17 April 2016

RansomWare 3,
Recovery


by Leigh Lundin


 WARNING  In part 1, we discussed a nasty type of malware (malicious software) called ransomware and in part 2, we recommended preventive steps. In this final article, we explore options in the event your computer is attacked.

Don’t Pay

That’s the advice of most professionals. Besides filling criminal coffers, a better reason leaps out. FireEye Security and technical advisor Alain Marchant estimate only 60% of payees get their computer back intact. BitDefender estimates even dimmer odds, as few as half of those who pay see their files returned. Symantec hasn’t published figures but they’re also not optimistic about the odds of success.

The poor odds of successfully retrieving files has drastically impacted the ‘business’ of extorting stolen files. TeslaCrypt perps have taken two unusual steps.
  1. They set up a secretive TOR ‘dark web’ message center to facilitate payment.
  2. To prove they can actually decrypt files, they offer to decrypt a small (very small) file of the user’s choice.
Yet, as they try to extract payment, their pages hint at the myriad failures and pitfalls: «If step 2 goes wrong, then attempt this and if that goes wrong then try that and maybe try again in 10-12 hours… which may exceed the allotted time… blah, blah.»

Then consider the matter of who reaps the stunning profits from ransomware. It’s tempting to blame ordinary criminals but in fact, ransomware funds terrorist groups like Daesh/ISIS and al-Qaeda. State-sponsored extortionists include the obvious suspects, China, North Korea, and Russia. Technical authors Gregory Fell and Mike Barlow further accuse Iran and Israel of sponsoring attacks at the expense of the rest of us.

Ransomware is an international problem. The Russian security firm Kapersky Lab was reportedly hit with ransomware and thus turned their attention to addressing the problem. French security consultant Alain Marchant, who goes by the name xépée and cheerfully admits Marchant may not be his real name, has developed a client base of victims ranging from individuals to major companies. Here at home, developers of anti-virus products have trained their sights to the problem.

The Costs

Worldwide, malware sucks more than a half-trillion dollars out of the annual economy. Some target individual countries like Japan (TorLocker) and Russia (Kryptovor), but others are indiscriminate. The US alone loses $100-billion annually.

Cyber crime is lucrative and safe. While one or two man operations bring in as little as $1100-5500 daily, Symantec traced one revenue stream that amounted to $35 000 a day, a number consistent with a study by FireEye Security. At the upper end of the scale, Cisco’s Talos Group calculated the Angler exploit (CryptoWall, TeslaCrypt) each day targets more than 90 000 users, pulling in $100 000… every day.

Losing family photos is one thing, but businesses have lost their files, charities their revenue, hospitals their patient records, government agencies their data, and– in at least three cases– people their lives.[1],[2]

Practicalities

Acquaintances of ‘Mark’, a victim mentioned in last week’s article, casually recommended caving to demands and paying off, ignoring the odds and consequences. Those acquaintances may be well-heeled and untouched by ordinary concerns like money and terrorist funding, suggesting if one can afford it, why not? Fortunately, Mark had a friend to help see him through the worst of a bad situation.

If you are a victim, only you understand your circumstances or desperation, but treat pay-offs only as an absolute last resort. Be prepared for the worst– your payment may go for naught.

Easy Pickings

Chances are you’ve seen web pages or pop-up windows that claimed your computer has been damaged or compromised and to call ‘Windows’ or ‘MacOS’ where ‘professionals’ for a fee will help you stamp out this insidious nuisance, one they created, although they don’t tell you that.

These are usually simple browser attacks– JavaScript on a web page seizes control of your Edge browser, or Internet Explorer, Safari, Chrome, FireFox, etc. The good news is they’re relatively easy to defeat, although getting out of the situation can puzzle an average user.

In these cases, don’t panic and don’t call the toll-free number the bad guys so thoughtfully provided. You may want to call a friend for technical assistance, but you may be able to solve it yourself.

The key to recovery is killing the script, the little program abusing your browser. You may be able to simply close the page, and if so, job well done.

Another approach is to open the browser Preferences or Options and disable JavaScript. Once JavaScript if paused, you can close the web page at your leisure, alt-ƒ4 or the more nuanced ctl-w for Windows, cmd-w (⌘-w) for the Mac. Unfortunately, FireFox made the decision to remove the option to disable JavaScript, but add-ons like QuickJS, NoScript and Ghostery give users that option. For the Mac, typing command-comma (⌘,) normally brings up preferences, but the malicious script may thwart that move.

What happens if you can’t close the web page and can’t disable JavaScript? You have no choice but to kill the browser and restart with a goal of stamping out the offending window. Use the Macintosh Force Quit (⌘-opt-pwr) or the venerable Windows Task Manager (win-shft-esc). You may be able to right-click on the program icon to close it. When restarting Safari and Edge, use finger dexterity to close the offending window– you may have to force-quit and restart a couple of times to succeed. FireFox is helpful here: They provide a dialogue box asking which pages you want to reopen (or not).

