Thought leadership. threat analysis, news and alerts.
Threat Focus: WastedLocker Ransomware
Garmin, an American multinational company that markets GPS navigation and wireless devices and applications, has reported a global outage on its systems since last July 23.
Last July 23, Garmin announced that it was experiencing an outage that affected Garmin Connect – a service that syncs users' activity and data to the cloud and other devices. Garmin also announced that the outage affected the company's call centers, cutting off the company's ability to respond to any calls, emails and online chats.
Last July 26, Garmin followed up its July 23 announcement. The statement said the company "has no indication that this outage has affected your data, including activity, payment or other personal information."
flyGarmin, Garmin's service that offers navigational software to pilots, in a separate statement said that last July 23 it also experienced a similar outage in which users couldn't access flyGarmin's website and call centers. flyGarmin specified that its Connext services, in particular, weather, data from the on-board Central Maintenance Computer (CMC), position reports were down; and Garmin Pilot apps, in particular, flight plan filing (unless connected to FltPlan, account syncing, database concierge) were down.
Based on its July 26 update, flyGarmin said that its website and mobile app are now operational, and that customer support can handle limited calls, but emails and chat supports are still unavailable.
While Garmin remains silent on what caused the global outage of its systems, BleepingComputer and TechCrunch reported that sources familiar with the Garmin outage investigation and company employees point to the direction that Garmin fell victim to WastedLocker ransomware.
A Garmin employee told BleepingComputer that they first learned of the attack when they arrived at their office last Thursday morning. As devices were being encrypted, employees were told to shut down any computer on the network, including computers used by remote workers that were connected via virtual private network (VPN), to prevent additional devices from being encrypted. As shown by the photo sent by a Garmin employee to BleepingComputer, the ".garminwasted" extension was appended to the file name of every encrypted file.
WastedLocker ransomware was first tracked in the wild in May of this year. This ransomware was named after the filename it creates which includes an abbreviation of the victim’s name and the word "wasted".
One of the known methods used by the group behind the WastedLocker ransomware is the use of fake software update that shows up on the users' computer screen when visiting certain legitimate websites. Malicious code is inserted by the group behind the WastedLocker ransomware on vulnerable websites, prompting unsuspecting users to click on the fake software updates that show up on their trusted websites.
Once a user clicks on this fake software update, the WastedLocker ransomware activates CobaltStrike – a commercial penetration testing tool that can be used by ethical security researchers as well as by malicious actors. This commercial penetration testing tool uses tools such as Metasploit and Mimikatz.
Metasploit is an open-source tool for probing vulnerabilities on networks and servers. It can easily be customized and used with most operating systems.
Mimikatz, meanwhile, is another open-source tool that gives out passwords as well as hashes and PINs from memory. This tool makes it easy for attackers to conduct post-exploitation lateral movement within a victim's network.
After exploring the weak spots and access credentials, the WastedLocker ransomware is then dropped into the victim's network or server. With WastedLocker ransomware, it isn't possible to get backup copy on the affected computer as this malicious software deletes shadow copies – the default backups made by Windows operating systems.
Security researchers, including those from Malwarebytes and Fox-IT, named Evil Corp Group as the group behind WastedLocker ransomware. Most of today's ransomware groups openly admit that they steal victims' data prior to encrypting files. These ransomware groups publish or auction the data belonging to victims that are unwilling to pay the ransom.
According to Malwarebytes, the group behind the WastedLocker ransomware "does not exfiltrate stolen data and publish or auction the data that belong to 'clients' that are unwilling to pay the ransom".
Fox-IT, meanwhile, said that the group behind WastedLocker ransomware “has not appeared to have engaged in extensive information stealing or threatened to publish information about victims”. "We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public," Fox-IT said.
The group behind WastedLocker ransomware demands ransom payment ranging from US$500,000 to over $10 million in Bitcoin. One of the sources of BleepingComputer said that the ransom demand in exchange for decryption keys that could unlock the encrypted files of Garmin is priced at US$10 million.
