Be prepared against ransomware viruses..

[mouser]

I got a call a couple of days ago from a relative in a panic -- all of their documents, images, etc. suddenly had new random file extensions and could not be opened.  Did I know what had happened and how to fix it?

Unfortunately it was all too obvious what had happened and there was no easy fix.

They had fallen victim to a ransomware virus -- some variant of CBT, and the only real way to recover the files was to pay the criminals (they wanted ~ $600 USD) to provide a password to decrypt the files.

What made this attack particularly damaging is that this relative, who is pretty computer savvy and a heavy pc user, had a bunch of additional hard drives connected to the pc -- a few backup drives, some download archive drives, etc.

And the virus encrypted everything on all drives. Ouch.


And that's what brings me to this post.

Many of us who perform frequent backups may get lazy and leave our backup drives (with backup drive images, document backups, etc.) connect for prolonged periods.

This is a huge risk when it comes to things like viruses/trojans/ransomware.

While there are lots of things you can do to protect yourself from being attacked, one thing all of us who regularly make backups should do is keep external backup drives DISCONNECTED except when being used to update our backups.

[x16wda]

...and at today's prices, it's nice if you can rotate between an on site and off site copy (if you can, for example, leave a backup drive at the office or at your storage unit  )

[tomos]

... there are lots of things you can do to protect yourself from being attacked ...

-mouser (June 26, 2015, 06:48 PM)

anyone got tips there?

A year of two ago, I got rid of one of the more basic ransomware viruses for a friend (it didnt encrypt any files). He had one of the better rated antivirus security suites installed but it wasnt able to stop it.
Afterwards I uninstalled Java from my desktop pc as a security measure - but have lately reinstalled it.

The tip of keeping external HDDs disconnected is a good one, and easy to do.

[IainB]

@mouser: What virus and/or malware protection did your relative have on his/her PC?

[TaoPhoenix]

... there are lots of things you can do to protect yourself from being attacked ...

-mouser (June 26, 2015, 06:48 PM)

anyone got tips there?

A year of two ago, I got rid of one of the more basic ransomware viruses for a friend (it didnt encrypt any files). He had one of the better rated antivirus security suites installed but it wasnt able to stop it.
Afterwards I uninstalled Java from my desktop pc as a security measure - but have lately reinstalled it.

The tip of keeping external HDDs disconnected is a good one, and easy to do.

-tomos (June 27, 2015, 06:01 AM)

People keep saying they "uninstall Java", but then when I do stuff like that now and then (I can't remember very many specific examples at the moment) specific things say they need Java, so I have to put it back.

My fuzzy memory is suggesting that Netflix needs it... (?)

The alternate version of the tip I tried to use was to disable Java, but then months later couldn't figure out why something wasn't working, and forgot that until some sleuthing with a guy figured it out and we turned it back on. (But it was "silent non-working errors, with no clear clues).

[tomos]

People keep saying they "uninstall Java", but then when I do stuff like that now and then (I can't remember very many specific examples at the moment) specific things say they need Java, so I have to put it back.

-TaoPhoenix (June 27, 2015, 07:29 AM)

I lasted a long time without it - but had the same experience: eventually something needed it, so I reinstalled it. (Here's where I wish I kept a  record of changes made to the system - and why they were made: I already cant remember why I reinstalled it... :-/ )

[SeraphimLabs]

My only encounter with it thus far it came in as an email attachment. A fake PDF that was actually executable and would install malware.

Though in my case I would have survived it just fine. It would have of course encrypted the main network shares on the server, but backups of those shares are taken daily via rsync to another box and then only offered up as read-only so if I need to retrieve something I can.

Still hard to believe anyone would actually send a payment, but a lot of people would have no clue what to do about it and wouldn't want to lose their stuff.

...whoever wrote malware like this should be executed by firing squad.

[TaoPhoenix]

I got a call a couple of days ago from a relative in a panic -- all of their documents, images, etc. suddenly had new random file extensions and could not be opened.  Did I know what had happened and how to fix it?

Unfortunately it was all too obvious what had happened and there was no easy fix.

-mouser (June 26, 2015, 06:48 PM)

Hmm, you're pretty accurate so something here is intriguing me. Only the file extensions changed!? So MouserRulez.txt becomes MouserRulez.zzx? Was the content still there, so if you as a test manually changed it back, it would reappear?

Clearly that's not practical manually, but it was a test. Because if that's all the prog did, I'm thinking something like a Directory Read would have a complete list of every file including the file names, and you could run a program/script just to switch them all back.

However, if what it really means was that it's "encrypted for real, and just happens to have a new file ext", then back to your main point.

