Ransomware arseholes



  • I have just had to advise a customer that the options for dealing with the aftermath of Cryptowall are

    (a) Restore your data from your most recent offline backup
    (b) Send some anonymous prick US$500 or US$1000 worth of BTC and hope they get back to you
    (c) Learn to live without your data

    and of course for this particular customer it turns out that (a) is not an option.

    Panda has something called the Panda Ransomware Decrypter whose "advanced mode" requires access to encrypted and unencrypted versions of the same file in order to try to generate a decryption key, but AFAIK Cryptowall uses AES which is simply not vulnerable to known-plaintext key recovery.

    If somebody here could convince me that my advice to this customer was wrong, I would be grateful.

    I have the computer at my house. I've used a live CD and a NAS box to make a forensic block-for-block image of the affected hard disk, and I'm setting up a sandboxed VLAN that contains only the infected computer and an Internet gateway so that I can safely capture the traffic between this box and the malware's C&C server once I let it boot into Windows again. Can anybody suggest other measures it might be useful to put in place before doing that?


  • SockDev

    @flabdablet said:

    Can anybody suggest other measures it might be useful to put in place before doing that?

    Pray to your goddess and/or god.... Because that shit is nasty.

    more practically i'd make sure you do it on a completely isolated network containing only computers that have no sensitive data on them and cannot access your normal network. I would not trust a VLAN in this matter. physical separation of the networks is required if you ask me.

    that way if it all goes pear shaped you limit the harm to the computers you built for dealing with this.



  • @flabdablet said:

    Cryptowall uses AES

    I heard differently.

    Unlike CryptoLocker's use of a symmetric cipher, such as AES, to encrypt
    bulk data, CryptoWall uses the RSA public key to directly encrypt files

    Source

    ... using public/private key encryption with a strong 2048-bit RSA key.

    Source

    You're not breaking 2048-bit RSA. The data is gone.



  • @accalia said:

    I would not trust a VLAN in this matter.

    The traffic between the infected machine and its switch port is not 802.1Q tagged and is therefore not identifiable as VLAN traffic, and the switch is configured to drop any Ethernet frames sent into that port that are tagged. Is that more vulnerable than physical separation?


  • SockDev

    @flabdablet said:

    Is that more vulnerable than physical separation?

    You are already dealing with a malware infested computer. I would rather be overcautious and overreact with security than find out that the infected machine managed to escape the VLAN and infect my clean computers.

    is my suggestion overkill? possibly. Can it backfire and cause the infection of my clean computers, not if i unplug them from the cable modem while i'm working with the infected computer. Is it more work and more disruptive than the alternative? sure, unless the other way fails and now your own computers are infected.



  • @flabdablet said:

    Is that more vulnerable than physical separation?

    slightly.
    There is only airgapped, or not air gapped.



  • I'd be wary of connecting it to the internet at all - knowingly connecting a malware-infested PC to the internet may be in breach of your contract with your ISP.



  • @swayde said:

    slightly.

    Can you (or anybody! please!) cite any documented exploit that has ever allowed a properly configured 802.1Q VLAN to leak traffic across a VLAN boundary, or is this a gut-feel in-principle "slightly"?



  • @PleegWat said:

    knowingly connecting a malware-infested PC to the internet may be in breach of your contract with your ISP.

    That one's well and truly filed under plausible deniability, so I'm not really fussed about it.


  • SockDev

    @flabdablet said:

    Can you cite any documented exploit that has ever allowed a properly configured 802.1Q VLAN to leak traffic across a VLAN boundary,

    I cannot. however i would not like to find out first person that it is in fact possible.

    Like i said, when dealing with malware i prefer to nuke it from orbit, just to be sure.

    when dealing with infections that i get asked to deal with my first step is always DBAN

    yes it's likely overreacting, but i have yet to meet a virus/trojan/malware that can survive a good DBAN session.

    and of course when i reinstall the system i install Linux (used to be Ubuntu, but ever since unity it's been either Mint or Xubuntu) so even if the virus survived it can't work.

    again, is it overkill? probably but i'm not taking chances and you did bring your computer to me with that virus. either you'll never see that virus again or you'll never ask me to clean the virus off your computer again. either way is a win.



  • @accalia said:

    i have yet to meet a virus/trojan/malware that can survive a good DBAN session.

    We've discussed this before.

    Filed under: the call is coming from inside the BIOS



  • @flabdablet said:

    802.1Q VLAN

    Obviously only works on some switches.



  • VLAN segmentation will be fine.
    Entire ISPs separate customer's traffic using that, and it's definitely in their interest not to risk VLAN leakage.

    On the obvious caveat that you've already mentioned though, which is that it's correctly configured.



  • Thank you. I'm confident that my present VLAN setups are all correctly configured to resist all the attacks your linked resources list, but I will work through them methodically with Wireshark and find out; after all, I have no a priori reason to place full trust in the switch firmware.
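    Since the whole isolation argument above rests on the sandbox port never carrying tagged frames, here is an added example (not code from any poster) that audits a set of raw Ethernet frames for 802.1Q or 802.1ad tags; the sample frames are constructed inline, and in practice you would feed it frames read from the Wireshark or tcpdump capture of the quarantined port.

```python
import struct

# EtherTypes that introduce a VLAN tag: 0x8100 (802.1Q) or 0x88A8 (802.1ad service tag).
VLAN_ETHERTYPES = {0x8100: "802.1Q", 0x88A8: "802.1ad"}

def parse_vlan_tags(frame: bytes):
    """Return (tags, inner_ethertype); tags is [(tag_type, vlan_id), ...] outermost first,
    empty for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame: %d bytes" % len(frame))
    offset = 12  # skip destination and source MAC addresses
    tags = []
    while True:
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in VLAN_ETHERTYPES:
            return tags, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag at offset %d" % offset)
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append((VLAN_ETHERTYPES[ethertype], tci & 0x0FFF))  # low 12 bits = VLAN ID
        offset += 4

def audit_capture(frames):
    """List (index, tags, inner_ethertype) for every tagged frame; on an access port
    that should strip or drop tags, any hit is a finding worth chasing in Wireshark."""
    findings = []
    for idx, frame in enumerate(frames):
        tags, inner = parse_vlan_tags(frame)
        if tags:
            findings.append((idx, tags, inner))
    return findings

def make_frame(tags, inner_ethertype, payload=b"\x00" * 46):
    """Build a constructed sample frame (not captured traffic)."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"  # broadcast dst, locally administered src
    for tag_ethertype, vid in tags:
        hdr += struct.pack("!HH", tag_ethertype, vid & 0x0FFF)  # PCP=0, DEI=0, VID
    return hdr + struct.pack("!H", inner_ethertype) + payload

# Constructed sample capture: an untagged ARP frame, a single-tagged IPv4 frame (VLAN 10)
# and a double-tagged (QinQ) IPv4 frame; only the first belongs on a clean access port.
SAMPLE_FRAMES = [
    make_frame([], 0x0806),
    make_frame([(0x8100, 10)], 0x0800),
    make_frame([(0x88A8, 100), (0x8100, 20)], 0x0800),
]
```

    The equivalent Wireshark display filter on the real capture is simply `vlan`; any match on the quarantined access port means the switch is not stripping or dropping tags the way the configuration claims.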



  • @accalia said:

    but i have yet to meet a virus/trojan/malware that can survive a good DBAN session.

    You've not met them yet then. See: Lenovo (as linked above), OSX.

    @accalia said:

    and of course when i reinstall the system i install Linux (used to be Ubuntu, but ever since unity it's been either Mint or Xubuntu) so even if the virus survived it can't work.

    What if they want Windows?




  • area_pol

    You could investigate whether it is possible to recover data from the magnetic disk.
    On one hand, there are the programs which overwrite disks with patterns that prevent recovery - from that one could conclude that without such patterns, it is possible to recover normally overwritten data.
    On the other hand, evolution of disk technology may have made that no longer possible.

    By the way, why would the malware encrypt the files instead of replacing them with random noise? If someone pays them, they already win, no need to decrypt the files.



  • @Adynathos said:

    By the way, why would the malware encrypt the files instead of replacing them with random noise? If someone pays them, they already win, no need to decrypt the files.

    When word gets out that you don't get your data back if you pay, they'll probably be getting paid less.



  • @Adynathos said:

    If someone pays them, they already win, no need to decrypt the files.

    These pricks are playing the long game.

    The general consensus among other techs I've talked to is that they do generally provide the decryption keys they're paid for; if they didn't, their business model would have become unviable years ago.


  • SockDev

    @loopback0 said:

    You've not met them yet then.

    no i have not, but then i don't buy stuff from assholes like lenovo or apple.

    @loopback0 said:

    What if they want Windows?

    then they shouldn't have asked me to solve their virus problems.


  • area_pol

    My friend once discovered that windows makes some random backups, maybe check if that happened for your client.



  • @accalia said:

    no i have not, but then i don't buy stuff from assholes like lenovo or apple

    Which assholes do you buy stuff from then?

    @accalia said:

    then they shouldn't have asked me to solve their virus problems.

    Whaaaa?


  • SockDev

    @loopback0 said:

    Which assholes do you buy stuff from then?

    for desktops i build them myself. for laptops....

    i won't claim it's malware proof, but i've never seen any non google malware on it.

    and since google already has enough information to ruin me seven ways from sunday that's not that big a deal.

    I imagine @ben_lubar will be interested in this

    @loopback0 said:

    Whaaaa?

    look, you asked me to solve the virus problem. i solved it. It's not that linux doesn't have viruses for it, it's just that it's not a valuable target so there are way fewer of them and the malware slingers don't tend to even try. so i solved your virus problem.



  • @accalia said:

    i don't buy stuff from assholes like lenovo or apple

    Lots of laptop manufacturers preload this shit. It's a feature!


  • SockDev

    @flabdablet said:

    Lots of laptop manufacturers preload this shit. It's a feature!

    fuck the lot of them with a rusty metal dildo that has spikes on.

    seriously.



  • @accalia said:

    for desktops i build them myself.

    Avoiding assholes like Gigabyte, Acer, MSI ... and Asus presumably?

    @accalia said:

    look, you asked me to solve the virus problem. i solved it. It's not that linux doesn't have viruses for it, it's just that it's not a valuable target so there are way fewer of them and the malware slingers don't tend to even try. so i solved your virus problem.

    Rather than providing them with decent malware protection and a bit of guidance about being safer online, so they're still safe but have the software they actually want?



  • @Adynathos said:

    You could investigate whether it is possible to recover data from the magnetic disk.

    @Adynathos said:

    My friend once discovered that windows makes some random backups

    I will certainly be searching the forensic image I took for shadow copies, as well as running TestDisk, PhotoRec and ZAR against it, but I'm not expecting to find much if anything. Shadow copies are super-easy to trash, and I believe NTFS does overwrite-in-place rather than delete-and-recreate when you open files for writing, which is almost certainly what any halfway competent ransomware encrypter would do.

    Good thinking though.


  • Winner of the 2016 Presidential Election

    @flabdablet said:

    which is almost certainly what any halfway competent ransomware encrypter would do.

    It is almost sad how much competence we credit to malware / virus / ransomware programmers and how little we expect from firms like M$.

    I wish you the best of luck. Keep us posted on what you find and how much you can recover. Let's hope your ransomware arsehole was one of the bad kind!

    Filed Under: @accalia and @loopback0 could you guys please either make out or start throwing insults around? This constant emberwar is not entertaining enough. Thank you!



  • You can fuck right off.



    Filed under: Better?



  • What the fuck are you fucking the fuck doing to my fucking thread, you fuck?

    /blakeyrat



  • @PleegWat said:

    I'd be wary of connecting it to the internet at all - knowingly connecting a malware-infested PC to the internet may be in breach of your contract with your ISP.

    You mean every computer run by a typical consumer?


  • SockDev

    @loopback0 said:

    Avoiding assholes like Gigabyte, Acer, MSI ... and Asus presumably?

    as best i can. I'm certainly extremely selective of the mobo provider and what bios version they have.

    it takes a lot of research.

    @loopback0 said:

    Rather than providing them with decent malware protection and a bit of guidance about being safer online, so they're still safe but have the software they actually want?

    oh they get plenty of that before hand. i only accept computers to fix that i provided them in the first place. and you got a good lesson about online security and were told i would be happy to provide additional training at any point. You also got a followup call a couple of weeks after i sold you the computer.

    if you got a virus then you already blew that.

    also i don't want to do tech support so, y'know i win there if you go elsewhere for tech support.



  • @accalia said:

    also i don't want to do tech support so, y'know i win there if you go elsewhere for tech support.

    Why not just tell them to go elsewhere then? Or stop providing computers if you don't want to be tech support.

    "Oh you crashed your car and asked me to fix it? Well here's a pushbike instead so you can't crash a car again".


  • SockDev

    @Kuro said:

    Filed Under: @accalia and @loopback0 could you guys please either make out or start throwing insults around? This constant emberwar is not entertaining enough. Thank you!

    i do try to avoid throwing the insults around.... but since you asked....

    ahem

    @Kuro: Your mother was a hamster and your father smelled of elderberries!

    is that what you wanted?


  • SockDev

    @loopback0 said:

    Why not just tell them to go elsewhere then?

    i thought that was what i was doing

    @loopback0 said:

    Or stop providing computers if you don't want to be tech support.

    they are family. further they are not good at taking no for an answer, so i use alternate discouragement techniques.

    non family i simply tell to fuck off.... but i can't do that to family.... well i can but then i get uninvited to the family parties and those are fun.


  • Winner of the 2016 Presidential Election

    @accalia said:

    elderberries!

    Is that something I can search for at work to find out how he smelled according to you?

    Also, I am not sure. Your insults sound a lot like you being jelly!

    Filed Under: then again, I rarely participate in these flamewars so maybe this is key?



  • @accalia said:

    i thought that was what i was doing

    I meant before formatting their computer and putting Linux on it :laughing:


  • SockDev

    @Kuro said:

    Is that something I can search for at work to find out how he smelled according to you?

    as far as i am aware the plant itself is safe for work.

    @Kuro said:

    Your insults sound a lot like you being jelly!

    i'm a fox! not jelly!


  • SockDev

    @loopback0 said:

    I meant before formatting their computer and putting Linux on it

    think of it as aggressive reinforcement of my point.

    I try not to be an asshole to strangers, but family..... especially that part of the family.... family earned it. :-P


  • Winner of the 2016 Presidential Election

    @accalia said:

    i'm a fox! not jelly!

    #@accalia is jelly! @accalia is jelly! @accalia is jelly! sing

    Filed Under: INB4 this starts a flamewar!




  • SockDev

    Slime:

    Fox:

    see the difference?



  • No?


  • Winner of the 2016 Presidential Election

    Filed Under: What difference??

    Addendum: If @RaceProUK wants to make @accalia use this as an avatar, I can probably do a little better. I had a very harsh deadline for this, since @JazzyJosh already replied!




  • Winner of the 2016 Presidential Election

    That is neither a slime nor a fox!

    Filed Under: It's clearly a horse and a bird!
    Also Filed Under: Plus: my picture looks way more realistic!



  • I'm not paying the expedited rate. :colbert:


  • Winner of the 2016 Presidential Election

    And I am not paying the :hanzo:-fee. So in the end we probably come out even!

    Filed Under: It's a good deal!


  • SockDev

    @Kuro said:

    Filed Under: What difference??

    Addendum: If @RaceProUK wants to make @accalia use this as an avatar, I can probably do a little better. I had a very harsh deadline for this, since @JazzyJosh already replied!

    /me plans to see if she can find a hedgehog picture that would thematically work, also a similar picture of a red slime.


  • BINNED

    Can you install the image in a VM and run it (in Linux) instead of powering on the computer itself? That should be a harder sandbox to get out of, and you would be able to do little more than listening to traffic; if nothing else you can get snapshots and redo a test.

    Of course it depends on how much you are paid to make the effort worthwhile, good luck