In December 2019, the U.S. Treasury Department, sanctioned Evil Corp by way of prohibiting U.S. persons in dealing with the group. The U.S. Treasury Department said that "U.S. persons are generally prohibited from engaging in transactions with them [Evil Corp]." Engagement, in this case, could be mean that US individuals or organizations are prohibited in engaging with Evil Corp, such as via ransom payment.
The sanction of the U.S. Treasury Department’ came after leaders and members of the Evil Corp were charged for developing and distributing the malicious software (malware) called "Dridex". The U.S. Treasury Department said that Dridex infected computers and harvested login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than US$100 million in theft.
‘Wiping & Ransom’ Attack Targets Cloud Data Stored in MongoDB Databases
Data stored in the cloud isn't off limits to cybercriminals. A new report showed that a malicious actor held for ransom nearly half of all MongoDB databases exposed online.
A recent ZDNet report showed that a malicious actor has uploaded ransom notes on 22,900 MongoDB databases left exposed online without a password. This nearly 23,000 MongoDB databases represents nearly 47% of all MongoDB databases exposed online.
MongoDB is a document database in which documents can be searched by their field’s key, making this type of database flexible. This database can be deployed, operated and scaled in the cloud via cloud hosting services.
The report showed that the attacker scanned the internet using an automated script to search for exposed MongoDB databases; contents of the exposed databases were then wiped out; and victims were asked to pay 0.015 bitcoin (approximately USD 136 as of July 4, 2020).
The attacker then gave victims 2 days to pay the ransom to get back their wiped data and further threatened to leak victims' data in case of non-payment of the ransom. The attacker also threatened victims that the data leak will be reported to the local General Data Protection Regulation (GDPR) enforcement authority.
Under GDPR, organizations that are found to have failed to protect customers’ private data and such failure lead to a data breach could receive a hefty fine from local enforcement authority. In July 2019, UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39m under GDPR for data breach. In July 2019 also the ICO similarly announced its intention to fine Marriott International, Inc. more than £99 million under GDPR for data breach.
Victor Gevers, a security researcher at the GDI Foundation, told ZDNet that the initial attacks didn't include the data wiping step. The wiping feature, Gevers said, was later added to the malicious actor's arsenal in attacking MongoDB databases. The ZDNet report said that the series of attacks on MongoDB databases started back in December 2016.
In a January 2017 blog post, Andreas Nilsson, Director of Product Security at MongoDB, acknowledged the attacks on unsecured MongoDB databases running openly on the internet. Said attacks, Nilsson said, erased database content and demanded from victims to pay ransom before the content can be restored.
In September 2017, Davi Ottenheimer, who leads the Product Security at MongoDB, in a blog post said that the company is aware of a new wave of attacks searching for misconfigured and unmaintained MongoDB databases. Ottenheimer said that the compromised MongoDB databases were left unsecured and connected to the internet with no password on their administrator account. This new wave of attacks, Ottenheimer said, doesn't indicate a new risk, just new targets.
"This [wiping and ransom of MongoDB databases] is not ransomware. Database does not get encrypted. It only gets replaced," Gevers told Bleeping Computer. "This is someone who does [this] manually or with a simple Python script."
According to Gevers, thousands of MongoDB databases are left exposed without a password online as these MongoDB instances used the old version of the MongoDB software in which the default configuration left the database open to external connections via the internet. "The most open and vulnerable MongoDBs can be found on the AWS platform because this is the most favorite place for organizations who want to work in a devops way," Gevers said. "About 78% of all these hosts were running known vulnerable versions."
How to Secure Data Stored in the Cloud
Unsecured and misconfigured data stored in the cloud isn't limited to MongoDB databases. In February 2018, BBC reported that security researchers have posted "friendly warnings" to users of Amazon's cloud data storage service whose private content has been made public to correct their settings that exposed data. "Please fix this before a bad guy finds it," one message left by security researcher said.
