Insert Catchy Ransomware Headline Here

Why is the internet so fascinated by ransomware? Is it because ransomware is attacking our precious data? Is it simply a threat that the average person can understand and therefore makes it newsworthy and headline-rich? Is it because ransomware is so profitable and morphing into a mature business model? Or is it just a fascination with so-called evil genius? After all, everybody loves to hate a good super villain…until they come to visit YOU.

Image: “Ransomware is not cool” (made with The Ransomizer at www.ransomizer.com)

Here is the shortlist of things you should know about this topic if you’d like to get up to speed quickly:

Image: Dilbert Comic for 1996-02-06 by Scott Adams http://dilbert.com/strip/1996-02-06 via @Dilbert_Daily

  • Once you pay the ransom and get your data back, you still have a mess to clean up. The attackers are still in your system, and you must fully eradicate them from your environment. Easier said than done.
  • Some mature ransomware operations have technical support available, so if you are having trouble paying the ransom you can call for assistance and the call center will walk you through it. Yes, it’s true.
  • There are cloud ransomware solutions out there so if an attacker doesn’t want to go through the trouble of building their own solution, they can buy ransomware as a service. Krebs blogged about it recently and the commercial they posted on YouTube is quite persuasive! (Yes, I just blogged about a blog.)

  • If you work for an organization that deals with protected health information (PHI) and HIPAA, the U.S. Department of Health and Human Services (HHS) removed some ambiguity regarding whether or not ransomware is considered to be a breach: “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.” Read all about it.

Some cyber security practitioners and thought leaders got together recently to talk about the 7 most dangerous new attack techniques, and of course ransomware was on the list. Ed Skoudis asked, “How much would you pay to turn on your heat?” Many of us, other than me of course, have internet-connected thermostats that could potentially be held hostage in this way. This is a theoretical scenario today, but the thought of this one gives me the chills (pun intended).

Another noteworthy gem from Ed is regarding what to do if you find yourself held hostage by a digital ransom that for some reason or another you have no choice but to pay. He made a point to remind us that it is a negotiation. So, don’t assume they know who you are or who you work for in the event that they encrypted your data. Assume they don’t know anything about you or the data and try to convince them you are simply an individual who wants to restore those precious shopping lists and pictures of your grandchildren, even if you did just lose access to your entire customer database <ouch>. If they don’t know you work for a Fortune 100 company, don’t volunteer that information. You may be able to convince them you are a grandparent on a fixed income and they *might* even accept a lower ransom. In New York we haggle for a better price on just about everything. Why shouldn’t we do the same for our stolen data?

In conclusion…don’t get ransomware in the first place if you can avoid it. It might be intriguing, but some things are better off observed from afar.

Thanks for reading and don’t forget to subscribe.

Free Tech Support? NO WAY?! No, really, no way.

A coworker received the below pop-up while using Google Chrome.

Image: virus scanner pop-up

Being the helpful guy that I am, I made the phone call for him and did a little bit of recon at the same time. Here’s the good news…sort of. They hung up on me twice when I told them I was using a work computer. It seems they are only interested in personally owned computers. Good news if you are an IT guy/gal, bad news for Grandma.

Here’s some more bad news…they were using a legitimate service, support.me to connect remotely. This is bad because it looks safe and wholesome to an unsuspecting victim. Plus, it likely has legitimate uses on your network, which means it may be hard to globally block.

Also, the approach of letting people call them is very effective. After all, if you are initiating the conversation, you already have your guard down. This is a really good social engineering tactic. Bait the victim, but let them “think” that they initiated the transaction. On the other hand, if you receive a phone call out of the clear blue from someone with a foreign accent telling you that your computer is infected with a virus, well, that’s a harder sell. Still, it’s not uncommon for members of our campus community to receive calls from “Microsoft” and “Google.” Sometimes, they are just looking for an IP address to target from the outside. “Hello, we are trying to fix your copier. Can you please tell me what the IP address is?” If you ever get an unsolicited call like that, just tell them it is 265.548.175.15. The geeks out there will get why that IP is safe to share.

Interestingly, they didn’t have me connect to that website through my browser. They had me go to Start –> Run and then type “hh web,” which opened an “HTML Help” window.

Image: HTML Help window

From there, you can press that little yellow question mark at the top left of the box and choose “jump to url.” I would imagine that they do this to bypass browser security and plug-ins. Pretty clever, I suppose. The rest of the call consisted of him trying to get me to type in the session code to allow him remote access to my computer. I just could not get it right…
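Two things in this story are worth watching for on a campus network: the “legitimate service that is hard to block globally” problem with support.me, and an HTML Help window being used as a stand-in browser. Here is an added example (editor’s code, not the post’s and not anything from the scammers or from support.me) in Python that runs both checks over constructed, made-up log lines: it flags hh.exe (the Windows HTML Help viewer) being launched with anything other than a .chm file, and it flags remote-support connections from machines that are not on an approved help desk list, so the service itself can stay reachable. The log formats, host names, and the allowlist are assumptions for illustration.

```python
import re

# Constructed sample data (not real logs). Process-creation records in a simplified
# key=value shape such as a Sysmon Event ID 1 forwarder might produce.
PROCESS_EVENTS = [
    r'time=2016-03-01T10:02:11 host=LAB-PC1 user=jdoe image="C:\Windows\hh.exe" parent="C:\Windows\explorer.exe" cmdline="hh web"',
    r'time=2016-03-01T10:05:40 host=LAB-PC2 user=asmith image="C:\Windows\hh.exe" parent="C:\Program Files\App\app.exe" cmdline="hh.exe C:\Program Files\App\help.chm"',
    r'time=2016-03-01T10:07:02 host=LAB-PC3 user=bwong image="C:\Windows\hh.exe" parent="C:\Windows\explorer.exe" cmdline="hh http://example.invalid/session"',
    r'time=2016-03-01T10:08:15 host=LAB-PC1 user=jdoe image="C:\Windows\notepad.exe" parent="C:\Windows\explorer.exe" cmdline="notepad"',
]

# Constructed proxy log lines: date time client_ip client_host method target status
PROXY_LOG = [
    "2016-03-01 10:03:05 10.20.1.15 LAB-PC1 CONNECT support.me:443 200",
    "2016-03-01 10:04:17 10.20.9.2 HELPDESK-01 CONNECT support.me:443 200",
    "2016-03-01 10:06:30 10.20.1.22 LAB-PC2 GET www.example.com:80 200",
    "2016-03-01 10:09:44 10.20.1.40 LAB-PC4 CONNECT cdn.support.me:443 200",
]

# support.me is the service named in the post; the allowlist is an assumed set of
# machines your own help desk uses for sanctioned remote sessions.
REMOTE_SUPPORT_DOMAINS = {"support.me"}
APPROVED_REMOTE_SUPPORT_HOSTS = {"HELPDESK-01"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Turn key=value pairs (values optionally double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hh_help_alerts(events):
    """Flag hh.exe launches whose argument is not a .chm help file.

    hh.exe's legitimate job is opening .chm files. 'hh web' or 'hh <url>' gives
    the caller a browsing window that sits outside the hardened browser and its
    plug-ins, which is what the scammer in the story relied on.
    """
    alerts = []
    for line in events:
        ev = parse_kv(line)
        exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if exe != "hh.exe":
            continue
        parts = ev.get("cmdline", "").split(None, 1)
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if not arg.lower().endswith(".chm"):
            alerts.append((ev["host"], ev["user"], ev["cmdline"]))
    return alerts


def _is_watched(domain, watched):
    """True if domain is one of the watched domains or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == w or domain.endswith("." + w) for w in watched)


def remote_support_alerts(lines, watched=REMOTE_SUPPORT_DOMAINS,
                          approved=APPROVED_REMOTE_SUPPORT_HOSTS):
    """Flag remote-support connections from hosts not approved to make them.

    Blocking the domain outright would break the help desk's own use of it, so
    the check is per host: sanctioned machines pass, everyone else is reported.
    """
    alerts = []
    for line in lines:
        _date, _time, ip, host, _method, target, _status = line.split()
        domain = target.rsplit(":", 1)[0]
        if _is_watched(domain, watched) and host not in approved:
            alerts.append((host, ip, domain))
    return alerts


if __name__ == "__main__":
    for a in hh_help_alerts(PROCESS_EVENTS):
        print("hh.exe used outside .chm help:", a)
    for a in remote_support_alerts(PROXY_LOG):
        print("unsanctioned remote-support session:", a)
```

The per-host allowlist is the point of the second check: it lets the help desk keep using the service while a student laptop suddenly talking to it becomes something worth a phone call.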

What was the end game? I’m not sure. Clearly they would have charged me to “clean” my computer, although I was assured repeatedly that the diagnosis would be free. Would they then steal that credit card number altogether? Install additional malware to ensure my credentials are uploaded to the grasp of an excited hacker? Probably yes and yes, but for today, I’m fine being in the dark on that!

Have any of your coworkers or family members fallen victim to this scam? Share the details in the comments below.

Thanks for reading and don’t forget to subscribe.

New School Malware Wipes Hard Drives Old Skool Style

Image: hard drive

This story has been over-reported on already, so I figured I would join the party! The FBI issued a warning regarding malware that completely wipes all data on a computer’s hard drive. Destructive malware is nothing new, but it has fallen out of favor with malware writers probably because there isn’t much to gain by destroying someone’s data. Of late, it seems that most destructive malware has been targeted, so for the most part the average person doesn’t need to worry about that risk. However, that may be about to change.

All evidence indicates that this malware wreaked havoc on Sony Pictures recently. If I can find a bright side to this type of news, it’s the fact that people tend to listen up when they hear that they can potentially lose family photos and videos forever if they click on the wrong link. Low probability perhaps, but very high impact! So I will take this opportunity to make a few recommendations.

I am not going to tell you to install anti-virus, even if you are a Mac user, because I know that my blog readers already have AV installed…right?!  And I know you would never log in to your local workstation as an administrator to check email and surf the web, so no need to mention that!

Consider installing and using EMET if you are a Windows user. I have been running it on my Windows desktop set to “Maximum security settings” with no adverse effects.  Well, that’s not entirely true.  There was one patch recently that caused EMET to crash IE continually, but updating EMET resolved the problem.

Backup, backup, backup. Oh and don’t forget to backup your data. Make sure your data is backed up too. And if you are really smart, you will backup your data.

One more thing…AUTOMATE your backup. Don’t rely on remembering to manually copy your data to a USB drive. Automate the process otherwise when you need your backup, it will be 1 year old. I guarantee it!

Did I mention the importance of backing up your data?
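Since the point above is that an un-automated backup ends up a year old, here is an added example (editor’s code, not the post’s) of what “automate it” looks like as a small Python job: each run copies the source folder into a timestamped snapshot, prunes old snapshots, and, separately, a freshness check answers the question “when did this last actually run?” so a silent failure gets noticed before you need the backup. The demo simulates five nightly runs on a throwaway folder; the scheduler that would invoke run_backup (cron, Task Scheduler) and the folder names are assumptions.

```python
import filecmp
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

SNAPSHOT_FORMAT = "%Y%m%d-%H%M%S"  # one folder per run, named by its timestamp


def make_snapshot(source: Path, backup_root: Path, now: datetime) -> Path:
    """Copy the whole source tree into a new timestamped folder under backup_root."""
    dest = backup_root / now.strftime(SNAPSHOT_FORMAT)
    shutil.copytree(source, dest)
    return dest


def list_snapshots(backup_root: Path):
    """Return (timestamp, path) pairs for every snapshot folder, oldest first."""
    snaps = []
    for p in backup_root.iterdir():
        if not p.is_dir():
            continue
        try:
            snaps.append((datetime.strptime(p.name, SNAPSHOT_FORMAT), p))
        except ValueError:
            continue  # not one of ours, leave it alone
    return sorted(snaps)


def prune_snapshots(backup_root: Path, keep: int):
    """Delete all but the newest `keep` snapshots; return the removed paths."""
    snaps = list_snapshots(backup_root)
    to_remove = snaps[:-keep] if keep > 0 else snaps
    for _ts, p in to_remove:
        shutil.rmtree(p)
    return [p for _ts, p in to_remove]


def run_backup(source: Path, backup_root: Path, now: datetime, keep: int = 7) -> Path:
    """The unattended job a scheduler would call; `now` is a parameter so it is testable."""
    dest = make_snapshot(source, backup_root, now)
    prune_snapshots(backup_root, keep)
    return dest


def backup_age(backup_root: Path, now: datetime):
    """Age of the newest snapshot, or None if there is no backup at all."""
    snaps = list_snapshots(backup_root)
    return now - snaps[-1][0] if snaps else None


def is_fresh(backup_root: Path, now: datetime, max_age: timedelta) -> bool:
    """The alarm to wire up: False means the job stopped running and nobody noticed."""
    age = backup_age(backup_root, now)
    return age is not None and age <= max_age


def _trees_match(cmp: filecmp.dircmp) -> bool:
    if cmp.left_only or cmp.right_only or cmp.diff_files or cmp.funny_files:
        return False
    return all(_trees_match(sub) for sub in cmp.subdirs.values())


def verify_snapshot(source: Path, snapshot: Path) -> bool:
    """A backup nobody has ever compared to the original is a guess; check it matches."""
    return _trees_match(filecmp.dircmp(source, snapshot))


def demo() -> dict:
    """Simulate five nightly runs on a temp folder, then query the freshness check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "documents"          # constructed sample data
        (source / "photos").mkdir(parents=True)
        (source / "shopping-list.txt").write_text("milk, eggs\n")
        (source / "photos" / "grandkids.jpg").write_bytes(b"\xff\xd8 not really a jpeg")
        backup_root = root / "backups"
        backup_root.mkdir()
        start = datetime(2016, 1, 1, 2, 0, 0)  # assumed nightly 02:00 schedule
        last = None
        for day in range(5):
            last = run_backup(source, backup_root, start + timedelta(days=day), keep=3)
        one_day = timedelta(days=1)
        return {
            "remaining": [p.name for _ts, p in list_snapshots(backup_root)],
            "verified": verify_snapshot(source, last),
            "fresh_next_morning": is_fresh(backup_root, start + timedelta(days=4, hours=8), one_day),
            "fresh_a_year_later": is_fresh(backup_root, start + timedelta(days=365), one_day),
            "age_a_year_later_days": backup_age(backup_root, start + timedelta(days=365)).days,
        }


if __name__ == "__main__":
    print(demo())
```

The freshness check is deliberately a separate function from the backup job: if the job itself is what reports “all good,” a job that never starts never reports anything, which is exactly how a backup quietly turns one year old.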

Technical Details published by Symantec about Backdoor.Destover:  http://www.symantec.com/security_response/writeup.jsp?docid=2014-120209-5631-99&tabid=2

Thanks for reading and don’t forget to subscribe!