Kevin James - The IT Control Specialists

    A Bold New Threat: Network Ransomware

    “During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system several tools were used to find, encrypt, and delete the original files as well as any backups.

    These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the encryption of the files, a ransom note appears, demanding a payment in Bitcoins to retrieve the files. By separating particular functions from the ransomware binary, executing certain actions using free available tools and scripts, the adversaries tried to avoid detection as much as possible. This is unlike most ransomware cases that spread wherever possible. Targeted ransomware attacks have arrived.”

    Intel Security – Feb 2016 (Read the full report here)

    Understanding the Dangers of Cybercrime

    An increasing number of businesses, especially those in the Healthcare and Finance industries, are being targeted by a sophisticated new criminal threat. The stated motives for these breaches are so-called injustices, but they are more likely part of a growing trend in which attackers try to quantify how much data is actually worth.

    When these attacks first started, the price to unlock a single system was set at 1 Bitcoin per system (£296.54 today); later attacks began charging 1.5 Bitcoin (£444.86) to unlock systems and even began offering bulk prices, releasing all keys for 22 Bitcoin (£6520.41). Craig Williams, Sr. Technical Leader / Security Outreach Manager at Cisco Talos, told Ars Technica UK that he believed the attackers were testing to see what the market would bear for ransom demands.

    The idea behind the attacks seems to be a low-risk approach (where it is extremely difficult to trace the origin) with extremely high yield in terms of payoff. Many companies have some form of insurance in place for such an event, and so these criminals feel that what they are doing is essentially a victimless crime.

    Another speculation is that these attacks are just a distraction. While the attackers deliberately trigger a flood of anti-virus alerts in one area, diverting the attention of security or monitoring staff, they are able to take all the information from another area undetected and untraced. While unproven, this may be relevant as ‘leaks’ are becoming increasingly common. It is not yet clear where recent developments such as the Panama Papers scandal originated, but attacks such as this may have played a role. Indeed, these types of attack may have less immediate effect than wipe attacks, as seen at Sony, but could have far more damaging results in the longer term.

    “People think of the Hollywood version of the hacker groups somewhere in a dark room devising these really innovative and creative kinds of techniques. The reality is that most of the attack vectors are administrative vulnerabilities that creative and talented people have discovered over time, but they weren’t the work of some evil mastermind somewhere in a basement. The amount of software going into everything—including the Internet of Things, which is a booming marketplace—is just proliferating these vulnerabilities globally.”

    Getting Technical: SamSam: How it Works

    The attacks generally looked like this: first, a JBoss server is exploited using JexBoss, a tool developed for penetration testing. JexBoss can be used to scan for vulnerable sites, testing to see if the JMX management interface is accessible from the Internet. Specifically, it tests for whether the JMX console, Web console, and HTTP invoker interfaces have been left open. Properly configured, JMX should be limited to access from the local network, but the default installation of JBoss leaves the JMX interface exposed. Securing them then becomes an exercise for the system administrator. When vulnerable servers are found, JexBoss can use the exposed interfaces to install a remote shell on the targeted system—giving the attacker what amounts to an administrative level command prompt. JexBoss works on JBoss servers using any operating system, but the Samsam attackers were seeking JBoss installations running on Windows networks. And while the initial compromise of the servers was fairly push-button, much of what followed was manual Windows administration grunt work.

    In the next phase of their campaign against each victim, the Samsam attackers issued remote commands to download and install a number of utilities. There was some variation, but based on Cisco Talos and Dell SecureWorks, these tools generally included:

    – ReGeorg, a Python-based SOCKS proxy (which, in turn, probably meant installing Python).
    – Mimikatz, a tool for sniffing Windows login credentials from the server’s memory.
    – The Hyena network scanning tool, a commercial administrative tool that has an interface similar to Microsoft’s “File Explorer” and management console tools. Running Hyena would have required a Remote Desktop Protocol (RDP) session.
    – PsExec, a remote control tool that allows sets of commands to be executed across multiple target computers simultaneously.
    – A collection of Visual Basic and batch scripts used to deliver the malware.

    Then came the reconnaissance. With the compromised server now essentially a window to the entire network of the victim, the attackers used captured administrative credentials to explore the networks and choose their targets for infection with Samsam. “In the customers we dealt with, it wasn’t a 100 percent infection of all systems,” Carvey said. “The best we could get for a number from one of our clients was ‘several of our 200 servers.’ Another client said 135 systems, and another said 143 systems—out of a significantly larger number of total endpoints in their infrastructure.” Carvey said he didn’t know exactly why those systems were targeted and not others. Carvey suggests it could have been that there were certain files found on the systems attackers ultimately went after. One thing is clear from how the attack played out at MedStar—the attackers went after servers, including domain servers. At a transportation company that called SecureWorks’ incident response team in, administrators discovered there was a problem only after they could no longer remotely administer some of the organization’s key servers.

    When the malware was finally deployed, it was done quickly. In some cases, it was installed via the PsExec tool, launching scripts to remotely install and activate the Samsam malware. “What we’ve seen is the use of simple VB scripts and batch files, all of which have been left behind,” Carvey said. There’s also evidence that in some cases the attackers made RDP connections to systems from the compromised server to install the malware, Carvey added.


    The above extract was taken from Ars Technica UK, Apr 09, 2016.
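    The extract above describes a tool chain that leaves ordinary Windows telemetry behind: a PsExec-style service install on each target, RDP logons fanning out from the one compromised server, and batch or VB scripts launched to drop the malware. The following detection sketch is an added example written for this page, not code from the original post or from Cisco Talos or Dell SecureWorks. It runs three simple rules over a handful of constructed event records whose field names mirror Windows event IDs 7045 (service installed), 4624 (logon, type 10 = RemoteInteractive/RDP) and 4688 (process creation); the host names, IP address and threshold values are assumptions made up for the example.

```python
"""Added example: flag the lateral-movement pattern described in the
Ars Technica extract (PsExec service installs, RDP fan-out from one host,
script-driven deployment) over constructed Windows event records."""

from collections import defaultdict

# Constructed sample records (not real telemetry). One dict per event.
SAMPLE_EVENTS = [
    {"host": "FILESRV01", "id": 4624, "logon_type": 10, "src_ip": "10.0.5.20", "user": "CORP\\svc_admin"},
    {"host": "FILESRV01", "id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "FILESRV01", "id": 4688, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c deploy.bat"},
    {"host": "DC01", "id": 4624, "logon_type": 10, "src_ip": "10.0.5.20", "user": "CORP\\svc_admin"},
    {"host": "DC01", "id": 4688, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe run.vbs"},
    {"host": "APP03", "id": 4624, "logon_type": 10, "src_ip": "10.0.5.20", "user": "CORP\\svc_admin"},
    # Benign activity on a workstation, included so the rules have something to ignore.
    {"host": "WKS17", "id": 4624, "logon_type": 2, "src_ip": "-", "user": "CORP\\alice"},
    {"host": "WKS17", "id": 4688, "image": "C:\\Program Files\\Office\\winword.exe", "cmdline": "winword.exe report.docx"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}   # interpreters for VB/batch scripts
SCRIPT_EXTS = (".bat", ".cmd", ".vbs")
RDP_LOGON_TYPE = 10            # RemoteInteractive (RDP) in event 4624
RDP_FANOUT_THRESHOLD = 3       # assumption: distinct hosts reached over RDP from one source


def detect_lateral_movement(events):
    """Return a list of (rule, subject) alerts for the tool chain in the extract.

    rule 1: a service named PSEXESVC was installed (PsExec remote execution)
    rule 2: a script interpreter launched a .bat/.cmd/.vbs file
    rule 3: one source address opened RDP sessions to several hosts
    """
    alerts = []
    rdp_targets = defaultdict(set)   # src_ip -> hosts it logged on to over RDP

    for e in events:
        if e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC":
            alerts.append(("psexec_service_install", e["host"]))
        elif e["id"] == 4688:
            exe = e["image"].rsplit("\\", 1)[-1].lower()
            if exe in SCRIPT_HOSTS and e["cmdline"].lower().endswith(SCRIPT_EXTS):
                alerts.append(("script_launch", e["host"]))
        elif e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            rdp_targets[e["src_ip"]].add(e["host"])

    # Fan-out is a property of the whole window, so it is evaluated after the pass.
    for src_ip, hosts in rdp_targets.items():
        if len(hosts) >= RDP_FANOUT_THRESHOLD:
            alerts.append(("rdp_fanout", src_ip))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{rule:<24} {subject}")
```

    Each rule on its own is noisy in an environment that uses PsExec and RDP for legitimate administration; the point of the extract is that all three appeared together, from the same source, within a short window, which is the correlation worth alerting on.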

    Grasping the Issue: Why this could be very bad

    Today, there are over 5 Billion devices connected to the IoT or ‘Internet of Things’. This includes phones, cameras and recording devices, not to mention biometric scanners, locks and other security devices. In the past, a virus infection meant compromising a single device. Today, compromising a network provides access to the full range of devices and software held on that network.


    Just ask yourself: how much would you pay to have your phone unlocked, or for access to CRM tools such as Salesforce, or even to your website? How about being able to turn your car on, or being able to get into your house? With more and more factors vital to business and life in general offloaded to the cloud (digital keycards, accounting software, operational software and reliance on websites), the danger increases. This issue is not being properly addressed because the only solution, not holding all of these devices and locations on one network, makes life very complicated and very expensive.

    It also means admitting that the administrative tools built into Windows are the main means of exploiting Windows systems. This would not only be devastating to the company, but might also demonstrate once and for all that Windows has areas which are simply too exposed to be readily effective in the world of tomorrow.

    Equally damaging is the admission that open-source software designed to exploit Windows security is out there and available for anyone to get their hands on.


    Solution: Lockdown Security Updates

    The big question now is how to prevent this, and how to stop it. Today, the law has not yet caught up with data protection in the modern age. However, with a raft of legislation about to be passed, businesses that have their data stolen will be vulnerable to prosecution for not taking the required steps to fully secure the data and protect their clients.


    Essentially, IT protection strategies will become a part of business continuity, where a company must recover from this increasingly likely threat quickly, undamaged and without exposure to future data theft or business damage.

    The tools to make these things happen already exist, and for the most part are being deployed successfully around the world. In this sense, the best-protected organisations are small to medium sized businesses who outsource their IT to a managed services provider with network administration software. As standard, many of these providers already own the tools required to halt and recover from these attacks.

    These tools include:

    Endpoint Security and Monitoring Software: A solution which deploys an agent to sit on machines to monitor and report on activity or issues. This solution can recognise faults instantly and detect attacks before they can do any damage. Administrators can block specific users in real-time and track activity to ensure all data is protected, or tracked if removed from the system.

    Virtualized Servers, Regular Snapshotting, and Enterprise Data Backup Plan: These tools, properly configured, make it relatively easy for administrators to access systems via a secured back-door, utilise restore points, halt all manner of brute force attacks and have a plan in place to ensure valuable data has complete protection, either within further layers of security or on a separate network location. This way, when ransomware attacks happen, all of the damaging effects are quickly negated.

    Unified Threat Management (UTM): An expansive and powerful solution which offers a real-time web content analysis tool that filters out any and all potential threats to the network and user. In addition, a UTM solution also works on anonymous mobile devices for BYOD and can be configured in line with company policy.
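    The endpoint agent described in the first item above has to recognise an attack "before it can do any damage", and the Intel Security quote at the top of the page says what that attack looks like on disk: tools that find, encrypt and delete the original files and any backups. The sketch below is an added example written for this page, not code from any product or from the original post. It scores a stream of constructed file operations per process: bursts of writes whose content has near-8-bit entropy (as ciphertext does) or renames to a new extension, plus deletion of files with backup-style extensions. The process IDs, paths, thresholds and the list of backup extensions are assumptions made up for the example.

```python
"""Added example: per-process ransomware-like file activity scoring over
constructed file-operation records (time, pid, op, path, payload)."""

import math
from collections import defaultdict

WINDOW_S = 60                 # assumption: sliding window for a "burst"
ENTROPY_THRESHOLD = 7.0       # bits/byte; encrypted or compressed data sits near 8
MIN_ENCRYPT_EVENTS = 5        # assumption: encrypt-like ops in one window that trigger an alert
BACKUP_EXTS = (".bak", ".vhdx", ".vbk")   # assumption: extensions treated as backup artefacts

# Constructed payloads. The flat byte distribution stands in for ciphertext;
# the repeated sentence stands in for an ordinary document.
CIPHER_LIKE = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly revenue summary for the board. " * 20

# Constructed operations: (t_seconds, pid, op, path, payload).
# For "write" the payload is the data written; for "rename" it is the new path.
SAMPLE_OPS = [
    (0, 4412, "write", r"\\fs\docs\a.docx", CIPHER_LIKE),
    (2, 4412, "rename", r"\\fs\docs\a.docx", r"\\fs\docs\a.docx.locked"),
    (5, 4412, "write", r"\\fs\docs\b.xlsx", CIPHER_LIKE),
    (7, 4412, "rename", r"\\fs\docs\b.xlsx", r"\\fs\docs\b.xlsx.locked"),
    (9, 4412, "write", r"\\fs\docs\c.pdf", CIPHER_LIKE),
    (11, 4412, "rename", r"\\fs\docs\c.pdf", r"\\fs\docs\c.pdf.locked"),
    (15, 4412, "delete", r"\\fs\backups\fs-2016-04-01.bak", b""),
    (3, 1200, "write", r"C:\Users\alice\report.docx", PLAINTEXT),
    (40, 1200, "rename", r"C:\Users\alice\~report.tmp", r"C:\Users\alice\report.docx"),
    (45, 1200, "write", r"C:\Users\alice\report.docx", PLAINTEXT),
]


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for a flat distribution)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_encrypt_like(op):
    """A write of high-entropy data, or a rename that changes the file extension."""
    kind, path, payload = op[2], op[3], op[4]
    if kind == "write":
        return shannon_entropy(payload) >= ENTROPY_THRESHOLD
    if kind == "rename":
        return path.rsplit(".", 1)[-1].lower() != payload.rsplit(".", 1)[-1].lower()
    return False


def analyse(ops):
    """Return {pid: [reasons]} for processes whose activity matches the pattern."""
    by_pid = defaultdict(list)
    for op in sorted(ops, key=lambda o: o[0]):
        by_pid[op[1]].append(op)

    alerts = {}
    for pid, seq in by_pid.items():
        reasons = set()
        times = [op[0] for op in seq if is_encrypt_like(op)]
        start = 0   # two-pointer sliding window over encrypt-like timestamps
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW_S:
                start += 1
            if end - start + 1 >= MIN_ENCRYPT_EVENTS:
                reasons.add("burst_of_encrypt_like_ops")
                break
        if any(op[2] == "delete" and op[3].lower().endswith(BACKUP_EXTS) for op in seq):
            reasons.add("backup_deletion")
        if reasons:
            alerts[pid] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for pid, reasons in analyse(SAMPLE_OPS).items():
        print(pid, ", ".join(reasons))
```

    The entropy test is what keeps a legitimate save of a large document from tripping the rule, and the backup-extension check is the part that most directly reflects the Intel Security description; an agent that could only react after the ransom note appeared would be too late.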

    Unfortunately these things cost money and time. More importantly though, they require the adoption of a security focused approach to IT spending. The developments in this area will be compelling, but with the relatively low comparable cost of paying out ransoms—at least so far—some executives might decide it’s worth the risk.

    To ensure your IT systems are fully protected, call our security team on 01268 627111.
