Story here. It seems that a large chunk of the Police Department in Maine has had its storage encrypted by ransomware. They paid the ransom in bitcoins.
I’m fairly horrified (while simultaneously not really being surprised) that their backups didn’t work.
I expect it depends on the nature of the backup. If you’ve got all your files duplicated on a DVD, or on a flash drive/external HDD that is then disconnected, your backup will probably be fine. OTOH, if you’ve got an automated backup system that’s constantly backing up the latest versions of all of your files, then your backup is probably fucked.
In the police case, the article says their backup system simply wasn’t working properly. I wonder how often this is the case, i.e. I wonder how many backup systems are waiting to let their owners down.
Where I work we have regular IT training, which includes (among other things) directives not to open mysterious email attachments from unknown parties. I haven’t heard of any coworkers causing a problem by doing so - which means either we’re all paying attention, or we’ve got better malware protection than those police departments.
An office that I work at was hit with the same ramsomware. Our network backups worked; however, some of our foolish people keep files on their PCs, instead of on network storage, so that data was lost. Plus it still took a lot of work to recover even with backups.
There were some police departments in Illinois who also paid.
This is fairly common, and I’ve heard of several police departments recently that have paid the ransom. A lot of smaller organizations either don’t have a backup system in place or have one but don’t routinely monitor and test it, so they don’t know it stopped working long ago. The people who run the ransomware are smart in that they don’t ask for a huge amount of money – usually they ask for a few hundred bucks, which seems to be the sweet spot where enough people will actually pay up. (The Invisible Hand at work, it seems.)
The ransomware folks are smart in other ways as well. Early versions of the various ransomware types out there had two main flaws. One was that they used symmetric encryption, and with luck and effort you could sometimes recover the key from the artifacts left by the malware. The other was that the ransomware deleted the original files with a typical delete command, so (again with luck and effort) you could sometimes recover the original files with forensic techniques. Newer versions of the malware use asymmetric encryption (public/private key pairs) so the decryption key is never present on the victim machine, and you have no hope of recovering it. They also use secure wiping techniques so you can’t recover the original files forensically. Pretty clever folks. Assholes, but clever.
I’m displaying my naivety in all things criminal here, but how does payment work? Surely in providing a mechanism for victims to pay, the attackers are exposing a means by which they can be tracked?
Yyayyyyyy, bitcoins - the virtual currency that only works if all holders maintain a complete record of all transactions, but can’t be used to trace any payments.
ISTR MoneyPak cards were at one point the preferred method of payment. I don’t quite understand how, but they somehow allowed for anonymity on the part of the receiver.
Bitcoin should probably be called pseudonymous rather than anonymous, but in either case, you can do a pretty good job of hiding your true identity when you make Bitcoin transactions if you are careful. See here.
The server infrastructure required to spread the malware and collect payments can be set up in a number of ways to hide the identity of those running it. The server where the victims go to make the payment and get the decryption key might be accessible only by Tor, or might itself be a compromised server that the owners do not realize is performing the function, or it might be hosted by a service that offers anonymous hosting, doesn’t keep logs, and doesn’t care what you do (see Bullet Proof Hosting). Then there are a lot of cross-border issues at play. The bad guys will often be operating from some country that isn’t particularly concerned with tracking them down and extraditing them.
So, finding and punishing the bad guys is hard. Even so, they do get caught once in a while. Spanish authorities reported catching some ransomware guys a couple years ago. But that, unfortunately, doesn’t happen too often.
We’ve had it hit a couple of faculty members. Luckily, all data is stored on the network, and we have hourly backups. We removed the virus and went back to the last good files and restored them.
BTW, Dropbox now has versioning. Which means that if this happens to your dropbox files, you can go to their website and restore a good version.
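The point made in the earlier post about constantly-syncing backups, and in this one about versioning, is that a backup which only ever holds the latest copy of each file will faithfully back up the damaged copy too. The following is an added example (not code from any poster, from Dropbox, or from any backup product) of a write-once, snapshot-based store: blobs are stored under their hash and never modified, so a later snapshot that captures clobbered files cannot disturb the earlier snapshot, and the originals can still be restored. The `VersionedStore` class and the `demo` scenario are constructed for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class VersionedStore:
    """Append-only snapshot store (hypothetical; stands in for the versioning
    a backup product or Dropbox provides). Blobs are written once under their
    hash and never changed; each snapshot is a manifest {relative path: hash}.
    A later snapshot of damaged files adds new blobs but cannot touch the blobs
    an earlier snapshot refers to."""

    def __init__(self, root):
        self.blobs = os.path.join(root, "blobs")
        self.snaps = os.path.join(root, "snapshots")
        os.makedirs(self.blobs, exist_ok=True)
        os.makedirs(self.snaps, exist_ok=True)

    def snapshot(self, src_dir):
        manifest = {}
        for dirpath, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src_dir)
                digest = sha256_file(full)
                blob = os.path.join(self.blobs, digest)
                if not os.path.exists(blob):  # de-duplicated and write-once
                    shutil.copy2(full, blob)
                manifest[rel] = digest
        snap_id = len(os.listdir(self.snaps)) + 1
        with open(os.path.join(self.snaps, f"{snap_id:04d}.json"), "w") as f:
            json.dump(manifest, f)
        return snap_id

    def restore(self, snap_id, dest_dir):
        with open(os.path.join(self.snaps, f"{snap_id:04d}.json")) as f:
            manifest = json.load(f)
        for rel, digest in manifest.items():
            target = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(self.blobs, digest), target)
            if sha256_file(target) != digest:  # verify what we restored
                raise RuntimeError(f"restored {rel} does not match its manifest hash")
        return manifest


def demo():
    """Constructed scenario: snapshot the live files, then the live copies are
    overwritten (standing in for any corruption of the working copies), a
    sync-style backup dutifully captures the bad versions, and the earlier
    snapshot still restores the originals."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        os.makedirs(os.path.join(src, "reports"))
        files = {"notes.txt": b"meeting notes\n", "reports/q1.csv": b"id,total\n1,42\n"}
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        store = VersionedStore(os.path.join(work, "store"))
        good = store.snapshot(src)
        for rel in files:  # live copies get clobbered with unrelated bytes
            with open(os.path.join(src, rel), "wb") as f:
                f.write(b"unreadable garbage\n")
        bad = store.snapshot(src)  # the sync keeps running and captures the damage
        restored_dir = os.path.join(work, "restored")
        store.restore(good, restored_dir)
        recovered = {}
        for rel in files:
            with open(os.path.join(restored_dir, rel), "rb") as f:
                recovered[rel] = f.read()
        return {"good_snapshot": good, "bad_snapshot": bad,
                "recovered": recovered, "expected": files}
```

The design choice that matters is that nothing in the store is ever rewritten in place; a mirror that overwrites yesterday's copy with today's has no such property, which is exactly why the synced-folder backups described above end up holding only the damaged files.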
I have a story of back-up failure that simply involved a major software vendor blunder, and nothing to do with deliberate malware. I was a Unix Sysadmin at a smallish tech company, 1984-1987. One day in 1985 or so, we upgraded our Vaxen from Berkeley 4.2BSD to 4.3 – This upgrade entailed a total re-design of the whole file system structure.
So we did a full back-up. Then installed the new 4.3 system. Then did a full restore from that back-up. Then ran fsck, the file system integrity checker, only to find that the restored file system was thoroughly mangled. Upon closer investigation, we found that the 4.3 restore program was unable to restore from 4.2 back-ups. Oops.
I know that usually money is the only reason to make creating these things worthwhile, but I’m surprised some prankster or anarchist hasn’t taken one of the preexisting versions of this virus, altered it so it just bricks whatever computer it’s on with no recourse, then sent it to banks or, say, police stations.
Back in the day, I used to work with municipal and county government financial accounting software. Training them on the importance of data backups was a constant nightmare. Can’t even count the number of times I’d walk into their operation and find that the server had been telling them for the last 30 or 40 days that the backup failed because of some hardware glitch. They’d just acknowledge the message and sail along! One client had to reconstruct 9 months of payroll data from paper because their backup hadn’t worked for that long.
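Several posts above describe the same failure: a backup job that has been reporting errors for weeks with nobody acting on it, or a backup that was never restore-tested (the 4.2 to 4.3 story being the extreme case). The following is an added example, not code from any poster or from any backup product, of the two checks that catch this: a monitor that reads a backup agent's job log and raises an alert when a job has no recent success or a run of failures, and a manifest comparison that turns a test restore into a pass/fail result. The log format, the job names and the log lines are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a backup agent's job log; format and messages are
# assumptions, not any real product's output.
SAMPLE_LOG = """\
2015-03-01 02:00:04 job=nightly-full status=OK bytes=48213000000
2015-03-01 03:15:00 job=offsite-weekly status=OK bytes=48213000000
2015-03-02 02:00:09 job=nightly-full status=OK bytes=48250000000
2015-03-03 02:00:02 job=nightly-full status=FAIL reason=tape_drive_io_error
2015-03-04 02:00:05 job=nightly-full status=FAIL reason=tape_drive_io_error
2015-03-05 02:00:01 job=nightly-full status=FAIL reason=tape_drive_io_error
2015-03-06 02:00:07 job=nightly-full status=FAIL reason=tape_drive_io_error
2015-03-07 01:00:00 job=workstation-sync status=FAIL reason=share_unreachable
2015-03-08 03:15:00 job=offsite-weekly status=OK bytes=48900000000
2015-03-08 04:00:00 job=db-dump status=OK bytes=2100000000
2015-03-09 04:00:00 job=db-dump status=FAIL reason=disk_full
"""

LINE_RE = re.compile(r"^(\S+ \S+) job=(\S+) status=(OK|FAIL)(?: reason=(\S+))?")


def parse_log(text):
    """Yield (timestamp, job, ok, reason) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore unrelated or truncated lines
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield when, m.group(2), m.group(3) == "OK", m.group(4)


def evaluate_backups(text, now, max_age=timedelta(days=2), fail_threshold=3):
    """Per job: last successful run, run of failures since it, and an alert flag.
    A job alerts if it has never succeeded, if its last success is older than
    max_age, or if it has failed fail_threshold or more times in a row."""
    jobs = {}
    for when, job, ok, reason in parse_log(text):
        state = jobs.setdefault(job, {"last_ok": None, "consecutive_failures": 0,
                                      "last_reason": None})
        if ok:
            state["last_ok"] = when
            state["consecutive_failures"] = 0
            state["last_reason"] = None
        else:
            state["consecutive_failures"] += 1
            state["last_reason"] = reason
    for job, state in jobs.items():
        last_ok = state["last_ok"]
        stale = last_ok is None or (now - last_ok) > max_age
        state["days_since_ok"] = None if last_ok is None else (now - last_ok).days
        state["alert"] = stale or state["consecutive_failures"] >= fail_threshold
    return jobs


def compare_manifests(expected, restored):
    """Result of a test restore: both arguments map relative path -> content hash.
    Anything missing or mismatched means the backup cannot be trusted."""
    missing = sorted(p for p in expected if p not in restored)
    mismatched = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    extra = sorted(p for p in restored if p not in expected)
    return {"missing": missing, "mismatched": mismatched, "extra": extra,
            "ok": not (missing or mismatched)}


if __name__ == "__main__":
    report = evaluate_backups(SAMPLE_LOG, now=datetime(2015, 3, 9, 5, 0, 0))
    for job, state in sorted(report.items()):
        flag = "ALERT" if state["alert"] else "ok"
        print(f"{job:18} {flag:5} last_ok={state['last_ok']} "
              f"failures={state['consecutive_failures']} reason={state['last_reason']}")
```

In the sample, `nightly-full` alerts on both rules (last success a week old, four failures in a row), `workstation-sync` alerts because it has never succeeded, and `db-dump` does not alert after a single failure the morning after a good run; the thresholds are the tunable part. The manifest comparison is the piece the 4.2/4.3 story lacked: a restore into scratch space followed by a hash comparison against the source would have shown the mangled filesystem before the old system was gone.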
Here is a pretty good article published today on the topic of this kind of extortion. It talks about a number of cases where ransomware stung various police departments and other organizations. It’s an easy and fairly low-risk way for the crooks to make money. The article notes,
Most (not all) of the time, the crooks do keep their end of the bargain and provide the key when you pay up.
The article also talks about the dilemma of the victims. In theory, you don’t want to feed the beast. But, one security consultant quoted in the article said,