Ransomware - how prevalent and how to deal with it

wil

Just how prevalent is Ransomware in the real world? Have you or your company ever affected.
Today a large Ransomware event has caused chaos in up to 25 NHS hospitals forcing mass cancellations of operations etc.
http://www.mirror.co.uk/news/uk-news/nhs-cyber-attack-live-updates-10409420

Recently heard a security bod on the business show (RTE) claiming it was relatively common and his company was regularly assisting companies inflicted with Ransomware.
It could be suggested he might be drumming up business but he said not.
There appears to be a degree of secrecy in admitting to let alone reporting cyber attacks, hacking, Ransomware etc.
Many companies are paying rather than face considerable data loss, embarrassment or expense of bringing in third party experts.
On the other hand there is no guarantee of decryption if you pay.

The onus is continually on companies to expend resources on an everchanging indeterminable threat, yet the biggest weakness is the organic source, doing what humans do, clicking, copying, opening, forgetting etc.
If it's not fully automated it's reliant on humans. If it's fully automated it's got to be perfect to avoid exploits. It's a neverending catchup.

So apart from the usual security essentials what would be recommended to prevent Ransomware attacks being an issue.?
Are they usually humanly introduced or are there many examples of it being introduced through unpatched exploits.
Just how vulnerable is Win 7 now MS is reducing support?

In the event of a Ransomware attack, what would be recommended?

liamo

Yes, we have experienced it first-hand. Luckily, we were prepared and detected it very quickly and recovered very quickly. We have since added another layer of protection.

There are mainly two "attack vectors"

1. An email with an attachment that a user opens
2. A website that a user visits that has been seeded with malware.

The email attack is, by far, the more prevalent and successful.

How do you prevent it?

• Keep O/S up to date.
• Keep applications (including browser plug-ins) up to date.
• Anti-phishing, spam, etc filters
• User training - NO, really don't open that attachment.
• Anti-ransomware software

.

How do you recover?

• Anti-ransomware software - to detect and stop it
• Backups - most important because you can't rely on anyone else

.

In the event of a ransomware infection?

• Pull the network cable from the PC/Laptop
• Pull the power from the PC.
• If it's a laptop press the power button until it powers off.
• Call someone who knows what they're doing.

Yes we see it daily (I work for a leading IR company).

The difference with what was discovered today is that it's using a vulnerability in SMB to spread as a worm throughout a network. It's the first time anybody has seen ransomware spread like this and it's seriously bad stuff. Telefonica Spain were telling users to shut down systems to stop it spreading.

As the above post states phishing is most common but web infections via exploit kits and driveby downloads are also out there.

Should also state we don't really deal with ransomware but about 1 in 2 phone calls we get are related to ransomware attacks. I explain how they can best deal with it but we've rarely taken on ransomware cases unless it's a serious outbreak such as hospitals or gov agencies.

Darren 83

The company I work for got hit with ransom ware. We got constant emails with pdf attachments knew straight away what it was but some one in head office opened it and it spread to our other shops. Lucky enough it was recoverable.

I was amazed how we where targets as we recieved phone calls and knew our names " oh we where talking to so and so and we need to do pc check" and picked days when this person was off.

It made me rethink my own pc back up plan probally a bit overkill.

zom

Deleted User wrote: »

It's the first time anybody has seen ransomware spread like this and it's seriously bad stuff.

Pretty terrifying isn't it? And if you have any XP / 2008 / Vista in your network you can't disable it unless you loose file / printer access.

PeterTheNinth

We've seen it on quite a few sites.. Some sites twice or more. It boils down to one thing, do you have proper backups. If you have proper backups, then you will be back up and running pretty quickly. If you haven't you are in real trouble.

wil

PeterTheNinth wrote: »

We've seen it on quite a few sites.. Some sites twice or more. It boils down to one thing, do you have proper backups. If you have proper backups, then you will be back up and running pretty quickly. If you haven't you are in real trouble.

And as you probably know, having backups is just half the solution.
Being able to restore them is the other.

By that I mean you don't always know a backup is good until you restore it.
Many places just assume that just because they are conducting backups in whatever format that everything is fine. Come the restore, either it doesn't, or crucial data wasn't included in the backup or there are corrupted bits etc.

