“During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system several tools were used to find, encrypt, and delete the original files as well as any backups.
These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the encryption of the files, a ransom note appears, demanding a payment in Bitcoins to retrieve the files. By separating particular functions from the ransomware binary, executing certain actions using free available tools and scripts, the adversaries tried to avoid detection as much as possible. This is unlike most ransomware cases that spread wherever possible. Targeted ransomware attacks have arrived.”
Intel Security – Feb 2016
Understanding the Dangers of Cybercrime
An increasing number of businesses, especially those in the healthcare and finance industries, are being targeted by a sophisticated new criminal threat. The apparent motive for these breaches is so-called injustices, but they are more likely part of a growing trend in which attackers try to quantify how much data is actually worth.
When these attacks first started, the price to unlock a single system was set at 1 Bitcoin per system (£296.54 today); later attacks began charging 1.5 Bitcoin (£444.86) to unlock systems and even began offering bulk prices, releasing all keys for 22 Bitcoin (£6520.41). Craig Williams, Sr. Technical Leader / Security Outreach Manager at Cisco Talos, told Ars Technica UK that he believed the attackers were testing to see what the market would bear for ransom demands.
The idea behind the attacks seems to be a low-risk approach (where it is extremely difficult to trace the origin) with an extremely high yield in terms of payoff. Many companies have some form of insurance in place for such an event, and so these criminals feel that what they are doing is essentially a victimless crime.
Another speculation is that these attacks are just a distraction. By deliberately triggering a flood of anti-virus alerts in one area and diverting the attention of security or monitoring staff, the attackers are able to take all the information from another area undetected and untraced. While unproven, this may be relevant as ‘leaks’ are becoming increasingly common. It is not yet clear where recent developments such as the Panama Papers scandal originated, but attacks such as this may have played a role. Indeed, these types of attack may have less immediate effect than wipe attacks, as seen at Sony, but could have far more damaging and frightening results in the longer term.
“People think of the Hollywood version of the hacker groups somewhere in a dark room devising these really innovative and creative kinds of techniques. The reality is that most of the attack vectors are administrative vulnerabilities that creative and talented people have discovered over time, but they weren’t the work of some evil mastermind somewhere in a basement. The amount of software going into everything—including the Internet of Things, which is a booming marketplace—is just proliferating these vulnerabilities globally.”
The above extract was taken from Ars Technica UK, Apr 09, 2016.
Getting Technical: SamSam: How it Works
Grasping the Issue: Why this could be very bad
Today, there are over 5 billion devices connected to the IoT or ‘Internet of Things’. This includes phones, cameras and recording devices, not to mention biometric scanners, locks and other security devices. In the past, a virus infection meant an attacker had hacked their way onto one device. Today, hacking a network provides access to the full platform of devices and software held on that network.
Just ask yourself: how much would you pay to have your phone unlocked, or for access to CRM tools such as Salesforce, or even to your website? How about being able to turn your car on, or being able to get into your house? With more and more factors vital to business and life in general offloaded to the cloud (digital keycards, accounting software, operational software and reliance on websites), the danger increases. This issue is not being properly addressed because the only real solution, not holding all these devices and locations on one network, makes life very complicated and very expensive.
It also means admitting that administrative tools built into Windows are the main attack vector against Windows systems. This would not only be devastating to the company, but might also demonstrate once and for all that Windows may have areas which are simply too exposed to be readily effective in the world of tomorrow.
Equally damaging is the admission that open-source software designed to exploit Windows security is out there and available for anyone to get their hands on.
Solution: Lockdown Security Updates
The big question now is how to prevent this, and how to stop it. Today, the law has not yet caught up with data protection in the modern age. However, with a raft of legislation about to be passed, businesses whose data is stolen will be vulnerable to prosecution for not taking the required steps to fully secure that data and protect their clients.
Essentially, IT protection strategies will become a part of business continuity, where a company must recover from this increasingly likely threat quickly, undamaged and without exposure to future data theft or business damage.
The tools to make these things happen already exist, and for the most part are being deployed successfully around the world. In this sense the best-protected organisations are small to medium sized businesses that outsource their IT to a managed services provider with network administration software. As standard, many of these companies already own the tools required to halt and recover from these attacks.
These tools include:
Endpoint Security and Monitoring Software: A solution that deploys an agent on each machine to monitor and report on activity or issues. It can recognise faults instantly and detect attacks before they can do any damage. Administrators can block specific users in real time and track activity to ensure all data is protected, or tracked if it is removed from the system.
Virtualized Servers, Regular Snapshotting, and Enterprise Data Backup Plan: These tools, properly configured, make it relatively easy for administrators to access systems via a secured back door, use restore points, halt all manner of brute-force attacks and have a plan in place to ensure valuable data is fully protected, either within further layers of security or in a separate network location. This way, when ransomware attacks happen, all of the damaging effects are quickly negated.
Unified Threat Management (UTM): An expansive and powerful solution which offers a real-time web content analysis tool that filters out any and all potential threats to the network and user. In addition, a UTM solution also works on anonymous mobile devices for BYOD and can be configured in line with company policy.
Unfortunately these things cost money and time. More importantly though, they require the adoption of a security-focused approach to IT spending. The developments in this area will be compelling, but with the relatively low comparable cost of paying out ransoms—at least so far—some executives might decide it’s worth the risk.
To ensure your IT systems are fully protected, call our security team on 01268 627111.