
“An Ounce of Prevention is Worth a Pound of Cure”

In his first entry for WebcraftDaily.com, security expert Carlos Sanchez makes the case for prevention by looking at two malware lessons from the past. Simple backup procedures can keep your files from being held for ransom.

Hello fellow Web Craft-ers! I’m glad to finally be here in the “blogosphere” and I apologize for the delay. It turned out that getting a photo I could use in this forum was a much bigger problem than I ever expected. Normally I simply advise the powers-that-be that I am planning to contribute to a web forum aimed at Independent Web Developers. However, this time a few “issues” popped up. You see, I work in the shadowy world of “cyber security” and while I am definitely a “White Hat” my work frequently has me traveling pretty far into the “badlands” and dealing with some very evil people. What I will try to do is relate information in a timely manner (or at least as timely as I am permitted); information that can help protect everyone who owns or maintains an on-line presence.

So, having said all that as an intro, let me start with an old story that keeps getting updated as technology progresses.

The idea of malware infecting and then encrypting a user’s files first came to my attention back in 1994 with a piece of malware called “Half Virus”. The virus would secretly infect a computer running MS DOS or Windows 3.11 and then encrypt portions of the hard drive on the fly. Overall this virus was fairly harmless unless it was carelessly removed, unlike the variants circulating today. Half Virus still exists and is still circulating in the wild.

But today’s cyber landscape has changed drastically from “hacker pranks” to “organized crime”. Just about 2 weeks ago a new variant appeared called LoroBot. This piece of malware encrypts users’ MS Word, MS Excel, MP3, JPG, PDF and database files. The malware then demands $100 for the key to unlock the encrypted files. Fortunately several big international antivirus companies have provided the decryption key for free. But what about the next time, when the decryption key is different for every infection? Or worse, if your website has been targeted for extortion and there is no cavalry riding over the horizon to your rescue?

Well, the unfortunate answer is that you don’t have many choices: you can either pay or accept the total loss of all files on the compromised computer. And as you can see, neither of these options is very good. What if you pay and the hackers don’t send the decryption key? What if you pay but the hackers have hidden some more malware in the “decryption software”? The following is a true story of a very large state agency where this exact scenario occurred.

A particular state government recently had an entire database of critical data encrypted and then ransomed back to them (approximately 8-1/2 million critical records in all). Like all kidnappings, they were given an amount to pay and a “pay by this date or else” ultimatum. The state informed the Federal Government, which tasked several Agencies to work 24-7 to break the encryption before the deadline.

The outcome? The state wired $10M to a bank, which then wired it to an offshore bank, and then another, and another, etc. The Federal Agencies were able to see the transactions for approximately the first 5 hops, but then the money went to a country where the US has no diplomatic contacts and the trace was lost.

The moral of the story: Backup EVERYTHING! With external 1.5 Terabyte hard drives selling for $109 at membership warehouses, it really is a case of an “ounce of prevention…”.


One Response

11.16.09

Good post Carlos. I would add this: Remember to back up your databases. Many webmasters are used to having local copies of all the html, php, and other types of files that they typically upload and download via ftp.

They sometimes forget that the Database files are not in the ftp and must be accounted for separately.

I have a cron job on my servers. On the first of every month all databases are zipped up and emailed to me for local back-ups off the server.
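The post’s “Backup EVERYTHING” advice and the comment’s monthly database dump both come down to the same routine: take a timestamped copy, keep it off the server, and know before you need it that the copy is still good. The script below is an added example written for this page, not code from the post, the commenter or WebcraftDaily.com. It bundles a site tree plus a database dump into a dated archive, records a SHA-256 manifest of every member, reads the archive back to prove it still matches that manifest, and prunes old copies. The function names, the `backup-YYYYMMDD-HHMMSS.tar.gz` layout and the sample site files are assumptions made for the example; the `db_dump` bytes stand in for the output of `mysqldump` or `pg_dump`, which a real job would produce first. Emailing or copying the archive off-server, as the commenter does, is left to whatever transport you already use.

```python
"""Added example (not from the original post): timestamped backups with an integrity
manifest, a read-back verification step, and retention pruning."""
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, backup_dir, db_dump=b"", stamp=None):
    """Archive src_dir (plus an optional database dump) into backup-<stamp>.tar.gz.

    A JSON manifest written beside the archive records the SHA-256 of the archive
    and of every member, so verify_backup() can later tell whether the copy is intact.
    db_dump is assumed to be the bytes a dump tool produced; here it is constructed.
    """
    src_dir, backup_dir = Path(src_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    members = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            arcname = path.relative_to(src_dir).as_posix()
            tar.add(str(path), arcname=arcname)
            members[arcname] = sha256_file(path)
        if db_dump:  # the database lives outside the ftp tree, so it is added explicitly
            info = tarfile.TarInfo("db/dump.sql")
            info.size = len(db_dump)
            info.mtime = int(time.time())
            tar.addfile(info, io.BytesIO(db_dump))
            members["db/dump.sql"] = hashlib.sha256(db_dump).hexdigest()
    manifest = {"archive_sha256": sha256_file(archive), "members": members}
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive):
    """Read the archive back and compare every member with the manifest.

    Returns {"ok": bool, "mismatched": [...], "missing": [...]}. An archive that was
    overwritten or encrypted in place fails the whole-file hash before any member is read.
    """
    archive = Path(archive)
    manifest = json.loads(Path(str(archive) + ".manifest.json").read_text())
    result = {"ok": False, "mismatched": [], "missing": []}
    if sha256_file(archive) != manifest["archive_sha256"]:
        result["mismatched"].append("<archive>")
        return result
    seen = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():  # hash members from the stream; nothing is extracted to disk
                seen[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    for name, digest in manifest["members"].items():
        if name not in seen:
            result["missing"].append(name)
        elif seen[name] != digest:
            result["mismatched"].append(name)
    result["ok"] = not result["missing"] and not result["mismatched"]
    return result


def prune_backups(backup_dir, keep):
    """Delete all but the newest `keep` archives (names sort by timestamp); returns removed paths."""
    archives = sorted(Path(backup_dir).glob("backup-*.tar.gz"))
    removed = archives[: max(0, len(archives) - keep)]
    for old in removed:
        old.unlink()
        Path(str(old) + ".manifest.json").unlink(missing_ok=True)
    return removed


def demo():
    """Constructed run: back up a tiny site tree, verify it, corrupt the archive, verify again."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root) / "site"
        (site / "images").mkdir(parents=True)
        (site / "index.html").write_text("<h1>constructed sample page</h1>")
        (site / "images" / "logo.jpg").write_bytes(b"\xff\xd8constructed-bytes\xff\xd9")
        dump = b"-- constructed dump, stands in for mysqldump output\nCREATE TABLE users (id INT);\n"
        dest = Path(root) / "backups"
        make_backup(site, dest, dump, stamp="20091101-000000")
        latest = make_backup(site, dest, dump, stamp="20091201-000000")
        clean = verify_backup(latest)
        latest.write_bytes(b"\x00" * 64)  # simulate the archive itself being overwritten in place
        tampered = verify_backup(latest)
        removed = [p.name for p in prune_backups(dest, keep=1)]
        return {"clean_ok": clean["ok"], "tampered_ok": tampered["ok"],
                "tampered_mismatch": tampered["mismatched"], "removed": removed}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `make_backup` from cron, then `verify_backup` on the copy after it has been moved off the server, not before: a manifest that only ever agrees with the archive on the machine that was compromised proves little. The manifest should travel with the archive, and the hashes in it are what let you notice that a backup was silently replaced long before a restore is needed.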
