Protecting Against Ransomware

Viewing 20 posts - 21 through 40 (of 107 total)
#6270
The Duke
Participant
@sgb101
Forumite Points: 5

Won’t the ransomware just re-encrypt your encryption? Surely.

Just keep the stuff you want safe “air gapped”. I like to keep my OS in a state which, if it gets compromised, a quick reinstall fixes all.

I’ve done this for years, as an install of an early clone is far quicker than hunting down some random issue. As I’ve found, even fixing issues leaves behind some cruft.

I just go nuclear at first sign of any issue. Not the most sophisticated approach, sledgehammer to crack a nut, but always the quickest option. But only if you keep your data separate from the OS.

#6274
Ed P
Participant
@edps
Forumite Points: 39

As always a backup is a good idea, but the question was how to prevent ransomware. On that note, there is evidence to suggest that some ransomware that actually does encrypt your discs in the background uses Windows’ own BitLocker service to do it. I wonder if that would work on home versions of Windows that don’t have BitLocker activated?

Some A/V, e.g. Kaspersky, offer on-the-fly protection if suspicious activity is detected. I cannot imagine that this is 100% effective except for malware that attacks the file structure rather than individual files.

#6293
Wheels-Of-Fire
Participant
@grahamdearsley
Forumite Points: 4

I have been looking into Sage 2.2 ransomware and I’m afraid it’s a nasty one.

Sage 2.2 is based on CryLocker and it was built using the RIG exploit kit.

Sage can get on your computer via an infected website, but it’s more likely it arrived in an email attachment. The attachment will be a zip file and the email will be about something tempting or just blank. Once extracted, the zip contains an MS Word file with a VB Script macro and a JS script file. If either file is opened then your PC gets infected.

Sage installs in the user\AppData\Roaming directory with a random file name and adds itself as a scheduled task so it always starts when you log in.

Once running, Sage encrypts random files of many types using the ChaCha20 cipher and adds .sage to the file name. Sage also deletes shadow copies of files it encrypts and can access files over a network too.

So can you get your files back? The answer appears to be, er, no. Without the encryption key it can’t be done. Sorry 🙁.

It is important to stop using the infected computer until it is cleaned too, or Sage will encrypt more files, both local and remote.

Malwarebytes claims to clear this infection but it can’t get your files back. They also have a beta for an anti-ransomware product but I haven’t tried it.

Sorry to be the bearer of bad news 😥
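The post above lists host indicators a defender can check for: a scheduled task that starts at logon from the user’s AppData\Roaming folder, files renamed with a .sage suffix, and encrypted files appearing on network shares. The script below is an added example (not from the post, and not Malwarebytes’ or any vendor’s code) that runs those checks over a constructed scheduled-task export and file listing; the task names, paths and the audit helper are all assumptions made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Added example: indicator checks for the Sage 2.2 behaviour described in the post.
# Every sample value below is constructed; real data would come from a Task Scheduler
# export and a file-system walk.

ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
ENCRYPTED_SUFFIX = ".sage"


@dataclass(frozen=True)
class ScheduledTask:
    name: str      # task name as shown in Task Scheduler
    action: str    # program the task launches
    trigger: str   # "AtLogon", "Daily", "Weekly", ...


def is_logon_persistence_from_roaming(task: ScheduledTask) -> bool:
    """Logon task launched from the user's Roaming profile: the persistence pattern in the post."""
    return task.trigger == "AtLogon" and bool(ROAMING_RE.search(task.action))


def find_suspicious_tasks(tasks: Iterable[ScheduledTask]) -> list[ScheduledTask]:
    return [t for t in tasks if is_logon_persistence_from_roaming(t)]


def find_encrypted_files(paths: Iterable[str]) -> dict[str, list[str]]:
    """Split .sage files into local and UNC (network share) locations, since Sage reaches shares too."""
    hits: dict[str, list[str]] = {"local": [], "network": []}
    for p in paths:
        if p.lower().endswith(ENCRYPTED_SUFFIX):
            hits["network" if p.startswith("\\\\") else "local"].append(p)
    return hits


# Constructed sample data (hypothetical names and paths).
SAMPLE_TASKS = [
    ScheduledTask("Vendor Updater", r"C:\Program Files\ExampleVendor\Updater.exe", "Daily"),
    ScheduledTask("g7qkz2", r"C:\Users\alice\AppData\Roaming\g7qkz2.exe", "AtLogon"),
    ScheduledTask("Backup", r"C:\Users\alice\AppData\Roaming\backup\sync.exe", "Weekly"),
]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.sage",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"\\fileserver\shared\contract.docx.sage",
]


def audit(tasks: Iterable[ScheduledTask] = SAMPLE_TASKS,
          files: Iterable[str] = SAMPLE_FILES) -> dict:
    """Summarise findings; any hit means the host should come off the network until cleaned."""
    tasks_hit = find_suspicious_tasks(tasks)
    files_hit = find_encrypted_files(list(files))
    return {
        "persistence": [t.name for t in tasks_hit],
        "encrypted_local": files_hit["local"],
        "encrypted_network": files_hit["network"],
        "isolate_host": bool(tasks_hit or files_hit["local"] or files_hit["network"]),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The weekly task under Roaming is deliberately not flagged: the indicator from the post is the combination of a logon trigger and a user-writable launch path, and a practitioner would review the other Roaming task by hand rather than auto-flag it. A network-share hit is the cue to check which other hosts mount that share.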

#7299
Wheels-Of-Fire
Participant
@grahamdearsley
Forumite Points: 4

I wonder if the NHS IT team read Forumite?

#7301
Ed P
Participant
@edps
Forumite Points: 39

Graham, I’m sure that many in the NHS IT departments could teach us a thing or two, particularly outdated pharts like me. The ones you really want to read this are the clueless senior managers and those who set the budgets in Whitehall.

As an interviewee on the Beeb said, ‘it is grossly unfair to criticise a Hospital Trust for prioritising cancer treatments over a possible threat to computer systems’, the huge impacts of which just would not be appreciated or believed by those in power. (They probably do now, but are still scurrying around in CYA mode).

#7302
Dave Rice
Participant
@ricedg
Forumite Points: 7

Clearly not?

Making an automatic backup is easy; keeping it away from the PC is the hard part. The cloud is as “always connected” as a plugged-in USB drive is, if you use automatic synchronisation.

#7303
Ed P
Participant
@edps
Forumite Points: 39

Graham, I assume Dave was responding to you, but a snippet I heard on the Beeb implied that pinch-penny measures had resulted in zero separation in control between vulnerable PC systems, e.g. email and Office, and the far more critical process control systems that interface with CT/MRI scanners.

Someone being interviewed claimed that his CT scan was stopped mid-scan by the whole system falling over. This suggests to me that the vulnerable system was processing ‘live’ data rather than something that was buffered off-line before being squirted to the Consultant. Nadgering a piece of process control kit is in my mind far more serious and worrying than just stuffing up emails and appointment systems – hopefully the person being interviewed got it wrong and the system only fell over when it could not handshake with the ‘office’ system.

#7304
Wheels-Of-Fire
Participant
@grahamdearsley
Forumite Points: 4

I doubt there was much the NHS team could have done about it anyway, because of the little-reported bug in Windows.

Two days ago the security people at Google found an exploit in the MS Malware Protection Engine that allows the running of JavaScript in an email without even opening it.

MS MPE runs with NT AUTHORITY permissions and it scans incoming mail in the background. The bug causes MS MPE to actually execute JavaScript in the BODY of an email!

MS put out a patch within 6 hours of the discovery, but these things take time to propagate. Hope you all have yours :good:

#7307
Tippon
Participant
@tippon
Forumite Points: 0

I doubt there was much the NHS team could have done about it anyway, because of the little-reported bug in Windows. Two days ago the security people at Google found an exploit in the MS Malware Protection Engine that allows the running of JavaScript in an email without even opening it. MS MPE runs with NT AUTHORITY permissions and it scans incoming mail in the background. The bug causes MS MPE to actually execute JavaScript in the BODY of an email! MS put out a patch within 6 hours of the discovery, but these things take time to propagate. Hope you all have yours :good:

Yep, EdP let us all know here:

https://forumite.co.uk/forums/topic/windows-defender-exploit/

#7308
Wheels-Of-Fire
Participant
@grahamdearsley
Forumite Points: 4

When did we get a security section???

#7310
Tippon
Participant
@tippon
Forumite Points: 0

It’s been here a while now. There are quite a few categories in the forum list:

https://forumite.co.uk/forum-categories/

#7341
Anonymous
Forumite Points: 0

Microsoft has released a patch for stopping the cryptoware bug on XP.

I think that is a bad move: higher-ups will hear it is patched and assume they are secure, and IT no longer has a great reason for some investment.

#7342
The Duke
Participant
@sgb101
Forumite Points: 5

Fs – I said exactly the same. They should have left it wide open; if nothing else it’s a good marketing opportunity to force people to upgrade.

#7343
Richard
Participant
@sawboman
Forumite Points: 16

FS, I can see your point, but there are other issues in play. The patch still has to be applied and this appears to be an emerging issue. Patches appear not to have been applied where they should have been, thus allowing greater impact than would have been the case.

Secondly, some equipment has embedded or semi-embedded ‘PCs’ that cannot simply be replaced or easily ‘updated’ and which are not really PCs in the usual meaning; they are hardly ‘personal’. In the past it was sometimes the case that no one made any efforts to even install available updates to such devices due to ‘policy stipulations’. A relation was told not to mess with several unpatched systems for this reason and no one else would tell IT about the issue either – the relation did make a report and some stink was kicked up.

Sadly, if such equipment is not a short-term depreciation PC but a major expense, capital item with no apparent upgrade path, what should anyone do? Yes, the system managers should of course do everything they can to isolate such devices and use them in ways to mitigate threats.

It appears that this problem may apply not just to medical hardware but some in other fields such as manufacturing.

Hopefully, the original builders can be pressured to sort out the issue, though in some cases they have dropped out of the business. While spare parts can be obtained (often they were bought in anyway), the overall machine design is a more difficult issue. Some greater effort to find solutions, not chest beating, is clearly required. A year or two spent on re-certification is not usually helpful either.

Any ‘manager’ or ‘higher-up’ who assumes should be encouraged to assume they do not have a job.

#7344
The Duke
Participant
@sgb101
Forumite Points: 5

The embedded Windows you refer to is, I think, called Win XT or NX; they still get security patches.

ATMs and stuff like that use it.

XP is almost two decades old; it was created in and for a pre-Internet era. MS should cut it loose altogether.

#7349
Ed P
Participant
@edps
Forumite Points: 39

M$ were damned if they did nothing, just as they are damned for giving lazy management a get-out-of-jail-free card.

I’m just waiting for similar malware to hit India – then we should get some squeals of pain from the traitorous bean-counters who ‘right-shored’ our vital IT systems. It is not just Indian PCs and servers that are vulnerable; computer mainframes are just as susceptible to virus/Trojan attack – perhaps even more so, as few believe or know that they are equally capable of being pwned. (It is, however, a lot harder to write such a VMS Trojan and get it installed – but the cost of subverting or pressuring an employee in India is a lot lower).

The day a corporate or major bank’s cloud gets nadgered is the day the criminals really hit pay-dirt (particularly if the criminals let five or six backup cycles elapse before triggering their malware!).

#7350
Richard
Participant
@sawboman
Forumite Points: 16

The embedded Windows you refer to is, I think, called Win XT or NX; they still get security patches. ATMs and stuff like that use it. XP is almost two decades old; it was created in and for a pre-Internet era. MS should cut it loose altogether.

Not relevant: this is not the full-on embedded version like that used in ATMs, but was a proper version used for such unimportant functions as CT scanners and MRI units and other ‘possibly useful’ stuff. If you are happy to do without those extras, fair enough; others might like a more thoughtful and pragmatic answer.

I guess you missed the point about a history of failure to apply patches at all? Since the latest figures show that many Trusts have gone to more modern systems anyway, but still got caught because of a lack of patching and generally poor IT hygiene habits, there are some culture changes still urgently needed.

I repeat my closing remarks from earlier in case you missed them:

‘Some greater effort to find solutions, not chest beating, is clearly required. A year or two spent on re-certification is not usually helpful either.

Any ‘manager’ or ‘higher-up’ who assumes should be encouraged to assume they do not have a job.’

#7352
Ed P
Participant
@edps
Forumite Points: 39

Richard, without making excuses, in the other NHS thread Dave explained why ‘instant’ application of patches is difficult and time-consuming in environments where some bean-counter has ‘saved money’ by insisting on not replacing/upgrading all the components of a whole systems environment. Add in a dash of caution – managers getting heavily censured by their Board equivalents for the outages/delays caused by failed patching/upgrading – and there are a lot of pressures to thoroughly test each patch in each of the different varieties of machines within the IT eco-system (using sand-boxed cloned test machines). This all takes time, and I could easily see such testing taking a month even for a clean, well-managed system; more if ‘Management’ insist on getting ‘Industry’ experience/feedback before doing the wholesale patch. (Patching individual elements is often not possible).

Three months ago Microsoft released the patches as part of their normal security update cycle. There were no fanfares announcing the dire consequences of delaying the patch (that only emerged a couple of weeks ago). While I think a three-month delay in patching is unacceptable, you are perfectly correct to point a condemning finger at not only the IT bods but also their Management (all the way to the top of the tree).

Education of a bunch of Arts graduates and Legal bods (MPs and Secretarial-level Civil Servants) in the practicalities of running a complex IT system would be a laudable but, I fear, impractical goal and outcome for this mess.

#7353
Dave Rice
Participant
@ricedg
Forumite Points: 7

Such “embedded” devices, or even separate control PCs, are widespread in the defence and postal sectors too. But as I mentioned earlier, they are thoroughly isolated and air-gapped. The problem that I have seen with my own eyes is that XP isn’t just in use on such systems; it’s still in widespread use on clinicians’ PCs too.

Speculation. Just getting the patches out on (maybe) unaffected PCs (this malware can lie dormant for weeks) will, I suspect, be a manual affair, as you can’t risk putting a machine back on the network. Problem is, if they’ve disabled the USB and DVD drives by policy or software you may not be able to do even that (as you have to have it on the network to change the policy). I think I’d just be rebuilding the lot and be done with it.

The problem I have seen with line-of-business software isn’t so much that it won’t work on a particular o/s, but that it will only work in a particular browser. And of course it costs money to put that right. The other thing with obsolete o/ses is that you may not be able to run up-to-date apps, and those apps will have vulnerabilities too. Patch XP and you still have holes elsewhere.

EDIT – Ed, MS did warn of dire consequences. Each patch comes with an Affected Software and Vulnerability Severity Rating by o/s. I used to put these into a matrix for review by the Security Dept to decide if an accelerated roll-out was required for a particular patch. In cases like this, Security would have been on to us, as MS would have pre-warned them.

In the case of MS17-010 it’s Critical / Remote Code Execution pretty much across the board, enough to have alarm bells ringing.
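Dave’s per-o/s severity matrix is the kind of thing that can be scripted so the review step is mechanical. The following is an added example, not Dave’s matrix or anything Microsoft publishes: it builds the bulletin-by-product matrix from constructed rating records, filters it to the operating systems actually present in an estate, and flags a bulletin for accelerated roll-out when any in-estate row is Critical with Remote Code Execution impact. The bulletin IDs, product names and the `ESTATE` set are placeholders made up for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# Added example: patch-triage matrix of the shape described in the post above.
# Bulletin IDs and per-product ratings below are constructed placeholders,
# not real Microsoft bulletin data.

SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


@dataclass(frozen=True)
class Rating:
    bulletin: str
    product: str
    severity: str   # Low / Moderate / Important / Critical
    impact: str     # e.g. "Remote Code Execution", "Elevation of Privilege"


def build_matrix(ratings: Iterable[Rating]) -> dict[str, dict[str, tuple[str, str]]]:
    """bulletin -> product -> (severity, impact): the review matrix."""
    matrix: dict[str, dict[str, tuple[str, str]]] = {}
    for r in ratings:
        matrix.setdefault(r.bulletin, {})[r.product] = (r.severity, r.impact)
    return matrix


def worst_in_estate(rows: dict[str, tuple[str, str]], estate: set[str]) -> str:
    """Highest severity among products we actually run; 'n/a' if none are listed."""
    relevant = [sev for product, (sev, _) in rows.items() if product in estate]
    if not relevant:
        return "n/a"
    return max(relevant, key=SEVERITY_RANK.__getitem__)


def needs_accelerated_rollout(rows: dict[str, tuple[str, str]], estate: set[str]) -> bool:
    """Critical + Remote Code Execution on any in-estate product is the alarm-bell combination."""
    return any(sev == "Critical" and impact == "Remote Code Execution"
               for product, (sev, impact) in rows.items() if product in estate)


def triage(ratings: Iterable[Rating], estate: set[str]) -> dict[str, dict]:
    matrix = build_matrix(ratings)
    return {
        bulletin: {
            "worst": worst_in_estate(rows, estate),
            "accelerate": needs_accelerated_rollout(rows, estate),
        }
        for bulletin, rows in matrix.items()
    }


# Constructed sample ratings (placeholders, not real bulletins).
SAMPLE_RATINGS = [
    Rating("MS-EXAMPLE-A", "Windows XP", "Critical", "Remote Code Execution"),
    Rating("MS-EXAMPLE-A", "Windows 7", "Critical", "Remote Code Execution"),
    Rating("MS-EXAMPLE-A", "Windows 10", "Critical", "Remote Code Execution"),
    Rating("MS-EXAMPLE-B", "Windows 7", "Important", "Elevation of Privilege"),
    Rating("MS-EXAMPLE-B", "Windows 10", "Important", "Elevation of Privilege"),
    Rating("MS-EXAMPLE-C", "Windows 10", "Critical", "Remote Code Execution"),
]
# Hypothetical estate that still runs the older operating systems discussed in the thread.
ESTATE = {"Windows XP", "Windows 7"}


if __name__ == "__main__":
    for bulletin, verdict in triage(SAMPLE_RATINGS, ESTATE).items():
        print(f"{bulletin}: worst={verdict['worst']} accelerate={verdict['accelerate']}")
```

The estate filter is the part worth keeping: a bulletin that is Critical only for a product you do not run should not jump the queue, while one that is Critical/RCE across every o/s you do run (the situation the post describes for MS17-010) should.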

#7356
Ed P
Participant
@edps
Forumite Points: 39

True, Dave, but unfortunately a ‘Critical’ warning is not the same as saying ‘There is zero-day exploit code already in the wild for XP, Windows Server 2003 and all later versions’, which was the message coming out just a few weeks ago. If things are really serious, people need a degree of panic in order to overcome inertia.
