Writer: How My Mom Got Hacked
HughPickens.com writes Alina Simone writes in the NYT that her mother received a ransom note on the Tuesday before Thanksgiving. "Your files are encrypted," it announced. "To get the key to decrypt files you have to pay 500 USD." If she failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC (all of her data) would be lost forever. "By the time my mom called to ask for my help, it was already Day 6 and the clock was ticking," writes Simone. "My father had already spent all week trying to convince her that losing six months of files wasn't the end of the world (she had last backed up her computer in May). It was pointless to argue with her. She had thought through all of her options; she wanted to pay." Simone found that it appears to be technologically impossible for anyone to decrypt your files once CryptoWall 2.0 has locked them and so she eventually helped her mother through the process of making a cash deposit to the Bitcoin "wallet" provided by her ransomers and she was able to decrypt her files. "From what we can tell, they almost always honor what they say because they want word to get around that they're trustworthy criminals who'll give you your files back," says Chester Wisniewski.
The peddlers of ransomware are clearly businesspeople who have skillfully tested the market with prices as low as $100 and as high as $800,000, which the city of Detroit refused to pay. They are appropriating all the tools of e-commerce and their operations are part of "a very mature, well-oiled capitalist machine" says Wisniewski. "I think they like the idea they don't have to pretend they're not criminals. By using the fact that they're criminals to scare you, it's just a lot easier on them."
When will people learn not to give in to extortion? The criminals want word to get around that they're trustworthy? How about we want word to get around that there's no point in extorting money because people don't pay up!
Backup your data, and rent "Ransom".
You should have lied. You should have written that they just stole the $500. Now, see, everybody who gets hit by them and saw your article will also feel compelled to pay them.
And yes, the first thing it does is purge all VSS (shadow copies) and encrypt data from local and mapped drives PRIOR to notifying you've been had. That malware is the only thing that stands between you and your now encrypted data. Purge the malware or slave the drive to another host, and you won't get your data back.
Let me put it to you this way. CryptoWall is very well engineered ransomware. It doesn't fuck around.
Be sure to keep a set of backups not connected to your PC/Network using the Grandfather-father-son backup scheme. Rotate media accordingly (weekly, monthly, and yearly).
Life is not for the lazy.
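The grandfather-father-son rotation recommended in the comment above, sketched as a retention planner. This is an added example, not code from the thread; the retention counts, function names, sample dates and infection date are assumptions made for illustration.

```python
from datetime import date, timedelta

# Retention counts are assumptions for this example, not values from the thread.
POLICY = {"daily": 7, "weekly": 4, "monthly": 12, "yearly": 3}

def _newest_per_bucket(dates, bucket_key, limit):
    """Newest backup in each bucket, for the `limit` most recent buckets."""
    newest = {}
    for d in sorted(dates):
        newest[bucket_key(d)] = d          # later dates overwrite earlier ones
    recent = sorted(newest)[-limit:] if limit else []
    return {newest[k] for k in recent}

def gfs_plan(dates, policy=POLICY):
    """Return ({date: tier}, prunable) for a grandfather-father-son rotation.

    A backup that qualifies for several tiers is labelled with the longest-lived
    one. Weekly, monthly and yearly media are the sets to rotate offline.
    """
    dates = set(dates)
    tiers = [
        ("yearly", lambda d: d.year),
        ("monthly", lambda d: (d.year, d.month)),
        ("weekly", lambda d: tuple(d.isocalendar())[:2]),  # (ISO year, ISO week)
        ("daily", lambda d: d),
    ]
    keep = {}
    for name, key in tiers:
        for d in _newest_per_bucket(dates, key, policy[name]):
            keep.setdefault(d, name)       # first (longest-lived) tier wins
    return keep, dates - set(keep)

def latest_clean(keep, infected_on):
    """Newest retained backup taken strictly before the files were encrypted."""
    clean = [d for d in keep if d < infected_on]
    return max(clean) if clean else None

# Constructed sample: one backup per day for 400 days ending 2015-01-04.
SAMPLE = [date(2015, 1, 4) - timedelta(days=i) for i in range(400)]

if __name__ == "__main__":
    keep, prune = gfs_plan(SAMPLE)
    for d in sorted(keep):
        print(d, keep[d])
    print("prunable:", len(prune))
    # Constructed infection date: anything backed up on or after it is suspect.
    print("restore from:", latest_clean(keep, date(2014, 12, 20)))
```

A backup taken after the encryption run only preserves encrypted files, so the restore point is chosen by infection date rather than by recency.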
Context, man!
The "Don't blame the victim" notion comes in response to this kind of (boiled down) common claim:
"It was her fault that we exploited her! It was impossible for us to choose to not exploit her. We take no responsibility for our own actions!"
Which is the way psychopaths operate. They're always blameless or their actions are 100% forgivable in their eyes.
Her ignorance and subsequent choices were on her; she could have protected herself better, but the crime is not her fault and the perps should get zero slack because of it.
Ads. Block them.
Take your average computer worm, add this profitable payload, and this makes the bad guys rich. How does this work? What exploit are they using to install the payload?
First she probably used Windows XP which has dozens of unpatched vulnerabilities which will never be patched since it is EOL. XP has no concept of user privileges outside of programs so all services run as admin for everything. Drivers too can run as hardware and it has no ASLR or ram scrambling to prevent overflow attacks or stack smashing.
Second, flash with ads and java is how these infections get in. Websites these days have over 20 ads for each tab. Hack a not stellar non Google Ad network and put a flash ad with a buffer overflow. Boom page loads and you are 0wned.
Best AV advice today is to run Adware. Even IE has support for this now! It may screw small websites but these webmasters do not respect a user's security at all PERIOD. I use Java for Android and Teamviewer so I disabled the browser plug in. I also use NortonDNS which will filter out bad domains too and it is free to setup for any pc or router.
Do these and you eliminate 90% of infections. Oh and of course I use a standard user account. I have that and an admin account which is occasionally annoying with UAC but this helps and puts in another layer of security as now the payload will need to bypass this.
http://saveie6.com/
The victim is to blame for ignorance; the criminals are to blame for maliciousness. There's enough blame for everyone.
This is pretty much the very definition of international organized crime. And it is affecting way more Americans than "terrorism".
The action of the government on this issue shows that the government is more interested in what terrorism can do for the military industrial complex than what the government can do for you.
I would really hate to have all my files encrypted and inaccessible. I'd probably just pay the $500 with much begrudge.
That being said, as soon as I would get the encryption key and get my files back, I would post everywhere that the hackers did NOT give me the key after I paid the $500.
It's kind of like game theory. If enough people do the same, then fewer people would actually pay up, or the price would drop lower, thus proving an advantage for the victims.
Posting in the damn NYT that the hackers are true to their word assures that they have credibility, and just torpedoes the strategy above. In the same way that it's valuable for them to get the word out that they are (kinda) honest, it would be valuable for the victims to get the word out that they are crooked. Being the marketing and pricing geniuses they seem to be, they would surely lower the price if they had bad publicity. So in the name of future victims, I would like to sarcastically thank you Alina for giving those fuckers ammo. They'll probably raise their price now.
I feel bad for the victims of these vile bastards, but at the same time I think that if that doesn't get them into the habit of regularly backing up their files, then NOTHING will. Also a good motivator to get the hell off Windows.
I'd rather pay $800 to a “criminal” than $5000 to a lawyer
False dilemma. In no meaningful way whatsoever is the money paid to these criminals an alternative to legal fees paid to a lawyer for a completely unrelated matter. Implying that the two payments are alternatives is idiotic.
Oh wait I forgot - you can't blame the victim ever no matter how much of a stupid fucking idiot they are!
I blame our industry for being as you put it "stupid fucking idiots". The most common attack vector for this particular malware and many like it is email attachments.
It's 2015, and anyone in the world can still send an email with file attachments to anyone using whatever FROM address they'd like without any prior trust relationship, vetting or authorization by receiver. Most mail clients let users execute it in the same security context as the user without so much as a peep.
It isn't the user's fault they don't fully understand the depths to which the technology they are using is completely broken and wholly unsuitable for purposes for which it is used by countless millions on a daily basis.
It is *our* fault for installing AV software and going back to picking our noses. *MILLIONS* of people are being exploited using the same attack vectors with malware and spyware... this business of calling everyone "fucking idiots" is getting old.
Ug. In a way, by passing on this "success" story, the writer of this article has played right in to the hands of these criminals. This is exactly the kind of press they want.
One always should assume that once their systems are infected that their files are GONE. Don't treat it any differently than a fatal hard drive crash. If you didn't have backup, then what were you going to do when your hard drive crashes anyway?
You should also question if giving these criminals money doesn't also indirectly make YOU a criminal. (And to any pedantics who might drop in to counter that: fuck you)
Anything you think you might have recovered should always be suspect. How do you really know they haven't hidden more crap elsewhere? Worse yet, you should also assume these criminals now have copies of potentially important information.
Ha ha. Yet why are people not using such things in real life compared to them using Time Machine?
Most people don't want (a) to put a whole computer drive replicated in the cloud (they would not wait for the time it took to upload 100+ GB of data), (b) bother to attach local media for backup more than every six months (as per the article), (c) have other computers they consider a backup destination.
Time Machine is something that is backing up stuff EVERY HOUR. Even better, it's versioned so when the next backup happens and the now-encrypted files get pushed to the backup, you can still recover what was encrypted before. Not all of the things you list have that property, and for the topic UNDER DISCUSSION that is key to recovery of recent, or any, data. I myself manage my own backups by cloning hard drives and keeping offsite backups, yet I also have Time Machine enabled and running and I have to say there have been several occasions where it has saved me where the other forms of backup failed.
It's such a shame that you flippantly just point out backup software exists for Windows (duh) without going into a deep discussion of why Time Machine actually works for users while it's failing many people on Windows. Then we would all learn something instead of you simply feeling momentarily clever.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
... set up an automatic backup system for all your systems, now. Every system on your network should back itself up automatically daily, not only for this possibility but for all of the platform-agnostic ones such as hardware failure.
For me the takeaway was regular manual backups to offline storage is important.
When malware has the ability to jump ship to network resources my guess is very few "automatic" solutions deployed today are capable of denying remote commands to delete or overwrite online backups. Even offsite "cloud" solutions almost always include remote administrative capability that would have the effect of rendering backup medium worthless.
Everyone is stupid.
I'm stupid. You're stupid. We're all ignorant of something.
Malice gets 100% of the blame.
To use knowledge of something to abuse and transgress against another who does not, is a crime. The only crime. And all of the blame.
Analogy: if you leave a $100 bill on your front porch, yeah, that's fucking stupid.
But someone has to go on property they have no permission to, and take something that is not theirs. That's 100% of the blame. The moral person will not steal that $100 bill. In fact, they'll ring the doorbell and educate the stupid person, that they should be careful and not leave money on their front porch.
You don't punish stupid, you educate it. You punish malice.
Unfortunately, we punish stupidity too much in this world, our anger is always in full rage and pointed at the dumb. And we let the truly malicious off, because our hate goes towards the stupid, and in the meantime, the malicious gets away. Or we have no more anger left for them.
It's some sort of fundamental weakness with human nature, that we do this: punish the stupid and ignore the malicious. When we should be educating the stupid and punishing the malicious.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Turns out, when Microsoft tried this, they really annoyed a lot of their customers and took an awful lot of stick for it. Even from people who would consider themselves fairly technical. Users don't want you to put hoops between them and what they (think they) want to do.
Typical user scenario:
Clicks malware.exe email attachment.
Email client: Email attachments of this type are dangerous. Are you sure you want to run it?
*yes*
MSE/Windows defender: Virus detected. Quarantine file?
*nah... seems legit*
Windows: Filez from teh internetz can be dangerous. Continue?
*Yes. How dare you question me Bill Gates!?!*
UAC: File malware.exe from some dude on the internet wants admin access to your computer. Allow?
*Stop getting in my way stupid computer*
Windows: Install unsigned drivers? Guidance: Basically no unless you're plugging in exotic or old hardware.
*Get the **** out of my way piece of *** I bet that *** Bill Gates thinks he knows better than me*
MSE/Windows defender: ***DEFCON1DEFCON1***
*whatevs. I need those novelty smileys and cool web search*
Malware: Mwhahahaha installs pop ups, steals bank details, encrypts files emails child pr0ns to the police etc. etc.
*Wah.... f***cking stupid Bill Gates your software's **** I hate Microsoft. Plus whenever I want to do something it asks me questions like I'm stupid and it knows better*
They hate the dialogues etc. and just click through them. Don't get me wrong I'm all for warning dialogues, but they exist already and they don't help a large proportion of "average users".
And, before some smartypants points it out, I know MS have since said that UAC was designed to annoy users to encourage developers to write apps that don't require admin privileges. A good warning system *should* be annoying though, and hopefully fairly infrequently triggered by innocent actions (as it is now that UAC has been around for a while and developers have fixed their apps (and MS have tweaked it a little)).
you do realize you yourself are stupid
and that you, many times a year, make bad mistakes that hurt you. i know this because we all do
let's assume you are a programmer, top of your field. no one can top your knowledge and wisdom. now you move into management, and you make dumbfuck mistakes 1, 2, 3 that noobs of management always make. should we make this painful for you? should we mock you?
you're starting a new job: there's a dozen things you will fuck up that your coworkers already know. are they supposed to laugh at you?
you do something in your house that creates a $2,000 repair. the plumber or contractor sees it all the time. should he yell at you?
your ignorance of your own essential weakness makes you perhaps much more stupid than the people you mock who don't know trifling technical things but have a much better attitude. you're ignorant of something that many of us realize in grade school. the irony
should i make it painful for you? should i kick you in the face for your ignorance of basic human weakness?
arrogance. hubris. and the worst kind of ignorance: prideful ignorance. that's you. you're what is wrong with the world
we all fuck up out of ignorance throughout our entire life. show some fucking humility and adjust your shitty smug attitude
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it