Ransomware arseholes
-
I have just had to advise a customer that the options for dealing with the aftermath of Cryptowall are
(a) Restore your data from your most recent offline backup
(b) Send some anonymous prick US$500 or US$1000 worth of BTC and hope they get back to you
(c) Learn to live without your data
and of course for this particular customer it turns out that (a) is not an option.
Panda has something called the Panda Ransomware Decrypter whose "advanced mode" requires access to encrypted and unencrypted versions of the same file in order to try to generate a decryption key, but AFAIK Cryptowall uses AES which is simply not vulnerable to known-plaintext key recovery.
If somebody here could convince me that my advice to this customer was wrong, I would be grateful.
I have the computer at my house. I've used a live CD and a NAS box to make a forensic block-for-block image of the affected hard disk, and I'm setting up a sandboxed VLAN that contains only the infected computer and an Internet gateway so that I can safely capture the traffic between this box and the malware's C&C server once I let it boot into Windows again. Can anybody suggest other measures it might be useful to put in place before doing that?
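An added example, not from this thread: the block-for-block imaging step above, written in Python so that a read error on a failing sector is handled the way dd's conv=noerror,sync handles it (zero-fill the block, skip past it, record its index) and the image is hashed as it is written so it can be verified before anything else touches it. The FaultyDisk class, the block size and the sample data are constructed for the demo.

```python
import hashlib
import io


class FaultyDisk:
    """Constructed stand-in for a block device with one unreadable block.
    It exists only so the demo can exercise the read-error path offline;
    it is not a model of real hardware."""

    def __init__(self, data: bytes, bad_block: int, block_size: int):
        self.data = data
        self.bad_block = bad_block
        self.block_size = block_size
        self.pos = 0

    def read(self, n: int) -> bytes:
        if self.pos // self.block_size == self.bad_block and self.pos < len(self.data):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, pos: int, whence: int = 0) -> int:
        self.pos = pos
        return pos


def image_stream(src, dst, block_size: int = 4096) -> dict:
    """Copy src to dst block by block, hashing what is written.

    A block whose read raises OSError (EIO on a failing sector) is replaced by
    zeros so the image keeps the source geometry, the read position is moved
    past it, and its index is recorded: the same idea as dd conv=noerror,sync."""
    digest = hashlib.sha256()
    bad_blocks = []
    blocks = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            chunk = b"\x00" * block_size
            bad_blocks.append(blocks)
            src.seek((blocks + 1) * block_size)
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        blocks += 1
    return {"blocks": blocks, "bad_blocks": bad_blocks, "sha256": digest.hexdigest()}


def image_device(src_path: str, dst_path: str, block_size: int = 4096) -> dict:
    """Image a block device (or any file) to a raw image file. Unbuffered I/O,
    so each read maps to one device request and errors surface per block."""
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        return image_stream(src, dst, block_size)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> tuple:
    """Image a constructed 10-block disk whose block 3 is unreadable.
    Returns (result, image_bytes) so the outcome can be inspected."""
    block_size = 1024
    data = bytes(range(256)) * 40          # 10240 bytes = 10 blocks of 1024
    disk = FaultyDisk(data, bad_block=3, block_size=block_size)
    dst = io.BytesIO()
    result = image_stream(disk, dst, block_size)
    return result, dst.getvalue()


if __name__ == "__main__":
    result, image = demo()
    print(f"{result['blocks']} blocks imaged, unreadable: {result['bad_blocks']}")
    print(f"image sha256: {result['sha256']}")
    # Re-hash the finished image and compare before trusting it for analysis.
    assert sha256_hex(image) == result["sha256"]
```

On a real disk you would call image_device("/dev/sdX", "/mnt/nas/disk.raw") from the live CD, keep the returned hash and bad-block list with the image, and work only on copies of the image from then on.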
-
Can anybody suggest other measures it might be useful to put in place before doing that?
Pray to your goddess and/or god.... Because that shit is nasty.
more practically i'd make sure you do it on a completely isolated network containing only computers that have no sensitive data on them and cannot access your normal network. I would not trust a VLAN in this matter. physical separation of the networks is required if you ask me.
that way if it all goes pear shaped you limit the harm to the computers you built for dealing with this.
-
Cryptowall uses AES
I heard differently.
Unlike CryptoLocker's use of a symmetric cipher, such as AES, to encrypt
bulk data, CryptoWall uses the RSA public key to directly encrypt files... using public/private key encryption with a strong 2048-bit RSA key.
You're not breaking 2048-bit RSA. The data is gone.
-
I would not trust a VLAN in this matter.
The traffic between the infected machine and its switch port is not 802.1Q tagged and is therefore not identifiable as VLAN traffic, and the switch is configured to drop any Ethernet frames sent into that port that are tagged. Is that more vulnerable than physical separation?
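An added example, not part of the thread: a small 802.1Q frame parser and the access-port ingress rule described above, so the "drop anything that arrives tagged" policy can be checked against constructed frames. The MAC addresses, the port VLAN id (40) and the frames are all made up for the demo.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer VLAN tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (stacked VLANs)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header and every leading VLAN tag.

    Returns the addresses, the list of tags (TPID, PCP, DEI, VID), the
    EtherType that finally follows the tag stack and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vids=()) -> bytes:
    """Build a frame, optionally with a stack of 802.1Q tags (outermost first)."""
    header = dst + src
    for vid in vids:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def access_port_ingress(frame: bytes, pvid: int):
    """Ingress policy for an untagged access port, as described in the post:
    untagged frames are assigned the port VLAN (pvid); any frame that arrives
    already carrying a tag, whether one or several, is dropped."""
    if parse_frame(frame)["tags"]:
        return ("drop", None)
    return ("accept", pvid)


# Constructed sample frames (addresses and VLAN ids are made up).
INFECTED_PC = bytes.fromhex("021122334455")
GATEWAY = bytes.fromhex("02aabbccddee")
ETH_IPV4, ETH_ARP = 0x0800, 0x0806
QUARANTINE_PVID = 40

UNTAGGED = build_frame(GATEWAY, INFECTED_PC, ETH_ARP, b"\x00\x01\x08\x00" + bytes(24))
TAGGED = build_frame(GATEWAY, INFECTED_PC, ETH_IPV4, bytes(46), vids=(1,))
STACKED = build_frame(GATEWAY, INFECTED_PC, ETH_IPV4, bytes(46), vids=(1, 20))

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("stacked", STACKED)):
        info = parse_frame(frame)
        print(name, [t["vid"] for t in info["tags"]], hex(info["ethertype"]),
              access_port_ingress(frame, QUARANTINE_PVID))
```

Feeding captured frames from the quarantine port through parse_frame is a quick way to confirm the switch really is stripping or dropping tags the way its configuration claims, which is the check the later Wireshark pass in this thread amounts to.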
-
Is that more vulnerable than physical separation?
You are already dealing with a malware infested computer. I would rather be overcautious and overreact with security than find out that the infected machine managed to escape the VLAN and infect my clean computers.
is my suggestion overkill? possibly. Can it backfire and cause the infection of my clean computers? Not if i unplug them from the cable modem while i'm working with the infected computer. Is it more work and more disruptive than the alternative? sure, unless the other way fails and now your own computers are infected.
-
Is that more vulnerable than physical separation?
slightly.
There is only air-gapped, or not air-gapped.
-
I'd be wary of connecting it to the internet at all - knowingly connecting a malware-infested PC to the internet may be in breach of your contract with your ISP.
-
slightly.
Can you (or anybody! please!) cite any documented exploit that has ever allowed a properly configured 802.1Q VLAN to leak traffic across a VLAN boundary, or is this a gut-feel in-principle "slightly"?
-
knowingly connecting a malware-infested PC to the internet may be in breach of your contract with your ISP.
That one's well and truly filed under plausible deniability, so I'm not really fussed about it.
-
Can you cite any documented exploit that has ever allowed a properly configured 802.1Q VLAN to leak traffic across a VLAN boundary,
I cannot. however i would not like to find out first person that it is in fact possible.
Like i said, when dealing with malware i prefer to nuke it from orbit, just to be sure.
when dealing with infections that i get asked to deal with my first step is always DBAN
yes it's likely overreacting, but i have yet to meet a virus/trojan/malware that can survive a good DBAN session.
and of course when i reinstall the system i install Linux (used to be Ubuntu, but ever since unity it's been either Mint or Xubuntu) so even if the virus survived it can't work.
again, is it overkill? probably but i'm not taking chances and you did bring your computer to me with that virus. either you'll never see that virus again or you'll never ask me to clean the virus off your computer again. either way is a win.
-
i have yet to meet a virus/trojan/malware that can survive a good DBAN session.
We've discussed this before.
Filed under: the call is coming from inside the BIOS
-
802.1Q VLAN
Obviously only works on some switches.
-
VLAN segmentation will be fine.
Entire ISPs separate customers' traffic using that, and it's definitely in their interest not to risk VLAN leakage.
On the obvious caveat that you've already mentioned though, which is that it's correctly configured.
-
Thank you. I'm confident that my present VLAN setups are all correctly configured to resist all the attacks your linked resources list, but I will work through them methodically with Wireshark and find out; after all, I have no a priori reason to place full trust in the switch firmware.
-
but i have yet to meet a virus/trojan/malware that can survive a good DBAN session.
You've not met them yet then. See: Lenovo (as linked above), OSX.
and of course when i reinstall the system i install Linux (used to be Ubuntu, but ever since unity it's been either Mint or Xubuntu) so even if the virus survived it can't work.
What if they want Windows?
-
-
You could investigate whether it is possible to recover data from the magnetic disk.
On one hand, there are the programs which overwrite disks with patterns that prevent recovery - from that one could conclude that without such patterns, it is possible to recover normally overwritten data.
On the other hand, evolution of disk technology may have made that no longer possible.
By the way, why would the malware encrypt the files instead of replacing them with random noise? If someone pays them, they already win, no need to decrypt the files.
-
By the way, why would the malware encrypt the files instead of replacing them with random noise? If someone pays them, they already win, no need to decrypt the files.
When word gets out that you don't get your data back if you pay, they'll probably be getting paid less.
-
If someone pays them, they already win, no need to decrypt the files.
These pricks are playing the long game.
The general consensus among other techs I've talked to is that they do generally provide the decryption keys they're paid for; if they didn't, their business model would have become unviable years ago.
-
You've not met them yet then.
no i have not, but then i don't buy stuff from assholes like lenovo or apple.
What if they want Windows?
then they shouldn't have asked me to solve their virus problems.
-
My friend once discovered that Windows makes some random backups, maybe check if that happened for your client.
http://www.howtogeek.com/howto/11130/restore-previous-versions-of-files-in-every-edition-of-windows-7/
-
no i have not, but then i don't buy stuff from assholes like lenovo or apple
Which assholes do you buy stuff from then?
then they shouldn't have asked me to solve their virus problems.
Whaaaa?
-
Which assholes do you buy stuff from then?
for desktops i build them myself. for laptops....
i won't claim it's malware proof, but i've never seen any non google malware on it.
and since google already has enough information to ruin me seven ways from sunday that's not that big a deal.
I imagine @ben_lubar will be interested in this
Whaaaa?
look, you asked me to solve the virus problem. i solved it. It's not that linux doesn't have viruses for it, it's just that it's not a valuable target so there are way fewer of them and the malware slingers don't tend to even try. so i solved your virus problem.
-
i don't buy stuff from assholes like lenovo or apple
Lots of laptop manufacturers preload this shit. It's a feature!
-
Lots of laptop manufacturers preload this shit. It's a feature!
fuck the lot of them with a rusty metal dildo that has spikes on.
seriously.
-
for desktops i build them myself.
Avoiding assholes like Gigabyte, Acer, MSI ... and Asus presumably?
look, you asked me to solve the virus problem. i solved it. It's not that linux doesn't have viruses for it, it's just that it's not a valuable target so there are way fewer of them and the malware slingers don't tend to even try. so i solved your virus problem.
Rather than providing them with decent malware protection and a bit of guidance about being safer online, so they're still safe but have the software they actually want?
-
You could investigate whether it is possible to recover data from the magnetic disk.
My friend once discovered that windows makes some random backups
I will certainly be searching the forensic image I took for shadow copies, as well as running TestDisk, PhotoRec and ZAR against it, but I'm not expecting to find much if anything. Shadow copies are super-easy to trash, and I believe NTFS does overwrite-in-place rather than delete-and-recreate when you open files for writing which is almost certainly what any halfway competent ransomware encrypter would do.
Good thinking though.
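An added example, not from the thread: a header-only carver (the kind of scan PhotoRec does far more thoroughly) run over a constructed 64 KiB "volume", to show why the overwrite-in-place point above matters. A file that is encrypted by rewriting its own clusters leaves nothing to carve; a file that is replaced by a freshly written copy leaves its old clusters, and therefore its plaintext header, in unallocated space. The image layout, the file contents and the keystream used as fake ciphertext are all constructed; the keystream is SHA-256 in counter mode purely so the demo is reproducible, not a cipher to use for anything.

```python
import hashlib

# File signatures a carver looks for at cluster/sector starts (header only).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
SECTOR = 512
FILE_LEN = 4096           # each constructed file occupies 8 sectors
PNG_OFFSET = 8 * SECTOR   # 4096
PDF_OFFSET = 40 * SECTOR  # 20480
NEW_COPY_OFFSET = 64 * SECTOR  # 32768: freshly allocated clusters


def carve(image: bytes, signatures=SIGNATURES) -> dict:
    """Report every offset at which a known file signature starts. Real carvers
    also track footers and lengths; here the question is only whether the
    original bytes are still on the disk at all."""
    hits = {name: [] for name in signatures}
    for name, sig in signatures.items():
        pos = image.find(sig)
        while pos != -1:
            hits[name].append(pos)
            pos = image.find(sig, pos + 1)
    return hits


def keystream(length: int, label: bytes) -> bytes:
    """Deterministic filler standing in for ciphertext (constructed for the demo)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def make_image() -> bytearray:
    """Constructed volume: one PNG and one PDF in contiguous clusters, the
    rest unallocated and zeroed."""
    image = bytearray(64 * 1024)
    png = SIGNATURES["png"] + b"constructed png body".ljust(FILE_LEN - 8, b"\x00")
    pdf = SIGNATURES["pdf"] + b"1.4 constructed pdf body".ljust(FILE_LEN - 5, b"\x00")
    image[PNG_OFFSET:PNG_OFFSET + FILE_LEN] = png
    image[PDF_OFFSET:PDF_OFFSET + FILE_LEN] = pdf
    return image


def overwrite_in_place(image: bytearray, offset: int, length: int) -> None:
    """Open the file for writing and overwrite its own clusters: the plaintext
    header is gone from the disk, so there is nothing left to carve."""
    image[offset:offset + length] = keystream(length, b"in-place")


def write_new_copy(image: bytearray, length: int, new_offset: int) -> None:
    """Write the new content to freshly allocated clusters and unlink the
    original: its clusters become unallocated but still hold the plaintext."""
    image[new_offset:new_offset + length] = keystream(length, b"new-file")


def simulate() -> dict:
    """Carve before and after the two write strategies; returns both results."""
    image = make_image()
    before = carve(image)
    overwrite_in_place(image, PDF_OFFSET, FILE_LEN)       # the PDF: rewritten in place
    write_new_copy(image, FILE_LEN, NEW_COPY_OFFSET)      # the PNG: replaced by a new file
    after = carve(image)
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = simulate()
    print("before:", result["before"])
    print("after: ", result["after"])
```

Against the real image the same scan would be run over the whole raw file (and the shadow-copy search is a separate job), but the outcome the post predicts is visible here: after the rewrite-in-place the PDF header is simply absent, while the PNG survives at its old offset because only a new copy was written.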
-
which is almost certainly what any halfway competent ransomware encrypter would do.
It is almost sad how much competence we credit to malware / virus / ransomware programmers and how little we expect from firms like M$.
I wish you the best of luck. Keep us posted on what you find and how much you can recover. Let's hope your ransomware arsehole was one of the bad kind!
-
-
What the fuck are you fucking the fuck doing to my fucking thread, you fuck?
/blakeyrat
-
I'd be wary of connecting it to the internet at all - knowingly connecting a malware-infested PC to the internet may be in breach of your contract with your ISP.
You mean every computer run by a typical consumer?
-
Avoiding assholes like Gigabyte, Acer, MSI ... and Asus presumably?
as best i can. I'm certainly extremely selective of the mobo provider and what bios version they have.
it takes a lot of research.
Rather than providing them with decent malware protection and a bit of guidance about being safer online, so they're still safe but have the software they actually want?
oh they get plenty of that beforehand. i only accept computers to fix that i provided them in the first place. and you got a good lesson about online security and were told i would be happy to provide additional training at any point. You also got a followup call a couple of weeks after i sold you the computer.
if you got a virus then you already blew that.
also i don't want to do tech support so, y'know i win there if you go elsewhere for tech support.
-
also i don't want to do tech support so, y'know i win there if you go elsewhere for tech support.
Why not just tell them to go elsewhere then? Or stop providing computers if you don't want to be tech support.
"Oh you crashed your car and asked me to fix it? Well here's a pushbike instead so you can't crash a car again".
-
Filed Under: @accalia and @loopback0 could you guys please either make out or start throwing insults around? This constant emberwar is not entertaining enough. Thank you!
i do try to avoid throwing the insults around.... but since you asked....
ahem
@Kuro: Your mother was a hamster and your father smelled of elderberries!
is that what you wanted?
-
Why not just tell them to go elsewhere then?
i thought that was what i was doing
Or stop providing computers if you don't want to be tech support.
they are family. further they are not good at taking no for an answer, so i use alternate discouragement techniques.
non-family i simply tell to fuck off.... but i can't do that to family.... well i can but then i get uninvited to the family parties and those are fun.
-
elderberries!
Is that something I can search for at work to find out how he smelled according to you?
Also, I am not sure. Your insults sound a lot like you being jelly!
Filed Under: then again, I rarely participate in these flamewars so maybe this is key?
-
i thought that was what i was doing
I meant before formatting their computer and putting Linux on it
-
Is that something I can search for at work to find out how he smelled according to you?
as far as i am aware the plant itself is safe for work.
Your insults sound a lot like you being jelly!
i'm a fox! not jelly!
-
I meant before formatting their computer and putting Linux on it
think of it as aggressive reinforcement of my point.
I try not to be an asshole to strangers, but family..... especially that part of the family.... family earned it. :-P
-
i'm a fox! not jelly!
#@accalia is jelly! @accalia is jelly! @accalia is jelly! sing
Filed Under: INB4 this starts a flamewar!
-
-
Slime:
Fox:
see the difference?
-
No?
-
Filed Under: What difference??
Addendum: If @RaceProUK wants to make @accalia use this as an avatar, I can probably do a little better. I had a very harsh deadline for this, since @JazzyJosh already replied!
-
-
That is neither a slime nor a fox!
Filed Under: It's clearly a horse and a bird!
Also Filed Under: Plus: my picture looks way more realistic!
-
I'm not paying the expedited rate.
-
And I am not paying the -fee. So in the end we probably come out even!
Filed Under: It's a good deal!
-
Filed Under: What difference??
Addendum: If @RaceProUK wants to make @accalia use this as an avatar, I can probably do a little better. I had a very harsh deadline for this, since @JazzyJosh already replied!
/me plans to see if she can find a hedgehog picture that would thematically work, also a similar picture of a red slime.
-
Can you install the image in a VM and run it (in Linux) instead of powering on the computer itself? That should be a harder sandbox to get out of, and you would be able to do a little more than listen to traffic; if nothing else you can take snapshots and redo a test.
Of course it depends on how much you are paid to make the effort worthwhile, good luck