Ransomware, should you pay or not?

Imagine you are working on your computer and suddenly it is locked. A message appears telling you unless you pay a ransom, your data will be leaked, or you are accused of having been involved in illegal acts.

The rise of ransomware is no surprise as it is easier for an attacker to execute and obtain money in comparison to other cyber attacks. Details on how to attack with ransomware might be released via RaaS (Ransomware as a Service) which enables even low skilled cyber thieves to launch ransomware attacks. Ransomware and associated money transfers are harder to trace for banks and law enforcement and Bitcoin has also helped making the money transfer less traceable.

Ransomware gets on your computer by several methods, downloading of attachments, social media apps and exposed web servers. How do you react if affected?

No easy decision. If you pay, you support crime. If you don’t pay, you get exposed or lose your data, it can even destroy your business. It’s easy to tell others not to pay, it is very different when you are the victim.

Be proactive and prepared! Here are some tips that can help minimize the problem and get you back on your feet quickly:

picture_disk_backupSimply do your backups!

  • Do your backups! Regularly, make it a habit! Really do it!
  • Upon an attack, immediately detach an attacked computer from the network.
  • Have multiple backups: Backup the whole machine, backup the project directory, backup the desktop, backup the home directories.
  • Retrieving from a dedicated project backup is much easier then retrieving a complete backup. However, in case of a ransom attack you will need the complete backup.
  • Keep your backups offline, and preferably offsite.
  • Have you ever simulated retrieving information from backup? Go through the pain once, while you are not nervous, pressed for time, or under stress to lose data. An unusual situation is easily a source of operator error and you might lose the backup as well.
  • One more step you can take for your protection, especially if you are a home-user and don’t have a second computer to do research after your computer is attacked:
    • Buy or reuse a cheap second disk (available under $50). Swap disks, install a working operating system or backup onto that extra disk. Check that it really works, and swap disks again. Now, if your computer later is hacked, you can swap disks a third time, put the cheap disk into your computer and have a working system to really browse for solutions to the problem. While your attacked main disk is safely removed, no further damage happens during browsing. Once you are calmed down, have done your research, and you know what you are doing next, you can mount both disks and treat the damaged main disk as a data disk and fix it while it is not running as main disk.
  • You should file a report with the FBI (

One might compare ransom demands with “protection” money paid to organized crime. Today, this is not true anymore.  “Protection-money” used to be for the local crime organization. When another crime organization entered a local area it used to result in crime wars. Victims had to pay the “protection fee” just to one, the local, organization.

Ransomware is different. It is global. Just because you paid your ransom to today’s hacker will not prevent any other hackers to unleash their own ransom malware onto you again tomorrow.

Here is a list of recent ransomware attacks (that have been exposed):

appeared in the first quarter of 2016. Interestingly enough, it excludes computers from ‘typical’ hacker countries. It also infects all connected networks and even makes the computer speak to you.

Simple Locker
is an Android ransomware and blocks access to your device, and is a copycat of Cryptolocker.

infected computers in healthcare facilities and hospitals in the United States, New Zealand, and Germany in 2016 by encrypting certain file types. It affects files not only on the main drive but also scans and infects all accessible network shares.

appeared in the last quarter of 2015, and compromised the networks of healthcare facilities in 2016.

threatens victims with arrest if they don’t pay up.

affected more than 500,000 users in 2013/14. Supposedly only 1.3% paid the ransom. Luckily, the decryption keys were made public for all other victims (source BBC).

What if…

Copyrigt FOX

What if Great Britain, Germany, Italy, Sweden,…  had WHS tamper-proofing technology?
Would the US be prevented from spying?  We are not in the business of getting our military technology by copy-cat and espionage of our allies, I hope. They need to prevent their secrets from leaking, both to their and to our enemies. However, any others who spy on the above countries would have less success if WHS technology would be in place.

What if China had our tamper-proofing technology?
Would we be prevented from spying?  Maybe.  I doubt that puts us back a lot, I think our technology is ahead.  It may put back some other countries. China may have slightly less motivation to speed up the arms race.  Good for the Chinese people, good for us.

What if Russia had our tamper-proofing technology?
Would we be prevented from spying?  Could be.  A small price to pay for other countries spying on Russia having a harder job. Russia may have slightly less motivation to speed up the arms race.  Good for the Russian people, good for us.

What if Iran, Iraq, ISIS…
I can’t see where that would cause real suffering for us, nor for anybody else, them included.

What if organized crime had our tamper-proofing technology?
We make code hard to reverse engineer, or to tamper with; we don’t make code easy to hide.  (The bad guys depend strongly on hiding their stuff.)

