What is " Ransomware " and how to defend yourself

Another article post from BestVPN that delves into a part of computing we should all keep our guard up against .

Always important to have backups of files you don’t want to lose for any reason on a separate external drive just in case and make sure the backup drive is never connected unless you’re actually doing some backups to it to avoid getting the backed up files infected. If you have backups then you can simply wipe your computer’s hard drive and reinstall your operating system from scratch and copy the backed up files back to your freshly installed, now ransomware free, device… No need to pay any ransom that way.

…and have backups of the backups (eg 2 copies of the backup) since a backup or backup device can fail

And to be safer still - keep one of the backups in a separate location.

Backup is the only answer to ransomware.

Even if you pay the ransom there is no guarantee that your files will be returned to you or that your computer will be left free of malicious software. Ask yourself what kind of person operates ransomware and whether they are trustworthy and reputable.

So you must do frequent backups. The frequency of backup determines how much content you will lose. It is your trade-off to make.

You should have a cycle of at least 2 backup disks/tapes if backing up to disk/tape - so that if something catastrophic happens during the backup, it does not take out both the original and the only backup copy.

Backups must always be kept disconnected from the computer except when doing a backup.

At least one backup copy (presumably the most recent if only one copy) should be kept out of harm’s way e.g. off-site, or in a fire-proof / water-proof safe.

You should do backup anyway (in case of software malfunction or hardware failure or user accident). So ransomware or other malicious software is just one more reason to do backup.

Microsoft, Industry, and the US Military have combined their efforts to disrupt a ransomware spreading botnet called Trickbot. Microsoft were concerned by the potential the botnet had to affect the US elections among other reasons.

From the article by Microsoft from the 12th of October here are some of the details:

"Trickbot has infected over a million computing devices around the world since late 2016. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives.

In the course of Microsoft’s investigation into Trickbot, we analyzed approximately 61,000 samples of Trickbot malware. What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a “malware-as-a-service” model. Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations."

" We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled."

To read the full article the link follows:

While not directly relevant to this botnet, necessarily, on my honeypot in recent years I am seeing more and more attacks into other IoT devices such as PV equipment, GPON (fibre) network equipment and VoIP phones. Add: I am also seeing attacks against Digital Video Recording equipment.

Previous discussion in the Choice forum has also mentioned IP cameras - and, of course, yes, I do see plenty of attacks against known exploits into routers e.g. Netgear, Cisco.

So whatever trojan horse, um, latest tech gadget you just installed in your house, ask yourself things like:

• how often is it getting software (security) updates, if ever? (it has probably been abandoned by the manufacturer)
• is it likely to be free of security defects?
• do I really need this gadget at all?
• do I know what this gadget does (sends and receives) on the internet?
• would I notice if it had been enslaved to a botnet?
• do I really need this gadget to have internet access?

Apart from the last bullet point the answers are generally in the negative.

That must annoy the Trump campaign.

I would change that to:

• Do I really need this gadget to share the same network as my critical infrastructure?

If you can, put it on a totally separate network using a separate router. If you can’t, put it on a guest network. (My work-issued laptop is on a separate network, as I do not trust it as much as I trust my own stuff.)

That is an additional very valid question.

I was more concerned about “phoning home” but intrusion against other equipment on your network is also a legitimate concern.

As an additional comment, putting aside into a separate category all attacks against IoT devices, by far the most frequent attacks that I see are probes for PHP. So, if you use PHP, it is essential to ensure that

• the PHP version is current and fully patched
• you keep abreast of known security issues with PHP plug-ins, if any, and where appropriate keep current and fully patched
• you keep abreast of known security issues with any software packages implemented on top of PHP (like WordPress), if any, …

Unfortunately, the PHP ecosystem has a poor security reputation. Hackers know that. Do you? PHP - Wikipedia

This is more likely to be relevant to businesses than individuals (unless maybe you are having e.g. a WordPress site hosted for you by some service provider).

While we all end up using PHP by way of venturing online, the key message is to web developers and designers. Make sure you are doing it right.

For those of us who are consumers of online content, we need to be aware that it is possible for Bad People to tamper with good websites - and think about what we click.

One of the best ways to avoid Bad Stuff Online is to limit oneself to the most popular websites as they are likely to have the best security team and hence best security. Unfortunately, this would the web a much less valuable experience because of all the bits you would miss out on - like some of the blogs maintained by this community’s members.

