
Newly evolved ransomware is bad news for everyone - Dodonut
http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/
======
dr_zoidberg
Petya ransomware is known in the infosec community to be especially simple to
solve because instead of using an AES cipher it applies XOR to the MBR/GPT and
MFT of the filesystem (ciphering the MFT was the new method here).

If you know what a filesystem begins with and other common filesystem
signatures (NTFS FILE records, for example), then you can derive the XOR key
used and reconstruct everything without paying the 0.99 bitcoins they demand.

Even then, if it just affected the MFT, you can do file carving and recover
most of the files (there are always those pesky important files that will
rebel and be fragmented or disappear completely). This last part is
speculation of mine, I haven't been able to work on a Petya-infected system
yet.
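
As an added illustration of the known-plaintext recovery dr_zoidberg describes (example code, not from the article or from any Petya analysis): a toy image of fixed-size records carrying the NTFS `FILE` magic and the allocated-size field is XORed with a constructed repeating 8-byte key, and the key is recovered purely from those predictable bytes. The repeating-key model, the 8-byte key and the record layout used here are assumptions for the demonstration, not a description of the real malware.

```python
"""Known-plaintext recovery of a repeating XOR key from a toy MFT image."""
import random
import struct

RECORD_SIZE = 1024                           # NTFS FILE records are 1 KiB each
KEY = bytes.fromhex("a35c01ff7e902b44")      # constructed 8-byte key (assumption)

def build_toy_mft(n_records, seed=1):
    """Constructed stand-in for an MFT: every record starts with the 'FILE'
    magic and carries its allocated size (0x400) at offset 28; the rest of
    each record is random filler standing in for real attributes."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_records):
        rec = bytearray(rng.getrandbits(8) for _ in range(RECORD_SIZE))
        rec[0:4] = b"FILE"
        rec[28:32] = struct.pack("<I", RECORD_SIZE)
        out += rec
    return bytes(out)

def xor_repeating(data, key):
    """Encrypt or decrypt with a repeating XOR key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def known_bytes(n_records):
    """Image offsets whose plaintext a defender can predict from the format."""
    known = {}
    for r in range(n_records):
        base = r * RECORD_SIZE
        known.update(zip(range(base, base + 4), b"FILE"))
        known.update(zip(range(base + 28, base + 32), struct.pack("<I", RECORD_SIZE)))
    return known

def recover_key(ciphertext, known, keylen):
    """Key bytes (None where no known byte covers a position), or None when two
    known bytes disagree, which means this key length is wrong."""
    key = [None] * keylen
    for off, p in known.items():
        k = ciphertext[off] ^ p
        if key[off % keylen] not in (None, k):
            return None
        key[off % keylen] = k
    return key

def guess_key(ciphertext, known, max_len=64):
    """Smallest key length that is consistent with every known byte and leaves
    no key position undetermined (a heuristic; more known plaintext tightens it)."""
    for n in range(1, max_len + 1):
        key = recover_key(ciphertext, known, n)
        if key is not None and None not in key:
            return bytes(key)
    return None
```

Because 1024 is a multiple of the key length, the `FILE` magic alone only ever reveals key positions 0 to 3; the allocated-size field at offset 28 supplies the other four, which is why combining several predictable structures matters.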

~~~
21
One thing future malware might do is to encrypt the drive using the BitLocker
API/command line, since BitLocker already knows how to do this reliably and
with minimal system impact.

Or change the key if it's already encrypted.

~~~
dr_zoidberg
Don't know if that's possible, I haven't worked in the details of BitLocker,
but... It derives the key from a secret that is stored in hardware (a trusted
key platform module I think it's called) or somehow related to the user (MS
account? password?), so I don't think it'd be possible to encrypt something
through BitLocker that can't be unlocked by the legitimate user.

Then again, I'm a bit sloppy on BitLocker mechanisms.

------
rwmj
Ransomware demands money. The electronic money transfer services are amongst
the most surveilled and spied-upon of all electronic services. So why doesn't
law enforcement follow the money and arrest the culprits? (Unfortunately I
think I know the answer: because they've got their priorities wrong)

~~~
21
Ransomware typically uses Bitcoin, which is rather hard to track if you do it
properly.

And it's not like solving a $1K ransom is a high priority case for LE, so you
are partially right.

Like the saying goes, there is a lot of bike stealing because LE doesn't
really care about stolen bikes.

~~~
tptacek
LE doesn't care about stolen bikes because their constituency doesn't care
about stolen bikes. Do some back-of-the-envelope math about what it would
take in terms of person/hours to seriously investigate a single bike theft,
then multiply that by the fully loaded cost of a single police officer.

If a municipality decided to take bike theft seriously, by paying increased OT
or expanding the police department employment rolls, law enforcement would be
all over it.

A similar problem exists for ransomware. Ransomware attacks are less frequent
and more targeted, but _drastically_ harder to investigate. We could spend
many billions more to build an infosec investigative capability in state
governments, and that would help, but we would rather spend those billions on
other things.

~~~
ufmace
Kinda OT, but this made me think of what would be involved in really cracking
down on bike theft. You'd probably have to start by registering bikes and
putting license plates on them, just like cars, and aggressively enforcing the
maintenance of those registrations and license plates. So you'd start off by
hassling legitimate riders first so that in the future it would be easier to
spot a stolen bike and prove that it's stolen. Probably more trouble than it's
worth, considering how many kids and low-income people use bikes for
transportation.

Similarly, getting serious about tracking Bitcoin movements would probably
involve a lot of new regulations around the use of Bitcoin, and somehow
enforcing them worldwide.

I suppose the point was more that the police are likely to be very interested
if you rip off one company for $50k, but it's harder to get them interested
when you rip off $1k from 50 people spread around dozens of jurisdictions.

~~~
ScottBurson
The point I've seen made about bike theft is that although the reward from a
successful bike theft is small, the risk -- the probability of being caught
times the likely consequence if one is caught -- is extremely small in most
places. So the reward/risk calculation easily supports committing the theft.

But if a municipality devotes even a small amount of resources -- an officer
or two, full-time, I guess -- to prosecuting bike theft, that can raise the
odds of getting caught for a single theft, I don't know, maybe three orders of
magnitude -- from 10^-6 to 10^-3, let's say. Someone who steals hundreds of
bikes a year is then looking at a real chance of getting caught for one of
them.

What I've seen argued, and I seem to recall there's even experimental evidence
to support this, is that that's enough to reduce the reward/risk ratio to the
point where bike theft as a career, at least, is uneconomic. You might still
get occasional opportunistic thefts -- leaving a bike unlocked would still not
be recommended -- but the bulk of the problem would go away.

Coming back to the topic, the same principle probably applies here. You don't
have to even try to solve all the ransomware crimes; you just have to solve
enough of them, and come down hard enough on the perpetrators, to change the
reward/risk calculation. That will probably be a lot harder to do, though,
since they're unlikely to even be in the same country as the victims.

~~~
mistermann
Get caught stealing a bike (maybe 2nd offense, whatever), you get 3 months in
a labor camp. 2nd offense, one year.

2 years in, run the stats and see if there's been an effect.

------
pmoriarty
There is a silver lining to ransomware and other forms of malware. The more
people get bitten by them, the more security-conscious they'll become. This is
the social piece of the technology/society security puzzle falling in to
place. Pity it comes at the cost of so much misery.

~~~
21
From the OS point of view it should be pretty obvious when a massive number of
files are suddenly being re-written.

Maybe the OS could put a dialog up, along the line "Excuse me, I've noticed
that a large number of files are being modified/deleted. This could be an
active attack going on. Do you know about this, is this something that you are
trying to do?"

Of course, malware will fight back by maybe encrypting only the file-system
index (like some recent one does), or by slowly encrypting files over a
period.

But still, changing a large number of user files should be noticeable.
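
An added example (not from the thread) of the heuristic 21 proposes and the evasion it anticipates: a trailing-window count of distinct modified files, run over constructed event logs, flags a fast rewrite of 200 files but never fires on the same 200 files drip-fed one per minute. The log format, window and threshold are assumptions chosen for the demonstration.

```python
"""Trailing-window detector for mass file modification, with the slow-drip case."""
from collections import deque
from datetime import datetime, timedelta

def parse_events(lines):
    """Parse constructed 'ISO-timestamp<TAB>path' lines into sorted (time, path)."""
    events = []
    for line in lines:
        ts, path = line.rstrip("\n").split("\t", 1)
        events.append((datetime.fromisoformat(ts), path))
    return sorted(events)

def detect_bursts(events, window=timedelta(seconds=10), threshold=100):
    """Return (time, distinct_files) for every event at which more than
    `threshold` distinct files were modified within the trailing `window`."""
    recent = deque()            # events still inside the window
    counts = {}                 # path -> occurrences inside the window
    alerts = []
    for t, path in events:
        recent.append((t, path))
        counts[path] = counts.get(path, 0) + 1
        while recent and t - recent[0][0] > window:
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > threshold:
            alerts.append((t, len(counts)))
    return alerts

def make_events(start, n_files, spacing):
    """Constructed log: n_files distinct documents rewritten `spacing` apart."""
    return [f"{(start + i * spacing).isoformat()}\t/home/user/docs/file{i:04d}.docx"
            for i in range(n_files)]

T0 = datetime(2016, 4, 1, 9, 0, 0)
# Fast rewrite: 200 files in about 6 s, well inside one 10 s window.
BURST_LOG = make_events(T0, 200, timedelta(milliseconds=30))
# Slow drip: one file per minute, so no 10 s window ever holds more than one.
DRIP_LOG = make_events(T0, 200, timedelta(seconds=60))

def first_alert(lines):
    """First (time, distinct_files) alert for a log, or None if it never fires."""
    alerts = detect_bursts(parse_events(lines))
    return alerts[0] if alerts else None
```

The drip case is why a pure rate threshold is not enough on its own; a detector would also need to track cumulative changes per process over longer horizons, which this example deliberately leaves out.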

~~~
userbinator
It's unfortunate that SSDs and the disappearance of HDD activity indicator
lights have made it harder to notice things like this. Massive filesystem
activity 10 years ago would be immediately recognisable from all the drive
noise, the slowdown, and a solid indicator light. Now it's maybe a barely
perceptible slowdown.

~~~
unclebucknasty
Good point. I remember specifically discovering a drive-by download this way
back in 2004-ish. Hard drive started going crazy on my desktop when I visited
an A/V review website that otherwise seemed benign enough.

------
microcolonel
As good a time as any to switch my workstation to OpenBSD.

------
reustle
I find myself caring less and less about ransomware on my laptop because
everything is in the cloud. I wonder if that is exactly what they (insert evil
cloud provider here) want me to think? (removes tinfoil hat)

~~~
cm2187
Like Dropbox? I would expect the malware to encrypt it like any other folder,
you will just have encrypted files in the cloud. Unless your provider gives
you incremental backups.

~~~
reustle
No, like Google Drive. The files do not exist on my computer, only in my
browser.

~~~
absorber
IIRC there is a Google Drive application which allows the users to have a
similar "virtual folder" functionality as Dropbox has.

------
utefan001
systems-admins-we-need-to-talk

[https://offensivetechblog.wordpress.com/2016/03/29/systems-a...](https://offensivetechblog.wordpress.com/2016/03/29/systems-admins-we-need-to-talk/)

------
lukaslalinsky
What I don't understand is how any malware can get installed on a server
storing critical hospital data? And why is it running Windows? Do hospitals
store their data on workstations used by employees?

~~~
masklinn
> And why is it running Windows? Do hospitals store their data on workstations
> used by employees?

You are aware that there are server editions of Windows right? And that they
don't exist for the fun of it?

~~~
lukaslalinsky
Yes, but I could not imagine some admin installing the malware by mistake.
Reading more on it, I stand corrected. The malware gets installed thanks to a
buggy version of JBoss allowing remote execution access to the server.

~~~
masklinn
Yes, and the malware may not even have to be installed on the server, there
are many companies and systems with dodgy security practices (either just
because, or because a legacy application needs that, or whatever). If the
hospital has its stuff on a NAS, any infected computer with write access to
that NAS will be able to hit it.

------
mynewtb
This is just linkbait.

~~~
21
Why do you say that? The article is pretty informative, despite the title.

