Ransomware Sucks.

A few weeks ago I started receiving resumés from what looked like legitimate job seekers.  The only problems were a) I am not currently hiring, nor have I put out any feelers that might be misconstrued as I am, and b) There was no cover letter – just a quick note like this:

Hi, my name is re: Les Williamson
I have attached my resume for your consideration.
Thank you,
Les Williamson

There was a file attached of course – a .zip file instead of a .doc or ,pdf file.  I deleted most of them, but I kept one (from Les-Williamson@mhs.novell.com.  I am not sure why I kept it – I had a feeling I would find a need at some point.

Sure enough, I got a call from someone one morning saying they had a very disturbing full-page message explaining what happened to his suddenly inaccessible files:

What happened to your files?

All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.  Morel information about the encryption keys using RSA-2048 can be found here: (link)

What does this mean?

This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen?

Especially for you, on our server was generated the secret key pair RAS-2048 – public and private.  All your files were encrypted with the public key, which has been transferred to your computer via the Internet.  Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do?

Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.  If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

The bottom half of the page gave the links for the sites where the customer could pay the ransom.

Why is it called Ransomware?  Imagine the e-mail were to read like this:

What happened to your daughter?

We have moved your daughter to a secure, undisclosed location for her safe keeping.

What does this mean?

This means that your daughter has been taken from you and imprisoned and you will never see her again… unless you follow our clear instructions.

How did this happen?

After seeking out someone who was vulnerable and had everything to lose, we followed your daughter until she was alone and unprotected; we knocked her out, bound her hands and feet, gagged her, and moved her… somewhere.

What do I do?

DO NOT CALL THE POLICE.  If you do then you will never see your daughter again.  If you ever want to see her alive, do exactly as we say and when we tell you.  If you do not – if you delay, if you call the police, if you try to find where she is being held, we will move her, and make it a lot more expensive (and painful) for you to recover her.

Yes, I am sorry to say… your daughter data has been kidnapped, and is being held for ransom.

So what do I do?

My customer had a lot of very good questions about the attack. 

‘If I pay what they ask will they give me my data back?’

It sounds reasonable… but the phrase Honour Among Thieves went out of fashion a long time ago.  There is no morality to the people who hijacked your data, and there is no way to know for sure if you will get your data back.  What is more likely is that once you have used whatever method of payment you use (credit card, bank account, Paypal, etc…) they will go the next step and steal more from you, except this time they will have a direct line to your bank.

Can we just recover my contacts or some of my non-encrypted data?

No.  Here’s the thing: Your data is encrypted because your computer is infected.  Even if we were able to decode the data, your computer is still going to be infected.  And even if we clean out the infection, your data is still going to be encoded.

The image I want you to bring to mind is of one of those hospital shows where everything is fine, and then Patient Zero comes in with a weird cough and rash, and the entire hospital goes on lockdown and everyone is walking around in space suits.  This is some very seriously scary stuff, and I don’t want it anywhere near my live environment, or my lab environment.

Can it be hacked?

In a word: No.  If we had the computing power of the National Security Agency (NSA) in the US, then it is possible that they have a way to decrypt it; but a 2048-bit private-public paired key combination is not something you are going to crack in your basement… it was designed to make sure that the secrets you want kept stay kept.CryptoWall

This is a screenshot of the bottom half of the message… the ‘how to conveniently pay us’ part of the ransom note.  I have altered it so that the personal page of the actual victim is obfuscated, but otherwise this is what you would see.

If you navigate to any of the payment servers, you will see the following:

image

While it is nice and intimidating to see a padlock similar to the one I used on my high school locker, I can assure you that this is not just a screenshot that you can dig in behind and hack.  The parent sites are all registered at reg.ru, and if you navigate to them without using a translator site (like www.microsofttranslator.com) then you will get a Russian language page.  Being fluent in Russian will not get you anywhere… you have to pay up and then maybe you will get your data back.

If you don’t think these criminals are serious about their security and anonymity, I invite you to read up on the TorBrowser.  It is part of the TOR Project, or The Onion Router, which bounces your connection through over 6,000 relays rendering the source virtually untraceable.  A recent NSA document referred to it as “The king of high-secure, low-latency anonymity.”

The Silver Lining

In preparation for this article I wanted to play with the package; I wanted to actually watch it work.  I formatted an air-gapped PC with Windows 10, downloaded the package, and extracted it.  Immediately Windows Defender popped up the warning that it had detected and eliminated malware.  Yay Windows Defender!  However in this case I do not want you to protect my PC… so I disabled Windows Defender and the file extracted properly.

I let it run… nothing.  It popped up a Javascript error (yes, the package is a .js file within the .zip file, and any of you who are willing to open this when e-mailed from a stranger probably deserve a kick to the derriere). 

Windows 10, out of the box, protected my PC from this malware using several tools, not the least of which was the fact that Java is not installed, and scripts cannot run, and all sorts of other good stuff.

The Bad News

Most of you are not running Windows 10 yet.  You are probably running Windows 8, or more likely Windows 7.  I will over the next few days play around with this malware on those systems, but let’s for the time being assume that your computer is vulnerable… unless you use some common sense.

Conclusion

For years I have been warning users against opening e-mail attachments.  It has always been a bad idea; this relatively new threat has escalated the threat and made it very real.  Most malware can be cleaned out, either by Malware removal Tools or whatever.  This new threat encrypts your data, and if it is not properly backed up somewhere then you are going to have a very bad day… and so will your IT Department.

Ransomware really does suck.  It is not just compromising your data, it is holding it hostage.  If you never saw any other reason to make sure your systems (and knowledge and common sense) were up to date, this should be a wake-up call.

By the way, my client was not out in the middle of Asia or Africa… he was in Toronto.  This is a threat here… wherever here is to you.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s