A beer for the MIS staff for doing a good job!
Hopefully this will make other organisations look to their network architectures and backup arrangements before they get screwed.
The City of New Bedford, in Massachusetts, has found a way to deal with ransomware without paying: shoring up defenses, restoring from backups, and rebuilding systems. The attack on the American city's systems was identified on July 5, after employees noticed unusual network activity upon returning from the July 4th holiday, …
Yes. And paying the ransom isn't necessarily cheaper either.
If a machine has been compromised, the minimum you need to do is re-image it and restore the data from a known-good backup. You might use the decrypted files for those that can't be restored, but are you really going to trust a computer that was infected?
A friend of mine is an administrator at another company and their server was found to be listed on a darknet website. The Verfassungsschutz (Federal Office for the Protection of the Constitution) recommended that they destroy the drives and the motherboard of the server and restore to a new system from a secure, offline backup.
That's massive overkill. Mark Russinovich brought this idea up in one of his talks: that the first port of call for people is to wipe a system, but he said it's not always required. He showed his tools in use hunting malware. He was the guy that found Sony's rootkit all those years ago.
Yes wiping is best practice. But destroying a mobo and drives after an attack is massive overkill and a waste.
On a server, providing company information, that has been infiltrated from outside without any alarm bells going off?
Can you be sure they haven't root-kitted the UEFI or the management board?
At one place, a user got hit by Goldeneye. We removed her hard disk, stuck a quarantine seal on it and re-imaged her laptop; she was up and working again in an hour. But for a server, I'd be more cautious.
They do not. These new BIOS infections do not overwrite the files; they create their own little pocket, the malware runs independent of the OS and cannot be seen by the OS, but it can see the files. This is from a Defcon presentation this year. Several of us asked about flashing the BIOS, but that only overwrites the existing parts and won't touch the infection. I'm sure every AV company is working on detection methods. I have to say I have an older ROG2 MB and it has an independent Linux install in the BIOS that you don't need a HD for, for some basic things. Also heard of infections 5 years ago, but not as scary as today's.
IF you're extremely skilled and can hunt, identify, reverse and fully clean a system you can take the risk. I believe very few companies have such skills available. The safest path is to wipe and reinstall. Destroying motherboards and drives depends on what they are being used for.
I worked at a particular well known tech company last year. They had a well funded and quite experienced security team. They felt that best practices called for destroying client devices that had even potentially been compromised. It was just too challenging to keep up with all the potential hacks and risks that each device was subject to, and that's not even getting into the issue of zero day attacks.
What utter BS
Mark Russinovich is not some infallible being.
Finding DRM created by a corporation behaving like malware is not exactly the same as finding something which is state sponsored, where remaining elusive is paramount.
What is malware?
Something that does harm and is undesirable.
I would argue that if what you're saying is true, malware would not exist, because it would be so easy to find. Finding a smoking gun doesn't mean it's the only gun.
Agreed. In medicine, tissue samples are destroyed to prevent any risk of anything. Whether or not the risk is low is immaterial. If you destroy the samples, you destroy the risk.
If anyone wants to gamble their career on a potential risk that's fine...me though...nah. If I can remove the risk entirely, I will. If I can't, the client signs a waiver absolving me of consequences.
Yeah, nah, yeah, nah, yeah.
In my 20 year experience, I've rarely seen a 100% success from a tape restore. Tapes just don't get replaced often enough and aren't properly tested because...time.
Restoring terabytes from tape then checksumming everything wastes a horrendous amount of time.
That said, your managed service provider loves tape backups because it's money for nothing.
Most businesses hated tapes.
With good reason. They are time-consuming and pretty unreliable (even doing trial restores every couple of months won't catch all the bad tapes) and are generally a pain in the backside.
Hands up all those that have had a critical restore fail (or take far, far longer than it should) because the one tape that holds the most recent version of $DEAD_FILE is corrupted or otherwise unreadable?
[Hand up].
Even after reading that RYUK link, I'm unclear how software that doesn't know administrative passwords can tear a network up.
Sure, occasionally a massive vuln is found, like those colourfully named tools that WannaCry used, and maybe there's some open network drives it can play in, but....
Know what I'm sayin'?
The link says at one point:
step 2 - escalate privileges until it is an administrator
yeah how?
I'd have thought ransomware's main area of success would be home computers, where everyone and their dog (or teenage son) is an admin and will click anything, and have lots of irreplaceable docs and no backup.
There are enough vulnerabilities out there to escalate privileges. Malware can use unpatched buffer overflow vulnerabilities etc. to push up their rights for the local machine. If they can use an unpatched CIFS/SMB flaw, they can escalate their privileges on the remote file server as well.
Even without that, if you infect enough PCs and make it a co-ordinated attack on the network, you will get access to a vast majority of the shared user data on the network drives.
If one of the infected PCs is being used by a domain administrator, you have already lost, as it will have complete access - it can use the hidden, system level shares on the servers and other PCs to spread itself.
That is why best practice these days is never to log onto a local PC with domain level administrator rights and to have a separate PC / VM used purely for administration, with no other software on it and not used for email, data transfers or web browsing.
A home PC just isn't worth it. Most people wouldn't pay, and if they did, they wouldn't pay very much. You would be nickel and diming thousands of PCs to get the equivalent of one corporate take-down. That isn't to say that it can't/won't happen, but they aren't the primary target.
Finds local admin on one machine. Attempts to jump from that machine to another and discovers all local admin passwords are the same. Eventually finds a machine where a domain admin was once logged on. Uses Mimikatz to get the hash of the domain admin. Domain admin has an easy password. Cracks it. They now own the network with that domain admin account.
From there they can create dummy accounts and then delete logs. Then edit the odd service or two on some servers that give them read/write permissions on the service for write DAC and write owner. This then gives them a hidden backdoor; unless you're looking for that, you wouldn't see it. They can then use that service, even as a non-admin, to restart the service to run their own code. Then change the settings back, leaving the write DAC and write owner as their secret backdoor.
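An added example, not from the thread, of the check a defender would run for the service-permission backdoor described in the comment above: it audits every local service's DACL for WRITE_DAC or WRITE_OWNER (and, going a step beyond the comment, SERVICE_CHANGE_CONFIG, which yields the same outcome directly) granted to principals outside an assumed trusted list. Assumptions: Windows PowerShell 5.1 or later, sc.exe on the path, and the principal list in $trusted is a placeholder to adjust for your environment.

```powershell
# Added example: audit service DACLs for rights that let a non-admin re-grant
# themselves control of a service later. Not code from the original thread.
$WRITE_DAC             = 0x40000      # change the service's permissions
$WRITE_OWNER           = 0x80000      # take ownership, then change permissions
$SERVICE_CHANGE_CONFIG = 0x00002      # change binary path / start type directly
$GENERIC_ALL           = 0x10000000   # implies all of the above

# Assumption: principals expected to hold these rights; adjust per environment.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller')

function Get-ServiceDaclFindings {
    param([string[]]$ServiceName = (Get-Service | Select-Object -ExpandProperty Name))
    foreach ($name in $ServiceName) {
        # sc.exe (not the 'sc' alias for Set-Content) prints the SDDL on a line starting D:
        $sddl = (sc.exe sdshow $name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }   # access denied or no such service

        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            $mask = $ace.AccessMask
            $rights = @()
            if ($mask -band $WRITE_DAC)             { $rights += 'WRITE_DAC' }
            if ($mask -band $WRITE_OWNER)           { $rights += 'WRITE_OWNER' }
            if ($mask -band $SERVICE_CHANGE_CONFIG) { $rights += 'SERVICE_CHANGE_CONFIG' }
            if ($mask -band $GENERIC_ALL)           { $rights += 'GENERIC_ALL' }
            if ($rights.Count -eq 0) { continue }

            # Resolve the SID to a name; fall back to the raw SID for orphaned accounts.
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.SecurityIdentifier.Value }
            if ($trusted -contains $who) { continue }

            [pscustomobject]@{
                Service   = $name
                Principal = $who
                Rights    = ($rights -join ',')
                Sddl      = $sddl
            }
        }
    }
}

# Any row here deserves a look: a non-privileged principal that can rewrite the DACL
# can restore full control to itself at any time, however the service looks right now.
Get-ServiceDaclFindings | Format-Table -AutoSize
```

Run it elevated and compare the output against a known-good baseline taken at build time; a row that appears later is the change the comment above warns about.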
Someone got phished. This is how it starts. This is how they get a toehold. We used a system whereby we took external snapshots on a device that could spin up any of the snapshots as a virtual machine. The system also kept those snapshots on a private cloud and could be spun up from there as well. Windows has enough vulnerabilities that once on a machine, that's all it needs.
I can absolutely tell you that it does not need someone to be phished to gain access. We bought a company not long ago and discovered that at some point they'd been ransomwared (they got hit by CrySis). For some reason they'd left the encrypted files on the server under the assumption they'd be able to decrypt them at some future point. They restored from their backups, so I'm not sure what benefit keeping the encrypted files would have. Once we got their hardware set up at our head office we decided to keep the servers separate from ours; turns out that was a wise decision, as they then got hit by Phobos. What's interesting though is that both ransomware attacks used the same attack vector, by brute forcing their way through the firewall using an RDP vuln. After the first attack they'd failed to patch the firewall, leaving the attack vector wide open for a later attack. Also turns out they'd failed to patch the servers, which meant the RDP settings weren't secure either. Hindsight is wonderful, but looking back I'm so glad I took the decision to ensure the 2 domains were on separate networks.
It's easy to blame the IT staff, but more often the fault is at the top. When company heads don't see the value in their IT dept, they don't hire enough bodies to do more than just respond to constant business-stopping emergencies. Or they may offer the bare minimum salary, and only get kids with no experience and minimal knowledge, so the company ends up getting the mess they deserve.
> Even after reading that RYUK link, I'm unclear how software that doesn't know administrative passwords can tear a network up.
From personal experience of a polymorphic virus about ten years back I'd say that anything can do a heck of a lot of damage without needing administrative passwords.
Programs executed in userspace can encrypt everything on file shares that the users have access to. Obvious, since it happens all the time with ransomware. But less obviously they can also alter files to append a copy of a virus to those files, which is worse, especially if it lies dormant for a set time before going live.
If you get everything on a file share with a virus attached and then an administrator opens anything on that file share then the payload executes, and you gain a new user to infect from. Shit hits the fan when somebody with domain admin privileges opens a file, since it then infects everything, everywhere.
Of course, it's actually easy to stop with tools available out of the box with Windows; put a software restriction policy in saying you can run executables in %windows% or %program files%, but not anywhere else. Virus infections will come to an immediate and abrupt halt since even if an end user tries to run a trojan horse attached to an email it can't actually do anything.
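An added example, not from the thread, of the default-deny Software Restriction Policy the comment above describes, written to the local-policy registry keys that the Group Policy editor populates. Assumptions: the key layout below (DefaultLevel 0 = Disallowed, subkey 262144 = Unrestricted path rules) matches what secpol.msc writes; registry-path rules are used instead of %WINDIR%-style variables because a user can redefine environment variables for their own processes. Try it on a lab VM before any production machine.

```powershell
# Added example: local default-deny SRP allowing only the OS and Program Files
# directories, as the comment suggests. Not code from the original thread.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Registry-path rules resolve to the real install directories at evaluation time.
$allowPaths = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
)

function Set-DefaultDenySrp {
    New-Item -Path $base -Force | Out-Null
    # 0 = Disallowed: anything not matched by an Unrestricted rule will not run.
    Set-ItemProperty -Path $base -Name DefaultLevel        -Type DWord -Value 0
    # 1 = executables only (what the comment asks for); 2 would also cover DLLs.
    Set-ItemProperty -Path $base -Name TransparentEnabled  -Type DWord -Value 1
    # 0 = apply to all users; set 1 to exempt local administrators (weaker).
    Set-ItemProperty -Path $base -Name PolicyScope         -Type DWord -Value 0
    Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Type DWord -Value 0

    # Unrestricted (0x40000 = 262144) path rules live under this subkey.
    $unrestricted = Join-Path $base '262144\Paths'
    New-Item -Path $unrestricted -Force | Out-Null
    foreach ($p in $allowPaths) {
        $rule = Join-Path $unrestricted ('{' + [guid]::NewGuid().ToString() + '}')
        New-Item -Path $rule -Force | Out-Null
        Set-ItemProperty -Path $rule -Name ItemData     -Type ExpandString -Value $p
        Set-ItemProperty -Path $rule -Name SaferFlags   -Type DWord        -Value 0
        Set-ItemProperty -Path $rule -Name Description  -Type String       -Value 'Allow OS/program directories'
        Set-ItemProperty -Path $rule -Name LastModified -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc())
    }
}

function Test-SrpDefaultDeny {
    # Reads the policy back: default level must be Disallowed and allow rules present.
    $level = (Get-ItemProperty -Path $base -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    $rules = @(Get-ChildItem -Path (Join-Path $base '262144\Paths') -ErrorAction SilentlyContinue)
    return ($level -eq 0) -and ($rules.Count -ge 2)
}

Set-DefaultDenySrp
Test-SrpDefaultDeny   # expected: True; policy applies to processes started after a logoff/reboot
```

The gap the comment glosses over is anything legitimately run from a user-writable location (installers in Downloads, per-user apps under %LOCALAPPDATA%); those need their own hash or publisher rules, otherwise users will be blocked as thoroughly as the trojan.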
Tell me about it. I was in charge of cleaning up all the firewall drops from systems in a *very* secure environment.
One of the AD servers was making outbound DNS connections to public IPs (or rather trying to) so I alerted the AD admins. They couldn't stop it, so they asked M$ and they said, and I quote, "that's normal behaviour". WTF?!
Credential stealing. It starts with low level credentials, moves to a network share, infects another machine, steals those credentials then onwards and upwards.
Usually a Trojan/dropper infects the network first before RYUK enters the network. That benign Trojan/dropper does all the recon first. Then when enough machines are infected RYUK is dropped.
> step 2 - escalate privileges until it is an administrator
> yeah how?
Take a look at the NVD. Microsoft have published 125 CVEs so far this year alone that describe privilege elevation vulnerabilities. That's 125 elevation mechanisms from Microsoft alone in the past nine months.
And that says nothing about the number of unpublished ones; about the number of vulnerabilities published in prior years that many organizations haven't patched yet; about the vast number of vulnerabilities in the vast number of third-party software packages running with excess privilege. Hell, plenty of people out there are habitually running web browsers elevated, because they can't be bothered not to.
And if an attack just gets local elevation (by compromising a local-admin user account, or a service running as LOCAL_SYSTEM, etc.), then it's not difficult to social-engineer a domain admin into logging in (usually by making things malfunction until the user calls the help desk), and then to use Mimikatz or similar to harvest the creds.
Other OSes are for the most part not in much better shape. Even, say, z/OS, where a number of organizations have famously been compromised due to insufficient control over APF-authorized libraries that let attackers elevate. (Mainframe security researchers such as Dominic White and Phillip Young have documented and analyzed these attacks; the details are readily available.)
That would be nice, but I doubt it.
If you could get only one or two paying victims a year you'd still get $500k+. Tax free. On top of that, if the criminal is based in some island nation even a lower amount would allow them to live like kings.
Much like with telemarketing calls and phone scams. The success ratio is staggeringly low, but it still pays off.
Exactly. The economics of ransomware strongly favor continuing the attacks even if individual attacks have a low success rate. Just like spam and classic 419-style phishing.
A while back I got severely down-voted for posting this, but I still believe in it.
I think a Federal law should be passed making it illegal (jail time) to pay a ransom for data/systems. This would, hopefully, result in:
1) IT managers and system admins would know that there is not an option to "just pay the ransom". Maybe they would actually get their shit together and properly secure their systems like this city did?
2) The criminals would find that their income suddenly stopped coming in from ransomware.
The big problem right now is that the attitude of "oh well, our insurance will just pay the ransom for us" is perpetuating the problem. And as long as the cyber-criminals keep getting rich from it, it's never going to stop.
I can't decide whether I'm in favor of this, but it's an interesting thought.
It would be better, I think, to criminalize negligence. Not only for the companies, but also for its officers. If it can be proven that they were personally aware (or made aware) and still declined to take action there should be fines and possibly jail time. Too often breaches are blamed on the lower echelons, while they in fact often reported vulnerabilities to management without any action resulting. At one point there was a bill to this effect pending in Massachusetts, but I don't think it passed.
Secondly, insurance companies should require due diligence and decline the claim if a company has failed in this regard.
Thirdly, auditors (government, insurance, and third party) need to talk to the people 'on the floor' - below the level of manager. Under oath, preferably. Now THAT would yield some shocking information.
> If it can be proven that they were personally aware (or made aware) and still declined to take action there should be fines and possibly jail time.
That's been the downfall of many laws. It's extremely difficult, bordering on impossible to prove someone was aware of something.
No matter how many e-mails, it's easy to say they didn't see them, or (if they replied) skipped over the important parts. It's trivial to insist that verbal conversations never happened, or your recollection of the discussion was very different than the dozens of other witnesses'.
That's why lawyers make so much money. So many laws can be weaselled out of, with sufficient effort and lack of scruples.
> So many laws can be weaselled out of, with sufficient effort and lack of scruples.
Effort generally not even required. When they have no morals, scruples, (soul, etc.) and are willing to compound lies on top of lies, even under oath, it's a tough nut to crack.
Corporate execs, politicians, etc. have made a killing (sometimes literally) abusing the assumption that laws will be followed, people act in good faith, etc.
It is human nature to take bigger risks when you believe you have safety mechanisms to catch things. People come to rely on their safety systems - and then push them beyond their limits.
What you wouldn't do in bare feet - you would do in steel toe-capped boots. Unfortunately that might lead you to either overestimate the strength of your caps - or forget you are wearing ordinary boots.
> as long as the cyber-criminals keep getting rich from it, it's never going to stop
It's never going to stop, period. The rate of return can be very low and ransomware will still make economic sense for the attackers. Their costs (including risk) are already very low, and their marginal costs for attempting more infections are nearly zero. So it only makes sense to continue trying to infect systems even if the vast majority of victims don't pay.
And it's likely that already a significant portion of the attacks are being carried out automatically by botnets. It's even possible that whoever controlled some of the receiving cryptocurrency accounts has lost access to them one way or another, and some ransoms are simply becoming orphaned cryptocoin - lost money. We know this has happened in some other attack categories, where zombie botnets continue to attack systems with no humans still operating C&C for them.
And historically outlawing behaviors motivated by immediate need (real or perceived) has not been very successful. It hasn't helped with addictive behaviors. It hasn't done much to curb bribery or extortion payments in other domains.
Prosecuting people for paying ransoms would be politically unpopular.
"For New Bedford, no ransom was paid but Mitchell said he expects further costs in terms of MIS staffing."
So, the reward for the MIS team that recovered without ransom is reductions in staff? That's the short-sighted decision-making I know and ... well, not love ... from civil servant budget people!
You were treated out of network (heh) and four specialists were called in - although you knew nothing of that decision. The total cost of treating your malwaria, is $250.000, of which we think $1000 is a fair contribution from us, your insurers.