[HN Gopher] How to survive a ransomware attack without paying th... ___________________________________________________________________ How to survive a ransomware attack without paying the ransom Author : DamnInteresting Score : 64 points Date : 2020-07-23 16:52 UTC (2 days ago) (HTM) web link (www.bloomberg.com) (TXT) w3m dump (www.bloomberg.com) | Tiltowait-- wrote: | Easy: restore from backups. | gav wrote: | Sometimes not that simple, the attack could have corrupted or | deleted the backups, or the backups themselves could be the | source of reinfection. | matsemann wrote: | What if they hacked you months before pulling the trigger? The | article mentions they were hacked in December and the attack | launched in March. Restoring a backup would then still leave | the hackers inside. | | And even if most data were backed up, most computers still have | to be wiped and reinstalled. I don't think most companies | backup the entire disks off all employees, it's normally just a | dedicated file area. So while the data can be restored, the IT | department still have to set up hundreds of computers for all | kinds of different workers or machines on the spot. | | Nothing is ever easy, don't be so dismissive about things you | haven't thought through. | viraptor wrote: | Companies of non-trivial size often have (and should have) a | system allowing for remote device management. Which means: | | - It should be easy to reinstall to a known good image with | all the relevant software, settings, drivers, etc. then | restore the backed up data. This is relatively common in | corps. | | - Once you observe the malware and know how it reaches the | C&C server, you can push rules blocking that host or block | the bad binary network-wide. | | Of course there will be companies that didn't have good | enough system in place and once exploited are doomed. | marcinzm wrote: | The attackers likely compromised the computers using the | remote device management system which means it's either | disabled or unsafe to use. | viraptor wrote: | Sure, you need to make sure your AD and device management | is clean before starting the process. My point was that | once you're bootstraped you shouldn't need a fully manual | recovery process. | ourmandave wrote: | And format every hard drive in the building first. | | Also replace your IT security provider and/or person. | einrealist wrote: | I wonder how many of such attacks can be prevented / starved in a | zero-trust network. | LifeLiverTransp wrote: | Dont give into your lower instincts as a company to centralize | all the things. Air-Gap them in the architecture? | rectang wrote: | > _In other words, it's less a question of how to stop hackers | from breaking in than how to best survive the inevitable damage._ | | There doesn't seem to be conventional wisdom about how to build | systems that are easy to restore. How do you optimize for | recovery after an attack? How do you ensure that you've | eliminated all the backdoors? | | My guess is a combination of "continuous restoration", version | controlled code, and a complete separation of code from data. | | I want to read books about this but they don't seem to exist. | linsomniac wrote: | The unfortunate thing is that the ransom probably is priced such | that it's cheaper than the company resolving the problem on their | own. Or the company would just resolve it without paying the | ransom. On the other hand, it's bad on many fronts if the company | just decides it is the cost of doing business, and doesn't do a | great job of securing their systems in the future... | | Many companies just get by, rather than doing serious security | design. How do you change that culture in a company? Will paying | the ransom do that? Probably if it only costs $1M to do. If it | costs them $100M to do, would they do it? | abcok1 wrote: | You can't because of bitcoin. Bitcoin is what criminals dream of. | lobster45 wrote: | This is not really surviving. What do you need to do is prepare | and to have off line backups | ntucker wrote: | Paywall didn't let me read it, but as I clicked, I thought | "this article should be one sentence about doing backups." | FlyMoreRockets wrote: | Offline backups have been a thing for decades. Why is this not | standard practice? Especially for a technology company like | Garmin. It can't be about cost savings, businesses still pay | for insurance and security systems. For that matter, offsite | backups should also be saved in case of fires, floods, | tornadoes, theft, etc... | cpeterso wrote: | Offline backups are not a complete solution. What if your | backups are infected with the virus? Even if the backups are | uninfected, your IT department has to manually scrap and | rebuild all your computers from data centers to the warehouse | to the receptionist. And in the meantime, like the article | described, you have to pay your employees and suppliers and | continue to ship products to customers. | FlyMoreRockets wrote: | An important part of any backup strategy is testing your | backups on a regular basis. Perhaps it could even be | automated... | noir_lord wrote: | Wired did a phenomenal article on the Maersk attack | https://www.wired.com/story/notpetya-cyberattack-ukraine- | rus... company I worked for was affected as we had shipping | containers on the water at the time and it was chaos but | they recovered. | SV_BubbleTime wrote: | Backup price for 8TB is cheap enough. Backup price for 8PT | does not scale well. | | I don't know how much data Garmin has company wide. But it's | a lot different for me to consider offline backups as a | simple service than a company this size and complexity. | gpm wrote: | There are plenty of companies that can backup 8PB of data | from a wide variety of sources for you, and make it a | relatively staitforward task to interegrate with them. | | There is complexity, yes, but it's mostly a solved problem. | | Disclaimer: I work for one. | bloomingeek wrote: | Exactly, Although not always practical, if kept virus free | (which of course is possible), offline back ups are the best | solution because it's never broken into. ANYTHING online is | risky, we all know this, so why do corporations still | practically ignore the obvious? | beefhash wrote: | Given there's been a recent trend about ransomware not only | encrypting, but also exfiltrating data, backups won't save you | from the bad PR of the leak. | piokoch wrote: | Garmin CEO at al must be reading this impatiently, looking for | some clever-magic clue, which is not gonna arrive, I am afraid. | | Meanwhile Garmin watches users (like me) are wondering how it is | that syncing my watch that I have bought with an application on | my smartphone that I have bought requires presence of some | distant online service. | | I can understand that some parts like "social" stuff might depend | on some central service but, hey, something simple like syncing | ones excercise achievements between phone and watch? Really? Who | has designed that? | yread wrote: | _"A distributed system is one that prevents you from working | because of the failure of a machine that you had never heard | of."_ | | Leslie Lamport | matsemann wrote: | Over two days now, and almost radio silence from Garmin. I can | sympathize with their issues, but not keeping us informed at | all about what's going on is quickly leading people to become | angry on various fitness forums I frequent. Not a good way to | treat us customers. | prennert wrote: | It is surprisingly difficult to make synchronisation work | between two devices that might run different hard- and firmware | and even potentially software versions. Cloud based APIs as | middleware is soo much easier in comparison. | | I am completely with you conceptually, but from experience I | can tell you that even if there is a commercial incentive to | allow for local communication it takes a few days to get it | working with the cloud and months to do it locally only. And | you really need to know what you are doing to make it safe and | reliable in all eventualities. | eatingCake wrote: | My understanding[1] was that these types of devices sync by | sending a blob over bluetooth to the paired cell phone, and | then the cell phone uploads this to the cloud to be | decrypted. What kinds of devices are you talking about? | | [1]: https://hackaday.com/2017/12/29/34c3-fitbit-sniffing- | and-fir... | DebtDeflation wrote: | >It is surprisingly difficult to make synchronisation work | between two devices | | No it isn't. We were doing it for years before "the cloud" or | even the modern Internet even existed using Bluetooth, RF, | IR, and cables. Have you ever looked at a .fit file on a | Garmin watch? It's a binary format, but is straightforward to | convert to CSV, and doesn't contain much beyond timestamp, | latitude, longitude, altitude, heart rate, cadence, and a few | other fields. Calculating distance, duration, training | effect, calories burned, etc. is simple summarization and | arithmetic, plotting course on a map just requires an offline | map and a plotting library. It already does all of this ON | THE WATCH itself without needing any connection to anything | else, so there's nothing stopping an app from doing the same | thing locally on a much more powerful iPhone or Android | phone. The Garmin cloud is only inserted in the process here | so they can monetize your data. | feanaro wrote: | What makes it so difficult? What are some concrete problems | you encountered? | buran77 wrote: | It is not intrinsically difficult, it's made difficult by | the fact that the companies themselves specifically want to | have their infrastructure in the mix to have access to | valuable user data. There's no particularly difficult | challenge to sync the phone and watch directly, offline. A | good chunk of revenue comes from services which rely on the | data being in the cloud. | prennert wrote: | I agree that gathering user data might be a significant | factor why even products of large companies do not | support cloudless communication and sync. | | I just wanted to point out that since cloud based | communication is so easy nowadays, doing sync without | cloud support is a significantly larger effort. Not | unachievable though. | rasz wrote: | Releasing the clutches of control over user data/devices is | a very difficult concept to grasp for