Author Topic: Ransomware is about to get a lot worse, by holding your operating system hostage  (Read 5450 times)


Offline SZonian

  • Strike without warning
  • Hero Member
  • *****
  • Posts: 3,710
  • 415th Nightstalker
The threat of ransomware has grown at an unprecedented rate, rising from being a menace to becoming by far the most common form of malware delivered to victims by cyberattackers.

In the space of a year, ransomware appears to have evolved on from the simple but effective strategy of locking down the files of infected targets until they pay a ransom, to incorporating additional malicious elements, such as stealing personal or financial data from the victim's system.

While the success of ransomware demonstrates there are plenty of victims who'll pay cybercriminals in order to get their files back, there are also schemes such as No More Ransom which allow them to restore their computer without having to part with a penny.

Now cybersecurity researchers warn that new ransomware features could make life even worse for victims. Rather than just encrypting key files, ransomware could soon infect a computer to such an extent that the only two options available to the user would be to pay, or to lose access to the entire system.

[excerpted]
http://www.zdnet.com/article/ransomware-is-about-to-get-a-lot-worse-by-holding-your-operating-system-hostage/
Throwing our allegiances to political parties in the long run gave away our liberty.

Offline Sanguine

  • Hero Member
  • *****
  • Posts: 35,986
  • Gender: Female
  • Ex-member
Probably a dumb question, but if we have backups, what can they do?

Offline endicom

  • Hero Member
  • *****
  • Posts: 10,113
Probably a dumb question, but if we have backups, what can they do?


Backups are of data. If you've imaged your hard drive then you can reinstall your OS and apps. More correctly, you should be able to reinstall your OS and apps.

Offline SZonian

  • Strike without warning
  • Hero Member
  • *****
  • Posts: 3,710
  • 415th Nightstalker
Probably a dumb question, but if we have backups, what can they do?
You probably won't lose your files, but from the article:  "...variants of this type of ransomware, which is designed to modify the infected computer's Master Boot Record, the part of the system which controls the ability to boot into the operating system."

Sounds like you lose your 'puter unless you completely wipe it and start over.  FTA: "The inability to do anything with the system aside from viewing the ransomware note will only give victims two options: pay up, or have their system wiped completely."
Throwing our allegiances to political parties in the long run gave away our liberty.

Offline thackney

  • Hero Member
  • *****
  • Posts: 12,267
  • Gender: Male
Probably a dumb question, but if we have backups, what can they do?

No mini-bar for you: Luxury hotel pays up after virus locks guests out of rooms
http://www.digitaltrends.com/computing/ransomware-hotel-key-cards/
January 30, 2017

The targets for ransomware attacks continue to get stranger. Over the weekend it was reported that a luxury hotel in Austria paid about $1,600 in bitcoin to retrieve its systems. The attack had even compromised the hotel’s electronic key card network, locking guests out of their rooms.
The Romantik Seehotel Jaegerwirt hotel in Turracher Höhe, Austria, said it has been targeted numerous times by ransomware attacks, but is only going public with this information now as a warning to others....
Life is fragile, handle with prayer

Offline InHeavenThereIsNoBeer

  • Hero Member
  • *****
  • Posts: 4,127
You probably won't lose your files, but from the article:  "...variants of this type of ransomware, which is designed to modify the infected computer's Master Boot Record, the part of the system which controls the ability to boot into the operating system."

Sounds like you lose your 'puter unless you completely wipe it and start over.  FTA: "The inability to do anything with the system aside from viewing the ransomware note will only give victims two options: pay up, or have their system wiped completely."

Nah, the MBR can be overwritten anytime without affecting anything (if you know what to write, which you'll have from backup at least in Linux).  Actually, if (almost) all it did was overwrite the MBR, recovery would be a very simple process.
My avatar shows the national debt in stacks of $100 bills.  If you look very closely under the crane you can see the Statue of Liberty.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,815
Probably a dumb question, but if we have backups, what can they do?

The problem with that is that data has become so large that most backup scenarios are automated... So if the live file becomes 'infected' by way of being encrypted, the file's date is changed, which means the backup program will automatically copy the encrypted file into the backup store. The only thing presumably unaffected would be manual backups that are not network connected - Like a USB external drive that is only plugged in for backup purposes, and then disconnected again.
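
roamer_1's point above is that a date-triggered sync will faithfully copy the freshly encrypted file over the good copy in the backup store. Besides the disconnected drive he mentions, one defensive answer is a backup job that never discards the previous version and refuses to promote a change that turned a low-entropy file into near-random bytes. The Python below is an added illustration of that idea; it is not code from any poster or from the article, and the entropy threshold, file names and the SHA-256-chain stand-in for ciphertext are all constructed for the demo.

```python
import hashlib
import math
import os
import shutil
import tempfile

ENTROPY_ENCRYPTED = 7.5   # bits per byte; ciphertext sits near 8.0, text near 4-5
MIN_SIZE = 256            # entropy estimates on tiny files are meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(old: bytes, new: bytes) -> bool:
    """Flag a change only when a formerly low-entropy file became near-random."""
    if len(new) < MIN_SIZE:
        return False
    return shannon_entropy(old) < ENTROPY_ENCRYPTED <= shannon_entropy(new)


def fake_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for ransomware output (constructed; a SHA-256 chain)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def sync_file(src: str, backup_dir: str) -> str:
    """Copy src into backup_dir without ever discarding the previous version.

    Returns 'new', 'unchanged', 'versioned' or 'quarantined'.
    """
    name = os.path.basename(src)
    current = os.path.join(backup_dir, name)
    with open(src, "rb") as f:
        new = f.read()
    if not os.path.exists(current):
        with open(current, "wb") as f:
            f.write(new)
        return "new"
    with open(current, "rb") as f:
        old = f.read()
    if old == new:
        return "unchanged"
    # keep the previous version under a numbered name before anything replaces it
    n = sum(1 for p in os.listdir(backup_dir) if p.startswith(name + ".")) + 1
    shutil.copy2(current, f"{current}.v{n}")
    if looks_encrypted(old, new):
        # park the suspicious blob beside the store; the clean copy stays current
        with open(f"{current}.suspect{n}", "wb") as f:
            f.write(new)
        return "quarantined"
    with open(current, "wb") as f:
        f.write(new)
    return "versioned"


def demo() -> dict:
    """Constructed scenario: a report is backed up, edited once, then replaced by ciphertext."""
    plain = b"quarterly report: revenue 1200, costs 900\n" * 100
    edited = plain + b"note: figures unaudited\n"
    work, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    src = os.path.join(work, "report.txt")
    results = []
    for content in (plain, edited, fake_ciphertext(len(edited))):
        with open(src, "wb") as f:
            f.write(content)
        results.append(sync_file(src, backup))
    with open(os.path.join(backup, "report.txt"), "rb") as f:
        current_is_clean = f.read() == edited
    shutil.rmtree(work)
    shutil.rmtree(backup)
    return {"results": results, "current_is_clean": current_is_clean}


if __name__ == "__main__":
    print(demo())
```

The entropy test also fires when a text file is legitimately replaced by a compressed archive, so treat a "quarantined" result as an alert to look at, not proof of infection. It does nothing for a backup store the malware can reach directly over the network; the disconnected drive roamer_1 describes remains the real safeguard, and versioning only buys you the clean copies that were written before the encryption started.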


Offline Sanguine

  • Hero Member
  • *****
  • Posts: 35,986
  • Gender: Female
  • Ex-member
The problem with that is that data has become so large that most backup scenarios are automated... So if the live file becomes 'infected' by way of being encrypted, the file's date is changed, which means the backup program will automatically copy the encrypted file into the backup store. The only thing presumably unaffected would be manual backups that are not network connected - Like a USB external drive that is only plugged in for backup purposes, and then disconnected again.

That's exactly what I use.  Backup once a week and the backup is kept separate from the computer.

Offline SZonian

  • Strike without warning
  • Hero Member
  • *****
  • Posts: 3,710
  • 415th Nightstalker
Nah, the MBR can be overwritten anytime without affecting anything (if you know what to write, which you'll have from backup at least in Linux).  Actually, if (almost) all it did was overwrite the MBR, recovery would be a very simple process.
Probably for the more computer "literate" in our midst... :tongue2:

Throwing our allegiances to political parties in the long run gave away our liberty.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,815
Nah, the MBR can be overwritten anytime without affecting anything (if you know what to write, which you'll have from backup at least in Linux).  Actually, if (almost) all it did was overwrite the MBR, recovery would be a very simple process.

Unless it sets the encryption bit, or pwd protects the hdd... very few techs can fix that. I can usually crack a HDD pwd, but I still don't have a reliable means of recovering an encrypted drive.

Offline ShadowAce

  • Hero Member
  • *****
  • Posts: 157


@BikkFire @geronl @Smokin Joe @roamer_1 @Blizzardnh @markomalley @VarmintAl @Doug Loss @Unlimited @guitar4jesus
@kevindavis

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,815
That's exactly what I use.  Backup once a week and the backup is kept separate from the computer.

Good for you (in this case)- though that is uncommon anymore... and not enough, btw... Always have two chains of backup. Doing what you do AND having an automated backup to an external drive tied to your router (as an instance) might just save you... What happens if the external you use becomes corrupted or fails? Always have two.
« Last Edit: January 31, 2017, 07:43:02 pm by roamer_1 »

Offline Sanguine

  • Hero Member
  • *****
  • Posts: 35,986
  • Gender: Female
  • Ex-member
Good for you (in this case)- though that is uncommon anymore... and not enough, btw... Always have two chains of backup. Doing what you do AND having an automated backup to an external drive tied to your router (as an instance) might just save you... What happens if the external you use becomes corrupted or fails? Always have two.

Good advice; thanks.

Offline InHeavenThereIsNoBeer

  • Hero Member
  • *****
  • Posts: 4,127
Unless it sets the encryption bit, or pwd protects the hdd... very few techs can fix that. I can usually crack a HDD pwd, but I still don't have a reliable means of recovering an encrypted drive.

That's true, but, if they do anything that protects the MBR with a password, they're probably losing most of their  "customers".  Once an infected system is rebooted, if you can't access the MBR you can't get to the message about where to send your money.

Of course, if they're not after the money...
My avatar shows the national debt in stacks of $100 bills.  If you look very closely under the crane you can see the Statue of Liberty.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,815
That's true, but, if they do anything that protects the MBR with a password, they're probably losing most of their  "customers".  Once an infected system is rebooted, if you can't access the MBR you can't get to the message about where to send your money.

Of course, if they're not after the money...

It's hard to understand what the press means - their lack of expertise may lead to misunderstanding. If it is indeed only an MBR overwrite, then replacing it would be so simple that an NT rescue disk could probably do it automatically - which is saying something... Pretty easy to find the PARTS and see which one is active...

If all the bug does is set some tiny PART off the end of some drive, and direct the MBR to hand off to that PART (make it active)...

Or if it is firing itself from the MBR (a boot manager w/o choices)...

Simple things to fix.
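
Two of the posts above make the same recovery point: InHeavenThereIsNoBeer notes that the MBR can simply be rewritten from a saved copy, and roamer_1 says it is "pretty easy to find the PARTS and see which one is active". The Python below is an added example of that check, not code from any poster or from the article: it decodes a legacy 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), reports which slot carries the active flag, diffs a live sector against a known-good saved copy, and rebuilds a sector that carries the saved boot code with the current partition table. The two-partition sample disk and its placeholder boot code are constructed for the demo; nothing here touches a real device.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446        # bytes 0..445: bootstrap code the BIOS jumps into
TABLE_OFFSET = 446          # four 16-byte partition entries follow
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"     # bytes 510..511
ACTIVE_FLAG = 0x80          # status byte of the bootable ("active") entry


def parse_mbr(sector: bytes) -> dict:
    """Decode a legacy MBR: boot-code hash, partition entries and the active slot."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("boot signature 0x55AA missing; not a valid MBR")
    partitions = []
    for slot in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + slot * ENTRY_SIZE)
        partitions.append({"slot": slot, "active": status == ACTIVE_FLAG,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    active = [p["slot"] for p in partitions if p["active"]]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        # more than one active flag is itself a malformed table, so report None
        "active": active[0] if len(active) == 1 else None,
    }


def compare_to_backup(current: bytes, backup: bytes) -> list:
    """Name the regions in which the live MBR differs from a known-good saved copy."""
    diffs = []
    if current[:BOOT_CODE_SIZE] != backup[:BOOT_CODE_SIZE]:
        diffs.append("boot_code")
    if current[TABLE_OFFSET:510] != backup[TABLE_OFFSET:510]:
        diffs.append("partition_table")
    if current[510:512] != backup[510:512]:
        diffs.append("signature")
    return diffs


def restore_boot_code(current: bytes, backup: bytes) -> bytes:
    """Saved bootstrap code + live partition table + signature, returned as bytes.

    Writing the result back to the disk is deliberately left as a separate step.
    """
    return backup[:BOOT_CODE_SIZE] + current[BOOT_CODE_SIZE:510] + SIGNATURE


def make_sample_mbr(active_slot: int = 0, boot_code: bytes = b"sample-boot-code") -> bytes:
    """Constructed sample: a two-partition BIOS disk (NTFS + Linux), not a real image."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entries = [(0x07, 2048, 1_000_000), (0x83, 1_002_048, 500_000)]
    table = b""
    for slot, (ptype, lba, count) in enumerate(entries):
        status = ACTIVE_FLAG if slot == active_slot else 0x00
        table += struct.pack("<B3xB3xII", status, ptype, lba, count)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return code + table + SIGNATURE


if __name__ == "__main__":
    good = make_sample_mbr()
    tampered = b"\xff" * BOOT_CODE_SIZE + good[BOOT_CODE_SIZE:]
    print("active slot:", parse_mbr(good)["active"])
    print("differences:", compare_to_backup(tampered, good))
    print("restored == saved:", restore_boot_code(tampered, good) == good)
```

On Linux the live sector to feed `parse_mbr` is the first 512 bytes of the disk, which `dd if=/dev/sda bs=512 count=1` (or a plain read of the device file) returns; keeping that copy on the offline backup drive is what makes the comparison possible later. The check only applies to BIOS/MBR disks: a GPT disk carries a protective MBR and boots from the EFI System Partition instead, and, as roamer_1 says further down, a drive the malware has actually encrypted is a different matter entirely.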

Oceander

  • Guest
That's true, but, if they do anything that protects the MBR with a password, they're probably losing most of their  "customers".  Once an infected system is rebooted, if you can't access the MBR you can't get to the message about where to send your money.

Of course, if they're not after the money...

Drop in a custom MBR that points to a custom mini-OS that boots up and runs just enough code to provide the victim with the place to send the ransom and a field to enter the unlocking code.

Online Fishrrman

  • Hero Member
  • *****
  • Posts: 35,604
  • Gender: Male
  • Dumbest member of the forum
Over on the Mac side, "ransomware" isn't a problem -- at least, not yet.

There has been only one instance of ransomware on a Mac:
A ransomware app buried in a release of the "Transmission" bit torrent application.
It was quickly identified, and a fix was issued in a day or two.

That was some time ago.
Nothing since...

Oceander

  • Guest
Over on the Mac side, "ransomware" isn't a problem -- at least, not yet.

There has been only one instance of ransomware on a Mac:
A ransomware app buried in a release of the "Transmission" bit torrent application.
It was quickly identified, and a fix was issued in a day or two.

That was some time ago.
Nothing since...

The middle of 2016 - not so long ago - and there has been AFAIK one *nix-based ransomware that was discovered in 2015 and, allegedly, infected "tens of users".  Might want to consider linux instead of MAC if that's your primary concern.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,815
Drop in a custom MBR that points to a custom mini-OS that boots up and runs just enough code to provide the victim with the place to send the ransom and a field to enter the unlocking code.

@Oceander

Right, but if that's all it does, I can fix that in my sleep... if it is actually encrypting, that's a whole nuther matter.

Oceander

  • Guest
@Oceander

Right, but if that's all it does, I can fix that in my sleep... if it is actually encrypting, that's a whole nuther matter.

Very true.  Unfortunately, most people don't know how to do that and a significant fraction would probably pay up.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,815
Very true.  Unfortunately, most people don't know how to do that and a significant fraction would probably pay up.

But in the meantime, I'll write an automated fix, my 5 station pre-test bench will fill up, and I'll be makin bank on my $50 minimum...

 888high58888

Not that i'd wish it on anyone...

Oceander

  • Guest
But in the meantime, I'll write an automated fix, my 5 station pre-test bench will fill up, and I'll be makin bank on my $50 minimum...

 888high58888

Not that i'd wish it on anyone...

Ahhh!  The truth will out!  Perhaps you're the one who wrote this stuff!!   :silly:

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,815
Ahhh!  The truth will out!  Perhaps you're the one who wrote this stuff!!   :silly:

Actually, for a change, bugs have not been profitable... I fully expected a massive surge as Win10's exploitable code becomes discovered... but no such boom occurred, unlike every other major version change in Windows*.

*Begrudging kudos, harrumphing all the same.

Oceander

  • Guest
Actually, for a change, bugs have not been profitable... I fully expected a massive surge as Win10's exploitable code becomes discovered... but no such boom occurred, unlike every other major version change in Windows*.

*Begrudging kudos, harrumphing all the same.

I'm sure it's just a temporary vacation!

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,815
I'm sure it's just a temporary vacation!

Do you remember 2k's release?? Or XP gold through SP-2? O.M.G! Horror highway (exponentially so with no ready bootdisk available). I was buried under bugs for months, literally working around the clock to try to keep up.

This unexpected lull is well worthy of mention.