The end is nigh. Or, more specifically, the end is nigh for those who have ignored the basics of a good, clean, and safe electronic life.
Since Friday 10th May, a ransomware product called WannaCry(ptor) has spread around the world. As of writing this, the first Monday morning has not occurred yet, and we all know what the usual Monday morning in an IT department looks like. WannaCry uses a known exploit in Windows, which was patched two months ago, and the virus itself detected quite quickly by the major vendors… and yet it is creating havok. Why?
Let’s recap; for the last three years a relatively new form of malware has been infecting Windows-based machines across the globe, called Ransomware. The reasons for malware and computer viruses have been to infiltrate a company and steal their precious electronic goodies (Sony were hit hard in 2014), or for the lulz, or to create specific damage (Stuxnet is a particularly beautiful example of this). However, Ransomware targets people and companies where it hurts the most; their data. The virus prevents access to the data unless a few hundred pounds is given to the makers, at which point the files should decrypt and access is given. As with most malware, the infection is usually a three stage process:
- A piece of software tries to exploit a vulnerability in a computer’s operating system or another application installed on the computer. This is known as a trojan.
- If successful, it will then try to communicate with a computer on the Internet (known as a Command and Control computer) and download a payload, which is the main virus itself.
- If an AV product does not detect the virus then it will run.
Ransomware will target the most common filetypes on a computer and encrypts them. Once successful it will upload an encryption key to the C&C computer and display a message informing the user that their files are encrypted, and some instructions on how to decrypt these files. In theory (and I have seen this done successfully), you can gain access to your files by paying the ransom. However, there are many reasons why you should not pay, which I will go into a little later on.
So let us examine the infection process and break each one down, including ways to mitigate any malware attempt on your machine.
Before I continue, this is a high-level blog post about ransomware, and I will be making generalisations by the bucketload. For example, running a non-Windows operating system is one way to avoid these kinds of viruses, but it is not to say that Linux is invulnerable to exploitation – POODLE and SHELLSHOCK are fantastic counter-arguments for this, and may be considered more severe than anything that has appeared on Windows.
I feel it fair to inform you that I am a reseller for Kaspersky, and mention Kaspersky a few times. As I tell my clients, I don’t recommend Kaspersky because I sell it, but I sell it because I recommend it. If you are looking for a security recommendation, a good start will be to visit AV Comparatives to see how security products compare against each-other.
The first step in infecting a system is to find a weakness. The old adage that “nothing is perfect” runs deep in the electronic world, and is accepted too. For example, banks use a combination of traditional security methods, “honeypots” (where virtual machines are used as cannon-fodder to examine how hackers are breaking into machines) and constant forensic examination to protect their businesses. They don’t try to stone-wall attacks, they allow it and then repair any damage once they identify how a hacker gained access.
Software vendors are constantly improving their products to increase performance, fix bugs, and also fix any security vulnerabilities. Google invites the world to submit any bugs found in exchange for a bounty via their Vulnerability Reward Program, but this highlights the value in any bugs in an application. Let’s consider the following; you are studying computer science at college and are creating a program using a popular coding language. One day you discover that, purely by accident, that you can create a piece of code that resets your PC without any confirmation message or having to be an administrator. Initially this seems like a problem with your particular PC, but you discover that it resets any Windows PC that it runs on. Useful? On the surface no, but to hackers it has incredible potential. From a disruptive point of view it could cause absolute chaos to an “enemy” nation, hospitals and public services would cease, and military assets could be taken out of action. The code could point to a particular vulnerability within the operating system and be used to run other applications, giving remote access and allowing the theft of electronic data. Your annoying bit of code suddenly becomes a doomsday weapon.
So your weapon, comprising of fifteen lines of code, has incredible value, but to who? The vendor would love to know exploits within its products but are generally not offering the prices that 3rd parties are. For example an exploit within Apple iOS can net you up to $1.5M. As a student, do you accept a few hundred dollars, or a few thousand? Do you do it for the greater good, or go for the big money? Do you help people protect themselves, or help the criminals get paid themselves? Either way you become a part of this issue, and you have a moral choice to make.
So what is the answer?
- Patching. Keeping all of your software up-to-date – not just Windows – is a large part of this. However, as above, every system has an unknown back door or vulnerability, and so patching and updating will not address these problems until they are found (or exploited). For the majority of computer users though, patching will eliminate most risks.
- Anti-virus. Running a good security product on your machine is absolutely essential. Even though a vulnerability may exist on a piece of software, products like Kaspersky Endpoint can detect the behaviour of trojans and malware, and prevent them from running properly.
- Passwords & Accounts. Running as an administrator for day-to-day use is not recommended. Additionally, a long password for all your accounts can only help any attempts to infect your system (which stifled Confiker when that hit my company).
- Education. The biggest reason why exploits are successful is through people not knowing the risks. I have seen people disable their AV product because it is stopping them from opening a zip file or movie. I have seen people respond to emails about their bank account supposedly being hacked. I have witnessed people giving their password over the phone to someone pretending to be from their company’s IT department. The UK government has a little-known website about best practise online which is incredibly useful for computer and phone users.
OK so you’ve been exploited; what happens now? Generally the trojan/exploit will try to communicate with a Command and Control computer and download the main virus. As serious as it sounds, there are still ways to prevent the infection. In a company, there should be a main Internet proxy and/or a firewall, both of which should prevent a machine from just accessing the Internet and downloading a payload. Previous companies I’ve worked for have been extremely good at this, and the logs useful for informing IT of infected machines. Even if a machine manages to get to the C&C machine, most edge security products scan for malware passing through. If the malware manages to get to the endpoint computer, then the locally-installed anti-virus product should have a good chance at preventing full infection. If all of this fails to prevent infection, then you will need to deal with the fallout.
