CryptoLocker is amazing. I find the reactions to it so intriguing. Because before, viruses would just delete your data and let you know you were screwed. Game over.
Now, they delete your data, but offer a quick time-rewind to undo the damage. $500 seems like a not-so-bad deal, and if the data was deleted instead of encrypted, I would imagine you'd pay more than $500 to send it to a recovery shop.
So really, it's just doing a good job of teaching users about data loss, without actually forcing them to lose data, just a bit of money. That seems like an overwhelmingly good bargain, overall. Especially if it gets someone to make backups before they suffer a hardware failure that truly renders the data lost.
And terrorists? Wikipedia indicates "Russian hackers". I suppose you can stretch terrorist to cover that but well, that's just being dramatic.
Malware hasn't gone around deleting data in ... I'm not sure exactly when the last time is I saw anything like that, but it's been a very, very long time.
The majority of malware now is a commercial effort, it's just trying to turn you into part of an obnoxious ad network, use your computer to send spam, pick up account information or credit card details that in aggregate are worth a little bit on some particular forums, that sort of thing.
Cryptolocker is amazing because the developers didn't screw it up. It runs very quietly in the background. Most people never realize it's there. It comes in multiple pieces, so your AV software might disable the UI portion of Cryptolocker but all your files will still disappear (oldest files first). Each file is encrypted with a different key, and then a master key is used to encrypt all of those keys. It's basically, "the kind of malware tptacek would build if tptacek built malware."
It's also been a huge boon for us in convincing people to get backups going finally, because the sort of people that are willing to gamble that their hard drive will never fail aren't also willing to gamble that they'll never click on the wrong thing online. I hate having to scare people into getting backups, but, that's how it is.
Attacking rich people with a knife is a net good. It means they'll hire body guards, then if they have a medical emergency there will be someone there to assist or call an ambulance. If you hadn't attacked them then they could have been choking or having a cardiac infarction and not have anyone there to help.
If someone kidnapped your child and asked for a ransom, would you consider it an "overwhelmingly good bargain" because you'd get them back and they wouldn't talk to strangers in future?
There is nothing novel about extortion, even on the internet, and it's not defensible as "doing a good job of teaching users about data loss"
Your metaphor is a little flawed. It's more like allowing a random person off the street to babysit your child, and then they kidnap them. You could have avoided the whole situation by not allowing some random person into your home.
If you consider opening email attachments that appear to be pdfs from legitimate sources (and only backing up occasionally) to be a comparable level of negligence to offering your children to anonymous strangers, perhaps. No amount of victim-blaming justifies the original poster's assertion that it's an "overwhelmingly good bargain" though.
No it really isn't. It's smart software written by smart people. Our continuous underestimation of the 'enemy' is the reason we keep finding ourselves in these situations.
The sooner we stop dismissing the blackhats as just 'dumb kids' and start accepting that many of them are probably smarter and better programmers than most of us, the sooner we as a society can start getting a real grip on computer security.
Your appeal to humanity is noble and I certainly agree that it would be very nice indeed, but it doesn't help solve the immediate problem in front of us.
The immediate solution to the problem in front of us is to have these talented people stop developing this awful piece of software.
No, that's the long term solution. A solution that is going to require some pretty huge changes in society as a whole. We need a solution in place today that works while we try to figure out how to get from where we are now to where we want to be. And we don't get to either of these solutions by failing to understand what we are dealing with.
At the end of the day I think these people realize the quality of their work and us pretending it is any less than it actually is isn't going to have any effect.
You can certainly argue that Cryptolocker is immoral, but I don't see how you could say it isn't clever. It is entirely possible to do bad things in intelligent ways.
Now, your parent is arguing that CL is actually a net good, even if it's doubtful that its author's motivations are altruistic. While I by no means endorse CL, I can certainly understand the argument. Most people will experience a hard drive failure at some point in their lives, surely. Could this malware ultimately save more data loss than it causes? Maybe. Although I doubt it. And even in cases where people have backups it will waste time. Regardless, I absolutely agree with you that it's immoral. But still clever.
Of course it's extortion. That's why I highly doubt the authors much care what people say about them. It's not an experiment, or a public service. It's a clever, sociopathic way to extort a lot of money quickly, and without getting caught, at least so far. They're certainly not going to shut it down for lack of praise on Hacker News.
"The Tewksbury Police Department chief told its local newspaper, the Tewksbury Town Crier that those who infected the computers in early December 2014 were "terrorists.""
None of the definitions of terrorism I can find would describe this. Exaction, perhaps? Is there a better term?
Text of the patriot act definition below. As much as I hate the Patriot Act, its terrorism definitions do a pretty good job I think, but B(ii) seems a bit redundant given B(iii). Note that it's A && B, not A || B.
"(5) the term 'domestic terrorism' means activities that—
  (A) involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State;
  (B) appear to be intended—
    (i) to intimidate or coerce a civilian population;
    (ii) to influence the policy of a government by intimidation or coercion; or
    (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
  (C) occur primarily within the territorial jurisdiction of the United States."
Didn't the Obama administration issue an executive order basically saying any hacking on any US government infrastructure is terrorism? Ransomware would be terrorism in that case (not that I agree).
This raises so many questions. The 3 major ones that come to my mind are:
1. How is security on a police server so bad it can be infected with malware in the first place?
2. It sounds like they didn't have (good enough) backups, where they could just format the server and restore the data.
3. Doesn't this mean that all the data on the police server is effectively compromised? i.e. the hackers could have made a copy before encrypting, so it is likely the data is breached?
It's a small town police department. They just don't have the resources to properly address those aspects of IT. I worked IT helpdesk for an affluent city of 70,000; you would be surprised at all the ancient equipment they were still using.
It's not that costly to hire a smart high school kid to handle the basic security, such as backups and virus/malware prevention. It probably would have been enough in this case. Of course, such means won't protect against targeted attacks, but I doubt small town police departments are at high risk of that anyway.
Yeah, but they don't operate that way, and that's part of the problem.
From their point of view, if anything goes wrong with whoever they hire to work on their infrastructure, they get excoriated by the public. That smart high school kid turns out to be fond of child porn? The department ends up in the state newspaper.
So, they publish RFPs and select for established companies. The RFP publishing process isn't that great, so generally speaking there's a subset of companies that monitor for RFPs at various governmental levels, and those companies don't tend to be supplying the most cutting edge technology at the lowest prices.
Then, to cover themselves, the departments require a stupid amount of paperwork and a carefully-prepared proposal that's supposed to establish firm costs on vague requirements, like, "cost per computer to provide hardware support for offices in the county". So, the businesses writing the proposals stuff pork all over the place so that they don't end up upside-down on the deal, and besides, they have to pay somebody just to sit and write up reports like these and fill out paperwork and supply background information and client references and attend social mixers and so on and so forth just to get the work in the first place.
The entire process is not great, and it's the direct result of everyone just trying to watch out for their own best interests.
Please, don't call "manually copying files to a USB drive once a week" a "backup", that's something we have to educate people on and it's frustrating. I know you didn't mean it that way, I'm just trying to combat the spread of a bad idea.
CryptoLocker doesn't lay in wait or try specifically to target backups. However, it will hit shared network drives; basically, anything that Windows has mounted as a drive letter at the time of infection can end up getting its files encrypted. (And I'm betting that's how the police department's file server was affected -- it wasn't the point of infection, it was just a shared network drive.)
CryptoLocker bets on most Windows users not having reliable backups, and it's usually right. This is one area where Mac users often have no idea how good they have it; there is simply nothing in the Windows ecosystem that is as simple, reliable, and complete as Time Machine, at any price.
A combination of Crashplan, configured to back up all file types in any directory where you have irreplaceable files (generally your user folder should suffice), and a full disk imaging program. I use Macrium Reflect, as it's free and for me has been more reliable than Acronis. Run Crashplan continuously and image weekly or so. Even monthly would probably be fine, since Crashplan's incremental backups save you from any data loss. More frequent is just more convenient for restoration.
Your answer's better than mine, I kinda half-assed it.
I don't know if Macrium made it into our last round of backup software evals, and we're overdue for another one anyway (and not terribly happy with Acronis).
Only that it doesn't support Acronis-style incremental images. So imaging takes more time and space. It also (last I checked) doesn't provide a way to automatically delete old images (but that's easy enough to script). It does do full images very quickly and reliably though, which is worth it for me. I tried for a long time to like Acronis. Even submitted several bug reports. But I had no end of problems, and even aside from the annoyance and wasted time, I don't want to trust a program with such quality control issues with my backups.
Acronis TrueImage. But, it's not totally reliable. We've recently seen it have trouble removing old backups from attached drives, so the drive fills up and then TrueImage stops running with little or no notice. It does this significantly less often than EaseUs ToDo Backup though.
You can trade completeness for reliability by going with Backblaze or Carbonite or CrashPlan or SpiderOak for online backups. All of those offer a really good overall backup system, you just don't get a bare-metal restore and if you store files in an unusual location on your drive or use unknown file types, the backup service might not grab them.
Call it what you want, but the reality remains that for many victims, if they had periodically connected a USB drive and copy-pasted their files, they'd stand a good chance of being OK.
Can't they sell one of their armoured personnel carriers or assault vehicles to pay for modern IT equipment? Decent opsec and backups strike me as more useful than militarizing the police.
No, they get those on a "loan" from the agency that actually needs them, mainly as a way to shunt maintenance costs onto the police. But they can't sell them because they don't actually own them.
Isn't this why you have centralised government? Every town doesn't need to do a procurement process for basic logical infrastructure. The government acquires personnel and skill sufficient to implement the infrastructure and does so in all areas; vs. private companies it has to be more cost-effective as there is no need to pay out profits. With logical infrastructure there is no overhead for equipment retention and maintenance. In short, why doesn't the gov offer IT support to ensure that government services have properly configured networks, backups, and such? A police department doesn't need freedom to not make backups or to have no firewall.
Private companies would still be involved in filling procurement orders for hardware needed to implement the logical infrastructure.
It's like having 10,000 offices write their own dress-code, you only need a central standard gov dress-code for office workers; individual locations could overload or enforce the code as they see fit but you reduce the workload using scale.
A police department should be more like a fast food restaurant [or at least a UK one], you come along with a pre-built infrastructure and implement it, rather like "apt-get police-department", bang there you have it cookie cutter infrastructure.
All bureaucratic and personnel issues aside, it wouldn't do enough to address the simple fact that a lot of government services are under-funded right now. As a trivial example, a local fire department just enacted "rolling brown-outs", periods of the week during which they will not have any fire personnel available, and any calls to the fire department will have to be handled by a nearby agency instead.
Local citizens are still refusing to accept any tax increases or new fees of any kind to keep the fire department 100% open.
It's really that bad.
Centralizing services can get you some gains in efficiency -- sometimes! -- but I doubt there'd still be enough to go around.
It's a slow-change environment. Salaries are low. Morale is often low. Sometimes it's contracted out to the lowest bidder. It's a procedure-orientated environment.
I'm not an expert on CryptoLocker but at this point I would just format the computer and assume all data is stolen and gone already, then deal with the consequences and train my employees about computer security a bit more.
It's not like someone has a physical thing in their hands and are willing to give it back if the ransom is paid. That is a bad situation as well, of course; but I find this to be worse.
You can't simply delete police records, it's not your home computer with cat pics. According to the article, these files were pretty important:
"the infected computer contained a significant amount of police data, including its "Computer Aided Dispatch, records management, arrest logs, calls for service, [and] motor vehicle matters""
That's why you take backups. This is similar to someone taking the computer for a swim. Yeah, maybe you get the files back; but it's most likely too late.
In some cases "deal with the consequences" can be very costly. Imagine some record the police need for a court case is part of that data. You've just deleted it. A drug dealer walks free. You've just let a drug dealer go free all for $500. Good luck at your performance review.
I can imagine a drug dealer's defence lawyer having fun questioning the admissibility of evidence that had been "corrupted by Russian hackers" in front of a non-technical judge and jury though...
Sure but do you really expect them to actually decrypt the files and then walk away? If they do I think they would be more honourable than some non-criminals!
Uh, yes? Because if they behave well, then word spreads and people know they can trust the ransom. If they kill the hostage each time, then no one pays. It's not like they make more money if they defect. Yeah, they could try to ransom again, but a: the success rate might be lower since right after ransom people are likely to have made a backup and b: word spreads that paying just results in more extortion, leading to less payments.
Yes, CryptoLocker does actually decrypt your files if you pay the ransom. At first, there was an expiration date; you had 10 days or something like that to pay the ransom, and then your files were gone forever. More recently, it changed so that you can pay a ransom at any time to retrieve your files, but the ransom goes up after the initial 10 day period (or whatever it is now).
The developers are savvy business people and CryptoLocker is very well done.
I think we'll have to agree to disagree. I follow the "respect your enemy" school of thought, and I dislike the kind of us-vs-them hyperbole that passes for political debate these days.
It should be clear from my comments that I'm opposed to CryptoLocker. You'd have to assume the worst of me to imagine that I'm encouraging it at all. But it's factually correct to say that CryptoLocker is well-written and well-executed and is making good money, and that's exactly the argument I use to convince people that they need to have backups.
No, it's not, and this is where your approach and mine differ. You're trying to speak as though your audience is "people who might be encouraged to write something like this"; I'm speaking as though my audience is "potential victims who might underestimate the danger of CryptoLocker".
People, especially technically savvy people, constantly overestimate their ability to avoid problems like this. Every time there's a popular thread about malware on Reddit, there will be popular comments along the lines of, "I don't know how other peasants get infected with stuff like this, all you have to do is (not click on the wrong things online || run my favorite software || use an ad-blocker || use Linux || use MacOS || only browse the web on Wednesdays)".
That is the kind of mindset I have to regularly defeat in order to get people to take sensible precautions, like having backups, and CryptoLocker is the one piece of malware out there that I can effectively use against that mindset, because I can point to my highly technical business customers (with current enterprise-class AV and ad blockers and Chrome/Firefox and and and...) that have been hit by it, I can point to news articles like this one about governmental agencies paying the ransom after being hit by it, I can use it to scare a few over-confident people into doing the thing they should have done all along to utterly defeat CryptoLocker: get a good backup system.
Frankly, the best thing that could happen, in the long run, would be for half a dozen people on HN to go, "Oh, that thaumaturgy, he thinks CryptoLocker is cool, now I'll write a clone of it too," because, after the initial horror and pain of data loss and suffering that many people would be subjected to, suddenly backup software would be one of the most popular projects in the computer industry, instead of being the totally unsexy project that nobody really wants to bother working on, and my job would go from, "let me spend 2 hours trying to convince you to listen to reason and spend money on a mediocre backup system" to "here's the really great all-in-one backup system that you already know you need, call me if you need anything else".
Your approach doesn't convince anyone that CryptoLocker is a threat they should take seriously. My approach is consciously intended to protect people from their own bad judgement.
People writing aggressive malware aren't tipping back and forth based on the language they see in message board comments.
Their default state is no shits given.
Imagine them having an interview where they say they were going to give it all up, but then they saw that one guy remark that their software was effective at doing what it does, and they were so chuffed that they went on to scam thousands and thousands of dollars more out of people. It's preposterous.
I wonder if logicallee deleted all their comments in this story as a not very good way to admit that they were wrong, as a way to stop getting negative internet points, or for some other reason?
From what I have seen in most countries I have been in, it is very safe to assume that most of the offices (including government or small businesses) do not have very good practices nor training regarding digital content or software security.
Yep. This is also true about large companies and software startups. Pick any group of savvy technologists you want, then on the morning of their A round take the CEO's Macbook and throw it into the river. That should be a non-event. It is not.
And even people that think they're covered sometimes turn out not to be.
"But I have a NAS with two hard drives and all my files are on it. That's my backup."
"Yeah, the company that set it up did it wrong. Your files were spread across both drives, instead of copied to each drive. When one of the drives failed, all of your files went with it."
You and I (and, hopefully, most of HN) are well aware.
However, this was the very first business I had the pleasure of working with that had even attempted something resembling a comprehensive backup system, and the system they got was wrong.
RAID 1 (or say RAID 1+5) sounds like a [local] backup to me; what am I missing? Are you just saying local backup is insufficient or is it something less obvious?
RAID (of any kind) isn't a backup because it doesn't store previous versions of files. For example, if your RAID 1, 5, 6, 10, etc. array is attached as a Windows shared network drive -- which is not uncommon -- then CryptoLocker can find it, silently encrypt every single .doc, .pdf, .jpg, etc. file on it, and you're still boned because you don't have a copy of those files before they were changed.
Less dramatically, sometimes people make mistakes, like editing a document, then fat-fingering a mass deletion in the document during the save process and not noticing it until a month later. Again, RAID doesn't protect you from that, but a proper backup system does.
And finally, it's not unheard-of for RAID systems of any kind to just fall over. Even a RAID 10 is a whole lot of redundancy all running on a single drive controller; if that drive controller does something very silly -- and I've seen it happen, we've personally shipped systems to data recovery outfits for this -- then you can end up with garbage on all of your drives.
There are two different concepts at work here. "Redundancy" and "High Availability". RAID uses redundancy, but it belongs under "High Availability" -- it's a system that's designed to still be mostly available even if it suffers a hardware failure. But strictly speaking it does not provide for redundancy of your data.
Ha, lol, yes, mirroring rather than backup. Have made the same comments as you re: Dropbox. Mirroring, e.g. RAID 1, provides some hardware redundancy; it's an entirely incomplete backup that is easily made useless. It's more like having a spare tyre when what you really need is a spare car.
Point entirely accepted, but I can't help feeling there is a deficiency in the language here: a hardware failover is a backup of a sort; it's not a sufficient backup to address even most potential failures.
Yeah, and ordinarily I'd happily agree with you and not take a militant "raaaaaahh that's not a backup" stance, 'cause you're right, it is a backup of sorts.
Unfortunately, for a lot of people, especially computer novices, "backup" is confused with "absolute guarantee against data loss", which forces me to occasionally say things that aren't 100% true in an engineering sense. If I say, "Well, RAID is kind of a backup, but...", people seem to stop listening just before "but".
RAID 1 is a very poor backup, for several reasons. For starters, anything bad that happens to one copy is likely to compromise the other copy. Deleted or corrupted the file? Oops, it was mirrored to both disks. PC stolen? Oops. Water damage in the office? Oops. RAID controller died? Oops.
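The point made in the RAID thread above (a mirror has no previous versions, so a mass overwrite on a mapped share takes the mirror with it, while a snapshot backup keeps the earlier copy) as an added, runnable illustration; this is not code from the thread or from any product named in it. It models a mirror and a hard-link snapshot scheme in the style of `rsync --link-dest`, and all paths, file names and the "overwrite" are constructed inside a temporary directory (the overwrite is a stand-in for damage, not encryption).

```python
"""Mirror vs. versioned snapshots: why RAID/sync is not a backup (added example)."""
import os
import shutil
import tempfile
from pathlib import Path


def _same_content(a: Path, b: Path) -> bool:
    return a.stat().st_size == b.stat().st_size and a.read_bytes() == b.read_bytes()


def take_snapshot(src: Path, backup_root: Path, name: str) -> Path:
    """Copy src into backup_root/name. Files unchanged since the newest earlier
    snapshot are hard-linked to that snapshot instead of copied, so keeping
    history costs only the space of what actually changed."""
    snap = backup_root / name
    snap.mkdir(parents=True)
    earlier = sorted(p for p in backup_root.iterdir() if p.is_dir() and p != snap)
    prev = earlier[-1] if earlier else None
    for path in src.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(src)
        dst = snap / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if old is not None and old.is_file() and _same_content(path, old):
            os.link(old, dst)        # unchanged: share the inode with the older snapshot
        else:
            shutil.copy2(path, dst)  # new or modified: store this version separately
    return snap


def mirror(src: Path, dst: Path) -> None:
    """A mirror has no history: the copy always equals the live data, good or bad."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def restore(snapshot: Path, dest: Path) -> None:
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(snapshot, dest)


def read_all(root: Path) -> dict:
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def simulate() -> dict:
    """Back a share up both ways, mass-overwrite every live file, run the jobs
    again, and report what each strategy can hand back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, snaps, mirrored, restored = (root / n for n in ("live", "snaps", "mirror", "restored"))
        (live / "reports").mkdir(parents=True)
        (live / "reports" / "arrest_log.doc").write_bytes(b"arrest log 2014-12")  # constructed sample
        (live / "dispatch.csv").write_bytes(b"call,unit\n1,A")                   # constructed sample
        original = read_all(live)

        take_snapshot(live, snaps, "2014-12-01")
        mirror(live, mirrored)

        # Constructed stand-in for every file on the mapped share being rewritten.
        for p in live.rglob("*"):
            if p.is_file():
                p.write_bytes(b"\x00UNREADABLE\x00")
        take_snapshot(live, snaps, "2014-12-02")  # the nightly job faithfully records the damage
        mirror(live, mirrored)                    # the mirror replicates it, history gone
        take_snapshot(live, snaps, "2014-12-03")  # nothing changed: files are hard-linked, not copied

        restore(snaps / "2014-12-01", restored)   # the earlier version still exists
        shared = (snaps / "2014-12-03" / "dispatch.csv").stat().st_ino == \
                 (snaps / "2014-12-02" / "dispatch.csv").stat().st_ino
        return {"original": original, "mirror": read_all(mirrored),
                "latest_snapshot": read_all(snaps / "2014-12-02"),
                "restored": read_all(restored), "unchanged_files_share_inode": shared}
```

Only the snapshot taken before the overwrite restores the original bytes; the mirror and the post-damage snapshot both contain the rewritten files.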
I wonder if there is a way to come down with the full force of the police & surveillance state on this. I mean it has to be good for something....
For example (and I'm just making this up): If the malware contacts a server, send a rapid response team there. Find out where the data goes next, repeat. If they make it a national security or terrorism issue, they would have the cooperation of many western/Interpol states (at least Europe, Australia and Canada). I also can't imagine that it's in the interest of the Russians to be a host to this kind of crime, so you might get them to cooperate, too.
I realize that this is complicated through the bitcoin protocol (if the malware doesn't communicate back in any other way, although it has to get the key from somewhere). But in an age where GCHQ can record all traffic in and out of the UK for a day, it shouldn't be beyond their technical reach to monitor all bitcoin transactions passing through their nets in real time. A transaction from/to a tainted wallet was issued from your PC? Expect a SWAT team in 10 minutes at your door.
Of course this would be grossly undemocratic, complete overkill, and create huge collateral damage. But I believe the capabilities for such a crackdown are almost there. And if criminals start targeting infrastructure and law enforcement (and don't just "accidentally" attack them), something like that might happen.
Yev from Backblaze here -> Isn't that crazy? I've written two blog posts about CryptoLocker, and how you can use a backup system to defeat it (just wipe the machine and restore from a backup). The CryptoLocker virus is definitely pretty amazing from a virus perspective. It turned the virus world on its head a bit. Still defeated by having a good backup strategy though!
Paying an extortionist only makes it easier for the extortionist to continue. The same with kidnapping. In some countries it is in fact illegal to pay a ransom.