Ransomware Question


I've been wondering about this in relation to a computer having been attacked and shut down by a ransomware attack. I have heard about two hospitals and a police department having to pay to get their systems working again.

Let's just take a home personal computer that has been attacked and is no longer able to fully start up. If that person has a DVD backup ... Ghost comes to mind, or it could be any of the other programs that will store a backup to a disc or USB flash drive. Would that type of backup get the computer started again?

I can't find an exact answer to that question ... maybe there are various versions of ransomware that could be defeated that way ... maybe not.

...

Edited by monroe


Usually ransomware that targets personal computers doesn't break your OS in any way, but instead encrypts your files (documents, images, videos etc.) and offers to decrypt them after you pay a ransom. Most often you have to be able to boot up your PC in order to receive instructions on how to pay and decrypt your files. If for some reason ransomware breaks your PC and you have a rescue CD/OS backup of any kind, you end up with a running system and an HDD full of encrypted files (in the worst case, useless files). So the best solution against ransomware seems to be a regular backup of your data, on a drive that is not permanently connected to your workstation and accessible. All data.

Of course, ransomware can be different, e.g. PETYA, but most of them are other variations of popular kidnappers like CTBLocker/Cryptolocker/Teslawall etc. My humble personal guess is that the hospital systems were bootable, but they lost access to the data files with the necessary information.

I managed to find this article about the Hollywood Hospital ransomware attack:

https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/

That's not an in-depth analysis, but at least it names the germ - the ransomware Locky:

https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/

Edited by Mcinwwl

@Mcinwwl is right: for those who have a sound backup strategy (viz., say, data and OSes separated, independent backups of each, forensic-grade known-good images for OSes and file-based backups for data) ransomware is irrelevant. If it happens to get in, just sanitize and redeploy the backups.
So, the truth is: only the improvident can be victimized by it. Then again, the above solution cures any kind of malware incident, regardless of the type of malware involved.


Mcinwwl ... OK, I guess I did not fully understand how ransomware works. I thought a person could not get into their computer ... but I guess it makes sense that the person would have to know the amount to pay and how to send the money.

In that first link about the hospital ... there is this paragraph about another hospital.

"Earlier this month, Methodist Hospital in Henderson, Kentucky was struck by Locky as well, an attack that prevented healthcare providers from accessing patient files. The facility declared a “state of emergency” on a Friday but by Monday was reporting that its systems were “up and running.” Methodist officials, however, said they did not pay the ransomware; administrators in that case had simply restored the hospital’s data from backups."

As you say den ... stay sharp and be prepared with good data backups.

...


11 minutes ago, Tarun said:

Backups are things we should all have no matter what happens.

An additional word of warning (just in case).

Once upon a time backups were made on external, removable media (CDs, Zip disks, DVDs, tapes), which had all kinds of reliability problems BTW, but which are effective in the case of cryptoware/ransomware.

Nowadays a lot of people I know - while still doing regular backups - have an "automated" setup that consists of a NAS (or, in any case, a USB or network-connected external hard disk) that they periodically "sync" with the contents of their "main PC". This setup is NOT a good one for these cases because normally the device is connected and mounted to a drive letter at all times.

Ransomware will see these devices exactly as what they actually are, connected, mapped volumes, and proceed to encrypt them as well.

So you need to have these devices either switched off or disconnected (or unmounted) at all times and switch them on/connect them/mount them only when you are actually copying data to them to be "safe".

jaclaz
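As an added example (not code from the thread or from any product named in it): one check a practitioner would want alongside the "disconnect it" advice above is a way to find out whether a backup that sat on an always-connected volume has been silently rewritten before trusting it for a restore. The script below takes a SHA-256 manifest of a backup set and later compares the volume against it. The directory layout, file names and contents in demo() are constructed for the demonstration; the damage step simply overwrites one file with random bytes and renames another, standing in for whatever rewrote the volume.

```python
# Added example, not code from the thread: a SHA-256 manifest for a backup set,
# so that files on an always-connected backup volume that were silently rewritten
# or renamed can be spotted before the backup is trusted for a restore.
# The directory layout and file contents in demo() are constructed for the demo.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current contents of root against a manifest taken earlier.

    Returns the modified, missing and unexpected paths plus an 'intact' flag.
    A backup set that is being overwritten in place shows up as 'modified';
    files renamed with a new extension show up as 'missing' plus 'unexpected'.
    """
    current = build_manifest(root)
    modified = sorted(n for n in manifest if n in current and current[n] != manifest[n])
    missing = sorted(n for n in manifest if n not in current)
    unexpected = sorted(n for n in current if n not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "intact": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest of a small backup set, then damage
    the copy on the 'backup volume' (one file's bytes replaced, one renamed)
    and run the verification again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "photos").mkdir(parents=True)
        (root / "thesis.docx").write_bytes(b"constructed document contents")
        (root / "photos" / "cat.jpg").write_bytes(b"\xff\xd8constructed jpeg bytes")

        manifest = build_manifest(root)  # would be stored off the backup volume
        if not verify_backup(root, manifest)["intact"]:
            raise RuntimeError("fresh backup failed to verify")

        # Damage the copy on the backup volume the way an unexpected rewrite would.
        (root / "thesis.docx").write_bytes(os.urandom(32))
        (root / "photos" / "cat.jpg").rename(root / "photos" / "cat.jpg.locked")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keep the manifest (or at least a copy of it) somewhere the backup volume's writers cannot reach, otherwise it can be rewritten together with the data. The check only detects damage after the fact; the prevention is still the disconnected medium the post describes.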
 


Tarun ... this is the first I have heard about Malwarebytes 3.0 ... I see it just came out a few days ago. It will be a yearly subscription for people or companies that would need this product. I will still use the older Malwarebytes, if they will still be providing updates. Will have to read some reviews as people try it.
 

"With the combination of our Anti-Malware ($24.95), Anti-Exploit ($24.95) and Anti-Ransomware (free, beta) technologies, we will be selling Malwarebytes 3.0 at $39.99 per computer per year, 20% less than our previous products combined and 33% less than an average traditional antivirus. But don’t worry, if you are an existing customer with an active subscription or a lifetime license to Malwarebytes Anti-Malware, you will keep your existing price and get a free upgrade to Malwarebytes 3.0. If you have both an Anti-Malware and an Anti-Exploit subscription, we will upgrade you to a single subscription to Malwarebytes 3.0, reduce your subscription price and add more licenses to your subscription. More on that below! As always, we will be keeping malware remediation absolutely free."

Announcing Malwarebytes 3.0, a next-generation antivirus replacement

https://blog.malwarebytes.com/malwarebytes-news/2016/12/announcing-malwarebytes-3-0-a-next-generation-antivirus-replacement/

...
 


6 hours ago, monroe said:

Tarun ... this is the first I have heard about Malwarebytes 3.0 ... I see it just came out a few days ago. It will be a yearly subscription for people or companies that would need this product. I will still use the older Malwarebytes, if they will still be providing updates. Will have to read some reviews as people try it.

Versions 1 and 2 offered lifetime licenses. 3 no longer has those; however, if you had a lifetime license you can use it in MB3. If you had a lifetime license and cannot locate it, contact support and they will help you. It's very worthwhile to upgrade to 3.0. I tested it since the internal betas, and the speed and new features make it a very valuable asset in the fight against malware.


7 hours ago, Tripredacus said:

I will disagree here. The best solution is to not do the dumb thing that allowed a virus onto your computer in the first place.

You got me here :> Still, even the best can make mistakes.

But, actually, when you run hospital IT infrastructure, you cannot answer for all the personnel not doing stupid things.

13 hours ago, jaclaz said:

Nowadays a lot of people I know - while still doing regular backups - have an "automated" setup that consists of a NAS (or, in any case, a USB or network-connected external hard disk) that they periodically "sync" with the contents of their "main PC". This setup is NOT a good one for these cases because normally the device is connected and mounted to a drive letter at all times.

Ransomware will see these devices exactly as what they actually are, connected, mapped volumes, and proceed to encrypt them as well.

So you need to have these devices either switched off or disconnected (or unmounted) at all times and switch them on/connect them/mount them only when you are actually copying data to them to be "safe".

Keeping the volume mounted and accessible for everyone isn't the best backup strategy for sure :> In the meantime, it made me wonder whether always-connected backup storage can be made safe with only a proper access policy. Let's think of a simple home-PC scenario:
- The PC owner uses the admin account only when needed, and sticks to an account with user privileges;
- Backup storage is connected all the time;
- Write access to the backup storage is allowed only for accounts with admin rights;
- The system has some scheduled backup routine that runs with admin privileges;
- When the owner needs to do something on the admin account, they might temporarily disconnect the backup beforehand.

While I think this might work, I doubt whether I made some deadly bad mistake in this 'model' at the foundation level. I don't mean malware that uses escalated privileges or anything like that. I'd be glad if anyone could guide me to the straight roads.

Not to mention that in a home environment simply plugging in the storage for the backup is easier ;)


 


Well, particularly with PowerShell (which is IMHO a rather wide attack surface) I don't think that there are really, really safe ways (short of physical disconnection from the network) other than limiting the access to the network share. I seem to remember that network accesses/credentials are normally cached, so you need to have *something* that deletes those right after the backup has completed (and that re-connects with the appropriate credentials right before the next backup session).

jaclaz


 


 


Both USB and Ethernet are hot-pluggable/unpluggable. The best solution is to plug/backup/unplug by hand. Do it yourself (= don't delegate) and it sure shall be there whenever needed. Eliminate PEBCAK by trusting no one but yourself. Works for home. Big orgs like hospitals and, worse still, multi-office 24x7 enterprises are a never-ending nightmare, because the PEBCAK chance grows uncontrollably. That's life, folks!


A not-so-stupid solution might be connecting the NAS through a "hub" (what is now a "switch") with the power adapter connected to a remotely operated/switched mains socket that is switched on only at backup time, or using *something like* this:
http://www.digital-loggers.com/lpc7.html

to switch the NAS(es) on/off directly, as if we go for the good ol' way, you would need three separate NAS/network disk drives.

Once upon a time you had three diskettes (or three Zip disks, or three tapes):
#1 marked Monday, Wednesday, Friday
#2 marked Tuesday, Thursday, Saturday
#3 marked 1st of the month <- only used once and then replaced by a new medium

Since only one medium was inserted in the backup device, the other two (even if maybe a bit older) were never at risk of being overwritten/damaged.

jaclaz
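As an added example (not code from the thread): the three-medium rotation described above, modelled so you can see which media are still untouched after a given day is compromised and how old the newest safe backup is. It goes one step beyond the post by computing the worst-case loss window. The assumptions are mine, not the post's: medium #3 takes precedence when the 1st falls on a weekday, nothing is backed up on Sunday, and a medium is exposed only on the days it is inserted. The dates used are constructed for the demonstration.

```python
# Added example, not code from the thread: the three-medium rotation described
# above, modelled so you can see which media are still safe after a given day
# is compromised and how old the newest safe backup is.
# Assumptions (mine, not the post's): medium #3 takes precedence when the 1st
# falls on a weekday, nothing is backed up on Sunday, and a medium is exposed
# only on the days it is inserted.
from datetime import date, timedelta
from typing import Optional

# Monday=0 ... Saturday=5; Sunday (6) has no entry, so no medium is inserted.
WEEKDAY_MEDIA = {0: "#1", 2: "#1", 4: "#1", 1: "#2", 3: "#2", 5: "#2"}
ALL_MEDIA = ("#1", "#2", "#3")


def _as_date(day) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def media_for(day) -> Optional[str]:
    """Which medium is inserted on a given day, or None if no backup runs."""
    d = _as_date(day)
    if d.day == 1:
        return "#3"  # the monthly medium, replaced by a fresh one each month
    return WEEKDAY_MEDIA.get(d.weekday())


def last_use(medium: str, before, lookback_days: int = 62) -> Optional[str]:
    """Most recent day strictly before `before` on which `medium` was inserted."""
    b = _as_date(before)
    for offset in range(1, lookback_days + 1):
        d = b - timedelta(days=offset)
        if media_for(d) == medium:
            return d.isoformat()
    return None


def safe_restore_points(compromise) -> dict:
    """Media that were not inserted on the compromise day, each with the date
    of its newest backup: the restore points that could not have been touched."""
    exposed = media_for(compromise)
    return {m: last_use(m, compromise) for m in ALL_MEDIA if m != exposed}


def worst_case_loss_days(compromise) -> int:
    """Days of work lost if you restore from the newest safe medium."""
    c = _as_date(compromise)
    newest = max(
        date.fromisoformat(d) for d in safe_restore_points(compromise).values() if d
    )
    return (c - newest).days


if __name__ == "__main__":
    day = "2016-12-14"  # constructed: a Wednesday, so medium #1 is inserted and exposed
    print(media_for(day), safe_restore_points(day), worst_case_loss_days(day))
```

The same structure applies to the NAS variant in the post: as long as only one target is powered on or reachable at a time, the other two keep the restore points computed here.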
 