What if the US would use our tamper-proofing technology?
what-ifFewer secrets would be lost through reverse engineering. There would be less fear software sabotage.  Our defense technology wouldn’t really be more potent, but it would last longer until it is outdated.  Cyber-criminals would need to work harder on any software that has been protected with WHS technology.  Less profit for cyber-criminals will certainly not cause more crime.

What if software producers, movie producers had our technologies to protect their copyrights? There could be more revenue where it belongs, and less revenue for stolen copies.

Decoys, take 2

About a year ago I blogged strategically on decoys but I promised a second post.  Here it is.  Quite simply almost out of the user-manual, there are many levels of how our  tamper-proofing implementation makes use of decoys.

Some instructions are like red flags, they only  occur in “suspicious” circumstances. dummy_car Besides generating such instructions on the fly, our tool generates a few of these instruction in a whole bunch of places, adding just a small container of extra needles to the  proverbial hay stack.  Let the attacker guess which  the right needle is.

Not just instructions maybe be recognized, the same is true for instruction patterns.  In fact, looking for pattern is a common attack method. (While this is not topic relevant, rest assured there is quite some effort in the tool to avoid patterns).  More relevant to the topic: when some vanilla extra code is needed somewhere, the tool can nicely generate known patterns it otherwise tries to avoid.

And of course, extra, never executed code can be added. Let the attacker spend the appropriate extra effort.  Software engineers can easily forget how resourceful and clever attackers are.  Attackers worth that name will use good statistics of instructions used or groups of instructions and find out that some code just doesn’t quite look right. The most clever solution to get code with a particular distribution for a specific application is also the most simple one:  Just let the programmer specify some extra binary input files of his choice, the tool will simply use those instructions and not worry about any math, statistics, or being fancy.  Using code found in the real application to be protected as decoys however would be a rather stupid idea.

Extra code might be more than a bundle of instructions to look at:  We distinguish such simple extra instruction sequences from more clever instruction sequences which also get executed and have not much effect. But unlike the former, such code will really be executed in the running application.

Don’t forget: the tool only does the tool’s work; to really fool an attacker the programmer can help with extra decoys really looking attractive.  This touches one of our standard mantras: an application doesn’t need to be changed at all to be protected, but when a real first class, high level protection is desired, efforts of the tool can be highly augmented by a programmer who knows what he is doing.

Troubles with Debuggers

A simple measure against crackers is detecting whether a program is being debugged. There is a race between defense adding new recognition features and attackers finding ways to fool defenders.antidebug In fact, White Hawk Software does not have the illusion we can always recognize when an attacker uses a debugger. So we use a large number of different methods, annoying any attacker so that he just never knows when he is finished after finding the next hurdle.

For an extra kick the WHS protected program makes its defense in such a subtle way, that the attacker might not recognize the defense. Maybe a wrong algorithm is chosen, or the precision will become dismal… Sadly, we cannot create subtle misbehavior automatically: in practice it turns out to either not be subtle enough, or not to disturb the attacker at all. Real subtlety is the domain for manual protections and therefore restricted for use in very high-end defenses. Here, White Hawk Software can offer to give the user enough control and enable manual creation and integration of such a protection. One thing however we can do automatically: Add a delay between detection and acting, so the attacker might not see the spot where his presence has been detected. Another trick against scripted attackers is to not always trigger but to use some randomness.

We want to present some tricks to recognize a debugger. The absolute last thing we want to do is educating attackers, and that is indeed not happening. Rest assured, attackers already know about what is written here, it’s ok to also let the other people know. By the way: When researching known anti-debugger tricks we have found a large number to be broken. Traditionally it is the good guy which uses a debugger, and malware trying to prevent debugging. For this reason (at least we occasionally think so) text-books describe detection methods which don’t quite work completely. We will stay within that tradition, we will stay far too general and high-level to risk exposure of new information to criminals.

There are very different classes of debuggers. For example: Breakpoints can be created by modifying the code. Breakpoints can be implemented in hardware. A debugger can stop all threads, or could stop just one single thread. An emulated processor could be used. The program could be run on special hardware for debugging. No single measure will recognizes all.

Finally, here are some ways to detect your program may be debugged

  • The operating system has an API to detect debuggers. Look for that call.
  • There are some bits set by debuggers which can be checked directly without using the API. (E.g. Windows Process Environment Block)
  • Recognize presence of trap instructions. (And don’t trip over data with the same encoding.)
  • Special-purpose breakpoint registers can be “used” by us, so use by a debugger becomes conflicted.
  • Debuggers themselves can have bugs which are known and exploited by malware.  (But eventually those will become fixed.)
  • Enumerate the running processes and recognize a few known debuggers.
  • Recognize the user-interface of a debugger on the monitor.
  • Check the execution timing, recognize the slowdown from single stepping. (But ignore page faults.)
  • In Windows, only one debugger can be “attached”: attach yourself first.
  • Execution inside a special sandbox might be recognized by the environment looking too simple.
  • Check or damage the content of interrupt or trap vectors used for debugging.
  • Create an artificial bug, and try to catch that bug. A debugger may snatch the bug away, expose the bug to the user, and itself to the protected application.
  • Certain special instruction sequences cannot be single stepped. Does the debugger know?
  • Some measures use unusual instructions, being visible like red flags. We use decoys to hide the ones that are really used for anti-debug in a pile of fakes.


