[HN Gopher] How to survive a ransomware attack without paying th...
___________________________________________________________________
How to survive a ransomware attack without paying the ransom
Author : DamnInteresting
Score : 64 points
Date : 2020-07-23 16:52 UTC (2 days ago)
(HTM) web link (www.bloomberg.com)
(TXT) w3m dump (www.bloomberg.com)
| Tiltowait-- wrote:
| Easy: restore from backups.
| gav wrote:
| Sometimes not that simple, the attack could have corrupted or
| deleted the backups, or the backups themselves could be the
| source of reinfection.
| matsemann wrote:
| What if they hacked you months before pulling the trigger? The
| article mentions they were hacked in December and the attack
| launched in March. Restoring a backup would then still leave
| the hackers inside.
|
| And even if most data were backed up, most computers still have
| to be wiped and reinstalled. I don't think most companies
| backup the entire disks off all employees, it's normally just a
| dedicated file area. So while the data can be restored, the IT
| department still have to set up hundreds of computers for all
| kinds of different workers or machines on the spot.
|
| Nothing is ever easy, don't be so dismissive about things you
| haven't thought through.
| viraptor wrote:
| Companies of non-trivial size often have (and should have) a
| system allowing for remote device management. Which means:
|
| - It should be easy to reinstall to a known good image with
| all the relevant software, settings, drivers, etc. then
| restore the backed up data. This is relatively common in
| corps.
|
| - Once you observe the malware and know how it reaches the
| C&C server, you can push rules blocking that host or block
| the bad binary network-wide.
|
| Of course there will be companies that didn't have good
| enough system in place and once exploited are doomed.
| marcinzm wrote:
| The attackers likely compromised the computers using the
| remote device management system which means it's either
| disabled or unsafe to use.
| viraptor wrote:
| Sure, you need to make sure your AD and device management
| is clean before starting the process. My point was that
| once you're bootstraped you shouldn't need a fully manual
| recovery process.
| ourmandave wrote:
| And format every hard drive in the building first.
|
| Also replace your IT security provider and/or person.
| einrealist wrote:
| I wonder how many of such attacks can be prevented / starved in a
| zero-trust network.
| LifeLiverTransp wrote:
| Dont give into your lower instincts as a company to centralize
| all the things. Air-Gap them in the architecture?
| rectang wrote:
| > _In other words, it's less a question of how to stop hackers
| from breaking in than how to best survive the inevitable damage._
|
| There doesn't seem to be conventional wisdom about how to build
| systems that are easy to restore. How do you optimize for
| recovery after an attack? How do you ensure that you've
| eliminated all the backdoors?
|
| My guess is a combination of "continuous restoration", version
| controlled code, and a complete separation of code from data.
|
| I want to read books about this but they don't seem to exist.
| linsomniac wrote:
| The unfortunate thing is that the ransom probably is priced such
| that it's cheaper than the company resolving the problem on their
| own. Or the company would just resolve it without paying the
| ransom. On the other hand, it's bad on many fronts if the company
| just decides it is the cost of doing business, and doesn't do a
| great job of securing their systems in the future...
|
| Many companies just get by, rather than doing serious security
| design. How do you change that culture in a company? Will paying
| the ransom do that? Probably if it only costs $1M to do. If it
| costs them $100M to do, would they do it?
| abcok1 wrote:
| You can't because of bitcoin. Bitcoin is what criminals dream of.
| lobster45 wrote:
| This is not really surviving. What do you need to do is prepare
| and to have off line backups
| ntucker wrote:
| Paywall didn't let me read it, but as I clicked, I thought
| "this article should be one sentence about doing backups."
| FlyMoreRockets wrote:
| Offline backups have been a thing for decades. Why is this not
| standard practice? Especially for a technology company like
| Garmin. It can't be about cost savings, businesses still pay
| for insurance and security systems. For that matter, offsite
| backups should also be saved in case of fires, floods,
| tornadoes, theft, etc...
| cpeterso wrote:
| Offline backups are not a complete solution. What if your
| backups are infected with the virus? Even if the backups are
| uninfected, your IT department has to manually scrap and
| rebuild all your computers from data centers to the warehouse
| to the receptionist. And in the meantime, like the article
| described, you have to pay your employees and suppliers and
| continue to ship products to customers.
| FlyMoreRockets wrote:
| An important part of any backup strategy is testing your
| backups on a regular basis. Perhaps it could even be
| automated...
