Slashdot Mirror


TeslaCrypt Isn't All That Cryptic

citpyrc writes: TeslaCrypt, the latest-and-greatest ransomware branch off of the CryptoWall family, claims to the unwitting user that his/her documents are encrypted with "a unique public key generated for this computer". This couldn't be farther from the truth. In actuality, the developers of this malware appear to have been lazy and implemented encryption using symmetric AES256 with a decryption key generated on the user's machine. If any of your machines are afflicted, Talos has developed a tool that can be used to generate the user's machine's symmetric key and decrypt all of the ransomed files.

52 comments

  1. Does it matter? by gstoddart · · Score: 4, Insightful

    Since most people who will be subject to ransomware have no way of knowing the mechanics of the encryption (or wouldn't be able to access it anyway) ... does the fact that they lied about their super secret crypto make a damned bit of difference?

    Most people would care more about blocking whatever vector for this crap is causing it instead of the technical details of the crypto.

    --
    Lost at C:>. Found at C.
    1. Re:Does it matter? by sribe · · Score: 2

      Since most people who will be subject to ransomware have no way of knowing the mechanics of the encryption (or wouldn't be able to access it anyway) ... does the fact that they lied about their super secret crypto make a damned bit of difference?

      Well... IF the tool becomes widely enough known that when a victim goes looking for some tech to help them, then it could be very useful. As opposed to real public/private key encryption, where no one could legitimately help them.

      I doubt this will happen; I doubt the tool will be utilized; but it's at least been made possible now. (And of course, new versions of the malware will keep popping up...)

    2. Re:Does it matter? by monkeyzoo · · Score: 1

      The malware authors will surely upgrade their crypto tech now. Cat and mouse game...

    3. Re:Does it matter? by Khyber · · Score: 0

      If the tool becomes widely-known the first thing that ransomware author will do is change the encryption method, if they're even half-intelligent, making the tool absolutely moot.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:Does it matter? by Kjella · · Score: 1

      Since most people who will be subject to ransomware have no way of knowing the mechanics of the encryption (or wouldn't be able to access it anyway) ... does the fact that they lied about their super secret crypto make a damned bit of difference?

      Well, I wouldn't bother to start poking at it but I would at least search online if there's a workaround if I managed to get hit with a cryptolocker. So by publicly announcing this tool a few may be helped, isn't that good enough? I didn't bother to read TFA but I imagine it came for "free" looking for the malware's infection vector/hiding techniques/C&C central/whatever so there's no reason to complain about a lucky break.

      --
      Live today, because you never know what tomorrow brings
    5. Re:Does it matter? by ledow · · Score: 5, Insightful

      Anyone with a brain:

      Would you trust the guys that infected your system, removed your access to files, ransomed the decryption key from you etc. to correctly - and perfectly - restore your untouched data?

      Because, I know I wouldn't. Not without hashes of pre-infected data that I could trust, on some untouched backup device, to compare against. And then the restoration, comparison and cleanup operation is actually worse than just restoring to pre-infection backups.

      You have to think of this. These people put a virus on your system that locked your files away. And you're "trusting" them to not only restore those files but to do so without introducing further infection vectors in the process. What's to say that their decrypt / encrypt routine isn't just a smokescreen to infect all your files with something else en-route? Or that they've not just done it to delay you realising that they now have that document you had with all your passwords in it...

      If you're victim to ransomware, there are two options:

      - You have no backups, the data wasn't important enough for a GBP50 device and you pressing the button once a month, so you've not lost anything of major value by not paying the ransom.
      - You have virtually-full, verified backups just over there anyway and would have to perform all kinds of integrity checks to ensure the ransomed data is clean.

      The option of "pay ransom" is really a sign that you've failed yourself (and your customers, if you're a business). You can't stop data exposure, but to have to pay to get your data back, that's just stupidity on your part.

      As such, blocking the infection vector is infinitely more important than anything else, and then taking a good backup on a regular basis is second on the list. Anything else is very much bottom of the list.

      What scares me most about ransomware is not the encryption, or the ransom, or the difficulty of decryption (once that data is compromised, it's gone, it's as simple as that). It's purely that it means a system-level restore of your PC / network, and that you had a hole somewhere whereby it could wreak that kind of havoc.

    6. Re:Does it matter? by Anonymous Coward · · Score: 0

      I agree. Most people would not have a clue how to fix this, even with step-by-step instructions. They are in a panic! They need their data! Oh, sh!t, taxes are due in 2 days and all my files are encrypted! How much do you want? ...

    7. Re:Does it matter? by Penguinisto · · Score: 3, Insightful

      Correction - *some* malware authors will update their kit.

      The script kiddies will continue using whatever they can find, and most malware authors will happily (and TBH, justifiably) rely on general user ignorance to get what they want.

      Consider it a parallel to those gawdawful stupid "You're about to get sued" phone scams. Everybody knows they're scams, yet enough ignorant/scared people take the bait to still make it worthwhile.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    8. Re:Does it matter? by freeze128 · · Score: 1

      The whole point of ransomware is that you PAY MONEY to get your files back. If there was any chance that the victim didn't believe that you would return all the data, then they would not pay. If one person paid the ransom and then found that not all the files were returned, or that something else was affected as you suggest, then word of mouth and rumors would spread about that particular strain of ransomware, and then NOBODY would pay the ransom.... They would all just restore from backups (which is ideally what they all should do anyway). This would seriously reduce the bad guys' income. They won't do something that would so obviously affect their bottom line.

    9. Re:Does it matter? by mlts · · Score: 4, Interesting

      It isn't that simple. Some ransomware variants will find the backup device (external hard drive, NAS share, etc.) and zero those out. In fact, if the hard disk is encrypted, malware can just zero out the locations where the volume encryption key is stored, then dismount the drive.

      Other variants will encrypt files, but will transparently allow access to them until a point in time where it zeroes out the decryption key and puts up the ransom dialog. This makes backup utilities like Mozy and Carbonite ineffective since they may not have a usable copy.

      For effective backups, one needs a backup server that pulls backups from clients, so malware cannot tamper with already stored files on the server side. However, outside of larger enterprises that use NetBackup on desktops, this isn't something that is often done. On a small scale, one can use Windows Server 2012 R2 Essentials, Retrospect, or a file share from all clients which is mounted by the backup server to copy documents off.

      One also needs to keep good backups since the scrambled files might be around for a long time without someone knowing that they were tampered with. This requires multiple backup rotations and data lifetimes (again something only really found in enterprise-grade backup programs.)

    10. Re:Does it matter? by j2.718ff · · Score: 4, Insightful

      If there was any chance that the victim didn't believe that you would return all the data, then they would not pay.

      I'm not so sure of that. As a victim, you are aware that you have about 0% chance of getting your data back if you don't pay the ransom (unless you had a good backup setup somewhere). So you pay because you believe your data is important enough to justify the risk. This is similar (though nowhere near the same level) to someone demanding a ransom because they kidnapped your child. You already are well aware that they are not trustworthy, but you really don't see an alternative.

      Now, I do agree with your other point. If news was out that people paying the ransom did not get their data back, then I'm sure a smaller percentage of victims would be paying. But some would still pay, because their data is important enough to them that they hold on to that small hope that they might get it back.

    11. Re:Does it matter? by Anonymous Coward · · Score: 2, Interesting

      Some ransomware variants will find the backup device (external hard drive, NAS share, etc.) and zero those out.

      But you contradict yourself.

      Neither an external hard drive nor a NAS share is a backup solution; it is instead nothing more than a copy.
      A client PC should not be able to reach the backup device. The backup device reaches out to the PC.

      Of course an online backup device being just another system on the LAN means if your client PC is penetrated, the attacker has network level access to the LAN just like your PC does, and could potentially exploit other non-related vulnerabilities in the backup device to take control of it as well.

      But that is why best practice is to use online backup storage (for frequent backups, bulk HD storage, and ease of access in restoring from them) combined with offline storage such as removable media used to copy the online storage.

      (Also note "online" doesn't mean on the Internet, it means a machine on your network that is always-on)

    12. Re:Does it matter? by Zontar_Thing_From_Ve · · Score: 1

      Anyone with a brain:

      Would you trust the guys that infected your system, removed your access to files, ransomed the decryption key from you etc. to correctly - and perfectly - restore your untouched data?

      Because, I know I wouldn't.

      I understand your point, but in the case of individuals, most non-techies are often too embarrassed to ask a technical person for help in such situations, so they just pay and hope for the best. In the case of businesses, I can tell you as someone who works in IT for a Fortune 500 company and has to deal with IT staff in much smaller companies on a regular basis, smaller companies often don't have the best IT people. A lot of times I see that small companies just hire whoever they can get for the bottom tier wages they pay because they don't respect the job and they would outsource it to India if they really could do so. The IT staff of such companies are just barely competent enough to deal with most ordinary situations that come up and anything out of the ordinary like this gets way out of their comfort and knowledge zone. Maybe they have backups, but to actually verify those backups? Keep hashes? Probably not on both of those.

    13. Re:Does it matter? by firewrought · · Score: 1

      Would you trust the guys that infected your system, removed your access to files, ransomed the decryption key from you etc. to correctly - and perfectly - restore your untouched data?

      Yes, I would. The original authors have (1) the most technical experience with their particular product and (2) strong financial incentive to provide a "good" extortion experience. By contrast, Talos is working from what they can reverse engineer, and they may not be aware of all variants/quirks of the malware.

      Blocking the infection vector is infinitely more important than anything else.

      They've already owned your machine with the payload of their choosing, and it's probably even self-updating. While I wouldn't exactly trust the malware folks to leave your machine clean, they already have the power to add whatever they want (whether you pay or not).

      What's to say that their decrypt / encrypt routine isn't just a smokescreen to infect all your files with something else en-route?

      Fair point, but it's more true for EXEs and DLLs than it is for Office documents and text files, so you could do some measured restoration. And again, if they've infected your machine already it would have been simpler and more successful to just silently compromise your files to begin with.

      The option of "pay ransom" is really a sign that you've failed yourself.

      That's for damn sure, but among homeowners and small business owners, how many people have the skills, time, and discipline to set up offsite, incremental, "pull" backups? And even a "pull" strategy (like mlts mentions in another comment) can be subverted if an attacker is clever enough.

      Aside for those who want to get serious about backups: here's one strategy to consider. Combine with a weekly/monthly drive swap-out to offsite location for best effect, and remember that untested backups are no backup at all.

      --
      -1, Too Many Layers Of Abstraction
    14. Re:Does it matter? by Anonymous Coward · · Score: 0

      The whole point of ransomware is that you PAY MONEY to get your files back. If there was any chance that the victim didn't believe that you would return all the data, then they would not pay. If one person paid the ransom and then found that not all the files were returned, or that something else was affected as you suggest, then word of mouth and rumors would spread about that particular strain of ransomware, and then NOBODY would pay the ransom.... They would all just restore from backups (which is ideally what they all should do anyway). This would seriously reduce the bad guys' income. They won't do something that would so obviously affect their bottom line.

      Uh, I guess you're not aware of the dozens of documented cases where the ransom was paid and the victims got nothing?

      Like this: http://www.cso.com.au/article/...

      Only feckless cowards pay ransom, and those people aren't deterred by the failure of other ransoms. They are cowards, cowards always pay the Danegeld.

    15. Re:Does it matter? by Anonymous Coward · · Score: 0

      My best practice is that I have multiple network segments. One, with my backup server running a client/server backup utility. The router ACLs allow it to touch clients and back them up... but clients are not allowed to ssh/RDP into it.

      That way, if ransomware does hit it, it is only going back to a version that isn't corrupted and calling it done.

      Another best practice is to use VDI infrastructure... be it Citrix or MS RDP. That way, data can be manipulated... but the files can't be nailed by malware, since the desktop PC is just acting like a glorified terminal.

    16. Re:Does it matter? by gstoddart · · Score: 1

      Would you trust the guys that infected your system, removed your access to files, ransomed the decryption key from you etc. to correctly - and perfectly - restore your untouched data?

      Of course I wouldn't trust them. I don't trust anybody.

      But my distrust starts at the front door, and I wouldn't have likely trusted whatever vector leads to this stuff ... because I've learned not to trust the internet at all. Or at least to not give it access to my machine and click on stuff embedded in web pages.

      But the people who find themselves in this mess have fewer options, and are apparently more likely to trust stupid random crap in the first place.

      When my parents first got on the intertubes, I sat them down and had the talk telling them the internet was full of lying, thieving bastards, and should be treated skeptically and warily, and that everything should be presumed to be a lie on behalf of crooks and assholes. On the phone, in person, and on the internet my parents are pretty damned good at spotting potential bullshit and scams -- because they listened to me.

      Oddly enough, if you start out assuming the internet is a hostile place, you don't run into as many problems.

      And yet loads of people fall for the fake Microsoft tech support calls pretty much daily, along with all of the other scams.

      What you and I would experience is very different from someone willing to believe internet ads and that people aren't primarily out there to rip you off.

      Other people will see an ad that says "click here for a chance to win something" and click on damned near anything without the barest notion that it could be a Really Fucking Stupid Idea.

      --
      Lost at C:>. Found at C.
    17. Re:Does it matter? by Anonymous Coward · · Score: 0

      As someone who has seen startups and such, there are a lot of companies out there whose mantra is "call Geek Squad" if they are a SMB, or if larger, "Call Tata or Infosys". IT is looked at as a necessary evil, like HVAC, so they call someone, and expect their stuff to work and work indefinitely, just like a building A/C unit which works until something breaks, then call the repairman in, and go on.

      A lot of smaller companies just don't want to pay the money, and they get what they pay for. An enterprise is not a home network, and oftentimes, they get someone who thinks they can set up a NAS, DMZ web server, DB server, AD, and other items just the same as they set up their XBox One and PlayStation at home. Router ACLs get in their way, so they set the darn thing wide open (iptables -F; /etc/init.d/iptables save), and allow anyone to access their NAS that has network access. Of course, basic desktop sanitation (like not running the "codec installer" when prompted by a dodgy pr0n hub, or failing to run a Web browser in a VM or sand box) doesn't happen either.

      So the SMBs get stung by ransomware, which, as with all malware written, is generally the best quality code written these days [1]. Of course, with the crummy IT people that are hired, there are no backups out there, so the only way for them to get data back is to send the ransomware makers the requested bitcoins and hope for the best.

      I have seen backups break in many ways. One example is backup software that requires a key so you can unlock it for a restore... and the key was safely stored on media... only accessible through the backup program.

      [1]: I actually dare anyone to refute that. Malware, in general, is the most robust, bug-free, and reliable code out there these days, bar none.

    18. Re:Does it matter? by mlts · · Score: 1

      You know what you are doing. Ransomware makers don't prey on the Slashdot crowd. In general, people here are well inoculated from malware, just because we tend not to run files from the Web, our Web browsers are well sandboxed (or run in a VM), and if someone calls up and demands we run software to "fix our Windows box", the response will make the caller's brain ooze out their ears.

      However, most people on the Net don't. They go to a pr0n site, and get presented with "you must download this application in order to get past this point"... download it, and get infected. Or, their browser isn't patched and some add-on gets compromised. Or, a phishing E-mail says they have a UPS package, and they need to just open the "foo.pdf .exe" file to see more details. The ones that get nailed by those are the ones that the ransomware guys know are going to pay up.

    19. Re:Does it matter? by Anonymous Coward · · Score: 0

      > Not without hashes of pre-infected data that I could trust, on some untouched backup device.

      If you have an untouched backup device I assume that the backup device contains the data (not just the hashes). If that is the case, then why bother going through the trouble of comparing hashes at all (and paying a ransom)? Just format the drive and start over, or if you are really paranoid rip out the drive and put a new one in and restore you system from the backup you have.

    20. Re:Does it matter? by wallsg · · Score: 2

      Consider it a parallel to those gawdawful stupid "You're about to get sued" phone scams. Everybody knows they're scams, yet enough ignorant/scared people take the bait to still make it worthwhile.

      It's actually beneficial to the scammers that the scams are so transparent. Those who will eventually figure it out and stop before paying any money drop out right away, leaving only the truly gullible for the scammers to devote real effort to.

    21. Re:Does it matter? by Anonymous Coward · · Score: 0

      It isn't that simple. Some ransomware variants will find the backup device (external hard drive, NAS share, etc.) and zero those out. In fact, if the hard disk is encrypted, malware can just zero out the locations where the volume encryption key is stored, then dismount the drive.

      I'll show them! I'll zero out my own data!

    22. Re:Does it matter? by retchdog · · Score: 1

      uh, since ransom malware generally isn't targeted, that doesn't make a lot of sense. the line you're referencing is that once you pay the danegeld, you never get rid of the dane.

      malware is more of a "stumbling into a pit full of spikes" thing than a "village being raided by vikings" thing.

      --
      "They were pure niggers." – Noam Chomsky
    23. Re:Does it matter? by SuricouRaven · · Score: 1

      "general user ignorance"

      It's worked for the last ten thousand years. No reason to expect it to change any time soon. Target enough people, you'll find someone who falls for it. Computers just take the leg-work out.

    24. Re:Does it matter? by Anonymous Coward · · Score: 0

      The problem with NetBackup, is it is "Net Backup", not "Net Restore"...
      I hate symantec...

    25. Re:Does it matter? by gl4ss · · Score: 1

      if the backups don't go back long enough, it doesn't matter if the backup device fetches the data or if the data is pushed to the device.

      besides, all cheap backup hd's etc with a simple button, or cheap nas backup devices, do the pushing in software on the host pc...

      --
      world was created 5 seconds before this post as it is.
    26. Re: Does it matter? by DigiShaman · · Score: 1

      MozyHome - 30 days
      MozyPro - 60 days
      Mozy Enterprise or Pro purchased from a reseller - 90 days

      Those are the retention periods FYI. And yes, I work for an MSP that resells Mozy Pro. It's not cheap, but then again neither is your data.

      --
      Life is not for the lazy.
    27. Re:Does it matter? by someoneOtherThanMe · · Score: 1

      And this is why I regularly back up my two sons!

    28. Re: Does it matter? by Anonymous Coward · · Score: 0

      Data can get corrupted and easily stay that way for more than 30-60 days. I've personally seen this, so Mozy is great for catastrophic issues (and for home users, I recommend it, as well as Mozy Pro.) But it doesn't do much against ransomware.

      One really needs four backup processes:

      1: "Oh shit" bare metal recovery. Time Machine, wbadmin, tar (since Linux has no real way of backing up a complete running system to restore bare metal. Try restoring using most programs, and you will bang into fatal LVM issues unless one periodically uses offline images), mksysb, dump, and so on.

      2: Document recovery. Some meth-head breaks into your place and steals your laptop and backup drive, your house catches fire, the machine shits during a backup rendering both the primary copy and the backup copy useless. This is what Mozy is useful for [1].

      3: Long term document backups. This is something to do every so often, and it is a different mechanism than the other two, as it is designed to deal with software that gradually corrupts files (this isn't new -- some MS-DOS viruses did this). On the UNIX side, it would be ssh-ing in, comparing hash values of files, and then doing periodic tars, as opposed to rsyncs, just so if files were silently corrupted, they can be put back. This is something that can't run on the client as stated above, but needs to come from another box. Windows Home Server used to have the ability to have daily/weekly/monthly backups, and have the ability to have different lengths of time for those (at the minimum, store monthly backups for a year or so.)

      4: Permanent offsite archives. The simplest thing is that every so often, burn some WORM media (optical for example) with the critical files on it, and stash those somewhere. This is the absolute last resort, and should be not cloud related if at all possible.

      [1]: Of course, security is a concern with Mozy, Carbonite, and any cloud backup. Even with a file key, how do we know it happily accepts a key, but doesn't actually do encryption? There have been programs in the past like this, as well as hardware devices that would password protect... but not encrypt, or if they encrypted, it was all with the same key. This is something only the individual user can judge. I personally use Mozy... but for confidential stuff, I have it back up the encrypted volume, gaining security at the cost of granularity.

    29. Re: Does it matter? by DigiShaman · · Score: 1

      Not even that complicated. If the issue is document retention against ransomware (and I've dealt with the fallout from CryptoWall 2.0, it's nasty), then what's really needed is Grandfather-Father-Son for cloud based backups. Being a reseller, I'll ask Mozy about this idea. Hopefully they bite on the idea.

      --
      Life is not for the lazy.
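As an added example (not code from the thread, from Mozy, or from any product named in it), the retention trade-off the last several comments argue about: a rolling 30/60/90-day window versus a Grandfather-Father-Son rotation when ransomware corrupts files silently for months before showing its ransom note. The snapshot schedule, the dates and the corruption date are all constructed.

```python
"""Added example, not code from the Slashdot thread or any product it names.

Compares a rolling retention window (30/60/90 days, the periods quoted for
Mozy in the thread) with a Grandfather-Father-Son (GFS) rotation against
ransomware that quietly corrupts documents long before it announces itself.
All dates, the snapshot schedule and the corruption date are constructed."""
from datetime import date, timedelta

# Constructed scenario: one snapshot per day for 400 days, and malware that
# began silently corrupting documents on 2015-01-15 but only put up its
# ransom note on TODAY, 105 days later.
TODAY = date(2015, 4, 30)
CORRUPTED_SINCE = date(2015, 1, 15)
SNAPSHOTS = [TODAY - timedelta(days=d) for d in range(400)]


def rolling_window(snapshots, today, days):
    """Consumer-style retention: keep only snapshots from the last `days` days."""
    cutoff = today - timedelta(days=days)
    return sorted(s for s in snapshots if cutoff <= s <= today)


def gfs_retention(snapshots, today, sons=7, fathers=4, grandfathers=12):
    """Grandfather-Father-Son rotation.

    Keeps the last `sons` daily snapshots, the last `fathers` weekly snapshots
    (the Sunday snapshot of each week) and the last `grandfathers` monthly
    snapshots (the first snapshot taken in each calendar month).
    """
    snaps = sorted(s for s in snapshots if s <= today)
    keep = set(snaps[-sons:])
    sundays = [s for s in snaps if s.weekday() == 6]
    keep.update(sundays[-fathers:])
    first_in_month = {}
    for s in snaps:  # ascending, so setdefault records the earliest per month
        first_in_month.setdefault((s.year, s.month), s)
    monthly = sorted(first_in_month.values())
    keep.update(monthly[-grandfathers:])
    return sorted(keep)


def clean_copies(kept, corrupted_since):
    """Snapshots that predate the corruption and are therefore still restorable."""
    return [s for s in kept if s < corrupted_since]


def compare_policies():
    """Number of clean, restorable snapshots each policy still holds at TODAY."""
    result = {}
    for days in (30, 60, 90):
        kept = rolling_window(SNAPSHOTS, TODAY, days)
        result[f"rolling-{days}d"] = len(clean_copies(kept, CORRUPTED_SINCE))
    gfs_kept = gfs_retention(SNAPSHOTS, TODAY)
    result["gfs"] = len(clean_copies(gfs_kept, CORRUPTED_SINCE))
    return result


if __name__ == "__main__":
    for policy, n in compare_policies().items():
        print(f"{policy:12s} clean copies: {n}")
    newest = max(clean_copies(gfs_retention(SNAPSHOTS, TODAY), CORRUPTED_SINCE))
    print("newest clean GFS copy:", newest)
```

With the constructed schedule every rolling window holds only corrupted snapshots, while the GFS rotation still has nine clean monthly copies, the newest from 2015-01-01.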
  2. Further from the truth by wonkey_monkey · · Score: 1

    This couldn't be farther from the truth.

    That should probably be further, but anyway, c'mon, it could be a lot further from the truth. They could have claimed to have encrypted the documents using a slice of lemon wrapped around a hamster.

    a unique public key generated for this computer

    So the only thing wrong with that sentence is the word "public," isn't it? That doesn't sound very far from the truth.

    (in fact the screenshot shows the text also says "RSA-2048")

    In actuality, the developers of this malware appear to have been lazy and implemented encryption using symmetric AES256 with a decryption key generated on the user's machine.

    Whadya mean, "decryption key"? It's the same key! That's the whole point of the story!

    --
    systemd is Roko's Basilisk.
    1. Re:Further from the truth by monkeyzoo · · Score: 5, Funny

      They could have claimed to have encrypted the documents using a slice of lemon wrapped around a hamster.

      The problem with hamster-based encryption is the animal rarely survives the XOR process.

      [Nice username.] =)

    2. Re:Further from the truth by Anonymous Coward · · Score: 2, Funny

      I encrypt everything with asymmetric ROT-13, you insensitive clod!

    3. Re:Further from the truth by jratcliffe · · Score: 5, Insightful

      The problem with hamster-based encryption is the animal rarely survives the XOR process.

      [Nice username.] =)

      Actually, that's not that hard. Getting a slice of hamster is pretty straightforward. It's unslicing the lemon that's challenging.

    4. Re:Further from the truth by Woeful+Countenance · · Score: 1

      That should be probably further, but anyway, c'mon, it could be a lot further from the truth. They could have claimed to have encrypted the documents using a slice of lemon wrapped around a hamster.

      I had exactly the same two thoughts, which probably should be frightening to both of us. Except that I thought it would be further from the truth to say they had encrypted without actually doing any encrypting at all. (I've also been reading about string theory, so now I'm trying to picture a six-dimensional Calabi-Yau hamster wrapped by a lemon slice.)

      Excessively exaggerated hyperbole is the greatest threat the human species has ever faced.

    5. Re:Further from the truth by Dr_Barnowl · · Score: 4, Insightful

      It doesn't make the right emphasis

      Should be "a symmetric key generated from details of the user's machine".

      It's a design trade-off.

      Their method means they don't have to maintain a repository of the keys that their infected machines have generated. They don't need a server receiving key transmissions, which means no server to attack, and also means their software is simpler, fewer moving parts, less to go wrong.

      Unfortunately it suffers from the same problems as consumer media DRM - the user has both the encrypted data, and everything they need to generate the decryption key, it's just the algorithm that's "private". Security through obscurity.

    6. Re:Further from the truth by Trouvist · · Score: 1

      Does this mean that the ransomware is protected by the DMCA, so by releasing this decryption tool, the researchers are circumventing the DRM protections put in place to secure the data? I realize it's during the commission of a crime, but nonetheless, is the ransomware protected?

    7. Re:Further from the truth by fishybell · · Score: 1

      I prefer to encrypt everything with RND-10: rounding each byte to the nearest base-10 number. Decryption is left as an exercise for the user.

      --
      ><));>
    8. Re:Further from the truth by Anonymous Coward · · Score: 0

      I like lemon juice with my gin. Hamster juice, not quite as much.

    9. Re:Further from the truth by Anonymous Coward · · Score: 1

      As I understand it, the Supreme Court has ruled that the DMCA's wording is specific in that breaking DRM is only illegal when the purpose of that DRM is to protect IP.

      I would suspect that the ruling likely wouldn't hold that DRM meant to protect IP that the IP owner doesn't want protected would not be illegal, but I can't be certain of that.

    10. Re: Further from the truth by Anonymous Coward · · Score: 0

      A lot of users here do not seem to know the difference between symmetric and asymmetric encryption. This article states that this ransomware uses a symmetric scheme whereby the key is stored locally on the victim PC. This is obviously an attempt to not get raided by the FBI when a savvy user runs Wireshark or TCPView and sees the remote server performing the key exchange -- this variant has no key exchange; the key is stored locally so no key needs to be transferred in order to decrypt.

  3. Yeah! For lazy Malware authors! by goochman · · Score: 1

    I predicted this when the first Instance of Cryptolocker came out. Unfortunately a new form of anti-virus will be post mortem decryption. I really don't want people to pay norton/mcafee for these kind of services (But it beats paying the bad guys)

  4. Good job, Talos! by Mirar · · Score: 4, Insightful

    Great that someone is providing tools to counter this plague...

    1. Re:Good job, Talos! by Anonymous Coward · · Score: 0

      Talos the mighty! Talos the unerring! Talos the unassailable! To you we give praise!

      Damn the malware-writing Thalmor and the cursed milk-drinking Emperor who treats with them!

  5. WE HATE VIRUS by tld-id · · Score: 0

    malware is spy. malware is ... ?

  6. Reality: small companies will pay up... by bradley13 · · Score: 1

    "The option of "pay ransom" is really a sign that you've failed yourself (and your customers, if you're a business). You can't stop data exposure, but to have to pay to get your data back, that's just stupidity on your part."

    The victims of ransomware are companies too small to have a full-up IT department. Since lots of /.ers are in the US, look at the stats on company size. The vast majority of companies have fewer than 10 employees. Those are the companies where the IT was probably set up by a friend or neighbor.

    It's all well and good to say that you should have a full backup tested and ready to go, but only larger companies actually do. At best, what a small company has is a hard-disk that some employee takes home on the weekend, which is supposed to contain a backup of all critical files. Most won't have anything beyond a local file synchronization, which the ransomware may be able to overwrite.

    Most small businesses run on a shoestring: they can't afford to pay an IT person to run a professional network for their 3 PCs and 2 laptops. Heck, one company I am currently working with has one employee using their workgroup server as their normal PC. Win-XP with full administrative rights. That's how they saved money when they started six or seven years ago, and only now - when the hardware is end-of-life - is it finally going to change.

    If there is an offsite backup, it will be days or possibly weeks old. It's certain that no one has ever actually wiped down the server and tried a full restore; they don't really know if the backup is complete (or even readable). Some critical file somewhere won't have been backed up, or they won't be able to find all the license keys, or... Figure it will take days, maybe even a couple of weeks to get the company running again. Lost time, lost business, plus the lost data (since the backup won't be current), plus paying consulting fees for an expert to do all of the work.

    Likely as not, the company will pay the ransom and hope for the best.

    --
    Enjoy life! This is not a dress rehearsal.
  7. Backups by WoodburyMan · · Score: 1

    Who cares when you have backups? I've had one family relative, and a system on my network, get infected. The first had backups of important stuff; the latter took out a few thousand folders on our network, which our backup solution recovered in an hour. We have backups daily for 8 weeks or more that can restore in as long as it takes to transfer, something around 300mbyte/s.

  8. That level of "quality" is industrial standard by gweihir · · Score: 1

    One of the things I do for a living is review use of crypto in applications. The level of understanding "TeslaCrypt" demonstrates of how to use crypto right is industrial standard. Most developers are entirely clueless about what it takes to use crypto securely. That you can now do crypto in the browser using JavaScript makes things worse, and takes the crown of incompetence from the average Java programmer. People then use all sorts of big terminology to justify their broken solutions like "secure browser sandbox" (disregarding that this one protects against something inside breaking out, not the other way round), "mini HSM" (no, a chipcard is not a "Hardware Security Module", no matter how much you wish it was), "secure tunnel isolation" (yes, nice, but if the endpoint is the actual primary attack target, that does not help at all) and the like. Whenever you stumble over such terminology, it is a pretty good bet that the thing is insecure and easily broken.

    There seems to be this delusion around among coders that using crypto magically makes you secure. That software security is a holistic thing and that even one mistake in how crypto is used can break the whole thing trivially is something not many know or understand.

    Oh, well. At least this is good for my job-security...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.