Secplicity - Security Simplified

Powered by WatchGuard Technologies

You Hack Me, I Hack You

October 14, 2019 By Emil Hozan

Is it ever appropriate to hack the hacker who hacked you? That is, is it ever right to hack back in retaliation? I’ll leave that question up to you, but technically it is still illegal. However, in one case a victim-turned-vigilante not only served their own justice, but also shared some love with the impacted community.

On October 10, 2019, HackRead published a story about a fellow named Tobias who was infected with the Muhstik ransomware, a variant that targets network attached storage (NAS) devices such as QNAP. After paying the ransom of 670 euros ($738.73 USD), Tobias took it upon himself to follow the breadcrumbs back to the command and control server. There he was able to gather the decryption keys and build a decryptor tool. Victims simply check the ID in their ransom note against Tobias’ key dump, then use the corresponding decryption key with the decryptor software.

One thing to note is that the fix targets NAS units with Intel-based processors, not ARM-based ones. A workaround is to back up the encrypted files onto an external drive and run the decryptor from an Ubuntu system. Many users have reported successful decryption with the provided tools.

Key Takeaways

There is an easy way to avoid the worst of a ransomware attack: have multiple sets of backups. NAS devices are not backups; they are simply storage pools holding data that offer convenient ways of accessing and managing that data. That is not enough. It is vital to have additional backups, either in the Cloud or, better still, offline. Yes, offline backups. They are manually intensive, so to speak, in that you must plug in the external drives, run the backup, then remove the drives. As convenient as automated backups are, malware can oftentimes detect attached backup targets and spread onto them as well. A good old manual backup, on a regular schedule, will help ensure you have a recent copy of your data ready to go in a time like this. It’s wise to use multiple external drives at that!
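The takeaway above stops at "plug in the drive, run the backup, remove the drive." The script below is an added example (mine, not the post's or WatchGuard's) of what that manual run should do so that a backup taken after the NAS has already been encrypted does not silently replace the last good copy: it writes each run into a new numbered generation on the drive, re-hashes the copy to verify it, keeps the newest few generations, and refuses to run if most files changed since the last generation or ransomware-style extensions appeared. The paths, the extension list and the 50% threshold are constructed assumptions for the demo, not values from the article; the demo data is generated in a temporary directory.

```python
"""Manual offline backup with generation rotation and a mass-change guard.

Added example, not code from the post. Assumptions (constructed for illustration):
the external drive is already mounted and passed in as `drive`, the NAS share is
passed in as `source`, and the extension list and threshold are tuning knobs.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample list of extensions that mass-renaming ransomware commonly appends.
SUSPECT_EXTENSIONS = {".encrypted", ".locked", ".crypt"}
# If more than this fraction of previously backed-up files changed since the last
# generation, refuse to run: the source may already be encrypted.
MAX_CHANGED_FRACTION = 0.5


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def looks_mass_modified(previous: dict, current: dict) -> bool:
    """Heuristic guard: suspect extensions appeared, or most known files changed."""
    if any(Path(name).suffix.lower() in SUSPECT_EXTENSIONS for name in current):
        return True
    if not previous:
        return False  # first backup: nothing to compare against
    changed = sum(1 for name, digest in previous.items() if current.get(name) != digest)
    return changed / len(previous) > MAX_CHANGED_FRACTION


def generations(drive: Path) -> list:
    """Existing generation directories, oldest first (zero-padded names sort lexically)."""
    return sorted(p for p in drive.glob("backup-*") if p.is_dir())


def latest_manifest(drive: Path) -> dict:
    gens = generations(drive)
    if not gens:
        return {}
    return json.loads((gens[-1] / "manifest.json").read_text())


def run_backup(source: Path, drive: Path, keep: int = 3) -> Path:
    """Copy source into a new generation on the drive, verify it, prune old ones.

    Returns the new generation directory. Raises RuntimeError (leaving previous
    generations untouched) if the guard trips or verification fails.
    """
    current = build_manifest(source)
    if looks_mass_modified(latest_manifest(drive), current):
        raise RuntimeError("source looks mass-modified; refusing to overwrite last good backup")
    gens = generations(drive)
    number = int(gens[-1].name.split("-")[1]) + 1 if gens else 1
    dest = drive / f"backup-{number:04d}"
    shutil.copytree(source, dest / "data")
    # Re-hash the copy: a silent write error would otherwise surface only at restore time.
    if build_manifest(dest / "data") != current:
        shutil.rmtree(dest)
        raise RuntimeError("verification failed; copy discarded")
    (dest / "manifest.json").write_text(json.dumps(current, sort_keys=True))
    for old in generations(drive)[:-keep]:
        shutil.rmtree(old)  # keep only the newest `keep` generations
    return dest


def demo() -> dict:
    """Walk through a healthy backup, then a simulated infection, on constructed data."""
    with tempfile.TemporaryDirectory() as tmp:
        source, drive = Path(tmp) / "nas", Path(tmp) / "usb"
        source.mkdir()
        drive.mkdir()
        for name in ("a.txt", "b.txt", "c.txt", "d.txt"):
            (source / name).write_text(f"contents of {name}")
        first = run_backup(source, drive).name
        (source / "a.txt").write_text("edited")  # one routine edit: allowed
        second = run_backup(source, drive).name
        for path in list(source.glob("*.txt")):  # simulate mass encryption plus rename
            path.write_bytes(os.urandom(32))
            path.rename(path.with_name(path.name + ".locked"))
        try:
            run_backup(source, drive)
            blocked = False
        except RuntimeError:
            blocked = True
        surviving = [g.name for g in generations(drive)]
        restored = (drive / second / "data" / "b.txt").read_text()
        return {"first": first, "second": second, "blocked": blocked,
                "surviving": surviving, "restored_b": restored}


if __name__ == "__main__":
    print(demo())
```

The guard is deliberately simple: a change-fraction threshold will also trip on a legitimate bulk reorganisation, which is the right failure mode for an offline drive, since the operator is present and can inspect the source before forcing the run. The generation directories are plain copies, so a restore needs no special tooling beyond mounting the drive.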

Filed Under: Editorial Articles Tagged With: hacking hackers, ransomware

Comments

  1. Domenic says

    October 15, 2019 at 12:02 pm

    Have offline backup capacities kept up with current hard drive/NAS capacities?

    Are repository backups such as offered by BorgBackup vulnerable to ransomware?

    If your cloud storage is attached to an infected machine is that cloud not vulnerable?

    Reply
    • Emil Hozan says

      October 17, 2019 at 10:34 am

      Hello Domenic,

      Thank you for reading and engaging with this post! I also appreciate the great follow-up questions! Allow me to expand on them:

      Regarding the offline capacity size.
      Let’s look at it like this: if your company were to be hit with ransomware, at a bare minimum, what critical data would you need to try and rebuild from? To clarify what I mean by “critical data,” if you didn’t have this critical data backed up and couldn’t afford the ransom, it’d put you out of business. How large of a capacity is that data? This needs to be backed up at least twice; once online in the Cloud or elsewhere, and once offline.
      If at this point you realize that your critical data is so large in capacity that you couldn’t possibly replicate it identically at least two times, then I’d strongly suggest looking into a plan for this.
      On the other side, if your critical data isn’t too large and you could back it up at least two times, would backing up more data be too much of a burden on your company? The “more data” comes from backing up additional data that would ease the rebuilding process. To be clear, I’d imagine rebuilding from minimal data isn’t as easy as rebuilding when you have more data already backed up and only need to adjust a few things.

      Moving on to BorgBackup.
      First of all, wow, that’s an interesting tool that I wasn’t aware of! I briefly looked into it and liked what I saw. Backup deduplication is a great way to maximize what actually gets backed up without storing multiple, duplicate copies of data. That space adds up quickly, so using a backup option like this is a great idea! Thanks for bringing this to my attention and other readers.
      About it being vulnerable, really anything is vulnerable, right? Personally, I believe there are many vulnerabilities yet to be found, and at the very least yet to be disclosed. This is why I believe in backing up to multiple locations. That’s not to say that Borg couldn’t help either! This also ties into realizing nothing is 100% error-free and why layered security is the way to go.

      The same really applies to your chosen Cloud option.
      How is the backup configured, what measures are involved to ensure backups stay clean on your part, does the Cloud provider offer any sort of protection, etc. One additional applicatory saying is: don’t leave all your eggs in one basket.

      All in all, great questions. I hope this helped somewhat.

      Regards,
      Emil Hozan

      Reply
