Targeted, custom ransomware menace rears its ugly head

Attackers are manually deploying ransomware directly into target networks to maximise the damage and potential payout. Unlike "spray-and-pray" attacks such as WannaCrypt, which hit victims at random, targeted attacks that manually execute the ransomware enable criminals to ensure they have locked mission-critical files that …

  1. Anonymous Coward

    How much lockdown is enough?

    Of course you don't run all machines as admin! Been known since day 1, been implemented since computers took over the world, which I'll put at 1990.

    Security is however a balancing act between usability, convenience and security. Like it or not. I'm sure most sysadmins would like to just disable all user accounts. There'd be a lot less risk then.

    In my place my betters and higher-ups have decided no more using any of the following over the network:*

    regedit

    compmgmt.msc

    services.msc

    psexec

    WMI interface

    File sharing (C$)

    printmanagement.msc

    etc ad infinitum

    which basically means the only way you are going to connect to a PC to fix it is to boot the user off so you can go in through the front door console session, either remotely with RDP/SCCM or in person.

    Too much lockdown? Not enough? Opinions welcome.

    *That list is for admins obviously; users are fully locked down, as they should be.

    1. Wensleydale Cheese

      Re: How much lockdown is enough?

      "Of course you don't run all machines as admin! Been known since day 1, been implemented since computers took over the world, which I'll put at 1990."

      Pity then that both Windows and macOS default to creating the first user at installation with full admin rights.

      1990 is fine for non-Windows systems, but Windows didn't get the concept of usernames, passwords and associated privileges until NT became popular, which meant 2000 or XP for the majority.

    2. Anonymous Coward

      Re: How much lockdown is enough?

      Ah... good old 'services.msc'.

      There are more CPU cycles used by that image than anything else on many systems. The number of times I have killed that process just to get the machine to behave again ... shudder. It really is time for MS to take a long hard look at components like that and sort them out once and for all.

    3. netminder

      Re: How much lockdown is enough?

      Actually I think most admins would like to do away with password protected accounts so they didn't have to deal with resets.

  2. This post has been deleted by its author

  3. Anonymous Coward

    Custom ransomware menace rears its ugly head

    This is what happens when you use that amateur open source socialist Linux instead of the industry standard legally compliant Microsoft® Windows™.

    1. lglethal Silver badge

      Sigh...

      I don't care what system you're using, but this is "Targeted Malware". Even if your firm was running 100% Linux, everything nice and secure, BUT you had something these bastards wanted - you WILL be targeted. Whether they get in or not comes down to how well you've educated your users and how well you've managed to lock things down.

      Stupidity in IT settings is not restricted to Windows sysadmins - hell, I've come across more than a few Linux sysadmins who failed in the basics because they said "Oh, I use Linux, I don't have to worry about that!"

      You can have a go at Microsoft for some of the open holes that the spray-and-pray type malware take advantage of, but Targeted Malware is targeted. If you have what they want, it doesn't matter if you're using Microsoft, Apple, Linux, OS/2 or some other abomination - you will get targeted...

      1. Wensleydale Cheese

        Re: Sigh...

        I don't care what system you're using, but this is "Targeted Malware".

        Well said. Even air-gapped systems can fall prey to targeted attacks.

        See Ralph Langner on Stuxnet, where he suggests that compromising a laptop used by a hardware engineer might let the bad guys in.

        1. Destroy All Monsters Silver badge

          Re: Sigh...

          Even air-gapped systems can fall prey to targeted attacks.

          Well, you know, there are targeted attacks and then there are Targeted Attacks which demand a large investment up-front that even cybermobsters are unlikely to deploy.

          1. Anonymous Coward

            Re: Sigh...

            "Well, you know, there are targeted attacks and then there are Targeted Attacks which demand a large investment up-front that even cybermobsters are unlikely to deploy."

            Depends. A large up-front investment that results in an even larger or even non-monetary return (such as knocking a competing firm out of business) may be worth it to a certain firm.

    2. netminder

      Re: Custom ransomware menace rears its ugly head

      Looks like nobody got your sarcasm here. Sad.

      1. Updraft102

        Re: Custom ransomware menace rears its ugly head

        Oh, I think people did. He was making fun of the people who say Linux is bad and vulnerable because of (whatever)... but the point was that with a targeted attack, it doesn't make any difference. When the miscreants are targeting a specific victim, they tailor the attack for the system in question. They poke and probe the intended victim until something works. All of them have vulnerabilities (including potentially gullible employees who can be tricked into doing something they should not do), so it's just a matter of finding them.

        1. Anonymous Coward

          Re: Custom ransomware menace rears its ugly head

          > Oh, I think people did. He was making fun of the people who say Linux is bad and vulnerable ..

          No he wasn't, he was making fun of people who managed to write a whole article on targeted malware without once mentioning the vulnerable platform.

    3. AlbertH

      Re: Custom ransomware menace rears its ugly head

      This is what happens when you use that amateur open source socialist Linux instead of the industry standard legally compliant Microsoft® Windows™.

      Joking aside, it's interesting to look at the exclusions that Microsoft have in their corporate contracts.

      My lawyer recently had cause to examine these carefully and said that there's no way that any truly "diligent" company could sign up to one of these "legal" abominations. MS wash their hands of all Malware of all sorts. If you have any issue with their software or operating systems, it's pretty much your problem - you're on your own!

  4. Bitwiper

    running PCs at least privilege (best practice but may not prevent your .com from buckling)

    John Leyden wrote: "This would involve running PCs at least privilege (the security perils of running all machines as admin was, of course, illustrated by the recent NotPetya outbreak)"

    Does ANYONE have evidence that ALL computers trashed by NotPetya were operated - on a day-to-day basis - by people with admin privileges? I seriously doubt that.

    Firstly, NotPetya apparently spread bundled with a software update. Software installers (including updaters) typically run with elevated privileges. No interactively logged-on user is needed to compromise a computer if booby-trapped updates are provisioned automatically.

    Last but not least, NotPetya came with slightly altered Mimikatz code. If a PC or server is an AD member (common for anything bigger than SOHO), has credential caching enabled (typically for 10 different accounts) and an admin has EVER logged into that computer, then PtH (Pass the Hash) will enable the malware to attack other computers on the network using those cached admin credentials - regardless of whether anyone is actually logged on to the compromised computer at the time.

    The world mostly got away with NotPetya, simply because its enrollers only targeted Ukrainian companies. I expect PtH to be devastating on most company networks (in particular those running W7 - Redmond made PtH and PtT attacks harder to accomplish on W10).

    Curiously the media and most "experts" don't warn of this imminent mess; instead they suggest that "restricting user privs" (and/or "better AV", "educate users" etc.) will save your day. Good luck with that...

    Bitwiper

    P.S. tip: disable startup of the "Server" service (srv.sys) on any computer that is NOT a server.
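The following is an added example, not code from the thread or from The Register. It turns the first comment's list of banned remote channels (C$/ADMIN$, psexec, remote registry, WMI) and Bitwiper's two points (the domain logon cache and the Server service on non-servers) into a PowerShell audit with an optional hardening step. One caveat worth stating: CachedLogonsCount governs the DCC2 logon cache, which Mimikatz dumps for offline cracking; the NTLM hashes that a Pass-the-Hash replays come from LSASS logon sessions, which that setting does not cover, so the audit also reports LSA protection (RunAsPPL). Function names are my own; the registry paths, service names and firewall rule group are the real Windows ones. Assumes a domain-joined Windows 10/11 workstation, PowerShell 5.1 or later and an elevated session.

```powershell
# Added example (not from the thread). Audit the remote-admin surface of a
# workstation and optionally close it. Run elevated; -WhatIf only reports.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LateralMovementSurface {
    # CachedLogonsCount is REG_SZ; when absent Windows uses the default of 10.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    # AutoShareWks=0 stops C$/ADMIN$ being recreated at boot; absent means 1.
    $autoShare = (Get-ItemProperty -Path $lanman -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
    # RunAsPPL >= 1 runs LSASS as a protected process (what actually gets in
    # the way of Mimikatz reading logon-session hashes).
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $wmiInbound = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }

    [pscustomobject]@{
        CachedLogonsCount = if ($null -ne $cached)    { [int]$cached }    else { 10 }
        AutoShareWks      = if ($null -ne $autoShare) { [int]$autoShare } else { 1 }
        AdminShares       = @(Get-SmbShare -ErrorAction SilentlyContinue |
                              Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' }).Name
        ServerService     = (Get-Service -Name LanmanServer).StartType
        RemoteRegistry    = (Get-Service -Name RemoteRegistry).StartType
        WmiInboundRulesOn = @($wmiInbound).Count
        LsaProtection     = [bool]($runAsPpl -ge 1)
    }
}

function Set-LateralMovementHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 0 = no cached domain logons; laptops that must log on offline need > 0.
        [ValidateRange(0, 50)] [int] $CachedLogons = 0
    )
    # Win32_OperatingSystem.ProductType: 1 workstation, 2 domain controller, 3 server.
    $isWorkstation = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1

    if ($PSCmdlet.ShouldProcess($winlogon, "CachedLogonsCount=$CachedLogons")) {
        Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value "$CachedLogons" -Type String
    }
    if ($PSCmdlet.ShouldProcess($lanman, 'AutoShareWks=0')) {
        Set-ItemProperty -Path $lanman -Name AutoShareWks -Value 0 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($lsa, 'RunAsPPL=1')) {
        Set-ItemProperty -Path $lsa -Name RunAsPPL -Value 1 -Type DWord   # takes effect after reboot
    }

    $services = [System.Collections.Generic.List[string]]::new()
    $services.Add('RemoteRegistry')   # regedit and services.msc over the network rely on it
    if ($isWorkstation) {
        # Bitwiper's tip: no Server service on a non-server. This also removes
        # C$/ADMIN$, so psexec (which copies its service binary via ADMIN$)
        # stops working; RDP does not depend on the Server service.
        $services.Add('LanmanServer')
    } else {
        Write-Warning 'ProductType is not workstation; leaving the Server service running.'
    }
    foreach ($name in $services) {
        if ($PSCmdlet.ShouldProcess($name, 'Stop and disable service')) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

Get-LateralMovementSurface | Format-List
Set-LateralMovementHardening -CachedLogons 0 -WhatIf   # drop -WhatIf to apply
```

Run the audit first on a few machines and compare with what the helpdesk actually uses: once LanmanServer and RemoteRegistry are disabled, the remaining admin paths are the console (RDP) and whatever agent (SCCM client or similar) is already installed, which is exactly the "front door" situation described in the first comment.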

    1. diodesign (Written by Reg staff) Silver badge

      Re: Bitwiper

      "Does ANYONE have evidence that ALL computers trashed by NotPetya were operated - on a day-to-day basis - by people with admin privileges?"

      All right, calm down, calm down. We've tweaked the sentence so it's a little sharper. Not every trashed machine had admin access, obviously. And giving people and software the least possible privs is a good thing, obviously.

      C.

  5. Bitwiper

    @diodesign

    Thanks for tweaking the sentence!

    Of course I agree that using privileged accounts (members of the Administrators group) should be limited to those specific tasks that mandate such privs.

    At the very least this blocks UAC bypass attacks (in particular if the UAC slider is at default position 3 or lower), while untargeted ransomware (typically without privilege attacks up its sleeve) will only affect files the specific user has write/delete permissions on, and the PC + any implemented security measures may not need re-imaging after malware has run.

    So yes, make it so, but don't count on it for targeted attacks. Privilege escalations are typically all over the place (regardless of OS) and patches typically get low criticality notes.

    Finally, I'm calm. I'm just extremely worried that way too many people think their networks are safe. Of course you can connect everything to everything (such as companies all over Europe to branches in Ukraine) using 20+ year old technology (hardly improved because that would destroy legacy compatibility) and enjoy the benefits - while ignoring the risks.
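An added example, not from the thread or The Register, for the UAC point in the comment above: the slider is nothing more than three registry values, and a UAC bypass only matters for an account that holds a split admin token, so the two things to check are where the slider sits and who is in the local Administrators group. Function names are mine; the key path and value names are the real ones. Assumes Windows 10/11, PowerShell 5.1 or later and an elevated session.

```powershell
# Added example (not from the thread). Report the UAC posture of this machine
# and the accounts a UAC bypass would matter for.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p     = Get-ItemProperty -Path $uacKey
    $admin = [int]$p.ConsentPromptBehaviorAdmin
    $sd    = [int]$p.PromptOnSecureDesktop
    # Slider position -> ConsentPromptBehaviorAdmin / PromptOnSecureDesktop
    #   4 Always notify                      2 / 1  (no silent auto-elevation of signed Windows binaries)
    #   3 Default                            5 / 1  (signed Windows binaries auto-elevate: the classic bypass vector)
    #   2 Notify without secure desktop      5 / 0
    #   1 Never notify                       0 / 0  (elevation is silent)
    $slider = if ([int]$p.EnableLUA -eq 0) { 'UAC off (EnableLUA=0)' }
              else {
                  switch ("$admin/$sd") {
                      '2/1'   { '4 - Always notify' }
                      '5/1'   { '3 - Default (auto-elevate bypasses apply)' }
                      '5/0'   { '2 - No secure desktop (auto-elevate bypasses apply)' }
                      '0/0'   { '1 - Never notify' }
                      default { "custom (ConsentPromptBehaviorAdmin=$admin PromptOnSecureDesktop=$sd)" }
                  }
              }
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()

    [pscustomobject]@{
        Slider                = $slider
        # What a standard user gets on elevation: 0 = denied outright (what a
        # "fully locked down" user should see), 1 = credential prompt on the
        # secure desktop, 3 = credential prompt (default).
        StandardUserElevation = [int]$p.ConsentPromptBehaviorUser
        ThisSessionElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # Every member listed here runs day to day with a split token unless
        # they log on with a separate account; domain groups are not expanded.
        LocalAdmins           = @(Get-LocalGroupMember -Group 'Administrators' |
                                  ForEach-Object { "$($_.Name) [$($_.ObjectClass), $($_.PrincipalSource)]" })
    }
}

function Set-UacAlwaysNotify {
    # Move the slider to position 4 and make standard users' elevation
    # attempts fail instead of prompting. -WhatIf only reports.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($uacKey, 'ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1, ConsentPromptBehaviorUser=0')) {
        Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
        Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser  -Value 0 -Type DWord
    }
}

Get-UacPosture | Format-List
Set-UacAlwaysNotify -WhatIf   # drop -WhatIf to apply
```

The LocalAdmins list is the part to act on: an account that does not appear there has no admin token for a bypass to unlock, which is the "limit privileged accounts to the tasks that need them" point in the comment. Note that "Always notify" closes the auto-elevation class of bypass but does nothing against a genuine privilege-escalation bug, which is the comment's own caveat about targeted attacks.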

  6. Amos1

    Old news. Remember back when...

    Some years ago a web app SQL injection attack used xp_cmdshell(), which used to be enabled by default on Microsoft SQL and never can really be removed, to install a service as SYSTEM on a SQL server? It transparently encrypted all data in the database as it was stored and decrypted it as it came out?

    Some months later the attackers deleted the decryption key, delivered the ransom demand and the SHTF. The company, which had a rock-solid backup strategy, ended up having to pay in full because their compliance-driven annual restore test was done, well, annually. The last unencrypted backup of all online transactions was months old and of no use.

    And then there was this recent event: http://www.itworldcanada.com/article/canadian-firm-pays-425000-to-recover-from-ransomware-attack/394844
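An added example, not from the thread or The Register, for the SQL Server story above: the checks that would have surfaced that setup before the injection got to it. It queries whether xp_cmdshell is enabled, which logins could re-enable it because they hold sysadmin (so "disabled" is only meaningful if the web application's login is not among them), and whether the engine service runs as LocalSystem, in which case anything xp_cmdshell spawns is SYSTEM. Function names are mine; sys.configurations, sp_configure and the Win32_Service names are the real ones. Assumes $Instance is reachable with the caller's Windows credentials; 'localhost' is a placeholder.

```powershell
# Added example (not from the thread). Check a SQL Server instance for the
# xp_cmdshell-to-SYSTEM path described above.

function Invoke-SqlQuery {
    param([string] $Instance, [string] $Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $row = [ordered]@{}
            for ($i = 0; $i -lt $reader.FieldCount; $i++) { $row[$reader.GetName($i)] = $reader.GetValue($i) }
            [pscustomobject]$row
        }
    } finally { $conn.Close() }
}

function Get-SqlShellExposure {
    param([string] $Instance = 'localhost')

    # sys.configurations is readable by any login; 'value' and 'value_in_use'
    # differ until RECONFIGURE has run.
    $config = Invoke-SqlQuery -Instance $Instance -Sql @"
SELECT name, CAST(value AS int) AS configured, CAST(value_in_use AS int) AS in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled')
"@
    # Anyone in sysadmin can turn xp_cmdshell back on with two sp_configure
    # calls, so the application's login must not be in this list.
    $sysadmins = Invoke-SqlQuery -Instance $Instance -Sql @"
SELECT name FROM sys.server_principals
WHERE type IN ('S', 'U', 'G') AND IS_SRVROLEMEMBER('sysadmin', name) = 1
"@
    # Service account of every engine service on this host (default and named
    # instances). 'LocalSystem' means xp_cmdshell children run as SYSTEM.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSSQLSERVER' OR Name LIKE 'MSSQL`$%'" |
        Select-Object Name, StartName, State

    [pscustomobject]@{
        Configuration  = $config
        Sysadmins      = @($sysadmins).name
        EngineServices = $svc
        RunsAsSystem   = [bool]($svc | Where-Object { $_.StartName -eq 'LocalSystem' })
    }
}

# Turning xp_cmdshell off; both steps require sysadmin on the instance.
$disableXpCmdshell = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
"@

Get-SqlShellExposure -Instance 'localhost' | Format-List
# Invoke-SqlQuery -Instance 'localhost' -Sql $disableXpCmdshell
```

Disabling xp_cmdshell is the easy part; the findings that matter are a sysadmin login used by a web application and an engine running as LocalSystem. Neither is fixed by sp_configure, and the second is what turned a SQL injection into a SYSTEM service in the story above. The backup lesson in the same story is not something a query can check: a restore test has to confirm the restored data is readable, not just that the backup file is intact.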
