15 Jul Ransomware Attacks – Harsh Lessons & Surprising Insights
In the wake of the recent WannaCry and Petya-variants ransomware attacks around the world, including the earlier high-profile CryptoLocker, both victims and security researchers are learning valuable lessons about data protection and malware techniques.
Unpatched software
Security vulnerabilities existing in old or outdated client software creates entry points in systems, especially when combined with spear phishing attacks or drive-by-downloads.
Explainer: How malware spreads via vulnerable software
While a “phishing” attack tries to capture usernames and passwords by impersonating a legitimate login form, a “spear phishing” attack attempts to directly target specific employees (often addressing their real name) and tricking them into opening malicious documents disguised as a business document. A specially crafted document can exploit bugs in the software to cause arbitrary code to be executed, either contained within the document or downloaded from the internet.
A drive-by-download attack uses either a specially crafted image file or JavaScript code to exploit bugs in the web browser causing arbitrary code to be executed. Frighteningly, you don’t even need to click on download links if your browser is exploitable, since the malicious image or JavaScript is displayed automatically. Even on otherwise legitimate websites compromised advertising could lead to drive-by-download attacks. Of course, keeping your system and browser up to date can help to reduce the likelihood of these attacks.
Commonly exploited software includes Adobe Reader, Adobe Flash Player, Microsoft Office, Oracle’s Java. According to research by Flexera, “…approximately 50% of average PC users run unpatched, vulnerable versions of the top 4 installed applications.”
Non-patchable systems – End of Life!
The WannaCry malware exploited a Windows vulnerability which has been named, “ETERNALBLUE”. This vulnerability and tools exploiting it came out of a release of hacking tools used by the NSA which has been leaked and released by a hacking group called The Shadow Brokers. While Microsoft did release a patch in March 2017, for the vulnerability that EternalBlue exploits, patches for older Windows versions weren’t made available, but were – and are – still being used, particularly in enterprise and hospitals. In response to the WannaCry attacks, Microsoft offered emergency patches for the software bug for Windows XP and Server 2003 and older Windows 7 and 8 versions.
While Microsoft released a patch for EOL Windows versions, this is not a common practice of course, and remaining on unsupported systems just increases the likelihood of being attacked.
Malware is using legitimate tools to spread
Petya and its variants spread within networks by leveraging Windows diagnostic tools like Windows Management Instrumentation and PsExec. Once a single computer within a network is infected, Petya could spread to other, even patched, computers within the organisation. The redeeming caveat here is that disabling access to these tools via system policies or user access could prevent its spread. If WMI or PsExec is allowed to run, Nyetya (a Petya variant) has been observed using techniques based on open source tool Mimikatz to retrieve user credentials according to Talos Intelligence.
Hijacking software update mechanisms
One interesting technique Petya used to spread around the internet initially was via an update mechanism for a popular accounting package used by Ukrainian businesses. Matthew Green, professor of computer science at John Hopkins University points out that the Ukrainian accounting software in question, MeDoc, didn’t implement any mechanisms to prevent their software updates from being hijacked. If an attacker could intercept software updates via network traffic, the update package would contain malicious software instead. A basic way to prevent this is to cryptographically sign the update packages so that any corruptions can be detected and the system wouldn’t install the bad update.
Backup (And test it!)
According to research by Carbonite and The Ponemon Institute, around 48% of infected companies surveyed paid the ransom, while 42% of victims were able to recover from the infection without paying the demand. Without regular backups in place, businesses are left to either pay the ransom or suffer the reputational and financial consequences due to loss of data and operational downtime. Paying the ransom is akin to giving in to the terrorists, which can have the effect of further encouraging such behaviour or funding other crime. With complete backups available, a business would only need to be down for as long as a restore from backup would take. A popular backup rule is “3-2-1”:
- 3 copies of all important data
- 2 backups in different formats each (and from the original data).
- 1 backup should be off-site.
As well as performing the backups regularly, they also should be tested. Some reasons include:
- The backup media physically breaking down with age
- Files missed in the original backup
- Valid backups but no software to read them anymore.
- The actual data files can’t read by current software.
Staff Training
One the most important factors in information and corporate security is the individual user. Staff should be trained to recognise potential threats such as malicious email attachments or USB memory devices not from a reputable source. Even if proper security restrictions are in place to prevent email attachments or file downloads, support staff could be compelled to lift such restrictions, rendering them rather ineffective. Policies should be enacted to limit such occurrences.
It would be a good idea to have a plan for recovering from ransomware and limiting its spread once detected.
Need help developing a layered protection approach? Contact CT4 for Malware protection and security services assistance. CT4 have the experience and technical knowledge to help protect your business from these and other threats using cloud technology.