Ransomware

I've never figured out the fuss over ransomware:

Some day soon, you may go in and turn on your Windows PC and find your most valuable files locked up tighter than Fort Knox.

You'll also see this message appear on your screen:

"Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com"

How is this any worse than the old hacker viruses that put a funny message on your screen and erased your hard drive?

Here's how I see it, if someone actually manages to pull this up and put it into circulation, we're looking at malware Armegeddon. Instead of losing 'just' your credit card numbers or having your PC turned into a spam factory, you could lose vital files forever.

Of course, you could keep current back-ups. I do, but I've been around this track way too many times to think that many companies, much less individual users, actually keep real back-ups. Oh, you may think you do, but when was the last time you checked to see if the data you saved could actually be restored?

The single most important thing any company or individual can do to improve security is have a good backup strategy. It's been true for decades, and it's still true today.

Posted on June 16, 2008 at 1:09 PM • 75 Comments

Comments

sooth_sayerJune 16, 2008 1:38 PM

Well this an issue of psychology not CS.

If people loose their data because of lack of knowledge .. that disks do go bad .. they might shrug it off.
If they "think" someone injected a virus into their disks and make it useless .. they get upset .. start reading Bruce.
However if someone else HAS their data .. then they call the cops and get mad.

The problem in all cases is mostly users stupidity.

Nicholas WeaverJune 16, 2008 1:38 PM

The other problem with extortion: collecting the money.

Especially when you want to collect a sum of money from a LOT of people, the act of picking up the currency becomes a very vulnerable point for the malcode author.

Brandioch ConnerJune 16, 2008 1:58 PM

The problem with advocating "backing up" is that most of the software vendors do NOT make it easy to do so.

I'll be talking about Windows here because it is the most common.

I'm talking about a "backup" button on the app (written by the app vendor) that will copy ALL of the settings, files, data, etc to a user-selected directory.

If they're worried about "piracy", the vendor can encrypt the backup with the unlocking "key" that you probably used to install the app with.

Then it writes a script for you to run when you need to restore that backup.

Today, it's almost impossible for the AVERAGE person to backup their data because there is no way for them to know WHERE all their data is. Where's your Quicken data? Where's your iTunes data? Where's your saved game data?

It is unacceptable that the people with the MOST to lose who know the LEAST about their systems are the ones blamed FIRST when something goes wrong.

Computers WILL fail. Yet they are sold without any means for the AVERAGE user to recover from such a failure.

TimJune 16, 2008 2:11 PM

@Brandioch Conner:

I agree with some of your argument. It's not easy for the average user to back up their computer.

However, that's why we have these things called "IT Consultants" or "IT Departments". They should know how to back up your files, and how to restore them. If the information is so critical to the operation of a business, then the smart/prudent business owner, even if he/she doesn't know how to remedy the problem him/herself, will hire someone who does.

Yes, computers are more complicated than a TV remote. But if they weren't, they wouldn't be much use.

ChrisJune 16, 2008 2:11 PM

Backups are useless. Restores are all that's valuable.

As to the "backups are hard" point - get an external USB drive. Most come with built-in software. Just don't leave it plugged in.

Restoring is a pain, no question about it. Easier solutions are available, but they cost more.

JasonJune 16, 2008 2:16 PM

This is an odd situation where a RAID array would not be very helpful in data recovery.

I suppose data corruption of any kind (which this is a type of) would cause just as much trouble.

If the "ransomware" were set to wait for, say 30 days before triggering, then your backups might well be infected, too.

JohnJune 16, 2008 2:21 PM

As touched on above, any backup strategy should have a restore verification process in place. I'm familiar with a case, whose participants I can't disclose to protect the innocent and incompetent, where a ransom attempt involved tampering with the backup device and corrupting backups for 3 months. Had anyone during the 3 prior months verified the ability to restore backups, the bandit would have been much less likely to succeed. (this is also true of un-orchestrated failure, aside from ransom.)

Brandioch ConnerJune 16, 2008 2:23 PM

@Tim
"However, that's why we have these things called "IT Consultants" or "IT Departments"."

But the home users will NOT have paid "IT Consultants" to save their systems BEFORE there is a problem.

Bruce went through that before with the "how do you sell security" bit.

ChrisJune 16, 2008 2:25 PM

Actually RAID only helps in one subset of disasters. Off-site (or at least off-machine) backups should be a no-brainer for any business.

Just think of what you would do if a fire burnt your computer to a crisp.

An ounce of prevention, and all that...

NickJune 16, 2008 2:30 PM

I think its different than a virus that just wipes your hard drive because it is a more easily-reversible process, provided you fork over the money to do so.

Of course, you can't trust these people. They could just as easily write a virus that deletes everything and then claim you'll get it back if you send them money.

Jeff DegeJune 16, 2008 2:45 PM

"Backups are useless. Restores are all that's valuable."

Yep. If you've never done a restore, you haven't really done a backup.