As the arms race is getting worse, it's making me wonder if there's ever room for really sideways low-tek additional aids, (certainly only a third line level defense!), using odd tricks that the run of the mill malware programs might not catch. The funniest one I ever did was eons ago when I renamed a file called by a virus to pull up MS Notepad! : )

So translated to this, I wonder if there's a really simple way to save all your files in an unusual fashion that the computer can read quite easily normally, but then the malware virus can't find them properly and tanks.

[ewemoa]

While there are lots of things you can do to protect yourself from being attacked, one thing all of us who regularly make backups should do is keep external backup drives DISCONNECTED except when being used to update our backups.

-mouser (June 26, 2015, 06:48 PM)

I like to keep more than one set of backups (so at any time there is at least one set offline) -- though one set is older than the other.

Perhaps it would also be good to verify that the just-made backups are sound -- and possibly on a different machine (but for many set-ups, may be that's not so practical).  Non-restorable backups don't seem so useful...

After backing up, I disconnect the source drive (so it's now a backup) and start using the drive that's just been backed up to.

[Giampy]

A personal additional note.
There are not ransomware only: I also fear the theft of my computer and its peripherals. This is why I do backups even in USB keys and then I wear them when I leave my house. I feel me rather safe from ransomware and thieves too.
(an alternative is the "cloud" of course, but I don't like it)

[mouser]

Only the file extensions changed!? So MouserRulez.txt becomes MouserRulez.zzx? Was the content still there, so if you as a test manually changed it back, it would reappear?

no no. the extension change is just a symptom, the actual file contents are strongly encrypted -- so there is no way to retrieve the contents without being told (by paying the culprit) the secure passphrase used.

For more information see http://www.2-viruses...rypt-encrypted-files

[Stoic Joker]

I wonder if there's a really simple way to save all your files in an unusual fashion that the computer can read quite easily normally, but then the malware virus can't find them properly and tanks.

-TaoPhoenix (June 27, 2015, 07:37 AM)

Run an automated backup that uses a UNC path to a hidden network share, that you user account does not have file/share permission to access. Run the backup job (it's just a scheduled task) under the context of an account that can access said share.


Side note: Wasn't there a thread here just recently about a new group of Crypo Virus rescue utilities?

[xtabber]

There is some frequently updated information on the Microsoft Malware Protection Center about ransomware, including which types are currently most active and recommendations about dealing with certain specific ones.

Some of the older ransomware can be defeated, although most of the newer ones cannot. Nonetheless, before panicking, you should try to find out as much as possible about exactly what you are dealing with and follow up on any information you can get about it.

[xtabber]

I wonder if there's a really simple way to save all your files in an unusual fashion that the computer can read quite easily normally, but then the malware virus can't find them properly and tanks.

-TaoPhoenix (June 27, 2015, 07:37 AM)

Cryptoware cannot encrypt everything since that would simply disable the victim's computer. Instead, it targets specific file types that are associated with documents, media and other data.

All the cryptoware I am aware of uses file extensions to determine the files it will encrypt, which means there is in fact a simple way to protect most data:

Use 7-Zip, RAR, or some such program to create an encrypted archive of the files you want to protect, then change the extension to something not likely to be targeted.   Cryptoware will not target .exe or .dll files since that might disable the system, but something like .cryptic is likely to be just as good.  The archive should be in some format like rar or 7z that provides good security and is less likely than zip to be identifiable by a header scan, if the bad guys get a little more ambitious about identifying data.

[TaoPhoenix]

I wonder if there's a really simple way to save all your files in an unusual fashion that the computer can read quite easily normally, but then the malware virus can't find them properly and tanks.

-TaoPhoenix (June 27, 2015, 07:37 AM)

Cryptoware cannot encrypt everything since that would simply disable the victim's computer. Instead, it targets specific file types that are associated with documents, media and other data.

All the cryptoware I am aware of uses file extensions to determine the files it will encrypt, which means there is in fact a simple way to protect most data:

Use 7-Zip, RAR, or some such program to create an encrypted archive of the files you want to protect, then change the extension to something not likely to be targeted.   Cryptoware will not target .exe or .dll files since that might disable the system, but something like .cryptic is likely to be just as good.  The archive should be in some format like rar or 7z that provides good security and is less likely than zip to be identifiable by a header scan, if the bad guys get a little more ambitious about identifying data.

-xtabber (June 27, 2015, 11:12 AM)

This is close to what I was after, as a part.

To me an interesting next step is a plugin for something (if not Word, what about LibreOffice or something?) that just chains the compression utility into the native "save" command of the software, so maybe with a few more seconds, your document is always saved and loaded from compressed form?

[mouser]

Does anyone know of any mainstream security software that uses a "honeypot" approach of watching for certain files being modified?  i.e. which tries to catch these kinds of ransomware evils by catching and killing them as soon as they try to modify a document that the security software knows should never be changed/deleted.

[x16wda]

Does anyone know of any mainstream security software that uses a "honeypot" approach of watching for certain files being modified?

