WannaCry Ransomware

Criminals go where the money is, and cybercriminals are no exception.

And right now, the money is in ransomware.

It’s a simple scam. Encrypt the victim’s hard drive, then extract a fee to decrypt it. The scammers can’t charge too much, because they want the victim to pay rather than give up on the data. But they can charge individuals a few hundred dollars, and they can charge institutions like hospitals a few thousand. Do it at scale, and it’s a profitable business.

And scale is how ransomware works. Computers are infected automatically, with viruses that spread over the internet. Payment is no more difficult than buying something online, and payable in untraceable bitcoin, with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin. Customer service is important; people need to know they’ll get their files back once they pay.

And they want you to pay. If they’re lucky, they’ve encrypted your irreplaceable family photos, or the documents of a project you’ve been working on for weeks. Or maybe your company’s accounts receivable files or your hospital’s patient records. The more you need what they’ve stolen, the better.

The particular ransomware making headlines is called WannaCry, and it’s infected some pretty serious organizations.

What can you do about it? Your first line of defense is to diligently install every security update as soon as it becomes available, and to migrate to systems that vendors still support. Microsoft issued a security patch that protects against WannaCry months before the ransomware started infecting systems; the ransomware only works against computers that haven’t been patched. And many of the systems it infects are older computers, no longer normally supported by Microsoft, though it did belatedly release a patch for those older systems. I know it’s hard, but until companies are forced to maintain old systems, you’re much safer upgrading.

This is easier advice for individuals than for organizations. You and I can pretty easily migrate to a new operating system, but organizations sometimes have custom software that breaks when they change OS versions or install updates. Many of the organizations hit by WannaCry had outdated systems for exactly these reasons. But as expensive and time-consuming as updating might be, the risks of not doing so are increasing.

Your second line of defense is good antivirus software. Sometimes ransomware tricks you into encrypting your own hard drive by clicking on a file attachment that you thought was benign. Antivirus software can often catch your mistake and prevent the malicious software from running. This isn’t perfect, of course, but it’s an important part of any defense.

Your third line of defense is to diligently back up your files. There are systems that do this automatically for your hard drive. You can invest in one of those. Or you can store your important data in the cloud. If your irreplaceable family photos are in a backup drive in your house, then the ransomware has that much less hold on you. If your e-mail and documents are in the cloud, then you can just reinstall the operating system and bypass the ransomware entirely. I know storing data in the cloud has its own privacy risks, but they may be less than the risks of losing everything to ransomware.

That takes care of your computers and smartphones, but what about everything else? We’re deep into the age of the “Internet of things.”

There are now computers in your household appliances. There are computers in your cars and in the airplanes you travel on. Computers run our traffic lights and our power grids. These are all vulnerable to ransomware. The Mirai botnet exploited a vulnerability in internet-enabled devices like DVRs and webcams to launch a denial-of-service attack against a critical internet name server; next time it could just as easily disable the devices and demand payment to turn them back on.

Re-enabling a webcam will be cheap; re-enabling your car will cost more. And you don’t want to know how vulnerable implanted medical devices are to these sorts of attacks.

Commercial solutions are coming, probably a convenient repackaging of the three lines of defense described above. But it’ll be yet another security surcharge you’ll be expected to pay because the computers and internet-of-things devices you buy are so insecure. Because there are currently no liabilities for lousy software and no regulations mandating secure software, the market rewards software that’s fast and cheap at the expense of good. Until that changes, ransomware will continue to be a profitable line of criminal business.

This essay previously appeared in the New York Daily News.

Posted on May 19, 2017 at 6:10 AM

Comments

Vicente Aceituno May 19, 2017 6:29 AM

Bruce, I would argue Backup is first line. Having a copy of your data will protect you from the consequences of ransomware, and many other threats. Second line would be AV (which will protect you from many viruses, but not all), and the third would be patching, for viruses that AV can’t catch….

Santa Claus May 19, 2017 6:35 AM

wrong – first line of defense is don’t click on attachments or links from anyone

Joachim May 19, 2017 6:45 AM

It’s mirai and not MURAI! 🙂

I’d say awareness first, backup second and protections such as anti virus third

PJWillie May 19, 2017 6:47 AM

Backups of your data are fine, but I have backups of my operating systems; that’s why I use open source. If needed I can just erase the disc and reinstall my OS & data.

Steve B May 19, 2017 7:12 AM

Cloud backups: if the contents of “my documents” is synchronised to a cloud supplier, if the files are then encrypted on my PC won’t the synchronisation software simply copy the encrypted files up to the cloud?

Ben May 19, 2017 7:12 AM

Backup is always first-line, because it’s defence against everything, not just ransomware. Anti-virus doesn’t fix a broken hard drive.

brian May 19, 2017 7:16 AM

@PJWillie how is open source different than MSFT & Apple OS for backup of the OS? You can do the same on open source and non for backup of the OS.

Andrew May 19, 2017 7:19 AM

True, the backup should be versioned, not synchronized.
If the malware encryption driver shows you the files “clean”, you may overwrite the good files on synchronization, although they are encrypted.

Andrew May 19, 2017 7:21 AM

I just realized that I might be wrong (or it may depend on the situation). If the malware detects a copy on a USB stick, it may leave it encrypted or not…most likely encrypted.

Bruce Schneier May 19, 2017 7:23 AM

I put backup as the last line of defense because it happens late in the process: it doesn’t prevent, but allows for recovery. But I’m willing to accept arguments that I should have reordered the list.

And, yes, I should have added “don’t click on strange attachments.”

Garrett May 19, 2017 7:24 AM

@Joachim I saw that too, but wasn’t sure off the top of my head. Mirai is Forever in Japanese. Malware naming is funny – when I used to write some, it’d always get a name. Though it’d probably have a different one from software vendors as they usually pick a significant string from the disassembly (not that I ever released mine)

I think the /security/ model for your typical desktop should be different; it’s not been adopted yet. Mostly speaking to Windows.

First, virtualize everything – app level is fine (see: sandboxie). Processes get their own storage spaces and are isolated to them. If they need more access, you can grant that. (Imagine a commdlg hook that created a OpenFile permit rule upon opening. Have a few advanced options that let you specify fusion and type of the grant (rw/ro). They can only communicate with certain hosts (based off of a security manifest). “Etc”. So, executing a random .js file cannot nuke your entire /Users/ directory (unless you say yes to that liberal rw permission upon install or execution)

Attack surface area of drivers should be reduced; UMDF can help that. Get stuff like SMB and HTTP out of the kernel. Seriously, it doesn’t need an RSS reader!!! The Service Accounts in 8+ is FINALLY getting rid of everything being LocalSystem.

Beyond that, ditch sig based virus detection. I think that a service that acts as an ETW logger, combined with a strong detection engine, could detect most ‘funny business’.

Finally, a heuristic firewall at the edge of your network. Rules set up via a protocol similar to UPnP, except you have to permit it (nice little popup on your desktop, via broadcast notification.). Internet Access by default is bad, especially on any port, to any port, to any host! To make this easier to manage, multiple SSIDs, to make ‘IoT’/’Guest’/’Internal’ networks by default.

ygonzar May 19, 2017 7:24 AM

Monitoring the filesystem activity could be considered as another line of defense. It could be thought of as a very reactive solution, true. It also depends on the user understanding what the monitoring tool’s annoying pop-ups are trying to convey. But maybe it is worth a look.
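As an added illustration of the file-system monitoring ygonzar mentions (this is not code from the post or from any commenter), the Python below runs a simple per-process heuristic over constructed write/rename events of the kind inotify, ETW or a Windows minifilter driver would report: many distinct files rewritten with high-entropy data, or renamed to a new extension, by one process inside a short window. The thresholds, process IDs, paths and sample data are all assumptions chosen for the demo.

```python
"""Heuristic ransomware detector over file-system events (added example).

Feeds constructed write/rename events through a per-process sliding window
and alerts when one process rewrites many files with high-entropy data, or
renames many files to a new extension, within a few seconds.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple


class FileEvent(NamedTuple):
    ts: float            # seconds since the monitor started
    pid: int
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""    # bytes written (writes only)
    new_path: str = ""   # destination (renames only)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    def __init__(self, window_s: float = 10.0, min_files: int = 5,
                 entropy_threshold: float = 7.0) -> None:
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        # pid -> recent (ts, path, high_entropy_write, extension_changed)
        self.recent: Dict[int, Deque[Tuple[float, str, bool, bool]]] = defaultdict(deque)
        self.alerted: set = set()

    def observe(self, ev: FileEvent) -> Optional[str]:
        """Record one event; return an alert string the first time a pid trips the rule."""
        q = self.recent[ev.pid]
        if ev.op == "write":
            q.append((ev.ts, ev.path, shannon_entropy(ev.data) >= self.entropy_threshold, False))
        elif ev.op == "rename":
            ext_changed = os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]
            q.append((ev.ts, ev.path, False, ext_changed))
        while q and ev.ts - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        touched = {p for _, p, _, _ in q}
        high = sum(1 for _, _, h, _ in q if h)
        renamed = sum(1 for _, _, _, r in q if r)
        if (len(touched) >= self.min_files and max(high, renamed) >= self.min_files
                and ev.pid not in self.alerted):
            self.alerted.add(ev.pid)
            return (f"pid {ev.pid}: {len(touched)} files in {self.window_s:.0f}s, "
                    f"{high} high-entropy writes, {renamed} extension changes")
        return None


def detect(events: List[FileEvent]) -> List[str]:
    """Run the heuristic over a batch of events in time order and collect alerts."""
    h = RansomwareHeuristic()
    return [a for a in (h.observe(e) for e in sorted(events, key=lambda e: e.ts)) if a]


def _pseudo_random(n_blocks: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))


def benign_events() -> List[FileEvent]:
    """Constructed: an editor saving a document twice, an archiver writing one compressed file."""
    text = b"Meeting notes: discuss budget, patching schedule, backups.\n" * 40
    return [FileEvent(1.0, 101, "write", "docs/notes.txt", text),
            FileEvent(4.0, 101, "write", "docs/notes.txt", text + b"Action items.\n"),
            FileEvent(6.0, 202, "write", "archive/photos.zip", _pseudo_random(128))]


def ransomware_like_events() -> List[FileEvent]:
    """Constructed: one process rewriting six user files with ciphertext-like data, then renaming them."""
    evs = []
    for i in range(6):
        path = f"docs/file{i}.docx"
        evs.append(FileEvent(50.0 + i * 0.1, 303, "write", path, _pseudo_random(128)))
        evs.append(FileEvent(50.05 + i * 0.1, 303, "rename", path, new_path=path + ".locked"))
    return evs


if __name__ == "__main__":
    for alert in detect(benign_events() + ransomware_like_events()):
        print(alert)
```

The benign set deliberately includes an archiver writing one high-entropy file, which must not alert: entropy alone is a poor signal, so the rule also requires many distinct files from the same process inside the window. A production monitor would tune the thresholds and allow-list backup and compression tools.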

Marc Espie May 19, 2017 7:38 AM

I commented so on the HP keylogger, but I’ll do it again, we need more openness!
Liability is fine, but basically, a lot of this can happen, because a lot of that shit is closed: closed processes, closed source.

This is exactly the same as cryptography. Good cryptography happens after peer review. But right now, you can’t even review most of your electronics and computer software.

I’m not clamoring for fully open source. I have no problems with copyright law per se. But source code should be visible, and auditable by anyone. Likewise, audit trails for processes leading to creating software.

There are a lot of organizations in the opensource world that are fully open, including buildbots, test infrastructure, shipping infrastructure, so it is possible. I don’t even think it costs more, because this saves some important costs later.

The conversion of existing codebases would be awfully costly, in many cases because there is no technical documentation, and a lot of stuff has been lost.

But once you make it mandatory for any new stuff, you’ll be surprised at the amount of awful stuff companies can no longer do. If you’re out in the open, you tend to publish less crappy code, because it becomes part of your reputation.

Dirk Praet May 19, 2017 7:50 AM

… but organizations sometimes have custom software that breaks when they change OS versions or install updates. Many of the organizations hit by WannaCry had outdated systems for exactly these reasons.

Identification of such systems is an intrinsic part of the job description of whoever is in charge of asset and risk management. If there is no budget to upgrade such systems, a full report of the risks associated with not doing so not only should be presented to the board of directors (and signed off by them), but a mitigation strategy should also be put in place as an integral part of the company’s disaster recovery plan (DRP) and business continuity planning (BCP), both of which need to be compliant (and successfully tested) with acceptable downtimes as previously set forth by department managers in a company-wide business impact analysis (BIA).

Whatever technical controls you have in place (backups, anti-virus etc.) will fail when disaster strikes if such controls are not part of a comprehensive IT strategy defined in appropriate policies and procedures corresponding to your company’s specific risk profile. If you have no idea what I’m talking about, you’re probably doing it wrong 😎

Clive Robinson May 19, 2017 7:53 AM

Regular backups are the main recovery mechanism.

But do people check them?

Generally no, and that’s a real problem.

Aside from the usual faults (mechanical / software / electronic), there are other nasties awaiting you. Some years ago when data ransom was something manually done by disgruntled SysAdmins etc, I mentioned that backups were vulnerable to a malware attack where the backup software got modified to encrypt the backups and then “forget the key”. I’ve not seen it happen yet, but it’s the next logical step for attackers…

Vasili May 19, 2017 7:54 AM

Regarding updates, MSFT did its best to repel users from this choice.

Last year they ran an aggressive Windows 10 update campaign using the WSUS channel.
From my experience, it repelled many non-IT users from running updates automatically.
Yes, this campaign is over, but guess how many users restored automatic updates – almost none.

Another thing, the Windows Update implementation is plain awful.
At least on my laptop the Windows Update database gets corrupted regularly and WSUS starts to eat a lot of CPU and battery.
So, what do I do in this case? Correct, I disable the WSUS service. Of course, I’ll enable it someday when I find free time to fix the problem, but for at least a couple of weeks my laptop will stay not updated.

And, sometimes updates just fail to install with some cryptic error code.
In my case, this happened to the April Security rollup update, which contained the WannaCry fix.
There was no error message about this – just a line in the Windows Update log.
Last Saturday when I checked whether my laptop was protected from WannaCry – it wasn’t.
So, instead of enjoying the weekend I was trying to download this fix from the almost DDOSed MSFT web site.

With its update service, MSFT confirms the idea that the biggest trade secret of closed source software is the quality of its code 🙂

Clive Robinson May 19, 2017 8:07 AM

@ Bruce,

Whilst I might agree backups are the first step to recovery, the first step to defence is not patching / AV / etc.

No, the first step is asking why the systems are connected to a network in the first place. If you need a network connection, the second is to ask if the scope of the network is too broad, both in the machines connected and the types of data carried.

The simple fact is a small network with no external connections is not exactly an easy target for malware in the first place.

For some reason that has never been clear there is an assumption, firstly, that the Internet is a requirement for all users, and secondly that things like EMail should be “media rich”. In most cases these are both false assumptions.

Jason May 19, 2017 8:15 AM

“And you don’t want to know how vulnerable implanted medical devices are to these sorts of attacks.”

Yep- for example, your article just gave folks with pacemakers a heart attack. 😀

Matthew May 19, 2017 8:29 AM

There is another solution. Individuals have to pay; the British NHS can call MI-6 and GCHQ and have the James Bond types put a bullet through the head of one or more of the people propagating such malware.

The internet has always made it easy to steal $50 from a billion people such that law enforcement tells everyone “sorry, it’s too small a loss for each individual for us to care.”

Governments have no such issues – and a few bullets would solve a lot of these problems by changing the risk / reward payoff for unleashing malware.

TheDoctor May 19, 2017 8:32 AM

Clive Robinson nailed it (as usual):
– If it has no brain and can’t talk, it’s the best device/car etc.
– If it has a brain but no line to talk, it’s good enough
– If it has a brain and needs to talk, then be aware of your risk.

By the way AntiVirus, lovingly called snake oil as well….
…did ANY of it catch/stop WannaCry before, well after the fact?

kunal hatode May 19, 2017 8:51 AM

Bruce makes a very important point here. Many have agreed or passively disagreed to change the order of things to look at. But the most important point is that all recommendations point inward on how to take a secure stance moving forward. He is not talking about SIEM tools, UEBA, EDR, architecture etc etc, but some very basic steps that individuals and organisations take on a basic level.

Truth be told May 19, 2017 9:22 AM

@Thomas

Migrate/convert to Linux and all these problems are gone 😉

That does help mitigate but unfortunately not eliminate such problems. We have not yet solved the political problem exemplified by that monolithic start-up daemonic monstrosity called “systemd” which was forced over the entire Linux community and is anything but secure.

Either dump it — probably too late at this point — or do a complete re-write, compartmentalizing the functionality by using correct object-oriented programming principles. The rock-star brogrammers’ attitude and their menschliche “feelings” have to go.

Max May 19, 2017 10:39 AM

Idea for the hard drive people: make a write-only (enforced in hardware) backup drive. No worries about malicious or accidental erasure of backups!

Max May 19, 2017 10:39 AM

Cool article. I agree with other commenters that backup is the first. I have been doing it for around 20 years to my external HDD. But the new versions of my favorite acronis product try to move me to the cloud. I’m pretty conservative and sure that an external HDD is the only reliable option! So I hope acronis will leave the option to backup to an external HDD.

Dirk Praet May 19, 2017 10:46 AM

@ Clive

… the first step is asking why the systems are connected to a network in the first place?

That’s already part of the (technical) mitigation strategy. The first step really is identifying vulnerable systems and what kind of risk they represent to the company.

Impossibly Stupid May 19, 2017 10:46 AM

@Bruce
“I put backup as the last line of defense because it happens late in the process”

Then you really should have the choice of OS as the first line. Don’t be one of those security people that pretends that all systems are designed to be equally safe. Time and time again Microsoft has shown that it should never be the choice of anyone who is interested in having a secure system. That headline always seems to get buried, but every time a big exploit like this happens my first question is always “Why are you still running Windows?”

AJWM May 19, 2017 10:47 AM

Not that regular readers here need this reminder, but backups to a local device (USB drive, NAS, etc) are only copies as long as that device is accessible to your computer, not backups.

If you can instantly access it, so can malware.

(I learned my lesson a long time ago, not from malware, but from a power supply which failed in such a spectacular manner that the controller electronics built into my hard drives fried (as did the rest of the mobo). I recovered one by swapping the controller, but didn’t have an exact replacement for the other. But even before that…ever see the tape from a 9-track, 2400′ reel get wrapped around the drive hub? Not a pretty sight.)

Vesselin Bontchev May 19, 2017 10:51 AM

@Santa Claus, that “defense” is useless in this particular case, because this worm does not spread via attachments.

@TheDoctor many anti-virus products stopped this thing before it encrypted the files – but mostly because it is crappily written. At least 3 products stop the exploit it uses to replicate; i.e., they would stop any worm using this replication mechanism.

AJWM May 19, 2017 10:55 AM

@Truth be told

There are still a few Linux distros that use a sane init system rather than systemd. (And while systemd may have been one step forward as originally conceived, it is three steps backward because of binary logging, opaque configs, and sheer pervasiveness.)

But perhaps a better choice would be to move to one of the BSDs, which will never have systemd, but will (depending on the specific flavor) generally support a Linux-like userland if that’s what you’re used to.

Manic Bonobo May 19, 2017 10:58 AM

For particularly sensitive content, air-gap your systems or at least compartmentalize / sandbox them (e.g. QubesOS). In other words, don’t download torrents with cracked versions of Grand Theft Auto onto the same box you use to store your clients’ credit card details…

Cassandra May 19, 2017 11:06 AM

In this particular case, having a versioning file system could help somewhat. Rolling back to the last unencrypted version of files. Unfortunately, not that many people run VMS on their personal computers.

Having backups that are either offline, or WORM is also a good strategy, although as Clive points out, the backup software is susceptible to being patched to silently encrypt backups and silently decrypt restores until a full backup cycle has been performed, at which point it discards the key, deletes the online files and demands a ransom. I think he’s read the same things I have.

Note that many modern disk-drives offer built-in AES encryption and have firmware that could be compromised in just this fashion i.e. the disk driver/firmware can be patched, not just the backup software. Losing all your online files and all your backups in one instant is entirely possible. In other words, always check you can restore your backups on an independent system.
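Steve B and Andrew above note that a synchronised copy just pushes the encrypted files upstream, and Clive and Cassandra ask whether anyone checks that backups can still be trusted and restored. The following Python script, an added example that is not part of the post or of any commenter's setup, puts both points side by side: a one-way sync mirror versus dated snapshots with a SHA-256 manifest, a simulated ransomware overwrite (a placeholder string stands in for encryption), a restore from the older snapshot, and a manifest check that catches a backup copy altered after it was written. All paths, file contents and snapshot labels are constructed for the demo.

```python
"""Versioned, verifiable backups versus a plain sync mirror (added example).

A sync copy mirrors whatever is on the PC, encrypted or not. Dated snapshots
keep every version, and a hash manifest written at backup time lets you
check a snapshot on an independent system before you rely on it.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(root: Path) -> List[Path]:
    return [p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST]


def sync_mirror(src: Path, dst: Path) -> None:
    """One-way sync: whatever is in src overwrites dst, clean or encrypted."""
    for p in _files(src):
        target = dst / p.relative_to(src)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)


def snapshot_backup(src: Path, backup_root: Path, label: str) -> Path:
    """Copy src into a new snapshot directory and record a SHA-256 manifest."""
    snap = backup_root / label
    manifest: Dict[str, str] = {}
    for p in _files(src):
        rel = p.relative_to(src).as_posix()
        target = snap / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        manifest[rel] = sha256_file(target)
    (snap / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return snap


def verify_snapshot(snap: Path) -> List[str]:
    """Re-hash every file in a snapshot against its manifest; return the mismatches."""
    manifest = json.loads((snap / MANIFEST).read_text())
    return [rel for rel, digest in manifest.items()
            if not (snap / rel).is_file() or sha256_file(snap / rel) != digest]


def versions_of(backup_root: Path, rel: str) -> List[str]:
    """Snapshot labels (oldest first) that hold a copy of rel."""
    return sorted(d.name for d in backup_root.iterdir() if d.is_dir() and (d / rel).is_file())


def restore_from(backup_root: Path, label: str, rel: str, dest: Path) -> None:
    """Restore one file from a chosen snapshot, refusing if that copy no longer
    matches the manifest (the backup itself was tampered with or corrupted)."""
    snap = backup_root / label
    if rel in verify_snapshot(snap):
        raise ValueError(f"{label}/{rel} fails manifest check; do not trust it")
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(snap / rel, dest)


def demo() -> dict:
    """Constructed scenario: sync copy vs. dated snapshots across a ransomware hit."""
    tmp = Path(tempfile.mkdtemp())
    src, mirror, backups = tmp / "pc", tmp / "cloud_sync", tmp / "snapshots"
    report, photo = "docs/report.txt", "photos/family.jpg"
    original = b"quarterly numbers, version 1"            # constructed sample data
    for rel, data in ((report, original), (photo, b"\xff\xd8 fake jpeg bytes")):
        (src / rel).parent.mkdir(parents=True)
        (src / rel).write_bytes(data)
    sync_mirror(src, mirror)                                # day 1: both copies clean
    snapshot_backup(src, backups, "2017-05-12")
    # Simulated ransomware: placeholder stands in for ciphertext; the PC copy is gone.
    (src / report).write_bytes(b"<unreadable ciphertext placeholder>")
    sync_mirror(src, mirror)                                # day 2: sync pushes the damage upstream
    snapshot_backup(src, backups, "2017-05-19")             # snapshot adds a version, keeps the old one
    mirror_clean = (mirror / report).read_bytes() == original
    versions = versions_of(backups, report)
    restore_from(backups, versions[0], report, tmp / "restored" / "report.txt")
    restored_ok = (tmp / "restored" / "report.txt").read_bytes() == original
    # Clive's scenario: a backup copy altered after it was written is caught by the manifest.
    (backups / "2017-05-12" / photo).write_bytes(b"corrupted on the backup medium")
    tampered = verify_snapshot(backups / "2017-05-12")
    shutil.rmtree(tmp)
    return {"mirror_kept_clean_copy": mirror_clean, "versions": versions,
            "restored_matches_original": restored_ok, "tampered_files": tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest only proves that a snapshot still contains what was written at backup time; it cannot tell you which version is the last clean one, so the rollback point is chosen by date, which is why keeping several dated versions (and an offline copy, as others here suggest) matters more than any single check.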

mark May 19, 2017 11:39 AM

But wait, it’s worse! Krebs had an article a month or two ago, that ransomware distributors have been overwriting the who-to-pay message with their own way to pay, meaning that even if you pay, the person who actually infected you didn’t get paid, and you’re hosed.

Y’know, there are lots of lampposts that need decorations, say, by the folks who did the UK’s NHS, and may have caused deaths.

My Backup Solution May 19, 2017 12:03 PM

“If your e-mail and documents are in the cloud, then you can just reinstall the operating system and bypass the ransomware entirely. I know storing data in the cloud has its own privacy risks, but they may be less than the risks of losing everything to ransomware.”

I’m amazed at the sheer stupidity of compromised half-baked solutions by so called technical experts. But rather than just complain I’m going to offer a low-cost, low-risk solution that avoids pitfalls.

Realize that (just like your health) no one really cares about you or your data. Become proactive and anticipate the obvious coming trouble. What can I do that requires the least effort?
‘Just’ reinstalling Windows and all the applications can take several days!

Saving a Boot Drive Image
First, data or multimedia files should NEVER be kept on a boot drive.
Second, save data to a removable, separate USB stick, external hard drive, local USB 3.1 docking station or Network Attached Storage (NAS). These disks are normally OFF except when backing up!

Windows backup programs take a snapshot of the entire boot drive using a feature called shadow copy. Time: 10-15 minutes with reliable and verified https://www.macrium.com/reflectfree

Linux drives cannot be mounted when creating a backup. So USB boot with the (somewhat crude) Clonezilla backup program and then make an image of the unmounted boot drive. http://clonezilla.org/show-live-doc-content.php?topic=clonezilla-live/doc/01_Save_disk_image
It takes about 12 minutes to back up (and verify) to a local USB 3.1 docking station. https://www.amazon.com/Plugable-10Gbps-Upright-cables-supports/dp/B01E80N2E8

Linux Pulls Ahead
One extremely important Linux advantage is that a single master Linux boot image can typically be restored onto other computers using different hardware. The only limitation is that the boot drive has to be the same size or larger than the drive when the image was created. My new motherboards have an NVMe slot; they all use the $75 superior SSD https://www.amazon.com/MyDigitalSSD-80mm-Express-PCIe-120GB/dp/B01MCZ4QTK/

The disk images are then backed up again to a read-only NAS folder. Of course the NAS drives can also be backed up to older off-line hard drives too. This backup system is still vulnerable to an Electro Magnetic Pulse.
I always check the ext4-format drives for errors before and after writing with GParted. I use the cool-running WD $200 8TB Helium My Book Desktop External Hard Drives. For the 40TB NAS, they are removed from the case http://www.lian-li.com/en/dt_portfolio/pc-q25/ Motherboard: https://www.amazon.com/dp/B01M3TUOW4/

This is an almost bulletproof inexpensive, lifelong complete backup and streaming solution. Keep a copy in a safe deposit vault too!

Dirk Praet May 19, 2017 12:30 PM

@ My Info

I’m amazed at the sheer stupidity of compromised half-baked solutions by so called technical experts.

So am I at that of yours. Where’s the restore part? Once again: you have NO backup until you have a full written and field-tested procedure on paper that can be carried out by a trusted 3rd party following just the instructions in that manual.

Fred P May 19, 2017 12:36 PM

“And you don’t want to know how vulnerable implanted medical devices are to these sorts of attacks.”

I mostly work with medical devices, so I have a pretty good idea. Until HIPAA, I saw nearly no movement towards security. The companies I’ve been working with for roughly the past year are trying to get their acts together as far as new development is concerned, largely due to regulatory pressure from the FDA.

That said, this relatively new pressure will likely have little impact on older designs, some of which may be sold for decades.

Iggy May 19, 2017 12:57 PM

All excellent points. My first thought when I read:

“And many of the systems it infects are older computers, no longer normally supported by Microsoft –­ though it did belatedly release a patch for those older systems. I know it’s hard, but until companies are forced to maintain old systems, you’re much safer upgrading.”

Is “this is the sort of accident that major money makers, legal and illegal, love to exploit. Now, via third parties, plausible deniability, law enforcement and litigation firewalls, Microsoft et al. can brute force all MS system users into “upgrading” whenever they feel like calling that tune. Ingenious, ain’t it?”

The next time you hear some captain of industry cry “don’t regulate us, we’ll lose money (BS, they pass along the cost to the livestock), it’ll kill business (BS, they’ll use the livestock’s money on more marketing to the livestock), my kids will starve!” (lol) just remember this latest episode of “The Money Hoarders Will Always Better Than Survive, They Will Thrive.”

As a classic liberal, I hate government regulation. But since we’ve empowered our governments to regulate who we can and cannot deal with ourselves as we see fit, then more regulation on them it will be.

And the band plays on…..

Kevin May 19, 2017 1:05 PM

I’m surprised at how many people advise “awareness” as the primary defense. Poppycock.

Sure, you don’t want users doing things that are actively stupid, but even well-informed users can make mistakes. A perfectly implemented awareness training program will reduce your malicious link click rates from 50% to, say 10%. Great. But still nowhere near good enough. It is certainly not the first place I would spend my scarce IT Security budget.

We’ve all seen ridiculously clever scams that would fool just about everybody. And what happens if everybody was suddenly twice as careful? The scammers have an incentive to become twice as good.

It’s an arms race, and like any arms race, it can’t be won. We need better technical solutions.

Evil Code May 19, 2017 1:12 PM

So the best way to stop someone evil running arbitrary code on your computer is to allow microsoft to run arbitrary code on your computer.

seems sensible, i’m sure after the many times they’ve been shown to be nefarious they are now totally legit.

Santa Claus May 19, 2017 1:56 PM

through Bayesian math 50% down to 10% across all controls is better than nothing…it’s called defense in depth

BSaaS May 19, 2017 2:06 PM

Redstars want their software for free, including pentest and forensics. This is the end result of it.

As for the “NSA leaks”, maybe we should excise the Consulate and shut down the State Dept. They are busy causing problems, not solving them… VOLAG and PRM refugee dumping then using outliers to backdoor or jack every IT security mechanism. Given Langley and Sigint, nobody would notice the loss.

Just to throw an idea out there: I was browsing forensic software, realized you probably get listed for the purchase, some of it actually bogus or incomplete. Maybe the price should be high for pentest software and exploit kits, getting listed also. There needs to be some ownage here. You need to buy your tools if you call yourself a security analyst. This idea might be the future. There is also a Linux subculture that needs to go away and die like a bad habit. Sure, viruses always exist, some probably deployed by the industry or state-sponsored. You still need a buy-in. It’s seems too easy.

bitmonger May 19, 2017 2:09 PM

I also think backups should be first. This outbreak was almost a 0day and if so, staying patched would not have helped the first victims.

I don’t think ‘do backups’ is enough. You should make sure you have some offline backups. It could be a RAID-1 SAN where you pull a disk. Or a USB / e-SATA cable where one periodically starts a ‘fresh drive’ every so often. I don’t think a cloud backup counts here, unless the user knows what they need to do to get their data after being completely compromised. For example, if there is a printed paper code in a safe place which can always be used to restore something in the past n days (even if an attacker had the backup credentials), then it counts. Otherwise, it’s not on a path to an actual solution to this problem.

Another good idea is to compartmentalize. Different devices. Different credentials; don’t jump between them insecurely, IOW, don’t expose the password to both A and B when accessing B from A. Or use something like Qubes.

Some people are capable of doing this right, we should put the options in front of them, rather than say: patch and use antivirus and you can stop worrying when we as professionals often do much more effective things than we recommend.

Keep the Loop Smallest Possible May 19, 2017 2:20 PM

Dirk Praet,
The post was already too long and had typos…
The Restore is trivial. Notice the verify operation that checks after the image is created is pretty close to an actual restore. However I’ve built up confidence building five new computers with several images. I also experiment with other flavors of Linux like Fedora on the older computers (Security-Enhanced Linux is too much trouble!) https://en.wikipedia.org/wiki/Security-Enhanced_Linux

The only time I’ve ever had an issue restoring is with Samsung’s notorious Magician spy-ware (a low level SSD cheater program.)


Major Windows Dilemma
Will Microsoft allow consumers to JUST download the WannaCry security patch and manually install it?

No More Game Playing
I quit enabling Windows Security Updates years ago when MS surreptitiously added spy-ware into the security updates. I even took the NTFS boot drive and renamed folders in Linux to circumvent ‘Trusted Installer’ and disable the crappy Windows Defender.
Like Google and Uber, Microsoft is a very competent adversary and should not be underestimated. They always push the envelope.

My two locked-down legacy Windows computers have an Ethernet kill-switch and only connect to the Internet momentarily and for a few specific reasons. But never for surfing or email.

In conclusion I would manually install just the WannaCry patch but can’t.
Ruthless MS would most definitely take advantage to install or re-enable spying programs.
Besides I have my guaranteed restores right?

No Need To ‘Upgrade’
Do you know how nice it is to have a stable, stress-free, reliably running year-after-year computer?
I can sleep at night because I have boot-image backups that can be restored in 15 minutes!

An All too Common Situation
Increasingly the best technical solution is seldom discussed. Must consumers always keep the pushy data-sharing high-tech corporations profitable?

obelix May 19, 2017 2:25 PM

So, when the CIA/NSA infiltrated hardware companies and implemented backdoors in hardware, they helped (their own) hackers to misuse the internet of things to hack millions of devices all over the world? They can’t stop the internet but they can infect and stop millions of devices at once; in one week, they could stop 30% of all the world’s devices connected to the internet. They don’t need to damage the internet network/infrastructure, they can damage devices.

Considering they blamed North Korea for this WannaCry virus, it is clear that the NSA hackers are behind this virus, they misuse virus to make money and to make war propaganda against Korea. Amateur spies.

BSaaS May 19, 2017 2:29 PM

BTW: who actually got this malware? People who are broke and stupid. Don’t care.
I don’t have a problem with Windows any more than Linux.

Find me an OS that doesn’t use library injection. Problem number one. Don’t give me this QubesOS. Rutkowska almost got herself arrested with her choice of words on BluePill. The vulnerability history doesn’t look any better for Linux. The real bonus is to build a stripped down iso. That’s about it; nothing Zen about how Linux functions.

mrfox May 19, 2017 3:25 PM

I, for one, would rather have a quarter million devices bricked by WannaCry than a quarter million unpatched and insecure devices connected to the ‘net doing who-knows-what. Nuking insecure systems is good for overall security.

That is especially true for systems that hold my financial or health care data. Who knows, maybe a few companies learned from their mistake. Who am I kidding… the consumer/taxpayer will pay for the cleanup, and life goes on.

ab praeceptis May 19, 2017 3:44 PM

Bruce Schneier

I fully agree with you(r original approach) on backup.

A backup in no way protects one from viruses, ransomware or similar. In fact, even the “but with a backup I can get my system back in a clean state” line is more wrong than right. For one, it was that clean state in which one’s system got infected. Unless we believe in magic, restoring the system will do no good and we’ll get infected again.

In other words: A backup is only helpful iff we a) know how we got infected and b) are in a position (i.a. of knowledge) to avoid further infections.

Another reason to dislike having backup high up on the list is that it might enhance ignorance (“I have a backup. Nothing bad can happen to me, so let’s just click on that pron lottery image …”).

But it goes deeper. What good does it do to restore a backup with an infected system?

A backup is certainly good to have – along with proper understanding and a sensible worst case procedure. The priority, however, should be to avoid or mitigate the problems and circumstances (like carelessness) that lead to the infection in the first place.

Kartoshka May 19, 2017 4:14 PM

Payment is no more difficult than buying something online – and payable in untraceable bitcoin – with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin.

Bitcoin is not at all untraceable – the blockchain is a public ledger! In fact, the scammers may have a hard time realizing their profits as I’m sure their coins are now blacklisted from major exchanges.

You can actually see the wallets of the scammers and the transaction paid to them:

Wallet 1
Wallet 2
Wallet 3

Anura May 19, 2017 4:48 PM

@Kartoshka

Simply creating a different address for each compromised machine/network means it becomes nearly impossible to trace without actually getting their keys from the C&C network. Google tells me this is a feature of the ransomware, although apparently it’s usually hard-coded.

Clive Robinson May 19, 2017 6:43 PM

@ BSaaS,

BTW: who actually got this malware? People who are broke and stupid. Don’t care.

That really is a sad view on life, and it totally misses why many computers got hit.

When we look at the NHS case we find the root cause was “political mantra” and “brown nosing” by UK Minister of Health Jeremy Hunt MP. Because it was he who, against all advice, decided not to renew the extended contract with Microsoft. The cost of the contract was less than 9 pence per user of the NHS, and as the press reported, Jeremy Hunt’s personal “unearned” income in that time was several times the contract price. So the real reason the NHS got hit was because Jeremy Hunt, to look good to his political masters, did not renew the contract with Microsoft in 2015. Further, having been repeatedly warned, he did not allocate or allow to be allocated any other money to replace systems or provide better security for the many known-to-be-insecure PCs and servers… So just to prove to his political masters that he had a pair of steel, he has directly caused harm that some estimate is going to cost twenty to forty times as much as the price of the Microsoft contract. And that sum does not include the human cost in shortened lives and the attendant cost to the economy… All for the sake of political machismo.

The point is, though, that there are many people making such decisions where there is little or no blowback from their choices. So, for reasons that do not make sense after such an event, they chose to gamble very recklessly because in the short term there was no downside and in the long term they would normally have moved on, so it would have been somebody else’s problem. Both politics and corporate governance are rife with such short-term thinking, and it has nothing whatsoever to do with either stupidity or being poor; in fact it has everything to do with very short-term thinking and not assessing risk beyond that short term. Thus the behaviour becomes totally skewed, to the point that politicians and executives quite deliberately and knowingly take a choice that has a very short-term, low-value benefit, and as deliberately ignore the longer-term hit that they know will be extraordinarily costly.

@ ab praeceptis,

Unless we believe in magic restoring the system will do no good and we’ll get infected again.

It’s a point that very few see until it’s pointed out to them.

Now “you’ve let the cat out of the bag”, I’ll have to take it off my “simple interview questions” list.

You might be surprised to know that nearly every recovery plan I’ve ever looked at has this basic mistake, and as I jokingly say when I point it out to people, “Now you know why consultants get the big bucks,” and grin cheerfully. It generally makes a nice little ice breaker before getting down to the many other backup issues, some of which can be quite subtle.

@ Robinhood,

Don’t use computers, don’t contact anyone, don’t use electricity.

I know it sometimes sounds like that is what I’m saying, but I’m not. I’m actually saying people have to make rational choices when they put an infrastructure in place. I have had a lot of dealings with Industrial Control Systems (ICS) that have to be not just “safety critical” but work indefinitely in “Hazardous Environments” where the risk of explosion etc. is very high, and for many reasons the equipment has to run without fault or stopping for upwards of 100,000 hours (i.e. more than 11 years). I’ve also worked on the design of implantable medical electronics that is expected to work safely for upwards of a quarter of a million hours. I suspect that there are very few readers here that would want to guarantee their work for those times…

After all as @Bruce has noted,

And you don’t want to know how vulnerable implanted medical devices are to these sorts of attacks.

They have caused me sleepless nights, especially when you consider that none of NIST’s approved encryption algorithms, or security-related advice/standards, have lasted that long…

Ben May 20, 2017 4:06 AM

@Bruce
Cloud data storage may worsen things.
I know from experience with clients. OneDrive by default syncs data from local to cloud storage. Local gets encrypted, so… in the cloud as well.

Especially a risk in shadow IT (not even knowing until it is too late).

Hopefully your cloud storage includes versioning or backup. Should be on your assessment list of cloud services. This is where the shadow IT risk plays a role.

Also a word on backup. Not just backup but offline backup (online to a folder will do you no good, and may worsen things since that share gets encrypted, which possibly involves backups of other systems as well).

And a word on backup.
Think backup policies: e.g. version information of backups, how many generations, when to execute etc.

One generation may not be good enough. Could be a while before an infection is detected, especially in large environments. A couple of backup generations can be partly crippled already. Been there..
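Ben’s point about keeping several backup generations, as an added example that is not part of this thread: a small Python model of an offline store that retains at most N generations and looks for the newest one that is still clean. The sample files, dates and the ciphertext stand-in are constructed, and the entropy check is a rough heuristic standing in for real detection.

```python
"""Multi-generation backup retention: constructed example (not from the post)
showing why one retained generation is not enough when an infection goes
unnoticed for days. Encryption detection here is a bare entropy heuristic."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents score well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    # Heuristic only: compressed media also scores high. A real check would
    # compare against a manifest of known-good hashes or file signatures.
    return len(data) >= 64 and shannon_entropy(data) > threshold


@dataclass
class Generation:
    taken: date
    files: dict[str, bytes]

    def suspicious_files(self) -> list[str]:
        return [name for name, blob in self.files.items() if looks_encrypted(blob)]


@dataclass
class GenerationStore:
    """Offline destination keeping at most `keep` generations, oldest pruned first."""
    keep: int
    generations: list[Generation] = field(default_factory=list)

    def add(self, gen: Generation) -> None:
        self.generations.append(gen)
        self.generations.sort(key=lambda g: g.taken)
        del self.generations[: max(0, len(self.generations) - self.keep)]

    def latest_clean(self) -> Generation | None:
        """Newest retained generation with no encrypted-looking file, else None."""
        for gen in reversed(self.generations):
            if not gen.suspicious_files():
                return gen
        return None


def simulate(keep: int, days: int = 7, infected_on: int = 3) -> date | None:
    """Take one backup per day. From day `infected_on` the live files are already
    encrypted but nobody notices until day `days`. Return the date of the newest
    clean generation still retained, or None if they have all been crippled."""
    start = date(2017, 5, 8)  # constructed dates
    plain = {"report.txt": b"Quarterly report: revenue up 4%, costs flat.\n" * 8,
             "notes.md": b"# Meeting notes\n- patch Tuesday\n- rotate backups\n" * 8}
    cipher_stub = bytes(range(256)) * 4  # constructed ciphertext stand-in (8.0 bits/byte)
    store = GenerationStore(keep=keep)
    for day in range(1, days + 1):
        files = plain if day < infected_on else {name: cipher_stub for name in plain}
        store.add(Generation(taken=start + timedelta(days=day - 1), files=dict(files)))
    clean = store.latest_clean()
    return clean.taken if clean else None


if __name__ == "__main__":
    for keep in (2, 5, 7):
        print(f"keep={keep}: newest clean generation = {simulate(keep)}")
```

With two or five retained generations every copy postdates the infection and nothing clean is left; only a retention longer than the detection delay still holds a usable generation.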

Torsten Werner May 20, 2017 4:28 AM

What will happen if a criminal is not interested in money? Such as a cyber terrorist?

Clive Robinson May 20, 2017 7:03 AM

@ Torsten Werner,

What will happen if a criminal is not interested in money? Such as a cyber terrorist

Originally, the mass encrypting of files to deny the data user access to the data was for revenge, not money.

A sysadmin suspecting that their job was going to get terminated or had suffered termination in the past for some reason, decides that they need “protection”. Thus if they have the time they put in place a number of time delay payloads and sometimes tripwires or duress type passwords.

The plan was often to make themselves indispensable in some way, such as by making the systems fragile such that they behave in a hinky way that only the sysadmin can keep under control.

The smarter ones make things “part of the security process” that they get documented management sign-off on. Thus when the inevitable happens the sysadmin can say “it was authorised by management”. Thus the company gets the legal advice that their legal options are minimal and will be at best uncertain, expensive and, worst of all, protracted; thus paying up promptly is their best hope of business continuity and minimising shareholder impact.

Criminals only started doing “cyber-kidnapping” after they worked out how to do things from a separate jurisdiction, and at a value sufficiently low to make it not worthwhile for LEOs to try to track them down and go through the case-building and extradition process.

The reality is that the criminals have taken two non ICT “traditional” crimes kidnap/ransom and distance fraud (think share pump-n-dump etc) and have combined them and added an ICT element that makes things harder to investigate.

The reality is that “cyber-crime” is mostly not original, the cyber element just replaces part of the traditional crime.

It’s like the traditional crime of blowing safes: back in the old days nitroglycerin was used for various reasons. However, over time laws about having/making explosives have made nitro’s possession, let alone use, way too much of a risk due to mandatory sentencing etc. So now some people have done a bit of sideways thinking and changed the criminal process slightly from using nitro to using a flammable gas from an over-the-counter boat / camping / garden centre shop canister, which is much, much less suspicious to have in your possession, and less likely to get you a ten-to-twenty-year prison term just for possession. So still the traditional crime, just changing the process to lower the risk involved.

Ed DeJesus May 20, 2017 8:11 AM

There are storage solutions that enable organizations to “roll back” their files to just before they were encrypted. This helps organizations to recover their files and move forward without having to deal with the encryption or ransom demands at all. One such provider is Nasuni.

Think May 20, 2017 1:39 PM

Personally I don’t think the point was to extract money at all; this was written to help educate the public on the merits of legitimate software use, with the side effect of highlighting proper patching techniques. It could also be considered an act of terror considering its target. The “kill” switch being vestigial code and misinterpreted by the mainstream media.

The money as bitcoin is relatively easy to trace and I’m surprised it isn’t receiving more media attention, usually “follow the money” is law enforcement’s mantra.

See:

“Danish Police Arrested Drug Dealers by Tracing Bitcoin Transactions”

https://darkwebnews.com/bitcoin/denmark-bitcoin-traced-drug-dealer-arrests/

Attribution is very difficult when there are so many that would be motivated to perform such an act. I agree with @Clive on many points.

Agencies that report apprehensions also have an agenda, and we may not ever know the actual objective truth about what really happened in some cyber security incidents. Sometimes it’s good to have a European pimple jockey get caught, sometimes a script kiddie from the Russian Mafia. Sometimes the truth is stranger than fiction.

Instead, why couldn’t it be a programmer from Microsoft directed to help consumers and enterprises understand that it is NOT OK to pirate software and steal their hard-worked-for intellectual property? I read an online BBC report on this incident that used an old Bitcoin explanation video that was somewhat misleading.

We all understand software piracy on the internet but anyone that travels outside the US sees all the software and movies that have been cracked and copied thousands of times sitting on the side walk for sale at a fraction of the retail cost. For those that use this avenue to make a living it is disgusting. (I am in no way advocating acts such as this – but motivation is motivation).

So many virus incidents of the past have created havoc, but have not carried through with the ultimate kill when they had full control of the machines.

Almost as if they were put out there to help enterprises and government ‘feel the pain’ but not take them out.

Patch that vulnerability before your ship sinks.

Garrett May 20, 2017 3:47 PM

Adding another fun anecdote to the mix – I visited a water treatment plant last week. It generated 6M gallons of water that day.

They showed us the PLCs they run, the pumps, the systems that control the additives.

The fun part was when we got to the SCADA system – their eyes, ears, and control. I cringed when I saw that it ran Windows XP. They went on to illustrate that they can connect to the other facilities via pcAnywhere if they want to view/control something over there. I hoped (but didn’t have the heart to ask) that those machines had a dedicated link to the other facilities rather than operating over the internet. They must have, because they also said that their internet has been down for a few days. Not sure if otherwise air-gapped..

BSaaS May 20, 2017 4:28 PM

@Clive
Yeah, my view really is sad and it shouldn’t have to be that way.

I look at it from this perspective: I call it “Silver Paste Theory.” In about 4 or 5 years, silver paste is dried up. OEMs still use it and there are a ton of citizens that do not realize or know how to replace it. Since the inception of non-metallic compounds that Arctic and Antec offer, the continuing existence of silver paste is a bad joke. If your computer makes it to ten years, it probably means you don’t do any heavy media with it. When was XP introduced? Win7 was 7 years ago. We could cull the weak on this. Basically, when Microsoft cuts off the security updates, it’s a sign. That means buy some fresh tech regardless of what it is.

How are people getting this again? A cookie or attachment? Where are they going to get it? Bruce said MS released a preemptive patch. That sounds suspicious enough.

Does somebody else remember if this happened to 95/98 when XP was introduced?

T May 22, 2017 1:35 AM

I don’t get this – the recommendation to update anti-virus software doesn’t seem to apply to Mac and Linux users. It’s stated so damn often that I feel like I should be doing something, but I currently don’t use a Windows system.
I know Mac and Linux are also vulnerable to hacks, but nobody ever gives us advice on what to check for. Some of us know which logs to look at, but honestly, we don’t always know what backdoors lurk, or what patches we might need, to avoid being vulnerable.

The best thing I know to do, which is rife with carrying vulnerabilities forward unfortunately, is to keep regular backups on a removable device. That way you can easily re-install the malware on your next full install. :/

Or, get just lucky enough to save off some old photos before the whole thing blows.

I really don’t want to ever post a political post ever again in my life, but really? Am I the only one who tries to avoid Windows?
I miss Linux, I miss Unix, I make do with Mac.
Windows is a nervous-breakdown viral load waiting to happen. Okay, I promise, I will never say another word about Windows.
T

Clive Robinson May 22, 2017 1:59 AM

@ T,

I don’t get this – the recommendation to update anti-virus software doesn’t seem to apply to Mac and Linux users.

It should.

You have to look at malware as two parts. The actual malware that does the damage, and the way it gets into a system.

It’s the latter part that is the big problem. For argument’s sake, let’s say you have a *nix box as your gateway/firewall/services host and a LAN with a mixture of boxes with different OSs. For the gateway box you need not just AV for its OS but also for all the other OSs, because of the “services” it provides. Thus if a service the gateway box provides is the email server, then you should AV-scan all the incoming email to stop the malware there and not allow it to get into, say, a Mac box whose user then forwards it on to a Windows box, etc.

Dirk Praet May 22, 2017 4:55 AM

@ Clive, @ T

For the gateway box you need not just AV for its OS but also for all the other OSs, because of the “services” it provides.

Exactly. You don’t want your Linux/MacOS boxes to become Typhoid Maries. Pretty much every Linux distribution comes with Clamav/Clamd/Freshclam, which you then integrate with Postfix and Cyrus (or whatever other mail setup you prefer) using Amavis combined with Spamassassin. You can throw in additional virus scanners, if you like. Same approach is recommended when you’re using your Linux box as a (Samba) file server.

The downside, however, is that Clamav/Amavis – like most antivirus stuff – is quite the memory hog. Even a few Amavis processes can easily consume over 600 MB, so you’d better prepare for that unless you want your system to slow down to a crawl. Alternatively, you can go for a Comodo antivirus and email gateway, which they offer for free on Linux. Caveats apply, though, as Comodo has earned itself a bit of a dodgy reputation over screwed-up certificates and MITMing stuff.

As a general rule of thumb, the same advice applies to Linux (and MacOS) as it does to Windows: keep your boxes up to date (BIOS/EFI, OS and apps), harden them with AppArmor, SEL, PaX and the like, disable Intel ME/AMT if you don’t need it, disable or remove unnecessary services, LUKS your home and data partitions, have a restrictive condom firewall setup (ingress and egress), get the necessary privacy and security add-ons for your browser(s), don’t run ordinary stuff as root, obscure your DNS traffic with dnscrypt-proxy and reroute any network traffic you deem necessary through Tor.

Daniel May 22, 2017 3:38 PM

Bruce, great points as usual.
“Commercial solutions are coming, probably a convenient repackaging of the three lines of defense described above.”
We have actually been working on providing exactly what you described in an affordable package at https://shield.ly – any feedback is greatly appreciated.

Impossibly Stupid May 22, 2017 6:05 PM

@Dirk
“Exactly. You don’t want your Linux/MacOS boxes to become Typhoid Maries.”

I say that’s exactly backwards. It is fundamentally wrong to expect anyone else to pay to provide you any safety. It’s wrong to bog down all Macs trying to protect PCs. It’s wrong to think you can rely on a gateway filter to keep your whole LAN safe. There are just too many pathways that malware can follow to reach a target machine. The only thing that can really keep your computer safe is your computer itself, and so it is the only thing that should carry the burden of doing that. Stop buying Windows if you don’t like facing that reality.

BSaaS June 15, 2017 1:49 PM

@Dirk Praet

ClamAV for Windows – slow and horrible; questionable whether it catches anything. I stopped using it years ago after experimentation. They attach alternate data streams to every file checked on NTFS. I discovered this over time because I could not rectify differences in free space. I do not know if they still do this, but I would never trust Clam or small AV companies to be on the leading edge of anything.

Comodo – The shortened history goes something like this: I was testing their firewall which seemed to provide a really nice realtime tasktray icon. The problem is that they did persistent outbound “update” as a third party firewall replacement. Originally, you could block it with a rule. They figured out what people were doing and recoded the firewall to always allow outbound persistent update. Later on, some Italian hacker jacked their CA system with MitM. Comodo blew away my test laptop. Magical. Today, I am still wondering why anyone would use Comodo for CA, just on reputation. Maybe that’s not fair, but I was also judging character on how they coded the firewall.

So, the question is this: will AV company X still do sig updates for Win7 machines? You would have to visit every company and see if they have a press release on Win7 support and what their expectations are about this.

I am remorseless because time and time again, you hear stories of all businesses and govt agencies lacking the ability to budget IT in the long term. Those words scare admins because people get fired for showing bosses the big picture.