Saw a case where an all singing backup system was never tested until a RAID failure. Corruptions in the RAID happened months before and propagated into the backups. Come the restore the only readable restore point was 3 months old.

Hotblack Desiato

Ouch. Yeah the only real way to test your backup strategy is to perform a bare metal restore and then instantly switch it into production. Nobody really does this.

Last week our CEO got a free gift - a USB key in the post with malware pre-loaded. Thankfully they had the sense to regard this as suspicious and swing it by the IT helpdesk.

We email everyone on a regular basis about dodgy emails, don't open attachments on sus emails and don't trust emails just because they appear to be from someone you know. We can't know how effective this is but can't not do it, either.

Much as I detest Windows our desktop and SMB teams are keeping them patched up to the latest level as soon as.

We're installing a sandboxing solution in the next couple of months, email attachments will be opened and executed and evaluated before they reach the inbox. The web will be dealt with with scans of downloads in the background, so as not to affect the browsing experience of the higher up people, who must not be inconvenienced in any way.

Of course this is really an arms race between the malware authors and the malware detectors, sandboxing is no use if the malware can detect it's running in a VM.

Deliverance XXV

Ransomware is only going to become more prevalant in the future because it is easy money. Having seen the attack first-hand - it is frighteningly quick in encrypting files. It can easily dominate a file server overnight.

As with above attack vectors come with email attachments, infected websites/website ads which gets through via drive by attacks and even via open RDP ports with no whitelisting on firewalls. I've seen the brute force attempts in the logs which was a little scary.

Somethings to add to help prevention and spread:

• Onsite and offsite backups. Preferably backup systems that have file level access to the file server but not vice-versa.
  
• Strong Windows passwords with appropriate password policies
  
• Staff training
  
• Strong email policies that look twice at email attachments
  
• Patched OS's, Abobe Reader/Flash/Java plugins, software applications and browsers.
  
• Up to date AV. Purchase anti-ransomware products if your budget allows it. This will monitor shared files for suspicious activity.
  
• Push web traffic through a proxy server to keep dodgy sites hard to access.
  
• Disable auto-run (better yet, disable disc drives/USB drives where absolutely not needed)
  
• No local administrator access for general users (this won't affect most ransomware varieties as they don't need it but it can help with other infections and stops users installing junk with crapware in the installers).
  
• IMO the most important - Least privilege access control on network shares. Apply read-only permissions unless ordered otherwise - No 'Everyone/Domain Users/Auth Users' permissions - use security groups with explicit users defined. Most ransomware varieties run under the account where the infection began so whatever access that user had access to will be a target. The new flavour from yesterday's outbreak seems to attack SMB vulnerabilities so there's a possibility that when it reaches the server running the SMB, it might be able to run as a system account.
  
• Actually the most important tip is to carry a golf club around with you - just to reinforce how serious this is for any users who click links and open email attachments on a whim.

Impetus

liamo wrote: »

• Anti-ransomware software

.

How can Anti-ransomware software be updated globally in a matter in minutes (having detected the malware). This malware attacked Asia first, then Europe, followed by the Americas = timezones.

Microsoft was up to speed in terms of protecting Windows 10 users in advance, for once. But users of other versions of the Windows platform appear to have been left to hang out and dry under the 70C/100% humidity of 'wannacry' & cie malware, depending on the version.

What about PCs in storage, offline, given out when needed, or PCs running older versions of Windows? This will be easily forgotten about in a few weeks time, unless the people behind it tweek the 'product' to change or delete the domain name 'kill switch'.

The insular media coverage in Ireland was dominated by the communist health system in Britain - and it is a tragedy that so many ill people were impacted. Why does a hospital need any 'internet of things' devices other than a patient entertainment system and VoIP phones at each bed, running on a separate internet connection. And why does a hospital, connected to the internet use software that is not covered by security and other updates from the developer.

The Portuguese police appear to have been on the ball alerting infrastructure services of the issue - unlike the EU or other nation states of the EU.

Impetus

wil wrote: »

And as you probably know, having backups is just half the solution.
Being able to restore them is the other.

By that I mean you don't always know a backup is good until you restore it.
Many places just assume that just because they are conducting backups in whatever format that everything is fine. Come the restore, either it doesn't, or crucial data wasn't included in the backup or there are corrupted bits etc.

Saw a case where an all singing backup system was never tested until a RAID failure. Corruptions in the RAID happened months before and propagated into the backups. Come the restore the only readable restore point was 3 months old.

