have
| a quasi-normal corporate structure and even manage a "customer"
| support team.
| pomian wrote:
| What is Las Vegas?
| IncRnd wrote:
| The Meadows.
| ronsor wrote:
| Crime is still business, so they operate like one. Minus the
| risk of being arrested, there's really no difference between a
| criminal company and a legitimate one.
| api wrote:
| A number of major drug cartels would be at least on the Fortune
| 1000 if they were publicly traded corporations. They have
| management structures, accountants, IT and security
| professionals, logistics, HR practices, and so on...
| exhilaration wrote:
| And navies!
| dgellow wrote:
| I'm wondering if they also have Scrum Masters and other
| consultants.
| KineticLensman wrote:
| > I'm wondering if they also have Scrum Masters
|
| If you want a really wacky use of scrum, try The Rhesus
| Chart [0] by Charles Stross, in which (mild spoiler) ...
|
| a bunch of newly transformed vampires use scrum to quickly
| figure out how to acquire lots of fresh human blood without
| alerting the authorities by a trail of suspicious murders.
|
| [0] https://en.wikipedia.org/wiki/The_Laundry_Files#The_Rhe
| sus_C...
| djmips wrote:
| Get those crime tasks into Jira!
| nonameiguess wrote:
| Reminds me of my favorite scene from The Wire when the
| New Day Co-op is having a meeting and Stringer Bell grabs
| his secretary's notebook and screams at him "you're
| taking notes at a criminal conspiracy?!"
| doctor_eval wrote:
| Jira itself is a crime
| throwawaytemp27 wrote:
| I seem to recall a SalesForce scandal where a people
| trafficking operation was using SalesForce to manage
| their operation, and SalesForce may or may not have been
| aware / helped them configure etc
|
| Edit: link:
| https://www.bloomberg.com/news/articles/2019-03-27/fifty-
| wom...
| arrosenberg wrote:
| One of the best episodes of Archer touches on this topic - El
| Contador.
|
| https://archer.fandom.com/wiki/El_Contador
| MattGaiser wrote:
| Is this any different from the mafia in many places?
| lordnacho wrote:
| I would think organised crime orgs would have a special money
| laundering department, but apart from that yeah, why would it
| not be a hierarchy structure like any other large org?
| novok wrote:
| Once you work in a large corp and see parallels with
| government, you start to realize it's just organizational
| theory all the way down, except some use physical violence,
| others don't.
| mikepurvis wrote:
| Wait, are we talking here about the state or organized
| crime?
| katbyte wrote:
| Both?
| IncRnd wrote:
| Yes.
| [deleted]
| greggturkington wrote:
| "If you were to hold a McDonald's organizational chart and the
| crack gang's organizational chart side by side, you could
| hardly tell the difference."
|
| From "Why Drug Dealers Live With Their Moms" By Steven D.
| Levitt and Stephen J. Dubner
|
| https://www.latimes.com/archives/la-xpm-2005-apr-24-oe-dubne...
| Thorentis wrote:
| My prediction: Ransomware will be the scapegoat that leads the
| way on making the use of encryption a criminal offence. This is
| exactly what many governments want. Up till now, the best
| argument against encryption is "we can't see what criminals are
| doing", but that isn't very tangible for many people. Just wait
| until a powergrid or water treatment plant in the US is down for
| weeks due to being "attacked with encryption" (yes, that will be
| the spin), and you'll have tons of people ready to vote for the
| outlawing of any and all encryption without a
| license/backdoor/etc.
| echelon wrote:
| This is one of the reasons crypto sucks. I'm building a list:
|
| - Attacks sovereign currencies and ability of countries to set
| fiscal and monetary policy. Instead, it rewards "crypto
| geniuses" that got in early. I'm not sure these are the people
| that should have power over our elected governments.
|
| - A waste of human and resource capital that could be spent
| solving more important problems
|
| - Hugely bad for the environment
|
| - Lack of KYC that enables money laundering, terrorism, and
| other illicit activities, including ransomware attacking
| hospitals
|
| - Rewards pump and dump and crazy schemes like NFTs that don't
| contribute to innovation or the economy
|
| - Relies on cryptography to remain post-quantum safe
| dgellow wrote:
| Let's say you outlaw encryption, what would be the impact on
| ransomware criminals? They will continue not following the law
| and do their criminal things, using "illegal encryption" (aka
| non-backdoored encryption).
| tw04 wrote:
| I doubt it, my guess is it will (understandably) be used as the
| scapegoat to kill cryptocurrency and/or put it under a central
| authority controlled by governments.
|
| Ransomware was basically non-existent before criminals had a
| way of being paid anonymously.
| blackearl wrote:
| Social engineering scams manage to get millions wired
| (https://variety.com/2018/film/news/pathe-loses-more-
| than-21-...). Crypto may be more convenient and less risky,
| but I don't see a crypto ban stopping ransomware completely.
| Plus there will always be someone wanting to do it for laughs
| or infamy.
| 7786655 wrote:
| Ransomware provides a useful service and should be legal.
| Businesses with poor security practices deserve to be punished
| for their negligence.
| hyakosm wrote:
| You're blaming the victim and defending criminals under the
| pretext of "security practices". No one deserves to be punished
| except by the law.
| detaro wrote:
| Kidnapping provides a useful service and should be legal.
| Schools, kindergartens and parents with poor security practices
| deserve to be punished for their negligence.
| bena wrote:
| It also ignores the perverse game being played.
|
| Defense has to work every time. Attackers just have to get
| through once. That's a game that favors the attackers.
| ChainOfFools wrote:
| Just as fences must be erected to encircle the entire
| property they guard, rather than just one or two small
| segments erected to block specific approaches.
| 7786655 wrote:
| Game 1: Every time offence scores, they get $100 of
| defense's money.
|
| Game 2: Every time offence scores, they get $100 of _my_
| money. Defense loses nothing.
|
| Neither is fair to defence, but game 2 is unfair to _me_ ,
| and that's what's important.
| [deleted]
| bena wrote:
| But what you are advocating for is a game in which if you
| aren't perfect, you are harshly punished.
|
| I just hope no one ever holds you up to the standards you
| demand of everyone else.
| djmips wrote:
| It's a wonder our own immune systems work as well as they
| do...
| pyrale wrote:
| The thing is, it doesn't.
|
| Also, the thing is, our immune system isn't exempt from
| false-positives. I'm not sure we want a society with as
| many false-positives.
| 7786655 wrote:
| Schools, kindergartens and parents have a legal
| responsibility for children under their protection. However,
| it has been repeatedly proven that businesses who allow
| enormous amounts of users' personal and financial data to be
| leaked will suffer no meaningful consequences. See: Yahoo!,
| Target, Experian, etc.
| detaro wrote:
| "I don't like how these people aren't punished how I want,
| so let's sanction crime against them" is a ... questionable
| concept, to phrase it nicely. Lot's of nasty precedents.
| Are you sure kindergardens are punished reliably enough for
| lapses of security?
|
| Also:
|
| Ransomware gangs also target companies that do not have
| "enormous amounts of user's personal and financial data".
|
| Since too many companies didn't pay ransomware gangs now
| have taken to _stealing_ data in addition - are you fine
| with a ransomware gang selling your personal data then,
| because they are "helping"?
| 7786655 wrote:
| No, but the alternative is that they would have stolen
| the data anyway. So it's either neutral or positive.
|
| >let's sanction crime against them
|
| If it were legal it wouldn't be a crime.
|
| >Are you sure kindergartens are punished reliably enough
| for lapses of security?
|
| Given that I rarely hear about children being kidnapped
| out of kindergartens, I would assume so. I'm not well
| educated on this, though, since I don't have a personal
| stake in the matter.
| detaro wrote:
| > _No, but the alternative is that they would have stolen
| the data anyway._
|
| No it's not, because random data stealing is a lot
| less lucrative than ransoming.
| deftnerd wrote:
| I get that you're trying to say that Ransomware is a kind of
| evolutionary pressure to force IT ecosystems to adapt and
| improve, but that's far from saying it should be legal.
|
| It's like trying to justify armed robbery as a method of
| convincing people to take self defense lessons, or burglary as
| a method to get people to upgrade their windows to lexan.
|
| The middle ground, which is always a bit in flux, does already
| exist. It's known as Bug/Security bounties, similar to what
| HackerOne tries to make above-board.
| nicoburns wrote:
| > Gangs also have begun encrypting backup systems, including
| cloud storage services such as Office 365 and Drop-box. Although
| 56% of the firms surveyed by Sophos regained control of their
| data through backups, that window appears to be closing.
| "[Cybergangs] have realized that the ransom demand becomes
| powerless if you have a full backup set in place and you can
| revert to it,"
|
| This is why our backups at work write to a storage bucket with
| permissions such that they can create new files but not delete
| old ones. I'd definitely recommend this approach to everyone who
| can afford the storage space.
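One way to check that backup credentials really are "create but never delete", as an added example that is not code from this thread or from any commenter. It models the part of IAM policy evaluation that matters here (Allow/Deny over Action patterns, explicit Deny wins) and deliberately ignores Resource, Condition and NotAction, which a production checker must also handle; the bucket name and ARNs are placeholders, the `s3:*` action names are real IAM actions.

```python
"""Lint an object-store bucket policy for append-only backup semantics.

Added example, not code from the HN thread. It models Allow/Deny over
Action patterns with an explicit Deny winning, and ignores Resource,
Condition and NotAction. Bucket names and ARNs are placeholders.
"""
import fnmatch

# Actions that let a backup host (or malware running on it) destroy or
# rewrite backup history. With versioning on, PutObject only adds a new
# version, so overwrite-in-place is checked separately below.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutLifecycleConfiguration",   # lifecycle rules can expire old versions
    "s3:PutBucketVersioning",         # suspending versioning re-enables overwrite
    "s3:BypassGovernanceRetention",   # defeats object-lock governance holds
}
WRITE_ACTION = "s3:PutObject"


def _as_list(value):
    """IAM allows either a string or a list for Action and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive globs such as 's3:*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_permissions(policy):
    """Subset of the interesting actions the policy actually grants once
    explicit Deny statements are applied."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        target = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in _as_list(stmt["Action"]):
            for action in DESTRUCTIVE_ACTIONS | {WRITE_ACTION}:
                if _matches(pattern, action):
                    target.add(action)
    return allowed - denied


def assess(policy, versioning_enabled):
    """List the ways a compromised backup writer could damage old backups.
    An empty list means the credential can only add new data."""
    findings = []
    granted = effective_permissions(policy)
    for action in sorted(granted & DESTRUCTIVE_ACTIONS):
        findings.append(f"{action} granted: existing backups can be destroyed")
    if WRITE_ACTION in granted and not versioning_enabled:
        findings.append("PutObject without bucket versioning: existing "
                        "objects can be overwritten in place")
    return findings


# Constructed sample policies for the backup host's credentials.
WEAK_POLICY = {  # the usual "give the backup job full access" shortcut
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-backups/*"}],
}

HARDENED_POLICY = {  # create-only: may add objects, may never remove them
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-backups",
                      "arn:aws:s3:::example-backups/*"]},
        {"Effect": "Deny",
         "Action": sorted(DESTRUCTIVE_ACTIONS),
         "Resource": ["arn:aws:s3:::example-backups",
                      "arn:aws:s3:::example-backups/*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for versioned in (True, False):
            print(f"{name}, versioning={versioned}: "
                  f"{assess(policy, versioned) or ['ok: append-only']}")
```

The point the check makes explicit is that "can't delete" is not enough on its own: without versioning, a PutObject to an existing key is an overwrite, and lifecycle or versioning settings are a second door to the same outcome, so the hardened policy denies those too. The same shape applies to any object store whose keys can be issued with write-but-not-delete capability.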
| voiper1 wrote:
| Similar, rsync.net has historical ZFS snapshots that only cost
| the diff of the files.
| ChainOfFools wrote:
| Hopefully the cost of reverting a full diff (which would be the
| result of a ransomware attack) won't obliterate the
| subscription tier a victim is on. The ransom cost might be
| cheaper!
| WalterBright wrote:
| > with permissions
|
| Even more secure would be _hardware_ write only storage. CD-
| ROMs fit in this category, but they aren't big enough.
|
| But all we need are hard disk drives with a physical write-
| enable switch. Turn it on, write your backup, turn it off. No
| software can then alter it.
|
| A stupidly simple idea, and yet every time I mention it in HN
| it gets dismissed, denigrated, etc. Apparently people like
| malware, ransomware, etc. :-(
| nicoburns wrote:
| Perhaps, but I once had two hard drives die on me within the
| space of a few days (different brands), and since then I like
| to have a copy of my data in the cloud somewhere. Non-
| writeable doesn't help much if you can't read it either!
| tgb wrote:
| I want this on a simpler scale: an external drive that has a
| physical switch. In normal operation the switch is in "append
| only" mode and the drive ensures that nothing can be erased.
| Only when the switch is temporarily hit to an "unsafe" mode
| would it allow deleting to make more space. I don't know how
| easy or difficult this would be (I assume external drives don't
| typically know about filesystem-level information like this),
| but it would be a nice product for people with simpler needs
| than yours. If the backup system can write only incremental
| changes then the storage requirements would likely be fine for
| many users.
| [deleted]
| temp0826 wrote:
| Yep, not a new concept-
|
| https://en.wikipedia.org/wiki/Write_once_read_many
| [deleted]
| netflixandkill wrote:
| There are USB drives that do vaguely similar things, but it's
| all in software. It's difficult to do that unless the
| filesystem has append-only functionality; metadata blocks are
| rewritten all the time even if data isn't.
|
| For anyone who has serious (i.e. $$$) need of that, they
| already have tapes and optical WORM media though.
|
| You can do something conceptually similar with any sort of
| NAS that provides immutable snapshots as long as the
| management and control is effectively out of band.
|
| The out of band part is the key. Our SAN data has snapshots.
| The backups are written to another storage device that only
| has an API key to write them to B2 storage. An attacker would
| effectively need to completely compromise multiple admins in
| the organization to get at all the stages of data
| duplication, and frankly there is no additional line of
| defense for total compromise if the attacker is willing to
| wait for physical tape or disk swaps.
|
| Fortunately for ransomware, time is money for them too.
| EvanAnderson wrote:
| Are there any NAS devices with out-of-band management
| actually available, though?
| benjohnson wrote:
| Spin up a FreeBSD box, enable ZFS snapshots and disable
| SSH? You'd only be able to destroy the snapshots from a
| monitor and keyboard under normal circumstances.
| WalterBright wrote:
| > There are USB drives that do vaguely similar things but
| it's all in software.
|
| Sigh. When are people going to accept that _software_
| switches are inherently not secure? How many times must
| these fail?
|
| > It's difficult to do that unless the filesystem has
| append only functionality, metadata blocks are rewritten
| all the time even if data isn't.
|
| There's no reason to continue writing anything to a hard
| drive once the backup to it is finished.
| rsj_hn wrote:
| GDPR may require active online systems to delete data in
| response to a stream of realtime requests, so while the
| availability solution is to make deletion a hard, manual
| process or a process controlled only by an isolated
| infrastructure team, as you automate GDPR deletion requests
| you will need to start exposing deletion APIs accessible to
| end users. This is why a lot of the comments about making
| read-only backups or offline backups are very challenging for
| firms to do if they are taking GDPR seriously.
| jl6 wrote:
| This is one reason I still do manual backups as well as
| automated backups. The manual backup is to HDDs that sit on a
| shelf, offline, unplugged.
| WalterBright wrote:
| Yeah, but to read the backup you've got to attach it to your
| compromised system. Boom, it's corrupted.
|
| A _physical_ read-only switch is required.
| pitay wrote:
| Booting to a Live USB/DVD/CD and then doing the backup
| while in the booted Live OS would minimize the chances of
| corruption of the backup, either reading from it or writing
| to it.
|
| Not ironclad but pretty good. Issues with it that first
| come to mind are the live operating system image was
| already compromised when it was written to say the USB
| disk, or compromised firmware, and of course user error
| (nothing to do with ransomware in this case). I am not
| familiar with this stuff so I may be missing something very
| important, if so tell me about it.
| benhurmarcel wrote:
| For absolute safety yes, but in practice with that simple
| solution you're fairly well protected. With most ransomware
| you'd find out quickly that you are infected (since all
| your files would be inaccessible) and wouldn't plug the
| drive.
| benjohnson wrote:
| There are USB to SATA controllers that default to read only
| - typically used for forensics reasons. About $250 if I
| remember correctly.
| mikewarot wrote:
| How is it that Operating Systems don't default to a configuration
| that can't ever be changed by a rogue application process?
|
| Why can't the OS be write protected? Why can't the configuration
| also be write protected?
| WalterBright wrote:
| Embedded systems can have their software burned into ROMs. It
| can't be corrupted. But nooooo, people put it into EEPROMs with
| a software write-enable switch.
| PeterisP wrote:
| The OS, files and configuration which can be unchangeable are
| trivially replaceable and thus do not really need to be
| protected.
|
| The configuration and data which gets changed all the time is
| valuable (the effort that was made in making those changes) and
| the prime target of ransomware, and it can't be write-protected
| because, well, it needs to get changed. I mean, if "reimage all
| these computers to the default configuration" would be a viable
| solution, everybody would just do that instead of paying large
| ransoms.
| mikewarot wrote:
| >The OS, files and configuration which can be unchangeable
| are trivially replaceable and thus does not really need to be
| protected.
|
| Precisely the wrong way to think about this.
|
| If the OS can't protect itself, you've got a system with zero
| security.
| PeterisP wrote:
| Well, that's true, OS being able to protect itself is
| useful and necessary, but my point is that it's nowhere
| near sufficient (as your parent post seems to imply) for
| preventing consequences of ransomware attacks, because by
| the time standard OS protections (which are reasonable) are
| broken because attackers have privileged access, they can
| also do worse things than just attack the single computers'
| OS, and if they can't get privileged access, well, then the
| OS is effectively write-protected anyway unless you're
| using something totally outdated. IMHO if the OS and its
| configuration would be securely write-protected (perhaps
| from media that's physically read-only?) that wouldn't help
| much if at all.
|
| It won't prevent lateral movement through the network
| (that's often memory only, no need to write to disk), it
| won't prevent persistence through theft of credentials or
| kerberos tickets (and possibly make it harder to rotate
| credentials), and of course it won't prevent the
| exfiltration, encryption and/or destruction of the actually
| valuable data.
|
| If we look at an advanced ransom attack (e.g. as many
| described in this article - manually operated after initial
| access like many Emotet attacks, not some purely automated
| malware) then I struggle to imagine what parts of the
| attack would be thwarted if the OS and config would be
| write protected - do you have something specific in mind?
| mikewarot wrote:
| >do you have something specific in mind?
|
| First - protect the AD and authentication infrastructure
| from a black start event.
|
| I'd have an offline physical machine, no matter how old,
| that was a viable backup domain controller. I would have
| a stack of hard drives for it, and a copy of clonezilla.
| Every so often, clone the hard drive, boot the
| replacement, and sync it with the domain, then turn it
| off.
|
| For the truly paranoid, do this in each location. Keep
| the machine and drives in a safe.
|
| Test the black start backups on a temporary network built
| from spare hardware. Note that if you boot a Windows
| machine, it might adapt itself to the hardware and cause
| issues, so discard that image, and regenerate it.
|
| In a black start event, you could turn off all the
| outside networks, and start with the old AD server, and
| restore from backups.
|
| --
|
| Any virtualization or SAN layers should have
| administrative credentials that are unused for anything
| else, and only written down on pieces of paper, never
| scanned or typed in.
|
| All servers should have saved images in offline,
| unencrypted hard drives, in a safe.
|
| --
|
| The main thing then is to get periodic offline
| unencrypted backups of the systems and data in a safe.
|
| --
|
| So, if the system is breached, there is at least a way to
| restore to the last backup, and you have some confidence
| it actually works.
| slang800 wrote:
| Users need to be able to edit the same files that ransomware
| encrypts, and differentiating between a legitimate user and a
| ransomware program is difficult.
| kemotep wrote:
| Especially since the user is the one being tricked into
| executing the ransomware.
| mikewarot wrote:
| Why does the user have access to the backups?
| kemotep wrote:
| I was speaking in the context of the files, not the
| backups.
|
| How is this program to know whether a file edited by the
| virus to encrypt it is legitimate or not, when the edit is
| being made by a user that created and owns those files?
| The backups themselves can be contaminated months before
| the encryption and ransomware attack is sprung. Restoring
| from last week or last month's backup might still lead to
| your system being encrypted.
|
| Additionally, as the other user pointed out, the goal
| would be to gain access to the appropriate user with the
| level of permissions, such as an admin or root account,
| and use those credentials to carry out the attack.
| chefkoch wrote:
| If you are an enterprise, they will try to get admin
| credentials so they can crypt everything, even domain
| controllers.
| mikewarot wrote:
| If the backups are made by the system, and the user can't
| access them, and the system protects itself (and the backups,
| obviously)... ransomware shouldn't be possible.
|
| No matter what the application does, it can't access the
| backups in such a system.
| chefkoch wrote:
| > If the backups are made by the system, and the user can't
| access them, and the system protects itself (and the
| backups, obviously)... ransomware shouldn't be possible.
|
| And if the gang gets admin rights on the box, your backups
| are gone.
| Ajedi32 wrote:
| That's a much higher bar to clear, particularly if end-
| users don't have admin access to their workstations.
| Isinlor wrote:
| > Some, including the U.S. Treasury, have promoted the idea of
| making it illegal to pay a ransom, though the idea has not gained
| widespread support.
|
| That's probably the only solution, besides the obvious ones like
| actually protecting the systems.
| intrasight wrote:
| I'm not sure how such a rule could be enforced. But let's
| assume that it could. I think this would cause a huge shift in
| IT. For example, companies would be more eager to switch from
| Windows to something more secure. Or if they continued to use
| Windows, it would be in the form of ephemeral VMs, perhaps on
| AWS, that lack an attack surface area.
|
| But I would hope that financial pressure - like insurance
| companies not insuring unprotected systems - would have the
| same result without the need for regulation.
| xen2xen1 wrote:
| Funny that nightly tape backups, a very old and established
| technology, would pretty much fix the problem.
| GnomeChomsky wrote:
| Except then you're losing hours and hours of data during a
| restore. CDP, on the other hand, results in data loss of
| seconds only. Particularly powerful when combined with
| archiving in, say, AWS with tiering and object locking for
| immutability.
| wrycoder wrote:
| Not necessarily. From the article:
|
| _The encryption process ensues over days, weeks, or months,
| normally progressing through hard drives, attached drives, and
| network devices. The C&C server decrypts files as they are
| needed. Along the way, crooks place a ransom note in every
| folder that has encrypted files; they might also plant other
| types of malware on systems. During the final stage of an
| attack, the ransomware uninstalls itself, the thieves remove
| the encryption key from the infected system and the victim sees
| a ransom note on the computer screen._
|
| If the encryption goes on over a long enough period, recovery
| would be a nightmare or even impossible, especially if the tape
| rotation period is exceeded.
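The slow-encryption scenario quoted above, together with kemotep's earlier point that backups taken during that window are already contaminated, is what a restore has to cope with. As an added example that is not from this thread or the article, the Python below scans a series of backup snapshots for files that have silently turned into high-entropy (encrypted-looking) blobs and reports the newest snapshot taken before the encryption began; the thresholds and the sample snapshots are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed thresholds (not from the article): entropy above ENTROPY_BITS marks
# a file as likely encrypted; a snapshot with more than MAX_FRACTION of such
# files is unclean. Compressed formats are high-entropy too, so a real scan
# would exempt them or diff each file against the previous snapshot.
ENTROPY_BITS = 7.5
MAX_FRACTION = 0.10

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/random data, far lower for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_fraction(snapshot_dir: str) -> float:
    """Fraction of files in one backup snapshot that look encrypted."""
    suspicious = total = 0
    for dirpath, _, names in os.walk(snapshot_dir):
        for name in names:
            with open(os.path.join(dirpath, name), "rb") as fh:
                sample = fh.read(65536)  # the first 64 KiB is enough to judge
            total += 1
            suspicious += shannon_entropy(sample) > ENTROPY_BITS
    return suspicious / total if total else 0.0

def last_clean_snapshot(snapshots: "list[str]") -> "str | None":
    """Snapshots ordered oldest..newest; stop at the first unclean one, so a
    slow, months-long encryption is caught where it began, not where it ended."""
    clean = None
    for snap in snapshots:
        if suspicious_fraction(snap) > MAX_FRACTION:
            break
        clean = snap
    return clean

def build_demo_snapshots() -> "list[str]":
    """Constructed sample data: snap-1 clean, snap-2 with 3 of 10 files silently
    encrypted (modelled as random bytes), snap-3 fully encrypted."""
    base = tempfile.mkdtemp(prefix="ransom-demo-")
    for idx, n_encrypted in enumerate((0, 3, 10), start=1):
        os.makedirs(os.path.join(base, f"snap-{idx}"))
        for i in range(10):
            body = os.urandom(8192) if i < n_encrypted else b"report line\n" * 500
            with open(os.path.join(base, f"snap-{idx}", f"doc{i}.txt"), "wb") as fh:
                fh.write(body)
    return [os.path.join(base, f"snap-{i}") for i in (1, 2, 3)]
```

Running `last_clean_snapshot(build_demo_snapshots())` returns the snap-1 path: the restore point is the snapshot before the partial encryption in snap-2, not merely the one before everything was encrypted.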
| chefkoch wrote:
| No they don't if you own a tape library. If the gang thinks
| you're a big enough target they will make sure your backups are
| wiped if possible. The only thing that's going to help is to
| separate the backup infrastructure and pull the backups, not push
| them.
| hsbauauvhabzb wrote:
| For now. If it becomes a common mitigation strategy, malware
| will start detecting and corrupting those backups.
| sodality2 wrote:
| Write-only setting, perhaps.
___________________________________________________________________
(page generated 2021-03-22 23:03 UTC)