[BreachExchange] Got ransomware? What are your options?

[Audrey McNeil]

https://nakedsecurity.sophos.com/2016/03/03/got-ransomware-what-are-your-options/


As you can imagine, one of the most common questions we get asked about
ransomware is, “What do I do now?”

It’s easy to be wise after the event: could’a, would’a, should’a.

Could have ignored the instructions to “Enable Macros”; would have been
smart just to delete the email in the first place; should have bought that
USB backup drive last week when they were on special at $45.

But what if the worst has happened, all your files are encrypted, and
you’re staring down the barrel of a pay page where the crooks are calmly
demanding $300 in Bitcoin for the key to unlock your precious files?

We’re assuming that you have no offline backups, and that the only copies
of the files you want to preserve are sitting there in scrambled form on
your hard disk, so near but yet so far.

Can you get your files back without paying?

As usual with IT-related questions, the answer is, “It depends.”

Shortcuts to recovery

Sometimes, the crooks make programming mistakes and there is a sneaky
shortcut to recover for free.

For example, in the first ever ransomware attack, back in 1989/1990 (true!)
the crook behind the scam wanted you to send a bank draft for $378 to an
accommodation address in Panama.

However, he took the cryptographic shortcut of using the same encryption
key on every computer, so free tools to unscramble the malware, known as
the AIDS Information Trojan, soon appeared.

Similarly, in a recent case of Linux-based ransomware, the programmers
chose a unique sequence of encryption keys for each server that they
attacked, so that even two identical copies of a file would end up
scrambled differently.

But they generated their keys using an algorithmic sequence known as a
pseudo-random number generator, or PRNG, that was kickstarted using the
timestamp of the first file that was scrambled.

Therefore, with a little guesswork, you could reconstruct the list of
decryption keys yourself.

There are other ways you might be able to get some or all of your data back
without a proper, offline backup, for example on a removable disk or in the
cloud.

For example, Windows lets you make shadow copies of your files: a sort of
rolling, on-line backup that keeps earlier versions of files handy.

Shadow copies are stored in aptly-named Volume Snapshot Service (VSS) files.

VSS files may therefore provide a quick fix against some ransomware, but
that’s not very likely these days, because most ransomware deliberately
triggers system commands to remove all your VSS files before scrambling the
data that’s left.

So, if you’ve been hit by ransomware, and you can identify the malware
strain involved, it’s worth asking around just in case there are any
shortcuts that might let you recover without paying.

Nevertheless, we have to be blunt here, and tell you, “These days, it’s
unlikely, so expect the worst.”

Longcuts to recovery

When a legitimate program modifies an existing file, it usually makes a
copy of the file first, modifies the copy, and only then deletes the
original.

This is a handy programming precaution to give you a chance of recovery in
case something goes wrong and the program crashes in the middle of
processing the file.

If the crooks use this sort of process when scrambling your files, there’s
a slim chance of undeleting some of your old files, assuming that the
crooks used the operating system’s regular file-deletion function.

That’s because most operating systems don’t overwrite deleted files
immediately: to save time, they simply label the disk space occupied by the
old file as “available for re-use”, so that it’s often possible to recover
old files, at least for a while.

But undeleting files is a hit-and-miss operation.

To do it properly may require spending both time and money on a data
forensics expert, and even then, you might end up with disappointingly
incomplete results.

Calling in forensic experts is probably what would happen in a really
important case, such as a murder investigation.

But after a ransomware attack, you might as well assume that data recovery
will end up much more expensive than the ransom the crooks are demanding.

Of course, ransomware crooks don’t want you to recover without paying, so
they don’t need to be so careful in their coding.

They typically just overwrite your files in place, aiming to leave as
little as possible of the old content behind.

In theory, however, even rewriting a file in place might not actually
overwrite the disk sectors in which the original content was stored.

Some operating systems, and some disk devices, deliberately shuffle writes
around on the disk to perform what’s called wear levelling.

Solid state disks that use flash memory actually degrade with use due to
wear-and-tear right down at the electron level, so writing over and over to
the same memory cell can shorten the life of the device. Thus, wear
levelling.

