Fighting Ransomware

No More Ransom is a central repository of keys and applications for ransomware, so people can recover their data without paying. It's not complete, of course, but is pretty good against older strains of ransomware. The site is a joint effort by Europol, the Dutch police, Kaspersky, and McAfee.

Posted on January 15, 2018 at 6:43 AM • 19 Comments

Comments

Erin McJJanuary 15, 2018 7:29 AM

Do you mean that a given piece of ransomware always uses the same cryptographic key? I'm a little surprised by that; should I be?

AlejandroJanuary 15, 2018 8:41 AM

I'll just say it: I don't trust McAfee or Kaspersky at all.
Then dialing in Europol and the Dutch police?

What are they getting in return for their seeming generosity?

Clive RobinsonJanuary 15, 2018 9:06 AM

@ Erin McJ,

Do you mean that a given piece of ransomware always uses the same cryptographic key? I'm a little surprised by that; should I be?

It depends on the malware writers skill levels.

They could use a symetric encryption system like AES which comes in the CPU and easy to find libraries. Generate a simple random number which they encrypt with a "known key" to display as the unlock code, then deleate the known key. Then encrypt part or all of the used mass storage with the random number.

They could also use a public key of a PubKey pair to encrypt the random number to use as the unlock code.

The first method has a short window of opportunity for grabing the secret "known key", the second does not. The first method also gives deniability if you are caught with the "known key" the second does not.

Also to be secure PubKeys have to be big, atleast eight times that of an effective AES key. Further the code to use them large and easy to get wrong if they write it them selves. Oh and they still also need to use symetric encryption to encrypt the data for not just speed reasons. So the temptation to use the first method might be high to run of the mill malware writers... Who also might just be "Hex Editing" in their code over the payload of somebody elses malware which kind of happens when you want to get an exploit whilst it's still fresh.

However there is also the random number generator issue, that many people realy don't understand. True entropy can be very hard to find in sufficient quantities with malware so there might only be just a few bits of real entropy in the secret encryption numbers generated by home grown random generators. Further any "spreading function" if they include it might also end up being reversable. As hash code is likewise big and difficult to get right if likewise home grown. Oh and there is lots of "brownie points" if not fame for some one who either stops or cracks ransomware, so some very smart people will get to look for weaknesses in the malware very very fast.

So yes ordinary people do get lucky sometimes if the ransomware writers are not sufficiently skilled in those esoteric skills needed for Ransomware to be realy effective.

Petre PeterJanuary 15, 2018 9:25 AM

Impressive. It would be nice to also have the phone book equivalent for public keys by trusted publishers.

echoJanuary 15, 2018 10:01 AM

This is good basic advice. I'm slowly organising things so I have both on site and off site (aka in the cloud) encrypted backups.

https://www.nomoreransom.org/en/prevention-advice.html

Is application and folder whitelisting an effective block for ransomware/malware or is this security swiss cheese and only really useful for protecting against casual meddling with computer systems in the corporate environment?

https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/
https://social.technet.microsoft.com/Forums/windows/en-US/cf440dba-6272-4d8a-a843-dce6a0e670d6/cfa-how-to-whitelist-applicationfolders-in-controlled-folder-access?forum=win10itprosecurity

Capability bits are a bigger thing and not embedded within mainstream systems. Would these help or would systems still be vulnerable?

sjJanuary 15, 2018 10:19 AM

There's two things:

1. People should make decentralised backups
2. When people have backups and their stuff gets encrypted, just wipe machine, install anew, restore backup - no need to pay

meJanuary 15, 2018 10:49 AM

@Petre Peter
we have it! it's the CA (certificate authority) system used by web browsers.
how do you excange a key (secret) with schneier.com (that is on https) if you have never met schneier itself or called him by phone?
ca root is trusted and sign his key so that you know that what he gave you is actually the true key.

@echo
Application whitelisting is the best[1] thing that you can do, but is a nightmare to setup and mantain.
i'm using virtual machines (virtual box or qubes os) to limit the damage that a bad exe can do.

also of course backups that are not accessible by the pc (or the ransomware will encrypt backup too)
other super nice thing that you can do is to set up a firewall and block outgoing connection for every app except the one in whitelist. this will block also unknown virus (example keylogger: it can log, but can't send what it logged).
firewall will not work against ransomware as is the only virus that can work also offline.

[1] according to this: https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

Ray RedbadJanuary 15, 2018 12:06 PM

"There's two things:
1. People should make decentralised (sic) backups
2. When people have backups and their stuff gets encrypted, just wipe machine, install anew, restore backup - no need to pay" -sj

Yeah, sj. Because people who read Schneier need that kind of advice.

Be the hope in the internetJanuary 15, 2018 3:09 PM

@Ray Redbad

"Because people who read Schneier need that kind of advice."

