[HN Gopher] The ransomware surge
___________________________________________________________________
The ransomware surge
Author : arkadiyt
Score : 55 points
Date : 2021-04-30 18:32 UTC (4 hours ago)
(HTM) web link (www.bbc.com)
(TXT) w3m dump (www.bbc.com)
| rapjr9 wrote:
| Are not the organizations that signed this report the ones who
| should be doing something about ransomware?
| djoldman wrote:
| Can someone tell me where I'm wrong here:
|
| The solution to ransomware is to daily mirror every system to an
| append only backup and then just flash everything back if you get
| hit. You lose a few days...
| edflsafoiewq wrote:
| Your data has still been leaked. A few days ago there was a
| story about a ransomware gang threatening to expose police
| informants if they didn't get paid.
| walshemj wrote:
| Seems a bit risky attacking other criminals - you never know
| if they might have contacts in the hard to extradite
| countries they work in.
| djoldman wrote:
| Yes, definitely that.
|
| But I think a lot of businesses really have a problem with
| the mechanics of just getting their business running again,
| like the one in the article. This seems fairly
| straightforward to defend against.
| toss1 wrote:
| The threat to that is a silent encryption that goes on for
| weeks before the alert/ransom is demanded. Your mirrors are now
| full of encrypted trash, or you need to go back a month or
| more.
|
| This could be managed with a backup that maintains
| 'fingerprint' hashes of all the files, tracks the changes and
| alerts if there are too many, or alternatively, the user/admin
| litters the system with a set of canary files of the same type
| that should never change, and the backup system halts and
| alerts if any of them do.
|
| I'd like to see a utility to just check a set of canary files
| for changes. Anyone know of one?
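toss1's fingerprint-hash and canary-file idea, as an added example that is not code from the thread or from any backup product. It records SHA-256 digests of a file set, then re-scans and halts when a canary changes or when too many fingerprinted files differ at once. The file names, the 10% change threshold and the simulated encryptor are assumptions made for the demo.

```python
# Added example: canary files + fingerprint manifest, the check toss1 asks for.
# Assumptions: paths, the 10% halt threshold, and the simulated "encryptor".
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, canaries: list[str]) -> dict:
    """Fingerprint every regular file under root (paths relative to root).
    canaries: relative paths of files that must never change."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = sha256_file(p)
    missing = [c for c in canaries if c not in files]
    if missing:
        raise ValueError(f"canary files not present: {missing}")
    return {"root": str(root), "canaries": canaries, "files": files}


def check_manifest(manifest: dict, max_changed_ratio: float = 0.10) -> dict:
    """Re-scan and compare against the manifest. 'halt' is True when any
    canary changed or vanished, or when more than max_changed_ratio of the
    fingerprinted files differ (mass modification is the ransomware signal)."""
    root = Path(manifest["root"])
    changed, missing = [], []
    for rel, old_digest in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != old_digest:
            changed.append(rel)
    tripped = [c for c in manifest["canaries"] if c in changed or c in missing]
    ratio = (len(changed) + len(missing)) / max(len(manifest["files"]), 1)
    return {
        "changed": changed,
        "missing": missing,
        "tripped_canaries": tripped,
        "changed_ratio": ratio,
        "halt": bool(tripped) or ratio > max_changed_ratio,
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario: 20 ordinary files plus two canaries, then an
    'encryptor' that rewrites every file in place. Returns (clean, dirty)."""
    with tempfile.TemporaryDirectory() as d:
        docs = Path(d) / "docs"
        docs.mkdir()
        for i in range(20):
            (docs / f"report{i}.txt").write_text(f"quarterly numbers {i}\n")
        (docs / ".canary_a.docx").write_bytes(b"never changes A")
        (docs / ".canary_b.xlsx").write_bytes(b"never changes B")
        canaries = [".canary_a.docx", ".canary_b.xlsx"]

        manifest = build_manifest(docs, canaries)
        clean = check_manifest(manifest)  # baseline: nothing changed yet

        # Simulated ransomware pass: deterministic byte-flip of every file.
        for p in docs.iterdir():
            if p.is_file():
                p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        dirty = check_manifest(manifest)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"before_halt": before["halt"], "after": after}, indent=2))
```

In practice the manifest would be written by the backup job before each run and stored outside the tree it describes; `halt` gates the copy step so a run full of freshly encrypted files never overwrites the last good one. Canaries should look like real documents (extension, location) so an encryptor that walks by file type hits them.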
| [deleted]
| RcouF1uZ4gsC wrote:
| I think it is likely that there will be a real world kidnapping
| where the kidnappers demand a Bitcoin ransom.
|
| Once this happens, Bitcoin will get rapidly regulated out of
| existence by governments.
|
| Imagine if it follows the usual stereotypical news coverage. An
| attractive, photogenic American woman goes to a foreign country
| and gets kidnapped. Later the kidnappers send ransom demands with
| a Bitcoin address.
|
| This would be wall-to-wall 24/7 news coverage on all the major
| channels.
|
| After that, the public would likely support almost any type of
| regulation on crypto-currency.
| amelius wrote:
| Perhaps governments should make it illegal to pay ransom in
| crypto-currencies (or even ransom in general).
|
| This might not stop the kidnappings, but at least it could stop
| large organizations from paying ransomware.
| billytetrud wrote:
| Kidnappers can also demand dollars for ransom. Are governments
| going to regulate dollars out of existence? Or are you saying
| they'll just use it as an excuse to harass bitcoin?
| RcouF1uZ4gsC wrote:
| Dollars are a little different in that transferring large
| amounts anonymously is hard.
|
| Collecting the ransom is probably the point of highest
| vulnerability and that is something law enforcement agencies
| like the FBI have used to catch kidnappers.
|
| However, with cryptocurrency, that vulnerability is mitigated
| a lot, and that completely changes the dynamics.
|
| There is a reason, the ransomware attackers aren't demanding
| suitcases of cash at pre-ordained meeting sites.
| jude- wrote:
| Good thing, then, that Bitcoin is anything but anonymous.
| hi5eyes wrote:
| https://techcrunch.com/2021/03/26/chainalysis-
| raises-100m-do... 2b for a company cexs use to filter out
| dirty crypto
| spaced-out wrote:
| You're at least four years too late.
| https://www.vice.com/en/article/zmvn44/kidnappers-around-the...
| throw1122 wrote:
| They've since moved to more anonymous platforms. https://www.
| reddit.com/r/Monero/comments/ae4keu/kidnappers_d...
| paulpauper wrote:
| the irony is if any of the early victims kept their excess BTC
| they came out ahead
| sneak wrote:
| This is going to be the rationale given for the heavy-handed
| cryptocurrency regulation they're going to bring down on all the
| exchanges that US persons can access.
|
| Pretty soon all you'll be able to legally access as a USian is
| "Bitcoin!(tm)"[1] (like what PayPal is doing), not the actual
| uncut blockchain bitcoin that you can send and receive at will.
|
| [1]: https://www.epsilontheory.com/in-praise-of-bitcoin/
| tootahe45 wrote:
| Already happening with 'unhosted' wallets being blocked or
| heavily scrutinized. My personal experience is as follows:
|
| Sent over 20 transactions from US exchange -> US exchange and
| no problems.
|
| Sent a single transaction from my unhosted software wallet ->
| US exchange, and got my account locked. Questioned on
| everything including my employer's information, had to re-do
| advanced KYC, source of funds etc. (The unhosted wallet was
| funded from an exchange which makes it stupid, and i didn't use
| any coinjoins or anything).
| londons_explore wrote:
| I wonder how exchanges know each other's addresses? Don't
| they tend to use a new address for every incoming and
| outgoing payment?
|
| Do they have private API's to verify addresses?
| pydry wrote:
| They'll hold off on regulating Bitcoin until it starts being
| used to get dirty money _out_ of America.
|
| When that happens they will _suddenly_ remember that its use
| value is strictly limited to illegal transactions and
| speculation.
|
| Might be too late by that point tho.
| oh_sigh wrote:
| Isn't that what happens when extortion gangs from Asia and
| Europe extort American businesses?
| seibelj wrote:
| Will increase the utility of decentralized exchanges like
| Uniswap and DeFi in general. The more CEX gets regulated the
| less people will want / need to use them.
| rawtxapp wrote:
| Yep, that's what people don't understand, you can ban
| centralized entities as much as you want, but you can't stop
| people from running arbitrary code on their devices which
| means it's impossible to shutdown a properly decentralized
| network.
| Nursie wrote:
| If you can't convert back to a national currency, nobody
| will care.
| ipaddr wrote:
| If you can use it as a currency some will care.
| amelius wrote:
| Personally, I don't see the problem. 1. Bitcoin drives up GPU
| costs. 2. Bitcoin makes it ridiculously easy to commit certain
| forms of crime. 3. And Bitcoin's energy footprint hurts the
| planet.
| danuker wrote:
| 4. It snuffs those pesky troublemakers and brings them back
| in line through monetary inflation across generations.
| amelius wrote:
| Monetary inflation can also be a good thing as it reduces
| wealth inequality and income inequality.
| bastiantower wrote:
| It doesn't, quite the contrary. Poor and middle class
| people hold much more of their wealth as cash than rich
| people.
| danuker wrote:
| Only if the newly-created money is distributed, and
| doesn't just belong to the Federal Reserve.
|
| As the system works now, the Federal Reserve prints the
| money and gets to spend it, and I can't imagine a more
| unequal income.
| rawtxapp wrote:
| More like increases inequality [1][2]. If you're rich,
| you have access to rock-bottom interest rates which you
| can then invest. If you're an average citizen, you watch
| all asset values (real estate to start with) soar while
| your income stays relatively stable.
|
| 1: https://www.clasp.org/blog/how-inflation-reinforces-
| economic...
|
| 2:
| https://www.theatlantic.com/ideas/archive/2019/11/income-
| ine...
| dghlsakjg wrote:
| Bitcoin has been around for less than twenty years. Since
| then it has seen massive deflationary periods (when the
| relative value rises, like up until a month ago), and
| massive inflationary periods (when the value drops). In 2018
| bitcoin had an "inflation" rate of roughly 500% (meaning
| that at the beginning of 2018 you could buy a basket of
| goods with an equivalent value of $13.5k USD, at the end of
| the year you had to spend 500% more bitcoin to get the
| exact same basket of goods. Meanwhile you only had to spend
| 2-3% more USD to get those same goods)
|
| The fact that there aren't bitcoin loans is proof that it
| is not a viable store of value.
| operator-name wrote:
| Since nobody has linked it, here is the primary source, the
| report mentioned in the article:
| https://securityandtechnology.org/ransomwaretaskforce/report...
|
| As an aside does anyone know (with citations) the history and why
| reputable news publications like the BBC or reuters never cite
| their sources? It's always seemed odd that even quacks and
| conspiracy sites (mis)use sources whilst well respected
| publishers don't.
| jll29 wrote:
| Timely topic, the current Communications of the ACM has a more
| detailed article on this topic:
| https://dl.acm.org/doi/10.1145/3449054
| korethr wrote:
| Backups.
|
| I cannot emphasize enough the importance of backups. Take
| backups, verify your ability to restore from them, and keep them
| segregated from the rest of your infrastructure. It doesn't
| matter how inelegant and hacky your backup solution is, so long
| as you can restore from it. Any backup you can restore from is
| better than no backup.
|
| You might get a call from one of your application engineers
| shortly before bed on a Friday night that the web front-ends are
| acting weird, and they can't get in to troubleshoot, and then 10
| minutes later come to discover that the latest strain of Ryuk has
| laid waste to 2/3s of the servers and workstations across the
| company. And then all of a sudden, those VM snapshots you'd been
| copying off to another file share with a shell script have become
| your salvation. Yeah, containing Ryuk and the rest of incident
| response mode are going to suck, but at least now you don't have
| to write an apology to your customers that the data they
| entrusted to you has been irrevocably lost.
|
| In case you're wondering, no, that did not literally happen to
| me. But it is a mild fictionalization of someone I know.
|
| Keep backups, and test your restores regularly, people.
| likecarter wrote:
| A crucial point you missed:
|
| Ransomware gangs often destroy your backup infrastructure. So
| it's important to create pull-only backups or backups that
| cannot be deleted / overwritten.
| varispeed wrote:
| > backups that cannot be deleted / overwritten
|
| That gets complex if your database contains PII. If a user
| asks for their account to be deleted...
| tomrod wrote:
| Would it be sufficient that the delete accounts script be
| managed and merged at restoration time?
| korethr wrote:
| I thought this was sufficiently implied with "keep them
| segregated from the rest of your infrastructure," but yes,
| you are correct. It is important to have a set of backups
| that can't be destroyed by the attackers. You might get lucky
| that your hand-rolled solution is so hacky that a ransomware
| gang overlooks it. But better to not rely on that luck.
|
| In the past, this was achieved by having a set of tapes
| offsite. Today, one might configure Veeam to lie when issued
| a delete command, and instead send the data off to an Amazon
| glacier instance that requires different credentials to read,
| write, and delete.
| thorwasdfasdf wrote:
| I think we should make every sysadmin watch Mr.Robot, at the
| least the first season. That may drive home the point: secure
| backups are important. ;)
| the_duke wrote:
| I sometimes do infrastructure consulting.
|
| One of the first questions I ask is if they have at least one
| fully independent, full/incremental off-site backup that can't
| be corrupted from the main infrastructure, and if they have
| ever checked if they actually work and are restorable.
|
| I'm continuously surprised how often the answer turns out to be
| no after dinner digging, even in larger companies with
| otherwise well-run IT.
|
| No, the automatic 7 day RDS snapshots or turning on S3
| versioning is not a sufficient backup. Neither is mirroring to
| a S3 Glacier bucket in the same org, or rsyncing to a backup
| server in the same datacenter.
|
| Backups are annoying and unglamorous. Nobody wants to do them,
| or do the tedious work of validating them or setting up
| something like an automated restore test.
|
| Until the day you lose your data.
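An added worked example, not code from any commenter or vendor, tying together three points above: djoldman's append-only mirror, likecarter's and korethr's backups that cannot be overwritten or deleted, and the_duke's automated restore test. It is a content-addressed store in which objects are never rewritten and no delete exists, plus a restore check that hashes what came back. Directory layout, snapshot labels and the simulated encryptor are assumptions; a real store would also sit behind credentials the production hosts never hold.

```python
# Added example: append-only, content-addressed snapshots + a restore test.
# Assumptions: on-disk layout, labels, and the simulated in-place "encryptor".
import hashlib
import json
import tempfile
from pathlib import Path


class AppendOnlyStore:
    """Objects live at objects/<sha256>. A put of an existing key is a no-op
    (never overwrite), and there is deliberately no delete method."""

    def __init__(self, root: Path):
        self.objects = root / "objects"
        self.snapshots = root / "snapshots"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.snapshots.mkdir(parents=True, exist_ok=True)

    def put(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        target = self.objects / digest
        if not target.exists():          # existing objects are immutable
            tmp = target.with_suffix(".tmp")
            tmp.write_bytes(data)
            tmp.rename(target)           # atomic publish
        return digest

    def get(self, digest: str) -> bytes:
        data = (self.objects / digest).read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:   # verify on read
            raise ValueError(f"object {digest} failed integrity check")
        return data

    def snapshot(self, src: Path, label: str) -> str:
        """Store every regular file under src; the snapshot id is the hash
        of the manifest, so the manifest itself is immutable too."""
        entries = {
            p.relative_to(src).as_posix(): self.put(p.read_bytes())
            for p in sorted(src.rglob("*")) if p.is_file()
        }
        manifest = json.dumps({"label": label, "files": entries}, sort_keys=True)
        snap_id = self.put(manifest.encode())
        (self.snapshots / f"{label}.json").write_text(snap_id)
        return snap_id

    def restore(self, snap_id: str, dst: Path) -> dict:
        files = json.loads(self.get(snap_id))["files"]
        for rel, digest in files.items():
            out = dst / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(self.get(digest))
        return files


def restore_test(store: AppendOnlyStore, snap_id: str) -> bool:
    """The check the_duke asks for: restore into scratch space and confirm
    every file hashes to what the manifest promised."""
    with tempfile.TemporaryDirectory() as d:
        expected = store.restore(snap_id, Path(d))
        return all(
            hashlib.sha256((Path(d) / rel).read_bytes()).hexdigest() == digest
            for rel, digest in expected.items()
        )


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, 'encrypt' it in place,
    snapshot again, and show the clean snapshot still restores intact."""
    with tempfile.TemporaryDirectory() as d:
        data = Path(d) / "data"
        data.mkdir()
        for i in range(5):
            (data / f"file{i}.txt").write_text(f"payroll row {i}\n")
        store = AppendOnlyStore(Path(d) / "store")
        clean_id = store.snapshot(data, "monday")

        for p in data.iterdir():          # simulated ransomware pass
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        dirty_id = store.snapshot(data, "tuesday")

        with tempfile.TemporaryDirectory() as r:
            store.restore(clean_id, Path(r))
            recovered = (Path(r) / "file0.txt").read_text()
        return {
            "snapshots_differ": clean_id != dirty_id,
            "clean_restore_ok": restore_test(store, clean_id),
            "dirty_restore_ok": restore_test(store, dirty_id),
            "recovered_file0": recovered,
            "object_count": sum(1 for _ in store.objects.iterdir()),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the demo makes visible. The Tuesday snapshot of encrypted files lands beside Monday's objects rather than on top of them, so Monday still restores byte-for-byte. And `restore_test` passes for Tuesday as well: a restore test proves the backup is intact, not that what was backed up was clean, which is why toss1's fingerprint or canary check belongs in front of the backup job.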
| nicbou wrote:
| This applies to average people too. I wonder who among us can
| say they meet your (reasonable) standard.
|
| Like you said, backups are annoying and unglamorous. Yet, the
| data on my laptop is the only thing I could not replace. It's
| more important to me than my passport or my birth
| certificate. Its preservation is certainly worth a bit of
| thought.
| disabled wrote:
| > Like you said, backups are annoying and unglamorous.
|
| It's called having a network attached storage (NAS) device.
| I have a Synology NAS, which I back up to continuously, at 5
| minute intervals.
|
| Warning: Microsoft image and file backups sometimes do not
| work.
|
| I recommend Acronis True Image instead, which comes with
| antivirus. It pretty much always works, never falters, never
| fails. Get the version that allows you to back up to the
| cloud with blockchain features. You will be happy you did.
| tomrod wrote:
| > No, the automatic 7 day RDS snapshots or turning on S3
| versioning is not a sufficient backup. Neither is mirroring
| to a S3 Glacier bucket in the same org, or rsyncing to a
| backup server in the same datacenter.
|
| Why?
| tooltower wrote:
| Because they share the failure domain. In all of those
| cases, there's a single point of failure.
| danielheath wrote:
| A few reasons come to mind.
|
| If you lose control of an aws root account it can take
| weeks to get it back. That's probably enough time for the
| hackers to clean out the backups.
|
| Billing issues can lead to aws wiping out an account.
|
| For $work the backups are in AWS but using a different
| payment method, account owner etc to prevent cross
| contamination. Honestly, they should be outside aws
| entirely, but separate accounts is a good start.
| kemonocode wrote:
| Modern ransomware gangs focus more on data exfiltration rather
| than actually locking down data, and it lets them remain
| undetected for longer too. That said, yes, correct, having good
| and reliable backups is vital.
| ericalexander0 wrote:
| Why do you sweep?
|
| https://ericalexander.org/post/devops-and-ransomware/
| tomrod wrote:
| You know, I'm curious how large cloud providers handle this.
|
| Obviously EC2 for AWS, but what about managed services?
|
| A bad ransomware attack on a large cloud provider could cripple
| a significant portion of the internet.
| paulpauper wrote:
| Exchanges are good at blacklisting BTC, so this means it will be
| hard for hackers to cash out. Just converting BTC into XMR is not
| a trivial process, as it needs to go through an exchange.
| Trustless cross-chain transactions are still in infancy.
| londons_explore wrote:
| Is this really true? All it takes is for someone to set up a
| new exchange without a blacklist, and in the first few days all
| those blacklisted coins will be converted into other currencies
| and the blacklisted coins will end up in the wallets of other
| innocent users.
| benmller313 wrote:
| Then why do the hackers keep asking for BTC?
| paulpauper wrote:
| because BTC is the most common and there are still ways to
| obscure the audit trail, but the efficacy of such methods is
| declining.
| hi5eyes wrote:
| most recently the twitter hacker was arrested after failing
| to use a btc mixer
|
| https://ciphertrace.com/twitter-hack-update-blockchain-
| analy...
|
| https://www.theverge.com/2021/3/16/22334421/twitter-
| hacker-b...
| ipaddr wrote:
| Less to do with bitcoin and more to do with random data
| you would not expect to identify you.
|
| "(KYC) data associated with the accounts--such as ID,
| birthday and address--revealing their true identities"
|
| Once the coins entered the mixing services they were
| gone.
|
| It looks like they got the info from the Texas exchange.
| danuker wrote:
| > Trustless cross-chain transactions are still in infancy.
|
| They can technically exist?
| jMyles wrote:
| > They can technically exist?
|
| Do you mean in the specific case of ring signatures? Or at
| all?
|
| There are already threshold-signature-based schemes for doing
| this with ECDSA (though they're very gas heavy at the
| moment). But none has emerged for ring signatures yet beyond
| the paper stage.
| seibelj wrote:
| Yes and are being actively developed by multiple teams
| https://eprint.iacr.org/2020/1126.pdf
| jude- wrote:
| Ransomware wouldn't be a problem if the software industry took
| quality assurance seriously (or was regulated to do so), like
| every other engineering industry. There's little difference to me
| between an insecure program that allows hackers to hold your data
| for ransom, and a defective home appliance that occasionally
| starts electric fires.
| g_p wrote:
| In the case of ransomware though, this really is pointing
| firmly at the operating system. It's not (generally) insecure
| programs that lead to ransomware succeeding - ransomware works
| so effectively (and is a force multiplier for malicious actors)
| specifically because it runs with normal user privileges, and
| isn't needing to "exploit" anything.
|
| It runs as a user, and just makes do with the access that user
| has to files.
|
| Before we hold application software to account (and we really
| do need to), we need to start with the fundamentals - operating
| systems need to move beyond a "software runs as the current
| user" model. Otherwise I don't see how we can fix this with
| assurance/regulation - the root issue seems to be inherent
| design flaws in modern GUI/desktop operating systems. The tools
| are there to protect yourself (binary whitelisting, applocker,
| santa etc.), but they are seen as more inconvenient to use than
| doing nothing... Hence most companies do nothing, as that's
| cheaper.
| Bukhmanizer wrote:
| I mean I disagree completely. A lot of ransomware occurs
| completely incidentally to the programs.
|
| Not to mention a lot of actors getting hit with ransomware
| aren't software companies. They're governments, schools, and
| hospitals. Never mind taking QA seriously, these institutions
| don't even take IT seriously.
| thatguy0900 wrote:
| Well every home appliance could easily start a fire if random
| malicious actors got to fuck with it while it was plugged in.
| You'll note that other engineering disciplines would also fall
| apart if hostile actors were constantly throwing explosives at
| the things they make 24/7.
| akiselev wrote:
| Yeah but software engineers _know_ that hostile actors come
| with the territory any time they expose a networked device or
| service. It's no different than corrosion or any number of
| other inevitabilities that engineers have to deal with.
|
| When's the last time a civil engineer designed a bridge
| without accounting for corrosion or the fact that people will
| be driving over it?
| thatguy0900 wrote:
| How is wear and tear equivalent to hostile humans
| purposefully trying to fuck it up? Even military
| installations needs armed guards to stop people from just
| cutting through the fence. Wear and tear is more equivalent
| to keeping your site from going down to high traffic. Show
| me a road that's still safe when three guys with guns are
| standing in the middle of it shooting at passing drivers.
| akiselev wrote:
| How about a skyscraper in downtown New York that can
| withstand a nuclear blast? [1] Or a bunch of nuclear
| blast shelters built all over the world? Or every fighter
| jet or other heavy duty piece of military equipment
| literally built to withstand guys shooting at them?
| Engineers design stuff to withstand adversaries all the
| time, when it's required. Designing with adversaries in
| mind is always required for connected systems in our
| field.
|
| The computer equivalent to "three guys with guns are
| standing in the middle of [a road] shooting at passing
| drivers" would be three gunmen gaining physical access to
| a datacenter - game over. We don't try to protect against
| that attack vector any more than civil engineers protect
| against terrorists when designing some intersection,
| except maybe we encrypt some data at rest and they put up
| some bollards and CCTV.
|
| You're getting hung up on the agency aspect when the most
| important thing is the attack by attrition. It doesn't
| matter whether it is a force of nature like corrosion or
| all the bad actors in human civilization, the point is
| that it is a known quantity that will eventually degrade
| and break every nontrivial system.
|
| We don't know which future zero day exploit will break
| our systems any more than civil engineers know which wave
| or car will cause the ultimate collapse, but we know that
| it is inevitable. That's why we have defense in depth. It
| is the nature of the beast.
|
| [1] https://en.wikipedia.org/wiki/33_Thomas_Street
| throw1122 wrote:
| Things that are exposed to an adversarial environment are
| usually engineered with that in mind. Locks are (usually)
| designed to be hard to pick, for instance.
| nicbou wrote:
| We can do this, but it has a price the market is not willing to
| pay, except in rare cases.
| Traster wrote:
| There's this point in Civilization (1) where you get Knights and
| your attack is 4 and mostly you're going against Phalanxes who
| are defense 2, and even with various advantages you still have a
| massive edge. That's where I feel we are with a lot of computer
| systems. It's far easier to attack than defend, and with Bitcoin
| it's easier than ever to transfer wealth anonymously. In the case
| of the knights eventually the defence got the edge again with the
| advent of firearms, but that could be a long time coming.
| louwrentius wrote:
| > "The hackers were the Ryuk ransomware gang and they demanded we
| pay them 45 Bitcoin, which was about half a million dollars.
|
| Make no mistake: this ransomware surge is 100% enabled /
| facilitated by Bitcoin and possibly other cryptocurrencies.
|
| This would not have been so bad if cryptocurrencies would
| actually provide anything of really significant value to our
| societies, but no.
|
| Aside from a mixture of Ponzi scheme, Pyramid scheme, and MLM +
| the energy waste, this ransomware is yet another terrible effect
| on our world.
|
| It is time we effectively ban cryptocurrencies. Let's end this
| madness. Please.
|
| I am dead serious. I think cryptocurrencies and blockchain
| technology is the asbestos of the software world.
| seibelj wrote:
| Crypto also risks the ability of central banks to print
| infinite amounts of money
| unyttigfjelltol wrote:
| Crypto is like an unregulated bank with no depositors'
| insurance. Those were forbidden (in most places) for a reason!
| What if a crypto software network goes all ... Geocities ... on
| owners? Or pick any other discontinued web or software service
| out of the wreckage of tech disruption. There isn't a M&A
| strategy to rescue these things....
| tootahe45 wrote:
| I don't get why everybody cares so much about the
| ransomware/cryptominer part, but not the data being exfiltrated
| and sold/used for criminal activity part..
| g_p wrote:
| My cynical suspicion is because exfiltration/sale doesn't
| prevent the business from continuing to operate, pretending
| nothing is wrong, and gaslighting their users via reassuring
| language if anyone finds out or is approached.
|
| When the data is encrypted and locked up, the company itself
| cries foul (not out of care for people's data) as it can't keep
| doing whatever mundane things it was doing day-to-day.
| Craighead wrote:
| Mundane... like providing health care?
| johnvaluk wrote:
| This attack is most effective against victims without backups
| who are desperate to get back their data. If you have backups,
| you basically shrug it off, restore your data, (re)train your
| users and use forensics to mitigate any obvious weaknesses. In
| most cases, it takes less effort for the attackers to move on
| to the next victim instead of trying to extract value from any
| data they may have exfiltrated (probably none in a lot of
| cases).
| [deleted]
| danuker wrote:
| March 31st was World Backup Day. Hope you guys have backups.
| megous wrote:
| April 31st is the world backup day for most people.
| roody15 wrote:
| " increase regulation of cryptocurrency services"
|
| Hmmm.
| darkhorn wrote:
| Interestingly they target mostly Windows users. If you are Linux
| or BSD user you are less likely to be targeted.
| davethedevguy wrote:
| The difficulty with ransomware attacks and the like, is that it's
| less a technical problem and more a people problem.
|
| IT departments will never have enough money/time/staff to keep
| systems up to date with the latest OS (look at the number of
| people still running critical systems on Windows XP).
|
| Users will always open attachments from people they don't know,
| click links, or even pick up random USB sticks.
|
| The perpetrators know this. They don't need to be more
| sophisticated than the InfoSec people at a given organisation,
| they just need to trick one user in that organisation in to
| letting them on to the network.
| gizmo686 wrote:
| Implicit in this comment is the assumption that current
| technology is pretty much the best we can do?
|
| > IT departments will never have enough money/time/staff to
| keep systems up to date with the latest OS (look at the number
| of people still running critical systems on Windows XP).
|
| Why is it that even slightly old systems are so buggy that they
| are trivially hackable for a moderately well funded group?
|
| Modern security is based primarily on security through
| obscurity. As long as you stay up to date, all of the bugs you
| have are sufficiently obscure that knowledge about them is
| probably too expensive for the type of hacker that would target
| you.
|
| > Users will always open attachments from people they don't
| know, click links, or even pick up random USB sticks.
|
| Why is any of that a problem? A user should not be able to
| threaten an organization's IT system even if they were outright
| hostile (unless they were put in a specific position of trust
| within IT; but even then the amount of damage they should be
| able to do from their personal work computer should be
| limited).
| throw1122 wrote:
| >Why is it that even slightly old systems are so buggy that
| they are trivially hackable for a moderately well funded
| group?
|
| Because there's not enough money in making things bug-free
| from the start. It _is_ possible (see seL4 and They Write the
| Right Stuff), but the incentives aren't there.
|
| Some kind of liability or minimum standard (similar to
| building code) would help, but I'm not sure just how it would
| be best implemented.
| JasonFruit wrote:
| That money would have to come from somewhere, though, and
| that's the pockets of consumers. Do they, in general, care
| enough? Is the security of software worth enough to them to
| spend the extra money? You don't just get what you pay for;
| you get what you're _willing_ to pay for. And does the
| consumer have the expertise to evaluate the costliness of
| the threat or the security of the software? For that
| matter, I doubt the majority of developers have that
| expertise.
|
| You're not wrong about why it doesn't exist, but I'm not
| convinced the market conditions exist to rectify that.
| Wowfunhappy wrote:
| I for one would pay a lot just to not install updates all
| the time, if nothing else.
| fnord77 wrote:
| > Why is it that even slightly old systems are so buggy that
| they are trivially hackable for a moderately well funded
| group?
|
| because software is tremendously complex with a large surface
| area to attack. And many OS features were designed when wide-
| scale hacking was not a problem.
| Veserv wrote:
| Then that means the software is hopelessly inadequate for
| the current environment where wide-scale hacking is a
| constant problem. To echo what they said, why do we accept
| and deploy systems that catastrophically fail in
| circumstances that we know are going to occur? Why is it
| acceptable to take systems that were not previously
| connected and actively make a decision to connect them to
| internet if they are completely unfit for that environment?
| And not just that, they are so unfit that they not only
| fail in the new environment, but they enable total
| organizational collapse in a way reminiscent of the exhaust
| port on the Death Star.
| temp8964 wrote:
| Is it true that hacking any random staff member / computer of
| the company can lead to a ransomware attack on the machine
| holding the crucial data of the company?
| _wldu wrote:
| It is probably more true in "Corporate America" where MS
| Windows Active Directory is in use and all the computers are
| domain joined and have read/write access to file servers.
| temp8964 wrote:
| It sounds like a problem the IT department should solve.
| No?
| g_p wrote:
| It is, but solving that problem would entail re-training
| staff, reduce "productivity", and moreover, cost money...
| Many companies have cut their IT provision below what is
| needed to simply stand still.
|
| IT is a cost to their business, not a revenue source.
| They don't consider the counter-factual of "well, what if
| we didn't use IT and computers and the internet" when
| valuing what IT is bringing to their business. If they
| did, they'd perhaps be willing to spend more.
|
| MBAs don't like spending money on something that doesn't
| yield them more sales though...
| curiousgal wrote:
| > Users will always open attachments from people they don't
| know, click links, or even pick up random USB sticks.
|
| One bank I interned at sent people an email about the weather
| or something to that extent and each link had a unique
| identifier. Shaming each individual user is the best way for
| them to learn.
| _wldu wrote:
| 100% agree. It's a trick that criminal con-men have been using
| forever in the physical world. There's no reason to kick a door
| down (draw attention to yourself) when you can convince someone
| inside to open it.
|
| _" My puppy just got hit by a car! Can I come in and use your
| phone to call for help?"_
| g_p wrote:
| Absolutely this - most ransomware attacks are pretty
| unsophisticated. You don't need privilege escalation, or an
| exploit. You can carry out the attack using just basic user
| permissions. You are exploiting a basic "problem" of most
| modern OSs (that apps run "as" the user executing them) - the
| user/group permission model ceases to work in 2021 with non-
| expert users. Portal-based access to individual files via
| secure OS-provided portals (i.e. like on Android/iOS/flatpak)
| help to prevent apps needing access to every file on the
| filesystem, but until those are widely adopted, it will be
| increasingly difficult for "normal" organisations to prevent
| ransomware attacks.
|
| You can prevent ransomware fairly simply by following best
| practice, and taking some steps that most companies will feel
| are excessive (but effective), such as whitelisting binaries,
| preventing running of any binaries not on that whitelist, and
| keeping that whitelist up to date on a regular real-time basis.
| Nobody wants to spend the time doing this, so they leave it a
| "free-for-all".
|
| Exploiting user-level access is just the natural escalation now
| that getting good exploits is more costly and difficult. Now
| attackers will "make do" with what they have. IT can win the
| battle, but with inconvenience, friction, and increased costs
| in IT.
|
| There's important businesses that are "critical infrastructure"
| still using Windows 7 on their corporate day-to-day let-me-
| check-my-emails-and-browse-the-web laptops, without extended
| support. Organisational inertia and a lack of recognition that
| they need to pay for the technology that enables their
| business leads them to this position.
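Added example (not from the thread or any product mentioned in it): the binary allowlisting g_p describes, done by content hash rather than by path. The `BinaryAllowlist` class and `demo()` scenario are hypothetical; the temp-dir files stand in for real executables. It shows why the list has to be keyed on what the file contains: a renamed copy of an approved binary stays allowed, while unknown content planted at an approved path is refused, which a naive path-based check would accept.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Streamed SHA-256 hex digest of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class BinaryAllowlist:
    """Execution allowlist keyed by content hash (hypothetical helper).

    A binary is permitted only if its SHA-256 digest was recorded; its file
    name and location play no part, so a renamed copy is still allowed and an
    unknown file planted at an approved path is still blocked."""

    def __init__(self):
        self._allowed = {}  # digest -> human-readable label

    def add(self, path, label=None):
        """Record the current content of `path` as approved and return its digest.
        Call again after every legitimate update so the list stays current."""
        digest = sha256_of(path)
        self._allowed[digest] = label or os.path.basename(path)
        return digest

    def revoke(self, digest):
        """Drop an approval (e.g. a version that was withdrawn); True if it existed."""
        return self._allowed.pop(digest, None) is not None

    def is_allowed(self, path):
        return sha256_of(path) in self._allowed


def path_allowlist_allows(allowed_paths, path):
    """Naive path-based check, shown only for contrast with the hash-based one."""
    return os.path.abspath(path) in allowed_paths


def demo():
    """Constructed scenario in a temporary directory; returns the decisions made."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved.exe")
        with open(approved, "wb") as f:
            f.write(b"#!/bin/sh\necho approved\n")  # constructed stand-in for a real binary
        allowlist = BinaryAllowlist()
        digest = allowlist.add(approved, "approved tool v1")

        # Same content copied under another name into another directory.
        renamed = os.path.join(d, "sub", "renamed.bin")
        os.makedirs(os.path.dirname(renamed))
        with open(approved, "rb") as src, open(renamed, "wb") as dst:
            dst.write(src.read())

        # Unknown content dropped at the approved path.
        with open(approved, "wb") as f:
            f.write(b"#!/bin/sh\necho something else\n")

        return {
            "renamed_copy_allowed": allowlist.is_allowed(renamed),
            "replaced_binary_allowed": allowlist.is_allowed(approved),
            "path_check_accepts_replaced": path_allowlist_allows({os.path.abspath(approved)}, approved),
            "revoked": allowlist.revoke(digest),
        }
```

The cost g_p mentions is visible in `add()`: every legitimate software update changes the digest, so the list must be refreshed as part of the deployment process or the update itself gets blocked.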
| londons_explore wrote:
| I would like to see rate-limiting built into OS's.
|
| Eg. an application is only allowed to touch 100 files per
| second or 1000 files per hour.
|
| When it reaches those limits, it gets paused and a popup asks
| the user if this application really should be doing X.
|
| Then at least ransomware can't run through stuff too quickly.
| contingencies wrote:
| Behavioral heuristics are best learned in-situ; you need to
| know _how_ the software is used with _which_ data to
| correctly profile normal behavior. Some users and workloads
| hate sandboxes, though, and a 'Run as Administrator'-esque
| familiar-escape thus demanded by users will no doubt
| destroy its utility. Ultimately, someone must correctly
| articulate what the system is supposed to do, and this
| requires knowledge.
| jcpham2 wrote:
| Had to troubleshoot Windows software from a MAJOR
| shipping provider that popped up a "you must do this
| thing" on a fully up to date Win10 system today.
|
| "The thing" would not work as an unprivileged user
| account and would only work as a right click run as
| administrator situation :-)
| Wowfunhappy wrote:
| Okay, but these particular heuristics aren't rocket
| science. Is a process rewriting 25% of my hard disk,
| and/or 10% of one of my backup drives? Time to send an
| alert to the user, and an IT admin if this isn't a
| personal device. There are very few legitimate use cases
| for that.
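Added example, not code from the thread: the two heuristics proposed above (londons_explore's per-process touch rate, Wowfunhappy's "fraction of the data set rewritten") as one monitor fed with constructed write events. `FileActivityMonitor` and `simulate()` are hypothetical; the thresholds (100 files/second, 1000 files/hour, 25% of the data set) are the ones quoted in the comments, not tuned values. A flagged process is only marked as paused here; wiring that into an actual hold-and-prompt is the OS's job.

```python
from collections import defaultdict, deque

SECOND = 1.0
HOUR = 3600.0


class FileActivityMonitor:
    """Per-process write-activity heuristics (hypothetical helper): a sliding
    window rate limit on files touched per second and per hour, plus a
    cumulative check on how much of the protected data set one process has
    rewritten."""

    def __init__(self, total_files, max_per_second=100, max_per_hour=1000, max_fraction=0.25):
        self.total_files = total_files
        self.max_per_second = max_per_second
        self.max_per_hour = max_per_hour
        self.max_fraction = max_fraction
        self._recent = defaultdict(deque)  # pid -> timestamps of write events (last hour)
        self._touched = defaultdict(set)   # pid -> distinct paths written so far
        self.paused = set()                # pids held for user / admin review

    def _prune(self, pid, now):
        q = self._recent[pid]
        while q and now - q[0] > HOUR:
            q.popleft()

    def record(self, pid, ts, path):
        """Register one write to `path` by `pid` at time `ts`; return the list
        of rule names that fired (empty when the write looks normal)."""
        q = self._recent[pid]
        q.append(ts)
        self._prune(pid, ts)
        self._touched[pid].add(path)

        alerts = []
        per_second = sum(1 for t in q if ts - t <= SECOND)
        if per_second > self.max_per_second:
            alerts.append("rate_per_second")
        if len(q) > self.max_per_hour:
            alerts.append("rate_per_hour")
        if len(self._touched[pid]) / self.total_files >= self.max_fraction:
            alerts.append("rewrite_fraction")
        if alerts:
            self.paused.add(pid)
        return alerts


def simulate():
    """Constructed event streams: an editor saving a few files, then a bulk
    rewriter touching 600 of 2000 files at 200 files/second."""
    mon = FileActivityMonitor(total_files=2000)

    editor_alerts = []
    for i in range(5):  # pid 10: one save every 12 seconds
        editor_alerts += mon.record(10, i * 12.0, f"/home/u/docs/report{i}.docx")

    bulk_first = None
    bulk_rules = set()
    for i in range(600):  # pid 99: 5 ms apart, i.e. 200 files per second
        fired = mon.record(99, 100.0 + i * 0.005, f"/home/u/docs/file{i}.xlsx")
        if fired and bulk_first is None:
            bulk_first = i
        bulk_rules.update(fired)

    return {
        "editor_alerts": editor_alerts,
        "bulk_first_alert_index": bulk_first,
        "bulk_rules": sorted(bulk_rules),
        "paused": sorted(mon.paused),
    }
```

In the simulation the per-second rule fires on the 101st write (index 100), long before the rewrite-fraction rule does at 500 files; that ordering is the point of a rate limit, since it reacts to the pace of damage rather than waiting for a large share of the data to be gone. The per-second count walks the whole hour window, which is fine for an example; a production monitor would keep a separate short window.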
| g_p wrote:
| Indeed - I think Windows Defender dabbled in offering this
| as a feature. I at least recall seeing programs prevented
| from creating files in the Desktop or Documents folders.
|
| A rate limit, with group-policy controllable "automatic
| response" would perhaps help - you need the GPO integration
| though so that an IT admin can say "never allow file system
| rate limit to be exceeded".
|
| If you enforce a rate limit locally, and on the network,
| and move to copy-on-write filesystems, it would be a whole
| lot harder to cause straightforward harm (at least while
| migrating to a newer, safer OS architecture paradigm, where
| code doesn't run as the user).
|
| In the post-Covid world, I think MS and others have a whole
| host of these kinds of issues to think about - Windows in
| an AD environment is still (as far as I know) not something
| really geared for working off-prem. It still relies heavily
| on LDAP and CIFS etc. A re-write to get a desktop OS ready
| for the "web first" world (where everything is sent to the
| AD domain TCP/443, using HTTPS, with client certificates
| rather than passwords, stored locally via hardware-backed
| secure storage, and trusted CAs used by the DC) would be a
| big first step towards this. Yes, I know you could use
| Direct Access or whatever MS has butchered into the system,
| but in a world moving to zero trust, MS needs to move to
| zero trust.
|
| Rate limits would be a great starting point, as would some
| proper platform-level protections around preserving shadow
| copies, using copy-on-write, and locally preserving
| versioned user files as a priority. As soon as a ransomware
| attack touches the network, IT should be able to handle it,
| as their backup regime should take effect. At that point,
| if you don't have backups sufficiently separate from user-
| writable files (or you never validate them, and thus don't
| realise you're backing up transparently encrypted
| ransomware'd files for months), you're on your own!
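Added example (not from the thread): one way to do the backup validation g_p says is usually skipped, so that a snapshot full of silently encrypted files does not get accepted as good. `fingerprint()` and `validate_snapshot()` are hypothetical helpers; the file contents in `demo()` are constructed in memory instead of read from a real snapshot. A file counts as suspicious only if its content changed since the known-good baseline and its byte entropy jumped from document-like to ciphertext-like; an archive that was already high-entropy is deliberately not judged by this rule, which is the usual false-positive source for plain entropy scans.

```python
import hashlib
import math


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def fingerprint(files):
    """files: path -> content bytes (constructed here; a real run would read
    the snapshot). Returns path -> (sha256 hex digest, entropy)."""
    return {p: (hashlib.sha256(d).hexdigest(), shannon_entropy(d)) for p, d in files.items()}


def validate_snapshot(baseline, current, entropy_threshold=7.0, max_suspicious_fraction=0.10):
    """Flag files whose content changed since the baseline AND whose entropy
    crossed the threshold upwards (what in-place encryption of a document
    looks like). Returns the flagged paths and an overall verdict."""
    suspicious = []
    for path, (digest, entropy) in current.items():
        prev = baseline.get(path)
        if prev is None:
            continue  # new file: nothing to compare against
        prev_digest, prev_entropy = prev
        if digest != prev_digest and prev_entropy < entropy_threshold <= entropy:
            suspicious.append(path)
    fraction = len(suspicious) / len(current) if current else 0.0
    return {"suspicious": sorted(suspicious), "fraction": fraction,
            "ok": fraction < max_suspicious_fraction}


def demo():
    """Constructed baseline plus one healthy and one 'ransomed' snapshot."""
    def text(i):
        return (f"Quarterly report {i}: revenue steady, costs flat.\n" * 40).encode()

    def pseudo_random(seed):
        # Deterministic high-entropy bytes standing in for ciphertext / archive data.
        return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(64))

    baseline_files = {f"/srv/docs/report{i}.txt": text(i) for i in range(10)}
    baseline_files["/srv/docs/archive.bin"] = pseudo_random(1)  # legitimately high entropy
    baseline = fingerprint(baseline_files)

    healthy = dict(baseline_files)
    healthy["/srv/docs/report3.txt"] = text(3) + b"Addendum: revised figures.\n"
    healthy["/srv/docs/archive.bin"] = pseudo_random(2)  # rewritten archive, still not judged
    healthy_verdict = validate_snapshot(baseline, fingerprint(healthy))

    ransomed = dict(baseline_files)
    for i in range(4):  # four documents silently replaced by ciphertext-like bytes
        ransomed[f"/srv/docs/report{i}.txt"] = pseudo_random(10 + i)
    ransomed_verdict = validate_snapshot(baseline, fingerprint(ransomed))
    return healthy_verdict, ransomed_verdict
```

The check only works if the baseline fingerprints come from a snapshot that was verified before the incident and are stored where user-writable processes cannot reach them; a baseline taken after the encryption started would just ratify the damage, which is the months-of-bad-backups failure the comment describes.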
| csydas wrote:
| My business involves working a lot with such situations,
| and frankly speaking, none of the above would help in the
| least bit.
|
| Cost cutting is probably the biggest threat to most
| businesses. The mythos of the hyper-converged
| infrastructure, with the datastores and repositories for
| backups being hosted on the same physical device, is
| some sort of infection that just cannot be wrenched from
| people's heads.
|
| IT Professionals (not managers, not hapless non-techies,
| actual persons with a cornucopia of certs and accolades
| on their LinkedIn) are in denial as to how to design a
| proper infrastructure to respond to ransomware. At this
| stage and for the foreseeable future, Ransomware is an
| inevitability; not "if" you get attacked, "when". But the
| countless number of conversations I've had where
| basically a group of people from the IT department
| theorycrafted a perfect defense only to get attacked
| because one of them clicked on a random Excel document
| from a spoofed email is too high.
|
| When clients ask me "what do we need to do to protect
| against ransomware" and I explain what airgapping means
| (tape, removable drive arrays), we're either ignored, or
| they say they accept and the clients just don't have the
| discipline to follow the required practices.
|
| Modern IT prefers cargo-cult security, and IT
| professionals love their checklists from some
| organization, regardless of the fact that most of the
| checkboxes are useless to protect against ransomware. But
| the professional can eschew responsibility because "hey,
| I checked all the boxes."
|
| Until technical professionals as a whole start to take
| security seriously and exhibit the discipline that is
| required for such security right now, Ransomware is going
| to continue to be prevalent. No amount of rate limiting
| from vendors will help, because users will simply just
| not use such versions, will disable such limits, will
| work around such limits, or any of dozens of workarounds
| to avoid it because such limits would be inconvenient
| (neverminding such limiting tooling probably will just be
| exploited)
|
| We need discipline first, not tooling to try to correct
| for lack of discipline.
| mikewarot wrote:
| >The difficulty with ransomware attacks and the like, is that
| it's less a technical problem and more a people problem.
|
| The cause is _definitely technical_, it is a huge gaping hole
| in the design of modern operating systems that you sail the
| Ever Given through without incident.
|
| Your operating system does not confer to the user the ability
| to delegate only X resources to the opening of a file, email,
| etc. They (the users) have no ability to limit side effects.
| Blaming them for your bad system isn't ever going to help fix
| things.
|
| The missing system of limiting side effects is known as
| Capability Based Security. We all have a practical example of
| it in our wallet or purse. We can remove a unit of currency,
| hand it to someone else for a purchase, and that is the
| _maximum_ we can lose, unless something extraordinary happens.
|
| We all have outlets, which limit the amount of power they will
| supply, and some even check to make sure it isn't supplied
| through us, or into a system that has arcing issues. We never
| have to worry that turning on a lamp will take down the power
| grid.
|
| Imagine if there were no circuit breakers or fuses, would
| blaming people for not being careful enough help make the
| system safer? No, of course not. Neither does blaming the user
| for your defective Operating System.
| paulpauper wrote:
| Why do twitter scams work so well? Because the margins are high
| enough from the few ppl who still fall for the scams. Awareness
| only does so much. You spread malware to millions of ppl, just
| a few conversions makes it worthwhile.
| sillysaurusx wrote:
| It's interesting that twitter isn't automatically filtering
| those. It's basically a solved problem, they're just not
| doing it.
|
| I'm not saying it'd be easy to do, but rather that it'd be a
| nice thing for the world if they did.
| syoc wrote:
| I agree with what you are saying, but calling it a people
| problem makes it harder to solve. If your organization is large
| enough then your users will always click on phishing links and
| download sketchy malware toolbars. You should also expect to a
| lesser extent that your internet facing infrastructure will
| have vulnerabilities that will be exploited before you are
| aware of them.
|
| These are facts of life and need to be expected. Not saying
| that security training is wasted money, but it is in no way a
| solution to, for example, phishing. Accept that you will have
| compromised clients and internet facing servers and start
| making a strategy with that scenario in mind.
| marcosdumay wrote:
| There is no technical reason for allowing any random user to
| delete their data, or at least not requiring some specific
| capability that most processes don't have.
|
| In fact, there were systems built this way in the 70's.
| ericalexander0 wrote:
| Surprised at how much focus there is on backups as the solution.
| You'll never fully recover from those backups. Backups won't help
| you avoid fines, lawsuits, lost customers, and lost time.
|
| I run an open data set on data breaches. The vast majority of
| ransomware incidents start with a phishing email, to beachhead,
| to find domain admin, to game over.
|
| The root problem is domain admin population size. Reduce it to
| zero with privileged access management to avoid ransomware.
|
| https://ericalexander.org/SecurityBreach/#/
| networkimprov wrote:
| A second root problem is the insanity of public SMTP on today's
| Internet: allowing anyone, claiming any identity, to send you
| any content without limits.
|
| I started an open source project to enable a new email network,
| on a new protocol.
|
| More: https://mnmnotmail.org/
___________________________________________________________________
(page generated 2021-04-30 23:00 UTC)