| noir_lord wrote:
| Wired did a phenomenal article on the Maersk attack
| https://www.wired.com/story/notpetya-cyberattack-ukraine-
| rus... company I worked for was affected as we had shipping
| containers on the water at the time and it was chaos but
| they recovered.
| SV_BubbleTime wrote:
| Backup price for 8TB is cheap enough. Backup price for 8PT
| does not scale well.
|
| I don't know how much data Garmin has company wide. But it's
| a lot different for me to consider offline backups as a
| simple service than a company this size and complexity.
| gpm wrote:
| There are plenty of companies that can backup 8PB of data
| from a wide variety of sources for you, and make it a
| relatively staitforward task to interegrate with them.
|
| There is complexity, yes, but it's mostly a solved problem.
|
| Disclaimer: I work for one.
| bloomingeek wrote:
| Exactly, Although not always practical, if kept virus free
| (which of course is possible), offline back ups are the best
| solution because it's never broken into. ANYTHING online is
| risky, we all know this, so why do corporations still
| practically ignore the obvious?
| beefhash wrote:
| Given there's been a recent trend about ransomware not only
| encrypting, but also exfiltrating data, backups won't save you
| from the bad PR of the leak.
| piokoch wrote:
| Garmin CEO at al must be reading this impatiently, looking for
| some clever-magic clue, which is not gonna arrive, I am afraid.
|
| Meanwhile Garmin watches users (like me) are wondering how it is
| that syncing my watch that I have bought with an application on
| my smartphone that I have bought requires presence of some
| distant online service.
|
| I can understand that some parts like "social" stuff might depend
| on some central service but, hey, something simple like syncing
| ones excercise achievements between phone and watch? Really? Who
| has designed that?
| yread wrote:
| _"A distributed system is one that prevents you from working
| because of the failure of a machine that you had never heard
| of."_
|
| Leslie Lamport
| matsemann wrote:
| Over two days now, and almost radio silence from Garmin. I can
| sympathize with their issues, but not keeping us informed at
| all about what's going on is quickly leading people to become
| angry on various fitness forums I frequent. Not a good way to
| treat us customers.
| prennert wrote:
| It is surprisingly difficult to make synchronisation work
| between two devices that might run different hard- and firmware
| and even potentially software versions. Cloud based APIs as
| middleware is soo much easier in comparison.
|
| I am completely with you conceptually, but from experience I
| can tell you that even if there is a commercial incentive to
| allow for local communication it takes a few days to get it
| working with the cloud and months to do it locally only. And
| you really need to know what you are doing to make it safe and
| reliable in all eventualities.
| eatingCake wrote:
| My understanding[1] was that these types of devices sync by
| sending a blob over bluetooth to the paired cell phone, and
| then the cell phone uploads this to the cloud to be
| decrypted. What kinds of devices are you talking about?
|
| [1]: https://hackaday.com/2017/12/29/34c3-fitbit-sniffing-
| and-fir...
| DebtDeflation wrote:
| >It is surprisingly difficult to make synchronisation work
| between two devices
|
| No it isn't. We were doing it for years before "the cloud" or
| even the modern Internet even existed using Bluetooth, RF,
| IR, and cables. Have you ever looked at a .fit file on a
| Garmin watch? It's a binary format, but is straightforward to
| convert to CSV, and doesn't contain much beyond timestamp,
| latitude, longitude, altitude, heart rate, cadence, and a few
| other fields. Calculating distance, duration, training
| effect, calories burned, etc. is simple summarization and
| arithmetic, plotting course on a map just requires an offline
| map and a plotting library. It already does all of this ON
| THE WATCH itself without needing any connection to anything
| else, so there's nothing stopping an app from doing the same
| thing locally on a much more powerful iPhone or Android
| phone. The Garmin cloud is only inserted in the process here
| so they can monetize your data.
| feanaro wrote:
| What makes it so difficult? What are some concrete problems
| you encountered?
| buran77 wrote:
| It is not intrinsically difficult, it's made difficult by
| the fact that the companies themselves specifically want to
| have their infrastructure in the mix to have access to
| valuable user data. There's no particularly difficult
| challenge to sync the phone and watch directly, offline. A
| good chunk of revenue comes from services which rely on the
| data being in the cloud.
| prennert wrote:
| I agree that gathering user data might be a significant
| factor why even products of large companies do not
| support cloudless communication and sync.
|
| I just wanted to point out that since cloud based
| communication is so easy nowadays, doing sync without
| cloud support is a significantly larger effort. Not
| unachievable though.