particular type of | business people. | reaperducer wrote: | And yet everything from Palm Pilots to iPaqs were able to do | it a quarter of a century ago with just a beam of light. | Kenji wrote: | _Meanwhile Garmin watches users (like me) are wondering how it | is that syncing my watch that I have bought with an application | on my smartphone that I have bought requires presence of some | distant online service._ | | You really wonder that? I'm sorry, how stupid are you? It's | obviously to harvest data and control users. We've been warning | and educating people about this for decades. When are you guys | starting to wake up and voting with your wallet? Open services! | Open software! Open formats! Own your data! Own your devices! | Your life will be full of such disruptions if you keep using | products that let corporations dominate you. | atdrummond wrote: | This reply strikes me as an uncharitable interpretation of | OP's statement. It's also rude. | andrewcooke wrote: | the garmin data actually is in an open format. i've written | software to decode it using publicly available documentation. | the software is free to use. you can copy the (.FIT) file off | the watch over USB. | rconti wrote: | What about non-activity data, such as step counts, sleep | data, pulse ox, etc? | pengaru wrote: | Obviously there's a business incentive to maximize gatekeeping. | Even if the gate's left wide open (for now), having control of | a gate is of tremendous potential value. | | Just imagine how much more $$ one can elicit in an acquisition | when the potential buyer has the option of adding tolls to an | already established and well-traveled gate. | jvehent wrote: | Wait until this happens to your car... | buran77 wrote: | Or your pacemaker... | JohnTHaller wrote: | A Fitbit won't even sync with the app on your phone unless it | has internet access and can connect to Fitbit's cloud servers. | Without them it's basically a paperweight. | wlll wrote: | What's the backstory for this? | latchkey wrote: | Part of the backstory is that in 2010, they fired all the | Garmin Connect staff [0]. More recently, they've been shut | down [1]. | | [0] https://news.ycombinator.com/item?id=1196996 | | [1] https://news.ycombinator.com/item?id=23926289 | dehrmann wrote: | I forgot about 0. I had to double check, but a high school | friend was on that team. | larrymcp wrote: | How is ransomware able to spread to all the PCs in a company? | (Especially PCs at different locations around the globe) | | The malware needs to execute itself on each computer. But I would | think this would be thwarted by hardware firewalls as well as | apps like Windows Firewall. | | If my PC at work gets infected, somehow it can magically infect | the guy down the hall's PC too? I thought that was made | impossible years ago. | core_dumped wrote: | Firewalls can only protect against what's known. Once you've | invented or discovered a method the firewall doesn't know | about, you're trusted as much as any regular program. Sometimes | even changing the binary or payload slightly will thwart some | firewalls because they're precise machines looking for precise | signatures. It's not super easy to get past a firewall with a | known vulnerability, but not impossible. With a 0day the | firewall is almost irrelevant. | packet_nerd wrote: | This is true regarding "next-gen" firewalls. But, if you | design a plain old segmentation strategy with simple but well | thought out allow/deny rules, then a firewall will be pretty | valuable in many situations. | | Extreme example: you can think of an air gap as a "firewall" | with all deny rules. Air gaps are pretty secure. (Yes, there | are still way's in but finding them will be many orders of | magnitude harder than finding a 0day in a "next-gen" | firewall). | | Another example: I put all printers in a dedicated VLAN and | block all traffic in and out except specific print ports from | the print server IP only. In practice, way more secure than | any "next-gen" firewall will ever be. | nuker wrote: | Here is the diagram | | https://www.bleepingcomputer.com/news/security/evil-corp-blo... | IshKebab wrote: | That doesn't actually say at all. Symantec's report has more | detail but it still has gaps: | | > The initial compromise of an organization involves the | SocGholish framework, which is delivered to the victim in a | zipped file via compromised legitimate websites. | | > The zipped file contains malicious JavaScript, masquerading | as a browser update. | | So are people just like "this random website is trying to | download a browser update, ok I'll unzip it and run it, even | though I never normally have to do this". Seems plausible. | | Then: | | > Privilege escalation was performed using a publicly | documented technique [there's a link] involving the Software | Licensing User Interface tool (slui.exe), a Windows command | line utility that is responsible for activating and updating | the Windows operating system. | | > The attackers used the Windows Management Instrumentation | Command Line Utility (wmic.exe) to execute commands on remote | computers, such as adding a new user or executing additional | downloaded PowerShell