Is it ever appropriate to hack the hacker who hacked you? That is, is it ever right to hack back in retaliation? I’ll leave that question up to you but technically it is still illegal. However, in one case a victim-turned-vigilante not only served their own justice, but also shared some love with the impacted community as well.
On October 10, 2019, HackRead released a story about a fellow named Tobias who was infected with the Muhstik ransomware. This is a variant that targets network attached storage (NAS) devices, such as QNAP units. After paying the ransom of 670 euros ($738.73 USD), Tobias took it upon himself to follow the breadcrumbs back to the command and control server. There Tobias was able to gather the decryption keys and built a decryptor tool. Users simply have to check the ID in their ransom note against Tobias’ key dump, then feed the corresponding decryption key to the decryptor software.
One thing to note is that the decryptor only supports NAS units with Intel-based processors, not ARM-based ones. A work-around was to back up the encrypted files onto an external drive and run the decryptor on an Ubuntu system. Many users have reported successful decryption using the provided tools.
Key Takeaways
There is an easy way to limit the damage of a ransomware attack: keep multiple sets of backups. NAS devices are not backups; they’re simply storage pools holding data that offer convenient ways of accessing and managing that data. That’s not enough. It is vital to have additional backups, either to the Cloud or, preferably, offline. Yes, offline backups. They are manually intensive, so to speak, in that you must plug in external drives, run the backup, then remove the external drives. As convenient as automated backups are, malware can oftentimes detect these attached destinations and spread onto them as well. A good old manual backup, on a regular schedule, will help ensure you have the latest copy of your data ready to go in a time like this. It’s wise to rotate between multiple external drives at that!
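As an added example (not code from the original post), the script below implements the manual routine described above: it rotates snapshots across several plugged-in external drives, writes a SHA-256 manifest with each snapshot, and verifies a snapshot before you restore from it, so a copy that malware reached and encrypted is noticed. The drive paths and directory layout are assumptions.

```python
"""Rotating offline backups with an integrity manifest (illustrative example)."""
import hashlib
import shutil
from pathlib import Path
from typing import List

MANIFEST = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pick_drive(drives: List[Path]) -> Path:
    """Rotate: choose the drive whose newest snapshot is oldest (or that has none).
    Snapshot directory names are timestamps, so they sort lexicographically."""
    def newest(drive: Path) -> str:
        names = sorted(p.name for p in drive.iterdir() if p.is_dir())
        return names[-1] if names else ""
    return min(drives, key=newest)


def offline_backup(src: Path, drives: List[Path], stamp: str) -> Path:
    """Copy src into <drive>/<stamp>/data and record a manifest of every file."""
    snap = pick_drive(drives) / stamp
    shutil.copytree(src, snap / "data")
    lines = []
    for p in sorted((snap / "data").rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(snap).as_posix()}")
    (snap / MANIFEST).write_text("\n".join(lines) + "\n")
    return snap


def verify_snapshot(snap: Path) -> List[str]:
    """Return relative paths that are missing or no longer match the manifest.
    An empty list means the snapshot is intact and safe to restore from."""
    bad = []
    for line in (snap / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        p = snap / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad
```

Run the backup with a fresh timestamp each time a drive is plugged in, then verify the snapshot before unplugging, and again before any restore.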
Domenic says
Have offline backup capacities kept up with current hard drive/NAS capacities?
Are repository backups such as offered by BorgBackup vulnerable to ransomware?
If your cloud storage is attached to an infected machine is that cloud not vulnerable?
Emil Hozan says
Hello Domenic,
Thank you for reading and engaging with this post! I also appreciate the great follow up questions! Allow me to expand on them:
Regarding the offline capacity size.
Let’s look at it like this: if your company were to be hit with ransomware, at a bare minimum, what critical data would you need to try and rebuild from? To clarify what I mean by “critical data,” if you didn’t have this critical data backed up and couldn’t afford the ransom it’d put you out of business. How large of a capacity is that data? This needs to be backed up at least twice; one online in the Cloud or elsewhere, and another offline.
If at this point you realize that your critical data is so large in capacity that you couldn’t possibly replicate it identically at least two times, then I’d strongly suggest looking into a plan for this.
On the other side, if your critical data isn’t too large and could back it up at least two times, would backing up more data be too much of a burden on your company? The “more data” comes from backing up additional data that would ease the rebuilding process. To be clear, I’d imagine rebuilding from minimal data isn’t as easy as rebuilding when you have more data already backed up and only need to adjust a few things.
Moving on to BorgBackup.
First of all, wow, that’s an interesting tool that I wasn’t aware of! I briefly looked into it and liked what I saw. Backup deduplication is a great way to maximize what actually gets backed up without storing multiple, duplicate copies of data. That space adds up quickly, so using a backup option like this is a great idea! Thanks for bringing this to my attention and other readers.
About it being vulnerable, really anything is vulnerable, right? Personally, I believe there are many vulnerabilities yet to be found, and at the very least yet to be disclosed. This is why I believe in backing up to multiple locations. That’s not to say that Borg couldn’t help either! This also ties into realizing nothing is 100% error-free and why layered security is the way to go.
The same really applies to your chosen Cloud option.
How is the backup configured, what measures are involved to ensure backups stay clean on your part, does the Cloud provider offer any sort of protection, etc. One additional applicable saying is: don’t leave all your eggs in one basket.
All in all, great questions. I hope this helped somewhat.
Regards,
Emil Hozan