I.T. Vendors, Do Your Jobs

I woke this morning to a series of panicked emails and text messages. A client has been hit with Crysis Ransomware. After orienting myself to the day, I got a handle on the situation and began restoring the client’s files, swept the infected server with Malwarebytes, and am well on the way to having everything back up and running. Some people may remember that I was on Fox News a few years ago speaking about ransomware as an I.T. specialist, warning everyone then to back up their stuff, a sentiment mirrored by an FBI agent who participated in the same special. We are now something like four years later, and the link I provided a moment ago contains many people stating that their clients have been infected, and they want to know how they can go about finding decryption software.

Fucking ridiculous.

If you’re an I.T. vendor, it’s your job to know about ransomware. It’s literally your job to know about it and to protect against it. For at least five years now, the only foolproof protection has been current backups: nothing stops every infection, but a backup makes the infection survivable. The one caveat is that the backup has to live somewhere the infected machine can’t write to. Ransomware, Crysis included, encrypts mapped network drives and attached USB disks right along with the local files, so a backup drive that is always plugged in gets encrypted with the originals. That’s why I don’t sweat it. A client panics and tells me they’ve been encrypted? No problem. Connect to the infected machine, identify the ransomware, google it, scan to remove it, restore files, done. This one might be more complex since it also encrypted programs and possibly some Windows features that no sane I.T. vendor would back up, but there’s absolutely no chance that the client is going to a) lose their files, or b) pay the ransom (currently $5100).

And just in the past 30 days, we’ve seen several “professional” I.T. vendors amateurishly asking about decryption utilities. I can’t blame them for not having found my website, to read my discussions about ransomware and the value of backups, or to read my general indictment of I.T. people and their tendency to view security as an afterthought at best, but no professional should be caught with their pants down these days. As for decryption, no. It’s not happening. You have two options: pay the ransom, or lose the files. New variants are constantly being released; it’s a multi-billion dollar industry, and every time researchers crack a variant by exploiting some implementation mistake, the next variant ships with that mistake fixed. Reverse engineering the malware itself is routine, and it gets you nothing, because the malware carries only the attacker’s public key. The private key that would unlock your files has never touched your network.

I know the hopeful feeling, the denial, of a first-time ransom attack. I was sure that I was always just a step away from the magical solution that would undo everything. Of course, through this I was also using Western Union to send $547 to Tel Aviv, Israel to buy Bitcoin and pay the ransom. Since the typical ransom is still “one bitcoin” and Bitcoin is currently at $5100, I’m not sure that the same client would go for it today. If they did, we’d be fired. That would be appropriate, I think, given that any I.T. vendor, at this point, should be aware of ransomware.

This is your job. This is what you do for a living. You’re supposed to be the experts. Your clients pay you to keep them protected from stuff like this.

Do your jobs.

If you’re hit with ransomware and you don’t have current backups for your clients, then you can go ahead and fire yourself. I’d fire you, especially if I, the client, googled things and found that ransomware has been around for several years, and that the solution is simply to back stuff up, and you couldn’t be bothered to do that. Make peace with it–your only options are to pay the ransom and hope that the people on the other end are honorable (they were in the case of CryptoWall, but that was a long time ago), or to say goodbye to all the files. They’re not recoverable and chances are that they never will be.

Just check out the full list of decryption tools that Kaspersky has available. Six. They have decryption tools for six (out of probably six thousand) variants of ransomware. CryptoWall 2.0, which was released in 2014, still isn’t on there. Holding your breath for a decryption utility is like hoping to win the lottery, and it helps to understand why. The decryptor a victim buys from the crooks contains that one victim’s key and nothing else, so forwarding it to Kaspersky or Bleeping Computer does nothing for the next victim. Reverse engineering the malware is the easy part: it tells you the algorithm, which is usually off-the-shelf AES and RSA, the same stuff your bank uses, and nobody is going to break that. A free decryptor only ever appears when the authors blundered (a key generated from a predictable seed, one key shared by every victim, the key left sitting in a file or sent over the wire in the clear) or when their master private key leaks or gets seized. It’s called encryption for a reason, dude.

To give you an idea of the task, forget the idea that there’s some secret calculation to figure out. The well-written variants work like this: each file gets its own random AES key, that key gets encrypted with the attacker’s RSA public key, and then the plain AES key is thrown away. The public key can lock the box but can’t open it; opening it takes the matching private key, which sits on the attacker’s server and has never been on your network. Deriving the private key from the public key means factoring a 2048-bit number, and nobody can do that in any amount of time that matters to you. So having a million encrypted files, or even a million matching plaintext and ciphertext pairs, doesn’t get you one step closer. And that’s what you’re asking of Bleeping Computer because you can’t be bothered to do your job.
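As an added illustration (my example code, not anything from the original post and not Crysis’ actual implementation), here are both halves of that argument as a toy in Go. The competent scheme, where the victim’s machine only ever sees the attacker’s public key and the per-file AES key is wrapped with it, so a “decryptor” is nothing but the private key; and, beside it, the kind of blunder that makes the six free decryptors exist, where the key is derived from something the victim’s own machine already knows. The hostname-based derivation, the sample file contents and the function names are all assumptions for the demo; the cryptographic calls are Go’s standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is all that is left on the victim's disk; the plaintext file key is never stored.
type LockedFile struct {
	Ciphertext []byte // AES-256-GCM output, nonce prepended
	WrappedKey []byte // the per-file AES key, RSA-OAEP encrypted to the attacker's public key
}

// NewAttackerKey runs on the attacker's side only; the private half is all a paid "decryptor" contains.
func NewAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptFile models the malware: it holds only the attacker's PUBLIC key, draws a fresh random
// AES-256 key per file and wraps it so that only the private key holder can unwrap it.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(fileKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// fileKey dies with this stack frame; nothing left on the victim's side can reproduce it.
	return &LockedFile{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptFile is the decryptor the victim pays for: the private key plus an unwrap.
// There is no secret algorithm in it, and it is useless under any other key pair.
func DecryptFile(priv *rsa.PrivateKey, f *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("this private key cannot unwrap the file key: %w", err)
	}
	return gcmOpen(fileKey, f.Ciphertext)
}

// blunderKey is the kind of derivation behind most free decryptors: every input is known to the
// victim's own machine (real cases used timestamps, fixed seeds or one key for every victim), so
// whoever reverse engineers the binary can regenerate the key. Assumed derivation, for the demo.
func blunderKey(hostname string) []byte {
	k := sha256.Sum256([]byte("toy-v1|" + hostname))
	return k[:]
}

// EncryptFileBadly models that mistake; RecoverFromBlunder is what a researcher's free tool
// then does: no private key involved, just the derivation lifted out of the binary.
func EncryptFileBadly(hostname string, plaintext []byte) ([]byte, error) {
	return gcmSeal(blunderKey(hostname), plaintext)
}
func RecoverFromBlunder(hostname string, ciphertext []byte) ([]byte, error) {
	return gcmOpen(blunderKey(hostname), ciphertext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func gcmOpen(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(data) >= ns {
		return gcm.Open(nil, data[:ns], data[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

func main() {
	attacker, _ := NewAttackerKey()
	locked, _ := EncryptFile(&attacker.PublicKey, []byte("Q3 invoices (constructed sample data)"))
	other, _ := NewAttackerKey() // the key pair behind some other victim's paid decryptor
	_, otherErr := DecryptFile(other, locked)
	plain, _ := DecryptFile(attacker, locked)
	fmt.Printf("other victim's decryptor: %v\nattacker's private key: %q\n", otherErr, plain)
}
```

Run it and the first line shows a paid decryptor from a different victim failing to unwrap the key, the second shows the only thing that works: the attacker’s own private key. The blunder pair is what a researcher gets to write when the authors slip; it recovers files with nothing but the derivation and the victim’s hostname, and with a wrong hostname the GCM tag check fails, which is also how a decryptor tool knows it has the wrong key.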

I have no sympathy for such I.T. people.