Note that you may have to smack down more than one browser window. At least one exploit deploys two pages using one to reopen the other if it’s closed. Both pages need to be killed.

Trust Issues

As with other ‘exploits’ (short for exploitations in professional parlance), you can (and should) take the preventive measure of downloading an alternative browser to your computer, say Opera, FireFox or Chrome. If a bad script has nailed your Safari or Edge browser, you can fall back on an alternative until you can get help.

The other key step is not to download anything you don’t trust. Don’t fall for messages claiming your Java or Flash or SilverLight player needs to be updated. Be extremely shy of web mail that offers to upgrade Windows 10. The safe way to update is not to click on the helpful button, but to locate the official web sites and manually download any updates yourself. Make certain the URL says java.com, adobe.com, or microsoft.com (with or without the www.) and no variation like javaupdate.com.

In the past, professionals have disdained automatic updates and that’s fine for them. Let them micromanage if they will, but for the average user, I break with my colleagues and suggest automatic updates might prove safer. The reason is that if you already trust a program, then its updates are reasonably safe as well. At worst, you may get a message saying that FireFox must be restarted, although if you don’t restart immediately, the updates will kick in after you quit your current session.

Apple and Microsoft occasionally check for updates. While I approve of the automatic mode, I suggest running the update check one time manually so you know what to look for.

RansomWare

Thus far we’ve discussed the simplest form of ransomware that merely subverts your browser. At present, you’re more likely to encounter web exploits than the really nasty kind that takes over your computer by encrypting files and user programs.

True ransomware programs demand payments ranging from $200 to over $2300 ($475 appears average) in untraceable digital payments, up to tens of thousands of dollars when targeting hospitals, corporations, and crippled city and county governments. There is no single flavor of ransomware. At least half a dozen strains are extant plus offshoots and variants. Each makes up its own rules and demands. Early models sought cash transfers via Western Union and later Ukash, MoneyPak, and PayPal My Cash, but nearly all now demand payment in anonymous digital money– BitCoin.

The other characteristic found in most ransomware is the imposition of a deadline, after which the bad guys state they’ll refuse to restore your files altogether and at least one variant claims it will permanently ruin your hard drives, not merely beyond recovery but beyond formatting (a highly dubious claim).

The time limit serves one primary purpose, to apply pressure and rattle the victim, to preclude the user from thinking his way out of the dilemma. A time limit makes it difficult to gather information, tools, and help. The target may not have sufficient opportunity to order recovery tools or a second drive to work from or a create a bootable disc.

Besides your backup, you will need a reinstallation disc. These days, few computers come with installation DVDs. Some computers feature a bootable partition that contain tools and recovery programs. In other cases, you must download a so-called ISO file from the internet to burn to an optical drive (Blu-Ray DVD, etc)– but you can’t safely do that from your compromised system– you either need to boot from a trusted drive or ask someone to download a recovery ‘disc image’ for you.

As far as the threat to permanently wreck a hard drive, it’s hypothetically possible but unlikely. Black hats may alter your boot tracks or drivers, but those can be repaired with a disc formatting program. In the unlikely case that bad guys were to zap your drive’s firmware, they’d have to strike after the time limit they imposed. Long before then, an aware user should have powered down his computer.

Demanding Money with Menaces

British use the term “demanding money with menaces” regarding blackmail, extortion, and kidnapping for ransom. The threat of ransomware is clear: If you don’t pay, you lose your files. But if you do pay, you may still lose your files. Damned if you do, damned if you don’t, the track record is not good.

Beyond the substantial risk a victim will never see his files after payment, there are sound reasons for not paying or attempting to communicate in any way. The victimized may inadvertently expose more information than realized such as passwords and bank account information. My colleague Thrush says paying or trying to reach out tells the bad guys “they have a live fish on their line.”

If a victim attempts to reach his bank on-line, an infected computer can forward passwords and account information to the miscreants. Because the bad guys have control of their subject’s computer, they may be able to extract injurious information. A wise solution is to quickly disconnect from the internet to interrupt the outflow of information.

One-Way Communication

Security consultant Alain Marchant says about 12½% of victims opt to pay, but less than ⅗ of those cases see the return of their files even after payment. He suspects the percentage may be considerably worse because of under-reporting.

