
The Dever Ransomware Experience - Vaslo
https://www.wilbursecurity.com/2020/02/the-dever-ransomware-experience/
======
dropoutcoder
I commend researchers in this field. Ransomware has a tangible impact on
lives, particularly in cases involving healthcare facilities, for instance.
Such criminals deserve a harsh response for the chaos they create.

Also, I can't help but think that the global internet that we've created is
highly irresponsible. That criminals with sufficient skill and means can
anonymously pull off these kinds of crimes with little chance for pursuing
justice is an indication of some fundamental flaw in the internet's design. While
people should have the right to be anonymous, there's simply too much
potential for abuse by such criminals. I wonder if the internet is ripe for
disruption via redesign of core protocols. As I recall, this has been
discussed on HN previously but I've lost track of such research.

~~~
dmm
Most property crime goes unpunished in the non-internet world. An anonymous
someone walked off with my bike a few years ago, a crime unpunished to this
day. Does this point to a fundamental flaw?

~~~
eli
Yeah, I think it does point to a fundamental problem in our society. Check out
your local Nextdoor and I think you’ll find people calling for very harsh
punishment of bike thieves.

The difference is how malleable the internet infrastructure is compared to the
real world. Would ransomware have taken off like it has without bitcoin? Is
there some technical change to bitcoin that could make it less attractive to
bad guys?

~~~
paulryanrogers
Do they still use Bitcoin in the face of alternatives like Monero?

~~~
et2o
Looks like it here.

Monero is much harder to purchase in the US.

~~~
boring_twenties
How so? You can buy it on US exchanges like Kraken and Bittrex, until recently
Poloniex.

------
hanklazard
Fantastic write-up, I really enjoyed all of the details on how the forensics
are done for these cases. Certainly a good reminder to make frequent
air-gapped backups of any mission-critical machines on the network. And even with
those, as the author points out, rebuild time and effort could be horrible.

Steve Gibson has been heavily covering the increase in ransomware on his
excellent podcast Security Now. From SN I've learned some interesting points,
including that Ransomware-as-a-Service is now definitely a thing. There have
been a few major operations which hand out ransomware packages to unethical
hackers in exchange for a % of the Bitcoin they collect.

I can only see ransomware becoming more and more of a problem in the future,
though I certainly hope I'm wrong.

~~~
rectang
As an industry, to mitigate such risks over the long term, we have to move to
continuous restoration, which will require innovation in workflows, tools, and
services.

I also think that we've begun a reassessment of just how much information
needs to be stored, because "Data is a toxic asset." A lot of these systems
have data they don't need mixed in with mission-critical data, which raises
the complexity of restoration.

------
SlavikCA
I had a similar incident at my home lab:

- I had Windows Server 2016 with a few Hyper-V VMs running

- RDP was exposed to the Internet

I remember I was working on that computer, and the screen got locked, like
someone pressed Win+L. So, I logged in and saw a folder on my desktop
called, if I remember correctly, "Process Explorer 2" or something similar. The
screen got locked on me again after a few seconds. I immediately realized the
computer got infected. But after a few minutes, I had a very important meeting
and only came back to investigate after about 3 hours.

Results:

- most of the files on the computer were encrypted. But files which were in
use (should I say "locked"?) stayed. For example, VM disk images stayed
unencrypted (but not metadata). That's how I saved one VM, which was somewhat
important for me.

- I had a Synology NAS with btrfs connected via SMB to that Windows Server and
a few folders got encrypted. But because I have daily snapshots, I restored
that in a few minutes.

After that incident, I reinstalled Windows Server (this time 2019) and started
to pay more attention to security, installed winlogbeat and found that
RDP was getting brute-forced at about 400 000 attempts / week from ~55 000 IPs.
So, I installed a fail2ban analog for Windows:
[https://github.com/DigitalRuby/IPBan](https://github.com/DigitalRuby/IPBan)
and now I'm getting about 600 failed attempts/week.

Here is a screenshot of how the number of RDP attempts decreased after
enabling IPBan:
[https://hsto.org/webt/oq/q1/ir/oqq1irnzeagwsqnbfpe4gbl9f_o.j...](https://hsto.org/webt/oq/q1/ir/oqq1irnzeagwsqnbfpe4gbl9f_o.jpeg)
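The RDP brute-force detection the post above describes, as an added example (not the poster's setup, nor winlogbeat's or IPBan's code): it reads winlogbeat-style JSON lines, counts failed RemoteInteractive logons (Security event 4625, logon type 10) per source IP, and flags addresses that cross a fail2ban-style threshold inside a sliding time window. The field layout and the sample events are constructed assumptions, not real logs.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _event(ts, event_id, ip):
    """Build one constructed winlogbeat-style record (field names assumed)."""
    return json.dumps({"@timestamp": ts, "winlog": {"event_id": event_id,
                       "event_data": {"IpAddress": ip, "LogonType": "10"}}})


# Constructed sample: six failures in 25 s from one address, one failure and
# one success (event 4624) from another. LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [_event(f"2020-02-10T12:00:{s:02d}Z", 4625, "203.0.113.7")
                 for s in range(0, 30, 5)]
SAMPLE_EVENTS += [_event("2020-02-10T12:00:40Z", 4625, "198.51.100.3"),
                  _event("2020-02-10T12:00:41Z", 4624, "198.51.100.3")]


def failed_rdp_logons(lines):
    """Yield (timestamp, source_ip) for each failed RDP logon (event 4625)."""
    for line in lines:
        ev = json.loads(line)
        win = ev.get("winlog", {})
        data = win.get("event_data", {})
        # event_id may be shipped as int or string depending on beat version
        if str(win.get("event_id")) == "4625" and data.get("LogonType") == "10":
            ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, data.get("IpAddress", "-")


def addresses_to_ban(lines, threshold=5, window=timedelta(minutes=5)):
    """Return source IPs with >= threshold failures inside any sliding window
    of the given length: the same kind of rule fail2ban and IPBan apply."""
    recent = defaultdict(deque)
    banned = set()
    for ts, ip in sorted(failed_rdp_logons(lines)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            banned.add(ip)
    return banned


def failure_counts(lines):
    """Total failed RDP logons per source IP, for a weekly summary like the post's."""
    counts = defaultdict(int)
    for _, ip in failed_rdp_logons(lines):
        counts[ip] += 1
    return dict(counts)
```

Pointing it at a real winlogbeat export only changes the input lines; the same per-IP window logic then yields the list a firewall rule would block.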

~~~
SeriousM
So you noticed that the machine was infected and you didn't pull the (network)
plug?

------
sho
Fascinating article. I'm especially concerned about the browser passwords
being vulnerable - how serious is this, really? I would have hoped in 2020
that Mozilla, et al would have something better than plaintext for passwords.

Also the article never really identified how the "patient zero" machine was
infected in the first place. RDP brute force?

~~~
arpa
Mozilla does store the passwords encrypted, but unless you set a master
password, it's more of an obfuscation, as the decryption key is stored in a
key file next to the logins file. If you set a master password that is
sufficiently complex, you should be safe-ish, unless you are facing Mossad.

------
SeriousM
"rdp exposed to internet" - this is the biggest issue. Don't be in the DMZ
with your machines! I have an openssh server running (no password but unique
credentials) and need to connect to my VPN in order to interact with my
machines. Everything else just asks for hackers.

------
jedilance
Amazing article. Introduced many ransomware topics to me.

------
piinthesky
Looks like textbook security services masquerading with what's known, but I
wouldn't like to say which country. Most security researchers are not wise to
the offline tactics employed by the security services which here in the UK
start when you are at school: your school reports, your NHS medical records,
your financial transactions, the motivators of your parents, siblings,
relatives and friends, along with their phenomenal resources and cutting edge
knowledge which they get from universities and others leading their fields. Jeez,
when will people wake up and realise your lives are more scripted than you can
possibly imagine, because your knowledge and expertise is compartmentalised in
mainly one domain, possibly two, but never full spectrum domain knowledge,
with an element of pre-emptive action based on genetics and socioeconomic
standing which helps reinforce stereotypes. The spooks do what will never get
past the ethics boards of universities, because in warfare & survival there
are no ethics despite the rhetoric!

~~~
arpa
Woah woah woah slow down there dude

~~~
piinthesky
Why do you say that? You haven't been on the receiving end of the UK Security
Services & UK Police, which started when I was at primary school. But hey, don't
worry, I'm now officially categorised as F22 Delusion by the NHS, go back to
sleep, twat!