scripts. | | It's not really clear to me how local privilege escalation | allows you to execute commands on remote computers though. | PeterisP wrote: | If you gain local privilege escalation on some workstation | user, you can gain access to credentials of user(s) of that | workstation which allow you to impersonate that user | throughout the network. | | If it's a privileged user, then you can move to many more | workstations, if it's a non-privileged user then you may be | able to use their normal access (email, network shares, | access to internal applications) to try and trip some | privileged user into compromising their workstation in a | way that you could not from the outside. Or you can wait a | month until some tech support person logs in to that | workstation and you can steal their credentials. | halfcat wrote: | Probably through Active Directory, which has the ability to | deploy software. If a domain controller was compromised, the | payload could be pushed out across the board. | | Endpoints like PCs and servers check in with domain controllers | at recurring intervals, so even if all endpoints are behind | firewalls and can't talk to one another, they still reach out | to domain controllers periodically to pull down configuration | updates and so forth. | redprince wrote: | The few instances I was assisting companies with ongoing | ransom ware attacks, all had a similar pattern. Some initial | breach of a client system (think malicious office document) | gave attackers a foothold inside the network. From there the | attackers ultimately pivoted to own the Active Directory. | Equipped with this level of access they identified key assets | and proceeded to encrypt them. Backups, if not stored | offline, were rendered useless. | | It is quite challenging to recover from this kind of breach | since the attackers had every opportunity to touch every | system connected to the AD and leave backdoors behind. I have | seen companies trashing their whole AD, re-imaging all | machines and basically starting from scratch at great cost. | SV_BubbleTime wrote: | Pretty much this. | | Firewalls do absolutely nothing once someone got your weakest | link to click something and go to town. | | From my last penn test it goes, phish, get a click and | execute or credentials, use a hack like getting legacy | NetBIOS exploit to give up hashes for all your users, crack | the hashes and hope someone used a short 12 char password or | something dictionary-easy like "Wr3st1ing1!", then leverage | that access again and again until you have a printer that | someone gave domain admin access to because it was easier | than setting correct policies, an admin actual, a service not | account that has good AD privileges, etc. Then start pushing | software as admin. | | Most of the time it's not even this complicated. | | The only thing that "saves" you from paying the ransom is | good backups. But if a group is fairly competent, they'll | encrypt your backups too. So it needs to be offline. | | I don't have much love for Barracuda Backup, but for very | little money you get nightly offsite backups that might just | save your cyber insurance or company itself from having to | pay. | scott_w wrote: | > The only thing that "saves" you from paying the ransom is | good backups. But if a group is fairly competent, they'll | encrypt your backups too. So it needs to be offline. | | This is the part I've never understood. Surely you should | be backing up in an append only fashion initiated from the | backup server? | | My best guess is that this gets managed from AD as well, so | they find it and take over? | halfcat wrote: | > Surely you should be backing up in an append only | fashion initiated from the backup server | | The key idea is assuming everything is compromised. | Whether you use append or whatever, is not helpful if the | functionality to change that configuration exists, | because that gets changed, backup server is gone, backup | storage is gone, etc. | | You have to design a system where even a rogue IT admin | with full access to everything can't screw you. Usually | that involves third parties where there is no mechanism | for a rogue IT person or other attacker to delete your | offline backups. So some people have Iron Mountain pick | up disks in a lock box daily, or use an online backup | service that specifically has features for this, where | they keep extra copies of your backups completely offline | and provide no mechanism for the customer to delete them. | viraptor wrote: | This is definitely doable, but it's harder than the naive | solution so often it's not done. Same as log storage for | example, or any other incremental data. | | Related - see how many examples of S3 policies split | access into read and write rather than read, append, | write. It doesn't even matter where the logic lives - | only whether the storage service allows you to delete | anything. | PeterisP wrote: | Your backups will contain all the backdoors that the | attackers managed to deploy - so even ignoring the normal | massive effort of restoring all your computers, you can't | simply restore backups, you need to carefully audit | everything