
Recently, my employer blocked access to Gmail, Yahoo Mail, etc., because an employee downloaded an email attachment which contained ransomware and got their disk encrypted.

QUESTION: How does ransomware get the root/admin permissions to encrypt your disk? Presumably, the person who downloaded it had to have entered the admin/root password at some point.

techraf

  • Usability vs Security. My system restricts all non-admin folders (basically everything in the user folder) with a white-list of programs that are allowed access. This should block most ransomware, but it causes usability problems (having to white-list programs). Most users will gladly sacrifice a little security for usability. – AstroDan Dec 07 '16 at 14:49
  • Related: https://xkcd.com/1200/ – CodesInChaos Dec 07 '16 at 20:50
  • @AstroDan Once again affirms what we already know: Security that comes at the expense of usability comes at the expense of security. – Williham Totland Dec 07 '16 at 21:14
  • Usually it doesn't encrypt your disk. It just encrypts all your important documents that you already have permission to access. – user253751 Dec 07 '16 at 22:54
  • With the little information included in this post, it sounds like your employer is overreacting. You name Gmail and Yahoo Mail, two services which remove most malware. It seems much more likely that the user got that malware elsewhere, like using Outlook to check both Yahoo and a home ISP mail server. And who is to call the user on doing that, because the evidence is gone. Instead of targeting the specific email program used on that computer, your employer appears to be painting with a very wide brush. Sounds like a hardware error: the nut between the chair and the keyboard. – SDsolar Dec 10 '16 at 21:10
  • It would be interesting to know which email systems the employer approves of. It seems apparent that your employer is not providing a solution to the problem. Just closing the windows after the daughter has gone out the front door. – SDsolar Dec 10 '16 at 21:15

3 Answers


Ransomware doesn't get root/admin permissions, because it does not need to.

It does not encrypt the disk or files protected by the operating system (executables, configuration, credentials); it encrypts files created and stored by the users (data), and all it requires to do so is the same level of access as the users themselves.

Just like a user would create a password-protected zip and delete the original file, so does ransomware (except, it keeps the password in secret and makes sure the original file is really inaccessible).

That's the whole reason why ransomware is so successful: it encrypts what is the most valuable for users and companies: their work.

techraf

  • "it keeps the password in secret" I either vaguely remember or imagine that they use public/private key pairs, so that the "password" isn't even stored on the user's machine. Is that correct? – jpmc26 Dec 07 '16 at 22:56
  • Of course they do, sometimes they even employ complex schemes to implement a master key functionality, like explained here: http://security.stackexchange.com/a/131493/86652. Here I used an analogy ("just like") to explain that from a user perspective the password is kept secret. – techraf Dec 07 '16 at 23:03
  • @jpmc26 But strictly speaking file encryption is usually performed using symmetric encryption, and then the key is encrypted with an asymmetric one. – techraf Dec 07 '16 at 23:13
  • Or they just corrupt the data permanently, and after you pay the extortion fees you find out you've not just been held to ransom but then scammed out of your money as well. – jwenting Dec 08 '16 at 08:19
  • @jwenting They make very good money off extortion fees. If they weren't reliable (strange as it sounds), they would cut off their source of income. – techraf Dec 08 '16 at 13:18
  • Fortunately, there is a repository holding all that is relevant. Only stupid people hold important documents on a local computer. – BЈовић Dec 08 '16 at 15:30
  • @techraf They just start afresh with another PayPal account (or whatever anonymous payment service they use). Most victims aren't going to go public anyway, and if they get just a few hundred to pay a few thousand dollars before they disappear they're rich. Start again with a new (probably stolen) identity and do the same again a few weeks later. – jwenting Dec 08 '16 at 19:41
  • What you suggest has no reflection in reality: malware analysts confirm the design of ransomware to allow for decryption. It also makes no economic sense. Developing effective ransomware is hard, spreading it is hard; on the other hand, once it catches on it benefits hugely in the long run, so there's no incentive for hit-and-run. – techraf Dec 08 '16 at 23:18
  • @jwenting The idea of trust is weirdly important; some ransomware hackers even provide a type of 'customer support' to help people make the payments, as strange as that sounds. https://www.engadget.com/2016/09/09/customer-service-matters-when-it-comes-to-ransomware/ – Jezzamon Dec 08 '16 at 23:38
  • @jwenting is partially correct: there have been a couple of instances of ransomware that was just deleteware. These appear to die out rapidly. Not sure whether that is because ransomware gangs put pressure on the fake ones... – Rory Alsop Dec 09 '16 at 13:22
  • Does that mean that I can protect my files by backing them up to a protected system directory? – programmer5000 Jun 01 '17 at 16:54
  • @programmer5000 Maybe. If the "protected system directory" is writable only with elevated privileges and the malware is running as a regular user process, it won't be able to alter the files. But if there is a simple mistake somewhere in the process, you might end up with encrypted files being backed up. – techraf Jun 02 '17 at 00:10

