From “Spray and Pray” to the “big hunting game”: Knocking out the big bad wolf of Ransomware
March 8, 2019: Hilde Merete Aasheim, the CEO of Norsk Hydro, woke up to a 4 AM call from her security team. No, this wasn’t a security drill, they told her. 170 Norsk Hydro sites had been hit with the ransomware GoGalocker. Hydro’s data had been encrypted with RSA-4096 and AES-256 encryption, which made it nearly impossible to decrypt without the key. In addition, the GoGalocker attackers had left a ransom note documenting their demands: the victim had to pay or permanently lose access to their data. The longer it took Hydro to pay, the note said, the more it would cost them.
Welcome to the big bad world of #Ransomware. Ransomware is a type of #malware that encrypts the victim’s data in a bid to make them cough up an extravagant amount of money for the decryption key. The payment is normally demanded in Bitcoin (1 Bitcoin is equal to approximately 24,000 US dollars).
Until a few years ago, ransomware was a low-level cybercrime in which the perpetrators used a “Spray and Pray” technique: they spammed thousands of users with the malware, hoping that the users would infect themselves. Most of the malware was intercepted and weeded out by antivirus and endpoint technologies, and the criminals only succeeded when victims had not kept their antivirus software up to date. Unfortunately, ransomware is no longer a low-level threat; it is now being used by attackers to cripple government and commercial enterprises. Let us look at the method of operation used by the “big game hunting” attackers:
1. Phishing: A #phishing mail delivers an MS DOC file that uses macros to drop malicious code onto the victim’s system.
2. Downloading shellcode: Two Microsoft PowerShell scripts run on the infected host, downloading the shellcode with which the attackers exploit the system’s vulnerabilities.
3. Cobalt Strike: The Beacon tool from Cobalt Strike, a penetration testing suite, is used to create a connection with the attackers’ servers.
4. Reverse shell: A reverse shell is created to take control of the victim’s machine.
5. Network enumeration: The attacker gathers privileged information from the victim’s machine, such as user names, machine names, network resources, shares, and services.
6. Privilege escalation: Attackers bypass the proper authorization channels and gain access to data.
7. Batch files: Files are run that disable endpoint protection, and passwords are changed to an attacker-determined value.
8. Ransomware distribution: The ransomware is distributed and executed throughout the system with the aid of legitimate admin tools.
9. Ransom note: A demand is made to the victim to pay for the decryption key.
How to stock up your defenses against ransomware:
a. Principle of least privilege: Give users access strictly within the scope of their work responsibilities. Admin access should never be granted unless there is a critical business need.
b. Restrict emails to plain text: Ban HTML-based emails. This prevents the user from clicking malicious links.
c. Limit the types of email attachments: Users should not be able to receive .rar, .dll, or .exe files through email; any legitimate need for such files should be handled through an internal request tool. Educate employees that such extensions are never to be opened when received through email or any other external channel.
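A small mail-gateway check implementing rules b and c above, written as an added example for this post rather than code from the author or from Norsk Hydro: it parses a message with Python's standard `email` library, quarantines HTML-only mail and mail carrying attachments with banned extensions, and goes slightly beyond the text by also catching disguised double extensions such as `invoice.pdf.exe`. The banned-extension set and the sample messages are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions banned when received by email (rule c above). The set is an
# assumption for this example; a real gateway policy would be broader.
BANNED_EXTENSIONS = {".rar", ".dll", ".exe"}


def banned_suffixes(filename):
    """Return every banned extension appearing in the filename.
    Every dotted suffix is checked, so a disguised double extension such as
    'invoice.pdf.exe', or an upper-case 'REPORT.EXE', is still caught.
    """
    suffixes = ["." + p for p in filename.lower().split(".")[1:]]
    return [s for s in suffixes if s in BANNED_EXTENSIONS]


def inspect_message(raw):
    """Parse a raw RFC 5322 message and apply rules b and c.
    Returns (verdict, reasons): verdict is 'deliver' or 'quarantine'.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Rule c: the declared MIME type is untrusted; judge by filename.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for suffix in banned_suffixes(name):
            reasons.append(f"attachment {name!r} has banned extension {suffix}")
    # Rule b: a message without a text/plain body (HTML only) is held.
    if msg.get_body(preferencelist=("plain",)) is None:
        reasons.append("no plain-text body: HTML-only message")
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(html_only=False, attachment=None):
    """Build a constructed sample message (test data, not a real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Invoice"
    body = "Please see the attached invoice."
    if html_only:
        m.add_alternative(f"<p>{body}</p>", subtype="html")  # no text/plain part
    else:
        m.set_content(body)
    if attachment:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

Call `inspect_message(build_sample(html_only=True, attachment="invoice.pdf.exe"))` to see both rules fire on one message.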
A ransomware attack is crippling and compromises the company’s data as well as that of its clients. A defensive strategy is the best recourse against ransomware. However, in case of an attack, both #cybersecurity and law enforcement experts agree that you should never pay a ransomware attacker. First, paying attackers only encourages them to engage in more nefarious activities. Second, there is no guarantee that they will honor their part of the deal once the money is received; they could simply leave the victim in the lurch. Lastly, even if they provide a key, there is no guarantee that the integrity of the data has not already been violated.
Norsk Hydro stood firm and did not pay the attacker. They went public almost immediately and told the world what was happening. Sharing this information helped other organizations prepare better against the threat. If more organizations take this approach and refuse to cave in to ransomware demands, it will discourage attackers from carrying out such attacks.
Visit: www.i3intl.com