Slashdot Mirror


Ransomware Making a Comeback

snydeq writes "Ransomware is back. After a hiatus of more than two years, a variant of the GpCode program has again been released, kidnapping victims' data and demanding $120 for its return, InfoWorld reports. 'Like the ransomware programs before it, GpCode encrypts a victim's files and then demands payment for the decryption key. The new version of GpCode — labeled GpCode.AX by security firm Kaspersky — comes with a bit more nastiness than previous attempts. The program overwrites files with the encrypted data, causing total loss of the original data, and uses stronger crypto algorithms — RSA-1024 and AES-256 — to scramble the information.'"

37 of 202 comments

  1. Backups by coerciblegerm · · Score: 5, Insightful

    Simple solution: Back up your data. In other news, make sure you patch software and operating system vulnerabilities and don't run executables from unknown sources.

    1. Re:Backups by Rob+Kaper · · Score: 2, Insightful

      And mark your existing backups read-only. Although that might require an OS which wouldn't run this malware anyway.

    2. Re:Backups by Anonymous Coward · · Score: 2, Insightful

      If your backups are simply on the same machine that you're backing up, you're missing at least 1/2 the point.

    3. Re:Backups by txoof · · Score: 4, Interesting

      Whenever I see family/friends/co-workers using external drives for "backup" I have to repress the urge to launch into a lecture on the absurdity of relying on a local, always mounted backup.

      WesternDigital and all the other purveyors of external hard disks should be ashamed of themselves for promoting their products as a reasonable backup solution. The ONLY kind of calamity that such devices protect you from is accidental deletion or hardware failure. An external drive provides absolutely no protection from any kind of malicious attack or catastrophic disaster (flood, fire, theft). The only real backup solution is an off-site backup. Considering how cheap Amazon S3 is, off-site backups are finally a real solution for the average person.

      Apple's Time Machine and Fly Back is a step in the right direction, but without a real off-site backup solution kiss your data goodbye, because when it falls into a river of molten rock, man, it's gone.

      --
      This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
    4. Re:Backups by black_lbi · · Score: 5, Funny

      because when it falls into a river of molten rock, man, it's gone.

      Sounds like you learned that from experience. One of the cons of maintaining the data center for Sauron, huh? Hope the pay is good, at least.

    5. Re:Backups by Anonymous Coward · · Score: 5, Insightful

      I hate to break it to ya buddy, but accidental deletion and hardware failure make up 100% of my data loss causes. Shocking, I know. You see, some people actually do patch their software and ensure their OS is up to date, and some people don't run executables from strange places.

      Mounted, active storage is perfectly acceptable for backing up all but the absolute most critical of data.

    6. Re:Backups by wvmarle · · Score: 2

      Exactly.

      It makes me wonder how these kinds of scams still work, I mean everyone is backing up their data on off-line media, right? Right? Oh, wait...

    7. Re:Backups by wvmarle · · Score: 4, Insightful

      My data set is about 40 GB (gzipped).

      Amazon et al., while cheap, off-site and probably pretty secure, would require encryption at least. I don't want unencrypted data there. Makes it a bit more cumbersome.

      The killer is going to be the upload. I've 2 Mbit up, uploading my data set to Amazon would saturate my pipe for about 55 hours straight. And that's a show stopper.

      I'm slowly looking for 64GB USB drives. They exist but the local shop has only 32 GB, so have to look further. That's a much easier solution than Amazon.

    8. Re:Backups by ArsenneLupin · · Score: 4, Insightful

      Whenever I see family/friends/co-workers using external drives for "backup" I have to repress the urge to launch into a lecture on the absurdity of relying on a local, always mounted backup.

      You know, malware is not the only threat to data. There's also hard disk failures, and human error. "Always-mounted" external disks protect against both.

      WesternDigital and all the other purveyors of external hard disks should be ashamed of themselves for promoting their products as a reasonable backup solution.

      ... and even if you are concerned about "always mounted" being vulnerable to malware, you can always keep your drive securely stashed away, and only connect it once a week to do your backup.

      The ONLY kind of calamity that such devices protect you from is accidental deletion or hardware failure.

      Which is already quite useful. Even though we like to scoff at windows users, most malware is not interested in trashing user's data, and anti-virus programs still manage to catch most malware (if one is installed).

      ...or catastrophic disaster (flood, fire, theft).

      ... which are quite rare compared to the more usual failure modes (hard disk failures, or accidentally deleted the wrong files).

      Considering how cheap Amazon S3 is, off-site backups are finally a real solution for the average person.

      You've got to trust Amazon to respect the privacy of your data.

    9. Re:Backups by the_womble · · Score: 2

      If your PC gets stolen or destroyed and you have a backup on an external hard drive that is stored safely off-site, how are you not protected?

    10. Re:Backups by aclarke · · Score: 2

      It seems to me that you're making far too big of a deal of the time to upload your files. I currently back up about 175GB to Amazon S3 via Jungledisk, and I only have a 600kbps uplink. Granted I did a lot of the initial backup from a client's office with a 10Mbps uplink, but that was also 3 years ago and I've been keeping the backup current from my home internet connection ever since.

      Jungledisk uses differential copying, so once you have your original data up there it only needs to copy the changed parts of a file. It's very likely that once your data is backed up for the first time you'll never notice the slowdown on your internet connection. You'll be able to pretty much back up all your data within a weekend. I fail to see what the problem is here. It took me probably a month, but JungleDisk handled it just fine. And, it's backed up off-site now.

    11. Re:Backups by LordSnooty · · Score: 2

      The ONLY kind of calamity that such devices protect you from is accidental deletion or hardware failure.

      Fortunately these are by FAR the most common data loss ailments that will hit your average clueless user. Off-site is just overkill for most. Fire is not something that most people experience in their lives. A hard disk crash, however, is. And accidental deletion most certainly is.

    12. Re:Backups by Cato · · Score: 4, Informative

      Antiviruses catch only a declining percentage of malware, so you can't rely on them - see http://en.wikipedia.org/wiki/Antivirus_software#Effectiveness which shows that even in 2007 the average percentage caught was about 50%. Various independent tests confirm this, particularly for zero-day viruses (i.e. you must rely on heuristics in the AV product, not signatures). In 2007, 23% of infected PCs had up to date antivirus: http://www.pandasecurity.com/infected_or_not/ and http://www.pandasecurity.com/infected_or_not/panda_security_research/

      Even when there is coverage for a specific virus/trojan, highly polymorphic ones are often not caught - for example the Zeus banking trojan, which steals from bank accounts while hiding the illicit transactions and resulting balance from the user, is missed in 77% of cases - http://www.darkreading.com/security/article/220000718/index.html

    13. Re:Backups by txoof · · Score: 2

      How does that work with incremental backups, though? Does that mean if you have 50GB of encrypted data, you would need to upload the entire 50GB every time you change a single file?

      Jungledisk can do file level encryption on the fly. This probably isn't a great solution if you're dealing with something like 50GB truecrypt volumes.

      Some S3 clients (jungledisk) can send up only the changed parts of files. Of course, if a huge chunk of the 50G has changed, then you're boned. If you are regularly changing huge files of that kind, then another backup solution is probably better suited for you than S3. Either that, or a really fast connection.

      --
      This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
    14. Re:Backups by aclarke · · Score: 2

      Jungledisk will encrypt your files on your computer, with your private key. Your private key never gets sent to Jungledisk, so I believe that answers your first concern.

      I'm just not sure if Jungledisk can do differential updates when you're encrypting your files. I am not using their latest products so I'm not sure. A lot of the data I'm storing is just my iPhoto library so I am not encrypting that. That's the only potential problem I see for you, if you are changing large files very often and the differential copy is incompatible with encryption.

      Jungledisk has very extensive archiving features. They've thought of that already.

      Dropbox is also a good solution that might do everything you need. I mean this in a good way, but you want what a lot of people want, which means that there are several companies who provide it.
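
txoof's question above (does a changed byte force a re-upload of the whole encrypted file?) and aclarke's reply (differential copy may or may not survive client-side encryption) can be made concrete. The following Python is an added example written for this page; it is not code from the thread, from Jungledisk or from any real backup client. It models three ways of storing the same file and counts how many blocks an rsync-style client would have to re-send after a one-byte change. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for AES so the script needs only the standard library; the 4 KiB block size, the sample file and the key are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 4096      # constructed: small fixed block size so the demo stays readable
NONCE_LEN = 16


def split(data: bytes) -> list:
    """Cut a file into fixed-size blocks, the unit an rsync-style client compares."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def manifest(blobs: list) -> list:
    """Digest per stored blob; the client keeps this for the copy already on the server."""
    return [hashlib.sha256(b).hexdigest() for b in blobs]


def blobs_to_upload(stored: list, current: list) -> int:
    """Blobs whose digest changed or did not exist before: what must be re-sent."""
    return sum(1 for i, d in enumerate(current) if i >= len(stored) or stored[i] != d)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Stands in for AES-CTR so the script
    needs only the standard library; it is for illustration, not for protecting data."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; calling it again with the same nonce decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def encrypt_whole_file(key: bytes, data: bytes) -> bytes:
    """Whole-file encryption with a fresh random nonce per run (nonce kept in metadata,
    omitted here). Correct, but every ciphertext block changes on every run."""
    return toy_encrypt(key, os.urandom(NONCE_LEN), data)


def encrypt_per_block(key: bytes, data: bytes) -> list:
    """Convergent per-block encryption: the nonce is an HMAC of the block's plaintext,
    so an unchanged block encrypts to the same bytes on the next run and a changed one
    gets a new nonce (no keystream reuse). Each stored blob is nonce || ciphertext.
    Caveat: the server can see which blocks changed and which blocks repeat."""
    blobs = []
    for block in split(data):
        nonce = hmac.new(key, b"block-nonce" + block, hashlib.sha256).digest()[:NONCE_LEN]
        blobs.append(nonce + toy_encrypt(key, nonce, block))
    return blobs


def decrypt_per_block(key: bytes, blobs: list) -> bytes:
    """Reverse of encrypt_per_block: read the stored nonce, strip the keystream."""
    return b"".join(toy_encrypt(key, b[:NONCE_LEN], b[NONCE_LEN:]) for b in blobs)


def demo() -> tuple:
    """Constructed 40 KiB file (10 blocks); one byte in block 4 changes between runs.
    Returns blobs re-sent for (plaintext, whole-file encryption, per-block encryption)."""
    key = hashlib.sha256(b"constructed demo key").digest()
    original = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(1280))
    modified = bytearray(original)
    modified[20000] ^= 0xFF
    modified = bytes(modified)

    plain = blobs_to_upload(manifest(split(original)), manifest(split(modified)))
    whole = blobs_to_upload(manifest(split(encrypt_whole_file(key, original))),
                            manifest(split(encrypt_whole_file(key, modified))))
    per_block = blobs_to_upload(manifest(encrypt_per_block(key, original)),
                                manifest(encrypt_per_block(key, modified)))
    assert decrypt_per_block(key, encrypt_per_block(key, modified)) == modified
    return plain, whole, per_block


if __name__ == "__main__":
    print("blocks re-sent (plain, whole-file, per-block):", demo())  # (1, 10, 1)
```

The plaintext and per-block runs re-send one block; the whole-file run re-sends all ten, because a fresh nonce changes every byte of ciphertext. That is the trade-off behind the thread's uncertainty: a client that encrypts per block keeps differential copy working at the cost of telling the server which blocks changed, while a 50 GB encrypted volume treated as one file goes up in full whenever it changes.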

    15. Re:Backups by walshy007 · · Score: 2

      Just make the key the md5sum or sha1sum or whatever, of whichever bit length you need, of a common passphrase you will always remember.

      If you lose it, you can recreate what it was on a new machine with common checksum tools.
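
The recipe in the comment above (key = a checksum of a memorable passphrase, truncated to the cipher's key length) is easy to reproduce with common tools, which is its attraction. The Python below is an added example for this page, not the commenter's code or any backup product's; it implements that recipe next to a salted, iterated key derivation (PBKDF2-HMAC-SHA256) so the difference in what has to be kept and in per-guess cost is visible. The iteration count and passphrase are constructed demo values.

```python
import hashlib
import os


def key_from_raw_hash(passphrase: str, bits: int, algorithm: str = "sha256") -> bytes:
    """The commenter's recipe: hash the passphrase with a checksum tool's algorithm
    (md5sum, sha1sum, sha256sum) and keep as many bits as the cipher needs.
    Reproducible on any machine with the same tools; nothing but the phrase to keep."""
    digest = hashlib.new(algorithm, passphrase.encode("utf-8")).digest()
    if bits % 8 or bits // 8 > len(digest):
        raise ValueError(f"{algorithm} yields {len(digest) * 8} bits; cannot supply {bits}")
    return digest[:bits // 8]


def key_from_pbkdf2(passphrase: str, salt: bytes, bits: int, iterations: int = 100_000) -> bytes:
    """Hardened variant: salted, iterated KDF. The salt is not secret and must be stored
    with the backup; the iteration count (demo value) makes each passphrase guess cost
    `iterations` hashes instead of one."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations,
                               dklen=bits // 8)


def compare_recipes(passphrase: str, bits: int = 256) -> dict:
    """Behaviour of both recipes for two users who happen to pick the same phrase."""
    raw_user_a = key_from_raw_hash(passphrase, bits)
    raw_user_b = key_from_raw_hash(passphrase, bits)
    salt_a, salt_b = os.urandom(16), os.urandom(16)   # one fresh salt per user/backup set
    kdf_user_a = key_from_pbkdf2(passphrase, salt_a, bits)
    kdf_user_b = key_from_pbkdf2(passphrase, salt_b, bits)
    return {
        "key_bytes": len(raw_user_a),
        # Same phrase, same key for everyone: a single precomputed table covers all users.
        "raw_same_phrase_same_key": raw_user_a == raw_user_b,
        # Salt separates users with the same phrase; precomputation no longer helps.
        "kdf_same_phrase_same_key": kdf_user_a == kdf_user_b,
        # Still reproducible on a new machine, provided the (non-secret) salt was kept.
        "kdf_reproducible_with_salt": key_from_pbkdf2(passphrase, salt_a, bits) == kdf_user_a,
    }


if __name__ == "__main__":
    print(key_from_raw_hash("eleventeen", 256).hex())             # what the commenter keeps
    print(key_from_raw_hash("eleventeen", 128, "md5").hex())      # md5 can only give 128 bits
    print(compare_recipes("eleventeen"))
```

Both recipes survive losing the machine; the salted one additionally needs the salt written down next to the backup. What the raw-hash recipe cannot offer is resistance to guessing: a passphrase guess is verified with one hash, and identical phrases yield identical keys for every user, which is why the truncation to a short key length (md5 for a 128-bit cipher) does nothing to raise the attacker's cost beyond the strength of the phrase itself.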

  2. My... by MrQuacker · · Score: 2

    You sure have some nice data here. Would be a shame if something were to happen to it now wouldn't it?

  3. Encryption by flyingfsck · · Score: 3, Funny

    All my data is already encrypted you insensitive clod!

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:Encryption by Opportunist · · Score: 2

      But we'll encrypt it again for you! For free!

      (What's really scary is that I am tempted now to write ransomware that displays that and an "I agree" button, and only actually encrypts and locks the user out if he clicks that "I agree" button. Just to see how many morons will fall for it)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Alright, bring back the Slot Machines of DOS! by Anonymous Coward · · Score: 5, Funny

    I remember back when I was running MSDOS 5, and at first Bootup it cut to a screen with a Slot Machine that said it was a Virus holding my MBR and File Allocation Table ransom until I get such and such combination after I pull the Arm. It also said if I tried to turn-off the computer, then all my data is already gone unless I got the sequence in this game to restore my MBR and FAT.

    Needless to say, I left the computer on all day and drove to my grandmother's Insanitarium/Old-Folk's home and said I didn't come visit these past 10 years because I've always given her bad luck and now I need her more than ever. She stopped taking her pills, said goodbye to the trees and bushes and pigeons as I walked her to my car, and upon arriving at my desk she knew exactly what to do: she pulled out her vial of lipstick, puckered some on her mouth, and gave the computer screen a kiss. She was insane again.

    Fuck you Slot Machine! I pulled the Arm, and I won back my MBR and FAT. I told my grandmother she could walk back home, and so I gave her $10 to buy some cigarettes and lunch, and I and her Retired-Living Facility have never seen her since.

  5. Ok, a question or two by Weaselmancer · · Score: 5, Interesting

    The whole point of these malware authors is to ransom data for cash, right?

    How the hell do they get paid? And if that is an answerable question, that brings question number two.

    Why the hell can't the law find them?

    There would be a money trail of some sort. The money has to go from victim to the criminal. That is traceable.

    Isn't this really just a gigantic "kick me" sign?

    --
    Weaselmancer
    rediculous.
    1. Re:Ok, a question or two by Anonymous Coward · · Score: 2, Insightful

      If the money ends up going to a country like Somalia what are you going to do?

      Ask for the Somali government's help to get your 100 bucks back?

      Good luck with that.

    2. Re:Ok, a question or two by igreaterthanu · · Score: 2

      Just an example method of payment: there are exchanges from PayPal US$ to BitCoin (and back). It would be easy enough to set this up to ask for credit card details and automate the payment; funds could then be converted back into real money (anonymously) at a later date.

      Although I doubt that they are smart enough to do this.

      --
      I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.
    3. Re:Ok, a question or two by ArsenneLupin · · Score: 3, Insightful

      How the hell do they get paid?

      ... and this is the Achilles heel of just about every ransom ploy. Most kidnappings for ransom fail at the "money handover" stage.

    4. Re:Ok, a question or two by QuantumG · · Score: 2

      Suckers. Usually there are money mules who transfer the money around... sometimes they're given the job of buying goods and sending those goods to someone else who sells them, etc, etc. It's all traditional money laundering techniques being done by "work from home" saps.

      --
      How we know is more important than what we know.
    5. Re:Ok, a question or two by aix+tom · · Score: 2

      I could imagine (but I usually over-estimate people's intelligence) that the virus might also look for the presence of the right content.

      Someone might be reluctant to go to the police with "Officer, Officer, someone encrypted my 100MB of important business data and my 600GB collection of pirated movies and illegal stuff!!!!!"

    6. Re:Ok, a question or two by imsabbel · · Score: 2

      I can tell you an example: I was the victim of credit card fraud a couple of years ago (I think it was skimmed at a parking lot accepting credit cards as a pass).

      I went to the police after an unauthorized payment was made.
      They came back to me a few months later with what happened: somebody in Germany got the credit card data from somebody in California to buy stuff to be delivered to Moscow (1 Playstation and a Gameboy). I never understood how such a transaction was accepted for payment with credit card... The woman in Germany stated to the police that she was doing one of those "easy money from home! Just need a computer and an account!" jobs, getting lists of what to buy for whom.

      Same concept here: get a few idiots that take the fall, lose a part of the money in the process, but be clean at the end.
      Just as in that case: The value was too low for anybody really to have consequences.

      --
      HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
    7. Re:Ok, a question or two by rsmith-mac · · Score: 2

      While Western Union doesn't cover Somalia, it does cover practically everywhere else. Nigeria (or most of sub-Saharan Africa for that matter) is a good place to get lost.

    8. Re:Ok, a question or two by Monkeedude1212 · · Score: 3, Informative

      Ok, great. I'm like the guys in Office Space who don't know how to launder money.

      So. Wanna illuminate me or are you satisfied with being merely cryptic?

      The thing is that most of these sites will ransom you for your credit card info to make the payment; it's almost never just the amount they claim that they want to steal from you.

      So you go to their website and enter the info. They return your data. They go and they use your credit card to make a deposit to a paypal account that they've hacked - it's not actually one of theirs, it's an unsuspecting victim's. They run the money through a couple of those, whose purchasing history is actually protected so the cops need a warrant to search through it - which will often just put the wrong person under suspicion.

      Eventually they run it to an account outside of the US's Jurisdiction.

  6. Re:Preemptive strike by underqualified · · Score: 2

    That last AVG update encrypts your whole OS.

  7. No data is actually encrypted..... by Skellbasher · · Score: 5, Informative

    Fortinet did an analysis of this. http://blog.fortinet.com/all-your-drives-are-belong-to-us/ It simply backs up the partition table and rewrites the MBR. It's fixable without paying the ransom.

    1. Re:No data is actually encrypted..... by jonwil · · Score: 2

      TFA says it's a new variant of this virus (which means it may actually encrypt the data)

  8. Fixable possibly, but be careful anyway... by SuperKendall · · Score: 4, Interesting

    I'd feel a little better about the proposed solution (let a disk utility recover the partitions) if they had actually tried a disk utility to see if it could in fact find the partitions and restore them. It does seem like it should work... and copying that thing back by hand is not a task I'd take on lightly with anyone's data but my own.

    Also wouldn't the thing that messed up the MBR in the first place still be in your Windows installation? I didn't see that they tried to boot from that drive after repairing the MBR. It could be the ransomware is just waiting for you to reboot and will do something nasty if you've not entered the password. It seems like even after a recovery you should take the drive to a different system and back it up immediately before you tried to boot from it again, but they do not mention that.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
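
Skellbasher's summary of the Fortinet analysis (the partition table is backed up and the MBR rewritten) and SuperKendall's caution about trusting a hand-restored table both come down to reading one 512-byte sector correctly. The Python below is an added example for this page, not code from Fortinet, the thread or any disk utility; it parses a classic MBR, refuses one whose 0x55AA boot signature is gone, and runs the consistency checks a practitioner would want before booting from a recovered table. The sample MBR, its two partitions and the disk size are constructed test input.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                    # four 16-byte entries occupy bytes 446..509
ENTRY = struct.Struct("<B3sB3sII")    # status, CHS start, type, CHS end, start LBA, sector count
SIGNATURE = b"\x55\xaa"               # bytes 510..511 of a valid MBR


def build_sample_mbr(partitions, bootstrap: bytes = b"") -> bytes:
    """Constructed helper: assemble an MBR from (bootable, type, start_lba, sectors) tuples.
    Used only to create test input; a real check reads sector 0 of a disk image."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootstrap)] = bootstrap
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        ENTRY.pack_into(mbr, TABLE_OFFSET + 16 * i,
                        0x80 if bootable else 0x00, b"\xff\xff\xff",   # CHS fields unused here
                        ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR, or raise if the sector
    lacks the boot signature (the first thing an overwritten MBR loses)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("no 0x55AA boot signature; partition table cannot be trusted")
    entries = []
    for i in range(4):
        status, _, ptype, _, start, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        if ptype == 0x00:
            continue                  # empty slot
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start, "sectors": count})
    return entries


def is_valid_mbr(sector: bytes) -> bool:
    """True when the sector carries a boot signature and parses as a partition table."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def check_table(entries: list, disk_sectors: int) -> list:
    """Checks to apply before trusting a restored table: every partition lies within the
    disk, none overlap, at most one is flagged bootable. Returns human-readable problems."""
    problems = []
    if sum(e["bootable"] for e in entries) > 1:
        problems.append("more than one bootable partition")
    ordered = sorted(entries, key=lambda e: e["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            problems.append(f"slot {a['slot']} overlaps slot {b['slot']}")
    for e in entries:
        if e["sectors"] == 0 or e["start_lba"] + e["sectors"] > disk_sectors:
            problems.append(f"slot {e['slot']} is empty or extends past the end of the disk")
    return problems


if __name__ == "__main__":
    disk_sectors = 1_000_000          # constructed: a ~488 MiB disk
    good = build_sample_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 400000)])
    clobbered = bytearray(good)
    clobbered[510:512] = b"\x00\x00"  # signature gone, as after an overwritten sector 0
    print("good table:", parse_mbr(good), check_table(parse_mbr(good), disk_sectors))
    print("clobbered sector valid?", is_valid_mbr(bytes(clobbered)))
```

Run against a disk image, the first two checks tell you whether the partition table in sector 0 is still there at all; the third is what separates "the tool found something that looks like a table" from "this table describes the disk", which is the assurance SuperKendall asks for before booting from a repaired drive.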
  9. 1) 2) 2) -- They can't count to three by PatPending · · Score: 3, Funny

    Funny how these crooks can write ransomware but they can't count to three: 1) 2) 2)

    --
    What one fool can do, another can. (Ancient Simian Proverb)
  10. Re:chanel bags 2011 by ikkonoishi · · Score: 2

    Maybe it could rot13 the text of the comment, and then have a javascript autotranslate on click thing. That way it would be worthless for SEO type stuff.

    If it got any positive mods whatsoever it wouldn't do it to avoid it being used as a "I disagree" option on otherwise decent posts.

  11. Who would trust them? by kasperd · · Score: 3, Insightful

    Who would actually trust those people to give access to the data after receiving payment? What is the most profitable thing to do after somebody has paid? Give them their data back, or demand more money? Granted, very few people would be stupid enough to pay twice. But even if one person would fall for that, it would mean more money to them. And people are more likely to pay more money if they can make it look like the sucker was just unlucky and they didn't intentionally fail to give the data back. For example, make the browser crash at the point where it "should" have shown the password.

    --
    Do you care about the security of your wireless mouse?
    1. Re:Who would trust them? by Opportunist · · Score: 3, Insightful

      Unless word gets out that you don't get your data back after paying.

      And this is the internet. The first thing people will do after this happens is painting it all across facebook and twitter.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.