Me? I'm a fan of removable hard-drives. Backup your system, pull your live drives, put in some blank drives, do a restore.

Whether your plan is to do reinstall OS, reinstall apps, then restore data files, or to restore everything, OS+apps+data, if you've never done it, the only safe assumption is that you'll not be able to do it, when the time comes that you'll need to.

Me, I'm reasonably confident. The system I am currently running on is the product of a successful restore. (That is, I restored to a bare drive, and then booted off that drive. Didn't seem any reason to swap back to the original drive, so I've been running on the restore ever since.)

The thing is, I was reasonably confident before, when I had done backups and not tested the restore, and that confidence was later demonstrated to have been misplaced.

Of course, the thing with viruses is that it could be some time before you recognize that you have a problem. Long enough that you've cycled through all your backup media.

There are a lot of people who think that the old-school sysadmins' insistence on multi-level Tower of Hanoi backup strategies was a tad obsessive. A virus with a long incubation period could change their minds.

SkorjJune 16, 2008 2:48 PM

RAID should never be confused with backup.

All modern versions of Windows come with backup application. Just run "ntbackup" to launch the GUI, or use it as a comand-line app if you're that kind of geek.

Of course, it costs money for storage to backup *to*, but storage is getting cheaper every day.

The ntbackup app is the most-overlooked useful Windows component, probably because it's not in the Start menu by default.

bobJune 16, 2008 2:55 PM

This seems similar to the "50% vs 100% gain risk taking compared with 50% vs 100% loss risk taking" issue.

In one case (virus deletes your files) you are guaranteed a loss but in the other you have a chance of winning it all back (pay the ransom and they give you the PW).

I think a cool idea (from the attacker's perspective) would be to modify explorer so that it reports the files unreadable but hasn't actually done anything to the files themselves. Much faster; and if you get caught (unlikely) you can claim no crime occurred. Kind of like holding up a liquor store with a gun that's not loaded.

As a side note I wish it was (much!) easier to do a virus scan from a standalone boot disk. MS makes almost no provision for that.

MilanJune 16, 2008 3:11 PM

For individuals, the threat here should be limited. With an external hard drive, keeping a backup is very easy - especially if you are running a version of Mac OS with Time Machine.

Anybody unwilling to put in the expense and effort to maintain a backup isn't serious about protecting their data. After all, hard drives fail all the time for non-malicious reasons.

David ThomasJune 16, 2008 3:14 PM

@Nicholas Weaver

"Especially when you want to collect a sum of money from a LOT of people, the act of picking up the currency becomes a very vulnerable point for the malcode author."


Although, you probably only need to collect from relatively few for the scheme to pay for itself. This would allow the author to be far pickier than in, say, a kidnapping case, as they could back out on a collection at the first sign of trouble without losing much.

PhilJune 16, 2008 3:20 PM

Trouble is, all modern operating systems and all the applications store their data and configuration settings all over your computer. Restoring a few files or settings can be next to impossible. This would be a good idea for a standard...

The best I have come accross is taking a clone of your hard drive, which I do about once a week, That way you backup and restore everything. But it can be a pain if you only have to do a restore of a particular file or setting.

Stanley JobsonJune 16, 2008 3:26 PM

>"Your files are encrypted with RSA-1024 algorithm. To recover your files you need to buy our decryptor."

I once cracked 1024 bit encryption in my head. In 60 seconds. While getting a blowjob. And with John Travolta holding a gun to my head.

I'd like to see Bruce try that.

aliceJune 16, 2008 3:30 PM

@bob
"Kind of like holding up a liquor store with a gun that's not loaded."

Right. You should try this some time to see how well that "no crime occurred" explanation works out.

the other AlanJune 16, 2008 3:42 PM

@bob

Even pretending to have a weapon is still considered armed robbery.

Davi OttenheimerJune 16, 2008 3:51 PM

I guess on the lighter side of ransomware stories you could consider them a public service announcement for those Windows users who still do not backup their files.

Bruce, I expected you to mention your psychology lecture series on this topic; people in some environments have a hard time reducing risk unless they sense immediate threat or have a fear of impending disaster.

By the way, backups only reduce the value of assets at risk and thus might not be the single most important thing. You still need to reduce the vulnerability of the assets and/or the threats. If you do not, the backups alone do not reduce risk significantly or at all. In other words, if you backup your files to a different folder on the same system, they can still be destroyed by a failure or primitive infection like ransomware...

Pat CahalanJune 16, 2008 3:54 PM

> It's not easy for the average user to back up their computer.

I would disagree with this statement. There are tons of readily available backup utilities. Many removable disks come packaged with software with a decent wizard that will back up everything at the push of a button on the external drive.

I would agree that it is not easy for the average user to have a real backup *strategy*, but that's not the fault of the software community for the most part, it's sort of inherent in the fact that most people built their computer usage knowledge database by trial and error.

