Tag Archives: Help Net Security

Ransomware – should you pay up?

According to Help Net Security, the 2018 Risk:Value Report from NTT Security reveals some disquieting facts about how organizations deal with ransomware:

  • 33% would pay a ransom demand rather than invest in better security.
  • 16% are not sure whether they’d pay up or not.
  • Just over half would be prepared to invest actively in information security.

For the report, NTT “surveyed 1,800 C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from across multiple industry sectors.”#

I haven’t downloaded the actual report, as to do so requires registration and I don’t particularly want to be regarded as a potential customer by NTT. And, in fact, while there are evidently lots of other interesting data in the report, I want to focus here on the willingness of so many organizations to accede to the demands of the criminals. Let me refer you to an article by Kevin Townsend from 2016, in which he quoted me at some length (and I discussed those issues at greater length here). Better still, here’s a longer section from the text I originally sent him in response to this question:

“…some figures suggest that 40% of corporate victims pay up. Many AV companies say there is little chance of recovery without the keys. FBI says corporates have a risk decision to make. Europol says simply ‘don’t pay’. Is Europol being realistic?”

[Perhaps it’s a positive that the later report suggests a lower figure of victims that pay up, but there are probably too many variables to rely on that being a definite trend. Anyway, since the question seems to have been put hypothetically, it’s quite possible that respondents would react quite differently if they actually found themselves in the position of ransomware victims, by gritting their teeth and ponying up.]

Anyway, this was my (very slightly edited) response:

 In the abstract, there’s an undeniable argument that if you give in and pay the ransom, you’ve directly contributed to the well-being of criminality. In many cases, it’s a purely economic decision: it’s cheaper to pay up than lose the data. In fact, you’re sustaining a protection racket. On the other hand, if you don’t pay up, you probably don’t get your data back – sometimes there is an effective free decrypter available, but most of the time we can’t provide one – and maybe the damage is so severe that you go out of business. You can’t blame people – or companies – to prefer paying up to economic suicide, any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the Board of Directors to survive the damage to their finances.

If people and companies didn’t pay up, then ransomware attacks would become uneconomic, which wouldn’t stop criminality, but would force crooks to explore other avenues – or maybe I should say dark alleyways. However, the attacks will remain economically viable as long as people aren’t prepared or able to defend their data proactively. It’s easy for those who have the knowledge and resources to implement adequate defences – not as easy as many commentators point out – to say that it’s ‘wrong’ to give in to ransom demands. Of course companies should implement such defences, and that would impact on the viability of the attacks. If they don’t do so because it’s cheaper to pay up than to spend money on a backup strategy, then that is reprehensible. I don’t know how often that happens, though: after all, sound backup practice is a defence against all sorts of misfortune, not just ransomware.

I was taken to task by a commenter on one of my ESET blogs for implying that paying the ransom is sometimes acceptable, pointing out that (I’m paraphrasing) failing to ensure that all an organization’s data could be backed up and recovered as necessary is essentially a symptom of management failure. I’m inclined to agree, in general, as I think my quoted text above bears out. Do incompetence and clinging to false economy make it unacceptable to pay a ransom? Well, that’s a more complicated question. After all, the people who are penalized if an organization chooses not to pay ransom and therefore loses its data are by no means always the people whose incompetence and penny-pinching put their data in jeopardy. I’ll come back to that.

He also asserted that apart from the fact that payment perpetuates the problem, some of the money paid in ransom goes to fund organized crime and even terrorism. Well, that’s a very good point. And while I don’t think it’s necessarily up to me to decide what is or isn’t ‘acceptable’ behaviour on the part of a victim of ransomware, I would at least agree that a ransomware victim (individual or organization) should take into account that possibility. I don’t know how much money paid to ransomware gangs actually does go to organized crime or to fund terrorism, but I’m certainly not going to say it doesn’t happen.

But does that mean that paying ransom should in itself be a crime? Well, we don’t usually go after people who pay up in cases of kidnapping, protection rackets, and so forth, even though those payments may subsidize all sorts of undesirable activities, so I’m not convinced. The more so since I can think of several scenarios that might be seen as being in mitigation. To quote myself again (again, lightly edited):

  • An individual is faced with losing decades worth of family photos or other irreplaceable data.
  • A healthcare organization faces an ethical dilemma because the medical records of thousands of clients are at risk: if they pay, criminals benefit, but if they don’t, the health of many is put at risk. It’s easy to say it’s the victims’ own fault in these cases, but it isn’t necessarily the case: data might be backed up but unrecoverable for a variety of reasons – a failed or incompetent 3rd-party provider, or natural disaster, for instance.