| rasz wrote:
| Releasing the clutches of control over user data/devices is
| a very difficult concept to grasp for particular type of
| business people.
| reaperducer wrote:
| And yet everything from Palm Pilots to iPaqs were able to do
| it a quarter of a century ago with just a beam of light.
| Kenji wrote:
| _Meanwhile Garmin watches users (like me) are wondering how it
| is that syncing my watch that I have bought with an application
| on my smartphone that I have bought requires presence of some
| distant online service._
|
| You really wonder that? I'm sorry, how stupid are you? It's
| obviously to harvest data and control users. We've been warning
| and educating people about this for decades. When are you guys
| starting to wake up and voting with your wallet? Open services!
| Open software! Open formats! Own your data! Own your devices!
| Your life will be full of such disruptions if you keep using
| products that let corporations dominate you.
| atdrummond wrote:
| This reply strikes me as an uncharitable interpretation of
| OP's statement. It's also rude.
| andrewcooke wrote:
| the garmin data actually is in an open format. i've written
| software to decode it using publicly available documentation.
| the software is free to use. you can copy the (.FIT) file off
| the watch over USB.
| rconti wrote:
| What about non-activity data, such as step counts, sleep
| data, pulse ox, etc?
| pengaru wrote:
| Obviously there's a business incentive to maximize gatekeeping.
| Even if the gate's left wide open (for now), having control of
| a gate is of tremendous potential value.
|
| Just imagine how much more $$ one can elicit in an acquisition
| when the potential buyer has the option of adding tolls to an
| already established and well-traveled gate.
| jvehent wrote:
| Wait until this happens to your car...
| buran77 wrote:
| Or your pacemaker...
| JohnTHaller wrote:
| A Fitbit won't even sync with the app on your phone unless it
| has internet access and can connect to Fitbit's cloud servers.
| Without them it's basically a paperweight.
| wlll wrote:
| What's the backstory for this?
| latchkey wrote:
| Part of the backstory is that in 2010, they fired all the
| Garmin Connect staff [0]. More recently, they've been shut
| down [1].
|
| [0] https://news.ycombinator.com/item?id=1196996
|
| [1] https://news.ycombinator.com/item?id=23926289
| dehrmann wrote:
| I forgot about 0. I had to double check, but a high school
| friend was on that team.
| larrymcp wrote:
| How is ransomware able to spread to all the PCs in a company?
| (Especially PCs at different locations around the globe)
|
| The malware needs to execute itself on each computer. But I would
| think this would be thwarted by hardware firewalls as well as
| apps like Windows Firewall.
|
| If my PC at work gets infected, somehow it can magically infect
| the guy down the hall's PC too? I thought that was made
| impossible years ago.
| core_dumped wrote:
| Firewalls can only protect against what's known. Once you've
| invented or discovered a method the firewall doesn't know
| about, you're trusted as much as any regular program. Sometimes
| even changing the binary or payload slightly will thwart some
| firewalls because they're precise machines looking for precise
| signatures. It's not super easy to get past a firewall with a
| known vulnerability, but not impossible. With a 0day the
| firewall is almost irrelevant.
| packet_nerd wrote:
| This is true regarding "next-gen" firewalls. But, if you
| design a plain old segmentation strategy with simple but well
| thought out allow/deny rules, then a firewall will be pretty
| valuable in many situations.
|
| Extreme example: you can think of an air gap as a "firewall"
| with all deny rules. Air gaps are pretty secure. (Yes, there
| are still way's in but finding them will be many orders of
| magnitude harder than finding a 0day in a "next-gen"
| firewall).
|
| Another example: I put all printers in a dedicated VLAN and
| block all traffic in and out except specific print ports from
| the print server IP only. In practice, way more secure than
| any "next-gen" firewall will ever be.
| nuker wrote:
| Here is the diagram
|
| https://www.bleepingcomputer.com/news/security/evil-corp-blo...
| IshKebab wrote:
| That doesn't actually say at all. Symantec's report has more
| detail but it still has gaps:
|
| > The initial compromise of an organization involves the
| SocGholish framework, which is delivered to the victim in a
| zipped file via compromised legitimate websites.
|
| > The zipped file contains malicious JavaScript, masquerading
| as a browser update.
|
| So are people just like "this random website is trying to
| download a browser update, ok I'll unzip it and run it, even
| though I never normally have to do this". Seems plausible.
|
| Then:
|
| > Privilege escalation was performed using a publicly
| documented technique [there's a link] involving the Software
| Licensing User Interface tool (slui.exe), a Windows command
| line utility that is responsible for activating and updating
| the Windows operating system.
