Ransomware on the cheap: RaaS on a budget is here

Just when we thought it couldn’t get more fun, Karmen ransomware makes its appearance on the scene as a cheap version of Ransomware as a Service (RaaS). According to Diana Granger, technical threat analyst for the threat intelligence company Recorded Future, this variant appears to be derived from the “Hidden Tear” open source ransomware project.

The article has a lot of good information about this; the key points are that the ransomware is priced at only $175 and that it has some advanced features, such as deleting the decryptor if it detects that it is being run in a sandbox environment.

RaaS is one of the things that I believe is going to cause a lot of problems moving forward. People no longer have to be technically literate to get into the cybercrime game; they just buy something like this. This also isn’t the first cheap RaaS offering (there is also Dot, a 50/50 profit-sharing strain) and it won’t be the last. This is just not good news for businesses and for us security folks.

Image Credit: recordedfuture.com

Ransomware might just be good for security

I’ve been thinking about this a bit myself lately. Is ransomware really helping security get better? While I don’t agree with the “We are too small to have anything of value” argument on other principles (you do have employees with W-2s and email from which to send invoices, right?), the fact that ransomware is making some of the smaller organizations take security a bit more seriously is a good thing, even if ransomware is not.


United Flight 3411 – The Violent Removal Of Dr. David Dao

Okay, before we even start on this topic, I ask you to put down your pitchforks and torches for just a moment while we look at what happened in a non-emotional way.

Obviously the internet is abuzz with this story, with some folks even claiming racism as the motive behind it. Clearly this is not the way United wanted things to go down, but here we are. Given the reports I’ve read and of course the video footage, I think there is more to this story than we know. This does not mean I’m supporting United in the actions that happened, but I don’t think this was racially motivated. I rather think this was an emotional reaction that could have very easily been avoided.

So, obviously we know that United overbooked the flight. As a frequent air traveler I’m not surprised by this; it happens on most carriers. In the U.S., air travel used to be an exciting thing to do, but it has now become more of a commodity and the people who travel are treated as such. The flight crew is told their primary responsibility is safety, but customer service is not really something that is focused on. In addition, many of these people are given a lot of authority on the aircraft. They are human too, and suffer the same faults as other humans. Sometimes this can make people a bit more abrasive, especially when they know that there isn’t much you can do about it.

On the flip side, this has made air travel more stressful and indeed more irritating for the traveler. Now combine this with the folks that feel like they have to carry their entire house worth of stuff onto the plane, taking up more than their own amount of overhead space, being very selfish, and you start to have a recipe for high tensions and associated aggressive attitudes.

So, now you have irritated passengers and empowered flight crews mixed together in this tiny tube on the runway or in the air. Things tend to go wrong.

So what went wrong in this case? I honestly believe that both sides have a part in this. Starting with United, this should have been resolved before people got on the plane. I can tell you that I’ve been moved 15 rows back on a plane after boarding and it annoyed me a lot. My boarding pass had me in row 15; they moved me back to row 30. I didn’t even have to get off; they just changed my seat without telling me.

I have no doubt that he was selected randomly, or maybe pseudo-randomly based on class of service, check-in time, or similar variables. Same thing happens with seat upgrades, it can be based on your original ticket class, time of check-in, etc. I do not believe this was racially motivated.

Finally, I believe the police were actually from the airport as opposed to United employees. Likely, the way this went down is that he was being belligerent (again, he had the right to be pissed), they called security to deal with the issue, and the police went way too far with it. Is that United’s fault? Only sort of. The root cause was their overbooking of the flight; however, the actions of the police officers were their own and in my opinion they are most responsible for the violent removal of the Doctor. Think about it this way: if a store owner calls the police because a customer does not like a policy and is becoming belligerent, and then the police take it too far, is that the fault of the store owner?

With respect to the Doctor it is a little bit tougher; however, many of the reports do say that he had been belligerent and that’s why they ended up calling in the police. Did he have a right to be irritated? Yes, but I would bet that United is on firm legal ground with respect to “re-accommodating” passengers. We don’t have the part where he may have been belligerent on video, but I caution you that there are usually two sides to a story and neither is always 100% accurate. I have the feeling that a lot of things happened prior to the police coming on board that led to that happening. I’m not saying it should have gone down like this, because I don’t think it should have, but I seriously doubt he was being cooperative in any way. That then escalated into what we have here.

Before we jump on the bandwagon here, I guess I’m suggesting we take a step back and consider the issue without the emotional parts involved. United screwed up badly, the police in my opinion did not handle this well, and we are seeing the fallout from that. Just keep in mind that there may be other parts to this that we haven’t seen or aren’t aware of. I’ve been on flights where unruly people have been removed, albeit less violently, and honestly it was a relief to many of the other passengers. In this case, I don’t know if that was the way it happened, but we have to be careful about applauding the involuntary removal of belligerent people in some cases but not others.

In closing, until the U.S. airlines can start treating their passengers like humans and less like cargo, packing people into every spare inch of the plane, tensions will remain high and we will see more and more things like this.


20,000 Scottrade Bank Customers Data Inadvertently Exposed To The Public

Image Credit: Chris Vickery

Whoops. MacKeeper researcher Chris Vickery spotted the exposed data on March 31st while running searches against the s3.amazonaws.com domain. The unencrypted database included 59,000 rows of data, including sensitive information such as SSNs and internal data such as unencrypted credentials for credit report sites. On the plus side, after being informed, the company secured the database quickly, but it shouldn’t have happened in the first place.


Richmond Indiana Housing Agency Loses A Month Of Data In Ransomware Attack

Richmond’s housing agency was hit by ransomware demanding an $8,000 ransom. They are not paying, but had to bite the bullet and accept that they have lost a month’s worth of data. It is noted that, “some of the system’s parts of were outdated and no longer as secure as they were when first installed”. That reads to me like a lot of words that essentially say the software is outdated and probably unpatched.

“Weapons-Grade” Backups? What does that mean exactly?

So, one of the things I preach in my talks about ransomware is the need for “Weapons-Grade” backups. I want to talk a bit about what that means, and why it’s so important. This is not meant to be a complete guide to backups, but it is meant to get you to think a bit about the risk you are at with respect to your data. Furthermore, I’ll tell you how many of these concepts can be applied at home as well.

Why all the worry?

We all have a lot of things in life that are competing for our limited amount of time. In order to understand why we should dedicate some of that time to making sure we are backed up, we need to understand the risks being faced today. The top 4 things that increase my grey hair count are:

  • Ransomware/malware that destroys or holds data hostage
  • Hardware failure that results in loss of data
  • Intentional or unintentional destruction or changes to data
  • Physical theft of the data

You might notice a pattern here. All of them result in losing data. Not a big surprise given the topic. This is not an exhaustive list of how data can be lost, but it covers enough for this article. You should also be familiar with the 3-2-1 Rule (three copies of your data, on two different types of media, with one copy offsite) before we go on.

Common Backup Methods and Pros/Cons:

  • Copy to tape – Not usually used at home and often not in small businesses. This involves a tape backup drive and special magnetic data storage tapes to keep your data safe. In some cases, you can use the software built into the operating system to back up to tape, but often you will want some 3rd party software to help. Accessing individual files from tape is pretty slow compared to other modern storage devices, so typically it is used for long-term backups, or even backups of other backups (remember the 2 media rule) that have been made to disk. Backing up to tape is a method that has saved a lot of tears from falling. Like anything else though, restoring from tape can fail, so it is important to test these regularly. Finally, tape backups are pretty easy to move offsite compared to some other methods.
  • Copy files to another device – A lot of organizations have turned to backing up data to another computer or a Network Attached Storage (NAS) device across the company network. You can do this with individual files or in backup sets, like you usually do with tape. When accessing individual files, this is usually much faster than tape, but it is typically not as easy to store offsite. You can use external hard drives to do this as well, and they are easier to move and store offsite than a NAS. If you are doing this, it is very important that you keep these files isolated from your regular network and test the ability to restore often. This can save them from being encrypted by ransomware that is network aware. A lot of people have found themselves in a bad place when their backups are found to be encrypted as well.
  • Synchronizing/Replicating files – There are a number of cloud solutions out there that allow you to synchronize files. These include services such as Dropbox and One Drive and can have some. You can also use tools such as Robocopy, SyncToy and rsync locally. The cloud solutions are a good way to get files offsite in case of physical theft or destruction, however it is not foolproof. For one thing, many newer types of ransomware will look for these services and try to attack them as well as the local machine. Similarly, replication between sites is not the same as backing up. In this case if the file is infected or encrypted by ransomware at “Site A” and is replicated to “Site B”, that means that both copies of your files are infected or encrypted. Take for example THIS STORY where the Police Chief says, “Our automatic backup started after the infection, so it just backed up infected files”. That is a sign of replication as opposed to actually running backups.

Pitfalls and Fails

  • Not checking the logs – I see a lot of admins that set up the backups, monitor them for a little while, and then stop watching the logs. This is a recipe for much wailing and gnashing of teeth. If something goes wrong with your backups, alarm bells should sound, lights should flash, and pagers/smartphones should be going nuts. It’s really that important. If you get a lot of false alerts, you need to tune your alerts, but don’t tune them out.
  • Not reviewing what is being backed up – I also see cases where backup jobs are set up, but when new folders are added or the architecture changes, the backup jobs aren’t updated to include the changes. The result is that a lot of files and folders don’t get backed up. You need to review your folders and compare them to what you expect is being backed up on a regular basis. The more critical the data, the more often this needs to happen.
  • Failing to test the ability to restore – More than one sysadmin, including myself, has felt the sinking feeling when backups fail to restore. If you haven’t experienced it, this is something you really don’t want to experience. Although it takes time, it is vitally important to test your ability to restore files. Sometimes you can pick critical folders to test, but on occasion, maybe even monthly, I recommend that you restore the full backup set and ensure all of the files you expected are there.
  • Not having enough space to restore – Something that folks often forget to look at is whether they have enough space to restore their files without deleting the old ones. This can be important when it comes to retaining the forensic evidence. If you follow the previous step and test your restores, you should already know if you have the space for this. One option is to move the old files to inexpensive external drives or other non-enterprise storage, so this really doesn’t have to be a financial burden.
  • Backups are network accessible – I’ve heard of this happening several times: they have good backups, but the backups are accessible on the network. What happens is the ransomware encrypts the backups as well, leaving these folks in a pickle. Make sure that any backups you have are not accessible on the network. Isolate them however you need to, for example on a VLAN that only the backup server has access to. This can really save your day if you get a particularly nasty strain of ransomware.
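Several of the pitfalls above (untested restores, folders that never made it into the job, no room to restore) are easier to avoid when the restore drill is scripted rather than remembered. The script below is an added example, not something from this post or from any backup product: a POSIX shell restore-test harness that takes a backup set (a plain tar file stands in for the backup set), restores it into a scratch directory, checks every restored file’s checksum against the live tree, reports top-level folders the job’s include list doesn’t cover, and confirms the restore target has room for the restored copy beside the existing data. All directory names, file contents and the `job.includes` list are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's own script): a scripted restore drill for a
# file backup set, using only POSIX tools (tar, cksum, find, df, awk).
# All paths and sample data are constructed for the demo.

# Content manifest of a directory tree: one "crc size ./relative/path" line per
# file, sorted so two manifests of identical trees compare byte-for-byte.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$(cksum < "$f")" "$f"
      done )
}

# Take a backup of SRC into ARCHIVE (a tar file standing in for a backup set).
backup_tree() {
    tar -cf "$2" -C "$1" .
}

# Pitfall "failing to test the ability to restore": really restore ARCHIVE into
# a scratch directory and compare checksums with SRC. Returns 0 only when every
# file restores and matches; run it right after the backup, before SRC drifts.
verify_restore() {
    archive=$1; src=$2
    scratch=$(mktemp -d) || return 1
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"; return 1          # truncated or corrupt set: unrestorable
    fi
    manifest "$src"     > "$scratch.src"
    manifest "$scratch" > "$scratch.rst"
    if cmp -s "$scratch.src" "$scratch.rst"; then rc=0; else rc=1; fi
    rm -rf "$scratch" "$scratch.src" "$scratch.rst"
    return $rc
}

# Pitfall "not reviewing what is being backed up": list top-level folders under
# ROOT that are absent from the job's include list (one folder name per line).
# Prints each gap and returns 1 if any were found.
check_coverage() {
    root=$1; include_file=$2; missing=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        grep -qx "$name" "$include_file" || { echo "NOT BACKED UP: $name"; missing=1; }
    done
    return $missing
}

# Pitfall "not having enough space to restore": does the filesystem holding DEST
# have room for ARCHIVE's contents without deleting the old (possibly encrypted,
# possibly evidentiary) files? Returns 0 if it fits.
check_restore_space() {
    archive=$1; dest=$2
    need_kb=$(( ( $(wc -c < "$archive") + 1023 ) / 1024 ))
    avail_kb=$(df -Pk "$dest" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -ge "$need_kb" ]
}

# Demo on constructed data: a "live" tree, a backup, and the checks above.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/live/finance" "$work/live/hr"
    printf 'Q1 invoices\n' > "$work/live/finance/invoices.csv"   # constructed
    printf 'W-2 batch\n'   > "$work/live/hr/w2.txt"              # constructed
    printf 'finance\nhr\n' > "$work/job.includes"   # what the backup job covers

    backup_tree "$work/live" "$work/set1.tar"
    verify_restore "$work/set1.tar" "$work/live" && echo "restore test: PASS" || echo "restore test: FAIL"
    check_restore_space "$work/set1.tar" "$work" && echo "space check: PASS" || echo "space check: FAIL"

    mkdir "$work/live/legal"                        # new folder nobody added to the job
    check_coverage "$work/live" "$work/job.includes" || echo "coverage review: gaps found"

    head -c 100 "$work/set1.tar" > "$work/damaged.tar"   # a truncated, unrestorable set
    verify_restore "$work/damaged.tar" "$work/live" || echo "restore test on damaged set: FAIL (as expected)"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

Run it as `sh restore-drill.sh --demo` to see the three checks against the constructed data; in practice you would point `verify_restore` at last night’s set and the live tree from a host that is isolated from the production network, and feed the non-zero exit codes into whatever sounds the alarm bells mentioned above.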

Backup Software

Commercial backup software can get pretty expensive pretty quickly. While I can’t specifically recommend any single solution because your needs may vary, it doesn’t hurt to look at options such as Code 42’s Crashplan. I use the free version of Crashplan at home to keep all of my stuff backed up. I like the fact that I can back up to a friend’s or family member’s house and they can back up to me, and it’s all encrypted prior to transmission. In addition, it’s hard to beat free. Don’t discount the use of tools such as rsync, Robocopy, and SyncToy as well for replication of files or backups to other destinations.

If you follow these tips and tricks and you give your backups the attention they deserve, this can make your life a lot easier in the case of a ransomware infection.


Stay safe out there!

Android Ransomware Targets Russian Language Users

This new variant, discovered by Zscaler, appears to target Russian-speaking Android owners. It’s a cloned version of popular apps that is uploaded to 3rd party app stores. It waits 4 hours before kicking off a bunch of popup screens and finally holding the phone for ransom. While the ransom demand is low at about $8-$10 (500 Russian rubles), it’s still a good lesson to only download apps from legit stores.


Skype Ads Are Spreading Ransomware

It looks like some malicious ads made their way to Skype this week. These ads push a download that is made to look like a Flash update, but instead reaches out and downloads malware, most likely ransomware. It looks like the domains used for Command and Control are currently offline, which is a good thing.

Just remember that it’s better to go to the Adobe Flash website to download updates, or even use the daily obnoxious update notifications in your taskbar, as opposed to clicking on something pushed to you through a browser.


CISO Exchange West Event – Sunday Was Speaking and Eating

Having survived the night and getting some good sleep, I was ready to tackle the day. Being that I did not actually speak until 3:30pm, I had plenty of time to prepare so I decided to take a walk around and grab some breakfast.

A typical view across the table for the road warrior

San Francisco is a very beautiful place. My hotel was right beside the Moscone Center and across from the YBCA (Yerba Buena Center for the Arts) which has a beautiful park setting and backs up to some shopping. I ended up eating breakfast at the iconic “Mel’s Drive-In” and continued to enjoy the area.

On my way back, I stopped by where the event was, checked in and made sure I knew how it was going to work. I like to make sure I am ready for issues, which proved to be a good idea later. I spent the next couple of hours in the hotel room checking and replying to emails while waiting.

At about 2:45 I suited up and headed down to the conference. When I got to my room, they had a laptop already set up; however, the slides that were loaded were old, and they were also in 4:3 format when I usually use 16:9. I’m really not sure where the deck came from (they looked like ones I used at another event for these folks a few months ago), but the race was on to correct the issue. When you do this sort of work, nothing is surprising, so you simply adapt and overcome. I had to do a high-speed rework of the slides I had into 16:9 format since the projector and screen were 4:3. I got it done, but barely. My mad skillz in PowerPoint bailed me out. 🙂

The session went well with a lot of interactive discussion. I didn’t make it through the whole deck, but I had expected that if we had good Q&A so it was fine. I even got to meet a gentleman I recently did a webinar with. It was very cool.

Even the garlic is cooked in garlic sauce

After the session, I hung out at our booth for a bit and learned some from the sales guys. From there, it was dinner time. I suggested that we go to “The Stinking Rose” for dinner. This is another iconic SF place to eat, and the general premise is to cook everything in garlic. Even the garlic is garlic roasted. Good times and good eats with my sales brethren. At dinner I was introduced to a drink called “Grappa” which is the grape waste products from making wine. Basically, they take the dead, crushed husks of the grapes after pressing for wine and let it rot (aka ferment) and squeeze the juice out of it. It tastes just as bad as you may imagine.

From there, it was walking back to the hotel to catch some sleep (in the warm pink glow of the Buddha of course) so I could get up and get to the airport for my 8am flight.