ransomware again, really?


Malware logo Crystal 128.
Malware logo Crystal 128. (Photo credit: Wikipedia)

Some days ago a friend of mine reported me that his company has been affected by a ransomware cryptoloker style. I keep hearing people infected by this kind of infection and I am starting to wonder if people has really understood what a cryptomalware really is and how it works.

 

here from Wikipedia:

Ransomware is a type of malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction.

Some forms of ransomware systematically encrypt files on the system’s hard drive (cryptoviral extortion, a threat originally envisioned by Adam Young and Moti Yung) using a large key that may be technologically infeasible to breach without paying the ransom, while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a trojan, whose payload is disguised as a seemingly legitimate file.”

 

now let first try to understand what this means in practical words:

a ransomware is a malware“, this should make clear that this is something bad.

that restricts access to a computer system” , this clearly means that the aim of this kind of malware is to make you hard to log in to your computer andor data.

those days the most common form of this malware type is the cryptomalware, a malware that specifically deal with your data encrypting them. this basically means that your data are not deleted or moved but, simply, the malware make them unreadable. if you want to get access to your data again it requires of a ransom to be paid , if you are lucky.

now let us try to understand why this kind of malware is so popular, the reason are basically 2:

  1. it is easy to get infected
  2. it allow a quick access to money

let try to understand why it is easy to get infected by a cryptomalware:

To Crypt or not to Crypt.

Unlike we commonly think, encrypting a file is really easy and need really low permissions: you just need the right to edit the file.

you don’t really need to create special algorithm all you need is deeply documented in literature, beside crypto API are present everywhere and it’s an easy job to reach needed libraries.

So the encryption technique is still hard to be understood by IT managers, not for bad people.

if encryption is easy likewise is easy to have enough right to encrypt a file, you just need your ordinary rights on a file. you do not need administrator right, privilege escalation or esoteric techniques, your right to edit (Write) is enough.

Just remember:

If you can save it, then you can change it

Now this kind of rights are common for any user in any O.S. Even in the most security savvy organization if you can’t open a file or edit you can’t work on it.

On the other end the number of applications, programs, apps or whatever that are able to read and write with your same rights are simply almost all the one present in your system.

this means that a ransomware has:

  • consolidated technology to rely on

  • greatest attack surface (basically any app, browser)

  • low rights needed

a heaven.

another interesting aspect of the ransomware is that the activities it does are almost standard inside the OS, does not open weird ports, does not change configuration settings, does not create users…it just write… as an ordinary user or app.

This makes the identification quite difficult for any antimalware system, since the operation is a normal one, and there are thousands of write operation on file every moment.

A good cryptomalware, moreover, does not need to target sensitive system files, that can require specific access permissions. due to its aim (allow the attacker to make money) it just need to target normal documents: .PDF, .DOC, .XLS, .PST …..

and those are the documents you commonly use, edit and save.

I want you to understand a critical point:

if your antivirusantimalware didn’t detected the ransomware on the infected machine, there is no way that other AVAM can detect the operation against normal readwrite operation on files, since a good ransomware just access what the user can access and do what the user usually do.

So what you need to be infected? All you need is your browser or the access to an infected application and you have an open windows to the world of encryption.

But I have antivirus on servers…..

good for you, good security practice to avoid infection spreads across your networks, almost useless against cryptomalware activities coming from an infected machine.

Got infected, and now?

It is easy to get infected, it is a different story to get rid of it.

Basically you need the key and the algorithm used to encrypt the file to decrypt it. This can be done usually in two ways, but neither of the two gives guaranties:

  1. you pay the ransom
  2. you ask support to an antivirus company

let try to understand option 1.

there is no guarantees that once the ransom has been paid you got your key. the reason can be different, and not necessarily related to the “ethic” of your attacker (please feel some irony in the previous statement).

there are a lot of old ransomware in the wild coming from old attack campaigns that are no longer monitored, and may be there is no one ready to accept your payment in bitcoin or any other virtual currency.

this is a more common issue than you think, a ransomware attack is not meant to last for ever, but the infected sources can remain infected for a lot of time even after the attack.

the attacker can been already been arrested or simply consider to risky to accept the payment.

and I didn’t mentions other unlucky condition, like been a collateral damage of a target attack to someone else, just so unlucky to find a test code to prepare an attack ……

so pay is an option but without guaranties…

let consider option 2

If nobody gives you the code you can try to analyze the encrypted files to find out if there are “fingerprints” resembling some known attack, in this case you can try to guess the encryption key somehow once you understand what is the cryptoware that makes the damage. luckily to avoid too much resource consumption usually keys and algorithm are not the most resource intensive, so some reverse engineering is still possible.

antivirus companies have samples and technology to try to save your data… try is the key.

there are no guaranties.

