Why are ransomware attacks so effective?

Another big one today.

What I don’t understand is how they can possibly work. Don’t all big companies have secure offline backups for their data? One would think it’s simply a case of switching off the systems, restoring the data, and telling the blackmailers to take a hike.

What am I missing?

That many keep files in their personal folders without uploading them to the cloud or onto corporate servers. Especially higher level white collar types who are massaging presentations and crunching numbers. They may not want their boss or co-workers seeing draft copies. These drafts can represent weeks or months of work that cannot be reproduced in time to make their deadlines/meetings. There can be hundreds of people working on things like this in any decent-sized company, so the threat of lost opportunity cost adds up quick.

There are two problems here.

The first is data recovery, proper backups can indeed help with that.

The second is disruption. If all the computers at the front desk of a hotel are infected and thus locked down and customers can no longer check in, that’s a problem on its own. Now you have to disconnect the devices from the network, wipe them and reinstall from scratch. And if you’re in a corporate environment that got infected in the first place, the re-image is probably still vulnerable, so if you put it back on the network it’ll just get reinfected. So did you not patch because you’re lazy and hadn’t gotten to it yet, or did you not patch because there’s some compatibility problem with whatever business software you’re running?

You’re missing the fact that it takes a lot of time & resources to wipe the malware from all affected computers and restore the backups. It can cripple a business or organization for many days.

Also, many small organizations and businesses don’t have secure offline backups.

Yes, at a big company with a competent IT department if you got infected with ransomware you’d just hand them your laptop and they’d wipe it and give you new one and the problem would be solved.

Oh, your files weren’t saved on the server, but your local documents folder? Well those are gone now. Oh, your IT department fucked up and now the network share files are corrupt? Oops. Oh, you’re a small company and your backups are up to you? Ooops.

Also, remember, at Competence Inc., when somehow a server gets infected, they do just restore from backup, close whatever hole let the ransomware in, and go on their way without it ever being a big media story. If it’s in the news, it’s rare.

I remember a friend of mine getting ransomware years ago so it’s not a new thing. It would encrypt his whole drive and anything attached and you could buy a key for x amount. I don’t recall the price but it wasn’t a lot, maybe $50 or something?

I’m just surprised it took this long to reach the corporate level.

It is as easy as that, for companies that have, follow, and test regularly a comprehensive backup plan. The companies and organizations that DON’T have that are the ones you hear about on TV.

The other thing, I used to work for a small startup company a couple of years ago. We regularly made tape backups, and sent the tapes to an offsite location. And blah blah blah, we had a disaster recovery plan.

Except we never executed that recovery plan to see if it would work. So while on paper we did everything right, I was not very confident that in the event that shit went down we’d actually be able to get shit back up. Probably we would?

But I was always worried that it would turn out that we’d been doing it wrong, and all our efforts were just a big waste of time because we didn’t know to set parameter foo to value bar, or some such nonsense.

Plans work when you execute the plan and figure out what went wrong, so the next time the plan will work. But if you never recover from disaster, even simulated disaster, you won’t know what you don’t know.

Even at large companies with robust IT departments, people don’t back up. Even if the company configures the system so that it should back up for the employee, says the voice of experience, something will get fucked up for whatever reason, and there won’t be a back up. Examples:

- The storage allotment is full
- The external storage is at the office and the employee is not
- The back up software doesn’t upgrade properly and the back ups stop working
- Windows pushes an update or upgrade (every week more or less) and sometimes these hose the back up software. Again, your back up has stopped working.
- The user powers off the machine every night, so the back ups don’t run
- The user has multiple systems, but IT only configured one backup profile (think programmers or product managers)

Even if none of those things happen, now you need to restore systems for 25,000-100,000 employees (or more). That’s just the end users. Starting to think about the larger systems that are also impacted makes my head hurt. There’s a reason companies often just pay - it’s more cost effective.

Apparently, the latest one should be relatively easy to fix as it doesn’t encrypt files but scrambles the boot table and MFT. Fortunately NTFS backs these up so in theory you should be able to use TestDisk to recover your data.

One of the reasons ransomware attacks are so effective is because once an infected PC is connected to a corporate network it can propagate unattended. The ransomware listens to the network for other PCs and servers that have the SMB filesharing protocol switched on. There are usually lots of these in any organisation that uses Microsoft Windows. It is often switched on by default. So one infected machine can spread right across a LAN and sometimes across a corporate WAN to other sites.

Corporate networks are rarely managed efficiently, and the guys who run the desktops and servers are often in different departments. They may even work for different companies that share the same network, and sometimes some of this work is outsourced to other companies. In large organisations the support arrangements can get very complicated, and it is rare for there to be a highly centralised administration of desktops, servers and networks. Infrastructure is regarded as an expense, an overhead, and they try to keep costs down. It only gets serious attention when it impacts the main business of the organisation.

An update: apparently the malware also encrypts files, so it’s not such an easy fix. :frowning:

A working backup plan isn’t enough. You need a good working backup plan.

If, like many people, you just have one backup copy, it may well be that you’ve backed up the encrypted files. They overwrite the previous copy and you’re as screwed as before.

One should have rolling daily backups, with one moved to long-term perhaps once a week, and then put in permanent storage perhaps once a month. That at least somewhat limits the scope of the damage even if the malware makes it to the backup. But many smaller organizations don’t go through all this trouble. If the backup plan is an external hard drive and a copy script, you may well be screwed.

Cloud backup services do help, though, since they support versioning. Not everyone is using these yet.

And that doesn’t depend on company size.
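The rolling daily/weekly/monthly scheme described above, as an added example that is not from the thread: a single overwritten copy ends up holding only encrypted files, while a rotated set still has a clean restore point. Retention counts, dates and file contents are constructed.

```python
# Added example (not from the thread): minimal rolling-backup retention,
# compared against a single overwritten copy. All dates and payloads are
# constructed; the retention counts are an assumed policy.
from datetime import date, timedelta

DAILY, WEEKLY, MONTHLY = 7, 4, 3   # snapshots kept per tier (assumed)

def tier(day):
    """A snapshot is promoted to monthly on the 1st, weekly on Sundays."""
    if day.day == 1:
        return "monthly"
    if day.weekday() == 6:
        return "weekly"
    return "daily"

def rotate(snapshots, day, payload):
    """Add the snapshot for `day`, then drop the oldest beyond each tier's count."""
    snapshots.append((day, tier(day), payload))
    for name, keep in (("daily", DAILY), ("weekly", WEEKLY), ("monthly", MONTHLY)):
        same = [s for s in snapshots if s[1] == name]
        for old in same[:-keep]:        # oldest entries past the quota
            snapshots.remove(old)
    return snapshots

def clean_restore_point(snapshots, infected_on):
    """Latest snapshot taken strictly before the malware got in, else None."""
    candidates = [s for s in snapshots if s[0] < infected_on]
    return max(candidates, key=lambda s: s[0]) if candidates else None

def simulate(rolling):
    """Back up for 60 days; files are 'ENCRYPTED' from day 45 onward."""
    start = date(2017, 5, 1)
    infected_on = start + timedelta(days=45)          # 2017-06-15
    snaps = []
    for n in range(60):
        day = start + timedelta(days=n)
        payload = "ENCRYPTED" if day >= infected_on else f"clean@{day}"
        if rolling:
            rotate(snaps, day, payload)
        else:
            snaps = [(day, "single", payload)]       # one copy, overwritten
    return clean_restore_point(snaps, infected_on)

if __name__ == "__main__":
    print("rolling:", simulate(True))    # weekly snapshot from 2017-06-11
    print("single :", simulate(False))   # None: only the encrypted copy is left
```

With rotation the newest surviving clean copy is the weekly snapshot four days before infection; the daily tier has already cycled past it, which is why the weekly and monthly tiers matter.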

My current client got hit pretty badly by WannaCry. My team includes people who are self-employed: none got hit, and in fact our computers were declared “clean and up to date” by the client’s IT review (we could’a told them that, since all of us had checked and rechecked over the weekend).

We have antivirus, antimalware, antiyounameit. We do sort-of-periodic backups to external HDDs and/or to another computer. I use different anti-everythings on the two computers, on the hypothesis that there may be some stuff one doesn’t catch but the other does.

Users from the client do things such as have an old corporate laptop they keep in a drawer and use only once a month: OS unsupported, Office version unsupported, no antianything, there is a file with macros that someone whose name they can’t even remember gave them and they haven’t moved it to their newer laptops (at least one user had four assigned company laptops), they use it once a month every month. Any unsafe computer behavior you can think of, a lot of users in this company do it. So yeah, they got hit.

This is amazingly common. Companies that make backups religiously (as a chore that the IT guys make them do) have an “event” and find out that all of their backups are corrupt, or have gone missing, or just weren’t done right in the first place. Rule of thumb is that if you are not doing periodic recovery drills, you might as well not have backups. Companies (should) pay for recoveries, not backups.

Back in '95 or '96, my coworkers thought I was nuts for doing my own backups; after all, the Boss was either making them or having someone else make them weekly.

I’d noticed that he’d change the settings whenever he felt like it, did not indicate on each tape which settings he’d used, and would rewrite old tapes. After my backups had to be used by a coworker who would have lost more than one year of work without them (he’d been deleting his local files after every weekly backup), other team members started making their own.

Beyond that, you need a tested recovery plan.

This is a good plan, but may be overkill for home use. I suggest people think about how many days’ work they are prepared to lose and use that as their baseline. For the typical home user, it doesn’t matter if she loses a week or even two, as it may only take a couple of hours to redo the work. Of course, the corollary is that if, as a home user, you’ve done a substantial amount of work, you should immediately back it up.

As it happens, I have daily backups at home thanks to Windows Server Essentials, and I do monthly offline backups of my data (which includes license keys and software install sets).

I still say the only possible ongoing method to prevent any problems is to be able to detect the encryption process and stop it before it starts. Proper backups are great, but not enough to prevent downtime and hassle.

I know the current anti-ransomware software is in its infancy, but I can only think it will get better if people use it.

I just don’t turn my computer on, anymore.