About This Ransomware Thing

The news media are breathlessly scaring the hell out of everybody lately, warning us of impending doom that awaits us from WannaCry, the latest in a series of ransomware viruses.

Where did this modern scourge of civilization as we know it come from, for goodness’ sake? Uh… a leak from the NSA, sometimes known as Nobody’s Safe Anymore. They have an inventory of hidden vulnerabilities in Windows that they choose not to pass on to Microsoft so they can be addressed. Never know when they might come in handy for super secret government work, you know.

Despite all the hysterical media talk, WannaCry is not a “worm”. A worm is an attack on your router. WannaCry is a virus, and you get it from email attachments and poisoned links in email. You don’t “catch it” from toilet seats, either. You trigger it yourself.

By the time you see the ransomware demand screen, it’s already too late. Brace yourself for a really bad day. You’re screwed. Any attached backup drive is also screwed, and so are those “safe files” you have secreted on DropBox, GoogleDrive or Microsoft’s OneDrive. As soon as these files are corrupted on your local machine, they’re synchronized with your cloud storage files.

I had a consulting client attacked last fall with an earlier version of WannaCry, called Zepto, and it wiped out a large public self-storage business. See story below. Their database, email, documents, photos, and their backup drive got completely encrypted. The only thing that didn’t get wiped out was Windows itself, which the virus left unperturbed. Purely by luck, other machines on the network were unaffected in this case, possibly because we immediately hit the power switch on all connected machines before it spread. I don’t know if WannaCry behaves the same way, and I don’t want to find out.

Recovery started with disconnecting the infected machine from the network and removing the active part of the virus. Zepto renames encrypted user files as *.zepto. User files were completely unrecoverable, and they were deleted from a DOS prompt with:

C:\> del *.zepto /s

You might as well delete them, because you’ll never see their unencrypted contents again. Unfortunately, this machine was used as a peer-to-peer “server” for a critical shared app. It was toast.

Ultimately, I reformatted the machine, brought the Windows updates current and reinstalled everything. It’s the only way you can be sure. Then I reinstalled the user’s management software they used to run the business. The only thing that saved us was an old off-line backup drive we had replaced six months earlier. That meant six months of daily transactions had to be manually reentered, which took a month, but they were eventually able to get back to normal operations.

I’m suggesting to my clients that they take this virus very seriously.

  1. The key word is “off-line”. Buy a second removable hard drive and swap them out after their (usually weekly) backups complete, with only one drive attached at any time. Do it nightly if you’re fastidious or have mission critical files to worry about, such as a medical facility, but most people do it weekly. Another alternative, if you have the chops to do it, is to use drive imaging software to clone your drive, and then disconnect the drive. Then it’s just a drive swap to get back in business. But bottom line, any user files you can see in Windows Explorer are going to get destroyed.
  2. Make certain that everybody understands what to do if a machine gets infected: hit the power switch on the now wasted machine and shut down every machine on the network immediately. At the same time, pull the power plug out of the router and any network switches. Minutes count.
  3. This virus uses email as an attack vector. This client had been receiving daily emails for weeks, all short, plausible messages designed to trick the unwary into clicking on an email link or to open an attachment. “Your contract is approved and needs your signature”, “Your credit card was declined. See attached.”, or simply “See invoice attached.” Finally, Bad Luck Brian (there’s one in every office) clicked on an attachment, “because I wanted to make sure it wasn’t deleting something important”, and the game was afoot. It is critically important that every person in your office understands what to watch for and to delete such messages without opening the attachments or following links in messages. It may or may not appear to be from someone you know.
  4. The most likely victims of WannaCry are older systems not running Windows 10 or systems that are not current with Windows Updates. Sometimes it’s because updates upset older software, but more often than not, Windows Update itself has gotten stuck. Many businesses depend on old or poorly designed software that will not run on Windows 7 or Windows 10. Some lazy or incompetent vendors even require you to lower your security settings in order to run at all, even under Windows 10. I currently have two such clients, so it’s not as rare as you might think. Might as well put “Kick Me” signs on them. Many process control systems, including hospitals, traffic signals and ATM machines still rely on Windows XP, believe it or not.

In the end, an off-line backup is your best protection.

Is Cloud Storage Safe?

Short Answer? No.

There are only three things you have to worry about when you store something on the web. Your host, the federal government, and hackers.

1. Your host. If you think Microsoft’s OneDrive or Google’s Cloud Storage is private, dig up their “Terms of Use”. When you use their servers, you accept the terms of service, which are part of the deal. That gives them the right to inspect – and delete – materials that they find offensive, illegal or objectionable in any other way. Recently, we’ve seen various types of political censorship as part of our bitter election fight this year. Using Microsoft as an obvious, but certainly not the only, example, you agree to the following condition:

Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion

Other cloud storage services have the same conditions. In other words, anything you store in the cloud is subject to inspection by the service provider, despite vague promises to the contrary. And that is only the legitimate, permitted access.

2. The federal government. More recently, various agencies of the federal government have come to believe they have the right to snoop through your personal emails and anything else they think they need to protect you from yourself. With or without search warrants from the secret FISA Court, you should simply assume that anything you have ever stored, emailed or posted on the web is subject to inspection at any time.

That’s not paranoid raving. In the news this week, Yahoo Inc. last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials. The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI. Microsoft and Google swear they haven’t received similar demands and of course, they would rigorously object… long enough to create plausible deniability for their public relations folks.

But that’s just our government. Now consider the Russians, the North Koreans, Iranians, terrorist groups. All of them are hungry to purloin your extensive collection of cat pictures.

3. Now add in non-legitimate intruders – hackers and criminals. Yahoo recently admitted that 500 million user accounts had been hacked, including passwords, user profiles and anything else stored in your user account. Note that the population of the US is only 340 million people. We hear of banks losing control of their credit card accounts almost on a monthly basis. You have to worry about everyone from pimple-faced teenagers in mom’s basement all the way up to expert professionals doing contract programming for money.

The internet is a tough neighborhood. Ask Jennifer Lawrence and perhaps 600 other iCloud users, apparently after a successful hack by a Chicago cretin. Over Labor Day last year, dozens of nude celebrity photos were released all over the internet. This case doesn’t really mean that iCloud is any less secure than any other online cloud storage, any more than one stolen bicycle means every padlock on a public street is useless. It wasn’t system-wide; individual accounts were hacked one at a time by password cracking. The point to be noted here, of course, is that most any cloud storage account can – and predictably will – be hacked.

Does all this mean you should go into panic mode? Like most things, no. Nobody cares about 200 cat photos, or your kids’ homework. Most people have nothing to worry about, but you might give some careful thought about storing your password list (“So I can find my passwords no matter where I am…”), your Quicken backup files, your bank statements, employee salaries, your social security number, or anything else that might be sensitive.

Bottom line, the rule is simple:

If you wouldn’t put it up on the bulletin board at the grocery store, don’t poke it up to the cloud.

A little reasonable caution goes a long way. For me, the best solution is simply not to use cloud storage at all. My personal opinion is this: The only way to win is not to play the game in the first place.

A Ransomware Attack

Worst virus I’ve seen in 35 years. You won’t like it.

It’s called Zepto. It doesn’t show up as viral, so your antivirus product ain’t gonna see it.

It starts out with vague email messages, usually one-liners, giving you good reason to open the attachment:

“Your credit card payment was declined.”
“Revised lease is attached. Please Review.”
“Thank you for your business. Invoice attached.”

The point of it is to get you to open the attachment, which is usually a compressed zip file. Opening this attachment launches JavaScript code that encrypts all of your user documents. All of them. Every document, photo, data file, spreadsheet, PowerPoint presentation, and Word document. Then it goes looking for your backup drive and wipes that out, too. And if you’re attached to a network, it can do the same trash job on attached machines.

You won’t be able to decrypt these files. There are a number of malware removal products, including Malwarebytes, that can remove the virus itself, but the important thing is this: none of them can decrypt your files. You’ll never see them again. Hysteria ensues.

You could, of course, submit and send half a Bitcoin (about $300.00) to an anonymous mailbox, after which they promise to maybe send you a decryption key to get your documents back. But then again, these are the extortionists that poisoned your machine in the first place, right? Does that sound like a smart idea? Really?

That’s OK, I’ve got a backup! No, you don’t. It’s been encrypted, too, unless it’s an offline backup. Quite by accident, my client had disconnected their backup drive, so I was able to restore their files as of their last backup – six months ago. Two weeks later, they’re still re-entering transactions for their site management accounting system. Everything else since that time was lost.

What to do?

  • Never EVER open an email attachment from somebody you don’t know. Ask yourself if the subject line and the email copy itself make sense. You have to realize that the internet is a bad neighborhood, and it gets a little scarier every day. A little paranoia can be a healthy thing.
  • If you see the dreaded warning that your files have been encrypted, press your power button and hold it there until the machine powers off. Don’t think about it. Don’t take time to gracefully close anything you have open. Don’t worry about saving that half finished email. Do it immediately. I mean right NOW. It’s already eating your files as fast as it can. Seconds matter. The idea is to save as many documents as you can.
  • Once you’ve forced your machine to shut down, do NOT turn it back on again until you have help from somebody who knows what they’re doing. You will NOT be able to resolve it yourself. No kidding.
  • What needs to happen is to remove the hard drive from the machine and connect it to another machine as a secondary drive, at which point a malware removal tool can stop the encryption process from restarting, and then salvage as many uncorrupted files as you can to the uninfected machine. Then make an image of the corrupted drive. At this point, the corrupted files can be removed all at once from a DOS prompt with: C:\> del *.zepto /s
  • Zepto, at least this version, doesn’t appear to infect operating system or program files, presumably to keep you from noticing that your machine is eating itself. It’s possible in some cases to put the drive back in your machine, and it may start up without too much trouble. But you’d better make sure by scanning the dickens out of it before you consider it safe. Make sure you can get Windows updates and that all your applications open properly.

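The salvage step described above (and in the Zepto clean-up earlier in this post), mounting the victim drive as a secondary disk, copying off whatever was not renamed to *.zepto, inventorying the loss, and only then deleting the encrypted remnants, as an added example. This is not the post’s own tooling; it assumes the drive is already attached read-only to a clean machine, and the sample “drive” layout it builds is constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".zepto"  # extension the post says Zepto gives encrypted files


def triage_drive(mounted_root, salvage_dir, delete_encrypted=False):
    """Walk the mounted victim drive. Copy every file NOT renamed to *.zepto
    into salvage_dir (relative paths preserved) and inventory the encrypted
    ones. Encrypted files are deleted only when delete_encrypted=True; the
    default is a dry run so the inventory can be reviewed and the drive
    imaged before anything is removed."""
    root, out = Path(mounted_root), Path(salvage_dir)
    intact, encrypted, lost_bytes = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            src = Path(dirpath) / name
            rel = src.relative_to(root).as_posix()
            if src.suffix.lower() == ENCRYPTED_SUFFIX:
                encrypted.append(rel)
                lost_bytes += src.stat().st_size
                if delete_encrypted:
                    src.unlink()
                continue
            dst = out / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps timestamps for the restore
            intact.append(rel)
    return {"intact": sorted(intact), "encrypted": sorted(encrypted),
            "lost_bytes": lost_bytes}


def build_sample_drive(base):
    """Constructed sample: a tiny victim-drive layout with two survivors
    and two renamed, encrypted remnants (sizes 64 and 32 bytes)."""
    base = Path(base)
    (base / "Documents").mkdir(parents=True)
    (base / "Documents" / "notes.txt").write_text("still readable")
    (base / "Documents" / "a1b2c3.zepto").write_bytes(b"\x00" * 64)
    (base / "Photos").mkdir()
    (base / "Photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff" + b"x" * 10)
    (base / "Photos" / "d4e5f6.zepto").write_bytes(b"\x00" * 32)
    return base


def demo(delete_encrypted=False):
    """Run the triage over the constructed drive in a temp dir; return the
    report, the salvaged relative paths, and how many *.zepto remain."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = build_sample_drive(Path(tmp) / "drive")
        salvage = Path(tmp) / "salvage"
        report = triage_drive(drive, salvage, delete_encrypted)
        salvaged = sorted(p.relative_to(salvage).as_posix()
                          for p in salvage.rglob("*") if p.is_file())
        remaining = len(list(drive.rglob("*" + ENCRYPTED_SUFFIX)))
        return report, salvaged, remaining
```

Run demo() first (dry run) to see what was lost, image the drive, then demo(delete_encrypted=True) is the equivalent of the DEL command in the post.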
A more complete description of the mechanics is beyond the scope of this post, but you would be well advised to read up on the subject.

Is Zepto ransomware the new Locky?

http://www.idigitaltimes.com/ransomware-update-zepto-bart-cryptxxx-cerber-hitting-users-hard-month-542946