PC Pro

STEVE CASSIDY

Steve provides advice on how to fight the invisible ransomware war, before blasting his way through a friend’s folder full of locked files

- cassidy@well.com

The big problem with this war is that it’s invisible. Cybersecurity has rushed to the centre of the stage in 2021, but you have to look for peripheral signs that obliquely point to it. Take my email inbox. A third of the press releases sent to me are rather unsavoury attempts to gain coverage for some security product or service, by claiming that someone else’s disaster could have been averted or better cleaned up if they had bought in to the latest smart security product.

I don’t buy into the premise behind these releases. I’m expected to believe that, by stumbling into a hosting relationship with some marginally competent cloud providers, a global business would be protected by the right security product mix, and that it could then delegate any responsibility for the intrusion, encryption and destruction that would follow from a major attack? Please.

Global businesses can take advice from many sources, spend money in many different ways, rely on radically different types of defence. Unfortunately, they still have to hire and work with human beings. When they parade through the world’s peanut galleries because someone claims to have copies of some of their business data, it’s almost certain that the actions of the workers will have contained the opening through which the bad guys got their prize. The chief information security officer in a big brand-name enterprise won’t be found in the server or switch rooms: they’re more likely to be in the staff canteen, trying to spot the loud-but-misguided types who think that they’re employed by a ship of fools who merely lack their pearls of wisdom to plug every hole and fix every bug.

It’s not just the shop floor that ought to be on a CISO’s checklist, though. It looks like 2021 is the year when the politicians arrive. One of the press releases in my inbox announces the launch of the EU’s Joint Cyber Unit. I don’t expect to see effective measures come from this institution any time before we put a human on Mars, but its creation is an indication of the growing idea that many attacks we see are transnational and often cut off from any law enforcement purview or responses.

I may not be completely au fait with every twist and turn of inter-EU relationships, but I’m reasonably sure that when a Belgian hacker collective attacks a coffee importer in Vienna, it takes quite a lot of cajoling and persuading before the Belgian police will agree that they have a duty to assist in the investigation. The Joint Cyber Unit is designed to get over those local reluctances – and they are the major stumbling block that I had expected to find, based on the various meetings I’ve attended.

“What, you, Steve, are invited to anti-ransomware meetings?” Yes, even me. This isn’t grounds for false modesty; it’s an indication that the wider PC Pro community does turn out to matter a lot here. We – readers, writers, subscribers, podcasters – are good friends to have during a ransomware attack. The EU task force is being put together specifically to handle the stage that none of the software products can properly address: that period of remediation, when the line of communication between the IT room and the boardroom stays open and the really impactful and expertise-driven decisions happen at warp speed. This is when real sources and real trusted contributions are called in to help. And that’s us.

It’s okay, I’m not about to start PC Pro Consulting Limited. I’m trying to point out that the ball is in our court. It’s not something that needs vast workforces, or coders: having a resilient plan that includes what you are going to do after the ransomware crew have been cut off from access to your servers isn’t something that requires a huge army of IT workers. Instead, it requires the properly skilled and experienced diagnostician to make the right call over some strange behaviour of the entire network, or to make the short phone call that signs up the company domains to the Cloudflare traffic management service portfolio. Knowing that Cloudflare has the easiest onboarding procedure is one of those simple bits of knowledge that makes all the difference in those dark hours of the post-ransom recovery process: and it’s our place as collectors of such isolated snippets that makes us so valuable in the ransomware recovery process.

Understanding how your own employer will react when the ransom attack comes is going to get more important. If you haven’t thought about keeping your work-in-progress on a keyring USB flash drive before, then a bit of what-iffing at the next company meeting need not take up a lot of time, and it provides the most basic of recovery options. The drive only helps if it is unplugged between copies, since ransomware encrypts whatever is mounted at the time, and it should itself be encrypted, because keyrings get lost. I know the objectors will say that this isn’t something that one can keep up forever. But, from the government meetings I’ve attended about ransomware, it seems pretty clear that we will get “threat assessments”, with periods of higher risk during nation-state spats and lower risk periods when those USB keys can be tidied up and readied for the next rising risk alert.

Looking across this picture, and thinking too about the grass-roots behaviour I’ve described in the “Stop the lock” section below, makes this sound like a very low-tech response to a large scale, highly sophisticated threat. I agree that it’s a little disconcerting to remark that the subject isn’t being addressed by some beneficent AI app that you can leave on your network like a rottweiler in the car park. But that, in my opinion, is the reality. We are in a period of low-tech solutions, and human habits and procedures are the best response we have.

Stop the lock

Getting users to agree on what the problem is with their PC has been a perennial bugbear for IT types. Back in the 1990s, when computing could still be thought of as a hobby, we’d all swap our favourite war stories of users with strange ideas about what goes on inside their machines.

A quick track-seek across the 4D fabric of the universe and here we are in the early 2020s. While the status of “computing” in people’s lives has changed enormously, there’s still the same old brain structures, the same psychology and the same wetware using the kit. That means I still get plaintive calls and emails from people telling me in great detail about how extremely important it is that they get their documents back, and then maybe four lines of description of the actual problem.

Everyone seems to be in agreement that lockdown has made this effect worse, whilst adding new and unexpected challenges that on the surface have nothing at all to do with the technology. Venting wider frustrations at the IT guy is a trap for both the IT guy and the supplicant user – but being under the stress of lockdown makes it more likely that this will happen. (Is it bad of me to consider those who have no spare computer at home to be somewhat eccentric in 2021?)

For me, the strangest part of dealing with those obliged to work from home on their personal equipment is the apparent need to predict and own the eventual cause of their woes. “It’s always been a bit slow on this rubbish memory,” they say, or “yes, I borrowed the idea of four antivirus products installed together from an article on security chaining, you know” (that last one took hours to explain, because the poor chap didn’t understand that the “chain” is a literal physical collection of PCs, each one specialising in one detector package and the data flowing through the whole chain). That guy’s mistaken assertion was founded on a basic truth about our personal computers: one that hasn’t changed since Windows for Workgroups, or even before that.

It’s all about the locking.

I was reminded of this incident by another plaintiff suffering from unintended outcomes as a Microsoft 365 user. 365 now installs (and is installed by) a service called Office Click-to-Run, a noble idea scuppered by a 30-year-old simple truth. That being, it doesn’t matter how fast your PC is if your apps and operating system keep locking you out of accessing a file.

A lock, for those who never struggled with dBase or Novell servers, is a marker kept by the operating system or file server that restricts access to a file or folder on behalf of whoever currently has it open, whether that is a process on the same PC or, in the Novell days, another workstation on the network. Files have owners, and even access control lists (ACLs), but they also become effectively temporarily “owned” by other entities – processes, apps, other computers and so on. Being able to issue a lock on a file is a central part of the ability of ransomware to exert any power over anybody: it’s using the operating system against the owner and their data. Locks are made fractionally easier to handle by high-performance PCs and storage, but only the most entrenched fool would try to claim that this made the problem of locking somehow solved.

So, my unhappy user had a very slow computer. An all-in-one machine from Lenovo, with a 1TB SSD and an Intel Core i5 processor, plus a small selection of freebie trial copies of software that the 1990s retail computing buyer would have had no trouble recognising: McAfee Internet Security, several app store utilities, and a brand-new copy of Office. It ran like an absolute dog.

One would be forgiven for observing just how little had changed over the decades when it comes to startup delays, app launch malaise and outright inaccessib­ility of a whole lot of parts of the OS and the data.

The surface culprit was McAfee – or at least, once I figured out that there was a licensed, downloaded and different antivirus product also installed, I was able to show that McAfee was in a curious, half-active “end of demo” configuration. Icon still in the taskbar, but everything’s allegedly turned off because the free trial period had expired. I assume that someone inside the Windows dev team is very pleased with the work that permits more than one security product to be mostly active most of the time. The bit I have trouble with is the insistence on a dirty departure: if your licence runs out, your machine will be prone to slowing down and the culprit software won’t make its contribution at all obvious.

This develops teeth once Office and Click-to-Run are added to the mix. I found thousands of files in \Windows\Temp, all with Click-to-Run names and only the last few actually in use by the Click-to-Run service. Whatever bit of code was responsible for writing those files (mostly logs) didn’t cope well with temporary folders containing large numbers of earlier files; it’s as if the code wanted to finger-count its way through to the most recent logfile. Stop the service, nuke the contents of the directory, and a miracle is declared.
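As an added example (my code, not anything from the column or from Microsoft), here is the diagnose-and-clear routine the paragraph above describes, written for an elevated PowerShell session. The service name ClickToRunSvc, the folder and the file-name filter are assumptions drawn from the column’s description of a typical Microsoft 365 install; confirm them with Get-Service and Get-ChildItem on the machine in front of you before deleting anything. The locked check is exactly what the column means by a lock: it asks the OS for an exclusive open and treats a sharing violation as “somebody still has this file”.

```powershell
# Added example, not from the column or from Microsoft. Run in an elevated PowerShell.
# Assumptions (verify on your own machine): the Click-to-Run service is ClickToRunSvc,
# and its stale files live under $env:windir\Temp with "Click" somewhere in the name.

function Test-FileLocked {
    # $true if another process holds the file open: asking for an exclusive open
    # (FileShare None) fails with a sharing violation, which surfaces as an IOException.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $stream = [System.IO.FileStream]::new($Path,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::None)
        $stream.Dispose()
        return $false
    } catch [System.IO.FileNotFoundException] {
        return $false      # vanished between listing and testing: nothing to hold
    } catch [System.IO.IOException] {
        return $true       # sharing violation: temporarily "owned" by someone else
    }
}

function Get-ClickToRunTempFiles {
    param(
        [string]$Folder = (Join-Path $env:windir 'Temp'),
        [string]$Filter = '*Click*'   # assumption: adjust to the names you actually see
    )
    Get-ChildItem -LiteralPath $Folder -File -Filter $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                KB     = [math]::Round($_.Length / 1KB, 1)
                Age    = (Get-Date) - $_.LastWriteTime
                Locked = Test-FileLocked -Path $_.FullName
            }
        }
}

function Clear-ClickToRunTemp {
    # Stops the service, removes every matching file that nothing holds open, then
    # restarts the service. -WhatIf lists what would go without deleting anything.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ServiceName = 'ClickToRunSvc')

    $before = @(Get-ClickToRunTempFiles)
    Write-Host ("{0} files found, {1} held open" -f $before.Count, @($before | Where-Object Locked).Count)

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $wasRunning = $svc -and $svc.Status -eq 'Running'
    if ($wasRunning) { Stop-Service -Name $ServiceName -Force }
    try {
        # Re-test after the stop: files the service itself was holding are now free
        foreach ($f in Get-ClickToRunTempFiles) {
            if ($f.Locked) { Write-Warning "still held open, skipping: $($f.Path)"; continue }
            if ($PSCmdlet.ShouldProcess($f.Path, 'Remove-Item')) {
                Remove-Item -LiteralPath $f.Path -Force
            }
        }
    } finally {
        if ($wasRunning) { Start-Service -Name $ServiceName }
    }
    Write-Host ("{0} files remain" -f @(Get-ClickToRunTempFiles).Count)
}

# Usage:
#   Get-ClickToRunTempFiles | Sort-Object Locked -Descending | Format-Table
#   Clear-ClickToRunTemp -WhatIf    # dry run first
#   Clear-ClickToRunTemp
```

The point of the lock test is that it is the same question the OS asks on every open; a file that reports Locked after the service has been stopped is held by something else, and that is the one to look at before deleting anything more.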

The problem under the hood here is that none of the active parts of the operating system believe there could ever be anything as stupid as a directory that contains thousands of useless files, held locked by an antivirus product that tells you it’s been deactivated. So, when that directory needs to be accessed, written to, saved and closed again, the OS isn’t using a “defensive” access method. Those who were taught programming at school will remember the excitement of following a file-access example coding exercise: even humble old green-screen BASIC would quickly teach a painful and irritating lesson about the sheer inefficiency available in picking up basic, everyday ideas like reading from and writing to files. Doing it in interpreted loops was possible, of course, but excruciatingly slow. And those lessons still apply today. The same goof-up coding your file access will have the very same effect on a brand spanking new, solid-state Lenovo as it does on an IBM PC at 4.77MHz with floppy disk storage.

Explaining this problem to my friend took a long time. She found it incredible that any modern-day function would be guarded by a half-century history of different ways of doing the same job, and being one of those people who can’t leave a matter alone until all the relevant angles have been explored and pain shared, I had enough time to actually empty the offending folder. And fully remove McAfee, and disable Click-to-Run services, and blow past the various warnings telling me I had no permissions in this or that folder, because I most certainly did, at least for the purposes of deleting a load of chuff.

To understand the causes of unhappiness in most home computer users, one has to be completely clear about the nature of something called “emergent behaviour”. Just because the person who coded the Click-to-Run directory access didn’t think about the almost open warfare environment common on home and SME marketplace delivery configurations, does not mean they “wanted” their code to run slow or that it “sells better hardware this way” (this type of slow iteration in file access results in speeds staying about the same no matter the spec of machine). It means that the faulty behaviour only becomes apparent once two or three other contributory factors are also present.
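To show why that slow iteration is indifferent to the hardware, here is an added model (mine, not the column’s, and not Click-to-Run’s actual code, which the column only describes as behaving “as if” it walked the directory). It writes a run of small log files two ways: one writer lists the whole folder before every write to find the newest file, the other lists once and remembers. The temp folder, file names and counts are invented for the demonstration.

```powershell
# Added example: a model of the "finger-count" log writer the column hypothesises,
# not the real Click-to-Run code. Creates a fresh temp folder, optionally pre-fills it
# with stale files, then writes $Count new files and reports how much work that took.

function Measure-LogWriter {
    param(
        [int]$Count = 2000,
        [int]$StaleFiles = 0,       # old files already sitting in the folder
        [switch]$RescanEveryTime    # the goof-up: list the whole folder before each write
    )
    $dir = Join-Path ([System.IO.Path]::GetTempPath()) ('finger-count-' + [guid]::NewGuid())
    $null = New-Item -ItemType Directory -Path $dir
    for ($s = 0; $s -lt $StaleFiles; $s++) {
        [System.IO.File]::WriteAllText((Join-Path $dir ('archive-{0:D6}.txt' -f $s)), "old`n")
    }
    $entriesExamined = 0
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $newest = $null
        for ($i = 0; $i -lt $Count; $i++) {
            if ($RescanEveryTime -or $null -eq $newest) {
                # Walk every entry to find the most recent log: this is the cost that
                # grows with the number of files, not with the speed of the disk
                $all = [System.IO.Directory]::GetFiles($dir)
                $entriesExamined += $all.Count
                if ($all.Count -gt 0) { [Array]::Sort($all); $newest = $all[-1] }
            }
            # "Append to the newest log" is modelled as writing the next file and remembering it
            $path = Join-Path $dir ('log-{0:D6}.txt' -f $i)
            [System.IO.File]::WriteAllText($path, "entry $i`n")
            $newest = $path
        }
    } finally {
        Remove-Item -LiteralPath $dir -Recurse -Force
    }
    [pscustomobject]@{
        Files           = $Count
        Stale           = $StaleFiles
        EntriesExamined = $entriesExamined   # rescan: Count*Stale + Count*(Count-1)/2; sensible: Stale
        Milliseconds    = $clock.ElapsedMilliseconds
    }
}

# Usage: run the pairs below and compare EntriesExamined and Milliseconds. Doubling the
# file count roughly quadruples the rescanning writer's work; a folder pre-filled with
# thousands of stale files makes even a short run of writes expensive.
#   Measure-LogWriter -Count 2000
#   Measure-LogWriter -Count 2000 -RescanEveryTime
#   Measure-LogWriter -Count 4000 -RescanEveryTime
#   Measure-LogWriter -Count 200 -StaleFiles 5000 -RescanEveryTime
```

The last line is the column’s scenario: a few hundred useful writes into a folder already holding thousands of leftovers. The sensible writer touches the stale entries once; the rescanning one touches all of them on every write, which is why clearing the folder felt like a miracle and a faster SSD did not.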

The locking behaviour gets more attention under a security heading, I think unfairly. Maybe because “locked” takes on a whole new drama and impact when it’s not you who did the locking – and there’s always the powerful impulse in security circles to over-dramatise the problem. There used to be utilities that let you see locks being issued and released, but these days there has been a bit of a jargon overlap, with the result that searching for a “lock utility” shows you zillions of pages of little apps that purport to protect your files by hiding and locking them, preventing access to those who don’t know which app was used or don’t have the right password(s). The last thing most people need is to browse through the locks flooding their OS, let alone delete them. So don’t be tempted.

BELOW The EU’s new Joint Cyber Unit aims to tackle the threat of transnational attacks
@stardotpro Steve is a consultant who specialises in networks, cloud and human resources
ABOVE A humble USB flash drive can be a life-saver if the worst comes to the worst
ABOVE It was as if the Core i5 Lenovo all-in-one was running through porridge
BELOW You have to understand emergent behaviour to get to the bottom of users’ woes