While I don't have to deal with complex systems, it seems to me that

a) one needs multiple backups using different media - including cloud (ie storage in different geo locations)

b) A mirror front end system dealing with online transactions arriving over the internet and from client terminals in-house.

c) When everything seems good to go next day, copy the mirror front facing system data to the bible system, and have other backups of the bible to restore to previous versions in the event of you missing something deferred/delayed nasty.

liamo

Impetus wrote: »

How can Anti-ransomware software be updated globally in a matter in minutes (having detected the malware). This malware attacked Asia first, then Europe, followed by the Americas = timezones.

Anti-ransomware software doesn't need to be updated with viral signatures - although it does help. It works by also monitoring the PC for Ransomware-like behaviour. It caches file activity and, if it detects multiple encryption events, it halts the process behind it and rolls back the encrypted files to their original state.

Microsoft was up to speed in terms of protecting Windows 10 users in advance, for once. But users of other versions of the Windows platform appear to have been left to hang out and dry under the 70C/100% humidity of 'wannacry' & cie malware, depending on the version.ate.

Well, my Windows 7 PC in work was updated with KB4012212 on March 15th (as were all of our office PCs).

What about PCs in storage, offline, given out when needed, or PCs running older versions of Windows? This will be easily forgotten about in a few weeks time, unless the people behind it tweek the 'product' to change or delete the domain name 'kill switch'.

Well, that's an issue for the organisation and their admins. It holds true for all malware not just this particular instance.

Mr Chuckles

wil wrote: »

Just how prevalent is Ransomware in the real world? Have you or your company ever affected.
Today a large Ransomware event has caused chaos in up to 25 NHS hospitals forcing mass cancellations of operations etc.
http://www.mirror.co.uk/news/uk-news/nhs-cyber-attack-live-updates-10409420

Recently heard a security bod on the business show (RTE) claiming it was relatively common and his company was regularly assisting companies inflicted with Ransomware.
It could be suggested he might be drumming up business but he said not.
There appears to be a degree of secrecy in admitting to let alone reporting cyber attacks, hacking, Ransomware etc.
Many companies are paying rather than face considerable data loss, embarrassment or expense of bringing in third party experts.
On the other hand there is no guarantee of decryption if you pay.

The onus is continually on companies to expend resources on an everchanging indeterminable threat, yet the biggest weakness is the organic source, doing what humans do, clicking, copying, opening, forgetting etc.
If it's not fully automated it's reliant on humans. If it's fully automated it's got to be perfect to avoid exploits. It's a neverending catchup.

So apart from the usual security essentials what would be recommended to prevent Ransomware attacks being an issue.?
Are they usually humanly introduced or are there many examples of it being introduced through unpatched exploits.
Just how vulnerable is Win 7 now MS is reducing support?

In the event of a Ransomware attack, what would be recommended?

It's quite prevalent, DIT and Beaumont Hospital were badly hit recently. Patching is all well and good, but I have seen a zero day exploit, which was a "drive by". Yahoo had ads in their webmail, which were compromised. When a user opened an ad, the payload was installed on their PC. Ransonwareware is a matter of when it happens rather than if. If you care about your data, don't leave it on file shares. Secure it in an ERP or document management system.

My tips are.

-On Windows server use FSRM to detect the files and notify people.
-Users should not use the company internet for personal use. Install a public hotspot, separate from the company network, for personal devices.
-Route mail through an external vendor such as Office 365/EOP, or mimecast.

zom

Mr Chuckles wrote: »

-Route mail through an external vendor such as Office 365/EOP, or mimecast.

Could you guarantee it's 100% safe ?

ED E

Hotblack Desiato wrote: »

Last week our CEO got a free gift - a USB key in the post with malware pre-loaded. Thankfully they had the sense to regard this as suspicious and swing it by the IT helpdesk.

Ohh that is so very very stuxnet. Clever buggers.

Mr Chuckles

zom wrote: »

Mr Chuckles wrote: »

-Route mail through an external vendor such as Office 365/EOP, or mimecast.

Could you guarantee it's 100% safe ?

