On the Evolution of Ransomware

Good article on the evolution of ransomware:

Though some researchers say that the scale and severity of ransomware attacks crossed a bright line in 2020, others describe this year as simply the next step in a gradual and, unfortunately, predictable devolution. After years spent honing their techniques, attackers are growing bolder. They’ve begun to incorporate other types of extortion like blackmail into their arsenals, by exfiltrating an organization’s data and then threatening to release it if the victim doesn’t pay an additional fee. Most significantly, ransomware attackers have transitioned from a model in which they hit lots of individuals and accumulated many small ransom payments to one where they carefully plan attacks against a smaller group of large targets from which they can demand massive ransoms. The antivirus firm Emsisoft found that the average requested fee has increased from about $5,000 in 2018 to about $200,000 this year.

Ransomware is a decades-old idea. Today, it’s increasingly profitable and professional.

Posted on December 30, 2020 at 6:33 AM
27 Comments

Comments

JonKnowsNothing December 30, 2020 12:27 PM

@Etienne

This has been tried before in other contexts. It doesn’t work very well in the long run. All you end up with is thousands of headless corpses and basketfuls of severed heads and a lot of blood on the ground.

There are countries today that use this technique regularly. Perhaps you are from one where this is common, but it’s not common elsewhere except for terrorist type attacks on teachers.

Given that the state of the internet The Public Has No Clothes, it might be better to just say that outright.

Use the Tech. Expect All to be Used Against You. Forever and Ever and Ever.

Red December 30, 2020 1:48 PM

A main driver for the increased frequency and severity of ransomware attacks is the increasing profitability of the ransom payments. Cyber insurance enables impacted organisations to pay very large ransoms out of the body of insurance premiums. The increased number of ransomware groups operating will only provide plausible deniability for nation states conducting strategic destructive attacks going forward.

This will probably break from the mostly anarchist internet culture group think, but I think ransomware groups should be treated as terrorist organisations: they are sabotaging critical infrastructure, economic output and are endangering lives.

If implemented, pre-existing sanctions and money laundering rules will prevent private businesses from brokering the ransomware payments, thus reducing the likelihood the ransomware group will be able to take payment. This is important because the ransomware groups are re-investing their income into improving their tools and tactics. Classifying these events as terrorist attacks ensures that law enforcement invests more than minimal resources in investigating (law enforcement are not currently performing any meaningful investigation in these cases). Calling them terrorist events would also make inaction by a victim country’s leadership politically dangerous.

@Chris_Vail – While I disagree with the imperial decline world view I do agree with the piracy on the high seas view. The internet is in desperate need of rule of law. Providing safe harbor for anyone attacking a private vessel at sea should be considered an act of war.

@Etienne – The similarity between Ransomware and Rape is that at one point in time it is acceptable for the majority of the population to blame the victim. Infosec people be like “You were just asking for it with your unpatched VPN and open RDP little lady.”

Clive Robinson December 30, 2020 2:23 PM

@ Bruce, ALL,

Ransomware is a decades-old idea. Today, it’s increasingly profitable and professional.

The actual root of Ransomware is earlier, it goes back to the time when everyone thought “cracking systems” was all about “ego food”.

It was not. If the crackers had the knowledge of how to monetize their attacks I assure you they would have done. But back forty years ago outside of “ego food” the attacks were really about “revenge-blackmail”. That is insiders setting logic bombs in case they were sacked.

The blackmail side progressed quietly as employers paid up rather than have publicity, and the laws were not there to deal with revenge-blackmail. It was because of this that when anti-cracking law came along it was so broad in scope so that in theory the perps had no wriggle room. Unfortunately the broad scope backfired, contractors who put licence time periods in code to prevent unscrupulous companies using their product without paying got hit by such legislation and there have been a myriad of court cases that should never have come to court with more thoughtful and considered legislation.

I used to be an almost lone public voice about the fact that computer crime was at a lull even in the early days of large botnets, simply because the crackers were not making money out of their exploits and this acted as a natural damper on their activities.

All that has changed since then is starry-eyed teenagers have grown up and traditional criminals have moved in and money has started to be made by the crate load. That 5,000 to 200,000 change is due to the learning process in money laundering and international law limitations that give vastly increased safety.

But it’s not the only reason electronic/cyber crime is so lucrative. Another really important reason there is trillions of dollars lost each year to the various forms of electronic/cyber crime is it makes politicians look good… Yup that sounds backwards but it’s true.

The politicians have “disincentivised” the various Guard Labour forces from collecting electronic crime figures and making statistics as well as cutting back on funding required to deal with electronic/cyber crime. In the UK the police bluntly tell you they can not help and try hard not to give you a crime reference number. If you push they tell you to go talk to the bank / credit insurance / company / etc who have absolutely no interest in chasing down criminals but find prosecuting private individuals quite lucrative.

But there is another effect, that works in the politicians favour. Electronic/cyber crime is attracting criminals away from more traditional physical crime because it’s a lot lot safer. Thus only those incapable of transitioning stay in risky physical crime thus the traditional crime statistics drop which is what politicians think makes them look good because it gives a lie to the “Hard on Crime” myth politicians love to spout.

So less money out for lower crime figures, what’s not to like about it as a politician…

It’s also another reason why there is little or no real action on the international problem. Politicians blame electronic/cyber crime on another sovereign nation in a typical Orwellian tactic.

It’s one of the reasons the US public only hear about one of four distant cyber-existential-threats at a time from the 5hit List of China, Iran, North Korea, Russia.

It’s directly out of the George Orwell 1984 “play” book. And surprise surprise the majority of the US public fall for it. Companies play along as not to do so means lucrative Government business goes to their competitors who do play along…

Why do people think the SolarWinds Orion issue started so very very quietly with FireEye being so circumspect about it. They had not been given the nod from the US Government that needed to get its lead duck quacking Russia Russia like a broken record.

I have no idea nor does anyone else on the outside who is really to blame.

Personally I still suspect that the weaknesses that lead to the backdoor were a lot closer to home than Putin’s Moscow. I think it more probable if it is them that they exploited a mechanism they had found, that somebody else had put into the software. The question really is who, when and most importantly on whose orders/behalf…

BackupNow December 30, 2020 9:06 PM

The best way to disincentivize ransomware is to backup all your important data.

As my tech guy always used to say, “There are two kinds of people. Those who backup and those who wish they had.”

Clive Robinson December 31, 2020 5:58 AM

@ BackupNow, ALL,

The best way to disincentivize ransomware is to backup all your important data.

Backing up “properly” is very important, too many don’t backup “properly” and that is where the more experienced ransomware people still walk away with the prize, sometimes more than once.

I know it sounds daft but way too many backups are “write-only”, that is “the tape”[1] gets written to then put back in the rack with no checking until the next backup.

This is a bad idea because a fault in any part of the system could result in no data being written or garbled data being written[3].

Therefore you need to “read the tape” and check it in various ways[4][5].

If you use the same rig for reading as you do writing then if heads drift etc you will not notice, and you will end up with tapes that can only be used in that rig and not others. Having a drive break and all your backups become unreadable is not something you want to experience as an admin, I assure you from experience [6].

Likewise, but actually worse, many only backup to one tape. You should have a minimum of two copies of a backup, one onsite and one offsite in case of fire or other disaster. Your Uni thesis you’ve 90% done with all the depth and breadth sources and experimental data is not valuable to others, but to you losing it can be the death knell of your career.

You would be surprised at just how many people use the “one rig” or “one copy” method and ransomware attackers can easily exploit that.

All they do for the one rig issue is modify your software driver for the hardware rig you use to backup, so that it encrypts the data going to the rig on the write and decrypts it on the read. You being on the other side of the driver to the rig obviously do not see this encryption of your backups until the key is deleted and then your backups are just “garbled data”…

So to check your tapes you need a second isolated rig that the ransomware gang can not get access to from outside its isolated position. Thus the first tape they encrypt gets shown up then and there, not 3, 6, 12 months down the line when all backups even the “great granddaddies” are encrypted and useless without the key the ransomware attacker holds.

Now I know that checking with an isolated system by hand is a right royal pain, the solution is to put a serial data diode in to allow the isolated rig to write checksums and the like out as a plain ASCII text report and send that to an administrative machine. Yes the administrative machine could be attacked if you have not isolated it correctly. There are ways to do that by making a data diode in a way such that it checks the data coming across the gap crossing in various ways. I’ve explained how to do it on this blog in the past but it’s a bit long winded.

The important take away is,

Criminals evolve fast or they get taken out of the game.

Be it by rivals, authorities, or your evolving active defences.

Thus relying on static defenses will fail you at some point in time. So you need to do two things,

1, Evolve continuously.
2, Do this faster than your potential attackers.

Sounds simple but it’s not…

This is where you have to think about things in a “Physical Security” not “informational security” kind of way. Your only two real advantages that stay good perpetually are,

1, Your ability to hide information from “new” attackers.
2, Your ability to segregate and isolate parts of your system (as mentioned above).

Yes I know “hiding” is often called “security by obscurity” but you are using it to delay your attackers not to stop them forever. But you get only a short lived advantage, so you also need to maximize it to your advantage by detecting and reacting quickly. Which means putting out active alarms that detect any attacker as they are trying to find out information, then you bring down a fast response on them.

Each situation is different and you need to think about how you change the threshold so the attacker’s signal stands out well clear of the system noise they are trying to hide in.

[1] I’m using “tape” as a generic way of saying “whatever mutable memory media you are using” which could be as little as a thumb drive to a home user[2] or $100k network / backup storage system or even farm.

[2] I generally do not recommend USB storage devices for backup or moving data from computer to computer across security or other “gaps” like home computer to Uni Computer etc. The reason is the “Plug-n-Play” nature of such plug in storage. Put simply, the hardware and OS in your computer “reads in and runs/executes” data off of such devices and that is a very good way for malware to spread… Even floppy drives had better security in “sneaker-nets” back in the 1980’s and we know they frequently transported malware easily due to “human error”.

[3] Remember any sort of file compression makes data files way harder to recover if even a single bit gets flipped and compression also makes hiding malware way easier[4]

[4] I usually recommend that all files be made into “human readable” form. That is “plain ASCII text” so CSV and Richtext or markup/markdown for four basic reasons. Firstly it makes repairing any damaged files one heck of a lot easier. Secondly it makes putting them in a searchable archive much easier. Thirdly it makes moving data from one software application to another easier. Fourthly the file formats are much easier to check for format violations, malware writers like raw / binary file formats as that makes life a lot easier for their malware development. Thus ASCII text only, makes their life quite a bit harder and doing it in a restricted format even harder still.

[5] Remember to pipe all backup files through suitable AV software before writing to tape otherwise your backup can become an infection vector.

[6] I experienced this not due to rig failure but car seats on a cold day… The senior sysadmin used to take the “off site” copy of the backups in his car on the front passenger seat. When an onsite backup check showed one of the tapes was faulty he said no probs, he would get the offsite copy and duplicate it. It too was faulty but a lot worse so he checked other offsite tapes, then all of them. He was not a happy man to put it politely, seismic data for oil exploration is not just very large it is also extremely valuable and back then frequently purged from computer systems due to storage costs. The fault was the electric heating in his car seats, it demagnetized the tapes sufficiently to make them trash data wise.
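To make the “one rig” problem above concrete, here is an added example (not from the post or any commenter) that simulates a backup path whose driver transparently transforms data on the way to the media and undoes it on the way back, then shows why a read-back check on the same rig passes while a checksum check from an independent rig catches it. The Media, Driver and verify names are invented for this illustration, the XOR transform is a toy stand-in for encryption, and the sample files are constructed; the same check also catches a plain write fault.

```python
"""Backup read-back verification: same rig versus independent rig.

Constructed illustration, not code from the original post. The classes
below are a toy model of the storage path between backup software and
the media ("the tape").
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Media:
    """Simulates the tape: file name -> bytes actually stored on it."""
    blocks: dict = field(default_factory=dict)


class Driver:
    """Honest driver: bytes pass to and from the media unchanged."""

    def __init__(self, media: Media):
        self.media = media

    def write(self, name: str, data: bytes) -> None:
        self.media.blocks[name] = data

    def read(self, name: str) -> bytes:
        return self.media.blocks[name]


class TransparentlyTransformingDriver(Driver):
    """Toy model of the tampered driver the post describes: data is
    transformed on write and the transform is undone on read, so the rig
    that wrote the tape reads it back correctly. A repeating-key XOR is
    used only as a simulation of encryption (it is its own inverse)."""

    def __init__(self, media: Media, key: bytes):
        super().__init__(media)
        self.key = key

    def _xform(self, data: bytes) -> bytes:
        return bytes(b ^ self.key[i % len(self.key)] for i, b in enumerate(data))

    def write(self, name: str, data: bytes) -> None:
        self.media.blocks[name] = self._xform(data)

    def read(self, name: str) -> bytes:
        return self._xform(self.media.blocks[name])


def backup(driver: Driver, files: dict) -> dict:
    """Write files through the driver; return the manifest of expected
    checksums, computed from the plaintext the backup software handed over."""
    manifest = {}
    for name, data in files.items():
        driver.write(name, data)
        manifest[name] = sha256(data)
    return manifest


def verify(driver: Driver, manifest: dict):
    """Read every file back through the given driver and compare with the
    manifest. Returns (ok, report); the report is plain ASCII text of the
    kind that can be pushed one way across a serial data diode."""
    lines = []
    ok = True
    for name, expected in sorted(manifest.items()):
        actual = sha256(driver.read(name))
        status = "OK" if actual == expected else "MISMATCH"
        ok = ok and status == "OK"
        lines.append(f"{status:8} {name} {actual[:16]}")
    lines.append("RESULT PASS" if ok else "RESULT FAIL")
    return ok, "\n".join(lines)


def demo():
    """Same-rig check passes, independent-rig check fails."""
    files = {"thesis.md": b"# Thesis\nchapter one...\n",  # constructed sample
             "results.csv": b"run,value\n1,0.42\n"}
    media = Media()
    tampered = TransparentlyTransformingDriver(media, key=b"\x5a\xa5\x3c")
    manifest = backup(tampered, files)
    # Reading back through the same tampered driver undoes the transform:
    # the backup "verifies" even though the tape holds garbled bytes.
    same_rig_ok, _ = verify(tampered, manifest)
    # An isolated rig with a clean driver sees the tape as it really is.
    isolated_ok, report = verify(Driver(media), manifest)
    return same_rig_ok, isolated_ok, report


if __name__ == "__main__":
    ok_same, ok_isolated, report = demo()
    print("same rig:", ok_same, "| isolated rig:", ok_isolated)
    print(report)
```

Only the independent read with a manifest computed before the data reached the driver exposes the difference; a same-rig read-back, like a tape never read at all, reports nothing wrong.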

Internet Individual December 31, 2020 4:52 PM

@Clive

Good advice, I wish I would have seen it yesterday! Sometimes it’s important to learn the hard way I suppose. I would wager many of these attackers with fancy tools they didn’t create, using vulnerabilities they didn’t discover, wouldn’t stand a chance being attacked by the very same tools and techniques they are using. In my opinion the real challenge is defense. Because you can’t stop zero days and targeted attackers every time, I learned not to keep anything important connected to my computer.

You mentioned bringing a fast response on an attacker before they find out that they have been discovered. What might someone do to respond? What happens if it turned out that they were authorities of sort? I wonder how many lines someone might cross looking for trouble. Someone once told me, it’s not about what you know, it’s about what you can prove. Unfortunately, as I’ve found out the hard way. Sometimes data has a way of disappearing, and once your credibility is gone. Very difficult to get back.

Maybe my tinfoil hat is on too tight, but it appears to me moral turpitude is on the RiSE

Clive Robinson December 31, 2020 6:06 PM

@ Internet Individual,

You mentioned bringing a fast response on an attacker before they find out that they have been discovered. What might someone do to respond?

Well you have two basic choices to make, Attack or Defend.

Attacking has all sorts of problems. As Clifford Stoll pointed out in his book those attacking you like to hide their tracks… Thus even getting on for four decades ago, attackers used multiple proxies to hide behind when they could. So the problem with “attack back” is that you would in all probability be attacking someone who was unaware they were being used. And as you note,

I wonder how many lines someone might cross looking for trouble. Someone once told me, it’s not about what you know, it’s about what you can prove.

The law does not allow you to attack back in most Western Countries. So if you did you could be in a whole world of legal hurt.

The other problem is even if you had proof, is it the right sort of proof, and has it been collected and stored in legally accepted ways?

The answer is almost certainly not, which is the same as “no evidence” if there ever was a case. That is if you ever did catch up with the perps and identified them, then got them into your country/jurisdiction and got the authorities to even do anything…

To be blunt with “attack back” the risk is many times greater than any pay off be it civil damages or criminal fines / incarceration.

Which leaves you “defend”. There are basically three things you can do,

1, Watch what they do.
2, Covertly thwart them.
3, Slam the door shut on them.

The last is in theory easy, you just pull the plug out the wall. Unfortunately that alerts the attackers and they may already have left a “dead man’s switch” and nasty payload behind to blow things up to cover their tracks or make later reentry easier.

In his book Clifford Stoll mentions generating line noise with a bunch of keys, by jingling them on the frame room terminals. Whilst that won’t really work today, there are equivalents of throwing the attacker in a tar pit or maze. Thus slowing them right down whilst you make your mind up what to do next. This is an important decision because you don’t know what they have already done.

Which leads on to watching what they do. With luck just watching what they are doing will tell you what they might have done which will give you the opportunity to undo anything they have done.

But whatever they do eventually you are going to have to kick them out, clean up, and patch if possible the way they got in.

But realistically the best form of defending yourself is not to be reachable. An external attacker can only cause you harm if they can reach you. So,

“If an attacker can not get to you, they cannot attack you.”

I know it sounds trite, but at the end of the day, the less an attacker can reach, the less attack surface you have, and the harm they can do to you is stopped or reduced.

Too many employers let their staff have internet connectivity they do not in any way need. In short that is temptation not just for the employee but for external attackers as well. So not giving staff access they don’t need also reduces your attack surface.

None of this is “magic bullet thinking”, just common sense.

Anyway the deafening noise of fireworks tells me it must now be 2021 here so a happy new year to one and all, and hopefully a much better year all around.

bcs December 31, 2020 8:07 PM

I wonder what effect it would have if a bunch of major powers started holding countries responsible for international criminal activity by their residents if they refuse to deal with it? A kind of “Someone is to blame. And if you don’t treat the direct perpetrators as to blame, then you are to blame.” I’m guessing it would improve some things, but that it would also incentivise manufacturing scapegoats.

Another appealing solution (that also creates problems): I wonder what would happen if the perpetrators started going out for the night and waking up in a jurisdiction that wanted to prosecute, with no memory of how they got there. Heck, rumors of that happening might be better than it actually happening.

Internet Individual January 1, 2021 1:57 AM

Fair points. One of the issues that makes the attribution more difficult is the whole cloak and dagger bit. Especially with all of the personal information freely available on the internet about anyone. Watching and making assumptions about a person to potentially connect the dots, and to make matters worse many times that information is only half accurate. In the scenarios you mentioned much effort, grief and time wasted that could have been avoided if people were willing to communicate, rather than play James Bond. It stands to reason an innocent/unwitting person might be more than willing to assist, at the very least to set the record straight. If it were me I’d sure want to know who might be putting me in harm’s way. An old personal enemy or a random person from yet another country.

Imagine for a minute that a suspected perpetrator happens to genuinely be clueless and innocent. But their lives might get turned upside down, reputations ruined, etc. While not having a clue about whatever is suspected. It makes you wonder the level of integrity and discipline of others in positions of privilege. Especially in an international setting, as it wouldn’t be hard to imagine someone thinking “who cares what might happen to some random person in another country if a mistake was made.”

One thing I do know, at least in America. There are literally thousands of criminal laws to enforce. Last I checked roughly 4500 federal, plus your state and city. In fact, it’s been said the average person commits 3 or more felonies (serious crimes) per day. At least according to one author that may or may not know something about the topic. hxxps://www.harveysilverglate.com/about-harvey All it takes to wind up on the wrong side of things is rubbing someone with authority the wrong way. Quite literally everyone is a probable criminal.

It’s for this reason that I’m always nice and agreeable with everyone. Nor would I ever suggest a person or their ideas were based from some degree of idiocy. 5g towers cause covid? Hey whatever you say buddy. An order for 500 navy ships? Maybe if we build them half the size we can build twice as many! No stimulus or unemployment checks for millions of people because it’s a socialist idea? Excellent calculation, the poor are sure to not spite Capitalism and those benefitting the most now. Focusing on exploration of mars rather than cleaning our own planet? It’s probably nicer over there on mars anyways. On second thought being a person of reasonable mind and temperament, I’ll admit it’s possible I could have caught someone on a bad day with some well intentioned but perhaps poorly delivered critiques. What can I say, I shoot from the hip.

Clive Robinson January 1, 2021 4:29 AM

@ bcs,

I’m guessing it would improve some things, but that it would also incentivise manufacturing scapegoats.

It’s also bullying.

Over something like two thousand years, we have realised that “Might is right” is actually not just wrong, but very counter productive for all involved unless they are smart enough to play off others by their belligerence and stupidity if not cupidity.

That is if I attack “you” in a way that looks like it’s come from “your business rival”, what are you probably going to think?

Nation states when you study them through history are on average worse than the collective sense of their own people, which is why exercising propaganda on your own citizens is a necessary part of not just exercising power but staying in power.

To be blunt too many of the people that seek power are doing it out of pure self interest knowing the further they rise up the hierarchy the more power and status they get, and the fastest way up is via “dead men’s shoes”. You even see such rivalry in “hobby clubs” where the power and status is not really anything to crow about.

In organisational structure you normally have a “head” and a “deputy” to in theory act as check and balance. What tends to happen is the head becomes outwards facing and seeks power from other organisations. The deputy is thus inwards facing and supposedly keeps the organisation functional. All too often the deputy attacks the internal organisation to build their own power base so they can align with others both inside and outside the organisation to engineer a “dead man’s shoes” elevation to being the head of the organisation. This happens at many levels which is why meritocracy is rare and usually fails to an insider attack, often by an external organisation’s plant though the plant is often what Stalin called a “useful idiot”.

We have seen this happen in many FOSS organisations…

So now consider your idea again but thinking about “power struggles” and what those with power and status do with it and why?

The way to deal with cross border crime is in fact quite simple, you “remove the borders”, that is you extend the abilities of police forces to co-operate and thus investigate to collect evidence to present to one or more courts.

Unfortunately the way we currently try to do this is a complete mess as it was built by politicians who almost always have their eye on some other prize… Or to be more blunt, they want more power and you to have less power, they then wrap this in some lie to get a legal binding of such a change in power status…

It’s why there used to be three sets of laws,

1, Those inside your borders.
2, Maritime law.
3, The laws of war.

It sort of made sense and a vague level of stability arose with regards crime, because moving from Nation to Nation was difficult when power and wealth was based on holding land and the control of the title of that land in effect belonged to the hand of the monarch. Who usually got the job through heredity with each generation practicing “might is right” in one way or another, and keeping out what they saw as undesirables by having what was in effect “A closed Stud-book breeding” programme of “blood purity laws”. The down side as we now know was what they saw as strengthening the blood actually weakened not just the body but the brains and eventually fertility.

Back when there were monarchs and nobles there were two basic roads to power and status for those not in the closed stud. The first was through the church, the second through the creation of the guilds from the power of trade.

Have you ever wondered why religions back then did not allow the officers who had power to be married and in fact required them to be celibate?

Well it was to stop any closed stud breeding arising and hereditary power taking over.

For a while when power came through the holding of land the churches more than equalled most monarchies so shared power.

However trade became foremost and land holding does not give much power these days. So the church has lost power and those guilds became steadily more powerful until they effectively replaced the churches. Hence the power the church had got divided as monarchs got encroached upon by first powerful nobles (The Lords) then those who sought church-like power but without the restrictions so royal advisors became councils (the peers) then parliaments and so power got spread to others (the Commoners). Liquid wealth to buy armies and weapons became the well spring of power as the land could no longer provide it.

So the guilds first became more powerful than the Lords which is one of the reasons for the existence of “The corporation of London” and its political representative and other special privileges. But similar happened in all villages, towns and cities where the councils were filled with “the great and the good” who were basically land owners going down, and guild representatives on the up.

It’s got to the point now where corporates have more wealth and power than many small countries and are steadily gaining more power in what some see as “A godless soulless way”. Which is why over the last half century or so religion has been buying its way into politics to gain power again. In some places it is now a struggle of corporations versus church driven politicians.

Neither gaining real power over the other will result in a stable situation for the majority to live in. As Churchill once noted,

“It has been said that democracy is the worst form of government except all the others that have been tried.”

And,

“Socialism is a philosophy of failure, the creed of ignorance, and the gospel of envy, its inherent virtue is the equal sharing of misery.”

But perhaps most importantly,

“At the bottom of all the tributes paid to democracy is the little man, walking into the little booth, with a little pencil, making a little cross on a little bit of paper-no amount of rhetoric or voluminous discussion can possibly diminish the overwhelming importance of the point.”

As long as we are not as stupid as our ancestors who gave up their birth rights for a little temporary comfort, then we will be able after a fashion to control our collective destiny for better or worse.

Better comes via honest education, worse comes by propaganda be it from the self appointed despots, politicians, corporations or churches seeking power via people’s ignorance…

Winter January 1, 2021 9:54 AM

“Over something like two thousand years, we have realised that “Might is right” is actually not just wrong, but very counter productive for all involved unless they are smart enough to play off others by their belligerence and stupidity if not cupidity.”

Over the ages we have learned that Law Enforcement should be done within the law, and punishment should go through the courts. This also holds for cyber-crime or ransomware.

There is no shortcut for doing forensic analysis, and plain legwork. If a country of suspected origin does not want to cooperate in the investigations, that is the same as that country not cooperating in investigating other crimes and terrorist activity. If Russian agents poison British subjects and the Russian state does not cooperate in getting these agents in court, then there are established ways to react as a country. Starting to drop bombs is probably never an appropriate solution.

Potential victims should be aware of the dangers, and prepare accordingly. There is no simple solution. Yes, daily rotating backups with offsite storage are good. But that costs money and has its own risks and might not be enough. For instance, after a breach, the APT can simply mess up the backup procedure and wait a year.

Victims can only be blamed if they had not considered the risks and costs. It is very well possible that the costs of adequate protection are much greater than the damage of the attacks. Given the state of the internet and the lousy quality and absurd costs of software & services, I can see why some institutions simply cannot afford to adequately protect themselves.

Clive Robinson January 1, 2021 1:09 PM

@ Winter,

Over the ages we have learned that Law Enforcement should be done within the law, and punishment should go through the courts. This also holds for cyber-crime or ransomware.

Yes, and nations should do more to make this happen, but they don’t and won’t whilst they think they can get an advantage out of it… Which is the major problem currently.

But,

Victims can only be blamed if they had not considered the risks and costs. It is very well possible that the costs of adequate protection are much greater than the damage of the attacks. Given the state of the internet and the lousy quality and absurd costs of software & services, I can see why some institutions simply cannot afford to adequately protect themselves.

Because they’ve also been sold on the worst possible way to use the Internet.

As I’ve noted there is Managment mantra comming mainly from spoon fed MBA’s that the Internet is “magically good”. The fact they can not actually state a real business cas for “connect all” should tell every one it’s a tsunami of disaster building to come crashing down on just about everybodies heads.

The best protection from the myriad of ills of the Internet is not to be connected to it.

Thus each and every connection needs a very clear business case and should be properly isolated from any internal systems. This used to be standard practice for both Sys Admins and Net Admins. But it no longer is. To cut costs everyone gets vanilla flavoured custard in the same plastic bowls and same plastic spoon to be fed with. Every biological process known to mankind does not work that way, for the very good reason that “total wipe out” would result.

Given a little more time SolarWinds Orion could have been the snowball that brought down the life extinguishing avalanche. It may still do so if it’s been used to sow backdoors in everything Orion touched…

As @Anders has noted what if all the Microsoft updates have been got at in some way? That in turn would give access to nearly everything else world wide. Orion could if it had remained undetected become “The one Ring to Rule them All”…

But only if those seeking power could get at the systems they wanted to. Air or Energy gapping systems kicks such attacks to the bottom of the near insurmountable cliff.

People will start waking up to this and thus be able to disconnect and keep a more focused and observant eye on where history shows the really nasty threats are: the traitorous insider threat.

lurker January 2, 2021 1:00 PM

@Clive,@All

Thus each and every connection needs a very clear business case and should be properly isolated from any internal systems. This used to be standard practice for both Sys Admins and Net Admins. But it no longer is.

I was a minor sysadmin when the internet came to our office. [It was like the Common Market coming to Stanton Drew] The (local) boss laid down who could get email accounts and set data caps, because it came out of the dept. budget. Then his secretary discovered cat gifs, or somesuch. I suggested that her machine that connected to the client database should not also connect to the big bad world. A second machine was out of the question given the price of hardware back then. My plea for help from upstream netadmins got the cryptic *nix-like reply: “Your payscale may depend on your decision.”

Since then I’ve watched the changing nature of attacks, the who, what, why. The where and when seems much the same. Those who haven’t learned from history include lawyers who still ask for stolen or wrongly delivered e-documents to be returned. But ransomware, like artillery, is often fired from a distance, and the attacker doesn’t need to know too much about what is happening inside the victim’s system.

The emphasis for ransomware, and for SolarWinds, seems to be on having good backups and using them for recovery. But shouldn’t the emphasis be on stopping intrusion before it happens? And if they do get in, don’t have stuff lying around for them to pick up and take when they leave.

Clive Robinson January 2, 2021 5:09 PM

@ lurker,

Ahh you have run into the inverse of “above my pay grade”. Yes it can be annoying, and you have two basic choices,

1, Accept the fact and find a better job as fast as you reasonably can or hope like hell it’s not you on the stand when the brown stuff gets spread around.

2, Document as best you can why you think it is “not a good business case” then go to (1) above.

But as you note,

The emphasis for ransomware, and for SolarWinds, seems to be on having good backups and using them for recovery.

Not sure that’s actually going to get the ill prepared any relief.

As I understand it, the claimed Level III capability of the perpetrators means that they could almost certainly have put in a permanent back door at the firmware level in any number of Flash ROM devices in the motherboard, I/O, hard drives. Thus they may have the equivalent of “termites in the structural members”. In which case take the furniture out, burn the house to the ground, then in a nice new home check each piece of furniture is not just termite but dry rot etc. free, before putting it in.

But shouldn’t the emphasis be on stopping intrusion before it happens?

You think that, I think that, and I suspect many others here do as well. But we are not the ones trying to make next quarter’s figures to get the bonus the following quarter.

That is, unless someone at the top chooses to listen and act, we might as well be in the parking lot with a bottle of water, glycerine and detergent blowing soap bubbles to make pretty rainbows…

And if they do get in, don’t have stuff lying around for them to pick up and take when they leave.

The funny thing is with “Physical Security” this is obvious to even the bloke that empties the recycling bins. Yet with “Information Security” it’s all about performance and getting the job done fast, so security is either not seen or totally ignored…

So my overall advice is play the game and move on.

That is, talk up something that will bring “major benefit”, get the budget, get the staff and about one third of the way through the project “jump ship”.

Write it up big on your CV and do the same at your next job.

The thing is if the project succeeds after you’ve left you claim it was your insightful planning and mastery and clear guidance that those left behind just followed. If it fails as it probably will –90% of major projects actually fail[1]– you again claim insightful planning and mastery and gave clear guidance, but XXX went against it thus it failed. Either way you win, and go on to a better job.

[1] For some reason this simple fact surprises people but it applies almost across the board of all endeavours. The important thing is to work out what needs doing in small increments. This way you get to see problems whilst you can still fix them, and also you remain responsive[2] to any external or other factors you can never control. Major projects almost always fail due to trying to do too much at any stage.

[2] The thing most do not realise is the “Phoenix Effect”: from every disaster, if you are quick and don’t mind singed fingers, you can grab something useful out of the flames before it’s all ashes. I can not tell you just how many projects I’ve managed to pull something acceptable out of the pyre of grand ideas simply by downgrading the scope from major to minor early enough that a little diversion meant a success of sorts was achievable. Because at times I think every project I ever worked on at some point[3] felt it was on the brink of a precipice due to changes you had no control over. After a while you get a hinky feeling about how to structure things so dealing with doom is just a twiddle here and a fiddle there and just a few bumps.

[3] One of the most important things is to “put time in your pocket” to use later. That is, always over-estimate how long something will take and don’t give ground on it. Also never let those above you know you are really further ahead than you claim to be. That way when the brown stuff flies into view, as it always does, you have time you can pull from your pocket[4] rather than the unpaid time sensible people use for home / social life and sleep.

[4] Always, always remember your boss does not own you, you do, and if they are unreasonable[5] ensure you have the documentation to shove up their arse and leave for a new job at the worst possible time for them. Which means always, always have six months or more of “drop dead money” in the bank or in a shoe box out of sight, and live without debt and well within your means. Because it gives you the confidence to not be cowed and turned into a serf scared to look up. And I’m sure there are quite a few out there whose careers have been negatively impacted by COVID and a year’s worth of “drop dead money” would kind of be handy right now.

[5] Often the first trick an unreasonable boss pulls is the “I can sack/break you” line or similar; if you back down you are dead meat. Call them on it and wait just long enough before you go to see if they can think and learn. If they can’t you were on a losing wicket anyway, if they can then you have a choice to make. Oh and never ever take anything personal to work; that way you can just walk out the door with your hands in your pocket whistling, not having some mutt stand over you deciding if it’s yours or not then giving you the walk of shame with a cardboard box in your hands and an ogre from HR walking behind[6] gloating.

[6] The last time someone tried this stunt on me was a quarter of a century ago, and the very nice HR lady got the security guy, who was also a friend, to carry it down to her car. The three of us then went off and had a celebratory lunch. I had a few days with my feet up then went to a new very nice job, whilst my old employer carried on paying me for three months. Much to the shock of my ex-employer I came back to haunt them. They tried to persecute another employee who was disabled, who called me in as their representative (as I had represented them before). The senior HR person and the Chancellor were horrified, as was their Barrister on staff. They got a couple of brief warnings of where it was heading which they ignored and they then capitulated on the court steps and got stung badly. I was told by others that the senior HR person took early retirement and the Barrister left for new horizons. Then for some reason, at the behest of MI6, MI5/Special Branch raided the place over some bloke called David Shayler,

https://www.davidshayler.com/about/

Life can be strange at times…

Anders January 2, 2021 5:25 PM

@Clive @SpaceLifeForm @MarkH @ALL

People often over-mystify ransomware, as if there
haven’t been any risks so far and now we are really
screwed.

Truth is that ransomware is no special thing. Same result
can happen via HDD crash, human error, buggy device driver
that slowly corrupts data etc etc etc.

Remember the guy Marco Marsala who via an accident deleted his whole company?

OK, we need a backup.

There’s a well-known 3-2-1 rule, but it is very unclear.
Should we have 3 copies of the data in addition to our original
data or including it? Some sources clarify and say that it is WITH our
original data, so we should have 2 backups, one offsite.

I say it won’t work. I say we need 3 backups in addition
to our original data.

Let’s say a ransomware attack hits us and all our production
data gets encrypted. We have 2 backups, one offsite, far away,
so on site we have only one copy. How do we know that data is still
consistent, the media has not rotted and we can safely restore from it?
We don’t. If any error occurs we still need to drive for that
second offsite copy. If we have a second on-site backup in addition
to the third offsite copy we can compare the data against any corruption.

Media is nowadays very cheap. So have 3 backups.
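A worked illustration of the three-copy argument above, added here as an example and not code from the thread: per-file SHA-256 digests are voted across the named copies, so two copies can only detect a disagreement while three can isolate which copy rotted. The file names, contents and copy labels are constructed sample data.

```python
"""Majority-vote verification of backup copies (added example; not from the thread)."""
import hashlib
from collections import Counter

Copy = dict[str, bytes]          # file path -> file contents within one backup copy


def file_digests(copy: Copy) -> dict[str, str]:
    """SHA-256 of every file in one copy, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in copy.items()}


def compare_copies(copies: dict[str, Copy]) -> dict[str, dict]:
    """Vote per file across the named copies.

    Returns, per path: 'status' (consistent / corruption_isolated / undecidable),
    'good_hash' (the majority digest, or None) and 'suspect' (copies that disagree).
    A path missing from a copy counts as that copy disagreeing.
    """
    digests = {name: file_digests(copy) for name, copy in copies.items()}
    paths = sorted(set().union(*(d.keys() for d in digests.values())))
    report = {}
    for path in paths:
        per_copy = {name: d.get(path, "<missing>") for name, d in digests.items()}
        tally = Counter(per_copy.values())
        best, votes = tally.most_common(1)[0]
        if len(tally) == 1 and best != "<missing>":
            report[path] = {"status": "consistent", "good_hash": best, "suspect": []}
        elif votes * 2 > len(copies) and best != "<missing>":
            # A strict majority agrees, so the outliers are the rotten copies.
            report[path] = {"status": "corruption_isolated", "good_hash": best,
                            "suspect": sorted(n for n, h in per_copy.items() if h != best)}
        else:
            # Two copies that differ, or no majority: nothing tells us which one to trust.
            report[path] = {"status": "undecidable", "good_hash": None,
                            "suspect": sorted(per_copy)}
    return report


# Constructed sample backup set: what each copy holds after the production data is gone.
GOOD_LEDGER = b"2020-12-31,invoice 1042,1500.00\n2020-12-31,invoice 1043,320.00\n"
ROTTED_LEDGER = GOOD_LEDGER[:-5] + b"\x00\x00\x00\x00\n"   # silent media error in one copy
CONFIG = b"db_host=ledger-01\n"

ONSITE_A = {"ledger.csv": ROTTED_LEDGER, "app.cfg": CONFIG}
ONSITE_B = {"ledger.csv": GOOD_LEDGER, "app.cfg": CONFIG}
OFFSITE = {"ledger.csv": GOOD_LEDGER, "app.cfg": CONFIG}


def two_copy_result() -> dict[str, dict]:
    """The 3-2-1 reading with only one on-site copy: a disagreement cannot be resolved."""
    return compare_copies({"onsite": ONSITE_A, "offsite": OFFSITE})


def three_copy_result() -> dict[str, dict]:
    """A second on-site copy gives a majority, so the rotten copy is identified."""
    return compare_copies({"onsite-a": ONSITE_A, "onsite-b": ONSITE_B, "offsite": OFFSITE})


if __name__ == "__main__":
    for label, result in (("two copies", two_copy_result()), ("three copies", three_copy_result())):
        print(label)
        for path, info in result.items():
            print(f"  {path}: {info['status']} suspect={info['suspect']}")
```

Recording the digests at backup time and checking each copy against that manifest catches the same rot earlier, but the manifest itself then needs a trustworthy home, which is what the third copy provides.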

JonKnowsNothing January 3, 2021 12:46 AM

@Anders @Clive @SpaceLifeForm @MarkH @ALL

re: Number of backups and time frame for security

Truth is that ransomware is no special thing. Same result
can happen via HDD crash, human error, buggy device driver
that slowly corrupts data etc etc etc.

Whatever you had in mind, it isn’t enough. Not enough copies and not a long enough time frame.

RL anecdote tl;dr

I had the occasion to be in between a vendor of customized software and the client in a dispute. The vendor had been providing the software for many years and the customer had paid for lots of upgrades and enhancements over the same time frame.

When the company was sold to another entity, the vendor demanded a new software license for a substantial amount of money. The new owners didn’t want to pay for a variety of reasons, one of which was they planned to replace the systems and software within a short time period after acquisition.

(can you see it coming yet?)

Since it was the end of the year, the company was shut down for the holiday (pre-COVID-19 of course), and in the new year the CFO began to look at some of the data from the system for EOY accounting. The CFO noticed something odd and immediately stopped all activity and shut down the computer.

(good thing some people can read…)

It turned out that the vendor had inserted a great number of time bombs and logic traps intended to prevent customers from running the software without a new license. Once tripped the logic bombs would erase good data, replace it with bad data and randomly delete records.

(got it yet?)

The new owners ponied up the price and I had to verify that the backup data was not further damaged by sitting shiva with the vendor while he undid the logic bombs and disabled tripped traps and reset other trap triggers. It was an amazing amount of stuff to actually see being used in practice.

I asked how he avoided triggering the traps for the previous n-years he worked with the customer. He said he made a Courtesy Call every year to reset the timer and no one noticed when he logged into the mainframe.

(see N-years of borked backups)

Also, nearly every business that experiences a catastrophic failure such as a dead mainframe, lost data, natural disaster and acts of war goes out of business soon thereafter. You cannot recover enough A/R to keep things afloat. Folks will notify you if you owe them money (A/P, Payroll) but rarely does anyone notify you that they owe you money (A/R Billing). Lost production, facilities, supplies can put you out of business fast too. Not every company can double up the supply order when a tornado spews the existing items around the countryside.

If you have ever tried to restore data from something “simple” like a Windows PC, it’s not just the time to do the physical restore, it’s getting things to work at all that is the time-sink.

Backup is good. Verified Backup is better. Multi-generation backup better yet.

Hope for the best and expect the worst.

Clive Robinson January 3, 2021 5:14 AM

@ JonKnowsNothing,

Hope for the best and expect the worst.

And plan for war…

It’s human history in a single phrase.

As too many find out the hard way, favours only get repaid when you are rising; they slow to a stop if your trajectory slows and disappear if you stall or fall.

That is after all why the supposedly more sensible people realise that loyalty is best maintained by purchase through the threat of their downfall via blackmail. The more goods you have on someone and the less they have on you the more compliant they will be to your wishes.

I used to be occasionally asked why I did not enter politics, well I think that might partially answer the question.

Anders January 3, 2021 9:33 AM

@JonKnowsNothing

Sorry, but aren’t the time bombs illegal?
I don’t know in which jurisdiction your client is,
but there are lots of cases where things end up in court
for using them.

https://en.wikipedia.org/wiki/Logic_bomb

Deliberately deleting/corrupting client data is something
that should end up in media so other possible customers
could avoid this kind of “vendor”.

JonKnowsNothing January 3, 2021 11:52 AM

@Anders @All

re: vendor controlled data access

All vendors have the right to remove access when the license expires. The methods used vary but generally they cripple the ability to run the program.

Being able to read:
  * Your License to use this software has expired

followed by
  * Continuing to use this software without a valid license is …

with this as the kicker
  * If you continue to use this software without a license, accessing data may cause corruption.

That CFO saved the company’s arse by reading the Big Red Warnings.

As for the legality, in the case of the backups, legality isn’t the issue. Without a working software license all backups would be unrecoverable because the procedure was done and implemented by the Vendor. Years of backups required the Vendor’s software to restore them.

@Clive mentioned this aspect recently, in the context of having encryption/deception working on a single backup system/target, but if you hauled the data to a parallel system that did not have those same routines the backups are worthless.

This is what the customer learned after years and years of backups. They were worthless without the Vendor supplied decryption program.

If your company is hanging on a hook and you cannot bill your customers for service and you cannot enter new service for future billings etc etc etc, you pay the software license fast.

Is that ransomware? Maybe.

Anders January 3, 2021 12:13 PM

@JonKnowsNothing

Yes, I see here similarities with ransomware.
Pay, or you lose your access to the data. Same
kind of extortion.

It all comes down to how you choose the software
your business depends on. Testing, evaluating, comparing,
selecting, negotiating your own terms if possible.
Business continuity.

ps. original VisiCalc still works today.

JonKnowsNothing January 3, 2021 1:02 PM

@Anders @All

re: original VisiCalc still works today.
and
  Who Owns the Data problem

Your point is a good one and brings up a techy-touchy subject:

  * Who and What owns your data?

Because you can use a vintage program to access your data, you may consider this to be safe but is it?

The data residing inside a spreadsheet, word processing document etc etc is bound and altered by the “commands and format” accessed on the surface level of the program. Sum = A1+Z99

But underneath all of that surface stuff is a bunch of structural statements much like what @SpaceLifeForm and others are complaining about with the new blog software. Hidden markup/markdown and internal structures that make What You Think Should Happen – Happen. These defined structures are not YOUR DATA and without them Sum = A1+Z99 is not going to happen.

But is this not precisely The Problem?

If you are restoring Vendor A to Vendor A, then maybe you are OK. Anyone who has worked on migration details knows that going from Vendor A to Vendor Z ain’t so easy.

Without either Vendor A or Vendor Z… Where is your data? What is it you are trying to preserve? Does the process of backing up do anything more than just gloss over the inherent problem that Your Data is worthless without a program behind it?

consider:
(this is a snippet of the internal structure from an RTF document, in case the aforementioned markup/down doesn’t work.)

{\rtf1\ansi\deff0{\fonttbl{\f0\fnil\fcharset0 Courier New;}{\f1\fnil\fcharset0 Calibri;}}
{\colortbl ;\red0\green0\blue255;}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\lang1033\f0\fs22\par

Clive Robinson January 3, 2021 2:11 PM

@ Anders,

ps. original VisiCalc still works today.

Yup I can confirm it still works on my original hardware as well.

(or it did last year in September when I demoed it).

internet individual January 4, 2021 10:26 AM

It appears I may have jumped the gun on the whole moral turpitude bit. I can’t be sure though. It’s difficult to know who to trust. It’s easy to say no one, but how does one accomplish anything alone? I’m not able to determine the difference between a friendly skills/knowledge test, or if it’s a devious attempt. I’ve had a few of those lately.

I did however learn the amount of information that can be collected about a person from their browser. And that it’s basically an open window right into your computer.

Either way, I was defeated. Still so much to learn, in fact I’m not even sure what I should be focusing on. Wandering all over the place. Isn’t ISO-8859-1 8-bit? Oh well, back to the books!

Anders January 4, 2021 10:54 AM

@JonKnowsNothing

If you have experience and choose your software
wisely, you own your data.

Believe me, there’s no data format that can’t be reverse
engineered and converted. I have done this; it’s a
one-time problem since after that you are a lot wiser and
choose software that supports open formats.

But often the solution is even easier. Run the old software
that saved that odd format on real HW or under a VM,
open the data and save it in some open format.
Even very ancient software can still be run. I converted
for a client texts that were saved with the very first PC
text editor, EasyWriter, for example.

Yes, between different vendors different problems
can surface, like different encodings. Do you know how
many different Russian encodings exist? This is
also something that comes with time and experience.
Now everything is a lot easier; head to this url
for example:

hxxps://2cyr.com/decode/

In the past I wrote my own converter.

I see only one problem – your data is on some ancient
media and your reader broke down. For example I still
have here on my shelf an 8″ floppy from a DEC PDP 11 with
some of my software I had written (and there’s also the
first original Tetris game). I have no means currently
to read out that data. However I think even that is
resolvable since there are still PDPs running somewhere
and I just need to ship my floppy to them.

Clive Robinson January 4, 2021 6:25 PM

@ internet individual,

Still so much to learn, in fact I’m not even sure what I should be focusing on.

That’s fairly easy to answer,

Firstly as you would for just about everything else, use common sense to find the foundations and then build from there. That is bottom up.

BUT!!!

Remember we are talking ICTsec type training, which requires a special twist from normal common sense. Which is: do the exact opposite, start at the top and work down…

I know it sounds mad but that really is the way the industry works. It’s so top heavy it’s impossible for many to learn the basics and fundamentals. Thus they build strange mental models of how they think it all works… Only to find out that the next top level item works on an entirely different paradigm / logic…

As for ISO-8859-1… The standard says 191 8-bit chars or “typographical glyphs”[1]. Well it’s not quite true: 2^8 is 256 so there are 65 other chars of which only 32 are control chars inherited from 7-bit ASCII, and whilst some of those affect the way characters are displayed they are not as such printing glyphs.

Also you really do not get to use ISO-8859-1 much… Whilst all the versions of HTML prior to 5 are supposed to use it, most websites do not (maybe about 1% currently do). Which is why HTML 5 uses “Windows-1252”…

I’m not going to go into the history of “dingbats” as they have been around almost since the printing press was invented. And look like they belong in what many think are the gutters, but they don’t.

But as I said common sense says go bottom up, i.e. establish the foundations and build up… But with all the UTF nonsense most texts go top down, which is why you might feel madness creeping up on you…

[1] A glyph is normally a symbol that as a single picture represents a word or descriptive phrase, not individual alphabet characters, numerals etc… Thus we have “Typographical glyphs” which are not just word/phrase symbols but numerical, alphabetical, and alphabetical with modifiers…
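To make the byte counts in the comment above checkable, here is an added example (not from the thread) that classifies all 256 single-byte values under Python's latin-1 and cp1252 codecs, and shows why text encoded as Windows-1252 but labelled ISO-8859-1 surfaces as C1 control characters. It assumes Python's codec tables: cp1252 leaves five bytes in 0x80-0x9F undefined, whereas the HTML5 mapping assigns those five to the corresponding C1 controls.

```python
"""Classify single-byte values under ISO-8859-1 (latin-1) and Windows-1252 (cp1252).

Added example, not from the thread. Uses only Python's standard codecs and unicodedata.
"""
import unicodedata


def classify(encoding: str) -> dict[str, int]:
    """Decode each byte 0x00-0xFF on its own and count what comes out.

    'control'   - Unicode general category Cc (32 C0 controls, DEL, 32 C1 controls)
    'graphic'   - anything else that decodes (letters, digits, symbols, NBSP, soft hyphen)
    'undefined' - bytes the codec refuses to decode (Python's cp1252 has five such holes)
    """
    counts = {"graphic": 0, "control": 0, "undefined": 0}
    for value in range(256):
        try:
            char = bytes([value]).decode(encoding)
        except UnicodeDecodeError:
            counts["undefined"] += 1
            continue
        if unicodedata.category(char) == "Cc":
            counts["control"] += 1
        else:
            counts["graphic"] += 1
    return counts


def c1_block(encoding: str) -> dict[int, str]:
    """Map bytes 0x80-0x9F to their decoded character, or '' if the codec has no mapping.

    Under latin-1 every entry is a C1 control; under cp1252 most are printable glyphs
    such as the euro sign and the curly quotes.
    """
    table = {}
    for value in range(0x80, 0xA0):
        try:
            table[value] = bytes([value]).decode(encoding)
        except UnicodeDecodeError:
            table[value] = ""
    return table


def mislabelled_as_latin1(text: str) -> str:
    """Round-trip text written in cp1252 through a reader that believes the ISO-8859-1 label.

    Characters that only exist in cp1252's 0x80-0x9F block come back as C1 controls,
    which is the breakage the HTML5 'treat latin-1 as windows-1252' rule avoids.
    """
    return text.encode("cp1252").decode("latin-1")


if __name__ == "__main__":
    for enc in ("latin-1", "cp1252"):
        print(enc, classify(enc))
    # Constructed sample: a euro sign and curly quotes, which latin-1 cannot represent.
    print(repr(mislabelled_as_latin1("price: 5 \u20ac \u201cquoted\u201d")))
```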

Goat January 4, 2021 6:55 PM

Why don’t websites use ISO chars?

For me the reason is that my language is not supported so I use UTF-8, but that’s not true for most. While UTF-8 gives other chars like emoji as well, why even use Windows-1252 when you can use Unicode??

JonKnowsNothing January 4, 2021 9:57 PM

@Clive @internet individual

re: glyphs

One of my favorites is called “18-Rabbit”…

There’s a famous story about Richard Feynman and a Mayan codex…

ht tps://en.wikipedia.org/wiki/Maya_numerals
ht tps://en.wikipedia.org/wiki/Maya_script
ht tps://en.wikipedia.org/wiki/Uaxaclajuun_Ub%27aah_K%27awiil
  Uaxaclajuun Ubʼaah Kʼawiil (also known by the appellation “Eighteen Rabbit”)

ht tps://en.wikipedia.org/wiki/Richard_Feynman
(url fractured to prevent autorun)
