Ransomware And Other Scary Monsters

Ransomware and other scary monsters

The chances are good that you weren’t affected by the ransomware attack that began Friday and is still in progress around the world. In fact, it’s very likely that it’s not a threat to you, even if you click on its evil link. I’ll tell you some of the reasons for that. Don’t relax! You need to protect yourself against the other scary monsters arriving in your email inbox. There is a new onslaught of malicious email unrelated to the ransomware in the news, and the bad guys are only getting smarter.

You’ve already read about the WannaCry ransomware attack, which started in the UK and Spain, then rapidly spread to hundreds of thousands of computers in more than 150 countries. As near as I can tell, it starts with a click on an email link that installs a virus on an unpatched Windows computer. The virus then aggressively spreads to other unpatched computers on the network, including unpatched Windows servers. Like all ransomware malware, it acts silently to encrypt all the data files, then pops up with a demand for payment. In the case of WannaCry, the demand is small – only $300 – which makes the ransom completely disproportional to the huge damage it inflicted on hospitals and medical centers, Britain’s National Health Service, and large companies like FedEx and Telefonica. Like all ransomware, it’s impossible to know if paying the ransom will actually get the necessary decrypting key, or just make the bad guys richer because they lied about unlocking the files. At best it’s a horrible time-consuming mess for IT to clean up. At worst it kills people trying to get treatment in hospitals taken down by the malware.

Chaos ensued, the media went nuts covering the disaster, and – well, this part is a little weird. A British researcher registered a gibberish domain name that he found deep in the virus code and it accidentally turned out to be a kill switch that stopped the virus dead in its tracks. Total cost to stop the global catastrophe: $10.39.

That’s not the end of it, of course. By the end of the weekend, new variations of the virus are on the loose without the kill switch. No surprise.

But that’s also not the end of the strange things about WannaCry.

Although media reports were quick to mention that this virus attacked WINDOWS WINDOWS WINDOWS, that’s not fair. The exploit that made it possible was discovered and weaponized by the NSA. Instead of sharing the info about a potential weakness with Microsoft, the NSA kept it hidden under the silverware in a drawer in the kitchen. Shock! It was stolen and published online.

Microsoft President Brad Smith posted an article on Sunday making the quite reasonable point that governments should stop stockpiling vulnerabilities. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.” Good point.

Once it became public, Microsoft issued a patch for it in March. That’s why it doesn’t affect you. Your computer is up to date and the virus can’t hurt it.

This happens all the time. We complain about the darned updates, always restarting our computers at inconvenient times, boo hoo. Suck it up. Every operating system and every program is under relentless attack, looking for weaknesses, some way to break the system in a way that lets the bad guys take control of something. Microsoft, Apple, Google, Adobe: all are constantly rewriting their systems to prevent a newly discovered attack from working. It requires nonstop updates. We have to accept that and install the updates promptly and trust that the companies are one step ahead of the bad guys, which is no easy feat.

Why are so many computers unpatched? Two reasons:

Large companies have to be conservative about installing patches. A poorly written patch can bring down the company’s computers just as effectively as a virus. The IT departments test updates obsessively before rolling them out. It’s time consuming but it’s necessary.

The other reason is a little harder to defend. Government agencies and big companies sometimes delay upgrades because they don’t have any money. The British government decided to keep using Windows XP computers in many agencies, including parts of the National Health Service. Even worse, it decided not to purchase an extended support contract for Windows XP in 2015 to save some money. Today this seems the teensiest bit shortsighted. I suspect we will all sleep better if we don’t know how many US and state government agencies are running Windows XP computers.

Charles Stross, a well-known SF writer, wrote up Friday’s events in the form of a rejection letter for a novel that is so wildly implausible that no one would ever believe it. This is a completely accurate summary from Stross:

“One is supposed to believe that evil genius hackers (unidentified) using code stolen from the most secretive of espionage organizations by some third party (also unidentified) and released for free on the internet, took someone else’s poor quality malware (author unidentified) and turned it into a cyber first-strike weapon that causes carnage worldwide because millions of responsible computer operators fail to apply vital software security patches for months after they’re released? This beggars plausibility.

“But then it gets worse.

“In the foreground, ambulance despatch systems are going down: clinical information systems are offline: hospitals are declaring major incidents and trying to revert to paper and pen: operations are cancelled except in case of life-threatening emergencies because doctors can’t review X-rays and medical records: the entire Telefonica cellphone network stops being able to handle billing and orders in Spain: FedEx’s parcel network is inaccessible: Deutsche Bahn train signaling is disrupted across half of Europe …

“And a mild-mannered British computer security expert who is on his week off gets home from lunch with a friend, checks a work website (implausible! He’s on holiday!), sees something odd, and kills the world-threatening zero day exploit dead by registering a domain? And then takes a couple of hours to realize that the evil genius responsible for a global terror attack helpfully left an “off” switch that anyone could flip?

“I’m sorry, this is just silly.”

 


Eek! Scary monsters! What can I do?

What should you do? I’m glad you asked.

You should be scared to death to touch anything on a computer.

Not because of WannaCry. It can’t affect you, remember? Your computer installs updates from Microsoft automatically. You’ve been patched for months. If you’re a Bruceb Consulting client, then Bruceb Remote Management is also keeping other programs up to date.

The reason you should be afraid is because the bad guys are on a rampage, flooding inboxes with phony messages that are virtually indistinguishable from legitimate messages. This is one typical scenario these days:

•  A message comes in that appears to be from Microsoft or Google or Amazon or Facebook or Apple or your bank. For some plausible sounding reason, you’re invited to click a link in the message. The message appears to be legitimate in every respect. The bad guys are learning how easy it is to copy real messages – layout, logos, formatting, everything.

•  You click the link and you’re taken to a login screen for Microsoft, Google, etc. You type in your password.

•  As simple as that, the bad guys have complete access to your account. Surprise! It wasn’t really a Microsoft or Google login page. The bad guys can copy those as easily as they can copy the company’s email messages.

Now the bad guys can scoop out the contents of your email folders, or spam everyone in your Facebook address book, or muck up your Amazon account, or empty your bank account, or whatever occurs to them next.

Notice that this does not involve a virus. Nothing is installed on your computer. Antivirus software has nothing to do with this. It’s important to run security software but this is just one example to show you that the bad guys bypass ten security programs before breakfast.

There are two giveaways in  most of the phony email messages. It is up to you to be paranoid enough to check them!

The sender’s email address (the actual address, not the displayed name) is frequently not right. It doesn’t match the company supposedly sending the message.

And almost always, hovering over the link exposes that it goes somewhere eccentric that is obviously not Google or Microsoft or whatever.

Here are four examples that clients forwarded in the last week. Nitpick all you like about the giveaways. Convince yourself that you would never fall for them. And then be just as suspicious of the next one that arrives in your mailbox!

Sample virus email

Sample virus email

Sample virus email

Sample virus email

Sample virus email

Not scared yet? Go read about the malware that spread like wildfire two weeks ago. It arrived in a completely legitimate appearing Google message from someone known to the recipient, offering to share a Google Docs file. Clicking the link led to the official, legitimate, completely correct Google login screen, using Google’s authentication servers. But the bad guys were using a kink in the system that required only one more click on a typical message (“Give this app permission to . . . “), the kind that we click OK on without a moment’s thought. With that, the bad guys were in complete control of the Google account – mail, documents, contact lists, all of it. Google plugged the hole reasonably promptly. It would have been easy to fall for that one (it hit many journalists).

Sigh.

Read the Rules For Computer And Online Safety, and be careful out there!