The problem is how much time you need to free your data form this unwanted encryption. it is a matter of time or, if you like more, processor power. even if well equipped even antimalware companies have limitation in terms of resources, so it is not always possible to encrypt your data.

I am sorry but this is the sad truth, in a world with unlimited resources we would not be affected, but we are not in this kind of world.

What should we do?

I wrote about this in the past (same subject actually). the very first step should be:

  1. isolate the infected machine
  2. report the incident to the local authorities
  3. report the incident to your antivirus software company
  4. start a recovery and mitigation activity.

1. isolate the infected machine

a ransomware can encrypt easily so it can spread easily: shared folders on servers are an easy target. before you can realize it your user can have create a lot of more damage. and if your antivirus didn’t catch it and you use the same antivirus on the servers there are no reason to expect a different behavior on your fileservers.

2. report the incident to the local authorities

believe it or not, police enforcement units can be of great support, you can be victim of a running ransomware attack that they are already monitoring or simply they can track down the attacker and get the key. Keep in mind that a ransom, unless is organized by a government in form of taxes, is never legal.

 3. report the incident to your antivirus software company

like for the previous point you can be lucky enough and they have a solution, as I wrote before it is not sure but is a possibility. beside reporting an attack that has not be detected makes possible to write protection signatures. don’t even think for a moment that since you got hit ones you are safe for the rest of your life. this is not like “chicken pots”  , you can’t be immunized.

4. start a recovery and mitigation activity.

this is the harsh point right?

what means recovery and mitigation?

well let be clear: till you do not have forensic proofs on how the infection strikes you, you can’t say you are safe. the malware that fucked you once can be still there lurking in the dark inside your network.

you should take all the needed precautions rising up the level of monitoring, checking for unusual write activity and alert your users on what are the steps to follow.

the target is to lower the kind of damage the ransomware can do again till you are not sure you are clean, and the incident is solved.

about recovery, well it is clear here that the king of the lab is a good backup policy. This means to have a system that can allow you to recover your data to a previous state, when data were not affected. this will lower the amount of damage you are going to face.

there are thousands of articles on how to manage correctly backup so I will not spend time here. just if you think backup is obsolete you probably didn’t understood what backup means (and what are the current available technologies).

just want to mention a couple of things:

disaster recovery and backup are two different things, so do not think you can use one instead of the other

some vaulting system, versioning , journaling and other technologies can be useful to mitigate and recover from this kind of accidents.

sometimes would be enough to plan correctly what you already have in your OS to survive this kind of problem, versioning and journaling of files are technologies present in windows and Linux, you just have to carry out them knowing what you are doing (possibly).

 

to the next, cheers.

Related articles

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

ransomware again, really? was originally published on The Puchi Herald Magazine

I’m at Lacchiarella! October 11, 2015 at 05:31PM


http://4sq.com/hyYzZX
via IFTTT

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

I’m at Lacchiarella! October 11, 2015 at 05:31PM was originally published on The Puchi Herald Magazine

I’m at via g d’annunzio 29,vistarino! October 10, 2015 at 10:53PM


http://4sq.com/HdQWvE
via IFTTT

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

I’m at via g d’annunzio 29,vistarino! October 10, 2015 at 10:53PM was originally published on The Puchi Herald Magazine

Managers role, leaders and VW


logoOne of the things that make me think about the Volkswagen Diesel gate is the role of the management inside a company. All Diesel gate is a demonstration of how dangerous is to have bad managers in a company. It is supposed that managers have the responsibility to take decision and drive the company to reach the goals, this is the justification for their paycheck at the end a manager have to

  • take decisions
  • take responsibility

but is this actually the truth?

My experience as trainer, consultant and coach alas told me that the truth is quite different, and we can find clear example everywhere. Every time something goes wrong there are always good excuses (laws, government, economical outlook, competition, price …) great justifications (I didn’t know, I can’t look at every detail, my people should have dealt with this…) but seldom sincere apologies and acts of responsibility.