> Yep. If you've never done a restore, you haven't really done a backup.

Absolutely. This is one of the reasons why people don't build a real backup strategy; in order to make sure it actually works, you have to actually take the time out to pretend you have an absolute failure of some sort. That's a pain in the acres.

I have a rather complicated backup scheme for my personal files, myself. Mirrored RAID on the home desktop to protect from single drive failure. Automated backup to external USB disk using SyncBack (freeware). Yearly burns of the photo archive to DVD, because they fit in the fire safe and the USB drive doesn't (and I don't trust mechanical media for archival purposes anyway). Everything but the music archive is replicated somewhere else.

GrahameJune 16, 2008 3:56 PM

I don't back up my system, only my data. I reinstall so regularly due to system cruft that it doesn't matter.

But I agree that OS and application vendors seem intent to make backing up your data as byzantine as possible.

DaveJune 16, 2008 4:00 PM

Think of it as enhanced phishing.

People who would ignore ordinary phishing attempts would sometimes submit to these.

Devils-AdvocateJune 16, 2008 4:00 PM

@ Bob's repliers

Yes, even 'pretending' to have a weapon in this day in age during a robbery is the same as having the fully loaded weapon. He was making a point, quite different from the letter of the law.

Just sayin'.

Brandioch ConnerJune 16, 2008 4:21 PM

@Pat Cahalan
"I would agree that it is not easy for the average user to have a real backup *strategy*, but that's not the fault of the software community for the most part, it's sort of inherent in the fact that most people built their computer usage knowledge database by trial and error."

While it is not the "fault" of the ISV's, they are the ones MOST capable of solving the problem.

At least as it relates to their individual products.

It's easier for SoftwareCompany X's CEO to mandate an easy and OBVIOUS backup process for their products than it is to educate a million users on what they "should" be doing.

MichelangeloJune 16, 2008 4:26 PM

I miss the days of actual destructive viruses and such. It's been way to long sense we had one that erased your HDD or similar.

Or, better yet, a modern version of an old one I once saw - open up all the excel files you find, and randomly shift the numbers in them by 1%.

Right now, people are way to dismissive with malware - they don't see it as a huge impact on them. Maybe a few versions that are loudly and visibly destructive would get people's attention....

AntonJune 16, 2008 4:35 PM

The first thing I do before i seriously start using a program is locate all the settings and data for that program and write a backup script for that program.

If that can't be done, the program is not work using. Must say, sadly, Microsoft and Adobe are the exception to this rule. It is nay impossible to find all the settings for these programs.

Do all you clever guys back up the backup scripts?

Todd KnarrJune 16, 2008 4:46 PM

@Phil: Actually, only one modern OS stores application configuration data all over the system. All the others that I know of store it in a very limited number of places. I've transferred Unix systems between boxes many times, and for the modern ones there's only 3 directories I'm normally interested in and 2 of those only require saving a few files/subdirectories out of them. The bulk of it's stored directly under the user's home directory, and the entire home directory tree can be backed up and restored verbatim to the new system.

Windows is the only system that's more complex than that, to the point that I've found no easy way to transfer a system to new hardware. The backup programs out there always seem to assume they're restoring to the same hardware and thus don't need to accommodate a completely new/different Windows system installation (different drivers, etc.), which is usually an invalid assumption.

Concerned CitizenJune 16, 2008 4:51 PM

Regarding backup and restore:

rsync works just fine on Mac and Linux

Restoring is just reversing the order of the 'to' and 'from' right?

I've done it once...how could you check to see if your latest backup 'is restorable'?

Pat CahalanJune 16, 2008 5:03 PM

@ Brandioch

> It's easier for SoftwareCompany X's CEO to mandate an easy and
> OBVIOUS backup process for their products than it is to educate a million
> users on what they "should" be doing.

You can't exactly put the worms back into the can.

Let's say that Windows had a "Schedule Backups" Wizard that launched when someone kicked up the machine for the first time. What if you don't already have backup media? How often does it nag you if you cancel? Can you turn the nagging off? When the wizard runs, how does it differentiate systems files from data files? Users can write files in places other than where the system might expect. More to the point, even if users are well behaved, installed software may put data files someplace odd (very common for open source packages). The difference between a config file and a data file can be ambiguous. What if you want to do a system-wide backup? Do you have the rights to back up other users' files? Do you have to run this as root/Admin?

Having a real backup strategy requires you to know something about how people are going to use the computer. That can be only a short hop from *dictating* how people *will* use the computer.

Even if it isn't, it's not impossible (I'd actually say that it is likely) that saying, "This is the Canonical Backup Wizard That Will Save Your Files" will lead people to a false sense of security about what is being backed up.

Jeff DegeJune 16, 2008 5:33 PM

"Do all you clever guys back up the backup scripts?"

You need the backup scripts, and the restore scripts, and the backup and restore instructions, in your backup set. Otherwise, you won't be able to do a restore.

