
The Frightening Power of Ransomware Done Right - elorant
http://nautil.us/issue/66/clockwork/the-100-million-bot-heist
======
dmos62
I've recently learned that OpenZFS has effective counter-measures for
ransomware and data corruption in general. Quote from here [0]:

> As a copy-on-write file system, OpenZFS provides efficient and consistent
> snapshots of your data at any given point in time. Each snapshot only
> includes the precise delta of changes between any two points in time and can
> be cloned to provide writable copies of any previous state without losing
> the original copy. Snapshots also provide the basis of OpenZFS replication
> or backing up of your data to local and remote systems. Because an OpenZFS
> snapshot takes place at the block level of the file system, it is immune to
> any file-level encryption by ransomware that occurs over it. A carefully-
> planned snapshot, replication, retention, and restoration strategy can
> provide the low-level isolation you need to enable your storage
> infrastructure to quickly recover from ransomware attacks.

[0] [https://www.ixsystems.com/blog/combating-ransomware/](https://www.ixsystems.com/blog/combating-ransomware/)

~~~
amelius
I suppose that snapshotting will cause old versions of the data to be thrown
away, once the old versions start taking up too much disk space. Then I
suppose the ransomware can take advantage of this and simply perform so many
writes that the unencrypted versions of the data are thrown away. And isn't
this what happens anyway when a disk is nearly full and you start encrypting
its contents?

~~~
contravariant
It would be weird for a system to throw away its backups automatically at
arbitrary times.

~~~
Wowfunhappy
What would you have the software do when it runs out of space? IMO, not making
new backups would be worse than deleting old ones.

~~~
namibj
It's actually not allowing you to write new data at all. So it prevents the
user from assuming there is more space to store his data, as there is not
sufficient space with his indicated/configured data retention wishes.
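The retention argument in the comments above, as an added toy model (not OpenZFS code, not from the iXsystems post, and it does not invoke zfs(8)): every write allocates a fresh block (copy-on-write), a snapshot pins the blocks live at that instant, and when the pool is full the configured policy either prunes the oldest snapshot or fails the write. The capacity, the file names and the write burst are constructed for the demonstration.

```python
"""Toy model of copy-on-write snapshot retention under a fixed space budget.

Added illustration for the retention argument in the comments above; it is
not OpenZFS code, not from the iXsystems post, and does not invoke zfs(8).
It models only what the thread argues about: every write allocates a fresh
block (copy-on-write), a snapshot pins the blocks live at that instant, and
when the pool is full the configured policy either prunes the oldest
snapshot ("prune", which can discard the last clean copy) or fails the write
("refuse", which keeps it at the cost of blocking new data).
"""
from dataclasses import dataclass, field


@dataclass
class Pool:
    capacity: int                                   # blocks the pool can hold
    files: dict = field(default_factory=dict)       # path -> current block id
    blocks: dict = field(default_factory=dict)      # block id -> content
    snapshots: list = field(default_factory=list)   # each: {path: block id}
    next_id: int = 0

    def _live_blocks(self) -> set:
        live = set(self.files.values())
        for snap in self.snapshots:
            live.update(snap.values())
        return live

    def used(self) -> int:
        return len(self._live_blocks())

    def snapshot(self) -> None:
        # A snapshot is only a table of references; it costs no data blocks.
        self.snapshots.append(dict(self.files))

    def _gc(self) -> None:
        # Blocks referenced by neither the live tree nor any snapshot are freed.
        live = self._live_blocks()
        self.blocks = {b: c for b, c in self.blocks.items() if b in live}

    def _blocks_after_write(self, path: str) -> int:
        # One new block, minus the old one if no snapshot still pins it.
        old = self.files.get(path)
        pinned = any(old in snap.values() for snap in self.snapshots)
        freed = old is not None and not pinned
        return self.used() + 1 - (1 if freed else 0)

    def write(self, path: str, content: bytes, policy: str) -> bool:
        """Copy-on-write update; returns False if the policy refused it."""
        while self._blocks_after_write(path) > self.capacity:
            if policy == "prune" and self.snapshots:
                self.snapshots.pop(0)       # oldest snapshot goes first
                self._gc()
            else:
                return False                # "refuse": pool reports no space
        block_id = self.next_id
        self.next_id += 1
        self.blocks[block_id] = content
        self.files[path] = block_id
        self._gc()
        return True

    def clean_copies(self, path: str, original: bytes) -> int:
        """Snapshots that still reference an unencrypted block for `path`."""
        return sum(1 for snap in self.snapshots
                   if path in snap and self.blocks[snap[path]] == original)


def simulate(policy: str, capacity: int = 6) -> dict:
    """Constructed scenario: one document, a snapshot, then ten hostile rewrites,
    each followed by an automatic snapshot (as a frequent-snapshot schedule would)."""
    original = b"quarterly report, plaintext"
    pool = Pool(capacity)
    pool.write("report.txt", original, policy)
    pool.snapshot()                                  # the clean copy is pinned here
    accepted = 0
    for i in range(10):
        if pool.write("report.txt", b"ENCRYPTED-%d" % i, policy):
            accepted += 1
            pool.snapshot()
    return {
        "writes_accepted": accepted,
        "clean_copies": pool.clean_copies("report.txt", original),
        "blocks_used": pool.used(),
        "snapshots": len(pool.snapshots),
    }


if __name__ == "__main__":
    for policy in ("prune", "refuse"):
        print(policy, simulate(policy))
```

Under "prune" all ten hostile writes succeed and the only snapshot holding the plaintext is evicted; under "refuse" the pool stops accepting data after five writes and the clean copy survives, but legitimate writes are blocked just the same until an administrator frees space, which is the trade-off the comments above describe. The model ignores quotas, reservations and per-dataset limits that a real pool would layer on top.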

------
turc1656
_" If Bogachev had been more careful about not using his real name when
registering for accounts, he might not now be the FBI’s most wanted
cybercriminal."_

I'm not sure he cared about being discovered given this information... _"
Bogachev lives in the resort town of Anapa on the Black Sea, where Russian
officials have declined for years to arrest him or extradite him to the United
States. In fact, the Russian government has benefited from his criminal
activity."_

Friends in high places never hurt, especially if they are corrupt. He
basically gets to live life like a Bond villain, so I'm reasonably confident he
never intended to hide his name or activity for the long haul.

~~~
Misdicorl
It still makes him 100% reliant on those friends, who you've already noted are
corrupt. He's likely already been squeezed out of 99% of this money.

~~~
meowface
Quite possibly, but he's probably still a millionaire. Not a bad deal for him.
He still gets to make millions and commit fraud scot free, with the protection
of the Russian government. He also gets to have fun working on sophisticated
malware and novel C2 infrastructure architectures, continuously honing his
skills.

If I were him (and also had no morals) I'd probably be pretty happy with my
life.

------
Wowfunhappy
Something I've long wondered about—shouldn't ransomware be relatively easy to
detect with a heuristic? There aren't all that many† legitimate use cases for
rewriting 30%+ of the data on your hard disk. Seems like a good time for the
OS to pause the process and notify the user before continuing. If ZFS
snapshots or similar are in use, there are even fewer cases where you'd want
to rewrite 30% of data _and_ delete all snapshots.

† Note, "not many" ≠ zero. I realize this would sometimes result in false
positives, but I imagine the trade-off would be worthwhile, _especially_ if
the protection was user controlled.

~~~
technion
Windows admins have been running heuristics with File Server Resource Manager
for a few years. We had users disabled and SMB access immediately denied for
users that created certain file types, and email alerts sent. It was
surprisingly effective.

------
humbermetallic
An interesting read, thanks for sharing. At the end, the ransomware WannaCry was
mentioned. Is it in any way related to Bogachev's operations, or is it
confirmed to be an effort by North Korea? The part where he uses his real name
for a Yahoo account does sound stupid, but maybe he really felt safe that
Russian authorities won't cooperate with an international arrest order.

------
Damogran6
Another thing to look at is dedupe percentage... if things all of a sudden stop
compressing really well, it's an indicator of text files being converted to
encrypted, random-looking noise.
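The three indicators raised in this thread (the 30% rewrite idea, the FSRM-style file screen on created extensions, and the drop in compressibility), combined into one added detection example. It is not code from the article, from Windows FSRM or from any product; the thresholds, the screened extension list, the sample files and the "ciphertext" stand-in are all constructed for the demonstration.

```python
"""Three cheap ransomware indicators run over a constructed file set.

Added example for the detection ideas in this thread; not code from the
article, from Windows FSRM, or from any product. It scores a before/after
view of a directory on: the fraction of files rewritten, newly created names
matching a screened extension list, and a collapse in aggregate
compressibility. Thresholds and the extension list are constructed.
"""
import hashlib
import zlib

REWRITE_THRESHOLD = 0.30          # constructed: flag if >30% of files changed
RATIO_JUMP_THRESHOLD = 0.30       # constructed: flag if compress ratio rises this much
SCREENED_SUFFIXES = (".locked", ".encrypted", ".crypt")   # constructed sample list


def compress_ratio(blobs) -> float:
    """Bytes after zlib / bytes before, over the whole set (1.0 = incompressible)."""
    blobs = list(blobs)
    raw = sum(len(b) for b in blobs)
    packed = sum(len(zlib.compress(b)) for b in blobs)
    return packed / raw if raw else 0.0


def assess(before: dict, after: dict) -> dict:
    """before/after map path -> content. Returns the indicators and a verdict."""
    # A file counts as rewritten if its bytes changed or it vanished (renamed).
    rewritten = [p for p, data in before.items() if after.get(p) != data]
    fraction = len(rewritten) / len(before) if before else 0.0

    new_names = [p for p in after if p not in before]
    screened = [p for p in new_names if p.lower().endswith(SCREENED_SUFFIXES)]

    ratio_before = compress_ratio(before.values())
    ratio_after = compress_ratio(after.values())

    indicators = {
        "rewrite_fraction": fraction > REWRITE_THRESHOLD,
        "screened_names": bool(screened),
        "compressibility_collapse": ratio_after - ratio_before > RATIO_JUMP_THRESHOLD,
    }
    hits = sum(indicators.values())
    return {
        "rewrite_fraction": fraction,
        "screened_names": screened,
        "ratio_before": round(ratio_before, 3),
        "ratio_after": round(ratio_after, 3),
        "indicators": indicators,
        "verdict": "suspicious" if hits >= 2 else "normal",
    }


def _random_blob(tag: str, size: int = 2048) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{tag}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


# Constructed baseline: ten small, highly compressible text files.
BEFORE = {f"notes{i}.txt": (f"meeting notes {i}\n" * 100).encode() for i in range(10)}

# Constructed benign change: two files get edited in place.
BENIGN_AFTER = dict(BEFORE)
for _p in ("notes0.txt", "notes1.txt"):
    BENIGN_AFTER[_p] = BEFORE[_p] + b"follow-up item added\n"

# Constructed ransomware-like change: seven files replaced by "ciphertext" under a new name.
RANSOM_AFTER = dict(BEFORE)
for _i in range(7):
    del RANSOM_AFTER[f"notes{_i}.txt"]
    RANSOM_AFTER[f"notes{_i}.txt.locked"] = _random_blob(f"notes{_i}")

if __name__ == "__main__":
    for label, snapshot in (("benign edit", BENIGN_AFTER), ("bulk rewrite", RANSOM_AFTER)):
        print(label, assess(BEFORE, snapshot))
```

The benign edit trips none of the three indicators; the bulk rewrite trips all three, with the aggregate compression ratio jumping from a few percent to roughly 0.75. Requiring two of three before alerting is the kind of knob the footnote above is asking for: a user bulk-converting images would trip the compressibility test alone, a rename sweep would trip the rewrite fraction alone, and neither alerts.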

------
mettamage
To know a bit more about one of the researchers see:
[https://syssec.mistakenot.net/](https://syssec.mistakenot.net/)

He gave a lecture about it in one of the classes I followed at one point.

------
nailer
> there was no way to predict which domains the DGA would come up with for any
> given week.

Wouldn't there be a seed on each infected machine used to determine the
current C&C domains to use? Why couldn't we predict them?
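The mechanism behind the question above, as an added toy example: a generator that derives the week's rendezvous names from an input every infected host shares produces the same list everywhere, so a defender who has recovered the algorithm can compute the list ahead of time, block or sinkhole it, and match DNS logs against it. This is a constructed scheme, not the Gameover ZeuS algorithm or any real malware's; the TLD list, the log format and the sample log are assumptions, and nothing here settles whether the real generator was predictable in practice.

```python
"""Why a deterministic, date-seeded domain generator is predictable.

Added example for the question above; it is a constructed toy scheme, not the
Gameover ZeuS algorithm or any real malware's. The TLD list, the log format
and the sample log are assumptions. If every infected host derives the week's
rendezvous domains from the same public input (here, the ISO week), a defender
who has recovered the algorithm can compute the same list in advance; the same
code then checks a DNS log against that list.
"""
import hashlib
from datetime import date, timedelta

TLDS = (".com", ".net", ".org")         # constructed


def week_seed(day: date) -> bytes:
    """Seed shared by all hosts for the ISO week containing `day`."""
    year, week, _ = day.isocalendar()
    return f"{year}-W{week:02d}".encode()


def candidate_domains(day: date, count: int = 5) -> list:
    """Toy generator: hash(week seed, index) -> label.tld. Same input, same output."""
    seed = week_seed(day)
    domains = []
    for i in range(count):
        label = hashlib.sha256(seed + bytes([i])).hexdigest()[:12]
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def blocklist_for_range(start: date, days: int, count: int = 5) -> set:
    """Precompute every candidate for the weeks covering [start, start + days)."""
    names = set()
    for offset in range(days):
        names.update(candidate_domains(start + timedelta(days=offset), count))
    return names


def flag_queries(log_lines, blocklist) -> list:
    """Return log lines whose queried name is on the precomputed list.
    Constructed log format: '<timestamp> <client-ip> <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[-1].rstrip(".").lower() in blocklist:
            hits.append(line)
    return hits


# Constructed DNS log: two ordinary lookups and one of this week's generated names.
WEEK_OF = date(2014, 7, 11)
SAMPLE_LOG = [
    "2014-07-11T10:00:01 10.0.0.12 www.example.com.",
    f"2014-07-11T10:00:02 10.0.0.12 {candidate_domains(WEEK_OF)[2]}.",
    "2014-07-11T10:00:03 10.0.0.33 mail.example.org.",
]

if __name__ == "__main__":
    upcoming = blocklist_for_range(WEEK_OF, 14)
    print(f"{len(upcoming)} names precomputed for the next two weeks")
    for hit in flag_queries(SAMPLE_LOG, upcoming):
        print("flagged:", hit)
```

Two dates in the same ISO week yield the same list and the next Monday yields a different one, which is the whole defensive lever: a per-machine seed, as the comment wonders about, would make the list unpredictable to defenders but equally unpredictable to whoever has to register the domains in advance, so generators are keyed to inputs both sides can compute. Fourteen days starting on a Friday span three ISO weeks, hence fifteen names in the precomputed set.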

~~~
deft-code
Why would taking down the C&C for one week kill the botnet? Or for that matter
even a few months. I assume the bots can just keep trying to find the C&C
until it finally gets through.

~~~
brokenmachine
I don't think it did kill the botnet.

From the article: "on July 11, 2014, the Justice Department reported that the
number of computers infected with GOZ malware had been reduced by 31 percent
thanks to law enforcement intervention."

Also they were blocking the autogenerated domains on a weekly basis, but that
would only work if the infected machine was in the US I believe.

------
tim333
> spent lavishly on a fleet of luxury cars, two French villas, and a large
> yacht ... lives ... on the Black Sea, where Russian officials have declined
> for years to arrest him

It's a shame the Russians aren't a little more cooperative with stopping this
kind of stuff.

~~~
j0hnml
Why would they? The RU government is likely directly involved with these kinds
of attacks/campaigns.

~~~
rdtsc
The article even mentions that allegedly the bot network was used to launch
attacks beneficial to the Russian government.

If there is any criminal organization powerful enough in Russia, and their
leaders haven't been assassinated or imprisoned, it's safe to assume they work
closely with the government.

~~~
acct1771
Obligatory: US/West is precisely the same.

------
demygale
I wish articles had dates on the byline.

------
brokenmachine
Wouldn't they be able to trace who registered the C&C domain every week?