A few references:
Any internet-search can show these anti-debugger tricks and more methods. Here are some we have used.

Waging War on Hackers

For the 2015 State of the Union address, cyber security played an important role.  New laws go-to-jailwere proposed.  Such laws are not unproblematic however.  Rob Graham made some interesting comments in the “Wired Magazine” about what might happen with such laws.  That is how governments, ours included, seem to act.  I would never think the bad consequences were intentional.  I think this is nothing more than a simple over-reaction to a problem which seems to get out of hand.  Hacking is the new scare.  People are either totally unprepared, or deadly scared.  Neither is rational.  Enacting laws when scared is almost a guarantee for enacting bad laws.  I recommend punishing performing a crime, but don’t make the punishment depending on the technology and on how scared the victims are.

In our opinion, there are better solutions to cyber-space problems.  The essence of the best solutions lie probably both in the social and economical adjustments.  However, the part of the solution a startup company like ours can safely provide is on the technological site.  With some good technological solution there wouldn’t be a need for overreacting and society would by kinder and safer.
There rarely is a one technology which fixes all. However, there are several technologies which can make a difference.  Tamper proofing your software for example. It may still be overkill for simple problems like stealing from buggy websites.  But tamper proofing is ideal for critical software.  Maybe this method of protecwe_the_peopletion will become standard and thus can easily be affordable, so it can be implemented everywhere, but not yet.  Tamper proofing may not be the only solution, but it is a good one.

Compare your digital treasures to your nest egg of savings.  Do you pile your money on the front lawn, make tougher laws and blame the neighbors when the pile is gone in the morning?  No, you put your money in a safe box or into a bank.  Equally, commercial software users and producers just need to do their part of due diligence in protecting software.

How to use encryption

Another short blog-entry which isn’t really for software producers, but aimed at everyday software users:  I found it more difficult then necessary to setup encryption.  Here is what I did, maybe this can help somebody.

Encryption is a really big deal.  If you already do this and worry about real classified stuff, don’t read on.  You already know how to handle encryption and these simple instructions may be useless for you.Data-Encryption-300x225

If you simply load your security certificates into your browser and are happy, you can also stop wasting your time reading this blog.  That is probably good enough for many users.

People inbetween (like me) just think the standard processes to use encryption are too complex.  The system may be foolproof, but it for sure fails to convince me that the stuff I’m sending around doesn’t contain my private keys. I may have an ultra secure certificate, but why should I think my computer keeps it really secret?  Some unknown code in my browser somehow uses a certificate, paints nicely closed locks on the monitor and what not.  But I know my normal desktop computer is not safe.   I know my virus checking program does safely catch about 60% of the simpler viruses (and secretly deletes binaries of tamper-proofed test program which it usually assumes to be malicious.)

Getting concrete:  a few programs which are really simple to use, so simple you might avoid making mistakes of your own.  So simple that their code is self contained and far away from most malware already having attacked your computer.

1) Encrypting or decrypting any file.   That program creates a window.  You give it the password and simply drag and drop files into it.  In the middle of the page it says “Download EW-Public”.  Unzip the file you download and create a directory.  No installation is required.  The directory contains simple instructions.

2) To encrypt or decrypt just lines of text, e.g. within an email message.  The recommended program creates a window with a form-field for the password.  To use that program, use drag and drop as with the other program, only this time use lines of text, instead of complete files.  Use what they call the “Lean” version. The simpler a program is, the less chances you have of making errors.  You can make a local copy.  No installation is required.  The directory contains the full program and simple instructions.

3) When security really matters, there exists a program which can be used to make an otherwise unsafe computer safe.  How?  Use is simple: you reboot your computer into that program.  You get a “desktop” which is safe and completely separated from your file system.  Among other security tools, this program already contains both encryption applications mentioned above.  Get one of the “LPS-Public ISO Images”.



And now for the grand finale:  Watch the short movie:  “Signs that your software needs better protection.”

North Korea says: No, We Didn’t Hack Sony.

Recently a new cyber crime story gets reported every week. This week’s news on cybercrime is about an attack at Sony Pictures Entertainment, among other problems making movies publicly available, and creating substantial damage.

