The No More Ransom Project (nomoreransom.org)
561 points by esalman on Oct 30, 2016 | 232 comments



So this is what a ransom note looks like:

https://d1b10bmlvqabco.cloudfront.net/attach/is23h8nx8ff3jw/...

Short, blunt, helpful, clear. Pretty much what you'd like every memo you've ever gotten to be. Me, I'm a huge fan of ransom notes and Nigerian scam emails. We can learn a lot from them.

I'm pretty sure that when you get one of these you're dealing with a script. You pay .65880 BTC into its wallet, period. There is no negotiation with a script. What I've also heard is that you can trust the script because these guys want a good reputation. If it gets out that you paid and you didn't get unlocked then no one would pay.

If you don't want to pay on the backend then you have to back up on the front end. You should do that already. You should be able to take a sledge hammer to your laptop, buy another and not miss a beat. If you could do that then you could just reformat and reinstall.

Prevention is worth it. Protection is worth it. Paying? Well if you did the first two you wouldn't be asking that question. But .65880 Bitcoin equals about 463.97 USD. So you might want to get on the prevention+protection train.

Prevention will help you against viruses, keyloggers, etc that can cause a lot more economic harm.

Protection, backing up, will also help you in the case of theft or dropping your MBP out of its sleeve when you get out of the car. Done both.


The ransomware scheme only works because the users actually get their files back and the prices are pretty reasonable for many victims. The perpetrators spend a lot of time on the ransomware and its backend. The better it works, the more people will pay. They rely on people like us to spread the word that it's not a scam, it's real and it works.

Now that I think about it: It would really damage the whole ransomware scheme if there were fake / rogue versions that won't decrypt, wouldn't it?


> It would really damage the whole ransomware scheme if there were fake / rogue versions that won't decrypt, wouldn't it?

Or a single fake story about how ransom doesn't give your data back, published in a high-profile newspaper.

Come to think of it, our news sources write bigger lies every day, here they could actually do some good without any risk to their own reputation.


This wouldn't really help, because, much like spam, the costs are extraordinarily asymmetric: it costs essentially nothing to infect somebody and they need 1 payout in 100000 to make it worth it.


> Come to think of it, our news sources write bigger lies every day

Unfortunately they are also cut throat with regard to each other. The first paper that does this risks the rest of them running stories about that source scare mongering and deliberately spreading panic on behalf of [insert conspiracy theory and/or unpopular agency here].


Sounds like a good thing to me. The watchmen watch the other watchmen.


But they only act on what they see when it satisfies their own ends. It isn't really an effective force for the general good.


I'm kind of amazed at the tone deafness of several comments in this thread. I get that as a larger effect, reducing the success rate of scammers hurts their business, but if I'm dealing with someone who's been hit because they weren't adequately prepared, I'm gonna recommend they pay the ransom if they want their stuff back. Because I'm trying to recommend what's best for them. People could be losing their entire family's memories for the last two decades here. (I find for many consumers, photos are their singular valuable on their PC.)

Most of us in this thread ARE adequately prepared with backups, so it's easy to forget that yeah, someone should probably value their family memories over an infinitesimal effect on the scammer business by not paying. A lot of people here seem to suggest lying to or misleading people to believing they can't get their stuff back is a solution, while ignoring that it leaves people... unable to get their stuff back.


When Transmission had an infected release a couple of months ago, I remember reading that the malware had in-progress features to encrypt Time Machine drives. It gets installed, waits a couple of days, locks up your hard drive and any backup drives that you connect, and there's nothing to do about it.

That's enough to hose 99% of users, even the ones following traditionally sufficient practices. You're only safe if you have offsite backups with drives that didn't mount to your computer recently.


> You're only safe if you have offsite backups with drives that didn't mount to your computer recently.

Or if your backup solution is—from the perspective of the computer being backed up—an append-only store. Like a box of tapes, or Tarsnap using restricted keys, or Arq pointed at a versioned S3 bucket, or a NAS exposing an iSCSI target backed by an LVM thin pool LV with automatic daily snapshots.

Sadly, as far as I know, no turn-key hardware "home backup" or "home NAS" product is in that category, though.


I've seen this in practice - the two-person business with a file server, and a NAS they backed up onto. For the size of the business, they were doing everything right.

Every time I say this, someone chimes in and says that in their office, they air gap tape drives and do all sorts of things with storage snapshots. If you're an enterprise - great. A large proportion of "two laptops" businesses have no backups at all, or a "I selectively place important things in Dropbox" setup. This team went and bought a NAS and set up backups. Good on them. It was sad to see cryptolocker take down both desktops, and all backups on the NAS.

The email he received sent him to a website with a convincing looking download, which came up 0/55 on virustotal. He even told me he wouldn't have run an executable - but it was a Word document. It can be truly depressing to see who cryptolocker affects sometimes.


Fortunately, there do exist several inexpensive and user-friendly incremental cloud backup solutions. For a few bucks a month you can back up everything to Cloudflare or Backblaze and be fine even if your primary copy and recent backups all get hosed.


CrashPlan. Not Cloudflare.


Right, thanks. I actually use CrashPlan myself and still missed that!


I've contemplated setting up a small home server with write-only shares for backups, but ended up not doing it because of the cost and time. If there were a reasonably priced off-the-shelf product for this, I'd recommend it to everyone I know.

On the other hand, if there were an off-the-shelf product for this, it would probably have unpatched security issues two weeks after you bought it, and if it were in common use you'd see ransomware targeting it. Tough problem to solve if you're not running and maintaining your own devices.

I suppose tarsnap or S3 would be the way to go, I'm just not that into cloud backups. Maybe it's time to get over that.


> if there were an off-the-shelf product for this, it would probably have unpatched security issues two weeks after you bought it

I'm waiting for the NAS "appliance" that's actually running CoreOS, and then just relies on running the :latest tag of some popular Docker image (and not a fork of it that they'll forget to update eventually; the original upstream image), plus a bit of config-file glue generated into a shared volume from a web-UI service running in another container. (Bonus points if the second container is only started up, for an hour at a time, when you press a button on the NAS, WPS-style.)

Such a design is essentially the same as shipping the device's OS as "firmware" with auto-updates, but for the fact that the vendor themselves isn't anywhere within the path of creating or distributing those updates. Which, in the end, makes all the difference.


> You're only safe if you have offsite backups with drives that didn't mount to your computer recently.

Or one that doesn't mount to the source computer(s) at all.

My active machines push backups to intermediate locations, and the true backup locations pull from there and create snapshots. Status information used to verify the backup process is passed back the other way. The active machines don't (in fact can't) authenticate with the main backups and vice versa, reducing the likelihood that someone hacking into one can easily compromise the other at the same time.

I wouldn't expect the man on the street to muck around setting this up though, but many cloud backup solutions effectively do this if they don't have an easy "delete snapshot" API call or similar. I'm surprised that the "soft offline" backup side of it isn't marketed more actively. Maybe no one thinks they can adequately explain the benefit to the man on the street without putting them off by it being a little more complicated than a simple file copy.


The problem is, the file can get locked and still be available for backup. Smart enough malware will send an encrypted version when accessed over LAN while local access is unimpeded for some time. There is a reasonable chance that your backup will end up with encrypted files. This is why you need more than one.


That only matters for content created after the malware was installed though, assuming the backups' snapshot interval is reasonable. The malware doesn't usually hang around very long, does it? If it's detected while it can still hide, it still has the decryption keys.


> it still has the decryption keys

No, they (usually) work similar to PGP/GPG, i.e. each file is encrypted with a different AES key and the AES key is encrypted with a public RSA key. The original AES key for a particular file is immediately deleted from memory after the file is encrypted and the private RSA key (needed for decrypting the AES key that is stored in the file) only ever gets delivered to the system if the ransom is paid.
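The PGP-style layering described in this comment (a fresh AES key per file, that key wrapped under an RSA public key, the plaintext AES key discarded right after use) is ordinary envelope encryption, and it is worth seeing concretely why forensic recovery of the file key from the affected machine is a dead end. The following Go program is an added example written for this thread, not code from the original page or from any project mentioned in it; it uses only the Go standard library (RSA-OAEP to wrap a random AES-256-GCM key), and the sample plaintext, the Envelope type and the Demo helper are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything a hybrid scheme leaves behind for one file:
// the ciphertext, the GCM nonce, and the per-file AES key wrapped under
// the key holder's RSA public key. The plaintext AES key is not kept.
type Envelope struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output (includes the auth tag)
}

// Seal encrypts plaintext under a fresh random AES-256 key and wraps that
// key under pub. The file key is zeroed before returning, so afterwards the
// only surviving copy is the wrapped one, which needs the RSA private key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // drop the plaintext file key
		fileKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the file key with priv and decrypts. With any other private
// key the OAEP unwrap fails before AES is even attempted.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo (constructed for this example) runs the round trip: the holder of the
// matching private key recovers the data; a party with a different key does not.
func Demo() (recovered bool, wrongKeyFails bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	plain := []byte("constructed sample: bytes of 2004-beach.jpg")
	env, err := Seal(&priv.PublicKey, plain)
	if err != nil {
		return false, false, err
	}
	got, err := Open(priv, env)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := Open(other, env)
	return bytes.Equal(got, plain), wrongErr != nil, nil
}

func main() {
	recovered, wrongKeyFails, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("private-key holder recovers data: %v; other key fails: %v\n", recovered, wrongKeyFails)
}
```

The defensive takeaway is the one the thread keeps circling back to: once the wrapped key is all that remains on the host, memory dumps and disk carving recover nothing usable, so a backup that predates the encryption is the only reliable recovery path.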


Exactly, but it will never be zero. There will always be scammers trying to get rich quick on the trust users have placed in the (more) honest scammers. All organized crime has to deal with some amount of posers trying to cash in on their reputation.

Sometimes the way they keep the dishonest guys in line is by attacking others who try to get in on the scheme. Traditionally this would be breaking people's knees, and I imagine well-organized cyber crime boils down to the same thing in the end.


> ... trust users have placed in the (more) honest scammers.

> Sometimes the way they keep the dishonest guys in line is by attacking others who try to get in on the scheme.

Are you really trying to frame some extortionists/scammers as honest and some as dishonest? How about: they are all criminals, extorting money from random people they don't care about?


Some scammers can be honest. You might say "Transfer X amount of money to me. If you don't, you can never get your data back". Saying and acting on that doesn't make you dishonest, it makes you an asshole.


That depends on your definition. Googling brings up "dishonest: not honest; disposed to lie, cheat, or steal; not worthy of trust or belief"

Thus I think a scammer can be called dishonest.


A trivial application of the principle of charity makes it obvious that the meaning here intended is 'truthful'. Splitting semantic hairs rather than discussing substance benefits no one.


Substantial discussion without accurate semantics is impossible, whereas splitting semantic hairs is substantial discussion in its own right. And the hairsplitting accuracy is necessary because the literal question of good and evil is hardly insignificant.


It is not insignificant but it is not the point of this discussion. The word honest was being used in a restricted context. One might argue that trustworthy might be a better word in this context but the meaning was clear nonetheless.


>The word honest was being used in a restricted context

That seems to be the problem, then. Call it a restricting context and we are back to the matters of good and evil.


Do you really not understand the point that is being made here?


Good comment.

I've interacted with ransomware scammers on several occasions. Each time I couldn't help but be impressed by their operations. In one case, the scammers provided an email address for customer support once the victim paid the ransom. They were courteous, helpful and professional - more so than many customer response teams I've had to interact with in legitimate companies.

To be clear, I also don't recommend paying the ransom, but the work is often impressive.


To be fair, I think legitimate companies' customer support might be a bit more courteous and attentive if they personally stood to gain $500 from each dissatisfied person contacting them...


It's more like part of post-sales than customer support (a cost centre).


Although in this case they may be trying to reduce the volume of people who get the police involved. If they are pleasant to deal with throughout that seems likely to diminish people's enthusiasm for demanding legal consequences for the perpetrators.


Reminds me of http://www.tau.ac.il/~algazi/mat/Goffman--Cooling.htm from pre-internet times.


Hmmm, thinks back to some of the support contracts I've been involved with (or heard about from trusted friends) with "big 4 consulting firms" or "enterprise IT partners".

Nope, doesn't check out.


It does. Regular customer support is on wage/salary, and otherwise has zero economic interest in helping people. Also, they're considered a cost centre, which doesn't help.

Think of criminals doing ransomware as if it was a small startup, for which profits are strongly dependent on reputation, and where your "customer support" is actually handled by the founders themselves. They have every reason to help, because it literally keeps their business model alive.


Oh yes, of course. Without question the superior customer support is a selfish incentive. But I still find it incredibly interesting.


I agree. There has to be an MBA case study in there somewhere. As others have said, they clearly see it as a profit centre (not cost centre).


Y'all make this all sound so appealing.


Stockholm Syndrome exists for good reason.


Ah, reality is an infinite source of irony.


That's great until the ransomware gets clever and encrypts your backups too.

I'm extremely skeptical of the people that say ransomware is good for the economy or whatever. Broken window fallacy. Sure it creates an incentive to protect against hackers. But isn't that a bit circular? Hackers are good because they create an incentive to protect against hackers? Ransomware is by far the most economically damaging kind (and personally damaging, for all the people that lose their family photos...)

There's a lot of blame to go around for this situation. Shitty antivirus companies that sell a false sense of security and barely work. The broken security model of Windows and most software. How inconvenient and expensive it is to actually do backups, so because of most basic human psychology most people put it off... If they are even technically minded enough to know they should, and most people aren't. Programs that pollute my home folder and documents with garbage that increases the space necessary to back up (OK that's just my personal issue.)


I saved my dad from ransomware using the Crashplan backups I set up. Ransomware can't retroactively encrypt remote (incremental) backups (unless they hack the service). Admittedly, I now realize they could have deleted them, so I need to enable the password protection in the app, so nothing can be changed without the password. However, I don't think it's worth it for the builders to invest in that: the number of people that could rescue themselves in such a way is probably negligible.


The problem is once enough users start using services like that, then it becomes rational for them to invest in that. It's sort of like security through obscurity. There is no solution for the general population.


It's not so hard for a backup service to ensure users can undo any changes (XX days back) no matter what way files are removed/overwritten.
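Several comments above converge on the same design: a backup target that is append-only from the client's point of view (the "versioned S3 bucket / snapshotted LV" idea), where a compromised client can write garbage or issue deletes but can never erase earlier revisions, and where the account holder can roll back XX days. The following Go program is an added example written for this thread, not code from the original page or from any backup product named in it. It is an in-memory model of such a store: the constructed Version, Store and Demo names, the sample file path and the sample contents are all illustrative assumptions; retention pruning and authentication are deliberately out of scope, on the assumption that they run server-side under credentials the client never holds.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sort"
)

// Version is one immutable revision of a path. Seq increases monotonically
// across the whole store, so "the state as of seq N" is well defined.
type Version struct {
	Seq     uint64
	Data    []byte
	Deleted bool // tombstone: the path was deleted at this revision
}

// Store is an append-only backup target. The client-facing API is Put and
// Delete, and both only ever add a Version; there is no client call that
// removes or rewrites history, so a client that has been taken over cannot
// destroy the revisions taken before the damage.
type Store struct {
	nextSeq  uint64
	versions map[string][]Version // per path, ascending by Seq
}

func NewStore() *Store {
	return &Store{nextSeq: 1, versions: map[string][]Version{}}
}

func (s *Store) record(path string, v Version) uint64 {
	v.Seq = s.nextSeq
	s.nextSeq++
	s.versions[path] = append(s.versions[path], v)
	return v.Seq
}

// Put records a new revision and returns its sequence number.
func (s *Store) Put(path string, data []byte) uint64 {
	return s.record(path, Version{Data: append([]byte(nil), data...)})
}

// Delete records a tombstone; the data it hides remains restorable.
func (s *Store) Delete(path string) uint64 {
	return s.record(path, Version{Deleted: true})
}

// Latest is the current view, i.e. what a plain sync client would see.
func (s *Store) Latest(path string) ([]byte, error) {
	return s.AsOf(path, s.nextSeq-1)
}

// AsOf returns the newest revision with Seq <= seq: a point-in-time restore.
func (s *Store) AsOf(path string, seq uint64) ([]byte, error) {
	vs := s.versions[path]
	i := sort.Search(len(vs), func(i int) bool { return vs[i].Seq > seq })
	if i == 0 {
		return nil, errors.New("no version at or before that point")
	}
	v := vs[i-1]
	if v.Deleted {
		return nil, errors.New("path was deleted at that point")
	}
	return append([]byte(nil), v.Data...), nil
}

// Demo (constructed for this example): a good backup is taken, then a rogue
// client overwrites the file with garbage and deletes it. The current view is
// gone, but the pre-damage revision is still there.
func Demo() (original, restored []byte, latestGone bool, err error) {
	s := NewStore()
	const path = "photos/2004-beach.jpg"
	original = []byte("constructed sample: original photo bytes")
	good := s.Put(path, original) // remember the seq of the known-good backup
	s.Put(path, []byte("constructed sample: scrambled bytes pushed by a rogue client"))
	s.Delete(path)
	_, latestErr := s.Latest(path)
	restored, err = s.AsOf(path, good)
	return original, restored, latestErr != nil, err
}

func main() {
	original, restored, latestGone, err := Demo()
	if err != nil {
		fmt.Println("restore failed:", err)
		return
	}
	fmt.Printf("current view gone: %v; restored matches original: %v\n",
		latestGone, bytes.Equal(original, restored))
}
```

The property that matters is the shape of the API rather than any cleverness in the storage: as long as the credential the backed-up machine holds can only append, the worst a rogue client can do is add bad revisions, and the operator's job after an incident is to pick a sequence number (or date) from before the damage and restore from it.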


> Ransomware is by far the most economically damaging kind

Is it, though, compared to malware? Consider an elderly person who gets infected with malware/spyware, making his user experience frustrating and confusing. 2 or 3 trips to the Geek Squad for $150 a visit and you're at the same financial loss as paying a ransom. I'm sure there are also people who just don't use their computers due to infections.

Plus, malware has got to be much more prevalent, at least for a long time it was, not sure what the state of it is now. So in total, I would wager that many more dollars have been spent for techs to remove it than have been spent on ransomware.


Backup encryption is already out there, even. Time Machine is a very popular solution, and implies a lot of desirable demographics (owns a Mac, set up something about as complicated as a BC wallet, probably has no other backup). So there have been some encryption schemes that stick around silently pending a Time Machine backup and then take out the files there too.

It's pretty hard to say that users "should be safe from this" - most of the solid solutions discussed in this thread are probably used by <5% of people, and maybe much less than that.


Use tools like Seafile and Owncloud that keep old versions and offsite. They offer both hosted service and self-installation option. The client notifies you that "files X,Y changed", which can make you notice that anything untoward is happening to files you are not working with at the moment.


This happens quite often at medical offices. Five and even six digit ransoms are not unheard of. On the plus side, it helps encourage Windows updates and IT responsibility.


Now I'm really curious if they calculate the prices based on the files they encrypt. Do you know if it was some kind of spear phishing attack or just a regular ransomware variant? Any sources? thx!


My guess is it's pretty easy for them to report back the infected computer is part of a domain, for example, which most businesses using Windows would be on.


I've heard of some non-scripted ransomware that "phones home". If it points you to an email exchange with the scammer, there's room for a person to sound you out, maybe google you or work off your email address and information reported by the ransomware.


"If it gets out that you paid and you didn't get unlocked then no one would pay."

Sounds like an easy way to get rid of ransomware. Just spread rumors that you didn't get your files back even though you paid.

Somehow I have a feeling that wouldn't work, though. Many people would still pay.


Another way then: create a script that sends hundreds of emails to the victim from different addresses (wallets) and different amounts; the victim cannot identify which email is from the actual scammer, therefore he will pay none and the scam's chances of success would reduce, and with it, eventually, the number of scammers.


Do they really communicate by email after encrypting? Wouldn't it make more sense to communicate via a file on the owned desktop?


Forgot about that, yep, they leave a big message on your screen.


How will that get rid of ransomware? It might reduce their profits, but as long as even 1% of people pay up, they make enough to keep doing it.


You should be able to take a sledge hammer to your laptop, buy another and not miss a beat.

For most I think that's the wrong target. Establishing & maintaining totally seamless, push-button rolling restore costs a lot of effort & money.

In the event of failure (which is not guaranteed), you burn a day or three getting things back to normal. So long as failures are rare, this can be cheaper (though availability suffers)


What if the ransomware runs every month on a random day after it's installed until it gets paid?


> When [you are infected with ransomware], you can’t get to the data unless you pay a ransom. However this is not guaranteed and you should never pay!

What bothers me about their advice is that it is only correct macroeconomically. For your particular case it could be the best solution to just pay - as even police departments have done before.

It also ignores that it is in cybercriminals' best interest to let you decrypt after you paid: They need their victims to trust them, and they have nothing to gain from keeping the files encrypted after payment.


It's been pointed out in the past that most ransomware services have better customer support than paid services. That's because they stand to gain $XXX from each successful interaction and they stand to lose substantially more if they have a reputation of not returning the data.


That's just hilariously twisted.


It's such a perfect example of how human systems are molded by underlying incentives.

Of course, the incentives themselves arise within immense cultural and technological contexts. Hopefully one day we see further past the dense fog of complexity. Assuming we aren't adding to it at a faster rate...


> Of course, the incentives themselves arise within immense cultural and technological contexts.

To twist it even further, note that the shifts of culture and technology are directed by aggregated incentives of people. What a nice and strong feedback loop there. Only shows how little control societies have over where they're going.


The market works!


The invisible hand.


In a twisted sort of way, a person could destroy trust that paying the ransom will actually get your data back. Someone could create ransomware that will never decrypt, even after the ransom is paid. Once the victims know the dishonest ransomware is out there, that may ruin the revenue towards the "honest" ransomware.


Or better yet, only unlocks after you _haven't_ paid the bitcoin ransom in the allotted time period. If you just decrypt now it's Pascal's wager and the buy-in is $500, so most people buy and worst case scenario the guy who hit you was a dick trying to prove a larger point, but if the cultural narrative is "don't help the criminals / don't negotiate with terrorists!" then it would be rational and societally acceptable not to pay the ransom.


> Someone could create ransomware that will never decrypt, even after the ransom is paid.

This already exists: http://arstechnica.com/security/2016/07/posing-as-ransomware...

> "Once it executes it, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."


Makes me wonder if it's just buggy or intentional.


Considering that the operators must actively keep the backend alive and support the users, it's more likely they abandoned it for whatever reason.


In that case, the victims could refuse to pay ransom and the criminals will go out of business.


But a virus has zero marginal cost. Even one guy paying and they make money.


They have to weigh in the risk of getting caught, especially if they piss off enough people. So one paying victim may not be enough for a criminal to go this route.


They are probably located in a country where it is easy to bribe the policemen, and factor that into their cashflow calculation.


It really depends on how much noise/attention they attract.

Bribing one policeman or a department, or a national level LE body, and so on?

Due to the nature of the internet and social media there is an ever decreasing chance of flying under the radar.

Even if a country's entire infrastructure is corrupt, you would still have to deal with a never ending list of 'beaks to wet'.


Bribing a LEO seems to be a risky business - how risky depends on the conditions. If you're the only one bribing an officer, you'd better ensure you have that consistent cashflow. It's easier if everyone is bribing the police. But still, the moment you interact with law enforcement, you appear on their radar. It's always better to avoid that unless absolutely necessary.

> Due to the nature of the internet and social media there is an ever decreasing chance of flying under the radar.

I disagree with this statement though. I think that Internet as it is now only makes it easier to fly under the radar - simply because people generate such a huge amount of noise that it's barely possible to handle. As long as you don't get too greedy, you can get away with a lot, simply because nobody is going to bother looking for you (hence e.g. spam).


I should clarify that while the simple existence of the Internet doesn't make getting caught more likely, social media at least increases the chance of someone on the related social graph seeing something, and reporting it.


That's actually a bigger risk.

If there's no police protection for the victims there's also little police protection for the criminal.

If I were a ransomware scammer I'd rather be caught and jailed than killed by irate victims or competing criminals.


Kind of surprised no one's actually done this. I mean, there has to be at least a few really bored trolls and griefers out there who mess around with people's systems for 'fun' rather than money. I'm sure some teen in an ex-Soviet state somewhere would find it funny to watch someone have a breakdown when their cash doesn't get them their work back.

Or that some criminal group/mafia would use it to try and 'sink' their rivals. After all, a gang in competition with whoever makes these malware programs would probably love to shut down their revenue from ransomware. With say, their rivals name attached to the cruel hoax.

Still, I suspect something like this will happen at one point.


...it now occurs to me that if, using one of the million or so compromised ad networks, you wrote something that would pop up the following message in people's browsers:

"Hi there! Your computer has been infected with a virus which will encrypt one file on your computer at random each day. You can stop this, and decrypt all the files by paying X to bitcoin wallet Y. Don't wait too long, because if you wait too long, we might encrypt some system file and it won't boot any more."

and which did nothing else whatsoever

...then you'd probably actually get some income.

It'd be an interesting (if ethically awful) sociological experiment to find out exactly how much. Returning people's money afterwards, of course.


My neighbour came to me last week to ask for help. Exactly that had happened to him, from of all things a Facebook ad. It was a simple matter of killing the browser, but it had put up a phone number for "support" that he had already called, but which was busy... so I guess they were having a fair amount of success. Wish I'd taken a photo.


Of course. cough :)


Couldn't you do the same thing with less of a human cost by merely telling people about cases where the ransomware was unreliable, and refusing to spread the information that it was reliable?


Or we could be slightly less nefarious and create ransomware that decrypts everyone's stuff after the allotted time but leaves a congratulatory "thank you for not cooperating with criminals" message to the people that didn't pay...


> Or we could be slightly less nefarious and create ransomware that decrypts everyone's stuff after the allotted time but leaves a congratulatory "thank you for not cooperating with criminals" message to the people that didn't pay...

Please don't do this. People (some would call them victims of cyber crime but not me) are EVIL and if they can trace it back to you, they will sue you. Doing this is not a good idea except as a thought experiment.

It is probably obvious to a lot of people but there are still good people out there who believe in the goodness of people so I thought I should spell it out.


I agree, creating malicious software designed to seriously inconvenience people and demand money from them is not a good idea. Never mind being sued, creating and distributing viruses is a felony in most jurisdictions even if it doesn't look like extortion. But on a scale of bad ideas, ransomware that appears to reward you for ignoring it is still a slightly less bad way of encouraging people to ignore ransom demands than ransomware that just punishes everyone.


> What bothers me about their advice is that it is only correct macroeconomically.

That's because it's the correct advice. Ransom is a very old business, and experience throughout history shows you should never pay the danegeld[1].

> ignores that it is in cybercriminals' best interest to let you decrypt after you paid

That isn't being ignored. Paying the ransom is short-term thinking. Of course they will let you decrypt. By paying them you establish yourself as an easy/reliable mark that will probably pay again in the future. Paying would only make sense if you could somehow guarantee it was an isolated event.

[1] http://www.poetryloverspage.com/poets/kipling/dane_geld.html


Not only that, they know people close to you are potential targets as well (e.g. your mail contacts, Facebook contacts), because more likely than not they are in the same economic bracket and are just as "savvy" technologically speaking.


You can guarantee that it is an isolated event by backing up your files in the future. I imagine most victims are embarrassed and try to think of it as an expensive lesson.


It doesn't ignore any of the things you said. Yes, it's most likely better for you to pay. This kind of selfish thinking is, like many other kind of selfish thinking, what enables this type of crime in the first place.

Sure the criminals will release your files. Just like with regular, "meatspace" ransom, only a stupid criminal would not release hostages after having their demands met. It's in their best interest to do so. But if people by default don't give in to ransom threats, the whole business model becomes unviable for criminals.

So yeah, this advice is kind of like with vaccination and quarantines - it's not just about you. It's about all of us.


I'd say just like in real life, stupid criminals exist. If criminal A says to criminal B "I'll sell you a solution that encrypts their files and I'll host the decryptor for $5 a month" I can totally see a dumb criminal B being fully willing to rely on the reputation of ransomware as working to not pay that $5 a month.

To a certain criminal any effort, no matter how minuscule, at actually providing a way to decrypt the files is useless, and I think with the reputation that's spread about ransomware we're at a point where more scammers will start to piggyback on reputation and stop following through.


It's better for you not to pay, because it means that you're the sort of person who isn't worth trying to extort.


> For your particular case it could be the best solution to just pay - as even police departments have done before.

It could be the best solution for you to pay - if you don't care that you'll finance the attacks on other people and cause more harm overall.

So yes, from a purely egoistic perspective it makes sense.

The question you should ask is not "is it worth paying xxx for my data?", it's "is it worth paying xxx for my data and destroying the data of someone else?".


One option gives an immediate, personally beneficial effect - "you get your files back".

The other option gives you an immediate, personal loss - "your files are gone" - together with an all but unobservable, mid- to long-term benefit for society.

You can of course hope for the majority to take the second option, but hope is the first step on the path to disappointment.


But your individual case isn't going to affect their behavior. If you wanted to change the situation, not paying simply isn't going far enough. You'd need to coordinate with other potential victims or do something like this website and spread defenses. Without putting effort into organization, your thinking that you've helped others is pure egoism because these schemes only require a few people to pay to be profitable.


Welcome to the real world. It's twisted in exactly this, game-theoretical way.

In the case of ransomware, criminals are exploiting the very difficulty victims have in coordinating their actions. They depend on you paying instead of solving it yourself, educating others, or even simply calling the police. In other words, they profit directly off people's short-term, selfish thinking. The advice of defaulting to not paying is sound because if enough people follow it, the whole ransom stops being viable, which makes ransomware attacks stop coming.

The same, by the way, is the tried and true way of dealing with regular, meatspace, "I kidnapped your daughter" ransom cases.


> But your individual case isn't going to affect their behavior.

It isn't going to affect them much. But as anybody who runs a business knows, the difference between loss and profit generally hinges on a number of sensitive factors. Note, for example, that drug dealing pays so poorly that many drug dealers live with their moms:

http://articles.latimes.com/2005/apr/24/opinion/oe-dubner24

Refusing to pay on your own doesn't help other people much, but it still helps.


That's a convincing argument.


That assumes that other people even exist, and how do you know that? You could be in a computer simulation of some kind.


They don't need anyone to trust them and they have nothing to gain from decrypting your files.

They may be a 14 year old kid who ran some kit that somebody else made. If they collect $50 from 25 people, they will be stoked.

Or they may be a sophisticated criminal organization that wants to build long-term viability.

It's impossible to know which it is. But it is guaranteed that they are criminal and inherently untrustworthy. It is also guaranteed that any money you pay will finance the next wave of more sophisticated malware.

So, no, you cannot trust them to do good. You can trust them to do bad. Now, make your microeconomic choice.


That problem comes up with collective action all the time. Workers rights in developing countries for example... if all of the workers banded together to resist their employer's unfair treatment then... blah blah blah.. but in reality average people are awful at joining together to create a change that results in a greater good. When people are isolated and feel the impact of some injustice, they tend to give up fairly quickly without any thought given to what would be best for the greater good. That's my experience of life anyway. Rationality doesn't work very well in abstracted problems that involve reasoning about how you should suffer in this moment for the greater good of everyone suffering such moments. So the scammers are smart to make the cost of cooperating fairly low in a lot of cases. It's definitely easier to pay up than to try to make a federal case out of it. And honestly your inconvenience is not going to cause the wheels of law enforcement to spin fast to figure out which international gang is targeting you. If you don't pay you probably won't ever get anything back and law enforcement won't do anything about it. So really what's the point of personal heroics here other than rational arguments about what the right move would be from a game theoretic point of view? Just pay and move on.


This comment contains a policy suggestion. I want it to become law in the United States and elsewhere.

I can't quite use the word "literally" but I almost can so I'll do so anyway: if you pay a ransom, you are literally paying for your party to attack someone else. And you are actually literally (not metaphorically) funding their next attack.

Paying a ransom should be a criminal act that is twenty times worse than asking for one. It should be illegal for the exact same reason that possession of stolen goods is illegal.

On a microeconomic level it might make sense for you personally to buy stolen goods off the street: the existence of the laws making you a criminal if you do no longer makes this true.


If you drive a car you are literally contributing to global warming. If you pay taxes you are literally funding bombs and missiles. If you download big files you are literally taking bandwidth away from your neighbors.

Hyperbole does not a rational argument make.


You are not drawing any policy conclusions from your statements.

You state that "if you drive a car you are literally contributing to global warming" which implies the policy statement "if it is illegal to drive a car, contribution to global warming decreases" and use this to imply it's not a rational argument to make it illegal to drive cars.

To your great surprise, I will now state that it is actually already illegal to drive cars, and it actually does have the exact effect that you say is not a rational conclusion:

http://www.dmv.org/articles/what-to-do-if-your-car-fails-an-...

Today, today, it is literally illegal to drive a car....which doesn't meet EPA standards! As a direct effect, people do not buy and drive cars which fail emissions standards.

So, yes, the exact policy suggestion that you don't go quite as far as to argue for actually is being enforced and actually demonstrably has the exact effect that you (only imply) doesn't happen.

Since you don't even imply any policy conclusions for the other two points I can't address them, I have no idea why you would mention them.

(If the government made it illegal to collect or pay taxes, obviously its tax base would evaporate overnight, this goes without saying, nobody would illegally pay money to the government out of civic duty despite its now being illegal to do so.)


None of those are hyperbolic, they are just true facts. Understanding the macroeconomic demand you are participating in isn't hyperbolic.

Buying elephant tusks promotes the killing of elephants, regardless of where they came from because the demand you created supports a price in favor of bad actors as well.


Knowingly buying stolen goods is illegal because they are still not yours even if you 'bought' them.

Paying a ransom to get your own property back because it is yours is not even in the same ballpark.


we'll agree to disagree on whether it's in the same ballpark. I see the difference you point out, sure.


Anyone downvoting this should read Thomas Schelling's Strategy of Conflict. At one point in time in England it was punishable by death to pay ransom to pirates.


Yet the modern world decided to go back on that.

The principle being that you are not (as) responsible for what you do under duress.


The point of such a law is not to punish ransom payers but to make it so that they never are asked for ransom in the first place.


This is a good and important point. However is data ransom this kind of duress?

In a sense, paying a ransom is taking the law into your own hands -- rather than say to the FBI, "criminals have asked me for ransom" you are interacting with the criminals directly.

On a literal level you are literally transferring cold hard cash to them.

You make a good argument for why the policy suggestion I made is not a good idea, but I am not entirely convinced by it. As a rule it is not a good idea to engage in vigilante behavior.

Lawmakers and judges would have to use their discretion here and come up with quite nuanced laws.


Yes, it's duress. I'm sure you having 10 years of your life locked up in an encrypted vault would put a cramp in your style.

>transferring cold hard cash to them

So? If I go to the 7-11 and buy a soda, and the cashier has been skimming the till, I am transferring cold hard cash to a thief.

The difference you keep skipping over is mens rea and I suggest you read up on it before you sound more foolish than you already are.


That last sentence was really uncalled-for. I think you don't really understand that I was discussing an economic argument.

Regarding putting a cramp in your style - how about if a thief has stolen your phone with something valuable on it that isn't anywhere else, but you have an application that tells you where the phone is and you own a shotgun. Can you go and get your phone back by force if in your calculation it has a higher chance of actually solving your immediate problem than involving the police? Why or why not? It's your phone. The thief knows what he did. The thief knows that it's yours.

I am not saying that there is no argument on your side of letting people take care of issues directly with criminals (whether by force or transferring ransoms), but there are important arguments on the other side as well. It's certainly not so clear-cut that you can start ending with petty insults (and please check your reply to be substantive if you reply to this.)


But are the police or the FBI going to investigate your ransomware-locked computer when there are thousands of cases of this happening a year? The ransomware is usually running from a script. There is no guy wearing a ski mask on the other end watching the wallet. These groups aren't the same as a sketchy guy on the other side of town with your stolen laptop or phone, ready for the police to find him and recover your goods.

So what option does your average user have when confronted with a situation like this? They could call up the police and report it for statistics' sake, but the police aren't going to be able to fix the problem, nor would they really care (unless you're the mayor or some prominent politician). The bad guy is probably not in the same country and there's no way to identify them anyway. Maybe you could figure out the hacking group, but if you knew the actual identities then why aren't you working for Interpol already? Also maybe try using a site like the one in the link to check if the ransomware is compromised. But most likely, you just have to pay the ransom, get back your stuff, and learn an expensive lesson in how important regular backups, online and offline, can be.

You could just not pay it. The hacking group doesn't get their money but it's not like it cost much to run the attack in the first place. They will have someone's data out there that is much more valuable to the victim that will pay.

I compare this to leaving your bike unattended in a public place. Maybe you did a good job trying to lock it up but the thief hacksawed through your cheap lock. Or maybe you just left it unlocked. Either way, your bike is gone. Maybe buy a much stronger lock or two in the future. In this analogy, you aren't getting your bike back. You just have to spend the cash on a new one, expensive but hey, you need a bike to get to/do your job. You can report it stolen but unless there is some big bust and they find the guy, the thief is going to get away with it. Complaining that someone stole your bike isn't going to solve the issue. It sucks that the thief will profit off your loss but the data/bike is already gone. You aren't getting it back unless you drop the cash on a new bike/decryption key. The lesson is that you are going to either have to never ride a bike again (or use a computer, both unlikely) or you will have to use better security to prevent theft of your valuables.

Crime does pay, a lot. People get away with theft like this all the time and there's not much an individual can do except try harder in the future to defend themselves against theft in the future. Secure your computer better, run backups, don't do dumb stuff (like run unknown software or leave a bike unlocked).


You're wrong.

>The ransomware is usually running from a script. There is no guy wearing a ski mask on the other end watching the wallet.

Yes, there is a guy (a bad guy) wearing a ski mask on the other end. If you do this, then you're the bad guy. Then you're a criminal. Not in some abstract way or an analogy, you're actually nearly literally a "bad guy wearing a ski mask" and the reason bad guys do this is to hide their identity while they commit crime, steps which you if you do this also take. It's very black and white.

> These groups aren't the same as a sketchy guy on the other side of town with your stolen laptop or phone, ready for the police to find him and recover your goods.

Yes they are.

> They could call up the police and report it for statistics sake but the police aren't going to be able to fix the problem nor would they really care (unless you're the mayor or some prominent politician). The bad guy is probably not in the same country and there's no way to identify them anyway. Maybe you could figure out the hacking group but if you knew the actual identities then why aren't you working for Interpol already? Also maybe try using a site like in the link to check if the ransomware is compromised. But most likely, you just have to pay the ransom, get back your stuff, and learn an expensive lesson in how important regular backups, online and offline, can be.

This is a very "wild west" mentality - 'there is no rule of law anyway!'. But that isn't quite right, is it? In point of fact the FBI actually does run a site where you can get ransomware keys recovered, it was covered here on HN.

Let's actually look at the wild west. What is the wild west today - California. Can a criminal just walk up to someone who is unarmed and go rob them, like in the 'wild west' days? Do people have to duel with each other and so forth?

No. While there was a period of lawlessness (or at least films portray this) it gave way to the rule of law, which is normal and sane. (I could be completely wrong, I don't know any historical information about the wild west, I'm literally going on movies.) Californians walk around unarmed. It's not like in those movies, or in some kind of gang violence warzone.

I can't make extremely nuanced judgments and policy suggestions, I am just saying that you don't have to necessarily accept that there is "nothing that could be done." Laws exist for a reason. Moreover, it takes a high level of sophistication to write programs. If people are funding you to do that by simply meeting your request, you would start thinking of them like your clients (after all, they're paying you!!). If instead they turn you over to the FBI and Interpol, and write you an angry letter that you are a criminal gang member and wtf are you doing, are you really going to get up the next morning, crack open MSVC++ and think about creating your next crime?

I'm not saying this from the point of view of some trigger-happy district attorney. I'm telling you as one HN reader to another that they are way, way on the side of "bad guy in a ski mask"; it's not even close to being a judgment call. No, nothing separates them from going down to their local financial district wherever they're located and stealing someone's laptop. It's exactly the same.

> I compare this to leaving your bike unattended in a public place. Maybe you did a good job trying to lock it up but the thief hacksawed through your cheap lock. Or maybe you just left it unlocked.

First of all, I'd like to acknowledge that analogies including this one are incredibly useful in law when it comes time to make policy decisions, and sometimes can capture many real-world consequences. I don't want to sound like I have the answer to whether your way of thinking is correct or incorrect or what it is missing.

I would like you to consider a couple of effects: "crimes of opportunity" -- is there a difference (as someone else pointed out in this thread or another one) between leaving a laptop in the front seat of a car and locking it, and doing the same thing but throwing a coat over it? Clearly in terms of legal consequences there may not be much difference, if someone smashes open a car window and takes a laptop it's similar. But for the purposes of the analogy, you may want to consider "crimes of opportunity" in your thinking. My personal impression is that writing or using ransomware isn't nearly in the same boat - you don't accidentally use highly valuable programming skills to create ransomware; you don't accidentally take extremely sophisticated and detailed steps to hide from Interpol, the FBI, and others, and perform ransomware attacks, in a context in which most of the Internet is well agreed that governments are able to exercise certain deeply embedded back doors in many extraordinary cases -- what I mean is that the guy in the ski mask doesn't "happen to have" a ski mask on, they would have to take extraordinarily detailed steps to perform their crimes. It's a criminal thing.

>Crime does pay, a lot. People get away with theft like this all the time and there's not much an individual can do except try harder in the future to defend themselves against theft in the future. Secure your computer better, run backups, don't do dumb stuff (like run unknown software or leave a bike unlocked).

I don't understand why you don't also consider the role of law enforcement agencies and their actions. The Internet isn't exactly a lawless place. Law enforcement, which includes international cooperation among many governments (Interpol being one example of this), has sophisticated tools. These are undermined by any victims funding the crime.

I mentioned above the programmer firing up MSVC++ and writing their next ransomware project. Would you do it? Probably not.

But for many programmers, the calculus would change -- immensely -- if the question is, can a criminal get you to do it for $80,000. If you divide that by 1,000 victims, that is just $80. So the question is, "Would you do it for $80,000, given moftz's world view that you're not some guy in a ski mask, and there's no international law anyway" OR "Would you do it for $80,000, given that many of your users will refer you to international law enforcement, and send you angry letters about the kind of criminal scum that you're acting as, and your country and others will stop you and you will have to defend yourself criminally, because you are a criminal."

That is a different equation entirely. If we accept the worldview you argued for, this creates the former, very dangerous and wild-west, and horrific scenario -- if we accept the latter scenario, few programmers would be motivated to act so unethically.

It's our choice as people of the world what kind of world we want to live in. Absent rule of law, "might makes right", but that's why there are laws everywhere and most people aren't affected by them, until they get into the kind of criminal behavior that we're discussing now.

It's a very clear line. It's not even close to requiring any interpretation.

The suggestion that people need to "protect their stuff" -- when as a matter of the state of the art this is actually pretty much literally impossible -- muddies the issue.


I think the fear is that they would ask for more money and/or they'd repeat the ransom again later.


About prevention, there is something more that I am not sure has been mentioned: some tools are taking a new, broader approach to the problem, which is to constantly monitor for encrypted files and stop the associated processes, often limiting the loss to a few files. These are the links:

Cryptostalker https://github.com/unixist/cryptostalker

Ransomwhere (macOS) https://objective-see.com/products/ransomwhere.html

Some theoretical information on this approach:

http://www.cise.ufl.edu/~traynor/papers/scaife-icdcs16.pdf


In principle it's super easy to detect: encrypted files look like random data, and it's unlikely users would be replacing every file with random data on purpose. It's a never-ending war, though. If you got enough users to do this, the hackers would then switch to encryption that mimics what normal files look like to fool the detector.


Most users never start writing to all the files on their disk, why can't a rate limiter and warning kick in if that happens?
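As an added example (not code from Cryptostalker, Ransomwhere or the paper linked above), here is a minimal combination of the two heuristics raised in this thread: per-file Shannon entropy to spot encrypted output, and a per-process write-rate window so that a single high-entropy file such as a photo or a zip does not trip the detector on its own. The thresholds and the event log are constructed for illustration.

```python
import math
from collections import defaultdict, deque

# Assumed thresholds (constructed for this example, not taken from any real tool):
HIGH_ENTROPY = 7.2        # bits/byte; encrypted or compressed data sits near 8.0
WINDOW_SECONDS = 10.0     # look-back window per process
MIN_DISTINCT_FILES = 5    # a process must rewrite this many files in the window...
MIN_HIGH_FRACTION = 0.8   # ...and this share of its writes must look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= HIGH_ENTROPY


class WriteMonitor:
    """Sliding-window view of file writes per process.

    A process is flagged when, inside WINDOW_SECONDS, it has written to at least
    MIN_DISTINCT_FILES distinct paths and at least MIN_HIGH_FRACTION of those
    writes look encrypted. Ordinary programs rarely rewrite many files with
    random-looking content in a short burst; a file cryptor does exactly that.
    """

    def __init__(self):
        self.events = defaultdict(deque)  # pid -> deque of (ts, path, high_entropy)

    def record(self, pid: int, ts: float, path: str, content: bytes) -> str:
        """Register one write; return "suspend" if the process should be stopped."""
        dq = self.events[pid]
        dq.append((ts, path, looks_encrypted(content)))
        while dq and ts - dq[0][0] > WINDOW_SECONDS:
            dq.popleft()
        return self.verdict(pid)

    def verdict(self, pid: int) -> str:
        dq = self.events[pid]
        distinct = {path for _, path, _ in dq}
        if len(distinct) < MIN_DISTINCT_FILES:
            return "ok"
        high = sum(1 for _, _, h in dq if h)
        if high / len(dq) >= MIN_HIGH_FRACTION:
            return "suspend"   # a real tool would SIGSTOP the pid and alert the user
        return "ok"


def flagged_processes(events):
    """Replay (pid, ts, path, content) events; return the set of pids that were flagged."""
    mon = WriteMonitor()
    flagged = set()
    for pid, ts, path, content in events:
        if mon.record(pid, ts, path, content) == "suspend":
            flagged.add(pid)
    return flagged


# Constructed sample traffic. Bytes 0..255 repeated stands in for ciphertext:
# its entropy is exactly 8.0 bits/byte, so no real cipher is needed here.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"Quarterly report: revenue up 4%, costs flat, see attached table.\n" * 20

SAMPLE_EVENTS = (
    # pid 100: a text editor saving two documents -> too few files to matter
    [(100, 0.5, "/home/u/notes.txt", PLAINTEXT_LIKE),
     (100, 3.0, "/home/u/todo.txt", PLAINTEXT_LIKE)]
    # pid 200: a build tool touching many files, all plaintext -> ok
    + [(200, 1.0 + i * 0.1, f"/home/u/proj/out{i}.c", PLAINTEXT_LIKE) for i in range(8)]
    # pid 300: an archiver writing one big compressed file -> one file, ok
    + [(300, 2.0, "/home/u/backup.zip", CIPHERTEXT_LIKE)]
    # pid 400: a cryptor rewriting the user's documents with ciphertext within 2 seconds
    + [(400, 5.0 + i * 0.25, f"/home/u/docs/file{i}.docx", CIPHERTEXT_LIKE) for i in range(6)]
)

if __name__ == "__main__":
    print(sorted(flagged_processes(SAMPLE_EVENTS)))   # [400]
```

As the thread notes, a cryptor that shapes its output to look like ordinary data would pass the entropy test, so this is a layer on top of backups, not a substitute for them.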


Highly recommend Ransomwhere for MacOS users. It has actually stopped a ransomware attack on one of my work machines.


I've had plenty of people lose vital files on borked hard disks and pay thousands to get those files back via drive recovery firms. I've only had one person ask me about ransomed files whom I advised to pay the $400-ish demanded.

I told him that most of my clients pay 10x as much to learn how important backups are.

All data storage devices will fail. What will you do when yours does?


The worst place I have seen this is in scientific labs. Professors and graduate students are terrible about keeping backups, making data easy to understand to others, and maintaining data.

My old professor lost more than 2 years of work when one grad student in our lab had a car crash and his laptop was destroyed in the crash.


I've observed the same. It's baffling, and I don't understand why. Maybe they are in a nasty spot of workers who are non-techie but 100% reliant on tech?


The guy that made HaveIBeenPwned.com (which I'd urge everybody to use) has a solid free course on Ransomware essentials at: https://www.varonis.com/learn/introduction-to-ransomware/

It's not the ideal thing for people here on HN, but it's pretty much the ideal thing to send to your non/semi-technical boss or stakeholder at your company who isn't taking ransomware seriously.


Is there any case where versioned backups wouldn't completely solve a ransomware situation?

Assuming, of course, that the ransomware doesn't somehow spider out and compromise all your past backups as well. Let's assume your past backup versions are safe.


There's a new type of ransomware which threatens to release your files to the public if you don't pay. No amount of backups will help you there. :/


Ah, of course, obvious now that you said it.


Are the versioned backups physically separated from the infected machine? Otherwise what stops it from just encrypting your backup hard drives as well, every time you connect them?


Yes – good backups would be somewhat resistant to malicious tampering, so that old versions are not immediately lost no matter what happens on the source computer.


What about a versioned filesystem (like ZFS)?


If they had root access they could probably encrypt the whole drive, filesystem and all.


For protection, I put all my files I care about on Dropbox. Is that enough? It's enough for backup for most things, but I worry attackers would be smart enough to kill it and also the old revisions that Dropbox stores.


Dropbox has a help article on ransomware: https://www.dropbox.com/help/8408

For mass deletes that are cumbersome to recover using Dropbox's interface, that article mentions you can contact customer support to get assistance recovering from mass deletion events.


Great thank you.


That actually happened to me. Friends of mine run a business I did some low level setting up of IT and design work for. Recommended they use Dropbox for important data in a folder I shared with them. One day, I keep getting notifications from Dropbox. Temporarily disable it on my machine because it annoyed the heck out of me. A few hour later, I get the "I think we have a virus" call.

Turns out that me being annoyed means I now have a fully intact version of the data and nobody had to pay anything.


If enough people do that, then attackers will start attacking dropbox, as well.


Hence my question. They'll ransom my Dropbox but Dropbox keeps deleted files and old versions around, so I'd be safe unless they specifically target Dropbox and Dropbox can't mitigate it.


Last time I used Dropbox, you can always get deleted versions back. They might make it difficult though, spamming the log with a gazillion created/deleted files. And maybe there is actually a limitation of, say, 10 deleted versions of the same file path (that might make sense)... but I don't remember seeing any of those limitations last time I looked at it (which was a few years ago).

But if you are a concerned customer, why don't you just head over to their help pages and see what the features and limits regarding history and file deletion are?


If there are certain restrictions to how far you can go back, they will likely find a way around that. If it's 10 versions of the same file path, they'll overwrite each path with a different single-byte file 11 times.


Versions are kept for a month. I once had a few hundred versions of one file a while back.


I think there was at least one type out there that detected dropbox, encrypted those as well and deleted shadow copies.


I like the message but it ticked me off that the prevention methods they introduce (backup to cloud and/or use physical media) is coincidentally somewhat related to the sponsors: AWS and Barracuda.


Is using a VM to surf the web a reasonable answer? Are there any VMs (for my MBP for example) that are reasonably fast, don't take a lot of battery, and not clumsy?

Can't this be built into the OS so I don't actually have to do it?


Something like this is built into Android and iPhone. As all major desktop OSes are only good at protecting one user from another, mobile OSes run every application under its own user account. So a vulnerability in an image viewer would not give an attacker access to other apps' data. But the system is not perfect; for example, the kernel can still be attacked (and as we know a lot of vulnerabilities were found in Linux in recent years) and on Android the files on the sdcard partition are not protected at all.

But desktop OSes don't do anything at all to protect the user. They allow the user to run a program by just clicking a link in email or web browser and this program has full access to all their data as does the PDF viewer or Java plugin in a browser. The desktop operating systems still use security models from mainframe era.


> So vulnerability in an image viewer would not give an attacker access to other apps' data.

By having separate users per app, apps can't read each other's files by default. If one app has a vulnerability that can be used to acquire root, that app can read all files after disabling SELinux.


> If one app has a vulnerability that can be used to acquire root

To get root privileges you need to attack the kernel (or the application that has those privileges). Having a bug in an image viewer is not enough.

You can try to make obtaining root privileges more complicated only by reducing the attack surface, either by restricting the system calls each application is allowed to make or by redesigning the kernel so that less code is executed in ring 0 (microkernel architecture).

But recent vulnerabilities like Dirty COW or rowhammer could work even in this case.


There are indeed approaches by Microsoft to run some IE edge processes in micro VMs.

The hard part is figuring out how much communication to allow with the rest of the OS. Do you want to allow sites to set cookies? For every domain, or just for the target domain? If the latter, what happens with a cookie set after a redirect to a different domain? Do you want to allow downloads to reach the host OS?

The more secure you make things, the more usability suffers, so you have to think really hard about all such problems.


I see no problem with downloads. Saving a file can be implemented with a helper that has access to disk but doesn't have other permissions (like accessing the network). The path to save a file is chosen by a user.

The developers either care too much about compatibility with legacy software or just don't want to invest in implementing a more secure environment. Patching existing software seems to be much cheaper.


Qubes OS actually aims at this, if you're serious about security. Of course, there is absolutely no way to completely suppress any attack surface, but compartmentalization can help.


I suppose you could run a browser inside a Docker container and use X11 or VNC to display it on your desktop...


Remember if your backup solution is a USB drive, you actually need at least two USB drives, with at least one of them disconnected from your computer at all times. If you only have one, the virus will encrypt that one along with your computer. That needs to be spelled out, because people intuitively think backing up to a single USB drive is sufficient.


If you are willing to pay the ransomware demands who are you going to pay when your HDD fails? I'm not saying ransomware isn't a problem in itself but from a user's perspective it's indistinguishable from HDD failure and should be dealt with by using backups.


Ransomware can infect your backups too, though. HDD failures aren't contagious.


Ever heard about bitrot?


How can a ransomware infect my computer when I visit a website? This site claims it can happen. I understand how the attachment version works but not this one. I'm a security newb.


Some websites can use security vulnerabilities in different parts of the browser (rendering, image format parsers, Javascript, PDF, fonts, and everything else supported by the browser) to run code on your machine.


For a concrete example of what exploitation of a JS engine bug looks like, PlaidCTF2016 had a challenge that allowed people to run JS in a patched version of V8 that deliberately introduced a bug in array index checking, with the goal being to run x86 machine code.

The patch to v8: http://lpaste.net/317342

An exploit: https://gist.github.com/sroettger/d077d3907999aaa0f89d11d956...

While this bug was artificial, there were (and can still be) bugs with similar consequences in actual engines (see https://www.cvedetails.com/vulnerability-list/vendor_id-1224... or https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spidermonke... for historical examples).

While a bug in most of the components you mention is bad by itself, its impact is magnified by the presence of JavaScript, which allows an attacker to interleave calculations and interactions with the buggy components, bypassing many mitigations.


What if my browser does not run as root? Can I protect my files from ransomware by having a copy somewhere else on off-line storage?


I didn't see that on the site. Where does it say that? However, vulnerabilities do exist in browsers and that is how that could happen.


My mini Ask HN:

Do you trust makers of security software?


No, absolutely not. Even if their intentions are good, they still have shown some questionable competence, for example:

http://www.theregister.co.uk/2016/03/31/trend_micro_patches_...

http://www.pcworld.com/article/3020327/antivirus-software-co...


Not very much, no.

But in the context of ransomware, the advice presented here is game-theoretically sound (and proven by thousands of years of experience in dealing with criminals demanding ransom), so I do trust it.


Not the big ones that are well-known names in the PC market. There are quite a few shady security software vendors out there, and a handful of very competent ones that I trust if I have to.


Can you expand on that? Who are the good ones, and the bad ones?


The bad ones are typically well-known desktop antivirus scanners that try to score by showing you a high number of threats they allegedly defeated. If you look at those threats in detail, they turn out to be browser cookies, or bookmarks, or something similarly trivial.

Identifying good vendors and products is generally harder. I've heard good things about canary.tools and bromium, for example. Both explain what they do in terms that don't make a techie roll their eyes (too much at least): https://canary.tools/#how-it-works and https://www.bromium.com/advanced-endpoint-security/our-techn...

A good (but not exhaustive) test is to look at what the vendors promise. If they promise you full protection of your machine or network, you know they are full of shit. If they talk only about one aspect (identifying attackers, reducing the attack surface on a browser), things start to look better.


I've seen Halt and Catch Fire, so no.


I trust them not to be behind ransomware.

I don't trust them to make good quality software which works quietly and efficiently in my interest.

They basically sell a security theatre product where their motivations are to popup "PROTECTED BY ____" at all times so I don't forget it exists, and to look busy - typically by scanning the same files over and over even though they haven't changed in months - and to hook into everything to add more sales buzzwords to their product.


I do love to read their analyses on APTs and things like that, but other than that, no. There's not a single security software vendor that I trust.


Yup, I trust grsec.


OT question: is there no way to flag that bitcoin address in any way (so it gets locked / they cannot withdraw anything)?


The original purpose of Bitcoin was to create digital cash. It is possible to track the transaction history of funds in a bitcoin address, but there is currently no central authority who can blacklist/lock addresses, and most of the major participants in the bitcoin system (users, miners, exchange operators, darknet drug markets) are not interested in changing that.


Correct, there is no coordinated way to do that right now. Because the blockchain is public, we can tell if coins came from a known bad address or not, but there's no central repository that lists bad actors afaik and the reference client at least doesn't support refusing to trade coins that are "tainted" by a certain address.

I imagine the Bitcoin community would be pretty resistant to attempts to establish something like that, since a lot of the bitcoin ethos is based in distrust for centralized authorities.
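
To make the "we can tell if coins came from a known bad address" point concrete, here is an added example (mine, not from the thread) that walks a constructed transaction graph backwards from an address to see whether any of its ancestors is on a watch list. The graph, the address labels and the bad-address set are all made up; real chain data would come from a node or an indexer, and mixing services or CoinJoin deliberately blur exactly this kind of lineage, so a hit is a lead for an analyst, not proof.

```python
"""Ancestry-based taint check over a constructed transaction graph."""
from collections import deque

# Constructed sample graph: tx id -> (input addresses, output addresses).
# "coinbase" stands in for newly mined coins; "RANSOM" is the watch-listed address.
SAMPLE_TXS = {
    "tx1": (["coinbase"], ["A"]),
    "tx2": (["coinbase"], ["RANSOM"]),
    "tx3": (["RANSOM"], ["B", "C"]),
    "tx4": (["B"], ["D"]),
    "tx5": (["A"], ["E"]),
    "tx6": (["D", "E"], ["F"]),   # F is funded by both a clean and a tainted lineage
}


def build_ancestry(txs):
    """Map every output address to the set of input addresses that funded it."""
    funded_by = {}
    for inputs, outputs in txs.values():
        for out in outputs:
            funded_by.setdefault(out, set()).update(inputs)
    return funded_by


def taint_path(txs, address, bad_addresses):
    """Breadth-first walk from `address` back through its funding inputs.

    Returns the chain of addresses from the first watch-listed ancestor
    found down to `address`, or None if no ancestor is on the list.
    """
    funded_by = build_ancestry(txs)
    parent = {address: None}          # visited set doubling as path record
    queue = deque([address])
    while queue:
        cur = queue.popleft()
        if cur in bad_addresses:
            path = []
            while cur is not None:    # unwind parent links to build the path
                path.append(cur)
                cur = parent[cur]
            return path
        for src in funded_by.get(cur, ()):
            if src not in parent:
                parent[src] = cur
                queue.append(src)
    return None


def is_tainted(txs, address, bad_addresses):
    return taint_path(txs, address, bad_addresses) is not None


if __name__ == "__main__":
    print(taint_path(SAMPLE_TXS, "F", {"RANSOM"}))   # ['RANSOM', 'B', 'D', 'F']
    print(is_tainted(SAMPLE_TXS, "E", {"RANSOM"}))   # False
```

The walk is the same thing a blockchain-analytics vendor does at scale; what it cannot do is act on the result, which is the point the comment makes: refusing "tainted" coins would need wallets, exchanges or miners to agree on a list.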


The pro-active approach would be, actually ditch your current setup every 3 months. Like others have said, you shouldn't be keeping valuables around on your laptop.

Incidentally, this is (or used to be) the trial period for a copy of Windows.

Generally I find the data I care about is k in size, the terabytes I seem to accumulate are mostly garbage.

Given how large the size of drives of today are, and how small the data that means anything to any of us remains, the size of storage space and the almost effortless ability to replicate are the primary indication of ransomwares general irrelevance.


So a thought on why attackers make "flawed" ransomware. They want to get paid as soon as possible, and a target pays a potentially heavy opportunity cost for noncompliance (waiting for someone to break the rw). The opt-outs are already not going to be "customers", and the "customers" you do get would pay even if they were only going to be locked out for 3 months. You get no extra money for making unbreakable ransomware.

Edit: this may be similar economically to the Nigerian princes' aversion to English class.


How likely are you to be infected with ransomware if you run a rolling-release Linux distro and update almost daily?

I also use uBlock Origin, but I don't disable javascript for any websites.


Do Google Drive / Dropbox cloud backups help in this situation? Or do the encrypted versions propagate into the cloud and irreversibly overwrite the plaintext versions?


Google Drive keeps old versions of every file for 30 days. Enough time to recover the plaintext versions.


I recently had to help someone out, and the ransomware was smart enough to be able to mess with gDrive revisions :/


Not if it's versioned. If you're really afraid of that, just use time machine.

If this happened to me, I think I'd just buy a new SSD and restore from backup.


Dropbox seems to store previous versions of files.


I started writing about this but just a personal safeguard. Yesterday I dropped my phone by accident; it cracked and doesn't work anymore. But besides the monetary loss, everything was backed up from the day before, so no problem.


Hm. I first thought it was an effort to pool resources to repeal patent trolls.


Would a NAS like QNAP/Synology be sufficient, with proper maintenance (updates, antivirus scanning, credentials)? Trying to think of what I could be mindful of here.


Seems more like a way for the involved parties to collect data on new ransomware popping up on the web than a genuine effort to help victims.


I had no idea this was such a massive problem. How often are nefarious perps holding people's private data hostage?

Seems overblown.


It's a very big problem: Cryptolocker in 2013 was able to score its creators around $27 million. That was 3 years ago; it's a pretty dangerous and persistent threat.


This is a Windows phenomenon only right? I'd just restore from Time Machine and go along on my way.


What an incredibly uninformed comment. I'm a Mac guy through and through, but if you think that most Mac users use Time Machine or that no Windows users use backup software, you need to spend more time in the real world.


As if Windows or Linux don't have backup solutions?


I don't know of any Mac specific variants off the top of my head, but there is no reason why Mac would be immune to it.

And the "good" versions of these do things like encrypt or outright delete things like time machine before encrypting the rest.


You may remember an incident with Transmission recently. That was a bundled mac ransomware.

https://blog.malwarebytes.com/cybercrime/2016/03/first-mac-r...


That supposes that the backup is local, I have a time capsule (remote) and I also plug once every other day an external hard-drive for my time machine backups.



It's primarily a Windows thing, but it only happens because Windows is the most popular desktop OS. Mac users sound like a pretty good target though, so I'd expect to see more MacOS-targeted malware in the future.


I'm afraid to click the link. Anyone care to provide a tl;dr?


It's legit. Informational website about ransomware and what to do in case your device is affected. Apparently sponsored/endorsed/whatever by Europol, the Dutch Police, Kaspersky, Intel, AWS and Barracuda.


> It's legit. Informational website about ransomware and what to do in case your device is affected.

That's good to know, but the ransomware criminals probably have the skills, and they definitely have the incentive, to pwn that site.


If someone has a vulnerability that will break out of your web browser's sandbox, they're not going to waste it on this site.

And the ransomware that can be decrypted with this site is because of the author's incompetence. It's not hard to write secure ransomware, but they somehow failed very badly. Anyone should be able to easily protect this site.


so like, you just don't go to any websites ever? or what?


Why are you afraid to click the link?


> Why are you afraid to click the link?

Because ransomware criminals would probably love to take over that site and start distributing ransomware or other malware from it. And I have no way to judge how well that site's owners have protected it from that sort of attack. When I'm in doubt, I tend to err on the side of caution.


> Because ransomware criminals would probably love to take over that site

I assume most people reading the website would be those already infected.

The criminals are more likely to take over any other high traffic website and infect computers of clueless people who have never heard of ransomware.


Anytime you're in a similar dilemma just disable JavaScript. There are even plugins that allow you to do that with one click.


The better advice is imo to keep your browser up-to-date. JS exploits have become increasingly rare these days, mostly due to Chrome's excellent example of patching quickly and paying good money for exploits (e.g. Pwn2Own). JS 0days are imo far too valuable now to waste them on normal users. So no, disabling JS wouldn't make much sense if you have an evergreen browser. Disable Flash & Java and try to minimize downloads is the security advice I give nowadays. Also don't install anything unless you absolutely have to (there are plenty of good in-browser options for programs we used to install, e.g. for file conversion).


What do the JS 0days get used for nowadays?



JS is not the only attack surface in a browser. There have been exploitable bugs in image parsers, font renderers, etc. Tracking is possible without JS as well.

Maybe try lynx?


I'd assume Chrome is safer than Lynx these days, to be honest.

Not to mention the fact that using Lynx makes you unique enough for it to be a useful tracking indicator.


> Maybe try lynx?

Or just use VPS when surfing the web.


Or surf from a VM on your machine.

I used to do this on Linux, as I had copies of my Windows VM and I would just browse from the Windows box on another screen and then work from the Linux one on the main screen.


Yes! I meant VM. I was just setting up some VPS and mistyped it.


Or better still, NoScript blocks all JS by default and you only whitelist the sites you trust. Throw in Ghostery for cookies and you are reasonably good to go.


And make sure your browser is updated as well ^^


Looks like decryption for badly constructed ransomware.


It isn't just badly made ransomware; in some cases people have stolen the master key or the responsible party has released it. In other cases C&C servers have been seized and keys recovered that way.

Ransomware exists thanks to a fundamental mistake in the Unix (+Windows, +others) model that a process' rights to the filesystem automatically inherit from the user's rights. Imagine if all processes running under the same user shared the same address space!

There is absolutely no reason some random piece of code downloaded from the internet should have access to my home directory, let alone the rest of the filesystem, without my explicit authorization.

The future is macOS sandbox / linux cgroup by default for all processes.

The macOS solution of presenting the user a system-controlled open dialog that then grants access to the selected path outside the container is elegant and not too intrusive.

Taken a step further, it is obvious that CoW filesystems need to be standard and all activity taken by a process should be recorded in snapshots that get coalesced over time. If a rogue process does cause damage it should be possible to roll back just that process' most recent changes to the filesystem.


I'm really quite surprised that there are no big, used-by-default, user-facing sandboxing solutions for the major OSes out there.

With dynamic prompts akin to the firewall prompts familiar from Windows/Mac.

'The program "Chrome" wants to create the file "/home/username/.config/chrome/config". Allow "Chrome" to access [just this file / the directory ~/.config/chrome / the directory /home/username]'

'WARNING: The program "totally_legit_for_reals" wants to overwrite the file ~/.xinitrc. This is potentially dangerous. Allow access? -> Are you sure?'

'ALERT: the unknown program "xxx" has gained superuser privileges and wants to overwrite a critical system file System32/whatever.dll. This is very dangerous....'

Then again, non techie users usually ignore all those prompts and just click accept.

Just look at the mess that is Android permissions. Almost no one actually checks them or rejects apps that ask for way too much.

I'd still really like a kernel level protection mechanism that requires granting each executable the capabilities it requests, with dynamic prompts (in the Linux world there are SELinux, AppArmor and grsecurity, which are often cumbersome to use).


A more robust idea might be a versioned filesystem. Somebody hacks your browser, it overrides your files - no matter, you just roll back to yesterday's version. Of course, that'd require more disk space, but disk space is getting cheaper and most of it is used for content that is completely static (like games or photos or videos - not edited much unless you're a professional working with it). Also it probably would be a bit slower, but I think it can be solved.

I think there are a number of implementations of such things, but none mainstream enough.


>"WARNING... ALERT..."

Hell, I'm a technical user and after a couple of days running Comodo firewall (which does prompt in a similar way to your examples) I turned it off because I was sick of the prompts and just wanted to use my machine.


That is kind of what Qubes OS does, but for interaction between VMs (e.g. copying a file).


What you say is true, however I am afraid permissions are not the solution either. Look at the Android ecosystem - they have tons of permissions, but who actually looks at them? People just click "accept" 99.9% of the time. Same will be on desktop OSes. Granted, more granular permissions make Android somewhat safer - but it also makes many things harder to do. If you did this on desktop, users would scream and demand to make it "convenient" - which would lead to them clicking "accept" where they shouldn't.


Seems like there should be a sort of av layer looking for suspicious activity between the software and privileged calls.


The problem is it's very hard to distinguish legit from non-legit without asking the user. Users do a lot of stuff and malware can mimic any of it. And if you do ask the user, the malware can make the user answer yes - usually by means as simple as "The OS will be displaying a confirmation dialog, please click YES for this program to work". Yes, it won't work with 100% of people, but it's a game of numbers - it will work for a significant number of them.
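
What the "AV layer looking for suspicious activity" above would actually compute, as an added example of mine rather than anything from the thread or a product. It scores each process over a sliding time window on three behavioural signals that mass file encryption produces and ordinary editing does not: many writes in a short window, written content whose byte entropy is near the 8-bit maximum (ciphertext looks like that; documents and source do not), and renames that change the file extension. The event log is constructed; a real monitor would read from a filesystem filter driver, fanotify or an EDR agent. It alerts rather than blocks, which sidesteps the "user just clicks yes" problem but leaves the response to an operator.

```python
"""Behavioural ransomware heuristics over a constructed file-activity log."""
import math
import os
from collections import defaultdict

# Constructed events: (time_s, pid, op, path, detail)
# detail is the written bytes for "write" and the new path for "rename".
_HIGH_ENTROPY = bytes(range(256))   # stands in for a ciphertext block
SAMPLE_LOG = [
    (0.0, 100, "write", "/home/u/notes.txt", b"meeting notes for monday"),
    (30.0, 100, "write", "/home/u/notes.txt", b"meeting notes for tuesday"),
]
for i, name in enumerate(["a.docx", "b.docx", "c.xlsx", "d.pdf", "e.jpg"]):
    path = f"/home/u/docs/{name}"
    SAMPLE_LOG.append((10.0 + i * 0.5, 200, "write", path, _HIGH_ENTROPY))
    SAMPLE_LOG.append((10.0 + i * 0.5, 200, "rename", path, path + ".locked"))

WINDOW_S = 10.0          # sliding window length
MIN_EVENTS = 5           # how many suspicious events in one window trip the alert
ENTROPY_THRESHOLD = 7.5  # bits per byte; plain text sits far below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 8.0 is the maximum, typical of encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _changes_extension(old_path: str, new_path: str) -> bool:
    return os.path.splitext(old_path)[1] != os.path.splitext(new_path)[1]


def score_processes(log, window_s=WINDOW_S):
    """Return {pid: {writes, high_entropy_writes, ext_changes, flagged}}.

    Each count is the maximum seen in any window starting at one of the
    process' own events, so a burst is scored even if the process is
    otherwise quiet.
    """
    by_pid = defaultdict(list)
    for ev in sorted(log, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)

    report = {}
    for pid, events in by_pid.items():
        best = {"writes": 0, "high_entropy_writes": 0, "ext_changes": 0}
        for t0, *_ in events:
            window = [e for e in events if t0 <= e[0] < t0 + window_s]
            writes = [e for e in window if e[2] == "write"]
            counts = {
                "writes": len(writes),
                "high_entropy_writes": sum(
                    1 for e in writes if shannon_entropy(e[4]) >= ENTROPY_THRESHOLD),
                "ext_changes": sum(
                    1 for e in window if e[2] == "rename" and _changes_extension(e[3], e[4])),
            }
            for key in best:
                best[key] = max(best[key], counts[key])
        best["flagged"] = (best["high_entropy_writes"] >= MIN_EVENTS
                           or best["ext_changes"] >= MIN_EVENTS)
        report[pid] = best
    return report


def flagged_pids(log):
    return sorted(pid for pid, r in score_processes(log).items() if r["flagged"])


if __name__ == "__main__":
    for pid, r in score_processes(SAMPLE_LOG).items():
        print(pid, r)          # pid 200 is flagged, pid 100 is not
```

The entropy signal alone is not enough (archivers and image encoders also write high-entropy data), which is why the rename and burst signals are combined with it; tuning the thresholds against a baseline of the machine's normal activity is what keeps a monitor like this from becoming the nagging firewall prompt people turn off.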


> Imagine if all processes running under the same user shared the same address space!

I recall that's how it worked under windows 95/98 (and the older OS).


Nope, 95/98 and IIRC 3.11 are true multi-tasking systems, the processes do not share the RAM address space.

However, everything up to, but not including, Windows 2000 (and its predecessor Windows NT) suffers from ALL local users having effectively admin rights on the machines. Not only does the OS not support user permissions, but the underlying file system FAT32 also does not store UID/GID or anything, except the file flags "read only"/"system"/"hidden".

Only Windows NT and above (2000, XP, Vista, 7, 8, 10) are secured in this way. Caveat: NT, 2k and XP allowed installations on FAT32, which nullified many protections.


[flagged]


We detached this subthread from https://news.ycombinator.com/item?id=12832266 and marked it off-topic.


You do realise guns have uses other than shooting people, don't you? There's nothing remotely shocking or abhorrent about guns.


Police officers in the UK don't even carry guns! They do just fine without them.

Only special "firearms units" carry them.

While that's very unusual even in Europe, it goes to show that as long as not every idiot can buy a gun, things are just fine without such a deadly weapon.

That said, shooting at a range is immense fun. ;)


Yes I'm aware. I live in the UK. Guns are used for sport, pest control, shooting laptops, etc.


Most guns are designed to kill people. Very few guns are designed to disable laptops. GP's point would have been valid if he had said "typical and pathetic" or "cliched and unimaginative" rather than "shocking and abhorrent". b^)


Hmm, well to be honest, I wouldn't use my .45. I would probably use my Mossberg 590A Police edition 12 gauge.


Anyone else wants to do the static-site server-less dance with me? Or you rather keep playing cat and mouse on a broken Internet?

