With ransomware attacks on the rise, big organisations like the NHS, banks like CIMB and national posts like POS Malaysia have been victims, costing lots of money and downtime for critical services. Even some cities in the US have been affected bringing down their admin systems and delaying processes for weeks. The spread of ransomware has shown that the lack of regard for good security measures should not be disregarded and that there are many people in the job who should not be in there if they have to post and ask what to do or even allow it to happen in the first place, makes me question why the heck am i writing this, starving to death jobless because i upheld strong and good practices in software development, security and customer safety while these guys get all the money for blindly doing what is asked and not caring about the quality of their work and a well designed system architecture. It took a lot of effort, research and html coding to write this article (yes wordpress was not sufficient, so i had to add my own html for better presentation).
->What is ransomware.
Ransomware is a type of malware that encrypts your files, deletes the original, and holds them for ransom requiring you to pay to get the key to decrypt them. I was once hit by ransomware on a VM of mine hosting a game server. Thankfully it was a single purpose VM and the game always churned out new files it an easy fix, to not lose any game time and to simply restore the OS and config from a backup copy of the virtual drive but it as caused by remote desktop to my server exposed for only a day because an admin could not use VPN.
->How it most commonly spreads
Ransomware spreads through both an infected file such as a trojan, and networks where vulnerable software are exposed.
Most commonly spread through known software vulnerabilities such as windows remote desktop and through them from being exposed to a network such as from another infected device on the network or from port forwarding or service exposed to the internet. They also spread through remote code execution vulnerabilities currently present in microsoft’s RDP and other applications which is where code can be executed in a target machine remotely such as from something as simple as leaving a piece of code in comment by an attacker on a web server or through an application and the protocol it uses such as sending a payload or command through it which is a very big problem with windows internet explorer and its extensions. They can spread from visiting a malicious website through a vulnerable browser, or an attacker probing for weaknesses and sending code to download and execute the malware or even from an infected host doing the same thing on your local network.
It also spreads from the lack of user zone control and policy such as the permissions to write for different files and directories as well. Some services or applications with remote code execution vulnerability, if exposed to the internet can allow ransomware to infect from there.
Ransomware however cannot target files that are continuously being generated or locked by the OS such as if the file is being used by a software like the OS itself, and in some cases will avoid OS related files to ensure that the victim can communicate with the attacker to pay for decryption which most likely the attacker gets the money and does not give the key for decryption. So advice in coding of not holding a file hostage (locked) in the OS for writing allows for the file to be encrypted by ransomware but at the same time, a locked file can stay lock should the software crash and cause even more issues until reboot. It does not target data in ram as well at the moment since its a fickle thing to do, risking a crash aside from modern OSes and hardware having contained memory to prevent malware from infecting another software’s memory.
->Preparing for ransomware
–>Back up regularly and redundantly
Certain backup measures are vulnerable to ransomware, and some aren’t. Physical media attached to the host will get infected when attached to an infected host, whereas networked media compatible with the OS directory system such as a mapped network drive is also just as vulnerable. Although its important to keep offline backups, have more than 1 offline backup drive. For networked storage, make sure it is done through other means and not by mapping a drive or directory to your OS, even cloud based services are fine if their directories are not mapped to your OS storage choices. Automated backup software is vulnerable to ransomware as the ransomware will be copied over, while at the same time, deleting a file in a folder synced by the software could also do the same on your networked or cloud backup. The best way around this is to use file versioning, which can be done on the host and its attached media backups that are only temporarily attached, and also on the NAS or cloud storage that you use. File versioning is the best line of defence against ransomware as long as the file that’s deleted is not deleted from the file versioning backup and that the backup/versions itself are not accessible like a locked volume. Some online storage providers offer file versioning but should be checked whether deleted files are deleted or still stored as you wouldn’t want the files to be deleted if they are locally.
–>Controlling your network
You should secure your network. Do not port forward or expose a host to the internet entirely, rather use a VPN to access anything that doesnt need to be publicly access. Dont expose your IOTs or smart TVs to the internet either, make sure that any access to them is done through a VPN which you can use your home router as one to access sensitive things remotely so you do not need to purchase a public VPN service as all you have to do is to not expose the device to the internet. When using ipv6 you can opt to use ipv6 NAT as well as despite the performance loss, a translation like with ipv4 prevents direct exposure for potentially vulnerable software that you run. In your own local network, segment it between devices that you control and devices that you dont. 1 problem some networks do is block VPN, which makes it much harder when you have to securely access your own resources (looking at you malaysian mobile telcos).
When you expose your device to another network, using a VPN will not prevent ransomware from spreading to you as VPN only adds another network interface to your device, while the local interface used to connect to that network can still communicate with that network and so without proper firewall control you are more likely to expose vulnerable services running, so it is important to shut off services and software you do not use. In various OSes, disable the services you do not use like windows media sharing which exposes windows media player and media sharing to the network making you visible, which if there is a vulnerability in that service that by default was always on in windows 7, would allow you to get infected. Tweak your OS installation to disable unused services and software, and use the firewall to control even software that you use what they can use or do when it comes to communication. Becareful of what software or services you open when you are on a different network or when directly connected to the internet. If a software is vulnerable like microsoft internet explorer, use an alternative like google chrome or firefox which are both more secure than IE. There are also other secure alternatives like opera for browsing, and combined with secure browser extensions you also need to configure your browsers for security as well. For remote access, SSH or x over SSH or even VNC are secure alternatives to microsoft RDP. So becareful what you use when on another network or even your own network if you are setting up servers, single purpose thin clients and etc . Lock down what you can which would not only limit potential vulnerabilities, but also reduce hardware resource usage and potentially improve battery life.
