Ransomware and Encryption Attacks
How Recent Attacks Can Inform Effective Prevention and Response Efforts
By: Jay Kramer
As organizations move towards the efficiencies of a “paperless office,” the very same internet-facing technologies that help create a more efficient and productive workplace can also greatly increase the risk of suffering a significant ransomware or encryption attack. While a great deal of technical literature is available about encryption attacks and ransomware, the goal of this article is to provide simple and practical answers to the following questions:
- Can my organization learn from recent encryption attacks to prevent an infection?
- How can my organization be better prepared to respond to a successful attack?
Lesson 1: The critical importance of patching
SAMSAM (MSIL/Samas) health care sector attacks. The ransomware variant SAMSAM (aka MSIL/Samas) is publicly reported to have infected health care organizations through vulnerabilities in outdated “JBoss” software. In addition to encrypting a network’s active files, SAMSAM searches for file extensions and directories containing backup files. Once located, SAMSAM often successfully encrypts or deletes backup files before proceeding with its encryption of active files, thus creating a “perfect storm” of malicious design elements.
WannaCry — 99 countries affected with malware in 27 different languages. On May 12, 2017, malware known as WannaCry, WCry or Wanna Decryptor infected tens of thousands of users in as many as 99 countries. The requested ransom associated with the attacks was .1781 bitcoin, or roughly $300. WannaCry gained access to victim networks through one of two primary means: RDP compromise or the exploitation of a critical Windows SMB vulnerability. In addition, WannaCry’s cryptographic loading method does not directly expose itself on disk, making it difficult to detect through most antivirus software scans. Interestingly, Microsoft released a security update for this “MS17-010” vulnerability on March 14, 2017, approximately one month before the widespread attacks referenced above.
The malicious binary Dharma. The ransomware variant Dharma is one of the more common in recent days, affecting numerous financial services and health care systems through its use of asymmetric cryptography. There are two separate versions of the Dharma variant, both of which use a combination of AES and RSA ciphers. The AES technology produces a public key to execute the encryption. It targets text documents, graphics databases, archives, audios, videos, and other file types. It appends a custom extension to the names of the encrypted items. The RSA cipher then generates and encrypts a private key that the attacker stores on a remote command and control server. During encryption, the explorer.exe process can become unresponsive, and like most other variants, Dharma generates a ransom note on the server’s desktop. Through a recent online leak of Dharma decryption software, an effective “decryptor” for Dharma is now widely available, obviating the need for the payment of a ransom in many cases.
Action Item: Review your organization’s patching protocols. The number of known ransomware variants continues to grow as opportunistic attackers target vulnerable organizations through the use of modified code and refined attack forms. According to Verizon’s 2017 Data Breach Incident Report, public administration organizations were the number one industry targeted by ransomware, with healthcare the second most targeted and financial services the third. On a positive note, SAMSAM and WannaCry attacks have been largely curtailed through public education and aggressive software patching campaigns. Keeping software up to date, however, requires careful planning and diligence. According to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the primary infection vector in at least 95 percent of incidents was an unpatched vulnerability in an operating system, software, or plugin.
To prevent attacks through unpatched software, organizations should consider the use of a centralized patch management system. In addition, alerts from automated vulnerability scanning tools should be aligned to trigger an organization’s internal patching processes. Other measures, such as application white-listing and software restriction policies, should also be implemented to prevent the execution of programs in common ransomware locations, such as temporary folders.
Lesson 2: Control the use of administrative privileges
Petya malware — the attack on DLA Piper and others. On June 27, 2017, Petya malware spread across Europe and the United States, infecting international law firm DLA Piper, shipping giant Maersk, and several other global organizations. Instead of encrypting files one by one, Petya denied access to each infected system by attacking the network’s master file table and rendering the entire file system not readable. These attacks are believed to have propagated through a legitimate software updater for the tax accounting software MEDoc, and through a separate watering hole attack associated with Ukraine’s municipal website, Bahmut. Significantly, the compromise of just a single set of administrative credentials enabled the spread of Petya malware across entire networks. This highlights the critical need for organizations to both limit the granting of administrative credentials and to properly segment network environments.
