Last week we wrote about “ransomware from afar” – attacks in which cybercrooks apparently aim ransomware at you across the internet.
Whether they hack someone else’s computer on which to run the malware program, or deliberately set up a sacrificial laptop or virtual machine (software-based computer) of their own, the outcome is the same.
The point is that many ransomware samples, with no modification or reprogramming needed, automatically scramble any and all connected drives they can see when the malware kicks off.
That pretty much guarantees that your C: drive will get zapped, because almost every Windows user has one of those, but if you also have an S: drive, for example, mapped across the network to access the company’s shared server folders…
…then you can kiss all that data goodbye, too.
The servers get affected even though it’s you who’s infected.
In other words, if the crooks can find any devices on your network that have inadvertently been shared out on the internet, and if they can guess your password, then they can map your files as a shared drive on their sacrificial computer.
Then they can take you down with ransomware, without any malware infection ever showing up on your devices.
Those shared folders could be on your laptop or on your NAS (network attached storage) device, but the outcome is the same: an extortion demand offering to let you “buy” the decryption key to get your precious files back.
Learn how this sort of attack can happen, and how to stop it:
(Watch directly on YouTube if the video won’t play here.)
By the way, if you like the shirt in the video (who doesn’t?), head to https://shop.sophos.com/ to buy one of your own.
Anthony Maw
This is rubbish click-bait material total waste of time watching it. I expect better from Sophos. Sorry to be so frank but the scenarios described by this actor/expert are just not realistic.
Paul Ducklin
And yet: Shodan reveals anywhere from tens to hundreds of thousands of exposed Samba shares at any moment (try it yourself); crooks know how to use Shodan to find them; people still choose poor passwords that are easily guessed; and deliberate remote ransomware attacks do indeed seem to be happening.
So for all that “the scenarios described are not realistic” they are nevertheless real.
Put that in your hypercritical pipe and smoke it!
Athanasios Kalavritinos
Are you saying people don’t use DMZ? I’ve seen it recommended on forums many times.
I don’t see why it’s so far fetched that hackers could get in this way. Seems trivial to me and could be automated.
Paul Ducklin
For “could be” I think you can probably say “already has been” :-(
Gwen Bee
I have my personal files on a USB drive with full drive encryption. I see on my Windows 10 laptop that the drive is not shared. Does this mean that the drive is “safe” from ransomware?
For that matter, I notice that the Windows drive (c:\) is not shared either. Safe?
Paul Ducklin
If C$ is not shared (use the command line to check) then it can’t be reached over the network by file sharing, which is good.
If your USB drive is not unlocked via BitLocker then its data can’t be viewed (raw encrypted data is just so much shredded cabbage).
If your USB drive is nevertheless plugged in then it could be wiped (for example by being reformatted with disk manager) by someone with the right level of access – such as malware running as Admin.
So I recommend that you unplug the drive when you are not using it. It’s a simple precaution that will prevent accidents.
Gwen Bee
Another comment/question: I have a SSD drive attached to my Lenovo dock by USB. This drive is fully encrypted with Bitlocker on Windows 10 (side note: I don’t like Bitlocker) and is a back-up for my primary data drive (encrypted). Is the Bitlocker SSD drive vulnerable if it is physically attached to the computer but is not mounted (ie: not loaded into Bitlocker)?
Windows 10 recognizes this drive as being a “Bitlocker” drive, whereas USB thumb drives I have encrypted with Truecrypt and its descendants are only recognized as “there’s something present but we don’t know what it is”.
Thanks!
Paul Ducklin
If you haven’t entered the passcode to unlock the encrypted device then the individual files on it are essentially invisible to everyone (including the operating system). It’s just a low-level hardware device containing a sequence of incomprehensible data sectors.
But there is no point in leaving a removable drive (the hint is in the name) plugged in and accessible as a physical device when you are not using it. The best that can happen to it is nothing and the worst is that you (or a crook with Administrator powers) might do a low-level wipe of it by mistake.
Unplug it when not in use.
Matt Parkes
For those in the UK and possibly further afield using consumer grade routers provided by the ISP such as Sky TV or Virgin Media in the UK, I don’t think the built in firewalls in these devices work based on the support forums. I know the ones on mine certainly don’t and there is no DMZ or ACL’s to be configured. You need to buy your own router and turn the ISP one into modem only mode and then set up and segment devices and the internet gateway properly – would be great to see an article or series of articles from you guys on this aimed at consumers. What do you think?
Paul Ducklin
Yes :-)
We already touched on the “put your own router behind the ISP’s router” in a recent podcast, for those interested in learning more right now:
https://nakedsecurity.sophos.com/2019/03/27/ep-025-business-email-compromise-and-iot-surprises-podcast/
(Fast forward to 13’30” for the section on IoT, UPnP, routers and locking things down.)
Dick
Why would encrypting your data keep it safe from malware encrypting it again, or am I missing a point here?
Paul Ducklin
It doesn’t. An encrypted file is no use to the crooks, but if it gets encrypted again by those crooks, it’s no use to you, either. The main purpose of keeping data encrypted – especially backups – is to prevent it being *read* by someone who isn’t supposed to see it, rather than to prevent someone *overwriting* it and thereby destroying it. In short, encrypt always and anyway… just as the T-shirt says.