There might be an argument for criminalizing ransom payment where a company could access backups but chooses not to because it’s cheaper to pay up, but that’s still penalizing the victim for the actions of the criminal.

David Harley

IoT resource/news updates

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

(1) Brian Krebs talks about the asymmetry in cost and incentives when IoT devices are recruited for DDoS attacks like one conducted against his site: Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K.

He observes: “The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine. That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that. Perhaps forever unmeasured are the many Web sites and Internet users whose connection speeds are often collateral damage in DDoS attacks.”

Some of his conclusions are based on a paper from researchers at University of California, Berkeley School of Information: the very interesting report “rIoT: Quantifying Consumer Costs of Insecure Internet of Things Devices.

(2) Product test specialists AV-Test conducted research into the security of a number of fitness trackers (plus the multi-functional Apple watch: Fitness Trackers – 13 Wearables in a Security Test. On this occasion, the results are fairly encouraging.

(3) Bleeping Computer: 5,000 Routers With No Telnet Password. Nothing to See Here! Move Along! – “The researcher pointed us to one of the router’s manuals which suggests the devices come with a passwordless Telnet service by default, meaning users must configure one themselves.”

(4) Help Net Security: Hacking for fun and profit: How one researcher is making IoT device makers take security seriously  Based on research by Ken Munro and Pen Test Partners.

David Harley

Office 365 ransomware

I just came across an article for HelpNet by Jeff Erramouspe (Spanning Cloud) on How to protect Office 365 data from ransomware attacks.

Not a technical article, but not bad advice, and I haven’t publicized a how-to article on ransomware for quite a while.

“Ransomware, in particular, has introduced significant risks for Office 365 users. Cerber ransomware, for example, targeted Office 365 and flooded end users’ inboxes with an Office document that invoked malware via macros, and the now infamous WannaCry attack was engineered to take advantage of a Microsoft vulnerability. And now we have an even more insidious ransomware strain with ShurL0ckr – designed to evade the built in malware protection on OneDrive and Google Drive.”

David Harley

Windows 10 Controlled folder access

Microsoft describes the new Windows 10 feature ‘Controlled folder access in Windows Defender Antivirus’ in the article Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile. The article specifically mentions ransomware as one of the threats against which it is likely to be effective.

The article states that ‘Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.’

It’s not clear what criteria are used to blacklist an application: as I read it, it may simply use Windows Defender’s scanning engine to determine the status of an app. I guess I’ll wait for more information before deciding how much additional protection this really provides.

Zeljka Zorz comments for Help Net Security :

Whether this security feature will be enough to stop ransomware remains to be seen, especially if ransomware can get a whitelisted application to bypass the protection and offer a way in.

I wasn’t really thinking of this in terms of whitelisting until I read that, but the feature does, in fact, allow the user to add protected locations apart from the default folders, and also to ‘ Allow an app through Controlled folder access’.  Which opens the door to social engineering as well as subversion of apps, but then that’s a persistent issue with whitelisting applications.

David Harley

Decrypter for Locky-imitating PowerWare

Zeljka Zorz reports for Help Net Security: Decrypter for Locky-mimicking PowerWare ransomware released – Palo Alto Networks’ researchers have created a decrypter for the variant of the PoshCoder ransomware that imitates the Locky ransomware. Josh Grunzweig’s decryptor is a Python script available here.

Zeljka points out ‘They can try following these instructions on Python.com on how to run a Python script on Windows, or ask someone more knowledgeable to help them clean their machine up.’

Added to the relevant resources page here.

David Harley

FLocker: Android Ransomware meets IoT

An article for Trend Micro by Echo Duan illustrates one of the complications of having an operating system that works on and connects all kinds of otherwise disparate objects: FLocker Mobile Ransomware Crosses to Smart TV.