|
| > The attackers used the Windows Management Instrumentation
| Command Line Utility (wmic.exe) to execute commands on remote
| computers, such as adding a new user or executing additional
| downloaded PowerShell scripts.
|
| It's not really clear to me how local privilege escalation
| allows you to execute commands on remote computers though.
| PeterisP wrote:
| If you gain local privilege escalation on some workstation
| user, you can gain access to credentials of user(s) of that
| workstation which allow you to impersonate that user
| throughout the network.
|
| If it's a privileged user, then you can move to many more
| workstations, if it's a non-privileged user then you may be
| able to use their normal access (email, network shares,
| access to internal applications) to try and trip some
| privileged user into compromising their workstation in a
| way that you could not from the outside. Or you can wait a
| month until some tech support person logs in to that
| workstation and you can steal their credentials.
| halfcat wrote:
| Probably through Active Directory, which has the ability to
| deploy software. If a domain controller was compromised, the
| payload could be pushed out across the board.
|
| Endpoints like PCs and servers check in with domain controllers
| at recurring intervals, so even if all endpoints are behind
| firewalls and can't talk to one another, they still reach out
| to domain controllers periodically to pull down configuration
| updates and so forth.
| redprince wrote:
| The few instances I was assisting companies with ongoing
| ransom ware attacks, all had a similar pattern. Some initial
| breach of a client system (think malicious office document)
| gave attackers a foothold inside the network. From there the
| attackers ultimately pivoted to own the Active Directory.
| Equipped with this level of access they identified key assets
| and proceeded to encrypt them. Backups, if not stored
| offline, were rendered useless.
|
| It is quite challenging to recover from this kind of breach
| since the attackers had every opportunity to touch every
| system connected to the AD and leave backdoors behind. I have
| seen companies trashing their whole AD, re-imaging all
| machines and basically starting from scratch at great cost.
| SV_BubbleTime wrote:
| Pretty much this.
|
| Firewalls do absolutely nothing once someone got your weakest
| link to click something and go to town.
|
| From my last penn test it goes, phish, get a click and
| execute or credentials, use a hack like getting legacy
| NetBIOS exploit to give up hashes for all your users, crack
| the hashes and hope someone used a short 12 char password or
| something dictionary-easy like "Wr3st1ing1!", then leverage
| that access again and again until you have a printer that
| someone gave domain admin access to because it was easier
| than setting correct policies, an admin actual, a service not
| account that has good AD privileges, etc. Then start pushing
| software as admin.
|
| Most of the time it's not even this complicated.
|
| The only thing that "saves" you from paying the ransom is
| good backups. But if a group is fairly competent, they'll
| encrypt your backups too. So it needs to be offline.
|
| I don't have much love for Barracuda Backup, but for very
| little money you get nightly offsite backups that might just
| save your cyber insurance or company itself from having to
| pay.
| scott_w wrote:
| > The only thing that "saves" you from paying the ransom is
| good backups. But if a group is fairly competent, they'll
| encrypt your backups too. So it needs to be offline.
|
| This is the part I've never understood. Surely you should
| be backing up in an append only fashion initiated from the
| backup server?
|
| My best guess is that this gets managed from AD as well, so
| they find it and take over?
| halfcat wrote:
| > Surely you should be backing up in an append only
| fashion initiated from the backup server
|
| The key idea is assuming everything is compromised.
| Whether you use append or whatever, is not helpful if the
| functionality to change that configuration exists,
| because that gets changed, backup server is gone, backup
| storage is gone, etc.
|
| You have to design a system where even a rogue IT admin
| with full access to everything can't screw you. Usually
| that involves third parties where there is no mechanism
| for a rogue IT person or other attacker to delete your
| offline backups. So some people have Iron Mountain pick
| up disks in a lock box daily, or use an online backup
| service that specifically has features for this, where
| they keep extra copies of your backups completely offline
| and provide no mechanism for the customer to delete them.
| viraptor wrote:
| This is definitely doable, but it's harder than the naive
| solution so often it's not done. Same as log storage for
| example, or any other incremental data.
|
| Related - see how many examples of S3 policies split
| access into read and write rather than read, append,
| write. It doesn't even matter where the logic lives -
| only whether the storage service allows you to delete
| anything.
