The ransomware scheme only works because the users actually get their files back and the prices are pretty reasonable for many victims. The perpetrators spend a lot of time on the ransomware and its backend. The better it works, the more people will pay. They rely on people like us to spread the word that it's not a scam, it's real and it works.
Now that I think about it: It would really damage the whole ransomware scheme if there were fake / rogue versions that won't decrypt, wouldn't it?
This wouldn't really help, because much like spam, the costs are extraordinarily asymmetric, it costs essentially nothing to infect somebody and they need 1 payout in 100000 to make it worth it.
> Come to think of it, our news sources write bigger lies every day
Unfortunately they are also cut-throat with regard to each other. The first paper that does this risks the rest of them running stories about that source scaremongering and deliberately spreading panic on behalf of [insert conspiracy theory and/or unpopular agency here].
I'm kind of amazed at the tone deafness of several comments in this thread. I get that as a larger effect, reducing the success rate of scammers hurts their business, but if I'm dealing with someone who's been hit because they weren't adequately prepared, I'm gonna recommend they pay the ransom if they want their stuff back. Because I'm trying to recommend what's best for them. People could be losing their entire family's memories for the last two decades here. (I find for many consumers, photos are their singular valuable on their PC.)
Most of us in this thread ARE adequately prepared with backups, so it's easy to forget that yeah, someone should probably value their family memories over an infinitesimal effect on the scammer business by not paying. A lot of people here seem to suggest lying to or misleading people into believing they can't get their stuff back is a solution, while ignoring that it leaves people... unable to get their stuff back.
When Transmission had an infected release a couple of months ago, I remember reading that the malware had in-progress features to encrypt Time Machine drives. It gets installed, waits a couple of days, locks up your hard drive and any backup drives that you connect, and there's nothing to do about it.
That's enough to hose 99% of users, even the ones following traditionally sufficient practices. You're only safe if you have offsite backups with drives that didn't mount to your computer recently.
> You're only safe if you have offsite backups with drives that didn't mount to your computer recently.
Or if your backup solution is—from the perspective of the computer being backed up—an append-only store. Like a box of tapes, or Tarsnap using restricted keys, or Arq pointed at a versioned S3 bucket, or a NAS exposing an iSCSI target backed by an LVM thin pool LV with automatic daily snapshots.
Sadly, as far as I know, no turn-key hardware "home backup" or "home NAS" product is in that category, though.
I've seen this in practice - the two-person business with a file server, and a NAS they backed up onto. For the size of the business, they were doing everything right.
Every time I say this, someone chimes in and says that in their office, they air gap tape drives and do all sorts of things with storage snapshots. If you're an enterprise - great. A large proportion of "two laptops" businesses have no backups at all, or a "I selectively place important things in Dropbox" setup. This team went and bought a NAS and set up backups. Good on them. It was sad to see cryptolocker take down both desktops, and all backups on the NAS.
The email he received sent him to a website with a convincing-looking download, which came up 0/55 on virustotal. He even told me he wouldn't have run an executable - but it was a Word document. It can be truly depressing to see who cryptolocker affects sometimes.
Fortunately, there do exist several inexpensive and user-friendly incremental cloud backup solutions. For a few bucks a month you can back up everything to Cloudflare or Backblaze and be fine even if your primary copy and recent backups all get hosed.
I've contemplated setting up a small home server with write-only shares for backups, but ended up not doing it because of the cost and time. If there were a reasonably priced off-the-shelf product for this, I'd recommend it to everyone I know.
On the other hand, if there were an off-the-shelf product for this, it would probably have unpatched security issues two weeks after you bought it, and if it were in common use you'd see ransomware targeting it. Tough problem to solve if you're not running and maintaining your own devices.
I suppose tarsnap or S3 would be the way to go, I'm just not that into cloud backups. Maybe it's time to get over that.
> if there were an off-the-shelf product for this, it would probably have unpatched security issues two weeks after you bought it
I'm waiting for the NAS "appliance" that's actually running CoreOS, and then just relies on running the :latest tag of some popular Docker image (and not a fork of it that they'll forget to update eventually; the original upstream image), plus a bit of config-file glue generated into a shared volume from a web-UI service running in another container. (Bonus points if the second container is only started up, for an hour at a time, when you press a button on the NAS, WPS-style.)
Such a design is essentially the same as shipping the device's OS as "firmware" with auto-updates, but for the fact that the vendor themselves isn't anywhere within the path of creating or distributing those updates. Which, in the end, makes all the difference.
> You're only safe if you have offsite backups with drives that didn't mount to your computer recently.
Or doesn't mount to the source computer(s) at all.
My active machines push backups to intermediate locations, and the true backup locations pull from there and create snapshots. Status information used to verify the backup process is passed back the other way. The active machines don't (in fact can't) authenticate with the main backups and vice versa, reducing the likelihood that someone hacking into one can easily compromise the other at the same time.
I wouldn't expect the man on the street to muck around setting this up though, but many cloud backup solutions effectively do this if they don't have an easy "delete snapshot" API call or similar. I'm surprised that the "soft offline" backup side of it isn't marketed more actively. Maybe no one thinks they can adequately explain the benefit to the man on the street without putting them off by it being a little more complicated than a simple file copy.
The problem is, the file can get locked and still be available for backup. Smart enough malware will send an encrypted version when accessed over LAN while local access is unimpeded for some time. There is a reasonable chance that your backup will end up with encrypted files. This is why you need more than one.
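The failure mode described above, a backup that faithfully stores copies that were already encrypted on the source, can be caught on the backup side by checking that each file's bytes still look like the format its extension claims. This is an added example, not code from the thread; the sample snapshot, the file names and the entropy threshold are constructed, and the helper names are hypothetical.

```python
"""Backup-side sanity check: flag files whose content no longer matches
their extension (wrong format signature, or text that looks like ciphertext)."""
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Leading bytes each format is expected to start with (real format signatures).
MAGIC = {
    ".pdf": [b"%PDF"],
    ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"], ".zip": [b"PK\x03\x04"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
TEXT_EXT = {".txt", ".csv", ".md", ".json", ".xml", ".html"}
TEXT_ENTROPY_LIMIT = 6.0  # bits/byte: prose sits around 4-5, ciphertext near 8 (constructed threshold)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_tampered(name: str, data: bytes) -> Optional[str]:
    """Return a reason if the content does not fit the extension, else None."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in MAGIC:
        if not any(data.startswith(sig) for sig in MAGIC[ext]):
            return f"header {data[:4]!r} does not match {ext}"
        return None
    if ext in TEXT_EXT:
        h = shannon_entropy(data)
        if h > TEXT_ENTROPY_LIMIT:
            return f"entropy {h:.2f} bits/byte is too high for text"
        return None
    return None  # unknown type: no opinion, so no false alarm

def scan_backup(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Run the check over a snapshot given as {name: content}; list the suspects."""
    return [(n, r) for n, d in files.items() if (r := looks_tampered(n, d)) is not None]

# Constructed sample snapshot: two intact files and three that arrived encrypted.
SAMPLE_SNAPSHOT = {
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 60,
    "notes.txt": b"Quarterly planning notes, draft 3.\n" * 4,
    "photo.jpg": bytes(range(256)),                                  # no JPEG header
    "report.docx": bytes(range(256)),                                # no ZIP header
    "notes_encrypted.txt": bytes((i * 7919 + 13) % 256 for i in range(512)),  # uniform bytes
}

if __name__ == "__main__":
    for name, reason in scan_backup(SAMPLE_SNAPSHOT):
        print(f"SUSPECT {name}: {reason}")
```

Run it against the latest snapshot before the oldest good one is pruned; a single flagged file is worth investigating, a whole tree of them means the source was encrypting when the backup ran.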
That only matters for content created after the malware was installed though, assuming the backups' snapshot interval is reasonable. The malware doesn't usually hang around very long, does it? If it's detected while it can still hide, it still has the decryption keys.
No, they (usually) work similarly to PGP/GPG, i.e. each file is encrypted with a different AES key and the AES key is encrypted with a public RSA key. The original AES key for a particular file is immediately deleted from memory after the file is encrypted and the private RSA key (needed for decrypting the AES key that is stored in the file) only ever gets delivered to the system if the ransom is paid.
Exactly, but it will never be zero. There will always be scammers trying to get rich quick on the trust users have placed in the (more) honest scammers. All organized crime has to deal with some amount of posers trying to cash in on their reputation.
Sometimes the way they keep the dishonest guys in line is by attacking others who try to get in on the scheme. Traditionally this would be breaking people's knees, and I imagine well-organized cyber crime boils down to the same thing in the end.
> ... trust users have placed in the (more) honest scammers.
> Sometimes the way they keep the dishonest guys in line is by attacking others who try to get in on the scheme.
Are you really trying to frame some extortionists/scammers as honest and some as dishonest? How about they all are criminals, extorting money, as they do, from random people they don't care about?
Some scammers can be honest. You might say "Transfer X amount of money to me. If you don't, you can never get your data back". Saying and acting on that doesn't make you dishonest, it makes you an asshole.
A trivial application of the principle of charity makes it obvious that the meaning here intended is 'truthful'. Splitting semantic hairs rather than discussing substance benefits no one.
Substantial discussion without accurate semantics is impossible, whereas splitting semantic hairs is substantial discussion in its own right. And the hairsplitting accuracy is necessary because the literal question of good and evil is hardly insignificant.
It is not insignificant but it is not the point of this discussion. The word honest was being used in a restricted context. One might argue that trustworthy might be a better word in this context but the meaning was clear nonetheless.