
The No More Ransom Project - esalman
https://www.nomoreransom.org/
======
CalChris
So this is what a ransom note looks like:

[https://d1b10bmlvqabco.cloudfront.net/attach/is23h8nx8ff3jw/...](https://d1b10bmlvqabco.cloudfront.net/attach/is23h8nx8ff3jw/hktxrml0e933lw/iuogsulv5ns4/20161024123233.jpg)

Short, blunt, helpful, clear. Pretty much what you'd like every memo you've
ever gotten to be. Me, I'm a huge fan of ransom notes and Nigerian scam
emails. We can learn a lot from them.

I'm pretty sure that when you get one of these you're dealing with a
script. You pay .65880 BTC into its wallet, period. There is no negotiation
with a script. What I've also heard is that you can trust the script because
these guys want a good reputation. If it gets out that you paid and you didn't
get unlocked then no one would pay.

If you don't want to pay on the backend then you have to back up on the front
end. You should do that already. You should be able to take a sledge hammer to
your laptop, buy another and not miss a beat. If you could do that then you
could just reformat and reinstall.

Prevention is worth it. Protection is worth it. Paying? Well if you did the
first two you wouldn't be asking that question. But .65880 Bitcoin equals
about 463.97 USD. So you might want to get on the prevention+protection train.

Prevention will help you against viruses, keyloggers, etc that can cause a lot
more economic harm.

Protection, backing up, will also help you in the case of theft or dropping
your MBP out of its sleeve when you get out of the car. Done both.

~~~
Houshalter
That's great until the ransomware gets clever and encrypts your backups too.

I'm extremely skeptical of the people that say ransomware is good for the
economy or whatever. Broken window fallacy. Sure it creates an incentive to
protect against hackers. But isn't that a bit circular? Hackers are good
because they create incentive to protect against hackers? Ransomware is by far
the most economically damaging kind (and personally damaging, for all the
people that lose their family photos...)

There's a lot of blame to go around for this situation. Shitty antivirus
companies that sell a false sense of security and barely work. The broken
security model of windows and most software. How inconvenient and expensive it
is to actually do backups, so because of most basic human psychology most
people put it off... If they are even technically minded enough to know they
should, and most people aren't. Programs that pollute my home folder and
documents with garbage that increases the space necessary to backup (OK that's
just my personal issue.)

~~~
Confusion
I saved my dad from ransomware using the Crashplan backups I set up.
Ransomware can't retroactively encrypt remote (incremental) backups (unless
they hack the service). Admittedly, I now realize they could have deleted
them, so I need to enable the password protection in the app, so nothing can
be changed without the password. However, I don't think it's worth it for the
builders to invest in that: the number of people that could rescue themselves
in such a way is probably negligible.

~~~
Houshalter
The problem is once enough users start using services like that, then it
becomes rational for them to invest in that. It's sort of like security
through obscurity. There is no solution for the general population.

~~~
rini17
It's not so hard for a backup service to ensure users can undo any changes (XX
days back) no matter what way files are removed/overwritten.

------
toennisforst
> When [you are infected with ransomware], you can’t get to the data unless
> you pay a ransom. However this is not guaranteed and you should never pay!

What bothers me about their advice is that it is only correct
macroeconomically. For your particular case it could be the best solution to
just pay - as even police departments have done before.

It also ignores that it is in cybercriminals' best interest to let you decrypt
after you paid: They need their victims to trust them, and they have nothing
to gain from keeping the files encrypted after payment.

~~~
hrehhf
In a twisted sort of way, a person could destroy trust that paying the ransom
will actually get your data back. Someone could create ransomware that will
never decrypt, even after the ransom is paid. Once the victims know the
dishonest ransomware is out there, that may ruin the revenue towards the
"honest" ransomware.

~~~
martey
> _Someone could create ransomware that will never decrypt, even after the
> ransom is paid._

This already exists: [http://arstechnica.com/security/2016/07/posing-as-ransomware...](http://arstechnica.com/security/2016/07/posing-as-ransomware-windows-malware-just-deletes-victims-files/)

> "Once it executes it, it pops up a ransom message looking like any other
> ransomware," Earl Carter, security research engineer at Cisco Talos, told
> Ars. "But then what happens is it forces a reboot, and it just deletes all
> the files. It doesn't try to encrypt anything—it just deletes them all."

~~~
djsumdog
Makes me wonder if it's just buggy or intentional.

~~~
nom
Considering that the operators must actively keep the backend alive and
support the users, it's more likely they abandoned it for whatever reason.

------
mikemoka
About prevention, there is something more that I am not sure has been
mentioned: some tools are taking a new, broader approach to the problem, which
is to constantly monitor for encrypted files and stop the associated
processes, often limiting the loss to a few files. These are the links:

Cryptostalker
[https://github.com/unixist/cryptostalker](https://github.com/unixist/cryptostalker)

Ransomwhere (macOS) [https://objective-see.com/products/ransomwhere.html](https://objective-see.com/products/ransomwhere.html)

Some theoretical information on this approach:

[http://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf](http://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf)

~~~
Houshalter
In principle it's super easy to detect, encrypted files look like random data
and it's unlikely users would be replacing every file with random data on
purpose. It's a never ending war though. If you got enough users to do this,
the hackers would then switch to encryption that mimics what normal files look
like to fool the detector.

~~~
noja
Most users never start writing to all the files on their disk, why can't a
rate limiter and warning kick in if that happens?
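The two heuristics the last two comments describe, high-entropy file contents and an abnormal write rate from a single process, as an added example (not code from the thread or from Cryptostalker, Ransomwhere or the linked paper). The 7.5 bits/byte threshold, the 50-files-in-10-seconds window, the magic-byte skip list and all sample data are constructed assumptions for illustration, and the skip list exists because compressed formats (zip, jpeg, gzip) are also near-random and would otherwise be false positives:

```python
"""Constructed ransomware-activity heuristics (example code, not from the thread):
  1. Shannon entropy of file contents: encrypted output is close to 8 bits/byte.
  2. Per-process write-rate monitor: flag a process that rewrites many distinct
     files within a short window.
"""
import math
import random
from collections import Counter, defaultdict, deque

# Assumed thresholds (constructed, tune for the environment).
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniform random data scores 8.0
MAX_FILES = 50            # distinct files one process may rewrite ...
WINDOW_S = 10.0           # ... within this many seconds before we flag it

# Headers of formats that are legitimately near-random (compressed/container).
# Constructed, non-exhaustive skip list to reduce false positives.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x1f\x8b", b"\x89PNG")


def shannon_entropy(data: bytes) -> float:
    """Return the entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    return shannon_entropy(data) >= threshold


def classify_file(data: bytes) -> str:
    """'skipped' for known compressed formats, else 'encrypted' or 'plain'."""
    if data.startswith(COMPRESSED_MAGIC):
        return "skipped"
    return "encrypted" if looks_encrypted(data) else "plain"


class WriteRateMonitor:
    """Sliding-window count of distinct paths each pid has written to."""

    def __init__(self, max_files: int = MAX_FILES, window_s: float = WINDOW_S):
        self.max_files = max_files
        self.window_s = window_s
        self._writes = defaultdict(deque)  # pid -> deque of (timestamp, path)

    def record(self, ts: float, pid: int, path: str) -> bool:
        """Record one write event; return True if this pid exceeds the limit."""
        q = self._writes[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window_s:  # drop events outside window
            q.popleft()
        return len({p for _, p in q}) > self.max_files


def flagged_pids(events) -> set:
    """Run a stream of (ts, pid, path) events through the monitor."""
    monitor = WriteRateMonitor()
    return {pid for ts, pid, path in events if monitor.record(ts, pid, path)}


# --- constructed sample data -------------------------------------------------
SAMPLE_TEXT = (b"Quarterly budget notes: revenue up 4%, travel costs flat, "
               b"hiring plan unchanged. Review with finance on Monday.\n") * 20
# Deterministic pseudo-random bytes standing in for ciphertext.
_rng = random.Random(1234)
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_JPEG_LIKE = b"\xff\xd8\xff" + SAMPLE_RANDOM  # compressed image stand-in

# pid 1001: a user saving one document a few times; pid 4242: mass rewrite.
SAMPLE_EVENTS = [(0.0, 1001, "notes.txt"), (20.0, 1001, "notes.txt"),
                 (40.0, 1001, "notes.txt")]
SAMPLE_EVENTS += [(100.0 + i * 0.01, 4242, f"doc_{i}.docx") for i in range(200)]

if __name__ == "__main__":
    for name, blob in (("text", SAMPLE_TEXT), ("random", SAMPLE_RANDOM),
                       ("jpeg-like", SAMPLE_JPEG_LIKE)):
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} -> {classify_file(blob)}")
    print("flagged pids:", flagged_pids(SAMPLE_EVENTS))
```

The entropy check alone is the detector Houshalter says an attacker would eventually learn to fool (by producing output that mimics a normal file), and the skip list shows why it also needs tuning on legitimate data; combining it with the write-rate signal, which does not depend on what the bytes look like, makes either evasion more expensive.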

------
noonespecial
I've had plenty of people lose vital files on borked hard disks and pay
_thousands_ to get those files back via drive recovery firms. I've only had
one person ask me about ransomed files whom I advised to pay the $400-ish
demanded.

I told him that most of my clients pay 10x as much to learn how important
backups are.

 _All_ data storage devices _will fail_. What will you do when yours does?

~~~
IndianAstronaut
The worst place I have seen this is in scientific labs. Professors and
graduate students are terrible about keeping backups, making data easy to
understand to others, and maintaining data.

My old professor lost more than 2 years of work when one grad student in our
lab had a car crash and his laptop was destroyed in the crash.

~~~
sliverstorm
I've observed the same. It's baffling, and I don't understand why. Maybe they
are in a nasty spot of workers who are non-techie but 100% reliant on tech?

------
michaelbuckbee
The guy that made HaveIBeenPwned.com (which I'd urge everybody to use) has a
solid free course on Ransomware essentials at:
[https://www.varonis.com/learn/introduction-to-ransomware/](https://www.varonis.com/learn/introduction-to-ransomware/)

It's not the ideal thing for people here on HN, but it's pretty much the ideal
thing to send to your non/semi-technical boss or stakeholder at your company
who isn't taking ransomware seriously.

------
metafunctor
Is there any case where versioned backups wouldn't completely solve a
ransomware situation?

Assuming, of course, that the ransomware doesn't somehow spider out and
compromise all your past backups as well. Let's assume your past backup
versions are safe.

~~~
Houshalter
Are the versioned backups physically separated from the infected machine?
Otherwise what stops it from just encrypting your backup hard drives as well,
every time you connect them?

~~~
colejohnson66
What about a versioned filesystem (like ZFS)?

~~~
syrrim
If they had root access they could probably encrypt the whole drive,
filesystem and all.

------
tgb
For protection, I put all my files I care about on Dropbox. Is that enough?
It's enough for backup for most things, but I worry attackers would be smart
enough to kill it and also the old revisions that Dropbox stores.

~~~
varenc
Dropbox has a help article on ransomware:
[https://www.dropbox.com/help/8408](https://www.dropbox.com/help/8408)

For mass deletes that are cumbersome to recover using Dropbox's interface,
that article mentions you can contact customer support to get assistance
recovering from mass deletion events.

~~~
tgb
Great thank you.

------
hatsunearu
I like the message but it ticked me off that the prevention methods they
introduce (backup to cloud and/or use physical media) is coincidentally
somewhat related to the sponsors: AWS and Barracuda.

------
tarr11
Is using a VM to surf the web a reasonable answer? Are there any VMs (for my
MBP for example) that are reasonably fast, don't take a lot of battery, and
not clumsy?

Can't this be built into the OS so I don't actually have to do it?

~~~
codedokode
Something like this is built into Android and iPhone. Since all major desktop
OSes are only good at protecting one user from another, mobile OSes run every
application under its own user account. So a vulnerability in an image viewer
would not give an attacker access to other apps' data. But the system is not
perfect, for example the kernel can still be attacked (and as we know a lot of
vulnerabilities were found in Linux in recent years) and on Android the files
on the sdcard partition are not protected at all.

But desktop OSes don't do anything at all to protect the user. They allow the
user to run a program by just clicking a link in email or web browser and this
program has full access to all their data as does the PDF viewer or Java
plugin in a browser. The desktop operating systems still use security models
from mainframe era.

~~~
ndesaulniers
> So vulnerability in an image viewer would not give an attacker access to
> other apps' data.

By having separate users per app, apps can't read each other's files by
default. If one app has a vulnerability that can be used to acquire root, that
app can read all files after disabling SELinux.

~~~
codedokode
> If one app has a vulnerability that can be used to acquire root

To get root privileges you need to attack the kernel (or the application that
has those privileges). Having a bug in an image viewer is not enough.

You can try to make obtaining root privileges more complicated only by
reducing the attack surface with restricting system calls each application is
allowed to make or with redesigning the kernel so that less code is executed
in ring 0 (microkernel architecture).

But recent vulnerabilities like Dirty COW or rowhammer could work even in this
case.

------
rwallace
Remember if your backup solution is a USB drive, you actually need at least
two USB drives, with at least one of them disconnected from your computer at
all times. If you only have one, the virus will encrypt that one along with
your computer. That needs to be spelled out, because people intuitively think
backing up to a single USB drive is sufficient.

------
Paul_S
If you are willing to pay the ransomware demands who are you going to pay when
your HDD fails? I'm not saying ransomware isn't a problem in itself but from a
user's perspective it's indistinguishable from HDD failure and should be dealt
with by using backups.

~~~
Houshalter
Ransomware can infect your backups too, though. HDD failures aren't contagious.

~~~
rini17
Ever heard about bitrot?

------
edem
How can a ransomware infect my computer when I visit a website? This site
claims it can happen. I understand how the attachment version works but not
this one. I'm a security newb.

~~~
shoghicp
Some websites can use security vulnerabilities in different parts of the
browser (rendering, image format parsers, Javascript, PDF, fonts, and
everything else supported by the browser) to run code on your machine.

~~~
aweinstock
For a concrete example of what exploitation of a JS engine bug looks like,
PlaidCTF2016 had a challenge that allowed people to run JS in a patched
version of V8 that deliberately introduced a bug in array index checking, with
the goal being to run x86 machine code.

The patch to v8: [http://lpaste.net/317342](http://lpaste.net/317342)

An exploit:
[https://gist.github.com/sroettger/d077d3907999aaa0f89d11d956...](https://gist.github.com/sroettger/d077d3907999aaa0f89d11d956b438ea)

While this bug was artificial, there were (and can still be) bugs with similar
consequences in actual engines (see [https://www.cvedetails.com/vulnerability-list/vendor_id-1224...](https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-17734/Google-V8.html) or
[https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spidermonke...](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spidermonkey) for historical examples).

While a bug in most of the components you mention is bad by itself, their
impact is magnified by the presence of JavaScript, which allows an attacker to
interleave calculations and interactions with the buggy components, bypassing
many mitigations.

------
happy-go-lucky
My mini Ask HN:

Do you trust makers of security software?

~~~
perlgeek
Not the big ones that are well-known names in the PC market. There are quite
some shady security software vendors out there, and a handful very competent
ones that I trust if I have to.

~~~
andrewl
Can you expand on that? Who are the good ones, and the bad ones?

~~~
perlgeek
The bad ones are typically well-known desktop antivirus scanners that try to
score by showing you a high number of threats they allegedly defeated. If you
look at those threats in detail, they turn out to be browser cookies, or
bookmarks, or something similarly trivial.

Identifying good vendors and products is generally harder. I've heard good
things about canary.tools and bromium, for example. Both explain what they do
in terms that don't make a techie roll their eyes (too much at least):
[https://canary.tools/#how-it-works](https://canary.tools/#how-it-works) and
[https://www.bromium.com/advanced-endpoint-security/our-techn...](https://www.bromium.com/advanced-endpoint-security/our-technology.html)

A good (but not exhaustive) test is to look at what the vendors promise. If
they promise you full protection of your machine or network, you know they are
full of shit. If they talk only about one aspect (identifying attackers,
reducing the attack surface on a browser), things start to look better.

------
philfrasty
OT question: is there no way to flag that bitcoin address in any way (so it
gets locked / they cannot withdraw anything)?

~~~
bendoernberg
The original purpose of Bitcoin was to create digital cash. It is possible to
track the transaction history of funds in a bitcoin address, but there is
currently no central authority who can blacklist/lock addresses, and most of
the major participants in the bitcoin system (users, miners, exchange
operators, darknet drug markets) are not interested in changing that.

------
BWStearns
So a thought on why attackers make "flawed" ransomware. They want to get paid
as soon as possible, and a target pays a potentially heavy opportunity cost
for noncompliance (waiting for someone to break the rw). The opt-outs are
already not going to be "customers", and the "customers" you do get would pay
even if they were only going to be locked out for 3 months. You get no extra
money for making unbreakable ransomware.

Edit: this may be similar economically to the Nigerian princes' aversion to
English class.

------
executesorder66
How likely are you to be infected with ransomware if you run a rolling-
release Linux distro and update almost daily?

I also use uBlock Origin, but I don't disable javascript for any websites.

------
haberman
Do Google Drive / Dropbox cloud backups help in this situation? Or do the
encrypted versions propagate into the cloud and irreversibly overwrite the
plaintext versions?

~~~
johannesg
Google Drive keeps old versions of every file for 30 days. Enough time to
recover the plaintext versions.

~~~
BJanecke
I recently had to help someone out, and the ransomware was smart enough to be
able to mess with gDrive revisions :/

------
franciscop
I started writing about this but just as a personal safeguard. Yesterday I dropped
my phone by accident, it cracked and doesn't work anymore. But besides the
monetary loss, everything was backed up from the day before so no problem.

------
shmerl
Hm. I first thought it was an effort to pool resources to repeal patent
trolls.

------
handonam
Would a NAS like QNAP/Synology be sufficient, with proper maintenance
(updates, antivirus scanning, credentials)? Trying to think of what I could be
mindful of here.

------
benshu
Seems more like a way for the involved parties to collect data on new
ransomware popping up on the web than a genuine effort to help victims.

------
debt
I had no idea this was such a massive problem. How often are nefarious perps
holding people's private data hostage?

Seems overblown.

~~~
y80
It's a very big problem, Cryptolocker in 2013 was able to score its creators
around $27 million. That was 3 years ago, it's a pretty dangerous and
persistent threat.

------
nodesocket
This is a Windows phenomenon only right? I'd just restore from Time Machine
and go along on my way.

~~~
Klathmon
I don't know of any Mac specific variants off the top of my head, but there is
no reason why Mac would be immune to it.

And the "good" versions of these do things like encrypt or outright delete
things like time machine before encrypting the rest.

~~~
mastax
You may remember an incident with Transmission recently. That was a bundled
mac ransomware.

[https://blog.malwarebytes.com/cybercrime/2016/03/first-mac-r...](https://blog.malwarebytes.com/cybercrime/2016/03/first-mac-ransomware-spotted/)

------
rhapsodic
I'm afraid to click the link. Anyone care to provide a tl;dr?

~~~
elorant
Anytime you're in a similar dilemma just disable JavaScript. There are even
plugins that allow you to do that with one click.

~~~
gregoor
The better advice is imo to keep your browser up-to-date. JS exploits have
become increasingly rare these days, mostly due to Chrome's excellent
example of patching quickly and paying good money for exploits (e.g. Pwn2Own).
JS 0days are imo far too valuable now to waste them on normal users. So no,
disabling JS wouldn't make much sense, if you have an evergreen browser.
Disable Flash & Java and try to minimize downloads is the security advice I
give nowadays. Also don't install anything unless you absolutely have to
(there are plenty of good in-browser options for programs we used to install,
e.g. for file conversion).

~~~
hhmc
What do the JS 0days get used for nowadays?

~~~
startling
Attacking high-value dissidents:
[https://blog.lookout.com/blog/2016/08/25/trident-pegasus/](https://blog.lookout.com/blog/2016/08/25/trident-pegasus/)

------
bikamonki
Anyone else want to do the static-site server-less dance with me? Or would you
rather keep playing cat and mouse on a broken Internet?