Like I said - you have to do it for real, in order to know it will work. Put a bare drive in your machine, the clean off your desk of everything except a backup set.

What do you do first? Do you remember what you're supposed to do, first? Will you remember, if you haven't touched your backup scripts in three years?

Boot off your OS restore CD? Do you have a copy of your OS restore CD included in your backup set? Do you have a copy of your OS restore CD included in each of your offsite backup sets?

I save my backup/restore instructions in the filesystem I do backups to, which means they're copied to the off-site DVDs I burn every 32 days. I don't have a copy of the OS restore CD stored alongside my off-site DVDs, and I don't have printed instructions.

This conversation has made me realize that my "fairly confident" may be overstated. I will be adding a copy of the OS restore CD to my offsite sets, along with printed instructions sufficient at least to boot the OS, and to access the written instructions included on the backup DVDs.

Complacency strikes again...

Rich BrownJune 16, 2008 5:56 PM

"Dear ********@yahoo.com,

Your email messages have been encrypted with RSA-1024 algorithm. To recovery your email you need to buy our decryption services, at $25/message.

Sincerely,
yahoo.com"

Brandioch ConnerJune 16, 2008 6:51 PM

@Pat Cahalan
"Let's say that Windows had a "Schedule Backups" Wizard that launched when someone kicked up the machine for the first time. What if you don't already have backup media?"

How about if we stick to what I had originally stated about having a button?

"When the wizard runs, how does it differentiate systems files from data files? Users can write files in places other than where the system might expect."

Simple. It backs up what it knows about. If the user is putting files someplace else, then that user is responsible for those files.

If you want to make it nicer, you'd have the backup routine offer to search other drives (selectable) for files with foo.x extension. Or you'd have it ask you to do "deep" inspection where it would look at the binary itself to find the bits that identify it as the format your app uses.

"The difference between a config file and a data file can be ambiguous."

If they're "ambiguous" on your app, then you need to hire real programmers.

Here's an exercise for you. Find any of the "free" hex editors available and open up a .com file and a .exe file and .mp3 file and a .jpg file and a .txt file so you can see the differences in them.

"Do you have the rights to back up other users' files?"

If there are other users on my machine then I had better know about them, right?

"Do you have to run this as root/Admin?"

Most likely. Because it would be copying files that were (most likely) installed as root/Admin. If the install program requires X rights, then wouldn't you expect the backup program for that to require the same rights?

"That can be only a short hop from *dictating* how people *will* use the computer."

Really? When I could just ignore the backup button? Fascinating.

"Even if it isn't, it's not impossible (I'd actually say that it is likely) that saying, "This is the Canonical Backup Wizard That Will Save Your Files" will lead people to a false sense of security about what is being backed up."

I'm talking about the apps themselves. That's why I used "Quicken" in my example.

I don't care if the OS is recoverable as long as all the apps and the data associated with them are recoverable.

And I wouldn't even care about the apps if they didn't require unlocking keys and such junk.

Heavy Metal ITJune 16, 2008 7:17 PM

I do IT field service work for a machine tool company. I've told customers to replace their hard drives every year (machine shop environments are brutal on hard drives). I've told them to make backups since hard drives are cheap and data are priceless. I got a phone call today from a customer who lost their hard drive. They lost all of their data. They refused to make a backup. The last backup was from 2004 and might work. They've lost configurations that will take months to recover.

How much will they lose while the machine is down? Two-four thousand dollars per hour of down time. How much does a cheap IDE hard drive (less than 100GB) cost? Less than $70. How much down time while they make backups? Less than 1 hour.

All this does is to make sure I have both current and future employment. In a way it is quite sad that people who are otherwise rather intelligent, lack the foresite to head off an easily preventable disasters.

Heavy Metal ITJune 16, 2008 7:17 PM

I do IT field service work for a machine tool company. I've told customers to replace their hard drives every year (machine shop environments are brutal on hard drives). I've told them to make backups since hard drives are cheap and data are priceless. I got a phone call today from a customer who lost their hard drive. They lost all of their data. They refused to make a backup. The last backup was from 2004 and might work. They've lost configurations that will take months to recover.

How much will they lose while the machine is down? Two-four thousand dollars per hour of down time. How much does a cheap IDE hard drive (less than 100GB) cost? Less than $70. How much down time while they make backups? Less than 1 hour.

All this does is to make sure I have both current and future employment. In a way it is quite sad that people who are otherwise rather intelligent, lack the foresite to head off an easily preventable disasters.

Pat CahalanJune 16, 2008 7:29 PM

@ Brandioch

> How about if we stick to what I had originally stated about having a button?

Okay, sorry, I didn't read your top post. We are (or rather, I was) talking apples and oranges here. In the application itself... I don't see that scaling well. Who would want to back up a few dozen individual applications? (Any manual backup process is probably doomed to failure anyway, in my experience if you don't automate it, it's not going to get run regularly). Software developers embedding such a button would be adding something that fairly few people would use.

