Tuesday, 29 March 2016

Every cloud

I'm an inveterate optimist - I see the flecks of gold in heaps of dross, and I often find small coins in car parks. And every cloud has a silver lining, if you stare at it for long enough.

I'm seeing a lot more ransomware attacks. Typically, a gullible user has either clicked on an attachment in an email (I'm currently getting about a hundred such malware-bearing emails per day) or has been hit by malvertising. Probably the email is more frequent. Sadly, antivirus software has a 10% success rate in flagging such stuff. It misses nearly all of it. Because if you're about to send out a bunch of malwareiferous emails, you'd test to see if the AV products detected it, change it if it did, and continue to test and change until you had something that would pass the tests. This is called "crypting".

And the thing Gullible User (last name User, first name Gullible, called Gully for short) clicked on, reaches over the internet, downloads the malware, and installs it on Gully's computer. And ransomware is the flavour of the month.

The ransomware encrypts all the data files it can access (which means all the data files that Gully can access, including those on the corporate network) using a dual-key encryption system. Dual key means that one key encrypts, and a completely different key decrypts. So even if you trawl through Gully's computer and find the key that encrypted, that doesn't give you the key to decrypt. And modern crypto systems are strong enough to give serious obstacles to government spooks, so forget about cracking it by brute force.

So how do you get your data back? You pay. Money. Using Bitcoin, which is as untracable as sending money via Western Union or Moneygram. And they send you the decryption key. Maybe. You just have to trust the unscrupulous scroats who ripped you off in the first place and who have only a slight incentive to send you the key now that they have your money. Let's hope they're honest scroats.

The good news is that it's not much money - maybe a few thousand dollars, which is peanuts to a big organisation (but very painful for a tiny business, and if we're talking about grandma's collection of grandchild pictures, poses a heartbreaking barrier).

So what precautions are you taking against being hit by ransomware? Choose one of the below.

1) We're running an excellent antivirus, tests say that it detects 100% of in-the-wild threats, and it's updated daily.

 ... but, sadly, the tests are not correct. Do your own testing. Choose a dozen of the malware-bearing emails that you're getting every day (and deleting unread, I hope) and see if your AV flags them all. It won't. Maybe one or two of them. Ask your AV vendor why not, and they'll say "That's because you're testing on something that only came out an hour ago, you can't expect us to be able to detect that, can you?" Actually, you can, and in my blog I've explained how. And if you're paying money for something that the vendor says cannot possibly do what you're paying for, rename yourself Gully. You can also ask the organisations that publish these 100% tests, how come in the real world the figure is more like 10%?

2) We have backups.

 ... well, that's good. But have you? Some people use "cloud backup", which means that files that change are automatically copied over the internet to a server somewhere in Albuquerque. So the ransomware encrypted your data, the backup system says "Oh, that changed" and copies it to Albuquerque. And if you restore that backup, you've just restored an encrypted file, which doesn't help you. And this happened to someone recently.

Maybe your cloud backup works that way, or maybe it doesn't. If you don't understand how your backup system works, then that's probably the way it works.

Here's how my backup system works. On the 1st to the 10th of each month, files are backed up to one server. On the 11th to the 20th to a second server. And on all other days, to a third. Plus there's various other backups going to and fro, which aren't automated.

I even have servers that are powered off, and hold a copy taken several weeks ago.

So if something has borked all the files on my main server, I have at least a chance of restoring something not too ancient.

3) We're educating our users.

... don't make me laugh. That hasn't worked in the past - why would it work in the future?

38% of busnesses are confident that they could recover from a ransomware attack. There's two problems here; first the obvious problem of the 62% who aren't sure they can recover, but the other problem is that I suspect that a large proportion of the 38% who are confident, are only happy because they haven't really understood the problem. Here's a nine-point list of advice for avoiding ransomware attacks.

Most of those nine points are good ideas, but won't stop ransomware, especially ransomware delivered via email.

So where's the tiny silver lining in the large and unpleasant cloud?

Any organisation that has been hit by ransomware, has been charged several thousand dollars for a lesson in computer security, a lesson that people like me would be willing to teach them for free, but free stuff is subject to floccinaucinihilipilification and usually ignored. But the lesson bought for real money, is likely to be taken to heart.

I did warn you, it's only a tiny speck of silver.


  1. Time to put your money where you mouth is Dr. It's very easy for you youngsters to be sat sitting and talking about this global doom and gloom, you seem to know a bit about anti virus' and I think you should come to our aid.
    Perhaps start a company that builds proper antivirus software, you may make some money out of it if you are good. I can help you fund it, I have £13.67 in my piggy bank, and I'm sure I can raid the kids' pocket money too.

    1. £13.67 is a very splendid offer. You should be able to recruit several under-employed programmers with that inducement, and in another blog posting, I've already explained how to write the software.

  2. I get sent hundreds of malicious email attachments each day too, but they all seem to end up in my spam folder.

    Does it matter if an up-to-date anti-virus doesn't pick them up on transmission, if another layer of the defence (my anti-spam) is correctly intercepting them?

  3. It matters, for four reasons.

    1) You're spending money on AV that's not actually doing anything to defend you against today's threat. It's probably really excellent against the threat of 10 years ago.

    2) You think you have a layered defence. Actually, you have only one defence, the anti-spam, which (for most people) is not under their control, so it's only as good as the AOL people (or whoever does your email) make it.

    3) Spend five minutes thinking, and you'll think of three ways to get the emails through your spam filter, if your objective isn't to spam people, but to install ransomware.

    4) Your spam filter doesn't help with malvertising.