Marchant’s stats are highly consistent with FireEye reports. He attributes failures to restore hostage files to a number of factors.
  • There may be no hidden server that can unlock the files. The victim has only the criminal’s word such a server exists. Maintaining servers exposes the bad guys to risks they may not be willing to take.
  • Perpetrators may simply not bother. A one-man operation can easily bring in a minimum of thousands of dollars (or euros or pounds) a day, millions a year without lifting a mouse-finger. An extortionist whose biggest problem is hiding money from authorities may feel no obligation to release hostage files.
  • Hidden servers, if existing at all, may be taken down by its ISP, by government raid, by weather, by a denial-of-service (DoS) attack, by power failure or other outage, or by the bad guys themselves to evade detection. Perpetrators, particularly those on the move, may rely on laptops that are on-line only for brief periods. A perpetrator who can’t connect can’t repair the damage.
  • Because of a restricted ability to test malware, perpetrators’ programs may be bug-ridden and unable to recover the data. FireEye reports that files encrypted and then decrypted by TeslaCrypt turn out corrupted.
  • Perpetrators may not have the sharpest grasp of time zones, which may cause a premature trashing. Problems are exacerbated within one time zone of the Greenwich meridian and worldwide during daylight savings time changes. Ransomware does not take into account weekends, holidays, and banking hours.
  • Perpetrators may not have the sharpest grasp of exchange rates. For example, a ransom page may demand $300, but with worldwide reach, may receive $300 Canadian instead of US dollars and therefore not release the files.
  • Victims’ machines may be knocked off-line by the same problems above that affect perpetrators’ servers.
  • Victims’ drives may be so badly damaged, that recovery becomes impossible. Moreover, perpetrators may encrypt the very keys or tokens victims need to communicate with their bank.
  • Victims usually don’t possess a clear understanding of bitcoins. Some attacks require users to install modified TOR browsers to arrange payments. While these measures help perpetrators hide from authorities, victims lose time and possibly their files while trying to figure out the process.
  • Victims’ anti-virus software may belatedly catch and delete the ransomware program making recovery impossible.
  • Multiple malware infections may collectively interfere with each other. Victims may inadvertently exacerbate the problem by researching malware on the internet, triggering secondary infections that make recovery impossible.
  • Victim’s computers may reinfect themselves as drives are brought on-line.

Recovery

Clearly the odds of recovery are better with anti-ransomware programs, assuming data hasn’t been deliberately damaged beyond encryption. If at all possible, create and work from an external drive. You may find better success removing the computer’s hard drive and hooking it up to a clean computer. The idea is to keep the virus dormant while attempting to remove it and correct the damaged files.

At the end of the countdown period (typically 72 or 96 hours), some malware strains sabotage the rest of the hard drive, erasing boot tracks and directories. Marchant suggests it might be possible to turn back the clock in a PC BIOS by several hours to extend the period of analysis and recovery. For this to work, the computer must remain disconnected from the internet.

If there is an extant key, it may not reside in a remote server at all but could be buried in your machine. That can help assist programs in decryption.

Following are a few Mac and Windows resources to help in preventing and recovering from ransomware.

Be safe out there!

11 comments:

Paul D. Marks said...

Thanks, Leigh. Your 3 part series is really helpful...but very scary.

Leigh Lundin said...

Thanks, Paul. It's threats like these that make me wish I was still doing software forensics and design. The challenge is clear: so much intelligence wasted on evil intent. This is the true material for spy thrillers.

janice law said...

Really interesting.
To think I used to complain about the manual typewriter!

Leigh Lundin said...

Interesting point, Janice. The more 'intelligence' we give a machine, the more vulnerable it becomes.

Herschel Cozine said...

I have gotten to the point where I hesitate to open attachments on e-mails from folks I know. Their names can and have been hijacked. I have been bitten by one, (fortunately not too difficult to correct). Very helpful if scary piece, Leigh. Thanks.

A Broad Abroad said...

I'm with Thrush – keep quite and don’t respond in any form or fashion. It would be as dangerous as unsubscribing from junk mail.

Thanks for the articles – we can't say we haven't been warned!

Vicki Kennedy said...

Thanks for all the info, Leigh. I get emails all the time saying they are from friends, but if there's only a link in the email and no note or indication it's really from that friend I hit delete. It's a scary world out there. Greed abounds and greed has always been the driving force of true evil in the world.

Leigh Lundin said...

Herschel, you’re right about getting phony emails from friends and family. Emails can contain two potential pitfalls, misleading embedded links and reactive ‘payloads’, as attachments are sometimes called. Last week, I mentioned how easy it is to be fooled by malware disguised as perhaps a photo, say MomAndDad.jpg, which is really MomAndDad.jpg.exe in disguise. A the visible text of a link in an email (or a web page) might read MyBank.com, but the hidden HTML might contain nasty JavaScript or a link to PhonyBank.com, simulating your bank’s web page, hoping you type in your ID and password.

You’re welcome, ABA, and thanks for letting me know. I’m also glad you took your backup! Keep doing that!

Vicki, you’re correct. If you see an email from a friend with an unexpected link and nothing else, there’s a good chance it’s up to no good. Sad to say, some cretins on the internet love to fool others. It’s possible to look at email headers and trace back where the email really came from, but most email browsers hide the headers by default.

Anonymous said...

Another article  underscores the advice.

http://finance.yahoo.com/news/what-to-do-ransomware-hackers-011857871.html

vRD said...

Crypto Ransomware Attacks Have Jumped 500% In The Last Year

Leigh Lundin said...

This Mac ransomware has no intention of restoring files after payment.