> Here's an exercise for you. Find any of the "free" hex editors available and
> open up a .com file and a .exe file and .mp3 file and a .jpg file and a .txt file
> so you can see the differences in them.

Knowing the difference in the files isn't the problem. If you don't know *where* the files are, you have to search for them. Since you don't know where they *might* be, you have to search for them every time you do a backup, to make sure new locations aren't in use. Now that people are buying 1 TB desktop drives, this is not a trivial problem. When do you schedule it? If you're a user, having a backup run while you're doing work is probably performance-annoying, do you let them cancel it?

But I see where you're coming from - you're asking for the ability to backup an application (on one machine) and restore it (presumably on another machine) in a way that enables you to avoid the process of reinstalling it, getting your app, config, and data all restored in one fell swoop.

That would be great if it was standardized and you could schedule your app backup process to somehow do them all for you on some sort of schedule. If you had to configure those backups independently, or run them manually, the average computer user wouldn't get a benefit out of them anyway, because they simply won't do it.

You might as well say that they should learn how to do proper backups themselves.

SteveJune 16, 2008 7:53 PM

Backups of data files are relatively easy, although many Windows users likely have no idea where their data is stored. It's the setup files (cfg, ini, etc) that are way too difficult for the average user, who probably doesn't even know they exist, let alone where to find them. Restoring the data is one thing, but the program may look dramatically different...

Porn BackupJune 16, 2008 8:42 PM

Backing up your files couldn't be any easier. You just drag and drop. Put the files you want to keep in a folder. Click the folder. Copy it to an external USB drive.

Wow. Really complicated.

Keep the files you want to keep on a partition other than your system partition. Then just drag and drop routinely.

Keep an image of your system and restore routinely. Keep files on one partition and operating system on another.

How could it be any easier? What's with this automated backup nonsense? Why automate something so ridiculously simple?

My system is almost totally immune to this type of attack, not only because it's hardened against this, but because of my backup and encryption strategy. I keep 4 backups for every file I've ever had in my possession. Even physical access to my system will be almost useless to an attacker. No, it's not hubris. It's a fact.

2humanORrobotsJune 16, 2008 9:09 PM

A lot of you seem like chatterbots. Sorry about the turing test.
There are so many dots to connect here about ransomware, that this article and others ignore. Sorry, I'm not up to writing it all up.
The worst are full of passionate intensity, while the best lack all conviction....
UICTA, would make some backups even more problematic.

Use two custom BSD systems, on different archs, with different drives, with backups drives...and have spare hardware.

Backup FreakJune 16, 2008 10:35 PM

Automatic backups are the best.

Just let a backup program do the work for you automatically so if something happens, then you are good to go.

Most people forget to do a backup and when something happens, they just freak out.

An automatic full backup once a week of all your important files is a good idea.

An automatic incremental or differential backup on a daily basis of all your important files is also a good idea.

The trick is figuring out what to do the backups on and how to keep all of that important information secure and safe.

Mark JaquithJune 16, 2008 10:57 PM

I've never figured out the fuss over ransomware

I think it just feels more personal... like a targeted crime vs a random mugging. Even if the result is the same.

John CampbellJune 16, 2008 11:01 PM

A Backup Strategy is fine... but what about a Restoration Stratagem?

When you want to restore files, you want it to be as painless as possible... and, somehow, avoid restoring the malware, as well.

Windows and Malware go together like Trailer Parks and Tornadoes.

Backup FreakJune 17, 2008 2:28 AM

@ John Campbell

Restoration can be a problem depending on why the computer is being restored.

If some monster installs ransomware on your computer and locks some of the files asking for ransom, then all a person has to do is delete the ransomware infected files and replace the files again from the most recent backup.

That is why automatic daily backups come in so handy.

If the whole computer becomes infected beyond repair or crashes then reformat the hard drive and re-install the operating system and miscellaneous programs.

After that put the backed up files back in the computer.

Maybe wiping the hard drive would be a good idea to play it safe.

I have never found an easy way to restore the system back to the way it was from a complete backup copy.

Norton Ghost may do it if the backup is done in DOS, but it can get tricky if a person has operating system encryption installed and passwords are required to restart the system, and so forth.

Plus a complete backup of the hard drive requires a lot of hard drive space, so be prepared to have an enormous hard drive to do regular backups to.

Backup FreakJune 17, 2008 3:01 AM

@ John Campbell

Forgot to mention that if the operating system, programs and files are run from an external hard drive, then backing up the external hard drive to another external hard drive would be a complete mirror copy of the first external hard drive.

However it would require a 2nd computer to do the backup and connecting the hard drive cable to the other computer and then reconnecting the cable again to the first cable.

That kind of backup would be a real pain if done on a daily basis and unorthodox.

Otherwise, you may want to consider getting a server if you want a complete mirror copy.