-mouser (June 27, 2015, 01:22 PM)

Our largest client got hit several times with Cryptowall, and another one got hit on a large file server -- that took over 24 hours to encrypt. After I thought about that, I sprinkled several test files (jpg, doc & xls) with known checksums in various places in the shares, and wrote a script to look for flag files (HOW_DECRYPT etc) and compare the checksums. If it finds any flag files or modified honeypot files, it looks at the owner of the flag files (since that's whose box is doing it) and spits out emails to get the box pulled and start remediation.

Mainstream stuff ought to be watching file creation, and as soon as it sees a flag file created it should shut down the remote client and start ringing alarm bells.

[TaoPhoenix]

Are there any fast global checks? Like are the ransomed files renamed to some bizarre file extension, or just ".zip" (that happens not to be unzippable)? So then you could put a list of all sane file extensions somewhere, and then some kind of deep background process that says "hey, if you find yourself creating anything evil, stop all activity and holler"?

[Giampy]

With regard to the last comments: what you ask is just what any antivirus should do...

[TaoPhoenix]

With regard to the last comments: what you ask is just what any antivirus should do...

-Giampy (June 27, 2015, 02:12 PM)

So maybe I walked into that one! But in a bit of odd logic, since this thing happens and the AV's aren't working, I was wondering if a low level script could help, unless the malware hijacks the file creation registry first or something?

In some ways I'm thinking of things like a Rootkit Revealer upside down, where that takes some kind of raw dump of whatever bypassing normal Windows thingies, (which is how rootkits get to hide), and hopefully it would notice a malware performing similar nasty tricks when the script checks in and goes "hey! user! you were fine an hour ago! What did you do?"

[x16wda]

Hey, you need to keep in mind that encrypting a file is a valid process. All you're doing is changing a file's contents. You could pull up a jpeg in an image editor and change it from a blue cast to a green cast, or edit your copy of the works of e e cummings and change it to ALL UPPER CASE or something. That's all that's happening. Heck, I encrypt files regularly -- the only difference is that I know the encryption key.

The more recent Cryptowall variants that I have seen are sneakier now - they don't always select every eligible file to encrypt. They also set the last-changed time stamp back to the file's original time stamp, so you can't tell from that what files were affected. Maybe that could be a clue to a/v software that something is amiss.

[IainB]

@mouser: Are you able to answer this? It would be interesting to know what defences the virus had got through.

@mouser: What virus and/or malware protection did your relative have on his/her PC?

-IainB (June 27, 2015, 07:05 AM)

[IainB]

In the DOS OS, I recall using an excellent file manager/explorer called Lotus Magellan. From memory, one of the functions it had which I tried out but rarely used was to calculate and record the CRC (Cyclic Redundancy Check) value for important files that you wanted to preserve. You could then periodically run a check to see whether the CRC value had changed (i.e., if the file contents had been changed).

In a modern OS, in the case of a virus that encrypts a file but leaves the file name/extension unchanged, you could have a report that tells you when specified data filenames/types have the CRC (or other checksum) changed.
In the case of a virus that encrypts a file and changes the filename/extension, you could have a report that tells you when the old file name/extension is changed or if it "disappears" (i.e., is renamed in some way or deleted).

Some kind of monitor/logging/warning like that seems like it might be useful for data file security. I don't know whether that is a common practice though. For example, the OS can object strongly if specific system file types are touched in any way, so it might be happening at a system-file level.

[TaoPhoenix]

That too is something like what I was pondering Iain. Elsewhere it was a good point that AV programs are supposed to catch certain things, but your theme is an example of that "backchannel backup" because the malware shouldn't know to look for that file and fool the report etc.

As regards to "encrypting is a valid process", what if you took a whitelisted approach? Variations on things like "the only valid files able to be worked with right now are in this X folder, and are copies. No change of any kind is allowed to any other document files".

Then you summarize the contents of all other documents in a second folder, so then the comp can just do something like a 5 step check ultra fast all the time, maybe once a second? The second (literally!) it finds problems, then it goes into lockdown mode.

Comments?

Silly coda:
Other than "corp programs have to be boring, programmers can't have fun anymore", there's no reason you can't just invent a whole new kind of document file! bit-merge it onto the back of a picture of Baby Cody riding in Mouser's car and call it a BCC file!
 

[Edvard]

My mother-in-law got one of these.  Fortunately, I found the hijacked files shuffled away in an archive somewhere with the file extensions removed.  A little sleuthing and I got all that restored.  It was a little harder to restore the "My Documents" folder, Start Menu items, default icons, etc.  Whatever it was really went to town...
The clincher is, when I explained to her what probably happened, she suddenly knew, in startling detail how ransomware works and how the ransomware people con you.  

My MIL is kinda funny sometimes...