Wednesday, May 17, 2017

Hey, Mom! Talking to My Mother #680 - How to avoid WCry and other RANSOMWARE

Hi Mom,

Ever complained when you could not get on your company's network because of system maintenance?

Maybe after reading this, you won't complain as much.

I complained this last weekend. I had final grades due Saturday morning at 9 a.m. I was up starting at around 5 a.m. to work on them, and the network was down for maintenance. I thought doing the maintenance on the morning that literally close to 800+ instructors are posting grades to an online school was incredibly bad and stupid timing, but I was cool as long as the network came up on schedule at 7 a.m. But when I checked a bit after 7 a.m., the network was still down. And it was down at 7:30. And it was down at 8 a.m., at which point I texted my boss, who is usually texting and emailing and even calling me to make sure I am working on grades, which were due in less than an hour. Then I called technical support.

Some technical support folks are very cool and well informed. And some seem like talking robots who tell you to do things you just told them you have already tried and seem not to be informed at all. I don't know how many times I have asked if something was a "known issue" only to be met with silence, like no answer at all.

This morning was a bit different as the tech person did know that the system was down but had no idea when it would be back up, though he didn't say that exactly. "Check back in a few minutes," he said. I kind of wanted to know WHY the system was still down and why the maintenance had been scheduled at all for a time when, as I wrote, hundreds of people need access to input grades. I refuse to believe that I am the only one who finishes final grades the morning of. We're all human. I am sure I am in the majority.

The network came back up ten minutes before the deadline, and because I had done all the online work already and was working with offline data, I was done posting grades ten minutes after the deadline.

Now, this deadline might not sound like a big deal, but the school has to process hundreds of students and determine if some need to repeat courses on a three-day turnaround between semesters, and two of those days are Saturday and Sunday. Only one work day, Monday, and then the new semester begins Tuesday.

But... maybe the tech department was fixing the network to protect it from Ransomware, as the first message, the one I share below, is from them.

Everyone who works anywhere with an intranet has heard of Ransomware, unless the person wantonly deletes emails from the tech department and ignores dire warnings from colleagues.

I received three such messages (two of which I shared here) and saw tons more commentary on the Inter-Google-Web-Tubes, and so I decided to do some investigating and collect some of the material here.

I am sharing two messages from schools where I work. I am sharing the messages without attribution because I am shy about sharing where I work, less so to the actual regular readers of the blog (all two of you, plus Mom, hi there), but more so because of the random drive-by views I get daily, most of which are probably robots.

Here are two good articles (below) about Ransomware, especially after the most recent "wannacry" version and its outbreak.


So the Wanna Cry outbreak caused tens of millions of dollars of damage and took down networks that should never be down, such as some hospitals.

The first of the two Computerworld articles above lays some of the blame for the problems with the victims, and in some cases the victims are large organizations, like the UK's National Health Service. When the UK NHS went down because of WannaCry Ransomware, patients suffered because the computer network is basically essential to providing quality health care.

Check out this message from one of my schools (the name of which I scrubbed):

Over the past three days there has been a large cyber-attack infecting more than 300,000 computers in 150 countries. The attack has been called several names, including WannaCry, WannaCrypt, WanaCrypt0r 2.0 and Wanna Decryptor, and is a ransomware program targeting the Microsoft Windows operating system.

The attack affected several large companies in Spain, as well as parts of Britain's National Health Service (NHS), FedEx and many others. We have patched the necessary servers and continue to be vigilant for any further signs of the attack.

Like many other attacks, this started as ransomware, which spreads by phishing emails. Therefore, please be on the lookout for suspicious emails, both company and personal.

Remember the following to help identify if an email is suspicious:

  • Message contains poor spelling and grammar
  • Message asks for personal information including username or password
  • Message asks you to send money or sensitive information

Remember:

  • Do NOT click on links that are unknown, and hover over the link to see the destination
  • Do NOT open attachments from unsolicited emails.

So... basically, there are two problems. First off, someone let the worm into the system via the phishing scam, and secondly, the system was vulnerable because it had not been patched.

