Saturday, 15 May 2021

Day 425 of self-isolation - Ransomware


In the USA, gas prices have risen because of a ransomware attack on the "Colonial pipeline". There are calls for greater cybersecurity, but there are very few suggestions on how to achieve that.

So let's look at that.

Ransomware is when a trojan (unwanted) program encrypts the data on your system, and the criminal demands payment for restoring the data. How do you defend against that? Backups? It isn't that easy.

So let's start off by looking at how a nasty ransomware system would work.

First, the user installs the ransomware on their computer. Unwittingly, of course. I'll discuss later how that can happen.

The ransomware has access to the same data that the user can access. If the user can write to a file, so can the ransomware.

So, all the files that the user can access can be encrypted.

But surely, the user would notice that he no longer has access to his data? No, because the ransomware also decrypts the data, on the fly, whenever the user tries to use it. So it can be working silently, in the background, for days, weeks, even months. And then, eventually, it triggers.

So what backup are you going to restore, one that is six months old?
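One check a defender can run over a backup set before trusting it, added here as an example that is not part of the original post: because the ransomware decrypts on the fly for the logged-in user, the files it has already encrypted look normal from the desktop but are ciphertext on disk, and a backup taken during that silent period copies the ciphertext. The script below walks a backup directory and flags files whose bytes do not look like the plaintext their name suggests (wrong header for the extension, undecodable "text", or near-random byte distribution). The magic-byte table, the entropy threshold and the constructed sample backup are assumptions for illustration, not anything from the post.

```python
import math
import os
import tempfile
from collections import Counter
from typing import List

# Assumption: a small table of file headers is enough to illustrate the check.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
}
# Formats that are legitimately high-entropy (compressed), so entropy alone says nothing.
COMPRESSED = {".zip", ".gz", ".png", ".jpg", ".jpeg", ".mp4"}
TEXT_EXTS = {".txt", ".csv", ".log", ".md"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data approaches 8.0 (assumed cut-off)
MIN_ENTROPY_SAMPLE = 256  # too few bytes give a meaningless entropy figure


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte histogram of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True if the head of a file does not look like the content its extension promises."""
    ext = os.path.splitext(name)[1].lower()
    # 1. Known binary formats must start with their header.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return True
    # 2. Text files must decode and be mostly printable characters.
    if ext in TEXT_EXTS:
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return True
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
        if text and printable / len(text) < 0.95:
            return True
    # 3. Anything not expected to be compressed should not look random.
    if ext not in COMPRESSED and len(data) >= MIN_ENTROPY_SAMPLE:
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            return True
    return False


def scan_backup(root: str) -> List[str]:
    """Return backup-relative paths of files that look encrypted rather than like their type."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read(65536)  # the head of the file is enough for these checks
            if looks_encrypted(fn, data):
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


# Constructed stand-in for ciphertext: every byte value equally often (entropy 8.0,
# not valid UTF-8). Used instead of os.urandom so the demo is deterministic.
CONSTRUCTED_CIPHERTEXT = bytes(range(256)) * 16


def demo() -> List[str]:
    """Build a constructed backup with two good files and two 'encrypted' ones, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as f:
            f.write("quarterly figures, see attached sheet\n" * 20)
        with open(os.path.join(root, "report.pdf"), "wb") as f:
            f.write(b"%PDF-1.4\n% constructed stub, not a full document\n")
        with open(os.path.join(root, "invoice.txt"), "wb") as f:
            f.write(CONSTRUCTED_CIPHERTEXT)  # a 'text' file that is really ciphertext
        with open(os.path.join(root, "logo.png"), "wb") as f:
            f.write(CONSTRUCTED_CIPHERTEXT)  # a 'PNG' with no PNG header
        return scan_backup(root)


if __name__ == "__main__":
    for item in demo():
        print("suspicious:", item)
```

Run it against a mounted backup (`scan_backup("/mnt/backup")`) as a routine check rather than only after an incident: a backup that starts producing hits is the earliest signal that the silent phase the post describes is already under way, and it tells you which older backup generation is the last clean one.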

What about decrypting the data? No - modern crypto is strong enough to make that impossible.

What about paying the ransom? Colonial Pipeline paid $5 million. Let's hope that they got their data back - but this is obviously going to encourage more people to deploy ransomware. It's a get-rich-quick scheme that works. And payment is in bitcoin, and so impossible to trace.

I first met ransomware in 1989, when a 5 1/5 floppy arrived through the post. It was the "Aids Info disk". It came with a piece of paper requesting $189 as the cost of the software. And when I installed it, it encrypted (with a very simple code) all the filenames (not the files) on the test computer that I installed it on; it was easy to reverse this. The perpetrator eventually got arrested and tried.

So, the ransomware is only writing to files that the user has write access to. The only way to stop it is to prevent it from being installed.

Some people suggest "user education". That doesn't work. It's been tried. We can't even stop people from killing themselves with tobacco or speeding cars, or using the phone while driving.

And also, maybe you remember the Incident of The Register? I do, because it got me. The Register is an informative tech news web site; I visit it most days. In 2004, I made one of my regular visits, and immediately, all hell broke loose. It turned out that if you were running Windows, and Internet Explorer version 6, you were vulnerable. The malware was in an advert, being served by Falk AG (a middleman in the advertising business) into an iframe on the Register page.

I spent half an hour trying to get rid of it, but I obviously didn't root it out deeply enough, because each time I thought I got rid of it, it came back. Eventually, I decided to zap that hard drive and reinstall Windows, and then I realised that this would be a good time to change to Linux Workstation.

So, you see - no amount of user education would have stopped me visiting a legitimate tech news site (that I still visit). And that is why, even today, I block most advertising.

Having said that, there are so many other ways that malware can get onto your computer. I block adverts, and also JavaScript - but sometimes I have to allow it, so that I can perform some action. This wouldn't be an issue for most users; most users don't need to see adverts, popups or dancing chickens. So maybe a good start would be to lock down users' computers to disallow all that.
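One way to apply the "block by default, allow where needed" lock-down the paragraph describes, added here as an example and not something from the post: a managed Chromium policy file that turns script off for every site and whitelists only the sites a user has to work with. The policy names `DefaultJavaScriptSetting` (2 = block) and `JavaScriptAllowedForUrls` are Chromium's managed policies; the file location (`/etc/chromium/policies/managed/` on Linux, mirrored under the `Software\Policies` registry keys on Windows) and the two example hostnames are assumptions for illustration.

```json
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "https://intranet.example.invalid",
    "https://payroll.example.invalid"
  ]
}
```

The weak setting is the browser default, `"DefaultJavaScriptSetting": 1` (allow everywhere), which is what lets an advert in an iframe run whatever it was served with; with the block-by-default policy in place a site that is not on the list gets no script at all, and a user who needs one more site has to ask rather than click "allow" in the moment.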

Another useful precaution is to avoid using software that most people are using. So, I don't use Windows now. If you really have to use Windows, don't use one of the common browsers.

But the bottom line is that as long as ransomware is immensely profitable, people will create and spread it.