Cute dog and girl, most likely from movie.
Picture from linked web page., most likely from movie

An important aspect of most cyber crime is the fact that hacks usually cannot be attributed to the real source. Just because a computer was attacked by another computer, maybe in North Korea or maybe somewhere else doesn’t confirm the real source. That computer may itself be an innocent victim and may have been used by another computer in some other part of the world. There can be a chain of tens and more computers. Even aunt Emma’s computer may be part of such a chain. Therefore it is a very bad idea for most people to start counterattacking cyber criminals by themselves.

This attack is different from old fashioned cyber-crime in what it tries to do. It is not simply stealing some money were the loss of the victim matches the gains of the criminal; it is not simply leaking credit card numbers. The loss to Sony is “strategic”: The loss for Sony isn’t what is gone and has been stolen. The loss in this case is directly hurting Sony in its ability to do further business. As of today, such crimes are common place in newspaper talk about state-actors, cyber-“terrorism” and in hype like cyber-“war”. What is new and unusual here is that such losses are inflicted on normal, commercial business enterprises.

Adding several layers of protection could significantly minimize the risk of such attacks. Obfuscation of your code as provided by White Hawk Software can be one of these protective layers.

For more about this incident see:

Cyber security for consumers and other people

White Hawk Software provides serious high end protections. Our solutions are aimed at software producers. This post, while serious, is however aimed at individuals and families, with and without security background.

Closed gate. Origin of pic is not known.
In the event of an emergency are you prepared? Know who to Call, where to Meet, what to Pack.
This is about the real world; nothing virtual or cyber.
The Internet is a powerful and useful tool, but in the same spirit that you shouldn’t drive without buckling your seat belt or ride a bike without a helmet, you shouldn’t go online without taking some basic precautions.
Avoid scams. Secure your computer. Protect kids online. Be smart online and more.
Looks Too Good To Be
Every day consumers receive offers that just sound too good to be true. In the past, these offers came through the mail or by telephone. Now the con-artists and swindlers have found a new avenue to pitch their frauds — the Internet.
Stop. Think. Connect. Toolkit
The majority of cybercriminals are indiscriminate**; they target vulnerable computer systems regardless of whether the systems are part of a Fortune 500 company, a small business, or belong to a home user. Cybersecurity is a shared responsibility in which all have a role to play. This toolkit provides basic resources just for that.
(**In contrast: White Hawk Software addresses the much smaller, much more sophisticated, and possibly very discriminating segment of cyber criminals.)
Internet Crime Complaint Center (IC3)
The IC3 accepts online Internet crime complaints from either the actual victim or from a third party.
Useful and comprehensive advice about common security issues also for non-technical computer users.
“Cybersecurity Lab ” (Public Broadcasting Service, a television network )
Practice lab to take cybersecurity into your own hands. You’ll defend a company that is the target of increasingly sophisticated cyber attacks. Your task is to strengthen the cyber defenses and thwart the attackers by completing a series of cybersecurity challenges. You’ll crack passwords, craft code, and defeat malicious hackers.
Bruce Schneier is one of the most vocal but also most knowledgeable people in the cyber security arena.
CVE is a dictionary of publicly known information security vulnerabilities and exposures.
When you really need help…
InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.
United States Computer Emergency Readiness Team
The big guns.
Cybersecurity at Homeland Security.
Our favorite company on serious tamper-proofing software when security really matters.


Cost of cyber-crime $400 billion

An interesting report has been released from the Center for Strategic and International Studies and McAffe.

Net Losses: Estimating the Global Cost of Cybercrime
Economic impact of cybercrime II


“We estimate that the likely annual cost to the global economy from cybercrime is more than $400 billion.”

Do you have a clue how much notes2money that is?
According to the report:  more than the national income of most countries

Like most bloggers I cannot judge whether this number is too high or too low.  Lots of arguments for either side might be made.  Given the title, I assume that these numbers are the losses only and do not include the cyber security costs implied for preventing the losses from becoming larger.  The report also states that a large fraction of damages are not reported and that statistics in different countries are quite different.

I found the following table interesting, putting the costs into some perspective:

Activity               Cost As % of GDP
 Maritime Piracy        0.02% (global)
 Transnational Crime    1.2% (global)
 Counterfeiting/Piracy  0.89% (global)
 Pilferage              1.5% (US)
 Car Crashes            1.0% (US)
 Narcotics              0.9% (global)
 Cybercrime             0.8% (global)

It would be interesting for White Hawk to know what part of these losses are considered caused by insufficient tamper-proofing.

For several reasons we cannot answer that question:

  • The report is not detailed enough.
  • Certain (probably more correct: most) losses could have been prevented by multiple solutions.
  • As classical security companies don’t do tamper proofing, there is no appropriate category in the report.

And even if we could answer the question… who would believe us?

Lastly, in protecting critical infrastructure, knowing the possible damage can be more of a driving factor then the past damage specially when the really bad things didn’t happen.