UK's NHS had an array of excuses about legacy systems that are no longer supported and can't be patched, systems that cannot be shut down because they are critical, and even some systems that supposedly vendors will withdraw support for if the systems are updated (which sounds just as stupid as it is).

This is not about those things listed in those arguments. It's all time and money. The people in charge of the budget for security did not take the threat seriously enough, and then they got hacked and paid a steep price in downtime.

This is terrible negligence.

Check out this quote from 

Managers and budget appropriators that undervalue the security function have to understand that, when they make a business decision to save money, they are assuming risk. In the case of hospitals, would they ever decide that they just don’t have the money to properly maintain their defibrillators? It’s unimaginable. But they seem to be blind to the fact that properly functioning computers are also critical. Most of the WannaCry infections were the result of the people responsible for those computers simply not patching them as part of a systematic practice, without any justification. If they considered the danger, they apparently chose not to implement compensating controls as well. It all potentially adds up to negligent security practices.

and this next from this

The cruel reality of a global ransomware attack that crippled computer systems in 150 countries on Friday is this: Attackers took advantage of under-prepared computer users and their organizations.

Microsoft released a patch in MARCH.

People still vulnerable in May ignored update requests for two months.

Here's the thing for users to know.

Basically, proceed from the assumption that EVERYTHING is an attempt to hack you and verify everything before you open attachments, share personal information, or fall for something like the image below.

Following another message from my other school, a good article on the whole issue from WIRED.

See? Original content AND sharing.

If you're new to my blog (not you, Mom), check out the link at the top of the page to Hey, Mom! #1 and what I am doing with this blog.


The Department of Information Technology Services would like to inform you of a Ransomware campaign that surfaced recently. Ransomware is a class of malicious computer software that stops you from using your PC until you pay a certain amount of money. Currently the most visible Ransomware circulating is WCry (also known as WannaCry/WanaCrypt0r), which targets Microsoft systems running the Windows 8, Windows 7, Vista and Windows XP operating systems. The malware will also search for other systems in the network to infect. This variant of Ransomware restricts access to infected computers and demands that the user provide a payment to the attackers in order to decrypt and recover their files.

The WCry (WannaCry/WanaCrypt0r) worm is generally spread via drive-by downloads or as an attachment to fake e-mails disguised as a legitimate message. When a user opens such a message, WCry installs itself on the user's system, scans the hard drive, and encrypts certain file types, such as images, documents, and spreadsheets. WCry then launches a window displaying a demand for ransom and a countdown timer showing the date and time before which the user must submit payment in order to obtain the decryption key before it is destroyed.

Here is an example of what a demand screen could look like when infected:

Here are steps you can take to minimize exposure to WCry and other malware on your work and home PC.

1. Do not follow unsolicited web links in email.
2. Use caution when opening email attachments.
3. Follow safe practices when browsing the web by not surfing questionable websites.
4. Routinely make and keep handy reliable system and data backups.
5. Ensure your anti-virus signatures are current.

If your PC becomes infected, press and hold the power button on your computer until the computer turns off, and then call the ITS Helpdesk. It is important to remember to turn off your computer immediately and not turn it back on. Failing to do so could affect any network to which you are connected.


RANSOMWARE IS MALWARE that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom, usually demanded in Bitcoin. The digital extortion racket is not new—it’s been around since about 2005, but attackers have greatly improved on the scheme with the development of ransom cryptware, which encrypts your files using a private key that only the attacker possesses, instead of simply locking your keyboard or computer. Most recently, a global cyberattack spread ransomware to countless computers over 150 countries.

And these days ransomware doesn’t just affect desktop machines or laptops; it also targets mobile phones. In 2015, ransomware in the wild masqueraded as a porn app. The so-called Porn Droid app targeted Android users and allowed attackers to lock the phone and change its PIN number while demanding a $500 ransom from victims to regain access.

Also that year, the FBI issued an alert warning that all types of ransomware are on the rise. Individuals, businesses, government agencies, academic institutions, and even law enforcement agents have all been victims. The malware can infect you via a malicious email or website, or attackers can deliver it straight to your computer if they’ve already infected it with a backdoor through which they can enter.

