Essential Skills: Avoiding A King's Ransom
April 22, 2015
Editor's Note: HP 3000 managers do many jobs, work that often extends outside the MPE realm. In Essential Skills, we cover the non-3000 skillset for multi-talented MPE pros.
In a recent message on a 3000 developer mailing list, one MPE expert warned of the most common malware attack of 2015: Ransomware. "This is probably the most likely thing to happen to your computer if you click on the wrong thing today," Gavin Scott reports.
It's a nearly perfect criminal scheme.You get the malware on your system and it encrypts all files of value with a randomly generated key, and directs you to send $300 in bitcoin to them in order to get the encryption key to get your files back. It will encrypt every drive it can get access to, so a lot of people get their backups infected in the process of trying to recover. If you pay the $300, then by all reports they do give you the key, you get all your files back, and they don't bother you again. They even direct you to bitcoin ATM companies who reportedly spend much of their time these days providing technical support — to help Grandma operate the bitcoin system to pay her computer ransom.
To explain the fate of having to toss out computers in the IT shop which cannot be ransomed, we call on our security expert Steve Hardwick for some insights.
By Steve Hardwick, CISSP
In a previous article I looked at a Man in the Middle attack using SuperFish. That malware effectively bypassed the encryption built into HTTPS and so allowed Lenovo to inspect secure web traffic. There's another type of encryption hack that's becoming a serious threat: Ransomware.
In standard symmetric encryption, a key — a password — is used to scramble the information to render it undecipherable. The same key is then used to allow a valid user to convert that data back into the original data. Encryption systems ensure that anyone without a key will be unable to reconstitute the original data from encrypted data. Another key component (forgive the pun) is the password used to generate the encrypted data. If a valid user is not able to access the key, then they no longer have access to the data.
In many situations as a security professional, I've been asked how to recover encrypted data after the encryption key has been lost. Despite what TV shows depict, this is not as easy as it looks. Typical recovery of encrypted data is time consuming and costly. The first thing any security professional will say when an encryption key is lost is, "Just recover your data from your backup." But today there's a type of virus out there that uses this weakness, and can compromise backups, too.
The actions that can be performed after this attack are very limited. Cracking the encryption itself is going to be difficult at best. Perhaps the one method that can be used is to hope that the virus has been reverse-engineered, so the decryption key is found. There's one common ransomware virus, CryptoLocker, whose code has been cracked and a solution posted for victims to use for free. But you may not be so fortunate. As the time honored saying goes “The best form of defense is a good offense.” Putting provisions in place before the attack is the best way to prevent this extortion.
Here is a list of these measures:
1) Make sure the machine is backed up regularly. It is a good idea to make sure that the backup you are using cannot be compromised by the same virus. For example, some viruses are able to infect the backup as well as the source. That means storing a recent backup offline.
Ed: It's also important that your backup solution does versioning. You don't want to write over a good backup with a bunch of encrypted garbage.
2) Keep your operating system and application software up-to-date with the latest patches.
3) Do not follow unsolicited web links in email
4) Keep your anti-virus software up to date
5) Try to get Windows users not to run with Administrative privileges, which are more prone to attack.
By using these methods, not only will you be less susceptible to ransomware, you will also be less vulnerable to other problems such as other viruses, hard drive failure and loss of your machine.