[Image is public domain, by definition]
Ransomware
As an experienced IT Security professional and Systems Administrator, I am absolutely sick of all this Ransomware rubbish, and rubbish it is.
Let me explain. "Ransomware" is essentially a specific computerized form of extortion. Let's zoom out, then in, then very far out.
Almost always by accident, someone within an organisation's network and computing equipment installs an unwanted program, usually without even realising they are installing a program. That is the first step in a "cyber crime". More technically, they are usually installing a mechanism by which one little program can install a more sophisticated one. The end result is the same: some unwanted program is running inside their network, on behalf of a user account which provides some level of access to computing, networking and storage infrastructure run (or paid for) by the organisation.
Now, imagine that you are the group that gets to run that program. What are you going to do?
If you're some demolitionist who enjoys destroying things, you can do things like delete data. Or, if you prefer to be an "evil genius", you can cause any number of very annoying anomalies in how other systems behave to make life hell for the systems administrators, while deliberately doing little actual damage. I cite Spotify as a classic example of the latter.
If you're an intelligence agency, you hide your tracks ASAP and then begin a very cautious enumeration of the environment into which you have been able to insert yourself, and choose your next target. Each new target is a new risk, and there is a risk/reward calculus. The better targets tend to be better defended, and more expensive or secretive methods are required to gain a new foothold.
If you're a cyber-criminal and the target is money, extortion is the simplest method. Encrypt data, demand a payment in hard-to-trace cryptocurrency, and either be a complete arse and run away with the money, or be a reputable thief and provide the decryption key. Either way it's a crime.
There is a very simple defence against the demolitionist and the ransomware extortionists. It's called backup.
My "0th Law of Systems Administration" is:
There Shall be Backup
The small team that I lead at my most recent employer helped the organisation recover from over 5 ransomware attacks in about the same number of years by, you guessed it, finding the system doing the encrypting, disconnecting it, and recovering the impacted data from backup. It's a pain, but it's all in a day's work for any competent systems administrator. It should also be almost entirely mechanical. This is called an incident response plan. The only creative bit is in identifying the infected/encrypting system, and even that's not hard.
So, when you hear that company X was issued a ransomware demand, do not think about the cyber criminals, but the idiocy of the company. Where is your backup? Where is your incident response? If they don't have these they deserve no sympathy WHATSOEVER. They are complete idiots.
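Identifying the encrypting system is the one non-mechanical step mentioned above. As an added example (not code from the original post), here is one way to pick that host out of file-server audit logs; the log format, host names and thresholds are all constructed for the illustration.

```python
"""Flag the host mass-encrypting a file share, from file-server audit logs.
Added illustration, not code from the original post; log format constructed:
"<ISO time> <host> <user> <op> <path>". Ransomware touches many files per
minute and leaves an extra extension (report.docx -> report.docx.locked), so
score each host on its busiest one-minute burst and on double-suffixed paths.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample: two normal workstations and one host rewriting 120 files.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:00:{i:02d} ws-17 alice WRITE /share/finance/q1-{i}.xlsx" for i in range(3)]
    + [f"2024-03-01T09:00:{i:02d} ws-22 bob WRITE /share/hr/policy.docx" for i in range(2)]
    + [f"2024-03-01T09:01:{i % 60:02d} ws-09 carol RENAME /share/finance/report-{i}.docx.locked"
       for i in range(120)]
)

def parse(line):
    """Split one audit line; the path is the remainder, so spaces in it survive."""
    ts, host, user, op, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, op, path

def busiest_window(times, window):
    """Largest number of time-sorted events falling inside any span of `window`."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def suspect_hosts(log_text, window=timedelta(minutes=1), min_ops=50, min_churn=0.5):
    """Return {host: (ops in busiest window, fraction of double-suffixed paths)}
    for every host exceeding both thresholds; an empty dict means nothing to isolate."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, _, op, path = parse(line)
            if op in ("WRITE", "RENAME"):
                events[host].append((ts, path))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        burst = busiest_window([t for t, _ in evs], window)
        # Double suffix is the cheap tell; a real deployment would also baseline each host's normal rate.
        churn = sum(1 for _, p in evs if len(PurePosixPath(p).suffixes) > 1) / len(evs)
        if burst >= min_ops and churn >= min_churn:
            flagged[host] = (burst, churn)
    return flagged
```

The flagged host is the one to disconnect first; the per-host event list then doubles as the list of files to restore from backup.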
You expect to need to recover from a ransomware attack now and then. The trick is to minimize them.
Here we meet my "1st Law of Systems Administration":
Your greatest asset and defence are your people
IT is a little complex here and there, but most people don't need to know much about that. They need to be aware of what the threats are and how NOT to make the mistake of accidentally installing software. Each organisation will choose its own strategy for security policy, but if you don't see educating your people as a very significant line of defence, you are foot-shootingly myopic. Lastly, and this is extremely important, if someone reports a security incident in which they think that they made a mistake, and they are correct, they should be praised (not by name) from the highest levels of management. People make mistakes, but recognising and reporting them in a timely manner is essential. Recovering from backup takes time, and it does have a productivity impact. The faster the mistake is acknowledged, the faster the response, and thus the less productivity is lost. As an IT leader I always thanked people for reporting mistakes they had made. Then, once you've dealt with the problem, you can talk to them and see if further help can be provided, or investigate whether this is a new type of thing and an organisation-wide educational update is required. Usually, that is the smallest nudge: a few sentences reporting the case (not the person) and referring to the organisation's security documentation where this risk has been documented previously is all it takes to keep your greatest line of defence on their toes.
Thanks are far more powerful than criticisms in maintaining a culture.
To Geopolitics
Let's be honest, most journalists, and an equal proportion of society, do not know how to read IT security reports issued by national IT defence organisations. It's all jargon and acronyms. It is also almost impossible to provide definitive evidence of the course of an attack in a way that is generally comprehensible.
We thus get these evidence-free accusations about cyber-attacks. Do threats to national security infrastructure exist? Well, yes. Look at what the USA and Israel did to Iran with STUXNET, and see what can of worms that opened, not just for Iran but for everyone. Attacks on Programmable Logic Controllers in automated factories can really bounce back hard.
When you see that "the Russians" performed a ransomware attack on company X, what is usually happening is that very little evidence is presented, because almost nobody can understand it, so it is immediately suspect. But you should be pointing your finger at company X: where is the backup, you idiots?
However, there is a backstory to this. In the early 2000s, as internet-based electronic payments via credit cards were starting, the security measures around this were childish. Many people made a lot of money stealing other people's credit card details and spending their money on whatever they wanted. Some, and I repeat some, of this happened in Eastern Europe. It was also happening, especially in the USA and other "Western" countries. The credit card companies invested in improving their defences, especially with Chip and PIN style cards. The USA just lagged behind, increasing their vulnerability to these internet-based fraud attacks on their own citizens.
The next big thing was taking over people's computers and running your own programs on them (like the demolitionist/cyber-crime described above). But these computers would not destroy things locally; instead they were grouped in collections of very large numbers called 'botnets', wherein computers from all over the world could be controlled from a single "command and control" system and do all sorts of stuff. Email spam was a biggie. Then denial of service attacks, etc. Then the cyber criminals realised they had this huge power in these botnets and started renting them out to other criminal gangs. It is the case that there are significant cyber-crime groups, and botnet operators, operating out of Eastern Europe and the Caucasus, in which Russian is a dominant language. There are also similar groups in the USA, Latin America, and greater Asia. It's everywhere.
I have read from reputable IT Security sources that, for the portion operating in Eastern Europe, the botnet operators have banned a bunch of Russian infrastructure from being attacked by the clients that use their rented botnets. This can be seen in two ways, and I believe that both are true at once. Preventing attacks on Russian infrastructure greatly reduces the risk of your group being taken down by Russian-based law enforcement or intelligence operatives, which also means they can focus on other things. It means that you'll make more money. Thus, it could be said that these criminal botnet operators are "tolerated" by the Russian security services. Personally, I don't think many operate on Russian soil or they will get taken down. Russia demands deniability, much closer to real than plausible.
However, if Russian intelligence services are doing a little "toleration", which I think likely, they also see the threat. President Putin has been calling for a "Cyber Arms Treaty" for years. Again, two games are being played. If there's no threat, you'll never get a treaty. So, a threat must remain, but if it's not directed at you, you can give it less attention.
To make matters worse, the "Internet of Things" (or Internet of Shit, as it's called in the IT Security field) happened and the number of controllable internet-connected devices skyrocketed. This remains a problem to this day. The root cause of the problem is that it takes a few cents to add a network device to some piece of consumer electronics, and way, way more to ensure that that device can be secured against remote control.
I say, throw away your mobile phone controlled baby monitor and pay cash to a local young babysitter. They are much better value.
Zooming out
There are a plethora of "bad actors" (or "not actors" or "uninformed actors") in this state of affairs. The 'demolitionists', credit card fraudsters, botnet controllers, spammers and scammers, and ransomware gangs are the easy targets. There are also the financial regulators, the consumer electronics regulators, and the "national security / intelligence" regulators. The last one is a tension: the intelligence people want to break into other people's stuff to steal their information (and not get detected), but to do that they often need to cleverly abuse mistakes in programming (bugs). So, the offensive side hides the bugs, so that they can use them, from the defensive side, who want those bugs fixed.
The last "bad actor" groups are the software houses and businesses. Here again is tension: software improves productivity, but it has bugs. So, you could blame the software houses, but that's not helpful. The complexity in modern software is insane. It is going to have bugs, so 'security' is not a state but a process. Businesses that wish to utilise the productivity improvements from software have to also invest in the defence mechanisms which are their security process. If you really want to blame the software producers, fund Free and Open Source Software.
The entire internet, operating system, software, computing and mobile phone, business, banking, intelligence, regulatory space makes sub-atomic physics look like tic-tac-toe. It is not a guaranteed draw.
Sources
Ransomware: a process for creating political or geopolitical turmoil with evidence free accusations directed at some “other” when the real cause is incompetence and stupidity.