The Ransom Business Is Booming

Just how lucrative is ransomware? Very. In 2012, Symantec gained access to a command-and-control server used by the CryptoDefense malware and got a glimpse of the hackers’ haul based on transactions for two Bitcoin addresses the attackers used to receive ransoms. Out of 5,700 computers infected with the malware in a single day, about three percent of victims appeared to shell out for the ransom. At an average of $200 per victim, Symantec estimated that the attackers hauled in at least $34,000 that day (.pdf). Extrapolating from this, they would have earned more than $394,000 in a month. And this was based on data from just one command server and two Bitcoin addresses; the attackers were likely using multiple servers and Bitcoin addresses for their operation.

Symantec has estimated, conservatively, that at least $5 million is extorted from ransomware victims each year. But forking over funds to pay the ransom doesn’t guarantee attackers will be true to their word and victims will be able to access their data again. In many cases, Symantec notes, this doesn’t occur.

Ransomware has come a long way since it first showed up in Russia and other parts of Eastern Europe between 2005 and 2009. Many of these early schemes had a big drawback for perpetrators, though: a reliable way to collect money from victims. In the early days, online payment methods weren’t popular the way they are today, so some victims in Europe and the US were instructed to pay ransoms via SMS messages or with pre-paid cards. But the growth in digital payment methods, particularly Bitcoin, has greatly contributed to ransomware’s proliferation. Bitcoin has become the most popular method for demanding ransom because it helps anonymize the transactions to prevent extortionists from being tracked.

According to Symantec, some of the first versions of ransomware that struck Russia displayed a pornographic image on the victim’s machine and demanded payment to remove it. The victim was instructed to make payments either through an SMS text message or by calling a premium rate phone number that would earn the attacker revenue.

The Evolution of Ransomware

It didn’t take long for the attacks to spread to Europe and the US, and with new targets came new techniques, including posing as local law enforcement agencies. One ransomware attack known as Reveton that is directed at US victims produces a pop-up message saying your machine has been involved in child porn activity or some other crime and has been locked by the FBI or Justice Department. Unless you pay a fine—in bitcoin, of course, and sent to an address the attackers control—the government won’t restore access to your system. Apparently the fine for committing a federal offense involving child porn is cheap, however, because Reveton ransoms are just $500 or less. Victims are given 72 hours to pay up and an email address, fines@fbi.gov, if they have any questions. In some cases they are threatened with arrest if they don’t pay. However improbable the scheme is, victims have paid—probably because the extortionists distributed their malware through advertising networks that operated on porn sites, inducing guilt and fear in victims who had knowingly been perusing pornography, whether it was child porn or not. Symantec determined that some 500,000 people clicked on the malicious ads over a period of 18 days.

In August 2013, the world of ransomware took a big leap with the arrival of CryptoLocker, which used public and private cryptographic keys to lock and unlock a victim’s files. Created by a hacker named Slavik, reportedly the same mind behind the prolific Zeus banking trojan, CryptoLocker was initially distributed to victims via the Gameover ZeuS banking trojan botnet. The attackers would first infect a victim with Gameover Zeus in order to steal banking credentials. But if that didn’t work, they installed the Zeus backdoor on the victim’s machine to simply extort them. Later versions of CryptoLocker spread via an email purporting to come from UPS or FedEx. Victims were warned that if they didn’t pay within four days—a digital doomsday clock in the pop-up message from the attackers counted down the hours—the decryption key would be destroyed and no one would be able to help unlock their files.

In just six months, between September 2013 and May 2014, CryptoLocker infected more than half a million victims. The attack was highly effective, even though only about 1.3 percent of victims paid the ransom. The FBI estimated last year that the extortionists had swindled some $27 million from users who did pay.

Among CryptoLocker’s victims? A police computer in Swansea, Massachusetts. The police department decided to pay the ransom of 2 Bitcoins (about $750 at the time) rather than try to figure out how to break the lock.

