Ludovic Frank - Freelance developer

Ransomware, how to protect yourself? Prevention or cure?

ionicons-v5-k Ludovic Frank Nov 23, 2020
63 reads Level: intermediate

The idea for this article came to me when I was looking at the Zataz home page. Indeed, in these times of crisis, ransomware attacks don't seem to stop.
The aim of this article is to explain what ransomware is, how it works and how to protect yourself against it. And how to protect yourself?
I'm not going to cover everything, because ransomware comes in all shapes and sizes.
For example, the "Ryuk" ransomware is of the very violent kind...

Asymmetric encryption

Before talking about ransomware itself, we need to talk about the basics of how it works. In computing, there's what's known as asymmetric encryption (there's a link to it in the "technology watch" section).). To put it simply, asymmetric encryption relies on two keys (files containing text being a digital key), a public key and a private key, a public key being linked to its private key and vice versa.
the link between the two is a bit like a physical lock and a physical key: a key works in a lock, and a lock accepts only one key (basically, of course, there are more complex physical locks and physical keys).

The private key

As its name suggests, this key is "private", meaning that it should not normally be divulged. Without this private key, it is impossible to recover data encrypted by a corresponding public key.
The private key can be used for other purposes, such as signing data or generating the corresponding public key (if lost, for example), but in the case of ransomware, this part is of less interest to us.

The public key

This can be divulged, and is used to encrypt data that can only be decrypted by the owner of the private key. It can also be used to verify that data has been signed by the corresponding private key.... as with the private key, this part is of less interest to us in the case of ransomware.

Was asymmetric encryption created for ransomware?

Fortunately, no. Asymmetric encryption is used everywhere, and even on this page you've used it without realizing it. Look at the address bar, see the little padlock? This padlock means that my site operates in HTTPS, so you're securely connected to my server. When your browser connects to my server to retrieve the page, my server sends it its public key (my SSL certificate containing the domain name developpeur-freelance.io domain name). Once your browser has my public key, it can begin the "handshake": your browser and my server talk for a few milliseconds, using asymmetric encryption, to decide on a key.to decide on a symmetrical key to use for the rest of the communication (asymmetrical encryption is slower than symmetrical).
Once they agree, they use a key they both know to continue communication for a set time (this parameter is chosen by me in my server configuration).

This is just one example of how asymmetric encryption is used, but it's really everywhere, for example when you connect to a remote server using "SSH", in Windows (and other operating systems) when you launch a software program, or when you use a remote control.operating systems), when you launch a program, it is signed with a private key, and Windows uses the public key to verify the signature and data integrity (to prevent malware)... etc. everywhere!. etc. everywhere! :p

The essence of ransomware

Now that you've briefly understood what asymmetric encryption is, it should be easy for you to understand the basic workings of ransomware.

The ransomware will request (from a remote server, for example) the generation of a set of private and public keys, and the remote server will communicate only the public key to the ransomware.of course, the remote server will NOT give it access to the associated private key.... and that's the whole point of malware. Once it has encrypted everything it can (be it a local machine or the entire company network), it will display a message asking you to pay very large sums to recover the data. Encryption times vary, with the most sophisticated ransomware capable of encrypting a machine in ... 5 minutes, yes, it's totally bluffing.

So, do you get the idea? When a victim pays to get their data back, well... they're simply paying to get back the private key associated with the public key used during encryption to decrypt the data.

How do you catch ransomware?

Here, I'm only going to cover the classic cases, because, as explained above, there are far more sophisticated methods, and new ones are appearing every day... for example, by exploiting security flaws in operating systems - even if Microsoft is doing an excellent job in this area (let's face it) - some information systems are not up to date, and therefore vulnerable to certain flaws that are exploited by sophisticated software.

The classics are often the same:

  • The attachment in a strange e-mail: Don't open any dubious attachment. Even if you know the sender, it's not impossible that he or she has been hacked and is therefore sending you a malicious file unintentionally.
  • If you find a USB key on the floor, never insert a USB key of unknown origin into your machine. There are USB sticks that emulate a keyboard, enabling you to execute commands on your machine very quickly, and there are even some that simply "fry" the machine into which they are inserted.
  • When surfing the Internet, don't click on anything and everything, don't download anything ... etc., stay vigilant.

Ransomware, how to protect yourself?

There's no miracle solution, the only thing is prevention. Once an attack is underway, it can be very complicated, which is why more than a quarter of victims pay the ransom.

Keep your information system up to date

I'm not talking about Microsoft feature upgrades, which are best postponed in a corporate environment, but about security patches, such as the famous "Patch Thuesday". Blocking security updates is never a good idea.

Training employees

It's important to train your staff in IT security. An employee who clicks carelessly on the wrong attachment, or inserts a USB stick, will do so.An employee who clicks carelessly on the wrong attachment or inserts a USB stick will do so, because "he doesn't know", and then, later on, he'll be in a tricky situation, because he'll "blame himself" for having done so. Yes, but he didn't know. It's not his job, and he hasn't had the necessary training.

Having an effective backup strategy

In my opinion, this is the key point. Backup, often neglected, is an extremely important point, but it must be done correctly.
Let me explain, for example, if your backup is located on the same open-access network as your original files. Well, this backup is ABSOLUTELY useless... In fact, ransomware will encrypt or delete this backup... and you're right back where you started.

Several ideas for an effective backup:

  • Backups must be incremental, and it must be possible to go back in time (for example, one day before the attack?). Even if the backup system foolishly backs up files once they have been encrypted, it will be possible to go back in time, before they were encrypted.
  • Off-line backup: Back up data punctually and store it on a machine (or hard disk) not connected to the network, or on a separate network.
  • "Push" backups to a remote machine while preventing the "listing" or deletion of remote data, and allowing only new backup data to be sent, without allowing it to delete existing backups.

A concrete example of efficient backup :
Let me explain how one of my backup systems works.
Every night, the contents of my servers are backed up encrypted and incrementally on dedicated machines, with each server having its own account to limit damage in the event of a problem. As explained above, the problem is that if a server is compromised, malicious software will be able to access remote backups, so how do we deal with this?

The machines used for backups have a "file system" designed for this purpose, called "BTRFS"."So if a server is compromised and the attacker deletes the "remote backups", he can't delete the snapshots... he thinks he's deleted everything, but in fact he hasn't. But that's not enough.
But that's not enough, if the backup server itself is compromised, if the attacker is very sophisticated he'll get the IP address (not publicly broadcast) of the backup server and try to attack it directly... So, how do we deal with this?

Every day, another machine that is not exposed to the Internet connects to the backup machines and makes a copy of the data contained on the backup machines and sends it to another site ("in the Cloud"). This machine has no open ports, no authorized inbound connections, and since it connects to the backup machines (and not the backup machines that connect to it), if the backup servers are completely compromised, the attacker will be able to access the data from the backup machines.If the backup servers are completely compromised, the attacker will NOT be able to access this machine, since at no time do the backup machines connect to it (and therefore no authentication data is stored on the backup machines). The technology used for the backup on another site gives me a 90-day history on each saved data (in addition to the previous hysterization).

Finally, from time to time (once a month), I copy the backed-up data to an external disk, which is always offline.

Conclusion

That's it, this article is coming to an end. I've tried to make a rather specialized subject as easy to understand as possible, and I've deliberately omitted certain subjects to keep them accessible and understandable to as many people as possible.