
Lodesman

macrumors regular
Original poster
Feb 4, 2014
167
36
Folkestone, Kent, UK
Bit of a fuss on TV this morning (UK) about ransomware.

My Mac runs El Cap protected by McAfee (free with my ISP). I am careful about not opening emails with attachments I don't recognise.

How vulnerable should I feel ?
 

Phil A.

Moderator emeritus
Apr 2, 2006
5,800
3,100
Shropshire, UK
Just continue to be careful about opening unknown attachments or downloads and make sure you have good offline backups

It's safest to view a ransomware event as a "when", not an "if" (just like you should view a hard disk failure) and to make sure you're well equipped to deal with it with multiple offline backups (so the backups can't be encrypted). That way, if you ever do fall prey to one, you won't suffer. The alternative of thinking it will never happen and not preparing for it leaves you vulnerable if you get hit by one
 

Lodesman

macrumors regular
Original poster
Feb 4, 2014
167
36
Folkestone, Kent, UK
Thanks Phil A. Especially your advice about offline backups.

To date I have my TM backup ext HDD permanently connected. I think I'll pick up a small Ext HDD for offline backups.
 

maflynn

macrumors Haswell
May 3, 2009
73,682
43,721
To date, ransomware has only been an issue with Windows AFAIK, though that could possibly change at any time. As mentioned, safe computing habits should limit the risk. I'm hoping the security features in OS X and its underlying Unix system also protect us.
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
Multiple backups – at least one offline backup – is the only defence against ransomware. There is not anything peculiar or advanced about ransomware, it is simply malicious software that encrypts the user’s files. Unless the executable is sandboxed or runs as a different user, your files can be read and written to.
 

martint235

macrumors 6502a
Apr 13, 2016
633
1,609
Yup I've got a couple of offline backups. Not had any ransomware yet but if I do, it's just a simple re-install of Windows.
 

maflynn

macrumors Haswell
May 3, 2009
73,682
43,721
Yup I've got a couple of offline backups. Not had any ransomware yet but if I do, it's just a simple re-install of Windows.
The thing that scares me is that ransomware can lie dormant for a period of time, and then activate. That means backups are infected and you won't even know it.
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
That is true. Presumably, the best defence would be to move older, unneeded files to an external drive and make backups of that drive with a separate system, such as a locked-down version of Linux or OpenBSD, unconnected to the Internet. If you have a DVD drive, you can also burn them of course (though a bit trickier with encryption, as you can never change the encryption key after the data was burned to disc).
 

martint235

macrumors 6502a
Apr 13, 2016
633
1,609
The thing that scares me is that ransomware can lie dormant for a period of time, and then activate. That means backups are infected and you won't even know it.
Ransomware isn't about "infection" per se. The idea is the software is loaded and executed and then encrypts all your files so that you can't access them. The encryption is removed when you pay them money.

If you can open a file before you back it up, then the backup won't be encrypted. I'm sure there are some clever hackers out there with ways round this but your bog standard Ransomware writer will just encrypt My Documents, My Pictures etc.
 
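The point above, that a file you can still open is a file that will back up cleanly, can be turned into a pre-backup sanity gate. This is an added example, not code from the thread or from any backup product: it flags files with text-type names whose bytes look like ciphertext (near-random, about 8 bits of entropy per byte) and refuses to run a backup while any such file exists. The extension list, threshold and minimum size are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed for this example: extensions whose contents should be low-entropy text.
# A file with one of these names but near-random bytes has most likely been encrypted.
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".html", ".json", ".xml"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; English text sits around 4-5, ciphertext near 8
MIN_SIZE = 256            # tiny files cannot reach high entropy, so skip them


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root: Path) -> list:
    """Relative paths of text-named files whose bytes look encrypted."""
    flagged = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        data = path.read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
            flagged.append(path.relative_to(root).as_posix())
    return flagged


def safe_to_back_up(root: Path) -> bool:
    """Gate for a backup job: refuse when any text file appears to be ciphertext."""
    return not suspicious_files(root)


def demo() -> dict:
    """Constructed sample tree: one normal note, one 'encrypted' CSV, one JPEG."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("meeting notes, nothing unusual here\n" * 20)
        (root / "data.csv").write_bytes(os.urandom(4096))   # stands in for an encrypted file
        (root / "photo.jpg").write_bytes(os.urandom(4096))  # high entropy is normal for images
        return {"flagged": suspicious_files(root), "safe": safe_to_back_up(root)}


if __name__ == "__main__":
    print(demo())
```

Only text-type names are checked because compressed formats (JPEG, ZIP, video) are legitimately high-entropy; pair this with the restore check rather than relying on it alone.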

maflynn

macrumors Haswell
May 3, 2009
73,682
43,721
Ransomware isn't about "infection" per se. The idea is the software is loaded and executed and then encrypts all your files so that you can't access them. The encryption is removed when you pay them money.

But it is
http://www.networkworld.com/article...infected-pcs-until-this-week-report-says.html

The reality of ransomware right now is that many of the devices infected will not have adequate backups installed, and even many of those who do back up files tend to find that the restore function isn't working, rendering their backups useless.
 
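A restore that "isn't working" is usually discovered too late. As an added example (not code from the thread or from Time Machine, Carbon Copy Cloner or any other product), the script below records a SHA-256 manifest of a source tree before backup and later compares a restored copy against it, reporting missing, altered and unexpected files. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken before the backup was made."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "modified": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(p for p in restored if p not in manifest),
    }


def demo() -> dict:
    """Constructed sample: a source tree, a faithful restore and a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly figures\n")
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        manifest = build_manifest(src)          # taken before the backup runs

        good = Path(tmp) / "good"               # restore that matches the source exactly
        shutil.copytree(src, good)

        bad = Path(tmp) / "bad"                 # restore made after files were tampered with
        shutil.copytree(src, bad)
        (bad / "docs" / "report.txt").rename(bad / "docs" / "report.txt.locked")  # renamed
        (bad / "docs" / "report.txt.locked").write_bytes(os.urandom(32))          # and overwritten
        (bad / "photo.jpg").write_bytes(os.urandom(68))                           # silently altered

        return {"good": verify_restore(manifest, good), "bad": verify_restore(manifest, bad)}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the offline copy, not only on the machine being backed up, so the comparison itself cannot be tampered with.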

elf69

macrumors 68020
Jun 2, 2016
2,333
489
Cornwall UK
Malwarebytes make an anti-ransomware program for Windows.
It loads as Windows does on boot.

It works really well and stops the dreaded crypto virus getting your files.

No version for Mac yet though.

I use Time Machine on all my Macs and disconnect the drive after a backup so should be ok.
 

martint235

macrumors 6502a
Apr 13, 2016
633
1,609
Still not infection, it's not entering the actual files and lying dormant, it's dormant on the PC. If you've backed up your files before it wakes, that backup is safe. You just need to ensure that when you're restoring from backup you don't bring it with you.

EDIT just to be clear I count infection as a file that either inserts itself into your files or into the registry. For ransomware, once you've reinstalled your OS the ransomware is gone.
 

JohnDS

macrumors 65816
Oct 25, 2015
1,183
249
Presumably if you had a backup, you could set the clock back on your computer and remove the ransomware from the backup.
 

maflynn

macrumors Haswell
May 3, 2009
73,682
43,721
Presumably if you had a backup, you could set the clock back on your computer and remove the ransomware from the backup.
I don't know what the trigger is, but that might be a possibility. The fact remains that these types of malware are becoming more insidious and even backups may not be safe.

So far the fact remains that OS X appears to be largely untouched, whether because those malware authors choose to focus on Windows, or because OS X has set up safeguards - or a mixture of the two.
 

997440

Cancelled
Oct 11, 2015
938
664
There was a rare instance of Mac-targeting ransomware earlier this year - KeRanger. A signed installer for a BitTorrent client, Transmission, was used as its pathway. There was evidence in the code, though possibly not fully developed, that Time Machine appeared to be an included target. KeRanger's code included a three-day delay before it would begin connecting with its control servers, then would begin to encrypt certain user files.

http://researchcenter.paloaltonetwo...ted-transmission-bittorrent-client-installer/
 

TPadden

macrumors 6502a
Oct 28, 2010
760
434
....So far the fact remains that OS X appears to be largely untouched, whether because those malware authors choose to focus on Windows, or because OS X has set up safeguards - or a mixture of the two.
Can a Bitlocker encrypted drive be "touched"?
 

maflynn

macrumors Haswell
May 3, 2009
73,682
43,721
Can a Bitlocker encrypted drive be "touched"?
You mean encrypt data that sits on an encrypted drive? I can't see why not. At the application level, the data appears to be unencrypted because the OS is handling the decryption.
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
There was a rare instance of Mac-targeting ransomware earlier this year - KeRanger. A signed installer for a BitTorrent client, Transmission, was used as its pathway. There was evidence in the code, though possibly not fully developed, that Time Machine appeared to be an included target. KeRanger's code included a three-day delay before it would begin connecting with its control servers, then would begin to encrypt certain user files.

http://researchcenter.paloaltonetwo...ted-transmission-bittorrent-client-installer/

I do not think that it would be that easy for malware to touch Time Machine without root privileges. I remember reading that there are measures even at the kernel level that prevent mere users from writing to the Time Machine disk at all. As far as Time Machine goes, you will probably be secure as long as there are no vulnerabilities in Time Machine and the malware does not obtain root privileges. It is plausible that malware could fill the computer with useless data to cause it to delete old backups though.

It deserves mentioning that once again, running as a standard user for 99.9% of the time is good advice.
 

997440

Cancelled
Oct 11, 2015
938
664
I do not think that it would be that easy for malware to touch Time Machine without root privileges. I remember reading that there are measures even at the kernel level that prevent mere users from writing to the Time Machine disk at all. As far as Time Machine goes, you will probably be secure as long as there are no vulnerabilities in Time Machine and the malware does not obtain root privileges. It is plausible that malware could fill the computer with useless data to cause it to delete old backups though.

It deserves mentioning that once again, running as a standard user for 99.9% of the time is good advice.
At the time of the incident, Dino Dai Zovi tweeted this:
Why couldn't the ransomware encrypt files in TimeMachine backups? Mac OS X uses TMSafetyNet kext to make the files immutable after creation.
https://mobile.twitter.com/dinodaizovi/status/706723421116362752

I'm not quoting this as an appeal to authority but as a possible clue for research. I haven't yet found any confirmation for the claim.
 

KALLT

macrumors 603
Sep 23, 2008
5,372
3,394
At the time of the incident, Dino Dai Zovi tweeted this:

https://mobile.twitter.com/dinodaizovi/status/706723421116362752

I'm not quoting this as an appeal to authority but as a possible clue for research. I haven't yet found any confirmation for the claim.

That’s exactly what I read about. I came across this when I tried to remove a specific file from all Time Machine backups via the tmutil command-line program, similar to the function in the Time Machine application. It turns out that the Time Machine application is the only application capable of this. Older Time Machine backups are effectively untouchable, as long as the disk remains mounted as root and the kernel extension is active.
 

thomasareed

macrumors member
Aug 24, 2015
91
91
How vulnerable should I feel ?

McAfee won't make you much less vulnerable... it pretty thoroughly sucks on the Mac. ;)

As for ransomware, currently there isn't any on the Mac. As has been mentioned, there was one - KeRanger - but it is extinct at this point.

Still, new ransomware could appear at any time, so you need to be prepared with good backups. Time Machine is a good start, although it's better for more generalized data loss, and not ideal against ransomware. It is possible for ransomware to tamper with Time Machine backups.

There has been some speculation that Time Machine backups can't be modified, but that's not actually true... I've known people to delete files from their Time Machine backups in the Finder, which can pretty thoroughly screw up the backup as a whole, often requiring erasing the backup drive and starting over from scratch. So it would definitely be possible for ransomware to damage your Time Machine backups, if they're connected to your computer when ransomware strikes.

My solution is to use Time Machine - for its convenience - as a primary backup. I also maintain a couple other, separate backups made with Carbon Copy Cloner. One of those always lives in the safe deposit box at the bank, the other is hidden around the house. I keep the one here updated frequently, and about once a month or so, I swap them, so the one in the safe deposit box is never more than a couple months old.

This protects me against ransomware, as well as against all manner of other threats - theft, fire, etc.
 