
How My Mom Got Hacked - panarky
http://www.nytimes.com/2015/01/04/opinion/sunday/how-my-mom-got-hacked.html
======
BorisMelnik
This may sound cliche, but ransomware truly is plaguing the nation. 3 "phone
room" busts here where I live in the last month or so, all of which were the
"tech support" hot lines that you called into after you've paid the ransom to
"fix your PC."

Sure, there are many different levels of extortion. Some outfits are very
upfront i.e. "your PC has been locked..." others are much more subtle and
appear to come across as a legit operation and it isn't until you speak to
your techie son-in-law that you find out you've been hit.

IMHO the best way to nab these guys is the phone rooms. More and more cities /
states are requiring these rooms to have licenses and in my city the FBI has
set up a temporary shop to go after these guys.

~~~
sp4ke
The problem is neither the ransomware nor the criminals ... it's the way
internet/computer users became completely unaware of what they are using and
blindly trusting everything.

Think of this as a natural balance to the ridiculously insecure internet and
people's tech culture. If we are all going to live in a world where we use
internet and technologies everyday, we should have a minimum of knowledge on
how it works and not blindly trust everything.

One other point, it's useless to try stopping these guys, they are selling the
software on the blackmarket with source code, the more you catch the more room
you give to new criminals and the better breed the virus becomes ...

~~~
jarcane
I think you're right: People are not afraid of computers anymore, and when
they are, it's in all the wrong ways.

When I was younger the internet _terrified_ people. I learned all kinds of
simple "don'ts" in the 90s that it seems all got completely forgotten within a
decade and now no-one learns anything anymore.

I didn't even use my real name online until a couple of years ago. It was like
the first rule of the internet: never put your real-life details on the
internet.

Now we have Facebook.

News stories and Outlook viruses made it abundantly clear that you should
never ever ever click an attachment if you didn't specifically request it and
know exactly what it is (And even then, best to double check).

Now there's a whole bloody black-market industry built on attachment malware.

I was told to never re-use passwords, never write them down, and never give my
password to anyone.

Now we have apps that conveniently collect every single one of your passwords
to provide a single-point weakness where one password unlocks your entire
bloody online identity, and the point of even having separate passwords is
completely lost. And it's somehow supposed to be 'more secure'.

I don't understand the internet anymore.

~~~
andrewchambers
The point of services like last pass is that a website with shitty security
won't compromise all your accounts on websites with decent security.

The point is you only trust one security specialist company rather than many
non security specialist companies.

It's getting to the point where if you don't use something like lastpass, then
reusing passwords to some extent is needed - or do you remember 20 different
passwords for each site you visit, even when you visit them only once a year?

~~~
jarcane
You're right that the password-vault part is the weakest part of the post, I
think, though I'd argue many people probably don't even use (relatively)
secure options like LastPass, and probably default to "password managers"
built in to browsers or OSes.

I just have this weird cognitive dissonance when I see the 'big threats' that
get posted sometimes online. The other day I read a Reddit post about some
Dangerous New Threat to Bitcoiners, that amounted to nothing but a
slightly-more-clever-than-average attachment virus. I don't understand how
anyone managed to
get as far as even operating a Bitcoin wallet and somehow never learned basics
like "don't click blindly on email attachments".

~~~
DanBC
> I don't understand how anyone managed to get as far as even operating a
> Bitcoin wallet and somehow never learned basics like "don't click blindly on
> email attachments".

Perhaps you're not the best person to be giving security advice if you don't
understand why people - even those who should know better - click on email
attachments?

------
HackinOut
Apparently CryptoWall does a dumb copy of the files before encrypting them and
does not zero out after deleting. If it still proceeds this way, that makes it
fairly easy to do some recovery.

Source:
[http://www.wyattroersma.com/?p=108](http://www.wyattroersma.com/?p=108)

~~~
wyldfire
Hey, that's really useful/helpful info! I'll endorse TestDisk/PhotoRec as a
mechanism for recovering deleted files, should be appropriate for most (though
you might want a trusted tech savvy person to execute this recovery). The
System Rescue CD includes these packages.

[http://www.cgsecurity.org/wiki/PhotoRec](http://www.cgsecurity.org/wiki/PhotoRec)

[http://www.sysresccd.org/SystemRescueCd_Homepage](http://www.sysresccd.org/SystemRescueCd_Homepage)
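The recovery wyldfire describes works only because the deleted originals are still sitting in unallocated space, and PhotoRec finds them by file signature rather than through the file system. The following is an added example, not code from the thread or from the PhotoRec project: a toy carver that builds a constructed raw image in memory (two files unlinked but not overwritten), recovers them from their JPEG and PNG header and trailer bytes, and then shows that zeroing the freed blocks, which HackinOut notes CryptoWall does not do, defeats the recovery. The image layout, the two sample files and all helper names are constructed for this example.

```python
"""Signature-based file carving of the kind PhotoRec performs.

Added example, not from the original thread or from the PhotoRec project.
It builds a constructed raw "disk image" in memory in which two files have
been unlinked but not overwritten, then recovers them purely from their
header/trailer byte signatures.
"""
import zlib

# Header and trailer signatures for the two formats this toy carver knows.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def make_jpeg() -> bytes:
    """Constructed minimal JPEG-shaped blob: SOI, APP0, SOS, fake scan data, EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\xff\xda\x00\x08\x01\x01\x00\x00?\x00" + bytes(range(0x10, 0x60))
    return b"\xff\xd8" + app0 + scan + b"\xff\xd9"


def make_png() -> bytes:
    """Constructed PNG skeleton: signature, IHDR chunk, IEND chunk (no pixel data)."""
    ihdr_data = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x02\x00\x00\x00"
    ihdr = (len(ihdr_data).to_bytes(4, "big") + b"IHDR" + ihdr_data
            + zlib.crc32(b"IHDR" + ihdr_data).to_bytes(4, "big"))
    iend = b"\x00\x00\x00\x00IEND" + zlib.crc32(b"IEND").to_bytes(4, "big")
    return b"\x89PNG\r\n\x1a\n" + ihdr + iend


def build_image() -> tuple:
    """Constructed raw image: free space around two files whose directory
    entries are gone but whose bytes were never overwritten."""
    originals = {"jpg": make_jpeg(), "png": make_png()}
    image = (b"\x00" * 64 + originals["jpg"] + b"free space " * 8
             + originals["png"] + b"\x00" * 32)
    return image, originals


def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Return (kind, offset, data) for every header/trailer pair, ordered by offset."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:          # header with no trailer in range: not a file
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def zero_out(image: bytes, offset: int, length: int) -> bytes:
    """What a real secure delete does: overwrite the freed blocks with zeros."""
    return image[:offset] + b"\x00" * length + image[offset + length:]


if __name__ == "__main__":
    image, originals = build_image()
    for kind, offset, data in carve(image):
        print(f"recovered {kind} at offset {offset}: {len(data)} bytes, "
              f"intact={data == originals[kind]}")
    wiped = zero_out(image, 64, len(originals["jpg"]))
    print("after zero-out only:", [kind for kind, _, _ in carve(wiped)])
```

Real carvers validate what they find (chunk CRCs for PNG, marker structure for JPEG) and cope with fragmented files; this toy only pairs a header with the next trailer, which is enough to show why an unzeroed delete leaves the plaintext recoverable and a zero-out does not.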

------
ColinWright
So the title is "How My Mom Got Hacked" and the only thing it actually says
about that actual title is:

    The virus is thought to infiltrate your computer
    when you click on a legitimate-looking attachment
    or through existing malware lurking on your hard
    drive, ...

So, there's really nothing about how his mom got hacked.

Don't get me wrong, it's an interesting article, interesting to read about the
process that ensues once you've been hacked, and I've up-voted it, but I'm
disappointed not to see anything about how it happened.

~~~
navait
Jesus. The publisher is the New York Times, writing a story about a real
threat to ordinary people. It's not a great headline, but neither is it really
misleading either. It effectively communicates what the article is about to
SNYT readers.

Apparently anything that is not 100% dull now is clickbait.

~~~
ColinWright
It's not about being dull, or exciting, and it's not about click-bait or
otherwise. It's about accuracy, reporting, and expectations. The heading was
"How My Mom Got Hacked" so I expected to see something about how her mom got
hacked.

But I didn't. It was a great story about what happened _after_ her mom got
hacked, and it was interesting, and mildly engaging, but it simply wasn't what
it said.

Calling it something like "Paying the hackers" or something like that would
have been accurate and just as intriguing.

Is it too much to ask reporters to title the article with something that
actually refers to what is in it?

~~~
navait
Is it too much to ask that you use some imagination rather than blandly parse
a headline?

~~~
ColinWright
Sorry, but I really don't understand that comment. I read the article, and
commented that the title doesn't match the content. In what sense do you then
claim that I've just blandly parsed a headline?

------
gringe
> Welcome to the new ransomware economy, where hackers have a reputation to
> consider.

It's not new for organized crime to consider its reputation.

In fact you could argue that organized crime exists _solely_ based on its
reputation, and I would certainly argue that for CryptoWall. If nobody trusted
that paying them would work, they would lose virtually all reason to do what
they do.

I'm not going to defend digital extortion, but it exists because people pay
it, and articles like this are part of the problem by making it known to
Googlers that paying works.

It's complicated and I think we should think hard about where where we point
fingers if we want to fix this.

~~~
joosters
I don't see any complications or deep thinking required before pointing
fingers. It's the criminals who are to blame.

No amount of educating end users will magically fix these kind of attacks,
whether or not people write articles about their ransom payments.

~~~
gringe
I beg to disagree. If you effectively made everyone realize that not paying
utterly destroys the extortionist's business model, that does "magically fix
these kinds of attacks" overnight. Not that I'm saying educating people about
this is practical or even possible.

One thing that I think is destructive though is "blaming the criminals", since
a) we don't even know who they are, b) their business model depends entirely
on them being promoted as a legitimate threat you can pay to fix, and c)
blaming them distracts from finding a real solution.

~~~
phaus
I'll have to find the article later, but I read somewhere that about 1.7% of
victims actually ended up paying money to the original cryptolocker guys, yet
this seems to be enough to keep them in business. For your plan to work, you
would need pretty much 100% compliance, which simply isn't going to happen.

------
arethuza
My wife's father died about a month ago - two days after he died his widow got
a call from some bunch of scoundrels saying "we need to fix your late
husband's PC so you can get at his tax records"....

Fortunately, he never had a PC (he was in his mid 80s) so it was obviously a
scam but we were all appalled at the cheek of such an approach and for the
fact that a lot of people, particularly the elderly in a moment of stress,
would fall for such a scam.

~~~
mjklin
This is an update of another scam, wherein scam artists prowl the obituaries
and send "brown package material" with embarrassing contents to the surviving
family member, claiming the deceased had ordered it.

Their hope is that the surviving member will pay up to avoid embarrassment.
Yeah, you have to be a sicko to think this stuff up.

------
kazinator
The article doesn't seem to answer the question raised in the title. How _did_
Mom get hacked? Actually it's buried in there:

> "So what can we all do to protect ourselves? Keep our computers backed up
> [...] and most of all, Beware the Attachment."

Ah, so the Attachment is what got Mom!

You know, the above should really be "Beware the Attachment processed on a
Microsoft Windows box using the default and/or most popular handlers for its
file type."

Also: "beware of letting naive users use the same Windows PCs for
Internet-based consumption activities (net surfing and e-mail) and for
production/retention of important content."

~~~
acdha
That's effectively saying that non-experts should only use something like iOS
or maybe ChromeOS. The same class of attacks works against any user using any
operating system which allows them to install arbitrary code - Mac, Android,
Linux, etc. all have past examples of successful attacks which started with an
email attachment, browser drive-by, etc.

~~~
lotu
That actually may be a very good idea. It's not that non-experts should be
forbidden from using these things; it is that we should stop handing people guns
that they end up using to shoot themselves in the foot with.

~~~
acdha
Agreed – I'm not cheerful about the implications of making things less user-
serviceable but … it's not like we don't know how well that's worked out.

If you haven't already read it, SwiftOnSecurity's “A story about Jessica” is
rather good for illustrating how badly we've failed as an industry to produce
devices which are safe for non-experts to use:

[http://swiftonsecurity.tumblr.com/post/98675308034/a-story-about-jessica](http://swiftonsecurity.tumblr.com/post/98675308034/a-story-about-jessica)

~~~
kazagistar
That's a cool article.

On the other hand, WTF is up with that blog?!?

~~~
acdha
It started as a parody Twitter account
([https://twitter.com/SwiftOnSecurity](https://twitter.com/SwiftOnSecurity)
and e.g. [https://imgur.com/a/1PDRJ](https://imgur.com/a/1PDRJ)) but got more
serious over time. The author really came into their own around the time of
last summer's celebrity iCloud attack when so many people were jumping to
blame the victims for assuming that big tech companies were good at security.

------
alexggordon
Has anyone ever done a serious technological evaluation of one of these
programs? I'd be very interested in learning more specifically about its
encryption mechanism. For example, to be able to decrypt (edit: used to say
encrypt) the files, it has to store the private key (and obviously the public
key) somewhere on the computer, whether in memory or elsewhere to decrypt the
files. In addition to this, if this is a variant like mentioned in the
article, where you can "decrypt one file for free", then the software
obviously has to access both keys to decrypt that, meaning with the right
tools you should be able to capture those keys if you can capture the program
in the action of decrypting a file.

While an obviously viable solution to this is good backups and educating
people about computer security, that won't put these people out of business,
which is what would really stop this.

Either way though, if anyone here knows of any material delving into hacking
ransomware like this let me know, I'd love to read about it.

~~~
peeters
> To be able to encrypt the files, it has to store the private key (and
> obviously the public key) somewhere on the computer

Why do you say that? The very purpose of public-key crypto is so that you can
send only the public key, have the other end encrypt with that, while you hold
onto the private key which is the only thing that can decrypt it.

No guarantee this uses public key for the crypto though. From what I know, a
symmetric key is more suitable to encrypting huge amounts of data. Could be
wrong about that though.

~~~
alexggordon
My mistake. I said encrypt when I should have said decrypt. You are correct
though, symmetric key encryption would be better for this, and utilizing the
answer given by kolinko below, I wouldn't be surprised if they did use a
different key for each file.

~~~
HackinOut
You only need to decrypt once the payment has been received, so the private
key doesn't need to be sent to the infected machine before that.
Encrypt/Decrypt, it seems to be a moot point.

The "decrypt one file for free" feature seems to be specific to CryptoWall
which, some have reported, does not use symmetric encryption like CryptoLocker.
CryptoLocker stores symmetric keys for each file on the infected machine,
encrypts those with a public key and when the payment is received, sends the
private key from the C&C Server. I would say it's very unlikely CryptoWall
would store remotely a private key per file. That could mean a lot of
information to be transferred over the wire. Probably because of using only
asymmetric (slow) encryption, CryptoWall apparently only encrypts small files
completely, and only a piece of the larger ones. One way the "decrypt one file
for free" feature might work is by actually uploading the file (or the
encrypted piece of file) to the C&C Server, decrypting it remotely and sending
it back. But the feature is definitely worth investigating.

[https://blog.fortinet.com/post/cryptowall-another-ransomware-menace](https://blog.fortinet.com/post/cryptowall-another-ransomware-menace)

[http://stopmalvertising.com/malware-reports/cryptowall-behind-the-scenes.html](http://stopmalvertising.com/malware-reports/cryptowall-behind-the-scenes.html)

------
0x0
Could the "one file free decrypt preview" feature be used to sniff out the
crypto key required to decrypt all the other files? Or does the virus need to
check in with the backend for every single file for unique keys?

~~~
logn
> does the virus need to check in with the backend for every single file for
> unique keys?

As it's based on CryptoLocker, all the files would be encrypted with the same
key. After CryptoLocker was busted by law enforcement, "Fox-IT and fellow firm
FireEye introduced an online service which allows infected users to retrieve
their private key by uploading a sample file, and then receive a decryption
tool"
([https://en.wikipedia.org/wiki/Cryptolocker#Takedown_and_reco...](https://en.wikipedia.org/wiki/Cryptolocker#Takedown_and_recovery_of_files))

edit: technically the files are encrypted with different keys but those keys
are stored on the victim's machine and encrypted with a single key --
[http://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-new-version-or-copycat/](http://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-new-version-or-copycat/)

~~~
HackinOut
I wouldn't be so sure this would help: CryptoLocker was using symmetric
encryption (AES) for the files while CryptoWall apparently solely uses RSA
(which creates problems for the pirate, like slow encryption, thus encrypting
only small files (.jpeg, .doc...)?). Only the public key seems to be
downloaded when the malware installs.
([http://stopmalvertising.com/malware-reports/cryptowall-behind-the-scenes.html](http://stopmalvertising.com/malware-reports/cryptowall-behind-the-scenes.html))

If this is the case, I would be surprised if they would download the private key
for the one free decrypt feature. If they encrypt only small files they might
do the decryption on the remote C&C Server?

It's worth investigating anyway.
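HackinOut's description of the CryptoLocker scheme (a symmetric key per file, each wrapped under a public key, the private key released only on payment) and 0x0's question about whether the free decrypt could expose the key for the other files are both answered by the key-custody structure itself. The block below is an added example, not code from the thread or from any sample: a toy model of that hybrid scheme using textbook RSA with fixed Mersenne primes (insecure, chosen only so the block runs with the standard library) in place of a real key pair, and an HMAC-SHA256 keystream in place of AES. All names and parameters are this example's assumptions; `demo()` shows that the key handed back for one file opens that file and nothing else.

```python
"""Model of the hybrid key-wrapping scheme described above for CryptoLocker.

Added example, not code from the thread or from any malware sample. A toy
RSA key pair plays the operator-held key pair and an HMAC-SHA256 keystream
stands in for AES. It shows why a "decrypt one file for free" service cannot
leak anything beyond that one file's key: every file has its own wrapped key,
and the unwrapping secret D never exists on the infected machine.
"""
import hashlib
import hmac
import os

# Toy RSA parameters: insecure, fixed so the example is reproducible offline.
P = (1 << 127) - 1                   # Mersenne prime M127
Q = (1 << 107) - 1                   # Mersenne prime M107
N = P * Q
E = 65537                            # public exponent: all the client ever sees
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: held by the operator only

KEY_LEN = 16


def rsa_wrap(file_key: bytes, e: int = E, n: int = N) -> int:
    """Wrap a per-file key under the public key (textbook RSA, toy only)."""
    m = int.from_bytes(file_key, "big")
    assert m < n, "key must be smaller than the modulus"
    return pow(m, e, n)


def rsa_unwrap(wrapped: int, d: int = D, n: int = N) -> bytes:
    """Operator side: recover a per-file key with the private exponent."""
    return pow(wrapped, d, n).to_bytes(KEY_LEN, "big")


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for AES: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(plaintext: bytes) -> dict:
    """Client-side step: fresh key per file, wrapped under (E, N), then discarded.
    Only the wrapped form stays with the file; D is not needed and not present."""
    file_key = os.urandom(KEY_LEN)
    nonce = os.urandom(16)
    return {
        "nonce": nonce,
        "ciphertext": stream_xor(file_key, nonce, plaintext),
        "wrapped_key": rsa_wrap(file_key),
    }


def release_key(record: dict) -> bytes:
    """The free-decrypt service: unwrap one file's key and hand back only that."""
    return rsa_unwrap(record["wrapped_key"])


def open_record(record: dict, file_key: bytes) -> bytes:
    """Decrypt a sealed record with a per-file key (any key 'works', wrong ones give noise)."""
    return stream_xor(file_key, record["nonce"], record["ciphertext"])


def demo() -> tuple:
    """(does the released key open its own file?, does it open a second file?)"""
    first = seal(b"letter to the bank")
    second = seal(b"tax return 2014")
    key_first = release_key(first)
    return (open_record(first, key_first) == b"letter to the bank",
            open_record(second, key_first) == b"tax return 2014")


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Capturing the key during the free decrypt therefore yields one file, exactly as the design intends; what would change the picture is a flaw in how the per-file keys are generated (a weak random source) or the private key being shipped to the client, which is the situation logn cites for the post-takedown CryptoLocker recovery service.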

------
venomsnake
And that is why I have the "if you don't have backup, I won't bother to help
you with your lost files" policy when friends or family come crying. I make
only one exception from this rule.

Cryptolocker is not the problem. The lack of reliable backup is.

15 years into the internet age, and 5 into the cloud you have no excuse.

~~~
Sir_Substance
I would genuinely rather lose all my critical data to cryptolocker than put it
in the cloud. Given a choice between my data being accessible by no-one or
everyone, I will pick no-one every time.

Data in the cloud /is/ available to everyone that matters.

I'd also like to remind you that it can be impractical to back up some forms
of data, especially in the cloud. High definition video (weddings, funerals,
holidays) is impractically large.

The problem /is/ Cryptolocker. Anyone with an ounce of practicality will take
mitigating steps against it, I have no sympathy for anyone who ignores the
risk, but the solution is not massive scale global data duplication, that is
treating the symptoms. The solution is to dissuade criminals from this path.

Widescale international cooperation in finding these people would be a start.

~~~
JCole
You don't need to backup to the cloud, have people forgotten about physical
hard drives?

~~~
r0m4n0
Yep, a good mitigation plan is a 2TB time capsule. All my precious cat photos
are backed up on the regular, encrypted and within reach.

~~~
TeMPOraL
As long as you remember to keep that drive unplugged - otherwise it'll get
cryptolocked with everything else.

------
doah78
I work for a school district in the US and we see this occasionally. We just
wipe the computer and restore files to the Users network drive from backup.

I personally think getting into a good backup regimen is a better use for the
money than paying some scumbags.

------
Kiro
Great article but I'm sad that it didn't cover what I thought the headline was
referring to; how she was hacked to begin with.

------
ExpiredLink
> “Whoever these yahoos are, they have some little shred of humanity.”

Not really. Their "business model" is extremely restricted. 99.99 of their
victims cannot handle the Bitcoin thingy.

~~~
phaus
>Their "business model" is extremely restricted. 99.99 of their victims cannot
handle the Bitcoin thingy.

It's actually pretty interesting how this developed. Some of the guys running
variants of cryptolocker realized how much money they were missing out on and
established customer support channels to help their victims figure out how to
pay.

------
fencepost
I don't see any mention here, but as someone who deals with front-line
response to users regularly, take a look at CryptoPrevent from FoolishIT (yes,
really,
[https://www.foolishit.com/vb6-projects/cryptoprevent/](https://www.foolishit.com/vb6-projects/cryptoprevent/))
and HitmanPro.Alert
([http://www.surfright.nl/en/alert](http://www.surfright.nl/en/alert)) with
CryptoGuard. The first does a bunch of local policy setup to restrict where
executables can run along with some optional subscription signature
watching; the second does more watching for encrypting behavior including on a
host sharing files via SMB.

I also recommend making sure that shadow copies are turned on and allocated
plenty of space - including on a separate partition or drive if the user in
question regularly comes close to filling the drive. It's not a backup, but it
is much faster to restore from a shadow copy than from an offsite backup.

edit: added links

~~~
HackinOut
CryptoWall apparently deletes shadow copies with a simple vssadmin command.

[http://stopmalvertising.com/malware-reports/cryptowall-behind-the-scenes.html](http://stopmalvertising.com/malware-reports/cryptowall-behind-the-scenes.html)
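A defender can catch the shadow-copy deletion HackinOut mentions at the moment it happens, because `vssadmin` is an ordinary, logged process creation. The following is an added example, not part of the thread or of any product it names: a small rule run over constructed process-creation log lines in a simplified key=value layout (the field names are assumptions of this example). It handles the command being launched directly or behind `cmd.exe /c`, ignores the benign `list shadows`, and reports the `resize shadowstorage` form at a lower severity because administrators also run it to enlarge the store, as fencepost recommends above.

```python
"""Flag shadow-copy deletion in process-creation logs.

Added example, not part of the thread or of any product mentioned in it.
The log lines below are constructed, in a simplified key=value layout
modelled on the fields a Windows process-creation event carries; the field
names (ts, host, user, image, cmdline) are assumptions of this example.
"""
import re

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# vssadmin verb/noun pairs worth alerting on.  'delete shadows' is what the
# thread describes; 'resize shadowstorage' also discards existing copies when
# the store shrinks, but it is what an admin runs to enlarge it too, so it is
# reported at a lower severity for review rather than as a sure sign.
VSSADMIN_VERBS = {
    ("delete", "shadows"): ("high", "all volume shadow copies deleted"),
    ("resize", "shadowstorage"): ("medium", "shadow storage resized; existing copies may be purged"),
}


def parse_event(line: str) -> dict:
    """Turn one log line into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def vssadmin_alert(cmdline: str):
    """Return (severity, reason) if cmdline runs vssadmin with a destructive verb, else None.

    The executable may appear anywhere in the line (e.g. behind 'cmd.exe /c'),
    so every token is checked for a vssadmin basename, case-insensitively.
    """
    argv = cmdline.replace('"', "").split()
    for i, tok in enumerate(argv):
        base = tok.lower().rsplit("\\", 1)[-1]
        if base in ("vssadmin", "vssadmin.exe") and i + 2 < len(argv):
            return VSSADMIN_VERBS.get((argv[i + 1].lower(), argv[i + 2].lower()))
    return None


def scan(lines) -> list:
    """Run the rule over log lines; returns (ts, host, user, severity, reason) per hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = vssadmin_alert(ev.get("cmdline", ""))
        if hit:
            alerts.append((ev.get("ts"), ev.get("host"), ev.get("user")) + hit)
    return alerts


# Constructed sample: a benign program, a benign 'list', a deletion, a resize behind cmd.exe.
SAMPLE_LOG = [
    'ts=2015-01-04T10:21:03Z host=PC1 user=mom image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe letter.txt"',
    'ts=2015-01-04T10:22:40Z host=PC1 user=mom image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    'ts=2015-01-04T10:22:41Z host=PC1 user=mom image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2015-01-04T10:22:42Z host=PC1 user=mom image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

On a workstation that should never manage its own shadow storage, even the medium-severity hit is worth an automatic response (isolate the host, snapshot the file server), because the deletion typically runs seconds before the bulk encryption starts.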

~~~
fencepost
Good to know; I've only dealt with a couple and they were on workstations that
encrypted files on mapped network shares - vssadmin wouldn't have any access
to remove shadow copies on the file server, and in all but one of those cases
we had both shadow copies locally on the file server and offsite file backups
in place (backups only for the last).

~~~
HackinOut
Yes, I meant _try_ to delete... My first impression about CryptoWall is that
it was hacked together quicker than CryptoLocker. It doesn't bother with
generating a symmetric key per file but rather seems to use a single
asymmetric key. It also apparently makes a copy of the file before encrypting
and doesn't zero out after deleting the plain text file (see another of my
comments in this thread)

~~~
HackinOut
* asymmetric key pair

------
gambiting
"The main difficulty in stopping cybercriminals isn’t finding them, but
getting foreign governments to cooperate and extradite them."

Sorry, but no, fuck off please. US extraditing people from other countries is
an abhorrent practice which should not be happening, ever. Imagine if you got
an extradition request from Saudi Arabia, because you broke some of their laws
on the Internet. Every single country in the world would tell them to sod off.
Yet when US does this it's somehow ok? Absolutely not.

------
tim333
You'd think Putin might be persuaded to take action against some of the guilty
parties. I know that has not been the Russian tradition but things could
change.

~~~
genwin
The guilty parties (where known) are local heroes. The US has a bad reputation
in much of the world.

------
mrmondo
I'm surprised that no one has fingerprinted the patterns that these apps take
to encrypt the files, then created an antivirus definition for them. Surely
they can't be that polymorphic that no one can catch them?

~~~
acdha
The problem is that the signature-based antivirus model assumes 1980s-speed
networking where an attacker releases a single program which has months or
years to spread around the world. In the Internet era, the attacker receives
the same AV updates when you do and can tweak an executable until it's no
longer detected locally before immediately deploying it. This approach can
even be automated both to permute the executable until it passes and to stop
spreading it after it starts being flagged.
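acdha's point is that a signature describes the attacker's file, and the attacker controls that file; what the attacker cannot change is the effect the program must have on the victim's documents, which is what mrmondo's "fingerprint the patterns" idea amounts to. The following added example, not from the thread or from any product it names, sketches that behavioural approach (the kind of signal a CryptoGuard-style component watches): file-write events are constructed as (timestamp, process, path, bytes before, bytes after), and a process that rewrites several files into high-entropy data, or strips known file headers, within a short window is flagged regardless of what its executable hashes to. Thresholds, process names and paths are assumptions of this example.

```python
"""Behaviour-based detection of bulk file encryption.

Added example, not from the thread or from any product named in it. Instead
of matching the executable, it watches what the executable does to files.
The file-write events are constructed here as
(timestamp, process, path, bytes before, bytes after).
"""
import math
import os
from collections import defaultdict

# Magic bytes of common user-file formats; losing them on rewrite is a strong hint.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"PK\x03\x04", b"%PDF")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4.5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(before: bytes, after: bytes, min_entropy=7.0, min_jump=2.0) -> bool:
    """A rewrite is suspicious when the new content is high-entropy AND either
    the entropy jumped (text/doc -> noise) or a known file header vanished
    (already-compressed media such as JPEG keep high entropy but lose magic)."""
    h_after = shannon_entropy(after)
    if h_after < min_entropy:
        return False
    lost_magic = before.startswith(MAGIC) and not after.startswith(MAGIC)
    return lost_magic or (h_after - shannon_entropy(before)) >= min_jump


def flag_processes(events, window_s=10.0, min_files=5) -> dict:
    """Return {process: time of alert} for processes with >= min_files suspicious
    rewrites inside any window_s-second window; benign writes never count."""
    recent = defaultdict(list)
    alerts = {}
    for ts, proc, path, before, after in sorted(events, key=lambda e: e[0]):
        if proc in alerts or not looks_encrypted(before, after):
            continue
        recent[proc] = [t for t in recent[proc] if ts - t <= window_s] + [ts]
        if len(recent[proc]) >= min_files:
            alerts[proc] = ts
    return alerts


def build_sample_events() -> list:
    """Constructed activity: a word processor saving one file, a photo editor
    re-saving six JPEGs, and an unknown binary rewriting eight files as noise."""
    text = (b"Dear bank, please find the signed forms attached. Regards, Mom. " * 80)[:4096]
    jpeg = lambda: b"\xff\xd8\xff" + os.urandom(4096)
    events = [(50.0, "winword.exe", "C:\\Users\\mom\\letter.docx", text, text + b" PS: thanks")]
    events += [(60.0 + i, "photos.exe", f"C:\\Users\\mom\\pics\\{i}.jpg", jpeg(), jpeg())
               for i in range(6)]
    for i in range(8):
        original = jpeg() if i % 2 else text
        events.append((100.0 + 0.5 * i, "update.exe",
                       f"C:\\Users\\mom\\docs\\{i}.dat", original, os.urandom(4096)))
    return events


if __name__ == "__main__":
    print(flag_processes(build_sample_events()))   # {'update.exe': 102.0}
```

The photo editor is not flagged even though it writes six high-entropy files, because the content was already compressed and the JPEG header survives; the unknown binary is flagged on its fifth rewrite, before the remaining files are touched. A production monitor would combine this with renames to a new extension, ransom-note drops and rate limits, and would have to tolerate legitimate encryptors and archivers, which is the false-positive tuning that makes this harder in practice than the idea suggests.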

------
known
Install/configure
[http://wiki.debian.org/iptables](http://wiki.debian.org/iptables)

------
johansch
Isn't this a pretty strong argument against Bitcoin and other
cryptocurrencies? (I am being serious.)

~~~
mseebach
Not really. Most useful technologies can be used in crime and we'd get nowhere
if we allowed that fact to be used as an argument against the technology.

Pre-Bitcoin, the scammer would have her call an expensive foreign premium-rate
phone number or mail cash to a foreign address.

~~~
johansch
How about when in a few years time there's a scalable, functioning market for
hits/murders with bitcoin as payment?

I love the elegance of the bitcoin protocol, but I am worried that the
civilized world will have to clamp down on it. You just can't have a place
where anyone with enough money (a few k EUR/USD) can perform murders without
any reasonable risk of being exposed. This will effectively turn us into a
bandit country like Russia. I also think it will become harder to effectively
clamp down on cryptocurrencies as time passes, so time is of the essence.

~~~
mseebach
> You just can't have a place where anyone with enough money (a few k EUR/USD)
> can perform murders without any reasonable risk of being exposed.

Your 'reasonable risk of being exposed' is when you plan and execute the hit.
It's pretty difficult to do. Also, when your target winds up dead, the first
investigation is into whether anyone might want that person dead (motive), not
the money trail.

Any hitman worth his salt will already today know to get paid in cash or
similar liquid assets. As opposed to the ransom situation, the payment of a
hit can be arranged long before investigators start looking, so you can easily
ship a boxful of cash to a dead drop and avoid ever meeting the hitman in
person.

And even if there was a money trail, you couldn't hope to get to a hitman by
following it unless you have the other end to start down - ie. you know the
"customer", who's the bigger criminal anyway.

> This will effectively turn us into a bandit country like Russia.

No, the availability of anonymous payments is not the defining difference
between Russia and 'us'. The rule of law is.

------
dghughes
It would be fun if one of these extortionists was a victim and had his files
locked by a rival.

------
jokoon
My neighbor also had this. Was not really able to fix it. Felt pretty bad.