While techraf has the correct answer (that it only encrypts user-space files), I wanted to add that if it did want to do stuff to other parts of your disk, it would do so the same way as some other malware... via exploit.

Malware authors can find flaws in operating system design that allow mundane programs to get to places they shouldn't. Buffer overflows, IPC flaws, poor encapsulation, and simple mistakes can make it possible for programs to get into places they shouldn't. This is why it's important to patch your machine regularly, and keep those Windows Updates current. Even anti-virus software won't help if the operating system it depends on has a flaw that allows a virus in behind it.

This is why it's important not to use Windows XP any more (and Windows 7 after next year)... these flaws are no longer fixed as they are discovered. Security add-on products like anti-virus don't help protect against these problems, as they themselves are merely guest processes in the operating system that depend on its functioning low-level security in order to do their jobs.

Joel Coehoorn

  • Upvote, but I would add that there still can be a place for WinXP. Microsoft took the last version and added all the service packs, then released it to be used for free. I have taken that, loaded only the two programs I need, and given the system its own NAT router. I would never use it as a general PC. I wouldn't run any computer in the wild without NAT and a decent antivirus/firewall - those get regular updates, no matter which OS. The key is right-sizing your equipment, knowing the risk/benefit tradeoffs. My WinXP machine is a Latitude D610 which would otherwise be useless. – SDsolar Dec 10 '16 at 21:28
  • The free version is only licensed for use in a virtual machine. If you're running it on bare hardware, you may be in violation of that license. – Joel Coehoorn Dec 10 '16 at 21:48
  • You did not provide a reference so I can't fact check. While I know it runs in a virtual machine, I see no prohibition on running it on old hardware. It is the Professional version with all service packs. It sure has helped me because that old laptop is right-sized for satellite reception (Firefox with Flash and updates) and ZaraStudio, also free. It makes for a very nice small CSN radio station (http://www.csnradio.com/listen). As for Windows XP Pro for free, here is where you can get it: http://softlay.net/operating-system/windows-xp-sp3-iso-full-version-free-download.html – SDsolar Dec 11 '16 at 20:03

No, not really: the malware or ransomware can actually do its work without gaining admin privileges, just as an ordinary user.

Apart from that, the malware or ransomware uses known exploits like the NSA exploits which got leaked by the Shadow Brokers group. Likewise we have examples: the WannaCry malware, which took the world by surprise with a huge number of infected computers, actually exploited the EternalBlue exploit, which makes use of a vulnerability in the Windows SMB Relay. Then the ransomware went on to encrypt the user's valuable files.

Rooting or gaining admin privileges part

So, more often ransomware mainly targets known exploits, so yes, even I can develop a malware which can target unpatched Windows systems and further, if I want, gain root access to perform something more malicious. For an example, my friend and fellow researcher SandboxEscaper disclosed an ALPC LPE bug in Windows earlier this week; we can actually implement it in the malware to gain Local Privilege Escalation after making a user download an executable or malware we develop, and perform more malicious actions on the system. But rooting or gaining admin privileges isn't always required.

Bottom line: Ransomware uses specific known exploits and, to reach a specific level of damage, might as well chain remote bugs with LPE to widen its impact, but this isn't usual since it can encrypt files with normal user privileges.

A Khan