Sunday 4 July 2021

Day 475 of self-isolation - Ransomware


We're seeing a lot of attacks by ransomware recently. Ransomware is when the files on your computer systems get encrypted, and you're asked to pay for the decryption key.

The media seems to think that these are targeted, and that they are done by state actors.

I think that's making unnecessary assumptions. I think they're done by ordinary criminals, with a profit motive. And they aren't targeted; they're just sprayed around at random.

Ransomware goes back a long way. I received one of the first efforts - the "Aids Information Disk". If you ran it, then it encrypted the filenames on your hard disk (the filenames, not the files) and then demanded money to decrypt them. It arrived by post, in an envelope - I think I might still have mine.

But it's all more sophisticated today. The AIDS Disk encryption was easily reversed, but modern ransomware uses a cryptosystem that isn't so easy to break. And such dual key cryptosystems are widely available, and easy to implement. Payment also used to be a problem - if you mail dollars to an address, that address can be watched and the culprit arrested. But these days, you're asked to pay by Bitcoin, so the payment is untraceable.

Distribution is easier now. You don't have to mail out a few hundred diskettes; you can spam millions of email addresses with something tempting, and some people will fall for it.

The situation is made worse by the fact that many people have given up control over their computing needs, by running the software on Someone Else's Computer, and storing the data likewise. It's called "the cloud", but what it means is that you no longer have control.

Coop Sweden says it closed more than half of its 800 stores on Friday when their checkouts stopped working. The failure was actually at a US software supplier, Kaseya. Someone Else's Computer. The security that the Coop was using was not the issue; the failure was on Someone Else's Computer.

How does the ransomware spread? There's probably more than one way, but the most obvious way is via an email that persuades you to click on a link; doing so installs the ransomware on that computer, and then the ransomware has read/write access to anything that the computer can access.

What's the answer?

If I were trying to defend a company from ransomware, I would arrange email so that you cannot click on a link. How is that possible?

For 30 years, I've been using a mail client that is NOT web-based. The one I use is called "pine" or "alpine", but there are probably others. I cannot click on any link that is emailed to me, and that, of course, can be a nuisance, because it's very clear to me that everyone assumes I can click on a link. And these days it's actually difficult to explain, even to someone in technical support, that I can't click on the link they just emailed me.

What I can do is go through a rather clumsy process: I need to display the actual link (not just what it pretends to be), and then copy that URL into a browser, and by the time I've done that, I've had plenty of time to reflect on whether this is a good idea.
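The "actual link versus what it pretends to be" check is something a mail gateway or a mail client can do mechanically. The following is an added example, not code from the post and not part of pine or alpine; it parses the anchors in an HTML mail body with Python's standard library and flags any anchor whose visible text looks like a URL or domain but whose real href points at a different site. The mail body and host names are constructed for the example, and the "registrable domain" helper is a deliberately crude last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML mail body: the first anchor displays one site but
# links to another; the second is consistent; the third has plain-text anchor text.
SAMPLE_HTML = """
<p>Your invoice is ready. Please sign in at
<a href="http://login.example-bank.com.evil-host.test/auth">https://www.example-bank.com/login</a>
to view it. Support: <a href="https://support.example-bank.com/">support.example-bank.com</a>
or <a href="https://files.example.com/doc.pdf">download the PDF</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that "looks like" a URL or a bare domain name.
DOMAIN_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(value):
    """Lowercase host of a URL or bare domain, or None if there is none."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def registrable(host):
    """Crude site approximation (assumption): keep the last two DNS labels."""
    return ".".join(host.split(".")[-2:])


def check_links(html):
    """Return one finding per anchor: (href, text, real_host, verdict)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        if DOMAIN_RE.match(text):
            shown = host_of(text)
            if shown and real and registrable(shown) != registrable(real):
                verdict = "MISMATCH"  # text claims one site, href goes elsewhere
            else:
                verdict = "ok"
        else:
            verdict = "plain-text-anchor"  # nothing claimed, so nothing to compare
        findings.append((href, text, real, verdict))
    return findings


if __name__ == "__main__":
    for href, text, real, verdict in check_links(SAMPLE_HTML):
        print(f"{verdict:18} shown={text!r:45} real_host={real}")
```

A "plain-text-anchor" result is not a clean bill of health; it only means the anchor text made no claim that can be contradicted, which is exactly why the post's habit of reading the real URL before visiting it still applies.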

A text-based email system isn't a full answer - there are other measures that can be taken. But I think that if a company switches to that, they are less likely to be caught by an attempt to exploit the trust of users.

What else can you do? Think about a ransomware attack that gradually encrypts your data, but only announces itself after some weeks. And design a backup system that can cope with that.
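To make the backup point concrete, here is an added example (not from the post) that models a grandfather-father-son snapshot retention policy and asks the question the post raises: if the ransomware started encrypting on some day and only announced itself weeks later, is there still a retained snapshot taken before the encryption began? The policy numbers (14 daily, 8 weekly, 12 monthly snapshots, one snapshot per day) and the dates are constructed assumptions for the example.

```python
from datetime import date, timedelta

# Constructed retention policies. GFS keeps recent dailies, then Sunday
# weeklies, then first-of-month monthlies. WEAK keeps one week of dailies only.
GFS = {"daily_days": 14, "weekly_weeks": 8, "monthly_months": 12}
WEAK = {"daily_days": 7, "weekly_weeks": 0, "monthly_months": 0}


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later`."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def snapshots_kept(today, policy=GFS):
    """Dates of snapshots still retained on `today`, assuming one was taken every
    day and the policy prunes anything outside its three windows."""
    horizon = max(policy["daily_days"], policy["weekly_weeks"] * 7,
                  policy["monthly_months"] * 31)
    kept = set()
    for n in range(horizon + 1):
        d = today - timedelta(days=n)
        if n < policy["daily_days"]:
            kept.add(d)
        elif n < policy["weekly_weeks"] * 7 and d.weekday() == 6:  # Sunday
            kept.add(d)
        elif d.day == 1 and months_between(d, today) < policy["monthly_months"]:
            kept.add(d)
    return kept


def oldest_snapshot(today, policy=GFS):
    """The oldest retained snapshot; its age is the longest dwell time covered."""
    return min(snapshots_kept(today, policy))


def clean_snapshot(today, infection_day, policy=GFS):
    """Most recent retained snapshot taken strictly before encryption began,
    or None if the policy has already pruned every clean copy."""
    candidates = [d for d in snapshots_kept(today, policy) if d < infection_day]
    return max(candidates) if candidates else None


def restore_report(today, infection_day, policy=GFS):
    """Summarise what a restore can recover for a given dwell time."""
    snap = clean_snapshot(today, infection_day, policy)
    dwell = (today - infection_day).days
    if snap is None:
        return {"dwell_days": dwell, "clean_snapshot": None, "lost_days": None}
    # Work written between the clean snapshot and the infection is lost.
    return {"dwell_days": dwell, "clean_snapshot": snap,
            "lost_days": (infection_day - snap).days}


if __name__ == "__main__":
    today = date(2021, 7, 4)            # the day the ransom note appears
    infection = date(2021, 5, 30)       # quiet encryption began five weeks earlier
    print("GFS :", restore_report(today, infection, GFS))
    print("WEAK:", restore_report(today, infection, WEAK))
    print("GFS covers dwell times up to about",
          (today - oldest_snapshot(today, GFS)).days, "days")
```

Two things the numbers make visible: a one-week retention window leaves nothing to restore once the dwell time exceeds a week, and even the longer policy trades restore granularity for depth (the clean copy is a weekly, so a few days of work are lost). The model also only holds if the retained snapshots are somewhere the infected machine cannot write to; the post notes that ransomware gets read/write access to anything the computer can reach, so snapshots reachable as ordinary files would simply be encrypted along with everything else.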

What can't you do? I am firmly of the opinion that user education doesn't do much. Users don't care about computer security, they think that the IT department takes care of that. And, in general, people don't care about security. You can see the proof of that for yourself by driving on a motorway, and seeing how far apart people think is safe.

