Ransomware gets a lot faster by encrypting the master file table instead of the filesystem


#1

[Read the post]


#2

I haven’t seen many descriptions of how to avoid Ransomware, mostly because I haven’t bothered to look, cocooned in the apparent security of my Mac. But is it basically the same kind of internet-hygiene as for any other virus? i.e. Don’t be on Internet Explorer, don’t download weird files. Or are attacks more sophisticated now?


#3

It’s impossible to guard against all vectors for malware attacks, though practicing caution as you described can help. Your best defense against ransomware is a regular backup with versioning - that is, the backup should store previous versions of your files, in case you accidentally back up one that’s already been encrypted. Be aware that ransomware can also attack your cloud storage, such as Dropbox.


#4

Emailed Word docs seem the most common attack vector for successful ransomware attacks these days.


#5

An attack made all the more credible because people still send me attachments (Word and PDF files) for minimally formatted text! Just paste the relevant damn text into the email. Don’t attach it!!! Grrrr, ought to be a law…


#6

Most ransomware doesn’t need elevated privileges. This would, which makes it much less effective.

I’m waiting for ransomware that specifically targets full-disk encryption by re-encrypting the master keys.


#7

Ah, Word document viruses. Amazing how they’re still an issue after all these years. I still remember my first fights with them in the late 90s. One of the reasons one of my first steps with Word is to shut off macros, because who the heck is going to send me a text document that needs macros???


#8

It’s been a long time since I had to unerase a file, but isn’t this attack the equivalent to “recycle binning” the entire drive? Wouldn’t all the data be there and relatively easy to recover? Like a job not for the NSA but for Geek Squad?


#9

All the data’s there, but you have to figure out where one file stops and another starts, filenames, etc. I’ve had to do that a few times, but I usually ended up with some files that are perfectly recovered and others that are gibberish. Software for it might have improved since then, though.

You could probably recover specific files of recognizable file types pretty easily, especially if they’re something simple like text files. But if you’re trying to get the entire OS install and all your data back into a working state, it could be a real crapshoot.
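What post #9 describes is file carving. As an added example (not part of any post in this thread), the Python below finds where a PNG starts and stops in a raw byte dump by walking its chunk chain and checking each CRC; the sample "disk" and all function names are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    """Build one PNG chunk; used only to construct the sample image."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk_chunks(raw, cur):
    """Follow length/type/data/CRC chunks; return the offset just past IEND, else None."""
    while cur + 12 <= len(raw):
        (length,) = struct.unpack_from(">I", raw, cur)
        ctype = raw[cur + 4:cur + 8]
        data_end = cur + 8 + length
        if data_end + 4 > len(raw):
            return None                       # chunk claims to run past the image
        (crc,) = struct.unpack_from(">I", raw, data_end)
        if zlib.crc32(raw[cur + 4:data_end]) & 0xFFFFFFFF != crc:
            return None                       # overwritten or fragmented data
        cur = data_end + 4
        if ctype == b"IEND":
            return cur
    return None

def carve_pngs(raw):
    """Return (offset, length) of every PNG that validates from signature to IEND."""
    found, pos = [], raw.find(PNG_SIG)
    while pos != -1:
        end = walk_chunks(raw, pos + len(PNG_SIG))
        if end is None:
            pos = raw.find(PNG_SIG, pos + 1)  # header found, body does not validate
        else:
            found.append((pos, end - pos))
            pos = raw.find(PNG_SIG, end)
    return found

def sample_disk():
    """Constructed sample: one intact 1x1 PNG and one copy with foreign bytes spliced in."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = (PNG_SIG + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + png_chunk(b"IEND", b""))
    fragmented = png[:40] + b"\xAA" * 16 + png[40:]
    return png, b"\x00" * 512 + png + b"\xFF" * 100 + fragmented + b"\x00" * 64

if __name__ == "__main__":
    png, disk = sample_disk()
    for off, n in carve_pngs(disk):
        print(f"PNG at offset {off}, {n} bytes (no filename: that lived in the file table)")
```

Only the contiguous copy is returned; the spliced copy has a valid header but fails its CRC check, which is the "some recovered, others gibberish" outcome the post describes.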


#10

The Word docs begin with the words “Enable macro if the data encoding is incorrect” followed by random garbled text.

edit to add: it seems the larger problem is either that MS has given VBA macros the ability to run downloaded executables or that people still use MS office. I can’t decide which is worse.


#11

…pardon me while I slam my head against this desk a few times. Just enable macros if my data encoding is incorrect afterwards.

And I thought the malware emails I keep seeing reports of with a message along the lines of “just run the executable if this email doesn’t open correctly” were bad…


#12

Ransomware has been around since 2005, 11 years. The new part in 2005 was the charging for access, the ransom part; encrypting the filesystem or Master Boot Record or File Allocation Tables has been around since 1994. Viruses like Monkey and Slovak bomber would encrypt the Master Boot Record and/or files and your data would be inaccessible if they were removed improperly, but they didn’t charge for removal and access. This isn’t really a new trick. It is just a new variant.

Any smart ransomware would hit those first…THEN start on the files afterwards. I’m surprised that this combo isn’t the de facto method of attack.

Many of them already do. DiskDrill does for sure. It saves its own MFT for recovery.

While there isn’t a lot of info out yet, it appears that this is a Windows-specific vector and only affects NTFS on Windows machines. EXT4 and HFS and all the other filesystems are out of the scope of this specific malware.


#13

I think it is brilliant social engineering - and I think that un-warned and had I received such an attachment, I might have fallen for it, partially because it is hard to believe that after all these years Word is still subject to macro trojans.

As far as the social engineering goes, I see similar messages all the time in legitimate situations, such as all the web pages that tell me to turn on java scripting, or warnings in emails that the email won’t format correctly if I have HTML turned off.


#14

There is nothing fundamentally new in terms of how ‘ransomware’ gets onto the system, typically application or plugin exploits, or social engineering.

The one nasty little twist is that encrypting all your files isn’t a privileged activity from the perspective of your computer; so unlike the more traditional rootkits and such the attacker doesn’t need a privilege escalation vulnerability or to trick you into accepting a privilege escalation request. Some ransomware variants may use admin rights if they have them, just to dig in deeper or throw up scary bootsplash screens or whatever; but the genre is founded on the fact that most of the files you actually care about are owned by you; while the Vital System Files are well protected; but can be restored in maybe an hour from install media.


#15

The really horrible part? I work in the IT department of a college campus. The chair of our Computer Science department has been hit by malware in just this way at least three times. Having taken a class or two with him, I’m really not sure why we even let him have a campus provided computer, but it’s certainly not my decision.


#16

You sir, need to live up to your name


#17

“Drive-by” infections from ad networks and emails that are a lot like Phishing messages are the 2 causes I’ve seen. Specifically emails trying to convince you they contain legal documents or other must reply data. I keep a Linux VM around for checking the file extension and erasing the emails from the webmail.

Having good backups and doing wipe/reinstall (or replace drive/reinstall) seem to be the best tactic for fixing it. When the ransomware starts revising the BIOS or writing to PRAMs elsewhere in the system (Videocard firmware for example) is when things will be really awful. It also doesn’t seem to travel much out of the original infected PC.

A good ad-blocker is at least as important as a good antivirus program these days. Or you could upgrade to Linux :slight_smile:


#18

It’s aspirational. :smiley:

I consider myself a skeptic because I know I can be fooled, not because I think I can’t.


#19

Makes total sense, thanks.


#20

Isn’t the disk theoretically vulnerable as long as it’s partitioned with an MBR? It shouldn’t matter what filesystems the partitions contain.

I’m curious whether a similar attack could be made against a GPT or disklabel.