Of course, embedded versions of operating systems such as other versions of Linux, Windows and so on, are not in themselves novel. FLocker, however, seems to lock smart TVs as well as Android phones, as long as they’re not located in one of a number of Eastern European countries. It claims to be levying a fine on behalf of a law enforcement agency. Apparently another of these agencies that prefers its fines paid in iTunes gift cards. As Zeljka Zorz points out for Help Net Security, this doesn’t say much for the credibility of the criminals, but if your device and data have become unavailable to you, knowing that they’re criminals and not the police doesn’t help much.

While the malware locks the screen, Trend tells us that the C&C server collects ‘data such as device information, phone number, contacts, real time location, and other information. These data are encrypted with a hardcoded AES key and encoded in base64.’

Unsurprisingly, Trend’s advice is to contact the device vendor for help with a locked TV, but the article also advises that victims might also be able to remove the malware if they can enable ADB debugging. How practical this would be for the average TV user, I don’t know.

Back in November 2015 Candid Wueest wrote for Symantec on How my TV got infected with ransomware and what you can learn from it, subtitled “A look at some of the possible ways your new smart TV could be the subject of cyberattacks.” Clearly, this particular aspect of the IoT issue has moved beyond proof of concept.

If cited this before, but it’s worth doing again. Camilo Gutierrez, one of my colleagues at ESET (security researcher at the Latin America office) notes that:

… if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return control. Perhaps this is not a threat we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

Just as I was about to post this, I noticed additional commentary by David Bisson for Graham Cluley’s blog. He notes that there’s an interesting resemblance between FLocker’s interface and the earlier ‘police’ ransomware he calls Cyber.Police.

David Harley

Ransomware updates (1)

I can’t say that the ransomware landscape hasn’t been busy for the past week or two, but so have I, on entirely different issues. I have been adding links etc. to resources pages, and they’re not all referenced here, but here’s an update on some stuff I’ve added today.

(1) Cylance’s analysis of AlphaLocker. (HT to Artem Baranov for drawing my attention to it.) Useful stuff, despite the customary AV-knocking.

(2) Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14%. Points made in the article include these:

  • The (sub)title refers to 2,896 modifications made to ransomware in the first quarter of 2016, an increase of 14%, and a 30% increase in attempted ransomware attacks.
  • According to Kaspersky, the ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
  • Kaspersky also reports that mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1,2016.’

(3) Graham Cluley, for ESET, quotes the FBI: No, you shouldn’t pay ransomware extortionists. Encouragingly, the agency seems to have modified its previous stance in its more recent advisory. The agency also offers a series of tips on reducing the risk of succumbing to a ransomware attack. Basic advice, but it will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I was mildly amused, though, to read in the FBI tips:

– Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

It’s a bit tricky to back up data without connecting to the system used for primary storage. I think what the FBI probably meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted.

The tips include a link to an FBI brochure that unequivocally discourages victims from paying the ransom, as well as expanding on its advice. And it is clearer on the risk to backups:

 Examples might be securing backups in the cloud or physically storing offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware; if you are infected, this may be the best way to recover your critical data.

David Harley

Identifying 52 shades of ransomware

There is no simple or universal answer to a ransomware attack (apart from taking all possible precautions in advance, and there are no guarantees even then). However, the site ID Ransomware does seem to offer a way for victims to (maybe) identify the ransomware that has attacked their system. (I haven’t tested it myself.)

As I understand it, the site works like this:

  • It allows a victim to upload a file displaying ransom/payment information or one of the encrypted files, and attempts to use the uploaded file to identify the malware that implemented the attack. It currently claims to detect 52 varieties of ransomware.
  • If there is a known way of decrypting the encrypted files without paying the ransom, it directs the victim towards it.

The site doesn’t offer to decrypt files directly itself, and doesn’t want samples of the actual malware.

Hat tip to  of Help Net Security, where I first saw the site announced.

David Harley

Ransomware Attacks on Hospitals

Help Net Security’s article Crypto ransomware hits German hospitals, based on this article from DW, also includes links to its story about the attack on the Hollywood Presbyterian Medical Center, and another story about a New Zealand hospital  hit with Locky. [Added later: Commentary by John Leyden for The Register here. And I’ve just caught up with an article from My News LA about an apparent attack on the Los Angeles Department of Health.]

As far as I can make out there is no firm indication of links between all these attacks, or that hospitals are being specifically targeted by specific malware, but the clustering is worrying.  If nothing else, it is clear that hospitals, like any other organization, survive such attacks better if they have suitably-protected backups and other well-administered security precautions in place.

David Harley