| PeterisP wrote:
| Your backups will contain all the backdoors that the
| attackers managed to deploy - so even ignoring the normal
| massive effort of restoring all your computers, you can't
| simply restore backups, you need to carefully audit
| everything that you're restoring to clean hardware, and you
| need _everyone_ to change their credentials (and not just
| by appending "2" at the end) otherwise you'll be owned
| again immediately afterwards.
| aj3 wrote:
| > Firewalls do absolutely nothing once someone got your
| weakest link to click something and go to town.
|
| Well, fw would be effective if organizations used network
| segmentation effectively, but of course close to no one
| does that in practice (e.g. usually IT/support have access
| to everything).
| Kalium wrote:
| Depending on how the network is configured, node-to-node spread
| may be possible. Firewalls - hardware or software - are not
| magic and can definitely miss things.
|
| It may also have been a matter of servers getting infected,
| infecting hosted files in shares, and client machines open the
| files to get infected.
|
| Or, as another user points out, domain controllers can readily
| do this.
| eikenberry wrote:
| It's common to install security management software on systems
| to allow for centralized update push. That system was probably
| comprimizsed and used to push out the ransomware.
| darkhorn wrote:
| Some of our Windows computers were affected but none of our
| Linux computers were affected.
| 6c696e7578 wrote:
| The common components in the ransomware attacks is Windows and
| AD.
|
| Some leverage known exploits against elements like LSASS, so if
| the person infected has credentials for another computer, why
| not slurp up all the credential tokens on remote computers that
| you can log into too.
|
| If you use Linux/Unix on the other hand, you can do descent
| things to contain access. Firstly, elevated management accounts
| can restrict login sources, either by ssh authorized_keys or
| deny rules in sshd_config. Secondly, and very importantly, you
| can contain what applications can access through SELinux.
|
| Running Windows these days is like walking around with "Kick
| me" hung around your neck.
| lostmsu wrote:
| None of what you mentioned requires a lot of effort on
| Windows. Exploits in LSASS are no different from exploits in
| Linux kernel, and if you stay up to date and configure
| everything correctly you should be fine.
| viraptor wrote:
| I think your generalisation doesn't work once you get to
| sites with advanced staff and budget. For example this will
| stop all but extremely targeted attacks:
| https://docs.microsoft.com/en-us/windows/security/threat-
| pro... but it requires a lot of time managing and the more
| varied things you do, the more annoying it will be to manage.
| (+ It's probably impossible for devs)
| PeterisP wrote:
| The key point there is that all the recent major events
| generally are not an automated attack by a simple virus, in
| such situations the malware opens a command&control link that
| is [ab]used by multiple skilled people for weeks to gain
| persistence, move laterally throughout the network, find
| systems and user accounts with elevated privileges, disable
| monitoring and backups, deploy to all machines just as your
| administrators can (because at that point they are the de facto
| admins of all your systems) and only "pull the trigger" of
| ransomware when all the prep work is done.
|
| In the case discussed in this article, attackers took three
| months between the initial compromise and the ransomware
| attack. One can do a _lot_ in that time.
| aj3 wrote:
| Apart from some special cases like Wannacry/NotPetya,
| ransomware crews do only as much lateral movement as is
| required for privilege escalation. Once they have DA, they can
| just disable protections and push malware centrally through AD.
| fortran77 wrote:
| Isn't a ransomware attack no different from a catastrophic disk
| drive failure? You reformat and restore from backup. Of course,
| the companies profiled in that article had all their computers
| infected, so it could take some time. Still a recovery boot disk
| could be distributed and a clean image restored over the network.
| hibbelig wrote:
| The network was infiltrated in December, the attack happened in
| March. So the last clean backup was from November. This would
| be a very old backup. Not sure how useful that would have been.
| PeterisP wrote:
| No, because you can't consider your backups as a "known good
| state". A malicious attack is fundamentally different from a
| disaster or accident.
|
| You should expect that any backup of systems (instead of
| backups of 100% pure data) will contain backdoors, that any
| weird systems (routers, printers, phone centrals) may be
| compromised even if they seem fine, and that the credentials of
| all the employees and any private keys/certificates have been
| exfiltrated, so they need to be changed.
| neonate wrote:
| https://archive.is/Rfcha
| naple wrote:
| I consider the modal on the bloomberg site a ransomware. Can't
| close till you pay. Joking :)
| dheera wrote:
| Yeah screw that paywall. Paste this into the console
| document.querySelector('.paywall-inline-tout').remove();
| document.querySelectorAll('p').forEach(e =>
| e.style.display='');
___________________________________________________________________
(page generated 2020-07-25 23:00 UTC)