Fool me once, shame on you. Fool me twice…
A service I subscribe to confirmed a recent problem was ransomware. They’re back, but it raised some questions in my mind.
If the ransomware authors were able to “infect” the system, then there must be a weakness somewhere that allowed them to access and take control of the system. Even if they had very recent full image backups and restored them within a few hours, it seems to me that whatever the weakness was would still be in place and the ransomware folks could simply attack again.
Are there any other things they could / should be doing to prevent a repeat of the attack?
Without knowing the specifics, it’s difficult for me to say what more they should be doing.
However, I can say this: it’s very likely that the most common cause for ransomware infections will remain present no matter what you do.
And it applies to you as well as the service(s) you might use.
Preventing a repeat of ransomware
There is no silver bullet. If you’ve fallen victim to ransomware (or any malware), it’s important to learn from the experience and improve your defenses. Keep software up to date, run up-to-date security software, stay educated, consider physical security, and back up. While there’s no way to completely eliminate the threat, take steps to become more secure and reduce the probability of a repeat.
You are the weakest link
I say this in the kindest way possible: you are the weakest link when it comes to security.
As am I.
As are all the people working at the service you use that fell victim to ransomware.
The single most common vector for malware — including ransomware — is people. No amount of security software, updates, or restrictive policies will prevent a determined individual from opening an attachment they shouldn’t, clicking a link they shouldn’t, or doing something else that ultimately allows malicious software to enter their computer or network.
Almost every ransomware story you read in the news is likely to trace its origin back to an employee fooled by a hacker.
Backups are critical, but not everything
Don’t get me wrong; backups remain absolutely critical to recovering from malware. They’re either a (relatively) quick way to restore entire systems and infrastructure, or a safety net that ensures data is not lost should everything need to be rebuilt from scratch.
What’s depressing to me is how often companies find out too late that backups are important, or that the backup system they thought was in place failed when needed.
Nonetheless, the bottom line is simple: restoring from backups doesn’t change people’s behavior. It’s important, but it won’t prevent the same thing from happening again.
Updates are critical, but not everything
The same applies to system updates and patches.
I would expect a corporate response to a ransomware attack to look something like this:
- Disconnect machines from the network.
- Restore machine(s) from backups taken prior to the ransomware’s arrival or rebuild them from scratch as needed.
- Update all software on those machines to patch whatever vulnerability might have been exploited.
- Resume operations.
None of that “fixes” the root cause: someone accidentally doing something they shouldn’t. The bottom line remains the same: updating software doesn’t change people’s behavior.
Education is critical, but not enough
At this point, it’s easy to think that just educating everyone, particularly in the aftermath of an attack, would be the solution.
Even that’s not enough.
Education is critical, but it’ll never be perfect because people are never perfect. Mistakes will be made. It’s inevitable. I know I’ve come close to doing the wrong thing myself once or twice.
Hackers are crafty and getting craftier.
Yes, make sure that everyone knows what to look for, what to do, and what not to do. Just don’t assume you’re done. Even education may not change people’s behavior.
So what’s the solution? All of the above
As much as we want there to be a single solution that says, “Now we are safe”, there is no such thing.
There are only matters of degree.
Learn from the experience and get safer as a result. To the extent that you can, determine how the attack happened and then make sure you’re protected from that happening again.
In the case of user error, it’s often a case of “don’t do that again” education.
If you fall victim, the best way to prevent a repeat of ransomware is to learn from the experience. Once you’ve recovered, it all comes back to the usual litany of steps we keep reminding you of:
- Keep all software up to date.
- Run up-to-date security software.
- Stay educated.
- Consider physical security.
- Back up.
After a company suffers an attack, I would expect there to be renewed focus on that entire list.
15 comments on “How Do I Prevent a Repeat of Ransomware?”
A while back one of my backup servers (NAS) was hit with a ransomware attack. [Buffalo Linkstation]
Fortunately, I lost virtually nothing and restored the server from a separate NAS. However, to this day I have no idea HOW they managed to do it. Behind a firewall and NAT. Well password protected. Obvious guess would be a computer networked to the NAS, but after extensive testing no malware was ever found.
So, while it was all rebuilt, and some changes have been made (password, port, etc.), I have limited confidence that it can’t happen again. Frankly, I suspect a flaw in the NAS software, but Buffalo has never responded to my email queries, and their software has not been updated in years.
Note: I am NOT affiliated with Ask-Leo in any way other than as a newsletter subscriber.
Now, I’m no expert and I don’t know anything about your Buffalo Linkstation, but after reading your post, my first reaction was: Why don’t you look for a different solution, either by replacing the software on the affected NAS device, or by replacing the affected device itself with a newer one from a different provider that is known to issue security updates?
It also occurs to me that if the software (OS) on the affected NAS device is not proprietary, it may be based on some version of GNU/Linux. Perhaps you (or your IT team) should check the NAS Server’s OS out to see what it is (if this has not been done yet), and if the device’s OS is a GNU/Linux distribution, go get the latest release from the distribution’s website.
How you proceed is your decision, but if I were in your shoes, the facts that Buffalo has not responded to your inquiries, and that they have not updated/upgraded their software/firmware in years strongly suggests to me that a change of course is indicated.
I hope this helps (My2Cents),
I see the answer to ransomware is government involvement. The government has the resources to identify the culprit. There needs to be a law that these hackers will be hanged. I know this will upset the snowflakes. If they are in a foreign country the “spy” network has the means of seeing these people will never see another sunrise. I think this would solve over 99% of ransomware problems. All this could be done to protect National Security.
We’d be having a few hundred hangings a day. And ransomware won’t stop.
I fell victim to ransomware twice over the years. It was pretty crude so I managed to outsmart it both times though I never figured out how it got in. Unfortunately I’ve also been a victim of Microsoft Update crashing my Surface twice. Unfortunately, I didn’t recover completely from Microsoft Update. Re-install lost files not backed up. “Update security and backup” begs the question, how to defend against Update crashes?
FWIW, I back up my computer two ways here. My desktop is my primary/production machine. I sync it with OneDrive, so all my files are stored offsite (away from my home). I also use Macrium Reflect to back up my computer. I do a monthly full system backup, and a daily differential backup, stored locally on a BitLocker encrypted drive. When I encrypted the drive, one of the options I chose was a fairly long password I can use to access the drive from within the Macrium Recovery environment. Even though I will never forget the password (It is a phrase I created), I have it written down and stored in my home office safe, just in case. With this setup, even if I have to perform a fresh install of Windows, all my files will become available to me after the installation completes, assuming I use the same Microsoft Account I used prior to the fresh installation to log in.
My backup regimen guards me from Microsoft Backup crashes (although I have never suffered one as far as I know) as well as any other malady that may come my way, and even if I have/decide to replace my computer, after I log into a new one (using my same Microsoft Account), because I sync with OneDrive, all my files will be available on it.
I don’t know of any way to guard against Microsoft Update related crashes, but at least, with a good backup regimen, you can recover completely with no data loss.
What you do with this is up to you, but I hope it helps,
I’m a senior citizen in my lower seventies. I have no affiliation with any business or government entity. I use my personal computer for my own reasons (entertainment, learning, etc.). With that said, I scrupulously maintain my computer’s security by keeping it up to date and using Microsoft Defender (I think that’s the correct name today:)) antimalware (because it is rated as being one of the best antimalware solutions, it comes preinstalled with Windows, and it doesn’t hurt that it is free). I enable BitLocker encryption on all my drives, I enable Controlled Folder Access (Ransomware Protection) even though Microsoft Defender > Virus & Threat Protection told me that there was no action needed before I enabled it, and Microsoft Defender Application Guard to harden my system’s security posture, so I am confident that my PC is about as secure as it can be while remaining connected to the Internet, but these steps are only the smaller half of what I do to remain safe while connected to the Internet.
I call the largest half of my security regimen “Cognitive Security”.
These are my Cognitive Security rules:
Rule number One: “Be Skeptical! – be VERY skeptical!”
Rule number Two: “Trust nothing you view, read, or hear that originates from the Internet” (AKA: Zero Trust).
Rule number Three: “Never trust strangers. A stranger is anyone you have not met or do not know and trust in person (real life)”
Rule number Four: “Never click ANY link without knowing where it’s taking you.”
Four rules may seem simple but adhering to them may require a significant change in thinking AND behavior. Let’s dig into them a bit, and perhaps you can develop a few of your own.
Rule number One: A skeptical attitude is foreign to most people. It requires you to question EVERYTHING. That can entail a lot of work, but with a skeptical attitude, you are much less likely to get into trouble.
Rule number Two (Zero Trust): This rule builds on Rule number One and is enhanced by Rule number Three. Interpret EVERYTHING you see, read, or hear on the Internet as if it may be a potential attack vector (an attack vector is essentially a path into your computer).
Rule number Three: Always remember that everyone you ‘meet’ on the Internet is a stranger, even if they represent themselves as someone you know in real life, until you can confirm that they are really who they say they are. Remember when you were little, and your mom told you “Don’t trust strangers!” (Stranger Danger)? That was good advice then, and it is even better advice today. Everyone, including you, including me, has some sort of agenda, and what we say/do is influenced by it, so consider who the author of what you see/hear/read is as you evaluate the content (oh, and evaluate everything for yourself).
Rule number Four: All links, either on a web page, or in an email, consist of two fundamental parts, the label that you see, and the URI (Internet address) the link takes you to. Most email clients and web browsers display the URI of a link when you hover your mouse over it (I don’t surf the Internet on my phone, so I don’t know how to display the URI of a link there yet) in Windows, either in a Win-tip pop-up or on the Status Bar (bottom of the window).
For example, when I hover my mouse over the link to this article in my Ask Leo newsletter, I see:
in a pop-up Win-tip. For my purposes, the important part is “https://askleo.com/”. It tells me that the link is taking me to the Ask Leo website with a secure (encrypted) connection (https). Part of what follows directs my web browser to the destination page on the Ask Leo website (this article). The remainder informs the website that the link comes from an email newsletter dated today, 2022-02-22 (yyyy-mm-dd), but I cannot decipher the part between the article identifier (142924?) and the source data (&utm_source=). The components I have not deciphered are “awt_a, awt_l, and awt_m” so I don’t know what they reference, but after performing an Internet search, I learned that ‘awt’ stands for the Java “Abstract Window Toolkit”, and that awt_m may refer to the layout manager being used, and that awt_l may refer to the label being displayed. As for awt_a, I did not find anything about it in the very short AWT tutorial I looked at “https://www.javatpoint.com/java-awt”. You can go and read it for yourself if you want to.
For me, the bottom line is that since I trust Leo (I have read his newsletter for longer than I care to divulge here), and the link directs my web browser to the Ask Leo website, I can trust that this link is safe for me to click. I check every link before I click it because you can never know that some miscreant has not intercepted the email and altered its content. Even though I have learned to trust Leo over the years, nothing has taught me to trust the email transport system that gets the newsletter from Leo’s website to my email Inbox. I’m sorry for rambling on a bit (perhaps) too much.
awt are items added by my email service provider: AWeber. They’re what allow me to see which links are actively clicked on, and from which newsletter they came.
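Ernie’s Rule number Four and Leo’s note about the awt parameters, turned into a small checker as an added example (not code from the comments or from Ask Leo): it splits a link into scheme, host, path and query, separates the tracking keys named in the thread from anything else, and compares the destination host against a trusted-host list and against the visible label. The trusted-host set and the sample URL are constructed for the example.

```python
"""Check an e-mail link the way Rule number Four describes: split the
destination URI into scheme, host, path and query, and compare the host
against the text the reader sees. Added example; every URL here is constructed."""
from urllib.parse import parse_qs, urlsplit

# Hosts this reader has decided to trust (an assumption made for the example).
TRUSTED_HOSTS = {"askleo.com"}
# Query keys the thread identifies as newsletter tracking, not navigation.
TRACKING_KEYS = {"utm_source", "utm_medium", "utm_campaign", "awt_a", "awt_l", "awt_m"}
# Constructed sample of a newsletter-style link as it might appear in a hover tip.
SAMPLE_HREF = ("https://askleo.com/how-do-i-prevent-a-repeat-of-ransomware/"
               "?awt_a=x&awt_l=y&awt_m=z&utm_source=newsletter&utm_medium=email")


def under(host: str, parent: str) -> bool:
    """True if host equals parent or is a subdomain of it. A plain substring
    test would also accept lookalikes such as askleo.com.example."""
    host, parent = host.lower().rstrip("."), parent.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)


def inspect_link(label: str, href: str) -> dict:
    """Return the pieces a careful reader checks before clicking."""
    parts = urlsplit(href)
    host = parts.hostname or ""            # hostname drops any user@ and :port
    query = parse_qs(parts.query)
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if not any(under(host, t) for t in TRUSTED_HOSTS):
        findings.append("host not trusted")
    if parts.username is not None:
        findings.append("text before @ is not the host")
    # If the visible label itself looks like an address, its host must match.
    label = label.strip()
    if "." in label and " " not in label:
        label_host = urlsplit(label if "://" in label else "//" + label).hostname or ""
        if not (under(label_host, host) or under(host, label_host)):
            findings.append("label host differs from destination host")
    return {
        "scheme": parts.scheme, "host": host, "path": parts.path,
        "tracking": sorted(k for k in query if k in TRACKING_KEYS),
        "other_params": sorted(k for k in query if k not in TRACKING_KEYS),
        "safe_to_click": not findings, "findings": findings,
    }


if __name__ == "__main__":
    for key, value in inspect_link("How Do I Prevent a Repeat of Ransomware?", SAMPLE_HREF).items():
        print(f"{key}: {value}")
```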
Excellent advice Ernie. Perhaps we septuagenarians have turned skepticism into a way of life. It got us here safely to our seventies so it has merit and has served us well. I agree with everything you suggested and now follow the same rules. In my younger day (well, relatively anyway – I was 55), I got hit with a rootkit, and that really woke me up.
The other thing I do, which I imagine you also do, is clone my hard drive (SSD) weekly and store it offline. I do a second SSD now too, because in the old days I used spinning HDDs and discovered to my dread that HDDs don’t store well, so even though I’m 100% SSD now, the habit has stuck. Can’t be too careful. The sharks are getting bigger.
After my brother lost his computer due to ransomware, I convinced him to dual boot Windows and Linux Mint so that he could use Linux for Internet activity. The Internet is where most people spend most of their time. Windows malware cannot see Linux. It’s a different file system. He uses the same browser that he used in Windows so no learning curve. That doesn’t mean my brother is bullet proof. He still has to practice safe computing; but Linux is relatively safer than Windows. It might sound like a clunky solution, but with practice it works well. Add Macrium full system backups for good protection.
I recently changed credit card and was updating credit card data on several shopping sites. After entering new credit card on first site, my computer offered to auto-enter credit card data on next sites. This worries me!!! It means my computer has stored my credit card data without asking for permission, and someone may be able to get it. WHAT CAN I DO TO PREVENT MY COMPUTER FROM STORING SUCH INFO, AND HOW I CLEAN THE INFO ALREADY STORED?
Which browser are you using? It’s best to block your browser from saving passwords, credit card numbers, or any financial information. It’s safer to use a password manager for that. LastPass can save encrypted credit card information.
Is It Safe to Let Your Browser Remember Passwords?
This article from Major Geeks explains how to remove saved passwords from popular browsers.
How to Remove or Edit Saved Credit Card Information in Chrome, Firefox, IE, and Edge
Firefox, Windows 10.
The Major Geeks article I linked to explains how to block and remove stored passwords and credit card data from Firefox.
Check the settings for whatever web browser you’re using. It’s the browser that does this, and they all have options to turn off and clear the information.