Data for Ransom


  • The editorial covered what is probably the greatest risk: that we do not back up all that we need to. As our systems get more complex so do the tasks that govern the maintenance of them. In fact, as suggested, we do not even need to utilise the complexity of our subsystems before we have to consider them in installation, backup, security, etc.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • We've been hit with CryptoLocker 5-6 times already. Each time it's been a network share in one of the branch offices that's been affected.

    The Infrastructure guys here have become very proficient in restoring whole file servers. They've even gone down the route of not sending backup tapes offsite until the following day :crazy: :crazy:

    We've also just started using SQL Server 2012 FileTable functionality. The FileTable record is linked to a database record using a regular foreign key. With the foreign key in place, if a file is deleted via the file system, it's "rolled back" due to an FK violation.

    Would be interesting to see if these ransomware apps would create a new encrypted copy of the file and then delete the original file, or read the content, encrypt it, then write it back.

    Don't even want to think about encrypted database scenario you outlined. I have enough nightmares thanks :unsure::crazy::Whistling:

    --------------------
    Colt 45 - the original point and click interface
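    The FileTable plus foreign-key arrangement described in the post above, written out as an added example; this is not philcart's own code. The database is assumed to already have a FILESTREAM filegroup and FILESTREAM enabled at the instance level; the directory, table, column and file names are hypothetical.

```sql
-- Added example (not from the original post). Assumes a database with a
-- FILESTREAM filegroup; directory, table and file names are hypothetical.

-- Share access to the FileTable requires non-transacted access; this is what
-- lets an infected workstation see the files as an ordinary network folder.
ALTER DATABASE CURRENT
    SET FILESTREAM (NON_TRANSACTED_ACCESS = FULL, DIRECTORY_NAME = N'RansomDemo');
GO

-- The FileTable itself: every file in the share is a row here.
CREATE TABLE dbo.Documents AS FILETABLE
    WITH (FILETABLE_DIRECTORY = N'Documents',
          FILETABLE_COLLATE_FILENAME = database_default);
GO

-- Registry table. The foreign key references the FileTable's unique stream_id,
-- so a row (file) that is registered cannot be deleted while the reference exists.
CREATE TABLE dbo.DocumentRegistry (
    DocumentId  int IDENTITY(1,1) PRIMARY KEY,
    StreamId    uniqueidentifier NOT NULL
                CONSTRAINT FK_DocumentRegistry_Documents
                REFERENCES dbo.Documents (stream_id),   -- ON DELETE NO ACTION (default)
    Description nvarchar(200) NOT NULL
);
GO

-- Create a file through T-SQL (the same row a file dropped into the share would
-- produce) and register it. Content is a constructed sample.
DECLARE @NewFile TABLE (StreamId uniqueidentifier);

INSERT INTO dbo.Documents (name, file_stream)
OUTPUT inserted.stream_id INTO @NewFile
VALUES (N'patient-notes.txt', CAST(N'constructed sample content' AS varbinary(max)));

INSERT INTO dbo.DocumentRegistry (StreamId, Description)
SELECT StreamId, N'sample record' FROM @NewFile;
GO

-- What a delete through the share becomes under the covers.
-- Fails with error 547 (REFERENCE constraint conflict); the file stays.
DELETE FROM dbo.Documents WHERE name = N'patient-notes.txt';
GO

-- What an in-place overwrite through the share becomes. This succeeds:
-- the foreign key constrains the key column, not the file content.
UPDATE dbo.Documents
SET file_stream = CAST(N'constructed stand-in for encrypted bytes' AS varbinary(max))
WHERE name = N'patient-notes.txt';
GO
```

    The two statements at the end answer the question raised in the post. A foreign key on stream_id blocks the "write an encrypted copy, then delete the original" pattern, because the delete of the original row fails. It does nothing against the "read, encrypt, write back" pattern, which arrives as an UPDATE of file_stream, and it does not stop a rename (an UPDATE of name) either. Protecting content as well as existence needs something outside the FK, such as a read-only or versioned copy of the FileTable data taken by the normal backup job.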

  • I think the government needs to do the right thing and get involved in the hospital's operations for awhile. It should start with a fine for not having things backed up. It should then proceed to having the hospital hire monitors so that they don't get caught in the situation again.

    Simple reality is that one can't stop all malware. Thus, one must have data stored in such a manner that it can be read by a clean system. And the companies need to regularly run tests. (Daily automated tests may even be called for.)

    There are at least a couple underlying things that are evident if one thinks about it:

    1) The hospital's records had to have been exposed to outside parties in violation of HIPAA laws.

    2) The hospital could have lost records that by law it must maintain.
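    A daily automated restore test of the kind the post above calls for, written out as an added example in T-SQL; it is not kiwood's code and not a procedure the thread describes. The database name PatientRecords, its logical file names, the backup path, the scratch paths and the canary row in dbo.Patients are all hypothetical.

```sql
-- Added example (not from the original post). Database, file and path names
-- are hypothetical. Intended to run as a scheduled job on a server that has
-- no write access to the production file shares.

-- 1. Full backup with CHECKSUM so that every page carries a checksum into the
--    backup and a backup file altered or damaged at rest can be detected later.
BACKUP DATABASE PatientRecords
    TO DISK = N'\\backupvault\sql\PatientRecords_FULL.bak'
    WITH INIT, CHECKSUM, COMPRESSION;

-- 2. Header and checksum verification without restoring. Cheap; catches a
--    truncated or tampered file, but says nothing about logical consistency.
RESTORE VERIFYONLY
    FROM DISK = N'\\backupvault\sql\PatientRecords_FULL.bak'
    WITH CHECKSUM;

-- 3. Restore under a scratch name. This is the only real proof that the
--    backup can be read by a clean system.
IF DB_ID(N'PatientRecords_RestoreTest') IS NOT NULL
BEGIN
    ALTER DATABASE PatientRecords_RestoreTest SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
    DROP DATABASE PatientRecords_RestoreTest;
END;

RESTORE DATABASE PatientRecords_RestoreTest
    FROM DISK = N'\\backupvault\sql\PatientRecords_FULL.bak'
    WITH CHECKSUM, RECOVERY,
         MOVE N'PatientRecords'     TO N'D:\RestoreTest\PatientRecords_RestoreTest.mdf',
         MOVE N'PatientRecords_log' TO N'D:\RestoreTest\PatientRecords_RestoreTest.ldf';

-- 4. Logical consistency of the restored copy.
DBCC CHECKDB (PatientRecords_RestoreTest) WITH NO_INFOMSGS, ALL_ERRORMSGS;

-- 5. Application-level check on a known row (hypothetical canary). A backup
--    taken after the data was already encrypted in place passes steps 1-4
--    and fails here.
IF NOT EXISTS (SELECT 1
               FROM PatientRecords_RestoreTest.dbo.Patients
               WHERE PatientId = 1 AND LastName = N'Canary')
    RAISERROR (N'Restore test failed: canary row missing or altered', 16, 1);

-- 6. Clean up so the next run starts from the backup file, never from a
--    leftover copy.
ALTER DATABASE PatientRecords_RestoreTest SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
DROP DATABASE PatientRecords_RestoreTest;
```

    Steps 1 and 2 on their own are not a restore test; a backup can verify cleanly and still restore to a database whose rows were encrypted before the backup ran. Step 5 is what ties the test to the data, and the job should fail loudly (an Agent job step failure or an alert on the RAISERROR) rather than log and move on.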

  • This might be a naïve question, but how can a ransomware victim be assured of receiving the key after making payment?

  • Walter Levy (2/23/2016)


    This might be a naïve question, but how can a ransomware victim be assured of receiving the key after making payment?

    I think that it is a combination of desperation on the victim's part and business sense on the blackmailer (in the long term people will not pay up if they hear that no one gets their data back anyway).

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • kiwood (2/23/2016)


    I think the government needs to do the right thing and get involved in the hospital's operations for awhile. It should start with a fine for not having things backed up. It should then proceed to having the hospital hire monitors so that they don't get caught in the situation again.

    Simple reality is that one can't stop all malware. Thus, one must have data stored in such a manner that it can be read by a clean system. And the companies need to regularly run tests. (Daily automated tests may even be called for.)

    There are at least a couple underlying things that are evident if one thinks about it:

    1) The hospital's records had to have been exposed to outside parties in violation of HIPAA laws.

    2) The hospital could have lost records that by law it must maintain.

    A CryptoLocker infection doesn't necessarily mean that the network is exposed to the outside. CryptoLocker is basically a malware trojan that gets executed when someone attempts to download what they think is a legitimate software install from the internet. It automatically scans mapped drives and encrypts data files using a key that only the hacker has. The hacker doesn't need to access the infected network; they just passively sit back and wait for one of the million victims to contact them, at which point they provide the decrypt key in exchange for bitcoins.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Very scary scenarios, Steve. It sounds more like a JJ Abrams movie plot, rather than potentially real. WOW, I hope it doesn't happen here.

    Kindest Regards, Rod Connect with me on LinkedIn.

  • (Reply to Walter's post) Oddly enough, probably because criminals have to be "honest" about their threats.

    If the victim didn't get the key there would be no impetus for anyone to ever pay again in the future.

    "Trust us... We're honest criminals."

  • philcart (2/23/2016)


    We've been hit with CryptoLocker 5-6 times already. Each time it's been a network share in one of the branch offices that's been affected.

    The Infrastructure guys here have become very proficient in restoring whole file servers. They've even gone down the route of not sending backup tapes offsite until the following day :crazy: :crazy:

    We've also just started using SQL Server 2012 FileTable functionality. The FileTable record is linked to a database record using a regular foreign key. With the foreign key in place, if a file is deleted via the file system, it's "rolled back" due to an FK violation.

    Would be interesting to see if these ransomware apps would create a new encrypted copy of the file and then delete the original file, or read the content, encrypt it, then write it back.

    Don't even want to think about encrypted database scenario you outlined. I have enough nightmares thanks :unsure::crazy::Whistling:

    Yikes. let's hope my scenario is just an idea that never gets implemented.

  • kiwood (2/23/2016)


    I think the government needs to do the right thing and get involved in the hospital's operations for awhile. It should start with a fine for not having things backed up. It should then proceed to having the hospital hire monitors so that they don't get caught in the situation again.

    Simple reality is that one can't stop all malware. Thus, one must have data stored in such a manner that it can be read by a clean system. And the companies need to regularly run tests. (Daily automated tests may even be called for.)

    There are at least a couple underlying things that are evident if one thinks about it:

    1) The hospital's records had to have been exposed to outside parties in violation of HIPAA laws.

    2) The hospital could have lost records that by law it must maintain.

    If you read the article, part of the issue is that some of these embedded systems in use in hospitals don't have good interfaces for backups. I think this is both a vendor, and an IT issue.

  • My 6 year old niece managed to download some ransomware onto her mother's tablet in an app aimed at children. That's just vile.

    Going after hospital records is beyond the pale. Aside from the birth of your children a trip to hospital is not one of life's pleasures and the thought that your medical history might be unavailable due to malign activity is worrying. It's on par with attempted murder.

  • David.Poole (2/23/2016)


    My 6 year old niece managed to download some ransomware onto her mother's tablet in an app aimed at children. That's just vile.

    Going after hospital records is beyond the pale. Aside from the birth of your children a trip to hospital is not one of life's pleasures and the thought that your medical history might be unavailable due to malign activity is worrying. It's on par with attempted murder.

    Like I presume the majority will think, I wholeheartedly agree. Unfortunately, they do it because they choose to not because they can.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • David.Poole (2/23/2016)


    My 6 year old niece managed to download some ransomware onto her mother's tablet in an app aimed at children. That's just vile.

    Going after hospital records is beyond the pale. Aside from the birth of your children a trip to hospital is not one of life's pleasures and the thought that your medical history might be unavailable due to malign activity is worrying. It's on par with attempted murder.

    A couple of years ago, I was using a website called www.listentoyoutube.com to download MP3 audio recordings of YouTube videos. The way it works is that the user pastes the URL for a video into a web form, and then the website dynamically does the conversion and returns back to the user a link to download an MP3 file having the same name as the original video. At first the service seemed to work great. However, after successfully converting several videos, I noticed it suddenly returned a link to an EXE file instead of MP3. The EXE had the same file name as the video, just a different extension. This was an obvious attempt by the website to fool users into running some sort of install for adware or a trojan.

    I stopped using the service at that point, but then the very next day when I logged into my laptop, all my document folders were missing. I also found a TXT file in the root of C: drive informing me that the files were encrypted and providing instructions on how to send bitcoin payment to receive a decryption program. Doing some searching, I learned this was the CryptoLocker trojan or a variant. My suspicion is that while using the above mentioned website I must have clicked on one of the EXE downloads and didn't realize it.

    So heads up that this is at least one method hackers use to distribute the trojan install. I would also be very wary when using other websites that provide links to shareware and open source application downloads. I've seen other cases where presumably legitimate websites like CNET Downloads will contain embedded links to 3rd party downloads which disguise themselves as a "Download" link. I'll give CNET the benefit of the doubt and assume that they have no editorial process in place to weed out malware ads, but it is very unprofessional that they would allow a 3rd party to abuse their service like that.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • WOW, Eric! That's pretty bad. Up to this point we've been talking about corporate systems. Now you're mentioning a personal computer. I've heard of people being stung by ransomware, but you're the first one I've known who actually experienced it. If you don't mind saying, how did you handle it? And what AV was being used at the time?

    Kindest Regards, Rod Connect with me on LinkedIn.

Viewing 15 posts - 1 through 15 (of 28 total)
