Fall 2020: Ransomware Still Hurts

I was at cruising altitude over the mid-west the first and only time I watched ransomware bite a victim. I had tried not to listen as the lady sitting next to me placed a call using the old-style in-flight cell phone mounted on the bulkhead in front of us. I used to fight for those delightful 737 bulkhead seats with a few inches extra leg room. Later, she asked me if I knew what to do about the blue screen on her laptop. I would have told her not to make the call if she had asked me earlier. A full-screen message in fixedsys hardware font instructed her to call a 900 number to fix her laptop. She said she had been charged a hundred dollars for the call and she gave them her credit card number. Clearly exasperated, she still couldn’t use her laptop.

Oh boy, I thought. This person is in for trouble.

That must have been over twenty years ago. Ransomware attacks have become more frequent and vicious in 2020. IT departments are more familiar with ransomware and better at recovery, but the attacks are still nasty: the cost of each attack on U.S. businesses averaged over three-quarters of a million dollars, which I suspect is under-reported because cyber-insurance often pays up on ransom demands, but insurers don’t like to reveal that they are easy targets. Despite the costs, close to 95% of victims get their data back. The majority restored their data from backups, but over a quarter paid the ransom. See the Sophos 2020 ransomware report.

Attacks on federal, state, and local government have increased and voting places are subject to disruption through ransomware. There are hints that this increase is from cyberattacks from hostile countries, but there is also big money in hacking, so don’t discount greed as motivation.

What Is Ransomware?

Ransomware is a malicious attack on a device that disables the device and extracts some form of payment from the device owner to return the device to normal. As hacks go, ransomware is a relatively simple way for unorganized hackers to extract money from computer networks. Unlike the case of the lady on the plane, hackers usually encrypt critical data and demand payment for decrypting it. Ransomware has encrypted hospital data files and caused at least one death. Payment is usually demanded in cryptocurrency, which is harder to trace than ordinary credit card payments and cash transfers, but not impossible.

Ransomware’s starting point is usually social engineering in the form of a phishing expedition: email that tricks users into installing malicious code. The sudden transition to working from home this year has increased confusion at work, particularly around IT, which is a gift to hackers. Unfamiliar work equipment and routines have made tricking users into unwise clicks easier. Fake invoices and made-up court cases are favorite phishing tackle for luring in unsuspecting victims.

These days, who can resist a friend’s urging to click on a tear-jerking web site, or a friendly IT guy asking for your password? Make sure the person asking is really your friend, not a masquerading criminal, and be extremely cautious about giving out credentials like passwords. Make anyone who asks for them explain exactly why they need them, and don’t be shy about making phone calls for verification.

Good News for Individuals

I have not seen reports that ransomware attacks on individuals have increased, perhaps because hacking businesses, healthcare facilities, and government is more lucrative. IBM reports a shift toward deep-pocketed large corporations as targets, especially manufacturing, which is perceived as more sensitive to downtime.

Still, I haven’t heaved any sighs of relief: DIY ransomware kits are easy to buy and do not require much expertise to use, encouraging amateurs to try their hand at terrorizing their friends and neighbors, and the pandemic has made keeping your cool under attack more difficult.

Protect Yourself

Your most effective protection from infection is not to get infected. To protect yourself, follow elementary computer hygiene:

Elementary Computer Hygiene
  • Beware of social engineering
  • Use strong passwords
  • Download and install with caution
  • Patch operating systems and applications
  • Avoid dodgy sites
  • Scan regularly for malware

For more explanation of elementary computer hygiene, see Six Rules for Online Security.

Windows Defender Anti-Ransomware

Windows 10’s anti-ransomware facility is excellent in theory, but can be annoying in practice.

Ransomware protection is buried in Settings under “Update and Security.” Choose “Windows Security” from the menu on the left, then click “Virus & threat protection.” A new window will pop up. You may have to scroll down to see “Ransomware protection.” Click “Manage ransomware protection.” Turn the “Controlled folder access” switch on.

With “Controlled folder access” on, Windows 10 blocks unrecognized programs from accessing files in a set of critical directories (folders). In theory, this will prevent ransomware from touching your treasured data and documents. How well this will work in practice depends on how well your use of your computer corresponds to Microsoft’s notion of typical usage. If you install lots of applications and add folders for yourself outside the norm, you may have to change the lists of protected folders and permitted programs.

If your computing life is pure vanilla, or you continually reconfigure controlled folder access as your use of your system changes, this is excellent protection; exactly what a good IT department does to protect corporate assets. But if you don’t take the trouble to keep the system properly configured, it will drive you up a wall.

I use Windows ransomware protection and like it. However, the fact is, an individual who follows basic computer hygiene is not likely to suffer a ransomware attack, and the effort to keep this facility configured may not be worth the trouble. Protected folders decrease your risk, but not as much as basic hygiene.

When You Are Attacked

If you are invaded by ransomware, backups are your best assurance of successful recovery from an attack, but they must also be protected. Cloud storage, such as Dropbox, Microsoft OneDrive, or Google Drive, helps, but is not absolutely foolproof. Smart hackers encrypt your backup copies as well as your originals. This is why simply copying your files to another disk drive on your desktop is not adequate protection. Secured cloud backups are much safer. An external disk drive that you switch off or disconnect when not in use is not convenient, but ransomware can’t get to a disconnected or powered-down drive.

A vulnerable file contains anything that will cause you distress if lost. Oddly, if you bought the content, you probably don’t have to worry much about backing it up. You can almost always get a replacement copy, but material you created yourself, paid someone to create for you, or were given as a gift is often hard or impossible to recreate. Photos, videos, and sound recordings are in this category.

Don’t fall into the trap of blind faith in your backups. Your enemies are broken media and backup programs that don’t copy everything you value. Test them periodically. Make sure they are actually backing up your critical files. A business with valuable assets at stake should rehearse restoration. But they seldom do.
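The test the paragraph above calls for can be scripted. The following is an added example, not a tool from the original post: it hashes every file under a source folder and checks that the backup holds an identical copy, reporting files the backup job missed and files whose copies are corrupt or truncated. The folders and file contents are constructed for the demonstration; point `verify_backup` at your own document folder and its backup to use it.

```python
"""Check that a backup actually contains every file you care about, byte for byte.
Added example; the sample folders built in build_demo() are constructed, not real data."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large photos and videos do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare every file under `source` with its counterpart under `backup`.

    Returns a report with three lists of relative paths:
      ok         - present in the backup with an identical hash
      missing    - not present in the backup at all
      mismatched - present but with different contents (truncated, corrupted, or stale)
    """
    report = {"ok": [], "missing": [], "mismatched": []}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_of(copy) != sha256_of(src_file):
            report["mismatched"].append(rel.as_posix())
        else:
            report["ok"].append(rel.as_posix())
    return report


def build_demo() -> dict:
    """Constructed sample: a three-file 'source' and a backup that is silently incomplete."""
    root = Path(tempfile.mkdtemp(prefix="backup-check-"))
    source, backup = root / "source", root / "backup"
    (source / "photos").mkdir(parents=True)
    backup.mkdir()
    (source / "thesis.docx").write_bytes(b"years of work")
    (source / "photos" / "grandkids.jpg").write_bytes(b"\xff\xd8\xff fake jpeg bytes")
    (source / "taxes.xlsx").write_bytes(b"2019 return")
    # The backup job copied the document correctly ...
    (backup / "thesis.docx").write_bytes(b"years of work")
    # ... wrote only part of the photo (a truncated copy is the classic "broken media" failure) ...
    (backup / "photos").mkdir()
    (backup / "photos" / "grandkids.jpg").write_bytes(b"\xff\xd8")
    # ... and never picked up the spreadsheet, because its folder was not in the backup set.
    return verify_backup(source, backup)


if __name__ == "__main__":
    rep = build_demo()
    for status in ("missing", "mismatched", "ok"):
        for rel in rep[status]:
            print(f"{status:10s} {rel}")
    if rep["missing"] or rep["mismatched"]:
        raise SystemExit("backup is NOT trustworthy; fix it before you need it")
```

Run it on a schedule, not once: a backup that passed last year can fail quietly after a drive starts dying or a new folder is added outside the backup set.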

Phones, Tablets, and Apple

Personally, I don’t worry about ransomware on my phone because I don’t keep much data there. If I am ever hit with ransomware on my phone, I plan to do a hard factory reset, restore my contacts and stored photos from the cloud and go on my way. Whether you need to worry about ransomware attacks on your tablets depends on how you use them. I have two Microsoft Surface tablets that I use much like laptops. I protect them as if they were a laptop or a desktop.

I am not a heavy Apple user or an expert, but Apples have no special protection against ransomware, although the Apple “walled garden” enforces basic hygiene somewhat better than Windows, so they may be a bit less susceptible.

Final Word

Elementary computer hygiene is the secret to avoiding ransomware and a host of other computer problems. I never knew the outcome of the episode with the woman sitting next to me, but her first mistake was ignoring hygiene rule one: she was socially engineered into making that phone call.

New Normal: Covid Phishing

It’s summertime and the living’s easy… The covid-19 weather is perfect for successful phishing expeditions, emails designed to trick you into jeopardizing your computer, your finances, or your business.

The other morning, after scanning incoming email and doom scrolling the news (checking for new trouble on the current events horizon), I went to the kitchen for a glass of water. Ten minutes later, I returned to my desk with a dry throat. I had put the breakfast dishes in the dishwasher, taken out the trash, and watered the rose bush, but I forgot to get a glass of water. Preoccupation with the virus and the economy has turned my life into a struggle to stay on subject, and from what I read, I am not alone.

I got an email yesterday from PayPal about a charge to my account. That was strange. I don’t have a PayPal account. My wife and I do use PayPal, but the account is in her name because in our marriage’s division of labor, I wash the dishes and she pays the bills. Luckily, I focused my concentration long enough to spot some clues that the email was not from PayPal. I forwarded the email to PayPal’s phishing detection email address. A few minutes later I was rewarded with a return email confirming my suspicion. I permanently deleted the phony email and breathed the sigh of relief that comes after dodging a bullet.

That was close. I could easily have missed the clues in my currently distracted state and clicked on a link in the email, starting down a path toward a hacked computer, a ton of hassle, and likely a hit on our bank account.

This evening, instead of doing the dinner dishes, I’ll sidetrack into some hints on how to detect a phishing attempt.

Rule #1 when dealing with phishing attempts: when reading any email, don’t click on anything, don’t allow images to display, don’t call phone numbers, or send messages until you are sure the email is genuine and not a phishing expedition.

Your email client, the computer application you use to view emails, should be configured not to automatically display images from untrusted sources. This is the default for most clients. If a box pops up asking if you want images displayed, take a second to think: can I trust this sender? The problem is that when your computer reads an image file, it runs a program to convert the zeroes and ones in the file into an image you can see. Hackers doctor images to run malicious code embedded in the image file. Your operating system and email client make this difficult, but hackers are always looking for new ways to do this kind of stuff.

Here are a few points to consider:

  • Criminals know that many of us worry a lot these days and they know how to take advantage of your fraught state. If you receive an email that raises a worrisome possibility, think twice and turn up your fraud sensors. The fact that I do not have a PayPal account in my name was a whopping clue, but I could have missed it because the email brought up a disturbing possibility: it claimed someone had charged an expensive video game to my account, exactly what would happen if a criminal script kiddie got access to my PayPal account. In my current distractible state, the haze of worry could easily draw my attention from the precautions I would ordinarily have taken.
  • Phishermen try to force your hand. Click HERE. Call THIS NUMBER. You must respond NOW. Emails that feel like frantic attempts to get a response are suspect. My wife and I do buy video games occasionally, mostly for our grandsons. The charge could have been legitimate, but this email insisted that I click or call immediately. That is not normal. A legitimate warning would simply point out unexpected charges, not insist on immediate action. Again, cause for doubt.
  • Look at links and email addresses carefully. On most browsers, when you hover over a “live” link, the actual address will pop up somewhere, usually the lower left corner of the window. Look at those little popups. When reading internet addresses, the most significant part of the address is to the right. “support.microsoft.com” is the support division of Microsoft Corporation. “microsoft.suport.ru” is some unknown “suport” site in Russia that has nothing to do with Microsoft. Also, be on the alert for subtle typos and misspellings. If you see “mcrosoft.com” you can be pretty sure some hacker is trying to trick you.
  • When you have doubts, suspicions, or tiny qualms, you can always contact the sender and ask. But not via links, numbers, or addresses in the suspect email. I googled “PayPal phishing” and quickly found instructions for dealing with suspicious PayPal emails from the official PayPal site.
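The third point above, reading an address from the right and watching for near-miss spellings, can be turned into a small check. This is an added example, not code from the original post or from PayPal or Microsoft; the `EXPECTED` list of brands and their genuine domains is constructed for the demonstration, and the two-label rule for the registrable domain is a simplification that ignores suffixes such as co.uk.

```python
"""Inspect a link the way the bullet above describes: the rightmost labels decide who owns it.
Added example; EXPECTED is a constructed list of brands the reader actually deals with."""
from urllib.parse import urlparse

# Brand -> the domain you expect that brand to use (constructed for this example).
EXPECTED = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
}


def registrable_domain(host: str) -> str:
    """Rightmost two labels: the part a registrar hands out and the part that counts.
    Simplification (an assumption of this example): multi-label suffixes like co.uk are ignored."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(url: str) -> dict:
    """Classify a link as 'match', 'lookalike', or 'unrelated' against the brands in EXPECTED."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    name = domain.split(".")[0]
    # A brand name that appears left of the registrable domain is the classic trick:
    # microsoft.suport.ru is a "suport.ru" site, not a Microsoft one. (Substring check; heuristic.)
    brands_in_subdomain = [b for b in EXPECTED if b in host and b not in domain]
    for brand, good in EXPECTED.items():
        if domain == good:
            return {"host": host, "domain": domain, "verdict": "match", "brand": brand}
    for brand, good in EXPECTED.items():
        good_name = good.split(".")[0]
        # One or two typos away from the real name (mcrosoft.com) is also a lookalike.
        if edit_distance(name, good_name) <= 2 or brand in brands_in_subdomain:
            return {"host": host, "domain": domain, "verdict": "lookalike", "brand": brand}
    return {"host": host, "domain": domain, "verdict": "unrelated", "brand": None}


if __name__ == "__main__":
    for link in (  # constructed sample links
        "https://support.microsoft.com/help",
        "https://microsoft.suport.ru/login",
        "http://mcrosoft.com/",
        "https://www.paypal.com.account-verify.example/signin",
        "https://news.example.org/",
    ):
        r = inspect_link(link)
        print(f"{r['verdict']:10s} {r['domain']:30s} {link}")
```

A "lookalike" verdict is a reason to stop and contact the company through an address you already know, as the next bullet says; an "unrelated" verdict only means the link is not pretending to be one of your listed brands.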

The summer of 2020 is tough. Don’t make it worse by letting some crudball take advantage of your concern for yourself and your neighbors.

Zoom Steps Up

If you host Zoom meetings you probably received an email from Zoom today. They’ve made some changes to the default settings for meetings that will appear Sunday, April 5. Good changes. Bravo! Let’s hope they continue to step up.

With the announced changes, Zoom defaults to meetings with waiting rooms and passwords. These defaults will make zoom-bombing harder. I hope the Zoom devs are also fixing some of the other troubles that are not so obvious to users. This is the way I expect responsible software developers to work.

The Zoom interface is well-designed. I’ve been comparing online meeting platforms this week and Zoom is still tops with me, both in ease of use and performance. Without instrumentation, getting a meaningful read on performance is difficult because it depends on network conditions at least as much as the meeting platform. However, in my limited experience, Zoom yields a smoother meeting with fewer jerks and breakups than other platforms I’ve tried since social distancing began. Online synchronized swimming instructors take note.

Go Zoom!

Zoom Redux—More Issues

This morning, I heard about another point of caution with Zoom. I’ve added two bullets to yesterday’s post on using Zoom. I will discuss them here. Also, if you are contemplating using Zoom in your business, you may want to read my note to businesses below.

Unsafe links

Unsafe links can appear in the Zoom chat windows that folks use for sidebar text conversations during meetings. Participants can place live links in their chat. If hackers insert a link that refers to the local network, clicking the link can reveal credentials for logging onto computers on your local network.

By using a web browser rather than the app, you can avoid this issue. However, Zoom can be persistent in trying to get you to use their app. If you don’t know your way around computing, you might be using the app and not realize it.

Zoom is said to be working on a fix, but until the fix is in place, don’t click on links in Zoom chats. Not all links in chat are dangerous, and not all local networks are vulnerable. For example, clicking on an HTTPS link to a well-known public site is likely to be safe. Also, if your local network has port 445 (the SMB port) locked down, you aren’t vulnerable. If this is gobbledygook to you, just don’t click on links in Zoom chats unless you are certain that the participant who posted the link is who they say they are, and you trust them. In fact, you should always be cautious about clicking on any link anywhere. If you don’t have a good reason and are not sure where the link will take you, any link can lead to danger.
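For readers to whom the paragraph above is not gobbledygook, here is the distinction it draws, written as a triage routine. This is an added example, not code from Zoom or from the original post: it sorts links pasted into a chat into ones that point at the local network (UNC-style file-share paths, file: URLs, private or loopback addresses, bare LAN host names), plain-HTTP links that deserve caution, and public HTTPS links, and it includes a simple check of whether anything is listening on port 445 at an address you give it. The chat lines are constructed; treating bare names and `.local` names as LAN hosts is an assumption of the example.

```python
"""Triage links from a meeting chat before anyone clicks, and check whether SMB (port 445)
is reachable on a host you own. Added example; CHAT_LINKS is a constructed sample."""
import ipaddress
import socket
from urllib.parse import urlparse

CHAT_LINKS = [  # constructed sample, not from any real meeting
    "https://support.microsoft.com/en-us/windows",
    "\\\\fileserver\\shared\\agenda.docx",
    "file://printer01/scans/notes.pdf",
    "http://192.168.1.20/agenda.html",
    "http://example.org/slides",
    "https://intranet/wiki",
]


def triage_link(link: str) -> dict:
    """Return {'link', 'verdict', 'reason'} with verdict 'local', 'caution' or 'public-https'."""
    text = link.strip()
    if text.startswith("\\\\"):
        return {"link": link, "verdict": "local", "reason": "UNC path to a file share"}
    parsed = urlparse(text)
    scheme = parsed.scheme.lower()
    if scheme in ("file", "smb"):
        return {"link": link, "verdict": "local", "reason": f"{scheme}: URL, not a web site"}
    host = (parsed.hostname or "").lower()
    if not host:
        return {"link": link, "verdict": "caution", "reason": "no host name in link"}
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. A name with no dot, or a .local name, resolves on the LAN
        # rather than on the public internet (assumption of this example).
        if "." not in host or host.endswith(".local"):
            return {"link": link, "verdict": "local", "reason": f"LAN host name '{host}'"}
    else:
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return {"link": link, "verdict": "local", "reason": f"private/local address {host}"}
    if scheme != "https":
        return {"link": link, "verdict": "caution", "reason": f"not HTTPS (scheme '{scheme or 'none'}')"}
    return {"link": link, "verdict": "public-https", "reason": f"public HTTPS site {host}"}


def smb_port_open(host: str, timeout: float = 1.0) -> bool:
    """True if something accepts TCP connections on port 445 at `host`.
    Run it against your own machine's addresses to confirm SMB is not exposed where it
    should not be; if the port is locked down, this returns False."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, 445)) == 0


if __name__ == "__main__":
    for link in CHAT_LINKS:
        r = triage_link(link)
        print(f"{r['verdict']:12s} {r['reason']:35s} {link}")
    print("port 445 open on loopback:", smb_port_open("127.0.0.1"))
```

The "local" verdict is the one the paragraph warns about: such a link does nothing useful for a meeting participant outside your network and is exactly the kind a host should remove from chat and ask about. Note that `smb_port_open` only tells you whether the port answers from where you run the script; a firewall rule that blocks 445 at the network edge is what the paragraph means by "locked down".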

Waiting rooms

I also added a bullet suggesting using Waiting Rooms. Instead of allowing anyone with a link to directly enter a meeting, participants enter the waiting room and wait until the host invites them in. This gives the host more control of who enters the meeting. Strictly controlling meeting links and meeting IDs is more important, but when you are forced to make a meeting accessible to participants you can’t control via distribution of the meeting links and IDs, a waiting room is helpful.

A note to businesses

The recommendations here do not apply to businesses, which face problems that individual users do not. A business with substantial networked assets must protect those assets. In the rapid transition to working from home that is going on now, businesses are forced to give employees access to assets, like shared documents and applications, held in their private network. Remote workers access these assets from outside the traditional business perimeter. Zoom may appear to be a ready and easy-to-use solution, but there are other solutions that have been used longer in business environments and have undergone more rigorous vetting as methods of sharing resources. For example, Zoom’s unsafe links are based on file-sharing vulnerabilities that IT pros have dealt with for decades.

Zoom’s data sharing proclivities are annoying to individuals, but may be outright threats to businesses.

Treat Zoom cautiously as easy-to-use meeting software. You will probably need more than Zoom to support your newly remote workers. Don’t try to stretch Zoom farther than it was designed. Invest in training and more robust solutions when you need them. You will not regret that decision.