> The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff. There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.
I think this is an important take-away. I found it strange that so many media outlets and IT departments were jumping on the "do not open suspicious emails" bandwagon even though there hasn't been a lot of evidence of such phishing emails. That is: screenshots of infected devices have been popping up all across the world, but almost no examples of a particular entry email have been shown.
Of course, it might be easier for an IT dep. to state: "it must have been unleashed by someone clicking on some email they got" rather than "oops, we still had unpatched Windows machines exposed to the public internet". Why go through the trouble of sending out emails when your worm already contains a replication/infection mechanism? Just use a botnet to scan those 1 million IPs and see if SMB is open.
That being said, it does not surprise me to see yet again an issue in SMB. This has been a particularly weak point in Windows for decades now. I remember "hacking tutorials" from 15 years ago where you'd just go out and nmap public IP ranges to see if you could access hidden shares (e.g. like so: http://www.madirish.net/59). Also there was this issue of Windows keeping weak NetBIOS password hashes around which could be trivially unhashed (https://vuldb.com/?id.13824), years ago.
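The "scan a range and see if SMB is open" step the comment above describes, written out as an added example (not code from the thread, from the article, or from any worm): a plain TCP connect-scan for port 445 over a list of targets, the way a defender would run it against ranges they own. It only tests whether the port completes a TCP handshake; it does not speak SMB or touch any share. The target range in the `__main__` block is an assumed placeholder from the RFC 5737 documentation space.

```python
"""Connect-scan for hosts exposing TCP/445 (SMB).

Added example for this thread, not code from the discussion or from any
worm. It checks only whether 445/tcp accepts a connection; it does not
send an SMB negotiate or enumerate shares.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Sequence

SMB_PORT = 445


def tcp_port_open(host: str, port: int = SMB_PORT, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as "not exposed".
        return False


def expand_targets(cidrs: Iterable[str]) -> List[str]:
    """Expand CIDR ranges into host addresses (v4 network/broadcast excluded)."""
    hosts: List[str] = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        hosts.extend(str(h) for h in net.hosts())
    return hosts


def scan_smb_exposure(hosts: Sequence[str], port: int = SMB_PORT,
                      timeout: float = 1.0, workers: int = 64) -> List[str]:
    """Return the subset of `hosts` that accept connections on `port`, in input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: tcp_port_open(h, port, timeout), hosts))
    return [h for h, is_open in zip(hosts, flags) if is_open]


if __name__ == "__main__":
    # Assumed placeholder range (RFC 5737). Replace with a range you are
    # authorised to scan; scanning other people's address space is not OK.
    targets = expand_targets(["192.0.2.0/28"])
    exposed = scan_smb_exposure(targets, timeout=0.5)
    print(f"{len(exposed)} of {len(targets)} hosts accept connections on {SMB_PORT}/tcp")
    for h in exposed:
        print("  ", h)
```

The point of the example is how cheap the check is: a handshake per address with a short timeout and a thread pool gets through a /16 in minutes, which is why "just scan for 445" is a plausible first hop for a worm that already carries its own SMB exploit, and why the same scan of your own perimeter is worth running before someone else does.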
A fair amount of ransomware is distributed via email, so it's not such a bad idea when this issue is front and centre and all over the news to reinforce good behaviour amongst users.
It's not like 'stop clicking random shit in emails' is bad advice.
I do remember when ILOVEYOU was making the rounds...and to paraphrase, it's not like 'stop clicking random shit in emails' is useful advice.
Yes, it would help - but do you see fewer people clicking random shit? Me neither: "Ugg click attachment for dancing hamsters, now Ugg virus, halp!" is still the prevalent vector, two decades later.
What if they click the link, run the downloaded invoice.EXE, and enter their password when prompted? At a certain point, the user needs to be educated enough to avoid this.
Because when you run content in executables, in the case of ransomware it's usually Word macros or js files, those programs run with your user rights, which have read/write permissions for your files. Now you lose your files and you expect the IT department to fix everything for you, instead of doing what the IT department says or using common sense.
Funny how that works. You want all the power but none of the responsibility. This is like saying "Why can't I drink bleach, stop criticizing me doctors!"
>It's a friggin email and data transfer
and guns are just tubes which throw lead around, but I certainly don't want to be on the receiving end of one. What's your point? It's incredible to me how many people refuse to believe we live in a world of risk when it comes to information technology and it's not all fun and games.
Word disabled macros by default. You can set JS and MHT files to open with something harmless (like notepad) instead of being executed too. We don't have to let "executable" files execute if we don't want them to. There's no reason to take the decision away from the user by default.
Agreed. We took the name "e-mail" from regular mail. There has only been one case in history of everyone being told to be careful about opening their mail: the anthrax threat. Still remember a bunch of mail arriving with very brittle paper and burnt edges...
So, the big mistake was to use a real world analog in naming e-mail. We should have called it:
"Russian roulette with packages* anonymously tossed by strangers in your direction".
The analogy is broken and creates cognitive dissonance in users.
* Re: data vs. executable: the analogy could be for letter vs. package. A box is big enough to contain a mechanism for action unlike most letters.
One of the things that I personally think is "data" is "software", and I believe that all data should be something that is able to be transferred via e-mail. A sufficient set of random clicks from an e-mail currently can--and in my world view absolutely should be able to--lead to arbitrary code execution without any form of security vulnerability.
The sets Arbitrary code execution and Security vulnerability have a significant overlap; and much of the decision "do I want the program to do what it's about to do?" is in the eye of the user (e.g. the excellent tools by Nir Sofer could be used for Good or for Evil: "Does the user actually want to list their WiFi network passwords, or is this an evil code the user was tricked into running?" The code has no way of deciding.).
However, I see some hope in https://www.qubes-os.org/ - alas, setting it up is not quite as convenient as "meh, open everything everywhere to everyone."
I'm surprised by how carefully the worm seems to be coded. They make sure they have an internet connection, they check for disk space in order not to run out while encrypting, they save a backup copy of the "tasksched" executable before replacing it, they shut down databases (I assume in order to prevent corruption?) etc...
I guess they want to make sure the decryption process will work without any issue so that the victim will be more likely to pay other ransoms or spread word of mouth that it does actually work.
I wish all software devs were as thorough as these people...
I would guess the shutdown of apps is not of good intent, rather to release file locks so they can delete the unencrypted database and exchange files.
1. New address per machine (easier to detect payments made, hides profit total.)
2. Deterministic wallet stores all profit in a simple 12 word seed "password."
3. Phone numbers directly to bitcoin vendors. (people running insecure systems love phones.)
4. Phone number to tech support company that bills your credit card to walk you through paying the ransom.
5. Delayed symptoms. Secretly encrypt backups (windows efs might be able to do it nonobviously) Then once all your backups are secretly encrypted, it encrypts the key, and now you can't use backups to save yourself.
6. Advertise affiliated antivirus (I hear this is what cloudflare does by hosting bad actors, they inflate their demand from protection from bad actors, just a rumor though.)
7. Infect a friend. Get a discount on your ransom if you infect a friend and they pay.
It doesn't seem reasonable that 300k infections = less than 1 in 1000 payments. Are people's files really so worthless, or bitcoin really so hard, or people so untrusting of unencrypt? I imagine they could have sold their 0 day idea for more money to a whitehat perhaps? Maybe more generalized bug bounties could be deployed to offer financial incentive to harden systems and be non evil.
I don't know a single person who would pay upwards of $300 to get their files back if they got hit with ransomware. Hell, I've got something like 10 years of personal files on my machine and I wouldn't pay that much for them. I would bet a lot more people would be willing to pay if the fee was more like $50. That takes it out of the category of 'a lot of money for computer files' for a lot of people and puts it in the category of 'minor inconvenience'.
I sometimes fix friends' & older family members' computers as a favor and I've noticed that they usually don't really have any files anyway. I always make a backup before reformatting them and usually it includes their bookmarks and maybe 2-3 random files scattered in their 'Documents' folder, none of which are important. Their machines are more like just gateways to the internet than anything.
Through machine moves over the years I'm sure I have multiple copies of the most important ones anyway (keys, etc). If not, oh well, life goes on. Shoulda made backups in the first place if they were that important to me.
> Their machines are more like just gateways to the internet than anything.
I've been in the same boat and how absolutely right you are. Generally everything they do online is tied to their webmail-based, ISP-supplied email address too, making for a total nightmare when they want/need to change ISP.
Sounds like it would be more profitable to just lock out the device than encrypt the files, for its internet browsing value may exceed its file storage value.
Hmm, I'd certainly consider it, mostly based on not wanting to deal with the consequences of formatting the machine and starting again (installing programs, setting up various settings/configuration options, etc.)
If I got ransomwared I would definitely reformat the drive and reinstall the OS. There's no telling what kind of malware garbage they leave behind. Seems like it would make a lot of sense for the criminal to add you to their botnet, even after decrypting your files.
This is a good point I hadn't really considered - for the massive attacks typically there are pretty thorough write-ups about exactly what it does, etc., so maybe that is reassurance enough.
"Are people's files really so worthless, or bitcoin really so hard, or people so untrusting of unencrypt?"
I think that is a super small subset. Average people use a ton of cloud software nowadays: google docs, dropbox etc. Let alone use a desktop for anything besides work. The files they super care about (photos) are usually on their device or scattered all over facebook. Work files/computers, well they don't care about, that is some IT guy's job.
So the probability to get paid = [their ability to get bitcoin] * [inability to have it already backed up] * [value of file[s]]. That does seem like a high bar. I also don't see an IT guy convincing a corporate attorney / accountant that wiring money to obtain bitcoin is an easy feat.
I think it's funny that your real last name is Ransom. I wonder if someone's last name influences what they focus on in life. In my case, I guess not, I've punished my heart with cheeseburgers more than I care to count, hehe. Maybe I've just focused on it the wrong way.
"although you certainly can securely hand out child keys with no risk to the parent key, and you can hand out master public keys with no risk to the master private key, you cannot do both at the same time. " https://bitcoinmagazine.com/articles/deterministic-wallets-a...
I always say that visual studio 6 was the best version they ever made. At least somebody out there agrees with me.
"As noted in our attribution post last year, use of Visual Studio 6.0 is not a significant observation on its own – however, this development environment dates from 1998 and is rarely used by malware coders. Nonetheless, it has been seen repeatedly with Lazarus attacks."
1998 was still a great year in the Windows world. In 1999 the DotNet vision made lots of things kind of legacy - kind of, because despite all odds Win32 and shell32/Explorer are still thriving whereas DotNet Framework is now officially legacy tech. And UWP hasn't caught on, as mobile is a dead end for MS and their Store is incredibly bad.
True, Visual Studio was really great. And like many, one had a VS6 and VB6 install still around. Even if VS6 C++ is really outdated nowadays, it doesn't contain this spy-home feature that shipped with VS 2015 and VCredist 2015 (RTM, patch 1, patch 2). Back in the 1990s MS was a good company.
I think the OPs context for "good company" is "good company _for coders/hackers_". You can have a company behaving in an anti-trustworthy way, but their software still be _good_.
Also, their antitrust violations were due to the Windows OS and anti-competitive behaviours, if I'm not mistaken? If so, then this is not really relevant to their software or OP's post, but more their business approach of locking out competition, which is a question of legality and economics.
That averages out at $800 per infection compared to about $0.30 per infection from WannaCry. I suspect there are other factors at play here (was all the revenue from ransoms? were the target systems different? are people hardening in their resolve not to pay these ransoms?).
It's easy to find out the total. There's even a twitter bot[1] reporting it. At the moment the total is 44.98BTC = $80,925.
I'd argue ofc it's more, because there are some variations of the worm that aren't being accounted for by many yet.
Earlier reports I'd heard said that this group was unprepared or poorly prepared to handle the incoming ransom. Many of these ransomware campaigns use a fully automated mechanism to deliver keys upon payment, this group did not.
I was listening to an NPR report on this and their explanation for the low amount was that the group wasn't handing over the keys after payment. Which I guess implies people who get infected are first researching what to do before paying.
Last time I checked none of the coins were ever moved and in general ransomware earnings are not moved. They're just waiting for fungibility on Bitcoin.
Isn't it curious that folks like kim dotcom who do not hold hospitals or anyone to ransom earn global notoriety, are raided by swat teams and face the full force of the law while those that hold hospitals to ransom can operate with impunity with people reduced to tracking their bitcoin earnings on twitter.
Is it the job of the NSA and all the global security services with their overarching reach, resources and power to warn, track and disable these activities, or is it to spy on citizens?
Half or more of these activities are used by agencies to shut down or sabotage unfriendly interests and I suspect that's the only reason these shady figures are allowed to exist, treated with kid gloves, operate with near impunity and rarely see consequences. They serve as 'assets' to provide cover. Without consequences these activities will spiral.
Things like ddos ultimately benefit companies like cloudflare. And the preponderance of these kind of worms force people to move their data to the cloud or give up more control to large companies who promise security. This is a subtle form of extortion. We don't know the extortionists but we do know the beneficiaries.
This slowly but surely disempowers individuals and takes control away and shifts it to large companies.
Holding a hospital ransom whatever its security policies is a serious crime and treating it as just another hack rather than extreme criminality and blaming the victims is an extremely self serving technical perspective.
> Isn't it curious that folks like kim dotcom who do not hold hospitals or anyone to ransom earn global notoriety, are raided by swat teams and face the full face of the law while those that hold hospitals to ransom can operate with impunity with people reduced to tracking their bitcoin earnings on twitter.
It's a very classic and widespread law enforcement problem: They catch those who are easiest to catch. There's an anecdote that so beautifully displays this fallacy.
A police officer sees a drunken man intently searching the ground near a lamppost and asks him the goal of his quest. The inebriate replies that he is looking for his car keys, and the officer helps for a few minutes without success then he asks whether the man is certain that he dropped the keys near the lamppost.
“No,” is the reply, “I lost the keys somewhere across the street.” “Why look here?” asks the surprised and irritated officer. “The light is much better here,” the intoxicated man responds with aplomb.
> Isn't it curious that folks like kim dotcom who do not hold hospitals or anyone to ransom earn global notoriety, are raided by swat teams and face the full face of the law while those that hold hospitals to ransom can operate with impunity with people reduced to tracking their bitcoin earnings on twitter.
Isn't it curious that people who are known to the authorities are arrested, whereas persons unknown are not? That's your question?
Quote: "The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff."
Would it be easy to find it if the initial attack vector uses some semi-obscure torrent? Would people find out quickly?
Notable that he calls the "kill-switch" a "mistake". For example, Chrome does the same thing. When it starts it checks for some presumably non-existent domain name.
Yes, this sounds right. It has been a while since I looked at it. Is it just one name? I have a faint recollection it tried more than one.
Anyway, how is the difference significant?
A localhost cache can point at a custom root.zone. The user can make her own authoritative nameserver assignments for any given zone or domain. Zone files can contain wildcards.
Responses can also be rewritten on the fly.
The end user can exercise full control over what is and is not a "valid" domain name. She can prevent her applications from ever receiving an "NXDOMAIN" response.
Maybe I am missing something but this "test" seems brittle; it only tests ICANN DNS.
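The brittleness the comment above is getting at, shown as an added example that is not code from the worm, the article, or anyone in the thread: the check "proceed only if this name does not exist" is really a check on whoever answers the DNS query. Swap the resolver and the same function gives the opposite answer. The beacon domain below is an invented placeholder, not the real one, and the zone-file simulation is a deliberately simplified model of exact records plus `*.suffix` wildcards.

```python
"""A domain 'kill-switch' test with a pluggable resolver.

Added example for this thread, not code from WannaCry or from the article.
It reproduces only the shape of the check discussed above: look up a name
nobody is expected to own and proceed on NXDOMAIN. The beacon name is an
assumed placeholder.
"""
import socket
from typing import Callable, Dict, Optional

# A resolver returns an address string, or None to model NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Placeholder only; the real worm's domain is deliberately not reproduced here.
BEACON_DOMAIN = "example-killswitch-placeholder.invalid"


def killswitch_says_proceed(domain: str, resolve: Resolver) -> bool:
    """The logic under discussion: a resolvable beacon means 'stop' (False);
    NXDOMAIN means 'carry on' (True)."""
    return resolve(domain) is None


def system_resolver(name: str) -> Optional[str]:
    """Ask whatever resolver the OS is configured with (ICANN DNS for most hosts)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def zone_resolver(zone: Dict[str, str]) -> Resolver:
    """Model a local authoritative zone of the kind the comment describes:
    exact names plus '*.suffix' wildcards, most specific suffix wins.
    Simplified: real DNS wildcard rules (RFC 4592) have more corner cases."""
    def resolve(name: str) -> Optional[str]:
        if name in zone:
            return zone[name]
        labels = name.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in zone:
                return zone[wildcard]
        return None
    return resolve


def sinkhole_resolver(_name: str) -> Optional[str]:
    """Answer every query with an address, so the caller can never see NXDOMAIN."""
    return "192.0.2.1"  # RFC 5737 documentation address


if __name__ == "__main__":
    cases = {
        "empty zone (NXDOMAIN)":      zone_resolver({}),
        "beacon registered":          zone_resolver({BEACON_DOMAIN: "192.0.2.2"}),
        "wildcard *.invalid in zone": zone_resolver({"*.invalid": "127.0.0.1"}),
        "sinkhole everything":        sinkhole_resolver,
    }
    for label, resolver in cases.items():
        print(f"{label:28s} -> proceed={killswitch_says_proceed(BEACON_DOMAIN, resolver)}")
```

Read the four cases together: registering the name, a wildcard record in a local zone, and a sinkhole that rewrites every answer all flip the result the same way, while a host whose resolver simply never returns NXDOMAIN for anything has no way to tell the three apart. That is the sense in which the test only tests "ICANN DNS": it assumes the answer comes from the public namespace, and nothing in the check verifies that.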
Did these happenings have any effect on Windows market share? Hope somebody will blog on that too.
I hope many people have understood to not have public windows servers at least. It could most probably affect their business in the long run (Not saying that GNU/Linux is safe. But it is safer).