Here are some of the cybersecurity best practices in securing MongoDB databases deployed in the cloud via cloud hosting services and other data stored in different cloud platforms:
Like any online accounts, MongoDB databases deployed in the cloud and other data stored in the cloud via other cloud platforms need strong authentication methods. At the very least, protect the database with strong authentication method such as a strong password. These days cyberattacks often start with simple internet scanning. It’s important to protect cloud databases at its basic level with a strong password. It's also important to add extra layer of protection via multi-factor authentication.
The principle of least privilege is a security concept that limits access to the bare minimum to perform a task. For instance, a user is granted access only to specific database resources and operations and outside these defined role assignments, the user has no access to the other components of the database.
Use Firewall to control inbound and outbound traffic to your organization's databases. Use IP whitelisting to allow access only from trusted IP addresses.
It's important to keep a backup copy of the critical data stored in the cloud offline in case something happens beyond your organization's control that could prevent access to data stored in the cloud.
It's also important to audit data stored in the cloud, keeping track of the access and changes made to settings and data. A reliable audit system records these access and changes which can later on be used for forensic analysis and to make proper adjustments and controls.
REvil Ransomware Group Resorts to Auctioning Stolen Data
It's now a known fact that ransomware groups steal data prior to encrypting files and demanding ransom from victims.
The group behind the ransomware called "REvil", also known by the name "Sodinokibi", has recently flaunted its data-stealing capability by auctioning the stolen data of one of its ransomware victims that refuses to pay ransom.
On the dark web, the group behind the REvil ransomware created an e-bay-like auction site, auctioning the files of one of its victims that continued to refuse to pay ransom: a Canadian agricultural production company. The newly created auction site of REvil says that a successful bidder will receive 3 databases and 22,000 files stolen from the agricultural company.
The minimum deposit is set at USD$5,000 in virtual currency Monero, and the starting bidding price is USD$50,000. To date, the Canadian agricultural production company hasn't acknowledged the ransomware attack and the related stolen data.
Ransomware: More than Encryption
Ransomware is a type of malicious software (malware) that encrypts victims' computers or files, rendering these computers or files inaccessible to legitimate users. In a ransomware attack, a ransom note is shown on the victim’s computer screen that the only way to access the computer or files again is by paying a ransom, typically in the form of virtual currency.
In the past, ransomware victims aren't hesitant to acknowledge ransomware attacks. Often though in the victims' cyber incident reports and press releases, they assure affected clients or costumers that there's no need to worry as there's no evidence of data exfiltration.
The ransomware called "Maze" openly exposed the data exfiltration process that comes along in a ransomware attack. Maze ransomware is the first ransomware that publishes online the names of the victims that refused to acknowledge the ransomware attack on their systems and/or continues to refuse to pay the ransom.
The group behind Maze ransomware threatens the "shamed" victims that continued refusal to pay the ransom will result in the publication of the data stolen prior to the data encryption. Publication of stolen data led one of the victims of Maze ransomware to file a case in court against the group behind Maze ransomware.
Close to a dozen of other ransomware groups, including REvil, followed Maze's tactic of naming ransomware victims and threatening to publish victims' stolen data – an open acknowledgment that these ransomware groups steal data prior to encrypting files.
Microsoft Threat Protection Intelligence Team, in the blog post “Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk", said that “while only a few of these [ransomware] groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.”
Getting to Know REvil Ransomware
REvil Ransomware first appeared in the wild in April 2019. Exploiting software vulnerabilities, brute-forcing RDP access and using third-party software are some of the known strategies used by the group behind the REvil ransomware in gaining access to victims’ networks and eventually drop the ransomware.