612ce929df63ee64b6ecf12219fea743Take as an example the Volkswagen affair. Volkswagen CEO resign, with a millionaire paycheck, after making such a mess of the company. But the rest of the managers? In a hierarchical structure there should be a mix of direct responsibility and delegation, 11 million cars not compliant can’t be done without anyone knows.

Someone has approved some bad choices, and someone has to be responsible. The CEO and at least all the management chain that deal with the production share a big part of this responsibility, and so they should pay part of the costs. And believe me the magnitude of the damage is big, and it will be clear in the next years. Once you lose the trust of the people you loose one of the most important asset of your company, something that a lot of managers are not able to understand. Alas it is easier to talk how to rise RoI through savings than how to keep value trough brand, company and personal ethics.

I am sorry but big paycheck means also you have to pay the price for your mistakes. Alas this is not what happen in today big infrastructures. Higher level often means the less responsibility for the bad performances. The responsibility is always pushed down till the lower levels.

funny%20cartoon%2015

This is something that is quite clear to anyone worked in a Big Company. The problems are always someone else ones,  and when managers take “difficult” and “painful” decision, as large layoffs, they, basically, turn the problem and the cost of their bad choices to the lower level,  but you know:

someone has to pay.

When I train managers I usually try to explain them that their role is not to give orders but take responsibility.

Unlike personal contributors a manager inside the company has responsibility towards the lower levels and towards the upper level, being a manager means to manage resources in the proper way to meet the result the company need.

Managers

There are a lot of good reasons to want a manager do this.

If a manager is just a mere executor is actually  useless for the company: a paycheck without a brain is not something I would bet my money on. So what a manager should do?

Towards lower level a good manager should try to remove obstacle in order to allow them to reach their goals, and not expecting that the obstacle being remove by hisher people. This should be reflected in hisher KPI. If the team does not reach the goal all the company suffer, and a manager is the primary responsible.

Diapositiva2

I always criticize managers that told me that they want solutions and not problems from their team. If they are not a part, proactive part, of the solution they are, basically, part of the problem.

Being part of the solution does not means to tell someone “do it” but means to analyze the steps required to solve the problem and use all the instrument available to solve it. This could means asking for new resources, change plans and escalate to upper levels the problem if resources are not available.

If the management structure is flat this means a manager couldshould share the resource request directly with hisher peer, in a more hierarchical structure the manager have to ask resource to hisher upper level who will find the correct way.

Of course all those activities should be done inside a framework of policies and indications that allow the correct monitoring and managing of the resources.

If in Volkswagen there was anyone who approved the actions that caused this mess then, heshe is the responsible. But also the rest of the management chain share the responsibility, since they didn’t put in place the correct procedures to avoid this.

Mistake or not this is anyway a management problem, and management should take the responsibility for that, not only the CEO.

All this has nothing to do with leadership but is related to management. there is always a big confusion between the two roles: a leader and a manager are not the same thing,

of course a good manager should have also some leadership skills, but mainly it has to be a good manager.

of course a leader should have also some management skills, but a leader can be just a personal contributor inside a company, not necessarily a manager.

Alas there are roles that need both, a CEO is one of them. As CEO of a company you should prove great management skills as well as leadership ones, same request for the board level.

But where a leader and a manager differs?

Well a leader should be able to inspire people, track new paths, being an example of ethics. A leader should be able to do that “step more” that managers can avoid to do.

But a leader can’t be necessarily a manager or highly successful entrepreneur, we should be wise enough to know the difference.

If you think to the nowadays industrial world there are some “leaders” that are able to inspire: people like Steve Jobs, Bill Gates, Warren Buffet, Richard Branson, Jeff Bezos to name a few well-known names.

Are they perfect? I don’t think so

Are they leader? yes they are

 

Why they are leader? The simplest answer is because people recognize their leadership and … have you noticed that all those examples “create” their company and brand?

There are also other leaders, may be not under the media’s spotlights, but those should be known mostly by everyone (well may be my mum would have some problem).

Then there are great managers and great entrepreneurs that are important as well, but are a completely different thing.

There are also a lot of companies that lives (or sometimes survive) without leadership but just with good management (sorry for the great management, leadership is needed).

Just to be clear there are also companies that lives also without leadership and good management may be because of the past glories but sooner or later have to pay the price (and I have some example in mind now).

What kind of company was VW in your mind?

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Managers role, leaders and VW was originally published on The Puchi Herald Magazine