We “Will Be Paying No Ransom,” Vows Town

CommanderFrank

This is a bizarre bit of news involving a small New Hampshire town’s police department computers: they are being held for ransom by CryptoWall malware.

"Make no mistake, the Town of Durham will be paying no ransom," Town Manager Todd Selig was quoted as saying by CBS Boston news. Police department computers for the town of almost 15,000 residents were reportedly infected Thursday after an officer opened what appeared to be a legitimate file attachment to an e-mail.
 
So in the article it was stated that all data had been backed up, so, other than this being a major annoyance for the town, what news is here?
 
At least some people have the courage to suck it up and swallow the truth and not cave in to criminals' demands. It's the right thing to do. Even if the information was vital, you and thousands of others are just feeding them by paying the ransom. Remove the incentive and they won't bother with extreme methods of siphoning off money from people.

Unfortunately many will cave in because information they deem priceless outweighs the outcome of faltering. It's nice to see some not paying demands despite how much it hurts.
 
The town of Durham could turn this into an opportunity and run some kind of contest for prospective white hats to get in on the action and go after the control servers... there is nothing to stop Durham from escalating their response now that they have drawn the line in the sand.

Best of luck to the town. It's refreshing to see this happening.
 
Guess they haven't learned not to run computers as admin accounts...
 
The town of Durham could turn this into an opportunity and run some kind of contest for prospective white hats to get in on the action and go after the control servers... there is nothing to stop Durham from escalating their response now that they have drawn the line in the sand.

Best of luck to the town. It's refreshing to see this happening.

A better solution might be if the victims of these crimes pooled their money and offered a bounty for these criminals' deaths ... it might make cyber crime a tad less desirable if you never knew whether you were going to eat a bullet for your misdeeds ;)
 
Guess they haven't learned not to run computers as admin accounts...

It still encrypts the users files. I had to reimage a PC, and the user was a standard user but every file he had on his system (personal files, my docs, etc.) were screwed. He didn't have a backup for most things. Stuff that we sync with server was fine, but the rest was gone...
 
We (at work) got hit twice this year. Lucky we use tape backup and flashcopy all the file servers every 3 hours. Easy to get files back and running. We also limit users access to mapped file servers. They only get what they really need and everything else goes back and forth through a temp dropbox file location.

Cryptolocker came from someone clicking on a link in their email (you have a fax it said) and downloaded the file from dropbox website to their machine.

We have since filtered out all known cloud based file sharing website and looking at doing more.
 
These ransomware viruses are OS agnostic and can come in through a variety of vectors. The only real way of not getting infected is to remove the network or restrict the user from opening files...kinda removes the use of computers. Once the payload executes, it begins encrypting user files and puts a screen up saying the user must pay. The malware encrypts the files and sends the encryption key to a command and control server where it's held for a few days before being erased forever. As far as I know, nobody has been able to figure out how to reverse the encryption. Users that pay HAVE gotten their files back though...honest crooks I guess.

If you don't want to pay and have backups then you just wipe the drive and restore from backup, none of the files are actually transferred.
 
The attack vector that was used (a Trojan horse launched by the user who thinks it's a legit file) also works on Linux.

Don't really see how Linux fixes stupid people :confused:

It doesn't, it just makes fanbois circlejerk with each other.
 
if you are skilled enough you can find the cryptokeys on the pc :)

Apparently, if the infection was before April 15th. They fixed that 'bug' in the malware so it's not there anymore...
 
This is a bizarre bit of news involving a small New Hampshire town’s police department computers: they are being held for ransom by CryptoWall malware.

Why are they allowing executable attachments at all? My e-mail servers reject any e-mail with an executable of any kind even if it is hiding in an archive (and they reject encrypted archive files).
 
Let me guess, he opened a legitimate file attachment and elevated UAC
 
Before they announced they weren't paying, maybe they should have contacted the FBI, and tracked down the culprit with the promise of paying the ransom.
 
Seriously, just PAY the few hundred bucks... if the alternative is a definite loss of hundreds of man hours and non-recoverable emails...

And yes BladeVenom, you WOULD think the FBI / CIA would have a literal field day working with a police department to track down the scammers especially since it's the PD directly affected. It really doesn't get any more straightforward from a law enforcement angle.
 
I thought this happened a few months ago?
 
Guess they haven't learned not to run computers as admin accounts...

Unfortunately, all of the effort to add account security with Windows 7/Vista is being undone with default cloud features being disabled on Windows 8 when not running as admin.
 
Guess they haven't learned not to run computers as admin accounts...

Heh, like that ever helped a single Windows user. The attacks can do privilege escalation using system weaknesses, no need for admin accounts.
 
Unfortunately, all of the effort to add account security with Windows 7/Vista is being undone with default cloud features being disabled on Windows 8 when not running as admin.

What, what? You must be joking. That's hilarious! :D

The article probably forgot to mention that they have backups, which are now encrypted due to the backup machine getting infected :rolleyes:
 
The attack vector that was used (a Trojan horse launched by the user who thinks it's a legit file) also works on Linux.

Don't really see how Linux fixes stupid people :confused:

Except that there is no in-the-wild attack for Linux such as that. And except that Linux users do not run as root by default. And except that e-mail attachments do not ship with executable flags by default, so the user can't run it by just clicking the attachment. And except Linux e-mail attachments do not autoexecute. And because Linux does not suffer from the malformed JPEG header vulnerability which enables pwning older Windows by image preview. And except Linux e-mail software does not have other similar forms of known security holes to exploit automatically. And the list continues.

The user would have to make the serious mistake of changing the attachment flags to executable and then running it, which would immediately tell them that the file in question is not a document but some form of an executable, i.e. an attack.
 
It happened on a Windows XP 32-bit PC.
Considering that, the PC is probably old as hell and their entire system is in desperate need of an upgrade.
Seriously though, wish it was legal for us to hunt down these bastards and pump a few hundred rounds into them.
 
Why are they allowing executable attachments at all? My e-mail servers reject any e-mail with an executable of any kind even if it is hiding in an archive (and they reject encrypted archive files).

I suggest you change your policy to quarantine them rather than reject them. Archives can be encrypted for reasons of security, for instance. And how else do you get small patches?
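An added example of the attachment policy argued over in the two posts above (reject vs. quarantine): a gateway-side triage routine that holds, rather than bounces, any message carrying an executable, an executable hidden inside a ZIP, or an encrypted archive entry. This is example code written for this thread, not any poster's mail setup; the extension list and the "fax" lure are constructed assumptions.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions a Windows desktop will run on double-click (assumed list, extend as needed).
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1")

def _is_exec_name(name):
    return name.lower().endswith(EXEC_EXT)

def inspect_blob(name, data):
    """Return the reasons an attachment should be quarantined (empty list = clean)."""
    reasons = []
    if _is_exec_name(name) or data[:2] == b"MZ":      # PE files start with the 'MZ' DOS stub
        reasons.append(f"executable attachment: {name}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:                 # general-purpose bit 0: entry is encrypted
                    reasons.append(f"encrypted archive entry: {name}!{info.filename}")
                elif _is_exec_name(info.filename) or zf.read(info)[:2] == b"MZ":
                    reasons.append(f"executable inside archive: {name}!{info.filename}")
    return reasons

def triage(msg):
    """Decide 'deliver' or 'quarantine' for a parsed message; quarantined mail is held for review."""
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons += inspect_blob(part.get_filename() or "unnamed", payload)
    return ("quarantine" if reasons else "deliver"), reasons

# --- constructed sample data so the example runs stand-alone -----------------
def zip_bytes(entries, mark_encrypted=()):
    """Build an in-memory ZIP; names in mark_encrypted get the 'encrypted' flag set in
    the central directory to simulate a password-protected archive (contents are not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, data in entries.items():
            zf.writestr(entry_name, data)
            if entry_name in mark_encrypted:
                zf.getinfo(entry_name).flag_bits |= 0x1
    return buf.getvalue()

def build_sample(filename, data):
    """A constructed 'you have a fax' lure carrying one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "You have a new fax"
    msg.set_content("Your fax is attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    lure = build_sample("fax.zip", zip_bytes({"fax_0612.pdf.exe": b"MZ\x90\x00"}))
    print(triage(lure))  # -> ('quarantine', ['executable inside archive: fax.zip!fax_0612.pdf.exe'])
```

The dropbox-link variant described later in the thread carries no attachment at all, so a filter like this is only one layer; the quarantine still lets an admin release a legitimately encrypted archive or a zipped patch.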
 
The press is good as it alerts the rest of the non-technical population to the threat. I've seen about 6 sites in the past 6 months get hit with it. Using dropbox was a much better idea than .zip files as the scanners and spam filters don't block it. Having volume shadow copies on the file server is the easiest way to restore quickly in most cases. Near-line backup is what most people end up doing with maybe a days worth of lost data.

Given that every instance I've seen in the last month is using dropbox, I'd like to see dropbox step up and stop allowing executable files to be hosted or at the very least scan them for malware.
 
It still encrypts the users files. I had to reimage a PC, and the user was a standard user but every file he had on his system (personal files, my docs, etc.) were screwed. He didn't have a backup for most things. Stuff that we sync with server was fine, but the rest was gone...

Cryptolocker does not require an admin account to fuck your data.
 
Heh, like that ever helped a single Windows user. The attacks can do privilege escalation using system weaknesses, no need for admin accounts.

Are you guys serious? I thought crypto malware needs to run an exe to initiate the encryption? If the account is running non-admin, or some other such account privilege that doesn't allow execution of programs, how would the malware progress? It's not a rhetorical question to imply I know better--what I've read about crypto malware indicates that running as a limited user does not allow it to execute. Is that not the case? And how are privileges escalated on a limited account?
 
We got nailed with the "You have a fax, click here" emails where I work. Most people receive electronic faxes on a daily basis, so they just opened and ran with it. Fortunately they were too stupid to extract the ZIP file and were calling the help desk asking for assistance.:eek:
 
If the account is running non-admin,....what I've read about crypto malware indicates that running as a limited user does not allow it to execute.

You can run programs as a user (non-admin). After all, MS Word is a program and millions of non-admin users launch it every day. A program is a program. Users have permissions to access their own files, for example Word documents in their respective My Documents folder. Any program launched as a user has the same rights as that user, i.e. if a user can open the .doc files, so can any piece of software started by that user, including malware, etc.
 
They are not all being sent as attachments although we did have a few users who went through herculean efforts to unzip the file, follow the instructions to the letter and then infect the network. Malware works primarily because of the end users. We had a user who did it twice with the exact same type of email AFTER she had been instructed to never follow a link or open an attachment.
 
Except that there is no in-the-wild attack for Linux such as that.
That's totally beside the point. If everyone suddenly decided to switch to Linux, an attack like this would be developed rather quickly.

And except that Linux users do not run as root by default.
That doesn't matter. Did you even read the article?

It was a user-level process that encrypted files owned by the currently-running user. It can't own the whole machine, but that's NOT the point of this malware.

And except that e-mail attachments do not ship with executable flags by default, so the user can't run it by just clicking the attachment.
Whether an executable flag is obeyed or not will depend entirely on your email client (on both Windows and Linux).

Outlook doesn't obey executable flags by default, and this type of attack doesn't need to exploit that kind of functionality. The attachment was downloaded and THEN run by the user, who was tricked into thinking it was a legitimate file.

Once again, switching to Linux doesn't fix stupid people...

And because Linux does not suffer from the malformed JPEG header vulnerability which enables pwning older Windows by image preview.
Not sure why you're bringing up an already-patched vulnerability, but ok?

And the list continues.
No it doesn't, because none of this matters for the given process flow:
1. User gets e-mail.
2. User thinks the e-mail is legit and downloads the attachment to their hard disk.
3. User runs the downloaded file, which is already clearly formatted as an executable.
4. File executes, running as the current user. The current user has permission to read/write to their own files.
5. Process proceeds to encrypt all files the current user has access to.

This isn't something that switching to Linux inherently fixes...

The user would have to make the serious mistake of changing the attachment flags to executable and then running it, which would immediately tell them that the file in question is not a document but some form of an executable, i.e. an attack.
You're over-thinking it. This type of attack doesn't depend on any form of auto-execute vulnerability to be successful.
 
Why are they allowing executable attachments at all? My e-mail servers reject any e-mail with an executable of any kind even if it is hiding in an archive (and they reject encrypted archive files).

It sounds like there was a link to a dropbox hosted executable in the email and not an actual executable attachment.
 
You can run programs as a user (non-admin). After all, MS Word is a program and millions of non-admin users launch it every day. A program is a program. Users have permissions to access their own files, for example Word documents in their respective My Documents folder. Any program launched as a user has the same rights as that user, i.e. if a user can open the .doc files, so can any piece of software started by that user, including malware, etc.

On a Vista or later machine with UAC running a user account, a previously unknown executable from an unknown publisher should pop up with a message requiring someone to enter an admin password in order to run the program.
 
It's funny: one of the reasons Vista was panned was the introduction of UAC.
 
Fuck the police coming straight from the Russian underground.

A young virus got it bad cause I encrypt things.
 