CharlesJune 17, 2008 3:47 AM

The problem I keep finding users running into with automagic backup systems is they expect the magic to just work, and get awfully upset when something unexpected happens. My favourite disaster is the 'lots of large temporary files' or variation thereof. The most common way of triggering this is using somewhere like ~/Desktop to store the set of recovery iso images overnight due to running out of disks...

However, there would be no linux if Linus had backed up his minix partition (or not tried to auto-dial it...)

swsJune 17, 2008 4:31 AM

I am in the process of creating an app for a startup company. We have a button on our app, a big green button actually, that says backup on it. You click backup and select a directory and it copies all the data files the app needs to that folder. There is also a restore button, point it at the backup folder and the app will restore from the backup.

Even making it this easy, the users still don't use it... :(

What can you do ?

ItsObviousJune 17, 2008 4:39 AM

"The single most important thing any company or individual can do to improve security is have a good backup strategy"

The next most important thing is not to use any version of Microsoft Windows.

Backup FreakJune 17, 2008 6:36 AM

What John Campbell is looking for is a way to backup everything in the computer so if major problem happens, then he can simply go to the backup and be back where he was..........

I have not found anything that works that way without always having a complication.

For those not so lucky with ransomware, Kaspersky has instructions how to undelete the encrypted files created by ransomware:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444

Jeff DegeJune 17, 2008 6:59 AM

>Even making it this easy, the users still don't use it... :(

I set up a system once, for a customer, where the backup program ran automatically, every night. It even popped the tape for them. All they needed to do was to take it out and put in the next tape in the backup sequence: M,T,W,Th,F1,F2,F3,F4.

Naturally, when their HD crashed two years later, it turned out that they'd just been pushing the same tape back in, every day, and their most recent full backup was 18 months old.

They dragged me in on an emergency support call. When I told them there was nothing I could do, they said that if they couldn't get the system running, they'd be out of business.

>What can you do ?

I told them I'd make sure they got my bill before they did.

bobJune 17, 2008 7:01 AM

I don't understand something. 1024 bit encryption is typically only used as a key-encryption key because it is too slow to use for a traffic encryption key. Yet these guys are using it to encrypt an ~entire hard drive? Wouldn't you notice your computer going apeshit, coming to a standstill and sounding like it was scraping the oxide off the HD platter for 3 hours while it was doing this?

AnonymousJune 17, 2008 7:02 AM

It's worse than deleting because at least you can get deleted files back. Is a part of the encryption process deleting the files? If so, then I guess it's no different, but if the same filespace that the file occupies now is copied over by the encrypted version, then you're kind of screwed. Of course good backups are important, but until that's a simple and fast process thats' practically automatic, normal people aren't going to do it.

john campbellJune 17, 2008 8:25 AM

Restoration of a smoked machine is a lot easier if you have a Mac... though I don't know if the "target mode" is available on the intel-based Macs. It would take little to re-image a Mac, really, and does not depend upon having a working OS on the machine, so a virgin install is almost painless.

That being said, I have a linux box as my main server that basically has approximately 1TB of RAID5'd space, so taking snapshots of the various laptops isn't that hard... but restoration of the non-Linux boxes are problematic, though I can do that through non-writable SAMBA shares. (Backups get done via a Linux Live CD, tar/cpio piped through ssh, which is, sadly, exceptionally invasive of a Vista/XP box, but, then, I haven't tried to install CYGWIN on the box, simply because I do not trust the underlying OS further than I can read its source code.)

And, of course, if something destroys the flash-resident BIOS, the machines are toast, any way.

Bare metal restores of Windows boxen are, to me, an exceptional pain in the patootie, and, if my wife's laptop gets smoked by malware, she's gonna be running KUbuntu instead of Vista when I restore her files. (This is simple because she is already comfortable with Open Office since she uses that on Vista, so her end-user experience won't change that much... except, dammit, for iTunes, which Vista keeps breaking, any way.)

I'll admit that there are some things we cannot yet do with Linux-- usually when dealing with proprietary S/W, like iTunes, which is forced on us by Apple doing some funky encryption on the iPods-- but, for the most part, Linux works well, here, but, then, we don't play games on these 'puters... that's what the PS3 and Wii are for.

I'll admit that my restoration strategies are likely "wanting" simply because I *assume* any exercise will be a bare metal restore... something problematical for Windows boxes, and, with daily backups, what happens if you have malware with a long incubation period?

John CampbellJune 17, 2008 8:38 AM

As a side note, has anyone here followed the OOXML saga over on groklaw.net?

It can be argued that M$ has been delivering ransomware for some time, now, though the "guerilla upgrading" they force (one person upgrades Office because they can't get the "current" version) and then others _have_ to just to be able to read the documents produced) people through.

It does not help, of course, when they abandon their older file formats so that you can't read older documents...