My understanding is that WordPress itself is reasonably secure, but some of its third party plugins have some worrying vulnerabilities. While the third party developers have been fixing their plugins, individual website owners need to but do not always update to the latest version. If you have a site that is hosted by a service provider, make sure that they are keeping everything current.

Turning back to how to protect oneself from ransomware, many of the distributors have turned to another way to pressure their victims into paying. “Pay or we publish” i.e. all of your most guarded secrets are going online for public access.

This threat may be best made against a large entity - especially if it has valuable intellectual property - but personally I wouldn’t like everything on my computer to be public.

A backup does not protect you from reputational and/or financial damage when all your ‘friends’ can see your bank balance and the password to get to it - as well as whatever embarrassing medical history you may have stored locally.

So the best defence against ransomware remains not getting infected. While it is impossible to avoid getting infected if you are targeted, most of us will (hopefully) not be targeted. In most cases, you as the user are the best and main line of defence.

• Don’t click on email links. Seriously, unless you expected the email and even then most of the time you are better off going to the website separately.
• Don’t click on website links saying that ‘to see this you need…’ (probably Adobe something). If you think you do ‘need’ whatever it is, then browse to the official provider and find the software there - don’t trust that popup or other message, that may send you to something that looks like the official site.
• Don’t give websites more information than they need. Fake your birth date occasionally (or all the time). Definitely don’t tell them about your favourite teacher, or your pet’s name.
• Don’t reuse passwords. I saw someone complain elsewhere online that Google was telling them about fifty of their accounts had been breached. On the bright side, modern password managers can do all the changes for you. On the downside - WHY WERE YOU REUSING THE SAME PASSWORD?! If it happens to be your network password as well, then you are leaving yourself wide open for takeover.
• Friends don’t let friends use their Internet. Give them guest access. It’s all they need, and if they have been attacked then it is more difficult for them to pass on any potential contagion.
• Many websites will hate this, but - run at least one ad blocker. Yes, bad people have bought ad space to serve up malware - and no, you do not necessarily need to click on the ad.
• Don’t pirate stuff. Sure, you’re just downloading that latest episode of Game of Thrones (okay, I am a little behind the times), but that may not be all you’re getting for your money.
• Seriously, don’t click that link. Yes, it’s a hassle to go there manually - but ransomware (and other malware) would be a worse hassle.

Yes. This for sure.

I would guess that intruders do one pass looking for anything that responds to PHP and if it does then they will look more closely for specific exploits based on out-of-date / unpatched / broken software.

This definitely happens. There are a range of reasons why “we publish” is not good. For a business, there is reputational damage in its being known that you have been hacked. It just makes it look like you are a security risk and risky to do business with. Hence why Mandatory Data Breach Notification is important. Businesses should not have the option to sweep it under the carpet. That however also takes away the option for this specific aspect of extortion.

That’s over and above the more direct issues with confidential documents being leaked, intellectual property being released, … (such as you list)

I would say … the number 1 defence against any malware is: keep your software up to date.

Once a bugfix is released, black hat hackers will (attempt to) reverse engineer the bug, and exploit it on unpatched systems. For well maintained systems there can still be a window of opportunity (a few days?) for well-resourced nation state hackers between bugfix release and patch application. For poorly maintained systems, well, you are wide open.

A corollary to that is … don’t continue to use unsupported systems. Yes, that comes at a price i.e. junking something once the vendor ends support for it, but ransomware and all other forms of malware also come at a price.

Sorry, but we have moved beyond ‘black’ and ‘white’ hats. I think the terms are now ethical and unethical, respectively - although there is some variation.

I realise that some people may see this as ‘political correctness’, but if my language offends someone then it is easier to change my language than to persuade them not to be offended.

Your list is excellent and goes a long way to protect an average internet user. Maybe Choice (@BrendanMays/@jhook) can look at making it slicker and including it on their website, Computer and Consumer Mags. The more who are aware of simple measures to prevent malware/ransonware, the more might be saved from succumbing to these criminal gangs.

Or you can just ignore them.

Seriously though, giving in to blackmail (oops) over language leads in a bad direction.

Speak for yourself?

Per the article, Chromium may have but Firefox certainly hasn’t.

I suppose we are going to ban the font ‘Arial Black’. Black Fonts Matter?