that you're restoring to clean hardware, and you | need _everyone_ to change their credentials (and not just | by appending "2" at the end) otherwise you'll be owned | again immediately afterwards. | aj3 wrote: | > Firewalls do absolutely nothing once someone got your | weakest link to click something and go to town. | | Well, fw would be effective if organizations used network | segmentation effectively, but of course close to no one | does that in practice (e.g. usually IT/support have access | to everything). | Kalium wrote: | Depending on how the network is configured, node-to-node spread | may be possible. Firewalls - hardware or software - are not | magic and can definitely miss things. | | It may also have been a matter of servers getting infected, | infecting hosted files in shares, and client machines open the | files to get infected. | | Or, as another user points out, domain controllers can readily | do this. | eikenberry wrote: | It's common to install security management software on systems | to allow for centralized update push. That system was probably | comprimizsed and used to push out the ransomware. | darkhorn wrote: | Some of our Windows computers were affected but none of our | Linux computers were affected. | 6c696e7578 wrote: | The common components in the ransomware attacks is Windows and | AD. | | Some leverage known exploits against elements like LSASS, so if | the person infected has credentials for another computer, why | not slurp up all the credential tokens on remote computers that | you can log into too. | | If you use Linux/Unix on the other hand, you can do descent | things to contain access. Firstly, elevated management accounts | can restrict login sources, either by ssh authorized_keys or | deny rules in sshd_config. Secondly, and very importantly, you | can contain what applications can access through SELinux. | | Running Windows these days is like walking around with "Kick | me" hung around your neck. | lostmsu wrote: | None of what you mentioned requires a lot of effort on | Windows. Exploits in LSASS are no different from exploits in | Linux kernel, and if you stay up to date and configure | everything correctly you should be fine. | viraptor wrote: | I think your generalisation doesn't work once you get to | sites with advanced staff and budget. For example this will | stop all but extremely targeted attacks: | https://docs.microsoft.com/en-us/windows/security/threat- | pro... but it requires a lot of time managing and the more | varied things you do, the more annoying it will be to manage. | (+ It's probably impossible for devs) | PeterisP wrote: | The key point there is that all the recent major events | generally are not an automated attack by a simple virus, in | such situations the malware opens a command&control link that | is [ab]used by multiple skilled people for weeks to gain | persistence, move laterally throughout the network, find | systems and user accounts with elevated privileges, disable | monitoring and backups, deploy to all machines just as your | administrators can (because at that point they are the de facto | admins of all your systems) and only "pull the trigger" of | ransomware when all the prep work is done. | | In the case discussed in this article, attackers took three | months between the initial compromise and the ransomware | attack. One can do a _lot_ in that time. | aj3 wrote: | Apart from some special cases like Wannacry/NotPetya, | ransomware crews do only as much lateral movement as is | required for privilege escalation. Once they have DA, they can | just disable protections and push malware centrally through AD. | fortran77 wrote: | Isn't a ransomware attack no different from a catastrophic disk | drive failure? You reformat and restore from backup. Of course, | the companies profiled in that article had all their computers | infected, so it could take some time. Still a recovery boot disk | could be distributed and a clean image restored over the network. | hibbelig wrote: | The network was infiltrated in December, the attack happened in | March. So the last clean backup was from November. This would | be a very old backup. Not sure how useful that would have been. | PeterisP wrote: | No, because you can't consider your backups as a "known good | state". A malicious attack is fundamentally different from a | disaster or accident. | | You should expect that any backup of systems (instead of | backups of 100% pure data) will contain backdoors, that any | weird systems (routers, printers, phone centrals) may be | compromised even if they seem fine, and that the credentials of | all the employees and any private keys/certificates have been | exfiltrated, so they need to be changed. | neonate wrote: | https://archive.is/Rfcha | naple wrote: | I consider the modal on the bloomberg site a ransomware. Can't | close till you pay. Joking :) | dheera wrote: | Yeah screw that paywall. Paste this into the console | document.querySelector('.paywall-inline-tout').remove(); | document.querySelectorAll('p').forEach(e => | e.style.display=''); ___________________________________________________________________ (page generated 2020-07-25 23:00 UTC)