No, it's a matter of minimizing the risk. User "computer use policies", play a part. If users are accessing Eircom mail or yahoo webmail, for personal use, then it is putting company data at risk. The approach I take is to prepare for when it happens rather than if, so look at how important the data is.

zom

All the story finished faster than it happen which is weird. Accidentally found "kill switch" stopped virus from further spreading just in time to save millions of Windows computers in USA:

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

Seems like UK have real hacking elite there who can find solution hundreds of virus experts from Russian couldn't (and Russia being mostly affected by this attack). 22-year old self-taught Brit did better than all Russia / China crowd. And to be clear - this is not first attack on Russians systems - there was similar attack at the and of last year so surely they are aware.

Anyway - Microsoft agreed to issue fix for old not supported systems like WinXP so there is nothing to worry about. We are covered - by Bill Gates and 22-year old hacker genius from UK:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

wil

zom wrote: »

All the story finished faster than it happen which is weird. Accidentally found "kill switch" stopped virus from further spreading just in time to save millions of Windows computers in USA:

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

Seems like UK have real hacking elite there who can find solution hundreds of virus experts from Russian couldn't (and Russia being mostly affected by this attack). 22-year old self-taught Brit did better than all Russia / China crowd. And to be clear - this is not first attack on Russians systems - there was similar attack at the and of last year so surely they are aware.

Anyway - Microsoft agreed to issue fix for old not supported systems like WinXP so there is nothing to worry about. We are covered - by Bill Gates and 22-year old hacker genius from UK:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

This was just a test run. You can be sure there will be more and varied attacks now this had such an affect. These guys never get bored,
I'd say many of these hackers drop in and out of government agencies depending on their bail conditions.

Impetus

According to an English magazine called "The Economist (newspaper)" it was not the registration of the xyz domain by a security person that stopped WannaCry (as a kill switch). The code included in the worm was to detect if it was in a sandbox - eg being examined forensically. In a sandbox it would have no access to the internet, and would close up shop to prevent further examination of the malware. Hence the malware kept pinging this unregistered domain to make sure it was alive in a real PC.

Of course there is nothing to stop forensic sandboxes from delivering fake ping responses to malware under examination in future.

Bacchus

Impetus wrote: »

According to an English magazine called "The Economist (newspaper)" it was not the registration of the xyz domain by a security person that stopped WannaCry (as a kill switch). The code included in the worm was to detect if it was in a sandbox - eg being examined forensically. In a sandbox it would have no access to the internet, and would close up shop to prevent further examination of the malware. Hence the malware kept pinging this unregistered domain to make sure it was alive in a real PC.

Of course there is nothing to stop forensic sandboxes from delivering fake ping responses to malware under examination in future.

Any links to this theory aside from the subscription paying Economist. How does a sandboxed instance of WannaCry (with no Internet access) halt the spread of all the other millions of instances of it?


Interesting read from Schneier btw on where ransomware is heading... https://www.schneier.com/blog/archives/2017/05/the_future_of_r.html

kkontour

Bacchus wrote: »

How does a sandboxed instance of WannaCry (with no Internet access) halt the spread of all the other millions of instances of it?
........

My understanding is wannacry would check for the existence on the non-valid webserver and if it got no response it would continue the encryption process.
In general,a sandbox environment would detect the web request and respond, even to non existent domains, thus the malware author used this as a simple method to detect the sandbox,
no response to domain= real PC,
response = sandbox.
When MalwareTech registered the domain and created the website all malware infections assumed it was in a sandbox and so halted the encryption process.

ItHurtsWhenIP

kkontour wrote: »

My understanding is wannacry would check for the existence on the non-valid webserver and if it got no response it would continue the encryption process.
In general,a sandbox environment would detect the web request and respond, even to non existent domains, thus the malware author used this as a simple method to detect the sandbox,
no response to domain= real PC,
response = sandbox.
When MalwareTech registered the domain and created the website all malware infections assumed it was in a sandbox and so halted the encryption process.

That is my understanding too.

I wouldn't trust any "tech" journalist, particularly of a paper that would appear to be about economics, to report properly on an infosec incident of this nature. Most of the reportage on WannaCry has been hideously inaccurate and hyperbolic from such "tech" journalists.

Bacchus

kkontour wrote: »

My understanding is wannacry would check for the existence on the non-valid webserver and if it got no response it would continue the encryption process.
In general,a sandbox environment would detect the web request and respond, even to non existent domains, thus the malware author used this as a simple method to detect the sandbox,
no response to domain= real PC,
response = sandbox.
When MalwareTech registered the domain and created the website all malware infections assumed it was in a sandbox and so halted the encryption process.