The biggest preventative measure for payloads at this stage is anti-virus software, and a firewall. Anti-virus software will monitor all processes in memory, and all files coming in via your network connection. It holds a list of known viruses and will kill anything that matches this list of definitions, and many have the ability to suspend processes that exhibit the behaviour of a virus. Additionally, some products use a cloud service as a definition database for “real-time” infections, which improves the response to zero-day malware. Many AV products have a firewall built in (and a few vendors now simply manage Windows Firewall on your behalf), but the best firewall for Windows is Windows Firewall. It works on the basis of allowing specific applications access to the network or Internet; if a program suddenly appears on your PC and wants to access the network then it is blocked. It does require some knowledge of configuration if you do have a program that is blocked, but it does do a good job of managing itself through knowledge of trusted applications.
So you are now infected with a virus; what now? If a piece of malware has made it onto your machine then you’re unlikely to know about it until the damage has been done, especially with ransomware. These kinds of products targets drive letters, so for those with mapped drives to company servers the virus will attack these files too; think about using desktop shortcuts and links in your Favorites bar instead. What you will experience depends on the virus itself, but you will probably lose the use of your computer, and your files.
At this stage you are not looking to repair, but to recover. The damage has been done, and it is impossible to tell whether your files have been infected with copies of the virus too, so recovery is not recommended. To mitigate the damage, you will need to have been taking backups of your data. Backing up is advice as old as computing itself, and is still valid to this day.
To ease the process you want to get a piece of software like Acronis or EaseUS. This will manage all the technical issues like capturing Windows itself as-is, and encrypting your data (properly, not like the ransomware encryption), and writing it to a backup device. For a backup device I would recommend several external USB drives (500GB or more, depending on how much data you have) and swapping them around every time you do a backup. This ensures that you have an offline copy of your files; if you have your backup device plugged into your machine when it is infected, your precious backup could be infected too! Once you have a few backups done, and a recovery disk created, do what most companies do and perform a DR test. Pretend that your machine has been infected and go for a recovery. If possible do this on another machine, or swap your hard drive out of your existing machine and replace with a blank hard drive (so you can swap the drives back after the DR test, regardless of whether it was successful or not).
If you want to do things a little more manual, simply copying all your files to an external USB stick periodically is suitable, but again keep several copies, and make sure you encrypt the drive. VeraCrypt is a good and free choice, or BitLocker if your version of Windows supports it.
Another course of action is to subscribe to cloud storage such as OneDrive or Dropbox and keep your files on this. Although your files will get infected, you can roll back the changes on both these products and recover your data this way.
If you are unlucky enough to be infected with a ransomware variant, you have a few choices; reload Windows from a fresh installation disk (it’s probably a good idea to keep one of these to hand regardless); recover from your backups; pay the ransom.
This depends if you are comfortable with installing Windows, drivers, and your software from scratch, AND the data stored on the infected machine is not important to you. If this is the case, and you don’t have any backups, then this is the path for you. Just remember to avoid any mistakes you made that got you infected in the first place. Get a better AV product (I prefer Kaspersky if you need a recommendation) or don’t install anything from a dodgy source. Also make sure that you don’t open email attachments unless you are 100% sure of the recipient.
This is the preferred method, and you should strive to get to a position where you can recover easily, and at any time. Make sure that your backups are good and that you know how to recover if needed. As long as you can recover your files and system easily, then ransomware viruses are a minor irritation at best. This does not mean that viruses are harmless; other viruses can steal your data so infection is to be avoided at all times.
The last choice. This is only to be considered if your data is absolutely unique, and if you have absolutely no backup at all, and if you are willing to take a substantial risk.
The fee to decrypt is anywhere between £300 and £1,000, depending on the exchange rate of BitCoin. This is the cryptocurrency of choice when paying these ransoms because BitCoin transactions are untraceable. If you paid with a credit card then the recipient will need an account, and the police would be able to capture the perp. Since there is no accountability with BitCoin, then you are putting a lot of trust in reciprocation; you are trusting a “cybercriminal” who is holding your data against your will, to honour their agreement to release your files to you once they have received payment to their anonymous account.
The other consideration is that every payment in response to ransomware legitimises this method of attack. The more money that is paid to ransomware makers will encourage others to do it, which will increase the attacks and make it a bigger business. This is easy to say when I don’t have a computer full of encrypted pictures of my family or my business spreadsheets, but it is a consideration.
Finally, it is sensible to consider that your machine is infected; once your files have been decrypted then there is nothing to stop a similar product from re-encrypting your machine again. Another possibility is that the virus infects your machine with another virus, so once your files are decrypted then your files are uploaded to another computer. In short, your machine cannot be trusted.
Anyway, from my personal experience I know of a business that paid the ransom of £1500 and got access to their files again (and then got reinfected by a different type of virus and so had to clean out 300 machines). I also know of an individual that paid £700 and did not get access to his files.
So the reason that WannaCry has spread so widely is not because it’s anything wildly different from other ransomware products, but because a lot of companies and individuals are running old versions of Windows, are not patched regularly, and/or are running no or poor anti-virus products. This was a problem waiting to happen, and it was inevitable it would happen soon. In that respect, watching the progress of WannaCry on a well-protected, maintained and backed-up machine is like watching Armageddon from the ISS. And if you want to drastically reduce your exposure to these types of viruses (for now), then look at using Linux. Ubuntu and CentOS is as functional as Windows, and has great support from the community too.