So it does not take encryption to ransom your data... and, sometimes, it is a matter that you must, with each upgrade, load/save ALL of your documents/spreadsheets/etc to keep them in the "current" supported file format.

Pat CahalanJune 17, 2008 12:24 PM

@ Jeff

> All they needed to do...

Any backup system that relies on a non-IT person to do *anything* is within epsilon of probability=1 for ultimate failure :)

Michael ChermsideJune 17, 2008 1:30 PM

@bruce:

I can't explain why people make such a fuss over ransomware -- but I CAN explain why they SHOULD be so concerned.

Ransomware is far more dangerous than the kind of virus that just deletes your hard drive. The data wiping virus can have devastating effects even though it's just something thrown together by a "script kiddie" or juvenile delinquent. But consider what happened when spam began returning a profit (and only a MINISCULE profit): a whole industry sprang up (closely associated with organized crime) and things rapidly escalated to the point where the vast majority of all emails are spam. [http://www.itp.net/news/516775-the-spam-report-april-2008]

If ANYONE pays up, ransomware returns a profit (and it has the potential to have much larger profit margins than spam does). Unless the rate at which authorities catch miscreants is high enough, it will create a vast industry (populated by professional programmers, not adolescent vandals) which will unleash a veritable storm of vicious attack vectors.

CyberbomberJune 17, 2008 2:09 PM

I'd restore a backup, then mailbomb ********@yahoo.com back into the Stone Age. xD

ruin your dayJune 17, 2008 7:27 PM

When real ransom-ware is shown to be marginally profitable, imitations with lower production costs will flood the market. Imitations will simplify the code of the malware in order to increase the rate at which variations can be produced and distributed.

Imitation ransom-ware will overwrite your files with random data of a size that makes it look like your cleartext is encrypted, but it's not really encrypting anything. It will also write real extortion files with a real address to send your ransom. However, there won't be an RSA 1024-bit key and there won't be a response from the ransomer, because the imitation ransom-ware is just a PRNG that overwrites files.

JasonJune 17, 2008 10:52 PM

For those complaining that it's impossible to backup Windows since programs spatter stuff all over the registry and filesystem, Vista actually has an impressive "Complete PC Backup" feature that makes a perfect image of a hard drive (while the machine is running, no less.) It stores the copy as a Virtual PC image, so presumably you can even boot off of it.

bob: the viruses that do the RSA-1024 typically use the RSA key to encrypt a symmetric file key. They often then append the encrypted key to the end of each encrypted file (so in effect your files would grow by 128 bits or so if it was using AES as the symmetric algorithm.)

Backup FreakJune 18, 2008 3:03 AM

@ Jason

I checked up on Vista Complete PC Backup at the following links:

http://www.bleepingcomputer.com/tutorials/tutorial145.html

http://www.microsoft.com/windows/products/windowsvista/features/details/backup.mspx

I did not see anything about automatic backups in the articles.

Maybe some third-party software will allow Vista Complete PC Backup to do it automatically.

I still suggest that people make an incremental or differential backup everyday. Incremental backups require less hard drive space.

John Campbell mentioned something interesting about some types of malware having long incubation periods.

With those kinds of attacks a person may be in trouble with the backed up data that was created after the malware was installed.

Kaspersky does have a solution for removing one form of ransomware, so a person could hopefully recover some of the lost files:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444

bobJune 18, 2008 9:28 AM

@Jason: Thought so. So I dont need to brute-force the 1024 bit KEK, just the 128 or 256 bit TEK (per file I assume)? Seems far more feasible (more so every day).

We could even start a "breakkey@home" project where people put a locked file and a corresponding clear text on a website and spare CPU cycles are donated to find the key.

Jeff DegeJune 18, 2008 2:00 PM

>I did not see anything about automatic backups in the articles.

>Maybe some third-party software will allow Vista Complete PC Backup to do it automatically.

There's no reason to add scheduling to a Windows backup program, when Windows Task Scheduler will run it on any schedule you like.

If running the backup software every night, creating a backup in the same place every time, was adequate, we'd have the problem solved. Problem is, that's not adequate.

Backup FreakJune 18, 2008 4:30 PM

@Jeff Dege

Task Manager may work for some people, but does it create incremental/differential backups after the first initial master backup?

I like backing up my data to an encrypted external hard disk drive.

Then I make regular backups of the encrypted external hard drive to other encrypted external hard drives and keep those backups in safe places.

Plus I only make those backups from a secure computer that is not connected to the Internet.

Before transferring any information from the Internet computer or from any CDs, DVDs and so forth I do a virus and anti-spyware scan.

I liked John Campbell's concern about creating a complete mirror image backup copy of the hard drive and Jason's imput how to accomplish that without complications during a restore.

It looks like now I am going to have to get larger external hard disk drives (500MG or 1TB) to do complete mirror image backups and secondary incremental/differential backups.

I have secure backups going back as far as 1996 so malware with a delayed incubation period will hopefully not create a total disaster.

