Targeted Ransomware requires Identity upgrade

This week we are experiencing the latest iteration of ransomware after last month's Wannacry attack. Key takeaways are: Patch your systems and lock down you Admin level password privileges.

It not clear yet whether this latest attack is a Petya variant they are calling "Goldeneye" or some new ransomware. But the attack is hitting critical infrastructure including, the Ukraine Central Bank, Danish shipping company Maersk, Dutch transport company TNT, Russian oil giant Roseneft and one of the top law firms globally, DLA Piper.

The days of ransomware affecting single hosts are gone and we are now presented with self replicating worms that include weaponized payloads that can spread quickly. Now, this latest strain does not just rely on the Eternalblue exploit. According to Binary Defense, in the Ukraine, an accounting software called MeDoc was compromised and led to the infection. During the attack, psexec v1.98 is dropped into the system to see passwords in clear text and then a tool is used to leverage lsadump to pull passwords from memory. Automation, lateral movements on the network and passwords with Admin rights, enabled this attack to propagate.

This latest attack hit European and Australian locations, and Merck and Heritage Valley Health System in PA were also hit. Companies hit by the ransomware told employees to shut down all computers. Business interruption is the main impact from ransomware and the reason why we are seeing an escalation in attacks and the amounts sought in payment. What is the cost of shutting down operations for a national telco or electric utility?

Last week, a South Korean web hosting company Nayana, paid a $1 million ransom after an Erebus attack encrypted data on 153 linux servers, potentially affecting 3400 customers. They negotiated down from $1.6 million (550 bitcoin) to 397.6 Bitcoin. Last year an American Bar Association article on ransom cited an average payment of $4.5 million for a human ransom. What's to keep data from reaching parity with humans, when the cyber insurance policies will cover losses?

The average amount sought in this latest attack is $395 and reports say they likely have no kill switch. It also appears that this attack is more targeted, enabling hackers to handle manual bitcoin payments that are handled through email. Victims must email proof of payment to an email address to get a decryption key. Posteo email provider has closed the hacker email account, frustrating payment. They will no doubt find a work around to the payment process.

Access to systems/networks and authorization to services must move beyond passwords and two factor authentication. We need multi factor authorization (MFA) that includes something you have, something you know and something you are. Mobile devices enable us to use fingerprints, facial recognition, voice and behavioral characteristics to authenticate and identity proof a user before giving access to services.

Thankfully, these technologies are available now, not too pricey and being implemented by our Federal Government under NIST guidelines for Level of Assurance (LOA). Pilot tests that link access to federal services under the NIST Trusted Identities Group, with commercial transactions in banking and ecommerce, indicate that a Federated Identity solution has traction in the USA, similar to the UK identity verification program.

The guidance to avoid these attacks is solid: PATCH and test your back ups. You also need to know WHAT is inside the traffic on your network: you must monitor network sessions! And...you must know WHO is on your network and accessing your services: Identity Proofing.