–>User and directory control
One way to secure a system against ransomware is to use user and directory control. There are 3 basic attributes you can set on various OSes, they are known as read, write, execute. Read allows a file or files in a directory to be read. Write allows modifying a file, or writing a new file into a directory while execute allows a file or all files in a directory to be executed by allowing the CPU to process it like instructions. Oses will have more like modify, full control, special permissions but these do apply to things like changing the file’s permissions and so on though many can be derived from the basic 3. On linux the numbers correspond like this
0 = No Permission
1 = Execute
2 = Write
4 = Read
you then add up the permissions you want to give. It then gets more complicated as you can apply it only to a single user, a group of users, or everyone. So when applying this rule you can use this to restrict directories to only be writable/accessible to certain users. Disable users like the guest user (make sure it is disabled or deleted and unable to be used not even in authentication or in any way), and especially in services, make sure that each software/service runs under its own user and set the default policy for users to be unable to access anything outside their own directory. Give manual access when needed in a specific way (like if you need to give apache access to a config file in /etc , dont give it 777 in /etc, but rather only give it 700 for its specific file, and the higher directory not owned by it, 444 . Restricting things to read only and allowing a software to only run as its own user with only manual access given only to its own files can help a lot in preventing a serious spread of ransomware. On windows, even by using the read only flag and manually configuring the users and policies, windows does allow file modification even when it is read only or user restricted which is a big problem and so you will need to use window’s own file versioning system at minimum since user access control on Miscrosoft windows is not very effective, but that brings us to another measure below.
You can also use software options to help. Some anti-malware like windows defender has a ransomware defence option which restricts file access. It can be an effective way to stop ransomware but it can be a pain/hassle when you need to run a program or do certain things. It works best on systems that do not change like a navigation kiosk, server or an ATM (seriously don’t use windows here even if it is an option). There are plenty of software measures that can be used to stop ransomware from getting a hold of your files and plenty of decent anti malware software to choose from.
Lastly don’t forget to keep your system up to date and its software. Even if an update creates a new exploit, you are more likely to be attacked because of an old version of a software than a new one, so update, backup, configure and isolate devices especially if it gets infected. You can also run a networked anti virus as well and one that also checks the network for suspicious connections, even implementing a IDS/IPS alongside a configurable router/firewall/gateway and switch to help reduce the vulnerability of software you have to run and expose to the net. Use white-lists for accessing administrative roles as even from the internet you can configure your VPN IP address statically and use custom routing setups with that.
->How to deal with ransomware
Ransomware like any malware can be very devastating to varying degrees from no hope of recovery and a total system wipe to being able to run programs to remove the malware and recover the files.
–>dont panic and dont pay!
Paying the fee will only encourage them, and not always do the attackers get the key to decode your files, but will take your money regardless without giving you the key, and may also just leave you stranded irregardless. Its very important to remember, you cannot trust a criminal on the job, there is no honour among thieves so do not waste your time, effort and money contacting the attackers to get your files back, as theres only a less than 10% chance that this will work. I hope you would’ve taken the measures mentioned here at least and take steps to solve it without resorting to empowering the attackers more with your money. When you get attacked, if you cant recover your files, consider them lost for good and save yourself the time, money and hassle.
–>Dont shut down yet
The key to decrypt your files may still be in memory, and shutting down the system may make backing up any files possible impossible since files in use are locked by the OS. Game servers for instance produce new saves without relying on old files, and so can be backed up instantly after a save to reduce minutes of lost game play time. Software thats still running will also have a lock on their files, preventing the ransomeware from infecting them. Make sure however to disconnect it from the network (unless you want to backup what you can via the network but make sure to isolate it at least)
–>Backup what you can
find and copy what files you need through a more secure way. if you have a VM, you could poke around the virtual disk externally and safely, or simply copy them through the VM’s implementations for file transfer. If the system is not virtual, i suggest to use SSH or FTP since they are command based and not browser based. FTP can be used natively from various OSes command lines which should still function with non windows OSes (not android or apple IOS) having SSH built in and usable even in a bad situation. Remember not to map any storage or use automated copying in the process. Its a laborious manual process.
Now you can start trying to recover the files. If you have a backup that you can just hit format and restore from an image or reinstall and backup the files, this would be the easiest method, otherwise before you turn off the infected system consider some methods below.
If you didnt shut off the system, the key to decrypt your files may still be in memory. Start getting on that hex editor and reading the RAM. You can also take a full dump of the memory to study through it offline. If the ransomware is devastating, there may not be a key if the key had already been sent to the attackers, but its worth a look. You can now turn off the system for other methods below.
Decrypt your files via brute force. If you cant find a key, you will need to brute force to figure it out. This means taking a file and using a decryption software for it, though GPU acceleration and a networked GPGPU cluster will significantly speed this up as long as the encryption can be identified.
If your storage use was not fully utilised, like 10% total (files prior + files after attack) or less, then theres a high chance it may not have been written over. Both hard drives and SSDs only delink files that are deleted rather than actually deleting them, especially with SSDs to level out the wear. This is one easy way to get your files back by scanning the drive for deleted files. This is also a long process but for lowly utilised SSDs can be a huge recovery chance. Make sure this is done offline through another host (or booting a live distro). You can then recover the files, format and reinstall from scratch.
I would like to add more, even put some pictures and charts and example scenarios while improving presentation when i have time, in the mean time feel free to suggest some and even point out improvements and mistakes, thanks for reading it this far
Note: -> Text is clickable