If a computer crashes or if some form of malware kills the system or locks it up, then what can one do except lose the data or pay the ransom for the lost data between the last good backup and the time the computer failed.

PaeniteoJune 19, 2008 6:10 AM

@bob: "So I dont need to brute-force the 1024 bit KEK, just the 128 or 256 bit TEK (per file I assume)? Seems far more feasible (more so every day)."

Both tasks are practically infeasible.
1024 bit is an *asymmetric* key and breaking that might even be easier (in a purely relative sense) than breaking a single 128 bit *symmetric* key.

Jeff DegeJune 19, 2008 7:25 AM

"Task Manager may work for some people, but does it create incremental/differential backups after the first initial master backup?"

That's where it gets complicated. Pretty much any backup tool can be used to make incremental or differential backups. And pretty much any backup tool can be used to output its backup files to different media. And Task Scheduler (or cron) can be used to run different backup tasks on a set schedule.

But planning which backup tasks should be run at which times, onto which media, takes forethought. It's not really that complicated, but it's not amenable to a click-a-single-button solution.

Backup FreakJune 19, 2008 6:42 PM

@Paeniteo

I use DriveCrypt 256-bit AES encryption by SecurStar. There have been no reports of anyone successfully attacking their product using brute-force. I could change to triple AES for even more security.

I also use strong long passwords, so that should make it impossible with today's technology. If I am wrong, then please let me know.

@Jeff Dege

I do have a backup program called Acronis, but doubt it can do a total restore without complications. Using that program to make automatic daily backups has been very successful.

I only use Acronis to backup important files and not the registry or operating system, however I do like your advice about using Vista Complete PC Backup, but I am still not sure if it is as flexible as Acronis.

Maybe Acronis will do a complete restore, but my experience with backup programs makes me believe it will not without complications.

The RockJune 19, 2008 10:02 PM

This problem is way harder than people are expressing in these comments. Critical data that changes often is difficult to backup properly.

Backing up to an external device is great, but when the original data becomes damaged via "ransom ware" or when the external storage device is targeted for deletion or also encrypted/"ransomed", then what? Also, if the original computer is compromised the hacker is going to have access to any external backup mechanism - no matter what it is.

Automating backups requires moving the backups to external media, then rotating the archives out of circulation through manually moving the tapes ("libraries" they are called). Another solution is ftping the data to an external ftp server, then from the backup server move the scripts out of ftp directory since anyone with access to the source computer will be able to access the external device/ftp server, etc. this won't work obviously for huge amounts of data.

It is a difficult problem to solve.

There is a reason companies pay big money to manage their backups. Anyone that thinks about the problem understands there is a bit more to it than dragging and dropping some files to a thumb drive every once in a while.

John CampbellJune 20, 2008 11:05 AM

What I would like is an external RAID5 array that connects to a system via either FW800, FW400 or USB2.0 ... especially if you can expand the number of drives in the array.

(Hmmm... a RAID controller implemented to look like an over-sized USB hub, perhaps? allowing more and more drives to be slapped into the tree?)

Backup FreakJune 23, 2008 3:30 AM

@The Rock

In an earlier post I mentioned that I have a separate computer for the Internet and another computer not connected to the Internet.

Before transferring any data from the Internet computer to the other I do a virus and anti-spyware scan. That also includes any CDs, DVDs, and so forth that may be infected.

After reading your most recent post I started thinking that if my virus and anti-spyware definitions do not cover some form of malware yet to be discovered then the scan may not be effective in preventing a ransomware infection with or without an incubation period.

It now seems to me that any data from the Internet or from any external media should be handled very carefully and backed up on some form of media separate from the master computer in order to prevent an infection that could have disastrous consequences.

Actually, it would be like having two companies; one for the master computer and one for data coming from outside sources.

The scary part is sharing data from external sources with the master computer and then having hidden malware infect the secured master computer and all of its master backups.

There are some products on the market that go beyond what the normal run of the mill virus and anti-spyware products offer, such as behavior-based software that will detect abnormal things happening in the operating system.

If someone has more advanced advice, then I sure would to hear about it.

Large servers that are exposed to the conditions I described above must have a heck of a time avoiding being infected.

I sure wish I knew how they do it.

bluecollarpcJune 25, 2008 4:49 PM

I agree with the detachable USB Plug and Play Drive which I have at just under 150 dollars (80Gigs) US (Plug - "Z-Disc"). It has one touch back up INCLUDING your licensed copy of the Windows OS. Wipe the drive and plug it in and hit restore - done deal. Point is detachable memory is very common and much, much cheaper now. But one preferable direct reponse should be to contact the Authorities immediately without touching anything. They will indeed have the person arrested and immediately have the unlocking code sent out to release the victims. What's the point of wiping the disk everyday ? Put the culprits behind bars as very dangerous greedy bums that they are and where they belong to protect the public.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.