With some luck, maybe someone new will discover this blog and recourse. Everyone is new at some point, I hope lots of new security researchers discover this idea. With some luck, a student will read this comment in a high school computer lab, thus being enlightened in the ways of security.

Anyhow,

"By sending your money to cybercriminals you’ll only confirm that ransomware works"-The website

Ransomware works because people think they stand a good change to get their files back. Once users stop believing they can get their files back, and few continue to pay, ransomware will decrease. Its easy to focus on the technical ransomware, but the No More Ransomware is playing the long game.

ThaCripJanuary 16, 2018 3:10 AM

While the site in the topic can be nice for many people who get hit with Ransomware I figure it's best to stop it before it even hits your system in the first place.

this seems to be a good program (which is free) for blocking Ransomware in the first place as all it does is stop Ransomware... https://ransomfree.cybereason.com/

I have been using it since Dec 2016 as it's light on resources and so far does not interfere with anything I do. basically it detects Ransomware based on the way it behaves and not by definition updates and supposedly is able to block 99%+ of Ransomware and future Ransomware. so the only updates it gets are for a occasional program update and that's it.

with that said... I am generally cautious on what I install on my computer etc so I have not got hit with any Ransomware but I like that as a additional layer of protection outside of the default Windows Defender with Windows 10.

WinterJanuary 16, 2018 3:36 AM

"also of course backups that are not accessible by the pc (or the ransomware will encrypt backup too)"

There are two "simple" solutions to this:
1) Set up the backup system to never overwrite backups, use "versioning"

2) If that is too much data, put a delay in deletes, like the common cloud suppliers do (Google, Dropbox, etc.)

Ad 1) can eat up storage fast

Ad 2) can be preempted by the ransomware by sitting out the delay before making the encrypted data inaccessible.

echoJanuary 16, 2018 5:30 AM

@Winter

I have a Google account and opened a Zoolz free "cold storage" account (which I may upgrade to a paid account). I'm slowly exploring preferably cross platform encrypted backup and incremental backup solutions with both backup and ransomware/malware in mind. I haven't got much further than Paragon HardDisk Manager and Acronis backup. I've discovered these lists.

http://www.linuxandubuntu.com/home/10-best-linux-backup-solutions
https://www.techrepublic.com/blog/10-things/10-outstanding-linux-backup-utilities/

Most of my critical regular backup needs are small. I could keep a whole lifetime of document backups. What about more sophisticated ransomware/malware which stealthily corrupts data so backups are filled with junk? Are there any tools to monitor files for changes and detect this?

mike ackerJanuary 16, 2018 6:20 AM

I would add a note of caution: there is no guarantee that the hacker's decrypt will be 100% accurate.

ArclightJanuary 17, 2018 12:20 AM

A NAS volume with snapshots and off-site replication is an excellent way to keep data off-host and in an easy to recover state. I rescued a customer who had all of their CAD files on the server encrypted by an infected client. FreeNAS ZFS snapshots with hourly raync off site made the recovery process. 30/minute job. The PC got nuked from orbit.

justina colmenaJanuary 18, 2018 4:44 PM

I do not like Europol.

Like the "I.I.I." (Insurance Investigation Institute), Interpol is a mostly fictitious quasi-law enforcement organization from the "Hardy Boys" children's book series.

They fight a lot of crime, but in that fictional world, sex crimes simply do not exist, because that is children's literature.

Whereas in real life, compelling prostitution and sex slavery in particular are rampant in Europe (Sweden's rape numbers go to show, in particular...) but the typical attitude of European law enforcement that women, (womyn, womxn, etc. — in reality, certain female subjects of interest) are and must be afforded total unconditional blanket immunity to criminal prosecution in such investigations does not really help fight that sort of crime.

Anyways, Europol, a.k.a. Interpol, has a social democratic political agenda that is particularly strong in four general points

  • pro-marijuana, pro-recreational-drug in general;
  • pro-"voluntary" prostitution;
  • anti-gun, anti-"violence" with a broad, capricious, and varying definition of "violence;" and
  • pro-civil-commitment "mental health."

As always, "mental health" is nothing but a false pretext for gun control, and I'm sorry, but German, Swiss, French and other white nationalist European drugmakers are pushing "atypical" antipsychotics, antidepressants, mood stabilizers, benzodiazepines, and other such "mental health" nonsense like never before in history. It's gas mask time in Europe.

DroneJanuary 19, 2018 4:18 AM

Pffft... Sites like "No More Ransom" simply trigger the malware authors to build in trip-wire mechanisms.

hmmJanuary 19, 2018 2:14 PM

"As always, "mental health" is nothing but a false pretext for gun control,"

If only that were so, we could maybe begin to address either problem.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.