Action Item: Strictly reduce accounts with administrative privilege. When attackers gain access to accounts with administrative privileges, they are able to access sensitive network data and further the exploitation of a network by installing keystroke loggers, sniffers, and remote control software to harvest additional data. To limit the chance an administrative account is compromised, administrative privileges should only be granted to those who need them to perform essential business functions. Audits of the use of administrative privileged functions should also be regularly conducted and monitoring should be employed to detect anomalous behavior on administrative accounts.
Action Item: Apply the principle of network segmentation. Categorize and separate your organization’s data based on its value or on its importance to operations. In addition, implement virtual environments and the physical and logical separation of networks and data where possible. In other words, separate your organization’s data and restrict permissions and accesses to limit the potential damage that can result from an attack.
Lesson 3 – Create an incident response plan that includes specific planning for encryption attacks
In the aftermath of a successful encryption attack, an organization will be unable to access important files or information within its network. For example, in the recent spate of Petya attacks, DLA Piper employees were without access to email or telephone systems for days. In addition, the firm's information technology team preemptively shut down many unaffected systems to limit the spread of the malware.
One of the critical questions regarding your organization’s preparedness to withstand a significant encryption attack should be, “Can my organization conduct its most ‘mission essential’ functions without access to email, the internal document system, or any other of the firm’s digital information?” In other words, after your firm activates its incident response plan and remediation efforts are underway, the question you may be faced with is whether your employees can operate under “Code White” conditions — that is, can your organization temporarily function without its usual network of computers? In the most extreme example, that might mean conducting all operations manually — hence the reference to the use of white paper notepads and pens and pencils.
Action Item: Update and revise your organization’s incident response plan. While it may seem unnecessary or unrealistic to prepare for a scenario in which a large portion of your network has been rendered inaccessible, consider that the crippling attacks on Sony Corp. , Saudi Aramco, or Maersk and DLA Piper are increasingly within the realm of possibility. In each of those events, the organization’s critical infrastructure was severely damaged and employees could not access the digital information necessary to conduct even the most basic daily business activities. A well-crafted incident response plan should therefore contemplate either partial or complete encryption scenarios and provide for immediate access and current and accurate information regarding:
- Designated first response staff (including key stakeholders, such as IT, legal, financial, HR, insurance, risk/compliance, corporate communications/public relations);
- Pre-positioned supplies and resources to allow mission essential functions to continue;
- Plans to engage key personnel and vendors to restore affected segments of the network from backup data; and
- Plans to transition back to normal operations when the incident has been mitigated.
Action Item: Review your organization’s backup protocols. Effective backup protocols are absolutely critical to surviving a significant encryption attack. Utilize a backup system that allows multiple iterations of the backups to be saved, in case backup copy becomes encrypted or the files within the backed up data are otherwise infected. Routinely test backups for data integrity and ensure that your technical staff is both trained on data recovery and integrated into your organization’s IRP. Training through tabletop exercises is an effective means to ensure that the organization’s operational plan to restore affected parts of the network will function properly when it is most needed.
Other Helpful Action Items: The Center for Internet Security and the MS-ISAC offer the following additional guidance to help you secure your network and to prevent or limit the damage from a successful encryption attack:
- Use antivirus and anti-spam solutions. Enable regular system and network scans with antivirus programs authorized to automatically update signatures. Implement an anti-spam solution to stop phishing emails from reaching the network. Consider adding a warning banner to all emails from external sources that reminds users of the dangers of clicking on links and opening attachments.
- Disable macros scripts. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications. These macros are a frequent encryption attack vector.
- Restrict internet access. Use a proxy server for internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.
- Vet and monitor third parties that have remote access to the organization’s network and/or your connections to third parties to ensure they are diligent with cybersecurity best practices.
- Participate in cybersecurity information sharing. Programs and organizations, such as MS-ISAC and the FBI’s InfraGard and Domestic Security Alliance Council can provide the latest guidance on best practices, advisories, and information on the latest ransomware and encryption attacks.
- Establish relationships with federal law enforcement/national security organizations. The FBI maintains Cyber Task Forces in each of it 56 field offices nationwide. The United States Secret Service maintains a nationwide network of 46 Electronic Crimes Task Forces as well. These organizations publish additional bulletins and advisories based on trends culled from active cyber investigations. These materials, as well as access to periodic roundtables and working groups, can be obtained free of charge by contacting your local field office and requesting to be placed on cyber advisory distribution lists.