“(The virus) is so complicated and successful that you have to buy these Bitcoins, which we had never heard of,” Swansea Police Lt. Gregory Ryan told the Herald News.

In June 2014, the FBI and partners were able to seize command-and-control servers used for the Gameover Zeus botnet and CryptoLocker. As a result of the seizure, the security firm FireEye was able to develop a tool called DecryptCryptoLocker to unlock victims’ machines. Victims could upload locked files to the FireEye web site and obtain a private key to decrypt them. FireEye was only able to develop the tool after obtaining access to a number of the crypto keys that had been stored on the attack servers.

Prior to the crackdown, CryptoLocker had been so successful that it spawned several copycats. Among them was one called CryptoDefense, which used aggressive tactics to strong-arm victims into paying. If they didn’t fork over the ransom within four days, it doubled. They also had to pay using the Tor network so the transactions were anonymized and not as easily traced. The attackers even provided users with a handy how-to guide for downloading and installing the Tor client. But they made one major mistake—they left the decryption key for unlocking victim files stored on the victim’s machine. The ransomware generated the key on the victim’s machine using the Windows API before sending it to the attackers so they could store it until the victim paid up. But they failed to understand that in using the victim’s own operating system to generate the key, a copy of it remained on the victim’s machine.

The “malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape,” Symantec noted in a blog post.

The business of ransomware has become highly professionalized. In 2012, for example, Symantec identified some 16 different variants of ransomware, which were being used by different criminal gangs. All of the malware programs, however, could be traced back to a single individual who apparently was working full time to program ransomware for customers on request.

The Ransomware to Watch Out for Now

Recently Fox-IT catalogued what they consider to be the top three ransomware families in the wild today, which they identify as CryptoWall, CTB-Locker, and TorrentLocker. CryptoWall is an improved version of CryptoDefense minus its fatal flaw. Now, instead of using the victim’s machine to generate the key, the attackers generate it on their server. In one version of CryptoWall they use strong AES symmetric cryptography to encrypt the victim’s files and an RSA-2048 key to encrypt the AES key. Recent versions of CryptoWall host their command server on the Tor network to better hide them and also communicate with the malware on victim machines through several proxies.

CryptoWall can not only encrypt files on the victim’s computer but also any external or shared drives that connect to the computer. And the shakedown demand can range anywhere from $200 to $5,000. CryptoWall’s authors have also established an affiliate program, which gives criminals a cut of the profit if they help spread the word about the ransomware to other criminal buyers.

CTB-Locker’s name stands for curve-Tor-Bitcoin because it uses an elliptic curve encryption scheme, the Tor network for hosting its command server, and Bitcoin for ransom payments. It also has an affiliate sales program.

TorrentLocker harvests email addresses from a victim’s mail client to spam itself to other victims. Fox-IT calculated at one point that TorrentLocker had amassed some 2.6 million email addresses in this manner.

Protecting against ransomware can be difficult since attackers actively alter their programs to defeat anti-virus detection. However, antivirus is still one of the best methods to protect yourself against known ransomware in the wild. It might not be possible to completely eliminate your risk of becoming a victim of ransomware, but you can lessen the pain of being a victim by doing regular backups of your data and storing it on a device that isn’t online.

This post has been lightly updated to reflect the recent spread of WannaCry ransomware in 2017.


Reflect and connect.

Have someone give you a kiss, and tell you that I love you.

I miss you so very much, Mom.

Talk to you tomorrow, Mom.


- Days ago = 682 days ago

- Bloggery committed by chris tower - 1705.17 - 10:10

NOTE on time: When I post late, I had been posting at 7:10 a.m. because Google is on Pacific Time, and so this is really 10:10 EDT. However, it still shows up on the blog in Pacific time. So, I am going to start posting at 10:10 a.m. Pacific time, intending this to be 10:10 Eastern time. I know this only matters to me, and to you, Mom. But I am not going back and changing all the 7:10 a.m. times. But I will run this note for a while. Mom, you know that I am posting at 10:10 a.m. often because this is the time of your death.