So it WAS the registration of the domain that acted as a kill switch as has been the story from start. The whole sandbox testing is besides the point really which brings me back to what exactly The Economist is suggesting happened if it WASN'T the registration of the domain that killed the spread of WannaCry. Unfortunately, I can't see (or find) the article so only have Impetus's insight to go on.

Darren 83

Out of curiostity how many think there system would be safe against a ransom attack and what steps have you took to do so?

nate.drake

Darren 83 wrote: »

Out of curiostity how many think there system would be safe against a ransom attack and what steps have you took to do so?

1. Use Linux
2. Run updates as soon as they become available.
3. Keep regular backups.

I thank you!

Update : I should clarify that I don't mean this will protect my system from all types of ransomware but if you're keeping regular backups you can simply roll your system back to a point before the problem occurred.

Darren 83

I have Bitdefender and Malwarbytes If that fails to block any ransomwere.

My back up is

4tb hard drive: kept in my safe has all the files folders and disk images stored, only took out when doing a back up

2tb hdd: All files and a few images kept at parents

2 x1tb hdd same as above but kept at work/home, all enprypted swap these around each week.

Also upgraded my ssd so keep a updated clone every 3 months so can swap out if needed.

nate.drake

Bacchus wrote: »

So it WAS the registration of the domain that acted as a kill switch as has been the story from start. The whole sandbox testing is besides the point really which brings me back to what exactly The Economist is suggesting happened if it WASN'T the registration of the domain that killed the spread of WannaCry. Unfortunately, I can't see (or find) the article so only have Impetus's insight to go on.

Do you mean MalwareTech's own blog entry on this?

To quote the man himself:

The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.
In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as it it were registered (which should never happen).


I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registartion of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and and further ransoming of computers infected with this malware.



Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.


One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly importiant that any unpatched systems are patched as quickly as possible.

Bacchus

nate.drake wrote: »

Do you mean MalwareTech's own blog entry on this?

To quote the man himself:

Not knowing what article the other posters were referring too, I cannot confirm nor deny if that's the article being referred to.

On that quoted piece though, that reasoning is perfectly fine and in line with my understanding (and kkontours explanation). Of course an attacker could remove (or change) the domain check and launch another attack.

What I don't see clarified is the suggestion from the poster below (via an apparent article in The Economist) that the domain registration was not what killed WannaCry. The explanation of why the domain checking was happening (to detect being sandboxed) is fine but it was still the registration of the domain that stopped WannaCry.

nate.drake

Bacchus wrote: »

Not knowing what article the other posters were referring too, I cannot confirm nor deny if that's the article being referred to.

On that quoted piece though, that reasoning is perfectly fine and in line with my understanding (and kkontours explanation). Of course an attacker could remove (or change) the domain check and launch another attack.

What I don't see clarified is the suggestion from the poster below (via an apparent article in The Economist) that the domain registration was not what killed WannaCry. The explanation of why the domain checking was happening (to detect being sandboxed) is fine but it was still the registration of the domain that stopped WannaCry.

A very good point Bacchus - I think part of the problem is our very human knack of ascribing names (and sometimes pictures) to malware, while ignoring the fact, as you've pointed out, that any bedroom programmer could create a version of this without the domain name check.

Registering the domain certainly stopped that particular incarnation of Wannacry. If someone releases a new version, while the code will be virtually identical, no doubt we'll give it a new name ('needtolaugh'? :-D) then talk about how we stopped that one too...!

Hotblack Desiato

Darren 83 wrote: »

Out of curiostity how many think there system would be safe against a ransom attack and what steps have you took to do so?

The only real defence is to have a robust off-line backup strategy and practice regular restores from those backups. If it's not malware that gets you then sooner or later it'll be hardware failures or sysadmin screwups.

rgmartin91

Yet another major attack that is rippling across the world - is this going to become a regular now?

http://www.newstalk.com/Irishbased-firms-hit-by-latest-ransomware-cyberattack


If anyone is any doubt as to just how prevalent hacking has become, check this out. It's a live stream of cyber attacks as they happen :eek:

https://brandon.global/cyber-attacks-live#cybersecurity