Next step (unless it is already there) could be affiliate marketing (pay 25% of the ransom to people who distribute the malware). If people start getting smart with backups, the response could be to switch to blackmail (pay or we'll distribute your files).
I find this whole thing quite scary. We all know how difficult it is to protect yourself from a determined and skilled adversary. Now that there is a clear business model and opportunity to make hundreds of millions[1] this thing will probably attract more and more people. Building botnets was a mass market operation. Ransomware could become more targeted, since the value of a single infected machine can be much higher.
All the more reason to emphasize security over the latest in features and upgradability.
Why doesn't Microsoft get held accountable when a 0-day in Windows is exploited that results in loss of user funds? Without that, there's no incentive to build secure software in the first place.
How do we get society to have more of a security-first approach when it comes to things connected to the internet? A lot of these vulnerabilities are scary in a systemic way. Cyber warfare would likely be as damaging as dropping napalm on cities, and it's all preventable by having more security oriented infrastructure.
> Why doesn't Microsoft get held accountable when a 0-day in Windows is exploited that results in loss of user funds? Without that, there's no incentive to build secure software in the first place.
There is nothing stopping you from entering into a contract with Microsoft that requires them to take on that liability. And there are some companies that have contracts like that with some software vendors -- presumably in aerospace and so on. And those companies pay $5000 or more for a piece of software that you would pay $10 for. If you asked a normal person to pay that much for every app in the store they would just laugh.
If you made developers liable for vulnerabilities, that's what would need to happen. Software would have to cost enough to cover the liability. If you sell ten million copies of some code and you have one vulnerability (down from 75 before this), that vulnerability may cost 1% of your customers $20,000 each and you're suddenly on the hook for billions of dollars. And you better hope none of your customers are large corporations that could potentially suffer even bigger losses, even though the software developer has no control over that at all.
A big part of the problem here is that we keep trying to shield the users from liability, but they're the ones who make the decisions. The user won't be willing to pay extra or suffer any inconvenience for better security if it's the credit card company or insurance company or software vendor that sustains the loss when they get hacked.
Security is terrible because the party who decides how much to prioritize security is the party we give half a dozen ways to get out of suffering from the consequences of poor security.
But what would also happen is that for the software vendor to stay competitive, he would spend a lot of time and effort to harden the software to reduce the insurance premium.
Very far away from Microsoft's "let's use consumers as beta testers" approach.
> But what would also happen is that for the software vendor to stay competitive, he would spend a lot of time and effort to harden the software to reduce the insurance premium.
That's not competitive though. When the user is at minimal risk the user wants the cheapest software, not the most secure software. In that situation you can't spend money improving security or buying insurance, that would make your software cost more than the competition.
The winning competitive strategy would be to minimize the consequences of declaring bankruptcy. Take on debt financing instead of issuing stock, to minimize net assets. Develop the software as many pieces each owned by an independent business entity so there is no deep pocket to attract claims and there is a smaller loss when an owner has to write one off.
Another angle to this: Why does Apple get away with something like 2 year support windows for their OS? We now have a bunch of people on OS 10.6.8 who will stop getting updates, but even 10.9 will fall out of support before Win7
Though I suppose the best solution would be to get everyone on the upgrade treadmill
> Though I suppose the best solution would be to get everyone on the upgrade treadmill
No. The best solution would be to require Apple, Google and MS to split up their OSes into individual packages, that can be upgraded at will, and to unlink functionality from optics in all parts of the OS.
The reason is simple: most people, especially corp environments, don't upgrade their software because they see on friends' machines (or phones) that the look and feel has changed too much for them / that retraining time for employees is too expensive. A good example is the clusterfuck MS committed with Win8 by replacing the taskbar, the unremovable phone-home/unstoppable auto updater in Win10 or the various "design improvements" / "performance improvements" Apple did on OS X/iOS.
Oh, and with Apple there's the high risk of critical bugs or other incompatibilities with their newest OS. Software like the Adobe suite, music/video editor programs, and even office mainstream apps Lotus f..ing Notes and Cisco's programs tend to have boatloads of bugs each major OS X release. With MS, you can at least assume that you can run any old software that doesn't require drivers...
Look at the costs of healthcare in the US compared to most other western countries. Liability and the related insurance is often listed as a big reason for the high costs.
So you're not going to improve software with this, you're going to make it incredibly expensive in the US. The only groups benefiting from this will be lawyers and insurance companies.
>If people start getting smart with backups, the response could be to switch blackmailing (pay or we'll distribute your files).
How does that work when most home connections have terrible upload? To make matters worse, if you upload at full speed, people will notice that their internet is getting sluggish and notice something is up.
You throttle the bandwidth or you upload at full speed when the bandwidth consumption is idle. Or if you're into blackmail you develop an algorithm that searches for nudity in pictures and upload only those. Or you extract the text from documents, zip it and then upload it. Obviously if you're into this you develop some patterns, you don't just upload everything because then you'd have to spend an eternity browsing through all those files. How many chances are there that the average user will have a file called finance or something similar in their documents folder? You could simply upload a text file with all the file names and then make selective uploads.
This might only be sort of related to what you're talking about, but ransomware as a service already exists. You deliver a premade executable and get a cut of the profits. You could install it on systems where you have physical access, like your work or at a friend's house, or systems that you have remotely compromised.
Doesn't work. The moment someone exposes the game the affiliate marketer will have his affiliate account closed by whichever company or network they're trying to work with.
It won't be hard to set up a darknet-based affiliate service, e.g. one that upon retrieval of the Bitcoins sends 25% to the affiliate, 74% to the botnet herder and 1% to the affiliate service.
Perhaps an Ethereum program could do it, but then it might be a good idea to set up a second Ethereum network for anonymous use over darknets.
Weren't we talking about affiliate marketing? For affiliate marketing you need an actual company that is getting sales out of it. Most companies will immediately turn off affiliate marketers getting it sales by spreading malware/ransomware.
In a simplified model, a legitimate set of actors for a legitimate product would be
a. publisher
b. affiliate network
c. person selling a product
You are saying that the affiliate network would block the publishers for distributing malware. Yes, that's true. But what is stopping someone from creating another affiliate network? That would replace the actors with the following:
a. malware distributor
b. illicit affiliate network
c. malware publisher selling key
In this case, the "product" is the key to decrypt the files. The network could be anyone. It could even be the same person who wrote the malware.
I imagine that anyone who is willing and skilled enough to be a malware distributor would rather just do the whole thing himself, i.e. code the malware himself and collect himself.
It doesn't take a genius to spread malware. Install said malware on a USB stick and then drop it in a parking lot, or just go ahead and use it on a "friend's" computer etc. Using an existing affiliate network is much less effort than building one.
My point wasn't using an existing affiliate network versus building one. It was having the skills to spread malware and using an affiliate network to get the malware, versus having the skills to spread malware and coding your own malware. But ok, I got your main idea.
Yes, the creators of the malware could also run the network. But they would spread wider by paying a bounty for each ransom, based on through whom the targeted system got infected.
The benefits are that the creators get more people to help them spread their blackmail.
Call it affiliate, call it MLM, call it resellers, call it a distributed crime syndicate. Same thing.
You'd be surprised. Many of these illicit affiliate networks have been existing for years and continue to thrive. Especially with cryptocurrency nowadays, they have ways of safely cashing out.
At that point they're just cashing out bitcoins. And while I think that should be illegal (bitcoins can a priori be reasonably assumed to be the proceeds of either a) crime or b) "mining" i.e. being paid to run a network that's used primarily for crime, because those are the only use cases that makes sense), currently it doesn't seem to be seen that way.
There are a number of affiliate marketing companies who will "revoke" an account, but make no effort to keep bad actors from opening new accounts, make it as hard as possible to report affiliates using malicious tactics, etc. Once you start getting into the lowest tiers of banner sellers you start seeing a lot of real skeezy moves.
Interesting plan. I think people are underestimating how effective it might be.
Suppose a kid gets their parents computer infected. There is a pretty good chance that they will panic and take the non-monetary route. It's not like infecting others is beyond most kids abilities. Just run the exe themselves on school computers, post it in video game chats, send it to friends, etc. Since they aren't sure how many people will pay before their parents notice there is a strong incentive to send it to a lot of people, not just two.
The other route I see is that an adult sees this and tries to infect some company computers, on the theory that they won't be caught and there is a good chance the company will pay up. Not many people will go for it of course, but if it manages to spread internally then they will be in a decent position to demand a lot of money.
I wonder how Bitcoin-based scammers launder their money.
Bitcoin addresses are anonymous, but all transactions are public, right? So while it's hard to find out who's behind an address, it's publicly visible if they spend money, and where it goes. Thus, they're only able to spend it on "trusted" peers to not jeopardize their own anonymity.
For example, if they buy something from an online shop, this transaction will be visible for all Bitcoin users. And if that shop publicly shows its Bitcoin address, authorities might track down that shop and force it to give away their shipment address.
Bitcoin tumblers take care of this. Roughly, you set up a service that puts a lot of people's coins in a single wallet, then you route bitcoins from that wallet to a bunch of different wallets operating in similar fashion. Kind of like how Tor works.
It's easy to generate many temporary wallets that cannot be linked back to your main wallet; shops can do this too and I think it's considered good practice to use one address per sale.
You can also convert the Bitcoins to a more anonymous coin (Monero?) and back.
There's a niche field of malware economics, but it makes sense that for-profit malware is ultimately a business, albeit a usually illegal one, which has to optimize just like any other app:
At some point, it would make sense that anonymized malware (I2P, Tor only) may go open source, similar to commercial open source but instead because of scene cred / black-market consulting.
This is roughly what happened with several "exploit droppers" a few years ago. It wasn't pretty GitHub sites or open source blogs, but rather "leaked" versions of the software suites, missing nearly all of the actual exploits. Usually there'd be a couple of very old, widely patched exploits in there so you could see how it worked. People would download the stripped out version, play with it, then buy the actual exploit payloads/plugins.
Pretty interesting process to watch from the sidelines!
I wonder why no one is looking at the obvious solution - discredit the ransomware folks. I.e. create ransomware that doesn't free your files even after you pay the ransom. As soon as word gets around that there are ransomwares like that their whole business model will collapse. Sure, this will not be nice to the (small number of) people who get screwed over but it definitely solves the larger problem.
Ransomware already has a less-than-stellar reputation as far as that goes[1], but many people are willing to make that gamble in order to have a chance at retrieving their data. Not to mention that making the dysfunctional ransomware would be illegal, and authors (who therefore must be in it for profit) have motivation to avoid tarnishing their 'reputation', to extract the most payment.
Are you saying that it'll convince literally zero people to not pay the ransom? Every ransom that does not get paid is money that doesn't contribute to the "distributing ransomware is a viable way to make money" problem.
Major corporate and government networks are better able to handle it, so long as you have top-down buy-in. Just publish a policy that anyone caught paying a ransom will be fired, and throw a bit of money into PR puff pieces talking about your tough-on-ransomware policies. Ransomware makers won't try to target your network, since they won't get money from the CEO and will have a real hard time negotiating with people from other layers. Any incidental damage will get dealt with by various mitigation policies (backups, etc).
Completely evil and terrifying, yet also somehow brilliant psychologically. Tricking people to install it thinking it's the Popcorn Time streaming app has a bit of irony involved.
That's interesting how they use the sob story. Anyone wanting to pay is going to feel conflicted, so they give the user an out by letting them feel like they're helping poor people in Syria. They've chosen Syria because it's well-known and in the news.
I wonder if their English is poor, or if they're trying to be endearing to help their conversion rates. You could confirm the former by correlating it with what common errors people in different countries make.
It doesn't look like they expect people to infect their friends, but offering the false choice is a pretty common way of making people feel slightly more in control. It probably helps their conversion rates, even if nobody picks the blue option.
What I don't understand about ransomware in general is how the AES key is stored on the machine. I'm assuming that it's grabbed from the server, used only during encryption, and then scrubbed from RAM/filesystem. Otherwise, it would be possible to recover the key post-encryption. Or am I missing something?
I've read a few articles of people managing to get the key out of the ransomware programs, so in some cases it really is just stored on the system and you can find it if you know what you're doing. Those articles were a while back though, so it's possible they've 'fixed' that issue.
Like others have said, public/private key crypto can be used to achieve this, fairly easily: The ransomware is distributed with a public key, and after generating the AES key and encrypting the system, it then encrypts the AES key using the public key and removes all other copies of the AES key. Thus, nobody with access to the system can decrypt the system now unless they have the matching private key. If you pay to decrypt your system, the program sends off the encrypted AES key, and then they send back the decrypted AES key which they got by using the matching private key. And then from there you use the AES key to decrypt the rest of the system.
The encryption uses public/private keys to encrypt the files using the public key, while keeping the private key stored on the remote servers. The client's PC never has access to the decryption key.
Using PK crypto would be horrendously slow, especially if there are a large number of files. Besides, the article notes that this ransomware uses AES-256.
Perhaps the AES key is encrypted with RSA after encryption is complete and kept on the infected machine.
I'd assume all the details needed to decrypt the files EXCEPT for a small key would be stored in the encrypted file headers. The AES key could be encrypted to a given public key and then directly displayed to the victim. This means that the software doesn't really need to know how to send info to the ransomware writers. Instead the victim would be responsible for contacting them.
Interesting idea! So for example, the user would provide the displayed hex digest as a note along with the payment. The payment verification server could then email the user the decrypted key.
Yeah, or more likely a Bitcoin address and payment amount would be generated based on the attacker's Bitcoin public key and a hash of the encrypted key. Then the victim would pay that address and somehow contact the attacker (email, forum, twitter, whatever). The point is that the attacker could rely on the victim's human ingenuity to make it harder for the authorities to block payments.
That is generally how one encrypts large files with pk, yea. In fact I vaguely recall some crypto tool I had for personal use many years ago did exactly that for files above some size.
The end result is you see a file encrypted with a symmetric key.
Generally they generate a private / public keypair, transmit them to a server, store both somewhere while the encryption process is in progress, then they scrub the local private key.
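The hybrid scheme sketched in the three comments above (a per-infection AES key, wrapped to a public key whose private half stays with the attacker, then scrubbed locally, with the wrapped blob shown to the victim), as an added example that is not code from the original thread or from the malware the article describes. It is written from the defender's side to show why memory or disk forensics on the infected machine cannot recover the file key once the plaintext copy is zeroed: only the RSA private key can unwrap it. The key size, AES-256-GCM as the file cipher, RSA-OAEP as the wrapping primitive, and the hex encoding of the ransom-note blob are assumptions for the example; the page only says "AES-256" and "encrypted with RSA".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// GenerateAttackerKeyPair models the key pair generated once by the operator.
// Only the public half is shipped inside the sample; the private half never
// touches a victim machine. (2048-bit RSA is an assumption for the example.)
func GenerateAttackerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewSessionKey returns a fresh 256-bit AES key for one infection.
func NewSessionKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// EncryptFile encrypts one file's bytes with AES-256-GCM. The random nonce is
// prefixed to the ciphertext so the file header carries everything except the key.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFile reverses EncryptFile; a wrong key fails GCM authentication.
func DecryptFile(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// WrapSessionKey encrypts the AES key to the attacker's public key (RSA-OAEP),
// zeroes the plaintext copy, and returns the hex blob that the ransom note would
// display for the victim to send along with the payment.
func WrapSessionKey(pub *rsa.PublicKey, key []byte) (string, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	for i := range key { // scrub: after this the machine holds no usable key
		key[i] = 0
	}
	return hex.EncodeToString(wrapped), nil
}

// UnwrapSessionKey is the operator-side step performed after payment.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrappedHex string) ([]byte, error) {
	wrapped, err := hex.DecodeString(wrappedHex)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func main() {
	priv, _ := GenerateAttackerKeyPair()
	key, _ := NewSessionKey()
	doc := []byte("constructed sample document") // constructed input
	blob, _ := EncryptFile(key, doc)
	note, _ := WrapSessionKey(&priv.PublicKey, key) // key is all zeros from here on
	fmt.Printf("note blob: %s...\n", note[:32])
	recovered, _ := UnwrapSessionKey(priv, note) // needs the private key
	out, _ := DecryptFile(recovered, blob)
	fmt.Println("round trip ok:", bytes.Equal(out, doc))
}
```

The forensic consequence for a responder: once the scrub in `WrapSessionKey` has run, the only key material left on the host is the OAEP blob, which is useless without the operator's private key. Samples that skip the scrub, or that fetch the AES key from a server and leave it in memory during a long encryption run, are the ones the comments above describe as "recoverable if you know what you're doing".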
I do have a follow up question to this. If the ransomware encrypts the files, then it would also need to delete the original files. Unless the original files are overwritten, wouldn't it be possible to recover them? If the files are indeed overwritten, I would presume it would take a really long time, and, if I remember correctly, this wouldn't work on SSDs, unless you fill the SSD completely. Or am I missing something?
The problem with ransomware is also that it can infect a lot of people who don't have that kind of money.
If they did it decently, they would allow for partial recovery of files with rising prices per batch, and measure how long the user could come up with the coins.
Pricebuilding exercise combined with social engineering.
God, they could go full ponzi scheming with this and get a billion people to get rich and accomplices..
Clever idea, but I doubt this would work in 99% of cases.
It's basically a link to an EXE. You could probably only convince someone to run it if you have some acquaintance with them, so obviously they'd hate you afterwards. And you only get the key if they not only get infected, but pay up. And you have to do it twice.
A better method might be "get 5 people infected", regardless of payment.
> A better method might be "get 5 people infected", regardless of payment.
If you don't require payment, anyone could just spin up five VMs and infect them, then request a decryption key. Not saying these guys are clever or anything and the scheme seems likely to fail for the reasons you mention, but I think something like a "get two other people infected and they pay up" scheme is the most workable version.
"why does the FBI, NSA, CIA, or any cyber security agency exist? They should not exist.
SECONDLY, why aren't they actively targeting those criminals?"
I think it's important to remember that those agencies shouldn't even exist, before asking why they're not doing something. Don't quietly justify them.
The primary point of my comment was to remind people that most HN readers are very against cyber capabilities/surveillance/etc - so when someone calls for those agencies to do something, it is important to remember that people are against those agencies even existing, having any capabilities at all.
Now as for providing you the argument for why they should or shouldn't exist, I think it's political and I like HN's move away from political discussion so let's not have it. But I think it's not going too far to ask people to be explicit about some of the contradictions. If you look at the comment phrasing I "suggested", you'll see it's a contradiction. I don't mean to resolve that contradiction but we shouldn't ignore it - my point was to write the contradiction explicitly.
One possible way to address your question briefly would be with reference to some films and books. but we don't need to answer your question in order to acknowledge the contradiction and I wouldn't like to answer it (one way or another - why they should, why they shouldn't exist.) it's good for HN to step back from politics a bit so let's leave it at that.
1984; the film "Brazil" (1985); "The Lives of Others" (about the Stasi); Snowden's film and revelations; the history of dictatorships and surveillance, etc; I could also make many specific arguments.
But my point wasn't any of this: just that most of HN strongly feels against surveillance and the capabilities mentioned.
I don't want to take a side I just want the contradiction to be put front and center in these cases. It will lead to everyone on HN having a better position, when they do eventually take one. I still think we don't need to have that argument here (or in most cases where it comes up).
I'm not against these agencies if they are actively targeting criminals with a clearly defined scope. Drag net surveillance of innocent people is a different matter.
I don't think most HN users oppose the use of intelligence capabilities in various three letter organizations, just that those orgs should be constrained by the rule of law in some meaningful way.
Most HN users are quite upset in the comments under any story about any capabilities, by any organization anywhere in the world, and regardless of their cooperation with America (where the three letter organizations I quoted are from) and regardless of their legality.
I put in "backdoor found" as a search query here https://hn.algolia.com/ after modifying it to search the last year.
I'm not sure if you're referring to attention paid to political discussions in general or the Political Detox Week. If the latter, the week-long experiment was terminated early. See https://news.ycombinator.com/item?id=13131251
the whole purpose of the detox week was to move conversation away from too many politics - so while the experiment is over, the improvement everyone saw leaves lessons we can remember. HN was just better.
Gotcha. I thought that might be the case from your phrasing. There have been quite a few people who weren't aware it had been rescinded or assumed that it was a permanent thing. I appreciate your desire and efforts to focus the discussion.
And how do they know if I infected a friend's computer? It can be mine, right? I just have to set up a new computer with a fresh install and repeat it again and again until they give the key.
OSes will have to start detecting processes that do a lot of disk read/write, and perhaps network upload, and quarantine them.
Also, checkpoint/log based file systems like nilfs2 can let you roll back to any point before infection.
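One way to make the "detect processes that do a lot of disk write" idea from the comment above concrete, as an added example that is not from the original thread or from any shipping product: encrypted output is indistinguishable from random bytes, so a process that rewrites many distinct files with near-8-bits-per-byte content in a short window is the classic behavioral signature. The event structure, thresholds (7.5 bits/byte, 30-second window, more than 5 distinct files) and the sample trace are all constructed assumptions for the example; a real monitor would feed it from an OS file-event source.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// WriteEvent is one file write as a hypothetical filesystem monitor would report it.
type WriteEvent struct {
	PID  int
	Path string
	Time int    // seconds since monitoring started
	Data []byte // content written
}

// Entropy returns the Shannon entropy of b in bits per byte: 0 for constant data,
// 8 for data in which every byte value is equally frequent (ciphertext looks like this).
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Detector thresholds; these values are assumptions chosen for the example.
const (
	HighEntropy = 7.5 // bits/byte; compressed or encrypted data sits close to 8
	WindowSecs  = 30
	MaxFiles    = 5 // distinct high-entropy files per process per window before alerting
)

// SuspiciousPIDs returns, sorted ascending, the PIDs that wrote high-entropy data to
// more than MaxFiles distinct paths inside any WindowSecs-second window.
func SuspiciousPIDs(events []WriteEvent) []int {
	type hit struct {
		t    int
		path string
	}
	perPID := map[int][]hit{}
	for _, e := range events {
		if Entropy(e.Data) >= HighEntropy {
			perPID[e.PID] = append(perPID[e.PID], hit{e.Time, e.Path})
		}
	}
	var out []int
	for pid, hits := range perPID {
		sort.Slice(hits, func(i, j int) bool { return hits[i].t < hits[j].t })
		for i := range hits { // sliding window anchored at each hit, counting distinct paths
			seen := map[string]bool{}
			for j := i; j < len(hits) && hits[j].t-hits[i].t <= WindowSecs; j++ {
				seen[hits[j].path] = true
			}
			if len(seen) > MaxFiles {
				out = append(out, pid)
				break
			}
		}
	}
	sort.Ints(out)
	return out
}

// SampleEvents is a constructed trace: an editor saving text, an archiver writing two
// compressed files, and one process rewriting six documents with ciphertext-like data.
func SampleEvents() []WriteEvent {
	uniform := make([]byte, 1024)
	for i := range uniform {
		uniform[i] = byte(i) // every byte value appears equally often: entropy 8.0
	}
	text := []byte(strings.Repeat("quarterly report draft, see attached figures\n", 20))
	ev := []WriteEvent{
		{1001, "/home/u/notes.txt", 1, text},
		{2002, "/home/u/backup1.zip", 2, uniform},
		{2002, "/home/u/backup2.zip", 3, uniform},
	}
	for i := 0; i < 6; i++ {
		ev = append(ev, WriteEvent{4242, fmt.Sprintf("/home/u/docs/file%d.docx", i), 10 + i, uniform})
	}
	return ev
}

func main() {
	fmt.Println("suspicious PIDs:", SuspiciousPIDs(SampleEvents()))
}
```

The per-window distinct-file count is what keeps a legitimate archiver or a browser downloading a zip from tripping the alert, but it is only a heuristic: a sample that encrypts slowly, or only the tail of each file, stays under it, and a compression job over a large tree goes over it. Production detectors pair this with rename patterns (new extensions on hundreds of files), canary files, and the snapshot or log-structured rollback the comment mentions, so that the alert quarantines the process and the volume is restored from before the first hit.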
It seems like a far more plausible explanation that this is real malware that picked well-known software that people are likely to be downloading from sources that they're not super sure about.
I wonder what can be changed to help find and prosecute the distributors of malware?
By the way I think that the ones held responsible and paying for the damages should be distributors, not malware developers especially if they did not know exactly how it would be used. Making malware is like making a gun, it is allowed in some countries. Maybe it will be used for good purposes.
I think that's bogus. They can and should be held accountable if they're running enterprises like this. How can malware be used for good purposes? (Mal)icious Soft(ware) doesn't sound too "good" to me.
Of course not many people out of the general population know how to make a (primarily) windows VM, but I'm surprised that others aren't mentioning it in this thread.
With airplanes, the manufacturer is on the hook until the plane is no longer in the air.
We should require OS manufacturers to do the same. They should be on the hook for security until the last device using their technology is no longer in use.
That doesn't really make sense. 'Security' is not a binary thing; many pieces of malware, quite possibly including this one, don't break the OS's security model.
The OS doesn't consider your browser downloading and running an executable a problem; if it did we would all be complaining about walled gardens. If that executable wants to read and write files in your home directory it is allowed to (otherwise you couldn't download and run emacs). The fact that it happens to be encrypting them to ransom back to you isn't something the OS is really in a position to know, or do anything about.
Do you mean one has to be a computer science graduate to use a computer? And I doubt even CS graduates can always distinguish between real software and fake one with malware inside.
What I meant is that ransomware predominantly spreads by tricking the user into running malicious code, as opposed to tricking the OS. There's not a whole lot the OS can do if the user is determined to open e.g. "kittenpic.jpg.exe" or "invoice.doc.exe".
That is because user has a previous experience of double clicking files to run or view them and nothing bad happened.
> There's not a whole lot the OS can do if the user is determined to open e.g. "kittenpic.jpg.exe" or "invoice.doc.exe".
I think there are many options:
1) do not download executable files or make them non-executable after download
2) do not run downloaded executable files
3) do not run executable files without valid signature from OS developers
4) run executable files inside a sandbox
For example, iOS uses approaches 1, 3 and 4, and Android uses 4. Only desktop operating systems (including some Linux distributions) allow tricking the user into running malware with full access to the user's files by clicking a link and pressing Ok twice. That is why I consider this the OS's fault, not the user's.
In many environments users are not supposed to download and run executable files. For example, in a workplace an employee is supposed to use only software approved by the company. And still no operating system provides an easy way to enforce it.
Imagine if pressing a wrong button on a washing machine would cause installing malware. Would you like to buy such device?
> In many environments users are not supposed to download and run executable files. For example, in a workplace an employee is supposed to use only software approved by the company. And still no operating system provides an easy way to enforce it.
Windows domains can do this with Group Policies, with the first large ransomware waves companies actually started using that feature ;)
Other than that, Windows shows a prompt asking for confirmation when running a downloaded executable, but it doesn't stick to files from ZIP files, doesn't apply to mail attachments (although I'd expect mail software to warn itself) and stuff like that.
Windows has all of those implemented in the windows store world, yet everybody is yelling how anticompetitive Microsoft is for wanting people to switch to that model.
If we had Linux on the desktop, we'd have Linux ransomware.
[1] http://thehackernews.com/2015/10/cryptowall-ransomware.html