Ransomware is a major threat to businesses, governments, and individuals. It is a type of malware that targets computer systems and encrypts the files on them. The attackers then demand payment, usually in the form of cryptocurrency, for the decryption keys. Ransomware attacks have become increasingly common, and they can have serious consequences if not addressed quickly and effectively. In this blog post, we will explore the dangers posed by ransomware and the importance of incident response in dealing with cyber threats.
What is Ransomware?
Ransomware is a type of malware that encrypts the files on a computer system and demands payment for the decryption keys. There are different types of ransomware, but they all work in a similar way: once the malware infects a system, it encrypts the files and displays a message on the victim’s screen, demanding payment in exchange for the decryption keys. In many cases, the attackers threaten to delete the files if the ransom is not paid.
Ransomware attacks can be devastating for organizations and individuals. They can cause major disruptions to business operations, resulting in financial losses and reputational damage. In some cases, they can also result in the loss of sensitive data, which can have legal and regulatory implications.
How Does Ransomware Spread?
Ransomware can spread in a variety of ways, including phishing emails carrying malicious attachments, compromised websites, trojanised software downloads and, as the M.E.Doc case discussed below shows, hijacked software updates. It often exploits vulnerabilities in unpatched software or operating systems. Once ransomware is running on one system it can quickly spread to other hosts and network resources, using stolen credentials or unpatched services (the SMB flaws fixed by MS17-010 are the example covered below).
Why Is Incident Response Important?
Incident response is the process of responding to cyber threats and minimizing their impact. It involves a coordinated effort between IT professionals, security teams, and other stakeholders to detect, contain, and mitigate the damage caused by a cyber attack.
An effective incident response plan is critical for dealing with ransomware attacks. It can help organizations minimize the impact of an attack and reduce the time it takes to recover from it. A good incident response plan should include the following steps:
1. Detection: The first step in incident response is detecting the attack. This can be done with the help of security tools, monitoring systems, and user reports.
2. Containment: Once an attack has been detected, the next step is to contain it. This involves isolating the infected systems or devices to prevent the attack from spreading further.
3. Investigation: After the attack has been contained, the next step is to investigate it. This involves identifying the type of ransomware, how it entered the system, and what files have been encrypted.
4. Recovery: Once the investigation is complete, the next step is to recover from the attack. This involves restoring the affected systems or devices from known-good backups (onto wiped or rebuilt hosts), decrypting files only where a key or a reputable free decryptor is actually available, and patching the vulnerabilities that the attackers exploited so the same entry point cannot be reused.
5. Post-incident analysis: The final step is to conduct a post-incident analysis to identify areas for improvement in the incident response plan.
Conclusion
Ransomware is a serious threat to organizations and individuals. It can cause significant financial and reputational damage, as well as the loss of sensitive data. Incident response is critical for dealing with ransomware attacks and minimizing their impact.
To protect against ransomware, organizations should take a proactive approach to cybersecurity. This includes keeping software up-to-date, training employees on how to recognize phishing attacks, and implementing security measures such as firewalls and antivirus software.
In conclusion, ransomware attacks are here to stay, and the best defense is preparation. By being prepared and having an effective incident response plan in place, organizations can reduce the risk of a successful attack and minimize its impact if one does occur.
In the face of increasing ransomware attacks, it has become essential to understand how to respond to such threats effectively. If you suspect ransomware on a system, act promptly and follow the response steps below to limit the impact and recover data. First, disconnect the infected system from the network (wired and wireless), not just from the internet, to stop the ransomware propagating to other hosts; and avoid rebooting it, since some families (the NotPetya case later on this page is one) only run their disk-level encryption after a scheduled reboot, so staying up buys time. Next, identify the ransomware family from the file extension it appends or the ransom note it leaves on the system, and gather as much information about it as possible to determine the appropriate response.
If adequate backups of the affected data are available, restore from them, but only onto rebuilt or verified-clean systems and only after the initial entry point has been closed, otherwise the restored data will simply be encrypted again. Verify the integrity of the backups before relying on them and scan the restored systems for any remaining traces of the ransomware. If backups aren't available, consult IT security professionals about possible decryption tools or approaches. Decryption tools can be risky and may cause additional damage, so they should only be used under expert guidance and, ideally, against a copy of the encrypted data.
If ransom payment is considered, it is strongly advised to consult law enforcement and IT security experts before proceeding. Ransom payment may not guarantee the safe recovery of data and can incentivize further ransomware attacks. After recovery, it’s essential to assess and improve system security to prevent future ransomware threats. Regularly updating software, implementing firewalls and antivirus programs, and educating employees on best cybersecurity practices can significantly reduce the risk of ransomware attacks.
To sum it up, responding to ransomware requires a quick response, identifying the ransomware type, restoring backups, consulting IT security professionals for decryption, considering legal and expert advice before making ransom payment, and implementing improved system security measures. Taking these steps can ensure an effective response to ransomware attacks and protect data from future threats.
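The advice above to verify backup integrity before trusting a restore is easy to say and rarely done. The following is an added example, not code from the original post: it takes a SHA256 manifest of a directory at backup time, then checks a restored copy against it and reports files that are missing, changed or unexpected. The directory contents and the "post-incident" damage in demo() are constructed for the example.

```python
"""Hash manifest for a backup, and a check of a restore against it.

Added example (not from the original post). A file whose digest changed
between backup and restore is exactly what an encrypted-in-place backup
looks like; a file that appeared from nowhere is typically a ransom note.
The files written in demo() are constructed for the example.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Streaming SHA256 so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: take a manifest, damage the tree, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.xlsx").write_bytes(b"constructed ledger bytes\n")
        (src / "readme.txt").write_bytes(b"constructed readme\n")

        # Manifest is written out and read back, as it would be when stored
        # offline (it must not live on the same share the attacker can reach).
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        # Simulate a bad restore: one file encrypted in place, one file gone,
        # and a ransom note nobody asked for.
        (src / "finance" / "ledger.xlsx").write_bytes(b"\x00\xffgarbage after encryption\n")
        (src / "readme.txt").unlink()
        (src / "README_DECRYPT.txt").write_bytes(b"constructed ransom note\n")

        return verify_restore(src, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest with the offline copy of the backup, not on the file server it describes; an attacker who can encrypt the share can just as easily rewrite a manifest sitting next to it.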
Well not really, but I’m going to write a series of posts that will all tie together, which can be a very useful tool for anyone interested in having a security home lab, or even in a new or established security operations centre.
I am going to be using open source software, and showing how the tools can be used together to create a pretty awesome environment that, in my opinion, rivals, if not betters, many of the paid and expensive tools in the security industry.
Over the next few weeks and months, I will create guides for the following.
I’m not necessarily going to create guides in the order listed above; however, I will be starting with Cuckoo.
Cuckoo is a fun place to start, as you can get a pretty awesome malware sandbox analysis tool up and running in a fairly short amount of time and see real results and benefits from it. There are so many ways you can customise it and get it working the way you want in your own environment. Why pay a third party for your malware analysis when you can have a free and powerful version of your own?
Anyhow, enough jibber jabbing. Time for the first update!
The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.
This is another good article and write up by Talos.
It gives a lot more useful insight into how this happened. Another good read; it will be interesting to see how this continues to develop over the next few days and weeks.
I came across an interesting article today, with regards to the Petya / NotPetya cyber attack from last week. This is a very good write up and analysis of how the organisation M.E.Doc appears to have been compromised and used to spread the malware in a series of updates for the software it produces.
This demonstrates how devastating these types of compromises can be, and how difficult it is, as a defender, to identify and stop this type of attack if you happen to be its target: the malicious code arrives through the same signed update channel you rely on for legitimate software.
On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 in bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.
Another good write-up by Bleeping Computer that contains more information.
Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc’s web host, Wnet, a company that has been accused of having ties to Russia’s intelligence service (FSB).
An investigation into the man’s accusations revealed that the SBU had raided the web host on June 1, for “illegal traffic routing to Crimea in favor of Russian special services.”
I’ll just put this up here to summarise what happened and how.
We assume 1 PC was infected, that machine provided the virus with some credentials. Could have been a workstation admin’s account, giving the virus admin rights to all PCs in the local area. Over time, it must have picked up Domain Admin rights as it spread, then hitting Domain Controllers and all other Windows servers with its PSEXEC/WMIC code. The rest is history. We lost PCs that were encrypted with McAfee Disk Encryption due to corrupted MBR, PCs that were not encrypted with McAfee showed the ransom message.
This is a good demonstration of why everything needs to be 100% patched, not nearly patched. It is difficult to keep older machines patched and updated in an enterprise environment; however, when these systems are designed and implemented we should be considering how we are going to update them and keep them secure, otherwise we will have to deal with the events described above again and again.
During the afternoon it emerged that the “PetrWrap/Petya” malware is currently spreading quickly in many places, including Ukraine.
Here are the facts that we can contribute to “PetrWrap/Petya”:
– Since midday it is no longer possible for the blackmailers to access the email account or send emails.
– Sending emails to the account is no longer possible either.
It’s never a good idea to pay the ransom. Even if the attackers had intended to hand over your decryption key, they are no longer even receiving your email.
This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners.
We are grateful for the help of all those who sent us the data, links and information.
Together we can make this world a better place!
Looks like if you block C:\Windows\perfc.dat from writing/executing - stops #Petya. Is used for rundll32 import.
https://twitter.com/HackingDave/status/879779361364357121
Local kill switch - create file "C:\Windows\perfc"
It kills the WMI vector. You still need to patch MS17-010 for full protection.
PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped and is legit PSEXEC bin
Remote WMI: process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
Log clean: "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:"
Creates a scheduled task that reboots 1 hour after infection. If task removed before the hour, does not reschedule and can buy time
Petya also attempts to kill Exchange and MySQL if they are running. If you host either of these services and notice them die, this is part of its infection process (svchost.exe) // by Mike "Bones" Flowers:
Exec: C:\windows\system32\cmd.exe
Params: /c taskkill.exe /f /im Microsoft.Exchange.*
Exec: C:\windows\system32\cmd.exe
Params: /c taskkill.exe /f /im MSExchange*
Exec: C:\windows\system32\cmd.exe
Params: /c taskkill.exe /f /im sqlserver.exe
Exec: C:\windows\system32\cmd.exe
Params: /c taskkill.exe /f /im sqlwriter.exe
Exec: C:\windows\system32\cmd.exe
Params: /c taskkill.exe /f /im mysqld.exe
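Every host-side behaviour listed above (rundll32 loading perfc.dat locally, via WMIC or via the renamed PsExec, the wevtutil/fsutil log wipe, the taskkill against Exchange/SQL/MySQL, and the scheduled reboot) shows up as a command line in process-creation telemetry, so it can be caught there before the reboot finishes the job. The following is an added example and not part of the gist or of any vendor tooling: a small rule set run over JSON-encoded process-creation events. The events are constructed for the example; the exact shape of the schtasks command line is an assumption, since the gist only says a reboot task is created.

```python
"""Flag NotPetya-style commands in process-creation events.

Added example (not from the gist above). The patterns are lifted from the
behaviours listed on the page; the JSON events in SAMPLE_EVENTS are
constructed, and the schtasks line is an assumed shape.
"""
import json
import re
from typing import Dict, List, Tuple

RULES: List[Tuple[str, "re.Pattern"]] = [
    # rundll32 (local, via WMIC, or via psexec) loading perfc.dat export #1
    ("perfc_rundll32", re.compile(r"rundll32(\.exe)?\b.*\\perfc(\.dat)?\b.*#1")),
    # renamed PsExec binary dropped to %PROGRAMDATA%
    ("psexec_dllhost_dat", re.compile(r"\\dllhost\.dat\b")),
    # clearing Setup/System/Security/Application event logs
    ("eventlog_wipe", re.compile(r"wevtutil\s+cl\s+(setup|system|security|application)\b")),
    # deleting the NTFS USN change journal
    ("usn_journal_delete", re.compile(r"fsutil\s+usn\s+deletejournal")),
    # killing Exchange / SQL Server / MySQL before the reboot
    ("taskkill_db_mail", re.compile(
        r"taskkill(\.exe)?\s+/f\s+/im\s+"
        r"(microsoft\.exchange\.|msexchange|sqlserver\.exe|sqlwriter\.exe|mysqld\.exe)")),
    # one-off scheduled task that reboots the host (assumed command shape)
    ("schtasks_reboot", re.compile(r"schtasks(\.exe)?\b.*\bshutdown(\.exe)?\s+.*/r\b")),
]


def classify(command_line: str) -> List[str]:
    """Names of every rule the (case-folded) command line matches."""
    cl = command_line.lower()
    return [name for name, rx in RULES if rx.search(cl)]


def scan_events(json_lines: List[str]) -> List[Dict[str, object]]:
    """Run the rules over JSON process-creation events; one hit per event."""
    hits: List[Dict[str, object]] = []
    for line in json_lines:
        ev = json.loads(line)
        names = classify(ev.get("CommandLine", ""))
        if names:
            hits.append({"host": ev.get("Computer"), "image": ev.get("Image"), "rules": names})
    return hits


def _ev(host: str, image: str, cmd: str) -> str:
    """Constructed Sysmon-style event (EventID 1) as a JSON line."""
    return json.dumps({"EventID": 1, "Computer": host, "Image": image, "CommandLine": cmd})


SAMPLE_EVENTS = [
    _ev("WS01", r"C:\Windows\System32\rundll32.exe",
        r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat" #1'),
    _ev("WS01", r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & "
        r"wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"),
    _ev("WS01", r"C:\Windows\System32\schtasks.exe",
        r'C:\Windows\System32\schtasks.exe /Create /SC once /TN "" '
        r'/TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'),
    _ev("WS01", r"C:\ProgramData\dllhost.dat",
        r"C:\ProgramData\dllhost.dat \\FS02 -accepteula -s -d "
        r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1"),
    _ev("FS02", r"C:\Windows\System32\cmd.exe",
        r"C:\windows\system32\cmd.exe /c taskkill.exe /f /im Microsoft.Exchange.*"),
    # benign noise: an ordinary service host and a user killing notepad
    _ev("WS03", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    _ev("WS03", r"C:\Windows\System32\taskkill.exe", r"taskkill /f /im notepad.exe"),
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The rules are deliberately narrow: a plain `taskkill /f /im notepad.exe` or a `wevtutil qe Security` query does not fire, so the alert volume stays low enough that someone will actually look at a hit from a domain controller.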
The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)
Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism. Note that this only closes the exploit path; the credential-theft plus PsExec/WMIC spread described further down works against fully patched hosts.
Test local account behavior [NOT TESTED]:
Don’t know if you have also noticed, but it only encrypted the MFT records for my test user account profile folders, the default Windows accounts Administrator, default user etc were all untouched, my test account was local so I don’t know what behaviour would be expected for domain account profile folders.
100% on the sample I used, on a standalone computer: user files were encrypted prior to reboot, the malware was not able to escalate privileges to deploy the MFT encryption payload, and no instructions were deposited about recovering these files.
wowsmith123456@posteo.net
iva76y3pr@outlook.com // by WhiteWolfCyber
carmellar4hegp@outlook.com // by WhiteWolfCyber
amanda44i8sq@outlook.com // by WhiteWolfCyber
gabrielai59bjg@outlook.com
christagcimrl@outlook.com
amparoy982wa@outlook.com
rachael052bx@outlook.com
sybilm0gdwc@outlook.com
christian.malcharzik@gmail.com
Email forms and attachment:
The subject is formed as follows (for a target "target.emailName@targetDomain.com"):
target.emailName
The body:
Hello target.emailName,
You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089
With appreciation!
Prince
Attached file name:
Scan_target.emailName.doc
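The lure template above has a few stable traits a mail gateway can score on: the subject is nothing but the recipient's local part, the attachment is an Office document named after the recipient, and the body hands over the password for that attachment together with a billing threat. Here is an added example, not part of the gist, of a standard-library scorer built on exactly those traits; the two messages it scores are constructed for the example, and the threshold of three indicators is an assumption you would tune against your own mail flow.

```python
"""Score a raw RFC 822 message against the lure traits listed above.

Added example (not from the gist). Both sample messages are constructed;
the password/urgency wording is taken from the template on the page.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List

PASSWORD_RE = re.compile(r"\bpassword\s+is\s+\d{3,}", re.IGNORECASE)
URGENCY_RE = re.compile(r"will be billed|to avoid it|momentarily", re.IGNORECASE)
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".hta")
QUARANTINE_AT = 3  # assumed threshold


def score_message(raw: bytes) -> Dict[str, object]:
    """Parse one message and report which lure indicators it trips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    local = recipient.split("@")[0]
    subject = str(msg.get("Subject", "")).strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    attachments: List[str] = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

    indicators = {
        "subject_is_recipient_local_part": bool(local) and subject == local,
        "office_attachment_named_after_recipient": any(
            local and local in name and name.endswith(OFFICE_EXT) for name in attachments),
        "password_for_attachment_in_body": bool(attachments) and bool(PASSWORD_RE.search(body)),
        "billing_urgency_wording": bool(URGENCY_RE.search(body)),
    }
    score = sum(indicators.values())
    return {
        "recipient": recipient,
        "attachments": attachments,
        "indicators": indicators,
        "score": score,
        "verdict": "quarantine" if score >= QUARANTINE_AT else "deliver",
    }


def build_lure(local: str, domain: str) -> bytes:
    """Constructed message in the shape the gist describes."""
    msg = EmailMessage()
    msg["From"] = "Prince <prince@example.invalid>"
    msg["To"] = f"{local}@{domain}"
    msg["Subject"] = local
    msg.set_content(
        f"Hello {local},\n\n"
        "You will be billed $ 2,273.42 on your Visa card momentarily.\n"
        "Go through attachment to avoid it.\n"
        "Password is 6089\n\n"
        "With appreciation!\nPrince\n")
    msg.add_attachment(b"constructed placeholder, not a real document",
                       maintype="application", subtype="msword",
                       filename=f"Scan_{local}.doc")
    return msg.as_bytes()


def build_benign(local: str, domain: str) -> bytes:
    """Constructed ordinary supplier invoice for comparison."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@supplier.invalid>"
    msg["To"] = f"{local}@{domain}"
    msg["Subject"] = "Invoice 2017-0612"
    msg.set_content("Hi,\n\nPlease find this month's invoice attached.\n\nRegards,\nAccounts Payable\n")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="invoice-2017-0612.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure("jane.doe", "example.com"), build_benign("jane.doe", "example.com")):
        print(score_message(raw))
```

A password-protected Office attachment whose password is in the body is worth a rule on its own: it defeats attachment sandboxing and AV on the gateway, and there is almost never a legitimate reason for a stranger to send one.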
Sagan log analysis rules for the detection by Quadrant Information Security (quadrantsec.com) – Note: These are NOT Snort/Suricata rules! See http://sagan.io for more details:
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5ee4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;)
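The hash lists inside those Sagan rules are just as useful off the log pipeline, for sweeping a file share or a quarantined disk image. The following is an added example and not part of the gist, of Sagan, or of Quadrant's rules: it pulls the meta_content digests out of the rule text, buckets them by length (32 hex characters is MD5, 40 is SHA1, 64 is SHA256) and hashes every file under a directory with all three algorithms. Bucketing by length also sorts out the SHA256 digest that sits in the page's SHA1 rule. RULE_TEXT is the SHA256 and MD5 rules copied from the page (the SHA1 rule can be pasted in the same way); the files scanned in demo() are constructed, and one of them only matches because its own SHA256 is planted in the IOC set to show what a hit looks like.

```python
"""File-hash IOC scanner fed from the Sagan rules above.

Added example (not part of the gist or of Sagan). RULE_TEXT is copied from
the page; the files in demo() are constructed and the "hit" is planted.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

RULE_TEXT = r'''
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)
'''

META_RE = re.compile(r'meta_content:\s*"%sagan%",([^;]+);')
HEX_RE = re.compile(r"^[0-9a-f]+$")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def extract_hashes(rule_text: str) -> Dict[str, Set[str]]:
    """Digests from every meta_content list, keyed by algorithm.

    Buckets by length, so a SHA256 that slipped into a "SHA1" rule lands in
    the right set; non-hex tokens such as filenames are ignored.
    """
    iocs: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for m in META_RE.finditer(rule_text):
        for token in m.group(1).split(","):
            token = token.strip().lower()
            algo = ALGO_BY_LEN.get(len(token))
            if algo and HEX_RE.match(token):
                iocs[algo].add(token)
    return iocs


def hash_file(path: Path) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of one file in a single pass."""
    digests = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def scan_tree(root: Path, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(relative path, algorithm, digest) for every file whose digest is an IOC."""
    matches: List[Tuple[str, str, str]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for algo, value in hash_file(path).items():
            if value in iocs[algo]:
                matches.append((path.relative_to(root).as_posix(), algo, value))
    return matches


def demo() -> Dict[str, object]:
    """Parse the rules, then scan two constructed files with one planted hit."""
    iocs = extract_hashes(RULE_TEXT)
    rule_counts = {algo: len(s) for algo, s in iocs.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"constructed benign file\n")
        planted = root / "perfc.dat"
        planted.write_bytes(b"constructed stand-in, not the real payload\n")
        iocs["sha256"].add(hash_file(planted)["sha256"])  # plant the hit
        matches = scan_tree(root, iocs)
    return {"rule_counts": rule_counts, "matches": [(name, algo) for name, algo, _ in matches]}


if __name__ == "__main__":
    print(demo())
```

Hash IOCs only catch the exact samples that were shared; the attacker changes one byte and the list is stale. They are cheap to check, though, and a match on a sweep of a file server is a reliable starting point for the timeline.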
To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.
Other observed infection vectors include:
A modified EternalBlue exploit, also used by WannaCry.
The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.
IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.
Petya uses memory injection as an evasive technique to bypass existing defenses. Attackers often use this method to hide in legitimate processes on the endpoint by injecting malicious code into the memory of non-malicious applications. Sometimes referred to as fileless malware, these threats avoid being detected by file-based detection tools, as the malicious code manipulates the memory stack to achieve malicious actions without actually placing the malicious program on the file system.
In the case of Petya, the executable creates another instance of itself and injects decrypted code into it.
In what is a somewhat amusing statement (and, I am sure, not the whole of the conversation), Putin suggests that it comes down to patriotic individuals acting on their own when they feel negative comments have been made about Russia.
Responding to a question about concerns in Germany that Russian hackers could meddle in that country’s upcoming federal elections, Putin said it was “theoretically possible” that “patriotic” hackers could attack those who “speak negatively about Russia.”
“At a government level, we are never engaged in this. That’s the most important thing,” Putin said at the televised meeting, which was held during Russia’s annual St. Petersburg International Economic Forum. He added that hackers could come “from any country in the world.”
As per my previous update, the idea behind what they wanted to do was a good one, but legally not so much. It seems that as humans we just cannot get around to doing the right thing and being proactive; we only understand how to react when things go wrong.
Whatever happened to the NSA warez crowdfunding idea? Statement on why we pulled the plug on the opensource crowdfunded #ShadowBrokers purchase pic.twitter.com/5DRbu1KUdA