In today’s digital environment, organizations should plan for the possibility, or even the eventuality, of a ransomware or encryption attack. While the likelihood of an attack is greater now than at any time in the past, employing a multi-layered cyber defense that carefully implements the 20 industry-standard critical cybersecurity controls will greatly reduce the likelihood of a significant encryption attack. This data security posture will also prepare you to more quickly recover from an attack which encrypts all or part of your organization’s network.
Lewis Brisbois’ Data Privacy & Cybersecurity Practice Group has significant experience in managing responses to information security incidents. Our services include access to Lewis Brisbois' 24/7 data breach hotline and complete project management of the breach response process. This often includes a rapid initial assessment of a data security incident, digital forensics, crisis management and communications, consumer notification, and credit monitoring and/or identity protection services. The Lewis Brisbois national data breach response team is best in class and ready to immediately respond to any type of data security incident at anytime, anywhere.
Our team can also assist with a host of pre-breach and risk mitigation services, including the development of incident response plans mapped to the National Institute of Standards and Technology Computer Security Incident Handling Guide, Special Publication 800-61 Rev. 2. We can also assist in the development of tabletop exercises to ensure key stakeholders in your organization are prepared to exercise their roles and responsibilities in the incident response plan. Our planning process also includes assistance with the acquisition of cyber liability insurance, the facilitation and execution of master service agreements with breach response service providers (digital forensics services, consumer notification/call center services, credit monitoring/identity protection services, etc.), and introductions to appropriate law enforcement personnel.
We recognize that preparation is a critical phase in the incident response life cycle, and are well versed in helping clients prepare for all types of data security incidents. For more information on the services we can provide, please contact us any time on our Data Breach Response Hotline, 844.312.3961, or at our 24/7 Data Breach Response Team Email, firstname.lastname@example.org.
 The JBoss vulnerability, which proved to be the vector of intrusion in the recent SAMSAM attacks, was an open source version of software used to implement Java and other web-based applications. Many victims were unaware that this unpatched version of JBoss was even running within their environments.
 RDP, or Remote Desktop Protocol, is a proprietary Microsoft network communications protocol designed to facilitate remote access to virtual desktops, applications, and servers.
 The Server Message Block (SMB) Protocol is a network protocol whose main purpose is to enable file sharing. For more, see Microsoft SMB Protocol and CIFS Protocol Overview: https://msdn.microsoft.com/en-us/library/windows/desktop/aa36 5233(v=vs.85).aspx
 According to the SANS Institute, asymmetric cryptography is a modern type of “public key” cryptography in which the algorithms employ two different keys (a public key and a private key) and use a different component of the key pair for different steps of the algorithm.
 See: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/ .
 See: https://www.cisecurity.org/white-papers/technical-white-paper-timely-patching-reduces-system-compromises/
 See: https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/
 A watering hole attack is one in which the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.
 See Cyber Alert: Petya Ransomware, June 28, 2017: https://www.cisecurity.org/cyber-alert-petya-ransomware/
 See “Hackers Lay Claim to Saudi Aramco Attack”: https://mobile.nytimes.com/blogs/bits/2012/08/23/hackers-lay-claim-to-saudi-aramco-cyberattack/
 See “U.S. Said to Find North Korea Ordered Cyber Attack on Sony”: https://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html
 For example, to be able to effectively function following a significant encryption attack, the following items might be prepositioned in a strategically designated location to enable the firm’s critical tasks to continue: laptops for key personnel with preloaded macros and software, copies of staff directories and other important contact information, updated customer lists, critical billing information, and other important reference materials.
 For more information about FBI programs like InfraGard and the Domestic Security Alliance Council, see: https://www.fbi.gov/about/partnerships/office-of-private-sector, or contact your local FBI field office directly. To locate one of the 46 US Secret Service’s Electronic Crimes Task Forces, see: https://www.secretservice.gov/investigation/
 For more information on the 20 critical cybersecurity controls, see: https://learn.cisecurity.org/benchmarks.