47

I just read that "ransom" attacks are on the rise - where the attacker uses a vulnerability to enable them to encrypt files and demand money for the key.

Why is this any different to a disk failure, where the solution is "get the backup"?

GreenAsJade
  • Why are they successful? Because they honor their end of the bargain when you pay the money. You actually get your data back, unlike a crashed hard drive, which may or may not be recoverable by a forensics operation. In 2012, a single command and control server generated $394,400 per month in ransom. Source: https://www.us-cert.gov/ncas/alerts/TA14-295A – ThisClark Aug 10 '15 at 02:49
  • An incredible breakdown of the 2014 CryptoWall attack, seen in network traces etc.: https://blogs.mcafee.com/mcafee-labs/cryptowall-ransomware-built-with-rc4-bricks – ThisClark Aug 10 '15 at 02:56

11 Answers

70

Most people don't have backups. Most people who do have backups, haven't tested them to make sure they work.

The real difference between disk failure and ransomware is that paying the ransom is cheaper than paying a data-recovery company, and is more likely to get your data back.

Mark
  • Also, newer ransomware encrypts the files while keeping them accessible, and only disables the access when most files are encrypted. So the backup can also be encrypted, unless you do incremental backups regularly! But most home users don't do any backups at all. – Josef Aug 07 '15 at 07:05
  • I can't imagine how one would collect data to judge which option has the highest probability of success. – kasperd Aug 07 '15 at 08:07
  • As the saying goes, you don't have a backup unless you've tested that you can restore it. – Steve Jessop Aug 07 '15 at 11:11
  • Lots of pre-built backup solutions are also fundamentally flawed and vulnerable to ransomware: there is no hardware-enforced append-only policy, so the ransomware can get full rw access to the backup and encrypt it too. – R.. GitHub STOP HELPING ICE Aug 07 '15 at 18:43
41

A few people are mentioning backups as a fix for ransomware. Ransomware works because the target is not prepared for the outcome. While a failed hard drive and a ransomware encryption can both be "recovered" from by restoring a backup to a new drive, the ransomware is sometimes malware that runs on the machine itself. In any event, restoring from an external backup will not remove the issue that allowed the attackers access to the system in the first place. This requires countermeasures such as:

  1. elevated security permissions on a system to prevent trojans
  2. remote backup strategies to prevent connected backups from being encrypted
  3. infiltration detection in the event of something like a worm
  4. hardened passwords to prevent intrusion

Unfortunately most computer users do not have these countermeasures in place.

To recover from a failed drive, simply make backups to an external disk. Upon drive failure replace the disk and restore the volumes. Simple.

Recovering from ransomware requires time, downtime, and investigation to determine whether the machine was compromised due to:

  1. a user account running with permissions that were too high for the user's needs (desktop user as administrator)
  2. an infection on another machine or device that allowed a user to pivot to the system allowing the infection (infected domain controller)
  3. a lack of awareness in regard to something like a phishing attempt in an e-mail where the user clicked on something they did not intend to (along with #1)
  4. very simple passwords (if the attack was on-site)
  5. remote access permissions into a machine with remote access software like LogMeIn or Windows Remote Desktop
  6. a non-firewalled network
  7. other compromised systems like IoT devices

If the cost of an investigation is expensive, it may be cheaper to pay the ransom.

Note: the system/network still needs to be secured prior to and after an investigation, otherwise the same attack can recur.

In some cases, by enabling encryption on a volume with BitLocker where the volume was not already encrypted, the attacker can prevent access to the entire volume locking the user out of their own system. In this case it's a Windows feature. There would be no evidence of anything "installed" on the system, but rather there would be evidence of an intrusion if the system was configured in such a way that the user's account could be compromised either remotely or in-person with the insertion of an infected device.

On Disk Failure

When a disk fails you simply replace the device because it was a physical failure. If several disks are failing, then there is an issue with the controller. You can only tell whether a disk has failed by testing it in a different machine: if a new disk exhibits the same symptoms, the controller is suspect; if you test a new disk in the failed machine and it works, then you know the controller is okay. In situations like a RAID where multiple disks work together, a failed disk can take out other disks, so there is a chance of systemic failure across multiple devices. Think about bad sectors and file corruption on a single drive being mirrored to multiple copies on a RAID. Disk failure is typically limited to one machine, with the exception of networks where terminals (thin clients) all connect to a central system. Replacing a failed disk usually remedies the issue. Statistically you're not likely to experience the same issue unless the replacement disk was purchased at the same time and was part of the same vendor run, in which case it might be a manufacturer defect of a component line.

It's not always only one machine with Ransomware though

Some ransomware can actually encrypt more than one machine on a network. I have a client whose server was infected, and allowed the virus to spread to multiple machines on the network and then the server and workstations were all locked. In cases where the server might not be infected, but is acting as a host, this can cause recurring infections to workstations that connect to the infected files. Regardless, the issue needs to be fixed systemically to stop the infection.

If a hard drive in a workstation dies it doesn't replicate the failure across a network. Comparing ransomware and hard drive failures is like comparing cancer to a broken limb; they are both debilitating.

AbsoluteƵERØ
  • Even if you pay the ransom you should still have to investigate how the breach happened. – Christian Aug 07 '15 at 12:17
  • I'd argue that also, at least recently, ransom attacks are far more common than hard drive failure. Last year I had one co-worker fall prey to the former, and zero instances of the latter. – Rick Chatham Aug 13 '15 at 19:57
  • @Christian exactly. You're still at risk. – AbsoluteƵERØ Sep 04 '15 at 16:10
  • Ransomware is very easy to get around: if you follow your Microsoft updates (going on a standard Windows user), your system keeps restore points. Ransomware is an application, so resetting back to a previous point keeps your files but removes all applications. Booting in safe mode will allow you to get around this (well, this is what I had to do for a neighbour when they went on naughty websites D: ) – TheHidden Oct 02 '15 at 09:59
  • @silverpenguin Ransomware works by encrypting the files on your disk with a key only the software's creator knows. So even if that method you cite *did* remove the ransomware software (and my guess is it won't, as I suspect system restore only works on well-behaved software), it still wouldn't recover your files. – Ajedi32 Oct 02 '15 at 14:37
  • @Ajedi32 Not all ransomware works the same; some just lock the computer and threaten to delete the files (this is one I HAVE encountered)... I would like to get hold of some ransomware, just so I could see how they manage the keys... I'm guessing they use PPK; if not, it feels like you would be able to trace the key on the hard disk somewhere – TheHidden Oct 02 '15 at 14:47
  • @silverpenguin Yeah, that sounds like some really crappy ransomware. I've never encountered any ransomware in the wild, but all the examples I've heard about up till now use asymmetric cryptography to encrypt files so only the attacker can recover the data. The kind of ransomware you're describing doesn't seem like a serious threat at all. "Really? You're *going* to delete my files? Care to explain how exactly you're going to manage that after I unplug my hard drive?" – Ajedi32 Oct 02 '15 at 14:53
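An added example (not part of AbsoluteƵERØ's answer or anything else in the thread) of the "infiltration detection" countermeasure in the list above: a small detector over constructed file-server audit events that flags one account rewriting or renaming many distinct files inside a short window, which is what a workstation spreading encryption onto a shared server looks like from the server side. The event tuple layout, the 60-second window and the 20-file threshold are assumptions, not any product's log format or defaults.

```python
"""Burst detector for ransomware-style mass file rewrites on a file server.

Added example, not code from the original answer. It walks constructed audit
events (timestamp, user, host, action, path) and raises one alert per user who
touches THRESHOLD or more distinct files inside WINDOW, reporting the extension
that dominates those files. Layout and tuning values are assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)       # sliding window per user (assumed tuning)
THRESHOLD = 20                       # distinct files in one window (assumed tuning)
TRIGGER_ACTIONS = {"WRITE", "RENAME"}


def constructed_events() -> list[tuple[datetime, str, str, str, str]]:
    """Constructed sample: five normal saves by alice, then bob's workstation
    renaming 25 spreadsheets to a new extension within half a minute."""
    base = datetime(2015, 8, 7, 9, 0, 0)
    events = [
        (base + timedelta(minutes=i), "alice", "WS01", "WRITE", f"/share/docs/report{i}.docx")
        for i in range(5)
    ]
    burst_start = base + timedelta(minutes=10)
    events += [
        (burst_start + timedelta(seconds=i), "bob", "WS02", "RENAME",
         f"/share/finance/q{i}.xlsx.encrypted")
        for i in range(25)
    ]
    return events


def detect_bursts(events) -> list[dict]:
    """Return one alert per user whose distinct-file activity inside WINDOW
    reaches THRESHOLD. 'files' is the count at the moment the alert fires."""
    recent: dict[str, deque] = defaultdict(deque)   # user -> (time, path) still in window
    alerted: set[str] = set()
    alerts = []
    for ts, user, host, action, path in sorted(events):
        if action not in TRIGGER_ACTIONS:
            continue
        window = recent[user]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW:             # expire events older than WINDOW
            window.popleft()
        files = {p for _, p in window}
        if len(files) >= THRESHOLD and user not in alerted:
            ext, n = Counter(PurePosixPath(p).suffix for p in files).most_common(1)[0]
            alerts.append({
                "user": user, "host": host, "at": ts, "files": len(files),
                "dominant_ext": ext, "ext_share": n / len(files),
            })
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(constructed_events()):
        print(f"{a['at']:%H:%M:%S} {a['user']}@{a['host']}: {a['files']} files in "
              f"{WINDOW.seconds}s, {a['ext_share']:.0%} now {a['dominant_ext']}")
```

A legitimate bulk job (a nightly export, a user mass-renaming photos) trips the same rule, which is why the alert carries the host and the dominant extension: an analyst can allowlist known jobs rather than raise the threshold until the rule is useless. The point that matters for the answer above is that this fires on the server where the shares live, not only on the infected workstation.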
9
  • There's the potential of backing up encrypted data with the ransomware
  • Most people aren't backing up to the cloud in the first place
  • If you're regularly backing up your hard drive you don't need to worry about automatically backing up your dead hard drive
  • With the encryption there wouldn't be any way to recover my data without paying the ransom (which isn't guaranteed to work).
  • If the drive dies, there's still the potential that some of it can be recovered.

Overall, hard drive failure has potential to not be as damaging with precautions and recovery services, whereas ransomware is designed to be intentionally much more damaging.

8

For backups to be useful you have to do them regularly. If you work on your computer and your last backup was one week ago, the files created in that week may already be worth the 50-100 $/€ or whatever the attacker demands. And if not-backed-up photos are involved, most are even more willing to pay. This makes this kind of attack quite profitable.

Most people have no clue about computers. They are just plain simple users, with little knowledge of what to avoid or what could go wrong. After all, in most cases when you have a virus or a rootkit, you will know someone who can help you out, save your files, format your computer and reinstall Windows for you. That means for those users the attack comes out of nowhere and they are just unprepared.

And people are also lazy. Even if they knew that backups are useful, most would be too lazy to connect their computer to an external drive periodically. And most wouldn't really know how to do it, besides pulling all files they like manually onto the drive. In which case they could easily miss some or copy so many files that the process gets tedious over time.

Also if your backups are connected to your network/computer they may simply be vulnerable as well, because you are expecting a disk failure, but you think that your network/computer generally is safe from most exploits or users were told what to avoid.

HopefullyHelpful
  • +1 *"Most people have no clue about computers."* Hardest thing about security. –  Jun 01 '17 at 17:12
6

With ransomware, there is a strong psychological element - a feeling of violation.

If your hard drive dies and you have no backup, well that it something that just happened, like an earthquake.

Ransomware is like someone broke into your house; someone actually did something to you. In addition, if a hard drive dies and you have no backup, you're done. If it's ransomware, now the user needs to decide: Do I pay? If I pay, will they actually give me my data?

If a hard drive dies, what's the likelihood of another drive failing? If someone was stupid enough to download the ransomware, they may not know what they did and will be scared that it will happen again. In many cases, the user probably downloaded something, but many users will think they were "hacked" and were targets.


By successful you mean, why do people pay instead of using backups? Some possibilities:

  • They don't have backups
  • They have backups, but they were also locked or targeted (e.g., they have backups, but their concept of backup was to put them in another folder on the main hard drive)
  • They have something like Carbonite or Mozy as their backups, have their password in a .txt file and will never be able to retrieve the password since they are locked out of their computer
  • Someone else set up their backups and they don't know how to do it, and don't want to admit to their IT friend that they downloaded something and got attacked
  • It could happen again, "maybe if I pay they will leave me alone"
  • Recovering from backups seems hard or they are worried the last backup doesn't have the most important file, maybe their time is worth more than the cost of ransom

A dead hard drive is a failure, ransomware is an attack. They both result in loss of data availability if no action is taken, however, the ransomware also implies other attacks or violations may be possible - why shouldn't the attacker unlock your data and then relock it again and again or also add you to a botnet? The ransomware may not be a one and done ordeal.

Eric G
  • I like your analogy: You may get your house contents destroyed due to an earthquake, or due to a vandal breaking in. – Ángel Aug 09 '15 at 22:28
6

If backups are being performed, and those backups are not accessible by the ransomware, then just getting the backup should be enough (after of course fully removing the ransomware software from the infected computer).

If the backup medium is always connected (eg. mounted network share, USB hard drive, etc), it is possible that the ransomware encrypts the backups also.

n1000
  • This! Ransomware typically encrypts all connected drives. So unless you back up to write-only memory such as DVD (not always practical in today's world of terabyte-sized data), your backup will most likely be encrypted as well. Non-mounted backup solutions such as rsync over ssh will also protect you. – slebetman Aug 10 '15 at 03:57
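Mark's answer (with the Josef, Steve Jessop and R.. comments) and this one make the same three points: a backup the infected host can write to is not a backup, older versions have to survive, and a restore has to be tested. The following is an added example, not code from the thread: it simulates the difference between a mirror-style backup and a snapshot store that never rewrites previous snapshots, tests a restore by hash, and flags files whose byte entropy jumped between snapshots. The random-byte overwrite stands in for encryption (no real ransomware family is modelled) and the 7.0 bits/byte threshold is an assumed heuristic.

```python
"""Mirror backup vs. versioned snapshots, with a restore check and an entropy alarm.

Added example, not code from the thread. A host's files are overwritten with
random bytes (standing in for ciphertext; no real ransomware family is modelled).
A mirror the host can write to is lost; a snapshot store that never rewrites
old copies still restores. The 7.0 bits/byte threshold is an assumed heuristic.
"""
from __future__ import annotations

import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution: 8.0 means all 256 values are
    equally frequent, which ciphertext and compressed data approach."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path, threshold: float = 7.0) -> bool:
    return entropy_bits_per_byte(path.read_bytes()) >= threshold

def mirror_backup(src: Path, dest: Path) -> None:
    """One copy the source host overwrites on every run: last write wins, so
    whatever ransomware did to the source is faithfully mirrored."""
    for f in src.rglob("*"):
        if f.is_file():
            target = dest / f.relative_to(src)
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)

def snapshot_backup(src: Path, store: Path, label: str) -> tuple[Path, list[str]]:
    """Write store/<label>/. Files unchanged since the previous snapshot are
    hard-linked to it (rsync --link-dest style); changed files are copied; old
    snapshots are never touched. Also returns changed files that went from low
    to high entropy, a cheap 'this just got encrypted' signal."""
    earlier = sorted(p for p in store.iterdir() if p.is_dir()) if store.exists() else []
    prev = earlier[-1] if earlier else None
    snap, suspicious = store / label, []
    for f in src.rglob("*"):
        if not f.is_file():
            continue
        rel = f.relative_to(src)
        target = snap / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev is not None else None
        if old is not None and old.exists() and sha256(old) == sha256(f):
            os.link(old, target)          # identical content: share the inode
            continue
        shutil.copy2(f, target)
        if old is not None and old.exists() and looks_encrypted(f) and not looks_encrypted(old):
            suspicious.append(str(rel))
    return snap, suspicious

def verify_restore(snapshot: Path, expected: dict[str, str]) -> bool:
    """'You don't have a backup until you've restored it': copy the snapshot to
    scratch space and compare hashes with what we expect to get back."""
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp) / "restore"
        shutil.copytree(snapshot, restored)
        return all(sha256(restored / rel) == digest for rel, digest in expected.items())

def demo() -> dict:
    """Day 1: clean backups. Then the source is 'encrypted'. Day 2: back up again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, mirror, store = root / "src", root / "mirror", root / "snapshots"
        src.mkdir()
        (src / "thesis.txt").write_text("chapter 1: " + "the quick brown fox " * 40)
        (src / "notes.txt").write_text("groceries: milk, eggs\n" * 20)
        good = {name: sha256(src / name) for name in ("thesis.txt", "notes.txt")}

        mirror_backup(src, mirror)
        day1, flagged_day1 = snapshot_backup(src, store, "2015-08-06")

        for f in src.iterdir():                      # simulated encryption
            f.write_bytes(os.urandom(f.stat().st_size))

        mirror_backup(src, mirror)                   # backup drive still mounted
        day2, flagged_day2 = snapshot_backup(src, store, "2015-08-07")

        return {
            "mirror_lost": sha256(mirror / "thesis.txt") != good["thesis.txt"],
            "day1_snapshot_restores": verify_restore(day1, good),
            "day2_snapshot_restores": verify_restore(day2, good),
            "flagged_day1": flagged_day1,
            "flagged_day2": sorted(flagged_day2),
        }

if __name__ == "__main__":
    print(demo())
```

In production the snapshot store lives on a host the client cannot log into, pulled by the backup server over ssh (as the rsync-over-ssh comment suggests) or written to storage with a write-once or object-lock policy, so that "never rewrite old snapshots" is enforced by something other than the client's good behaviour. The entropy check is a pre-commit sanity signal for the operator, not a substitute for that separation.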
6

"Why is this any different to a disk failure"

One point hasn't been brought up yet: It's not really different at all. The people who pay for encryption type ransomware would also pay $500 to have their harddrive instantly restored after a disk failure.*

Backups are very uncommon on average people's home PCs. Buying a NAS and learning about networks and how to do automated backups is neither cheap nor simple for an average computer user. Buying an external HDD and connecting it occasionally is cheap and simple, but too cumbersome so the last backup will be a couple months old. And it doesn't help that if you use Windows, the built-in way to do backups changes every 3 years. The backups also have the issue that they are on publicly accessible network shares, meaning the ransomware could decide to encrypt them too.

Also, let's not forget about installing Windows from scratch, without having a disc. I'd guess less than 25% of users are comfortable doing that - even if there's a backup, they would have to go to a repair shop to fix the PC, reinstall Windows, and install the backup. The repair shop costs money as well and means the PC won't be available for a week.

*A special case are people who are ashamed to have caught a virus while doing I don't know what, who want the problem to go away without anyone else noticing. They will pay the ransom to avoid humiliation.

Peter
  • I can go to a store and buy a new, clean computer for less than I paid a year ago. If I decide to copy files to a CD or whatever only occasionally, that is my problem. Computers are almost throwaway these days. The solution is to store stuff you don't want to lose (photos, your dissertation) in multiple places and publicly available, and everything else is just noise that you don't care about. Soon, no one will use PCs for real work anyway, only for connectivity like your phone. (Only the phone number would be a problem if it changed, and no one can "ransom" your phone number.) Non-problem. –  Aug 08 '15 at 01:27
  • @nocomprende This is not a discussion about how you think people should do their backups. This is an answer to the question "Why are ransom attacks successful?" – Peter Aug 08 '15 at 13:56
  • Theft or ransom is successful due to the Sunk Cost Fallacy: people have *invested* time in to something (such as their photos) and they do not wish to 'lose' it. If they *revalue* their possessions and how they spend their time, then crime (except to the body or mind) would not succeed. Had a discussion with a friend about how the alarm system on his car kept malfunctioning. I proposed my answer to that: own a really old, battered car that no one wants to steal (old Camry catalytic converter shortage issue excepted). Younger people will grow up with nothing of value on their devices. –  Aug 08 '15 at 15:23
  • I would also point out that Windows NT had a utility, ntbackup, which was around a long time. Then Microsoft decided to remove it except from Pro versions. That made it cost $100, as Pro had nothing else useful on it for a "regular" user. So basic users get no backup software; you would have thought ransomware was a Microsoft Gold Partner for them to shaft their customers like that. Another popular home OS sells a backup appliance which is effortless to use. Open-source OSes make no secret of how to back up. So this is largely a Windows problem of Microsoft's making. – simbo1905 Aug 09 '15 at 21:08
  • @nocomprende ransom attacks also don't work on the majority of people, but they can be very successful even if a small part of targets will pay. For example, we had a local incident targeted at accountants in smallish businesses (which also hit many unrelated people). Many of them didn't have fresh enough backups, and the labor costs for repairing the data (and possible fines for missing their tax reporting deadlines) were objectively greater than the requested ransom. And cloud services are not a magic solution - good ransomware will also explicitly target data on onedrive/icloud/dropbox/etc. – Peteris Aug 09 '15 at 21:18
2

The other answers all raise excellent points about the availability of backups and the viability of ransomware as a method of attack. However I don't feel that any have particularly compared the specific case of ransomware vs. disk failure from the attacker's perspective.

Were I to attack somebody's computer system and I had the choice of those two results with roughly equal probability of success then it seems plenty obvious to choose the one which potentially provides me a monetary profit should it succeed.

Aiken
  • Maybe all hard disk "failures" are actually the result of a huge invisible conspiracy to get money for doing the "repair". Same with appliances breaking down, plumbing, car repairs, illnesses, relationship issues. AAAAHHHHHHRRRRGGGGGHHHHH!!! –  Aug 08 '15 at 01:30
  • @nocomprende It's not exactly a conspiracy. More a necessity based on how capitalism works. If you produce items that never break you will have high customer loyalty. If the loyal customers never need to replace their items that customer loyalty is worth exactly $0. If the items you produce rarely break, you make more money than if they never break. – Peter Aug 08 '15 at 14:01
  • @Peter: Healthcare is the fastest growing sector of the (US) economy and one of the largest. (You know that my original comment was a *joke*, right? Didn't the "AAAA..." tip you off? The concept was that if **almost everything** that everyone does is basically a way to get money out of other people, then, then... --Stack Overflow--) –  Aug 08 '15 at 15:29
1

Ransom attacks may do more than lock files.

I once was victim of an attack that didn't allow me to boot the computer without seeing a screen that stated something in the tone of:

The police have detected this computer doing all kinds of bad stuff and a fine needs to be paid to resolve the charges.

If this happens on a computer that is shared with those who do not know about ransomware, this could be much more harmful than a 'normal' system wipe. And thus an attack may be more likely to yield something.

Dennis Jaheruddin
  • What operating system? – simbo1905 Aug 09 '15 at 21:11
  • However, in terms of recovery this is no harder than a complete hard disk wipe. Just wipe the drive and reset the BIOS and the malware goes away. Then do a clean install, get your files from backup, run a malware scan to clear the malware from your files and continue. – Taemyr Aug 10 '15 at 09:04
  • @simbo1905 Windows, not sure which version it was – Dennis Jaheruddin Aug 10 '15 at 09:08
  • @Taemyr That is all nice and good if you have a few hours and a spare PC/boot disk at hand. But in that case you could actually just download the right software to remove this ware. However, if other people need to use the computer before that (or if you don't know how to get rid of these nuisances) it could be awkward (more so than a wipe). – Dennis Jaheruddin Aug 10 '15 at 09:11
  • @DennisJaheruddin You need about an hour and a spare PC or boot disk. And this is different from a complete disk failure in what respect? – Taemyr Aug 10 '15 at 09:17
  • @Taemyr Perhaps it won't matter for you, but in a situation where there may be a colleague/relative behind me at any time I would rather look at a black screen than one that states that I have been given a fine for doing illegal gambling and looking at child pornography. Technically it may not be much different, but that is not my point. Ransomware does not want to do as much damage as possible, but just wants to maximize the chance that you are going to pay. – Dennis Jaheruddin Aug 10 '15 at 09:24
  • @DennisJaheruddin Sure, that would be embarrassing. But it has little impact on the steps to recover from the malware. If your colleague happens to be looking over your shoulder then that damage is already done; paying the ransom will not undo this. – Taemyr Aug 10 '15 at 09:47
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/26790/discussion-between-dennis-jaheruddin-and-taemyr). – Dennis Jaheruddin Aug 10 '15 at 09:58
0

In addition to the other answers, I'd like to point out that some ransomware doesn't advertise itself as such.

Instead, it disguises itself as a component that alerts the user that it has detected some corrupted files on the machine. It then "proceeds to find a solution online", like the legitimate OS does, and brings the user to a webpage where he can buy "a software to fix his computer". Of course, the "corrupted" files were encrypted by the ransomware in the first place, and the software the user buys at a dear price decrypts the files.

The beauty of this safer, low-profile approach is that often the user doesn't even realize he has been scammed. This contributes to increasing the number of successful ransomware attempts.

(Unfortunately I can't find the references anymore for this kind of malware; I'll add examples should I find them.)

dr_
0

Ransomware attacks are successful because users do not always save copies of their sensitive data anywhere other than on their computers, and a lot of people agree to pay to get back their compromised data.

As long as there are users who pay, ransomware attacks won't stop but only will evolve and improve.