So, trying to dig down to the disk sector level, or even to the disk
device’s firmware level, to look for data that was overwritten logically
but not physically, is technically possible.

Once again, however, it would be much more uncertain, and very, very much
more expensive, than just swallowing your pride and paying the crooks.

Cracking the encryption

The last way to cut the ransomware crooks out of the equation is to crack
the encryption they’ve used.

As mentioned above, they sometimes make programming blunders, or choose
weak ciphers, or use strong ciphers incorrectly, and therefore leave behind
cryptanalytical backdoors.

But if they’ve done the crypto correctly, cracking it is as good as
impossible, and here’s why.

A lot of ransomware, such as CryptoWall and Locky, uses a technique like
this:

Connect to a server run by the crooks and download an RSA public key unique
to your computer.
Generate a random AES key for each file (keeping it only in memory) and
encrypt the file.
Encrypt the AES key with the RSA public key and save the encrypted
file-decryption key along with the file.

Don’t worry if you have to read that a few times to get the picture of what
it going on.

The trick is that the RSA encryption algorithm relies on two keys, not one:
the public key locks your data, and thereafter, only the private key can
unlock it.

In other words, if the crooks generate an RSA public-private key pair in
the cloud for each infected computer, and only ever send out the public
keys, then the crooks really are the only possible source of the unique
private key needed to unlock the AES keys that in turn unlock your files.

Why not just encrypt the files themselves with the RSA public key, and
leave out the AES part?

That’s because RSA is so slow that it’s only practical to use it to encrypt
small amounts of data, such as randomly-chosen keys for much faster
algorithms such as AES.

Why use a different key for every file?

That’s so every file encrypts differently, even if it has the same content,
so you can’t use decryption hints from one file to decrypt any others.

In other words, decrypting all your files without paying is equivalent to
one of these feats:

Cracking the RSA public-private encryption algorithm and thus recovering
all the per-file AES keys.
Cracking the AES encryption algorithm, once for each file.

We don’t want to discourage you, but we think that’s a much harder and much
less certain undertaking than paying the crooks.

What to do?

It sounds as though we’re advising you simply to pay up.

For the record, we recommend that you don’t pay, on the grounds that this
means sending money to criminals.

Indeed, if you get hit by ransomware and you decide to take it on the chin,
write off all your files, and start over, we say, “Power to you,” and we
salute your fighting attitude.

What we are saying is that if you really need your files back, and you
haven’t taken any precautions such as backing up, then you don’t really
have any choice but to pay.

We’d rather you didn’t pay up, but if you do, we understand and respect
your choice. (It’s easy to be high and mighty when it’s not your data on
the line!)

We really wish things weren’t like that, but we thought it would help if we
explained your options in an uncompromising sort of way.

In other words, “Prevention is better than cure!”

Useful ransomware precautions

- Backup regularly and keep a recent backup copy off-site. There are dozens
of ways other than ransomware that files can suddenly vanish, such as fire,
flood, theft, a dropped laptop or even an accidental delete. Encrypt your
backup and you won’t have to worry about the backup device falling into the
wrong hands.
- Don’t enable macros in document attachments received via email. Many
ransomware attacks arrive in documents, and rely on persuading you to
enable macros (embedded document scripts). - Don’t do it: Microsoft
deliberately turned off auto-execution of macros by default many years ago
as a security measure.
- Consider installing the Microsoft Office viewers. These viewer
applications let you see what documents look like without opening them in
Word or Excel itself. In particular, the viewer software doesn’t support
macros at all, so you can’t enable macros by mistake!
- Be cautious about unsolicited attachments. Crooks who send malware in
documents are relying on the dilemma that you shouldn’t open a document
until you are sure it’s one you want, but you can’t tell if it’s one you
want until you open it. If in doubt, leave it out.
- Don’t give yourself more login power than you need. Most importantly,
don’t stay logged in as an administrator any longer than is strictly
necessary, and avoid browsing, opening documents or other “regular work”
activities while you have administrator rights.
- Patch early, patch often. Malware that doesn’t come in via document
macros often relies on security bugs in popular applications, including
Office, your browser, Flash and more. The sooner you patch, the fewer open
holes remain for the crooks to exploit.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160303/8827f63f/attachment-0001.html>