I guess so really

Victims of a major ransomware cyberattack that has spread through the US and Europe can no longer unlock their computers even if they pay the ransom.

The “Petya” ransomware has caused serious disruption at large firms including the advertising giant WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft.

Infected computers display a message demanding a Bitcoin ransom worth $300. Those who pay are asked to send confirmation of payment to an email address. However, that email address has been shut down by the email provider.

“We do not tolerate any misuse of our platform,” said the German email provider Posteo in a blog post.

This means that there is no longer any way for people who decide to pay the ransom to contact the attacker for a decryption key to unlock their computer.

“This is not an experienced ransomware operator,” said Ryan Kalember, senior vice-president of cybersecurity strategy at Proofpoint.

18 comments on “I guess so really”

  1. This lets me ask a question about Bitcoin as I’ve obviously misunderstood how it works. I thought the point of Bitcoin was that all transactions could be seen and if so the ransomware people could easily be traced once they try to spend it?

  2. You can indeed trace payments. They’ve done so. Some 30 people have paid the ransom apparently.

    What you don’t know is who owns the account.

  3. Thanks. So not dissimilar to the old days of very secret Swiss accounts then?

  4. The Bitcoin protocol does allow users to send a message alongside the transaction. This would have been a better mechanism for exchanging the decryption key than a free email address. Amateurs indeed.

  5. A really good ransomware attack encrypts the backups simultaneously, at least any backups/shadow volumes it can see, that is. A lot of people rely on the shadow volume idea and that is easily hijacked; others don’t back up local drives, which if you’re networked is reasonable as you just re-image a PC, but all too often files are stored locally by default.

    And getting everything back from off-site is often pretty tedious; a medium site may have 4-10 Tb to restore, and depending on how you plan to bring it back, that can take a serious amount of time. Large sites with 100s of Tb or Eb face a major task in actually getting the data back, just the logistics. So often they can, but it is a lot quicker and cheaper to decrypt in place for $300 per machine.

    Just FWIW.

  6. Relatively easy to clone the disk. Much easier to restore on. And these days cloud storage options solve most backup problems.

  7. I heard that the hackers have no way of decrypting your stuff anyway, so even if you pay up, you’re still screwed. Is that not the case?

  8. Tim Newman: I briefly dated their CFO.

    Had the relationship blossomed, would you have learned the spelling?

  9. @ Tim Newman “I briefly dated their CFO”

    Guillaume Texier? I must admit, I’m surprised…

  10. “A really good ransomware attack encrypts the backups simultaneously”
    How does it manage that? How does it turn off my computer, reach across to the bookcase, get the read-only hard drive off the shelf, plug it in, disable the read-only link, power back up, and then attack it?

  11. I must admit that my 8 TB documents & video disk is periodically synchronized with another, identical 8 TB disk using Free File Sync (no connection, just a user of the software).

    http://www.freefilesync.org/

    The purpose of the backup was primarily to protect against disk failure, since I lost some of my stuff back in 2004 when a power failure fried my computer and hard disk drive (I subsequently switched to a UPS-based power supply).

    Since the ransomware attacks started happening I now physically remove the backup 8 TB drive from its drive bay after each manual synchronisation and store it on the bookshelf (as jgh suggests).

    Thus if attacked by ransomware, I can just reformat the PC (including the 8 TB video device) and restore from the backup.

    Not that I fancy doing that, as restoring 8 TB worth of files takes about 4 days, but at least I have a consistently recoverable backup.

  12. I keep my hard drive backup in the wife’s studio. OK, there’s a chance of the house and studio burning down when I’m not there, but I figure if the house is on fire I can get to the studio before it catches fire, and if she decides to torch the studio I can very easily remove the drives from my computer as the HDD bay is open.


  13. Had the relationship blossomed, would you have learned the spelling?

    Nah. Part of the attraction for her was that I’d never heard of them and didn’t care.

  14. Guillaume Texier? I must admit, I’m surprised…

    Heh. CFO of a subsidiary is probably more accurate, but she got moved to HQ in some senior position.

  15. A friend of mine said his company furloughed some employees. Phones out for a day. Computers out for two days – still out. Inquiry as to status got, “Status? There is no status.”

    I asked if they’d be able to run month end. He said, “Yeah, we run it on A400. I hooked up a couple of terminals today.”

    “Hardwired?”

    “Yeah. Daisy chained ’em.”

    “Wow. I haven’t heard of hardwiring terminals in 25 years.”

  16. Yep, physical separation of drives is the best way, but you’d be in the minority I would assert. A lot of organizations use shadow volumes and these are, through various mechanisms, quite easily compromised as are network attached storage devices.

    Off site is much harder but can be done sometimes. One technique that works with some setups is to encrypt slowly, starting with unused or older files, and wait long enough to get those encrypted files down to backup, overwriting earlier copies. I know my incremental backups have a finite life before being merged, so a 2 week cycle would see me with no unencrypted files. But there are of course risks with that; the encryption itself could well be noticed (and there are utilities, one of which I use, that are supposed to be able to spot that happening).

    And note your sizes, 8 GB, we used to think that was a lot; now it is small, important, sure, but easily stored on a single physical device. Now when we talk of a company, files change every day, and the total backup of all files is probably (for a medium sized firm) 5 Tb, and getting that back on site means either hours of downloading or physical retrieval (and 6-8 Tb portable devices are readily available), and if your data is cloud stored overseas? Then imagine 10-20 Tb, then 100 Tb, then 1 Exabyte. Maersk for example probably have Eb of data that may need to be retrieved. Quite simply, that does take time.
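Comments 5, 11 and 16 circle around the same defender problem: a backup only helps if an unencrypted copy still exists when you need it, and a slow, quiet encryption run can age the clean copies out of a finite retention window before anyone notices. The script below is an added illustration written for this page, not code from the article, from any commenter, or from the utilities comment 16 mentions. It models a chain of backup snapshots as in-memory dictionaries (the file contents, dates, names and the 14-day retention window are all constructed sample values), flags files whose content jumped from low to high entropy between consecutive snapshots, and then checks whether a low-entropy copy of each flagged file still survives inside the retention window. The entropy-jump criterion, rather than a bare high-entropy threshold, is what keeps legitimately compressed files such as JPEGs from being flagged every run.

```python
import math
from collections import Counter
from datetime import date, timedelta
from random import Random

HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits near 8.0
MIN_JUMP = 2.0       # a file must rise by at least this much to be flagged


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encryption_suspects(prev: dict, curr: dict,
                        high: float = HIGH_ENTROPY, jump: float = MIN_JUMP) -> list:
    """Paths whose content jumped from low to high entropy between two snapshots.

    Requiring a jump rather than just a high absolute value avoids flagging
    files that are legitimately high-entropy (JPEGs, zips) in every snapshot.
    """
    hits = []
    for path, data in curr.items():
        if path in prev:
            before, after = shannon_entropy(prev[path]), shannon_entropy(data)
            if after >= high and after - before >= jump:
                hits.append(path)
    return sorted(hits)


def clean_copy_survives(snapshots: list, path: str, retention_days: int,
                        high: float = HIGH_ENTROPY) -> bool:
    """True if some snapshot inside the retention window still holds a
    low-entropy (plausibly unencrypted) copy of `path`.

    snapshots: list of (date, {path: bytes}) pairs, in any order.
    """
    newest = max(d for d, _ in snapshots)
    cutoff = newest - timedelta(days=retention_days)
    return any(d >= cutoff and path in files
               and shannon_entropy(files[path]) < high
               for d, files in snapshots)


# --- constructed sample data (hypothetical files, not real backups) ----------
_rng = Random(1234)   # fixed seed so the example is reproducible
PLAINTEXT = b"Quarterly figures: revenue up 3%, costs flat. " * 90
# Pseudo-random bytes stand in for the file after it has been encrypted.
FAKE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))
# A photo is high-entropy in every snapshot and must not be flagged.
PHOTO = bytes(_rng.getrandbits(8) for _ in range(2048))

DAY0 = date(2017, 6, 1)
SNAPSHOTS = [
    (DAY0,                      {"q2.docx": PLAINTEXT,       "holiday.jpg": PHOTO}),
    (DAY0 + timedelta(days=7),  {"q2.docx": PLAINTEXT,       "holiday.jpg": PHOTO}),
    (DAY0 + timedelta(days=14), {"q2.docx": FAKE_CIPHERTEXT, "holiday.jpg": PHOTO}),
    (DAY0 + timedelta(days=21), {"q2.docx": FAKE_CIPHERTEXT, "holiday.jpg": PHOTO}),
]


def report(snapshots: list = SNAPSHOTS, retention_days: int = 14) -> dict:
    """Run the entropy-jump check over consecutive snapshots, then ask whether
    each flagged file still has a clean copy inside the retention window."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    flagged, flagged_paths = {}, set()
    for (_, prev), (d_curr, curr) in zip(ordered, ordered[1:]):
        hits = encryption_suspects(prev, curr)
        if hits:
            flagged[d_curr.isoformat()] = hits
            flagged_paths.update(hits)
    at_risk = sorted(p for p in flagged_paths
                     if not clean_copy_survives(ordered, p, retention_days))
    return {"flagged": flagged, "no_clean_copy_in_window": at_risk}


if __name__ == "__main__":
    print(report())                   # 14-day window: a clean q2.docx survives
    print(report(retention_days=7))   # 7-day window: only encrypted copies remain
```

With the constructed data the document is flagged at the 2017-06-15 snapshot; with a 14-day window the 2017-06-08 copy is still inside it, while a 7-day window has already rotated every clean copy out, which is exactly the outcome comment 16 describes. In practice the same two checks would run against real snapshot metadata (or sampled file contents) on each backup job, so the alert arrives while an unencrypted copy still exists.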
