1. 19
  1.  

    1. 2

      Awesome!

    2. 3

      While I certainly wouldn’t recommend paying the ransom… I’m curious. Does paying the ransom even work?

      I thought the relevant email address to apply for the decryption key had been taken down.

      Sigh. I guess like gambling, this whole thing is a “Stupidity Tax”.

      1. 2

        It works more than 50% of the time I believe - unsure of the exact number and those things are hard to measure. But security experts do recommend paying it even if the chances are slim.

        1. 3

          i’m very curious where this information comes from. i’ve never seen anyone recommend paying these and in this case paying would do no good as the email address associated with it has been disabled.

          1. 3

            I could go and search a bunch of links, I’ve read it in various sources. FBI and law enforcement will probably advise against paying the ransom, but a practical security expert is likely to think: if your data is worth $2k and the ransom is $200, it’s worth the risk.

            There’s a well documented case (and on-going) in Korea where an entire web hosting company got taken over. Here’s a Google Translate link: https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.nayana.com%2Fbbs%2Fset_view.php%3Fb_name%3Dnotice%26w_no%3D960

            They negotiated, paid the hackers and are in the process of recovering the data.

            1. 2

              i think i’d recommend regular backups instead but i’m not a security expert. go figure.

              1. 2

                Yup, well they f’d up bad on this one.

                1. 1

                  Backups can be tricky for this, depending on how they’re set up. Many of these ransomwares try to access any backups they can and overwrite them too. Are your backups set up in such a way that a malicious admin app can’t overwrite them? Are you sure? You’re gonna need either an element of manual-ness to performing a backup, plus the ability to notice that something is going wrong, or a backup system that preserves multiple versions of files in a way that the previous versions can’t be destroyed.

                  1. 3

                    Two cloud options I’ve used, not because I have data that’s all that important, but mostly to learn how they work:

                    1. The access permissions supported by cloud-based object storage (S3, etc.) now make it fairly easy to set up a backup system where the system doing the backups can’t also wipe them. One way to do it is to grant the system only the ability to write new objects but not to delete/modify existing ones. So the backup cron job can push backup-20170628.tar.gz but can’t delete it (or previous snapshots) once it’s done so. This isn’t 100% foolproof because there is presumably still some account that can delete snapshots, and that could be compromised. But you can at least keep those credentials less widely distributed, not put them on every server that needs to be backed up.

                    2. Use a backup or cloud-storage service that keeps a fixed set of snapshots that the service itself rotates, using credentials you don’t have access to at all. For example, rsync.net takes and rotates daily and weekly ZFS snapshots on a fixed schedule.
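The write-only arrangement in option 1 above, as an added example that is not the commenter's or any vendor's code: an IAM-style policy for the backup job (bucket name is a constructed placeholder) and a deliberately minimal evaluator that models only IAM's explicit-deny-beats-allow rule, with no conditions. One caveat the comment does not spell out: `s3:PutObject` on an existing key silently overwrites it, so the policy assumes bucket versioning is already enabled, and its Deny statements then stop the job from purging old versions or switching versioning off.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-backups"  # constructed placeholder bucket ARN

# Backup cron job credentials: may create objects and list the bucket, nothing else.
# Assumes versioning is on, so a PutObject to an existing key adds a version rather
# than destroying the previous one; the explicit Deny guards the version history.
BACKUP_WRITER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
                    "s3:DeleteBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

def _matches(patterns, value):
    # IAM-style wildcard match ("*" and "?") over one pattern or a list of them
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in pats)

def is_allowed(policy, action, resource):
    """Minimal IAM decision: a matching Deny wins, else a matching Allow, else deny."""
    decision = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision

def backup_job_capabilities(policy, key="backup-20170628.tar.gz"):
    """What a compromised backup host holding these credentials could do."""
    obj = f"{BUCKET}/{key}"
    return {
        "can_upload": is_allowed(policy, "s3:PutObject", obj),
        "can_delete": is_allowed(policy, "s3:DeleteObject", obj),
        "can_purge_versions": is_allowed(policy, "s3:DeleteObjectVersion", obj),
        "can_disable_versioning": is_allowed(policy, "s3:PutBucketVersioning", BUCKET),
    }
```

Run the real policy through the IAM policy simulator before trusting it; this evaluator exists only to make the intended privilege boundary explicit.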

        2. 3

          I’m honestly surprised that it’s so little… I know $8,000 is a lot of money in many places, but given the scale of these attacks I’d have thought a lot more money would have been raised. It must be incredibly tempting to pay - $300 in Bitcoin is nothing compared to the scale of the disruption some companies are experiencing. Hell, if I was CTO in one of the big firms I’d be getting some Bitcoin ready for some future attack where it turns out that paying the ransom is the only real option.

          1. 2

            If a CTO’s reaction was to get Bitcoin ready for some future attack then that CTO should be fired - backups, regular system maintenance, planning and testing disaster recovery would all mitigate this form of attack.

            1. 3

              The idea that a CTO can effectively enforce that mandate seems deeply confused to me.

              What size organisations are you working with?

              1. 5

                If a CTO cannot ensure that the disaster recovery or business continuity processes work - then in my opinion that CTO has failed, both in their duty to the organisation and in their role as a leader.

                I have worked at big and small organisations both in the public and private sectors, and worked with both outstanding and incompetent CTOs. As a leader you are setting the standard that those who work for you will follow.

                1. 2

                  I agree 100% with @fcbsd on this - DR and BCP are key activities that any CTO must be responsible for.

                  @danielrheath - can you give us more detail on why you think the idea is deeply confused?

                  1. 2

                    At a company with 1500-ish developers and 1000+ in house systems.

                    In a system that size, the CTO can set expectations, but should assume something will be missed. Having a few grand of BTC handy seems like a perfectly reasonable call in case something goes badly wrong.

                    1. 1

                      A CTO should be responsible for DR? Are you sure you don’t mean CIO? A CTO should be able to raise the issues with their counterparts and a CTO making sure that DR is implemented is certainly appropriate but I don’t understand why they would be responsible for it.

                      1. 1

                        Yes, fair point - DR, et al. is the CIO’s responsibility (certainly from an operational perspective), rather than the CTO’s (assuming the CIO role exists and it hasn’t all been folded into a single CTO role).

                2. 1

                  Well that’s a good point too. I don’t know, I think BTC will have some use no matter what. I guess it might be good to have it anyway.

                3. 1

                  Yup, good thinking. I agree it’s little, but I guess they didn’t want to price out the general public. Smarter thing to build in would be to have it analyse how many computers the code can see on the network and price it dynamically, accordingly.

                  1. 1

                    That would make it expensive for students, sitting in a library full of laptops.

                    1. 1

                      True

                4. 3

                  Everybody already knows the solution for these kinds of problems: backups. :-)

                  1. 1

                    Ok, so I haven’t been paying attention to blockchains… so help me here…

                    • If some largish number of btc addresses are known.
                    • the blockchain is a (long) list of btc address A paid btc address B X amount.
                    • You could create a graph of this and find the ransomware address in the graph.
                    • The inflows are innocent schmucks.
                    • The outflows is the arsehole spending his ill gotten gains.
                    • If the outflow graph touches any publicly known btc address you can start detective leg work to work your way back to ransomware arsehole.

                    ie. Watching inflows isn’t the interesting bit. It’s the outflows.

                    Or am I completely missing something?
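The inflow/outflow idea sketched above, as an added example that is not the commenter's code: a constructed, tiny ledger (made-up address labels, amounts in hundredths of a coin) is turned into a directed graph, and a breadth-first walk follows outflows from the ransom address until it reaches an address with a public attribution. Real chains add UTXO accounting, mixers and cross-currency exchange trades that this deliberately ignores.

```python
from collections import deque

# Constructed ledger: (from_address, to_address, amount in hundredths of a coin)
LEDGER = [
    ("victim1", "ransom", 10),
    ("victim2", "ransom", 10),
    ("victim3", "ransom", 10),
    ("ransom", "hop1", 20),
    ("ransom", "hop2", 10),
    ("hop1", "hop3", 20),
    ("hop3", "exchangeA_deposit", 20),
    ("hop2", "coldwallet", 10),
]

# Constructed attribution list: addresses publicly tied to a named service
KNOWN_ADDRESSES = {"exchangeA_deposit": "Exchange A", "exchangeB_deposit": "Exchange B"}

def build_graph(ledger):
    """Directed adjacency in both directions: outflows (who X paid) and inflows (who paid X)."""
    outflows, inflows = {}, {}
    for src, dst, amt in ledger:
        outflows.setdefault(src, []).append((dst, amt))
        inflows.setdefault(dst, []).append((src, amt))
    return outflows, inflows

def trace_outflows(outflows, start, known, max_hops=10):
    """BFS forward from `start`; record the first path that reaches each known address."""
    hits = {}
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt, _amt in outflows.get(addr, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt in known:
                hits[nxt] = (known[nxt], new_path)
            queue.append((nxt, new_path))
    return hits

def summarize(ledger, ransom_addr, known):
    """Inflows give victim count and total paid; outflows give the leads worth following."""
    outflows, inflows = build_graph(ledger)
    payers = inflows.get(ransom_addr, [])
    return {"payers": len(payers), "total_in": sum(a for _s, a in payers),
            "reached": trace_outflows(outflows, ransom_addr, known)}
```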

                    1. 1

                      Yes, you can. The outflows are often complex graphs through difficult jurisdictions though, and it’s hard to know when an exchange trade was between different currencies.

                      1. 1

                        I think some of those difficult jurisdictions are a trifle irritated with this bloke at the moment… so they might be a bit more helpful than usual. :-)