Researchers at Cisco reported that the group behind the REvil ransomware has been exploiting CVE-2019-2725 since at least April 17, 2019 in installing the ransomware. CVE-2019-2725 is a security vulnerability in Oracle WebLogic. Oracle first patched this vulnerability on April 26, 2019. "This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack," researchers at Cisco said.
Researchers at McAfee Labs, meanwhile, reported that the group behind REvil ransomware initially gains access to victims' networks by brute-forcing RDP access in installing the ransomware. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows a user to access Windows workstations or servers over the internet.
In a related report, McAfee Labs reported that the number of RDP ports exposed to the internet has grown from roughly three million in January 2020 to more than four and a half million in March. "RDP ports are often exposed to the Internet, which makes them particularly interesting for attackers," researchers at McAfee Labs said. "In fact, accessing an RDP box can allow an attacker access to an entire network, which can generally be used as an entry point for spreading malware, or other criminal activities."
Kaspersky Lab, meanwhile, reported that since the beginning of March 2020, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet. In a brute force attack, attackers systematically try all possible username and password combinations until the correct combination is found.
Aside from exploiting software security vulnerabilities, brute-forcing RDP access, the group behind the REvil ransomware has also been known to install on the victims' networks the ransomware by using third-party software. In August 2019, the mayor of Keene, Texas revealed that the group behind the REvil ransomware managed to install the ransomware on the municipality’s network through a software that a third-party IT company used to manage the municipality’s network.
While the motive behind this new tactic of auctioning ransomware victims' stolen data isn't yet clear, the timing of the launching of this new tactic amid the on-going COVID-19 pandemic and the resulting government-mandated home quarantine could mean that ransomware victims are refusing to pay ransom as they could've hardened their backup systems or that victims are hard-pressed in paying out ransomware attackers due to the economic fallout resulting in the on-going pandemic. Falling in the wrong hands, the auctioned stolen files could be used against victims and the victims’ customers.
Cybercriminals are not playing by rules and are winning in most cases. Protect your organization today by engaging with our expert team. Connect with us today.
Lessons from the First Computer Pandemic: Love Bug
Twenty years ago, the world's first computer pandemic called the "Love Bug", also known as "ILOVEYOU" virus, wreaked havoc worldwide.
On May 4, 2000, in just a span of 24 hours, the Love Bug affected an estimated 45 million computers worldwide, causing an estimated US$10 billion in damages.
Tracking Down the Creator of ILOVEYOU Virus
BBC technology reporter Geoff White tracked down the creator of the ILOVEYOU virus working in a mobile phone repair shop inside a shopping mall in Manila. Onel de Guzman, now 44, admitted to White that he solely created the ILOVEYOU virus.
de Guzman told White that he unleashed the virus to steal passwords so he could access the internet without paying. He claims that he never intended the virus to spread globally and that he regrets the damage that the virus had caused. de Guzman was never charged with a crime as at the time when he unleashed the virus, the Philippines had no laws criminalizing malicious use of computers.
How the ILOVEYOU Virus Caused a Computer Pandemic
The ILOVEYOU virus arrives on the victim's computer via Outlook software. At the time, Outlook was the common means of sending and receiving emails.
The email's subject simply contains "ILOVEYOU", while the email's body contains these few words: "kindly check the attached LOVELETTER coming from me". The email contains an attachment named "LOVE-LETTER-FOR-YOU.TXT". "I figured out that many people want a boyfriend, they want each other, they want love, so I called it that," de Guzman said.
Once an email receiver clicks on the attached document, the virus makes copies of itself to the Windows System directory and to the Windows directory. It also adds itself to the registry for it to be executed when the system is restarted.
It also replaces the Internet Explorer home page with a link that downloads the program called "WIN-BUGSFIX.exe". This downloaded file is also added to the registry for this program to be executed once the system is restarted.
The downloaded file from the web is a password-stealing malicious software (malware) that calls the WNetEnumCashedPasswords function and sends stolen RAS passwords and all cached Windows passwords to this email address: firstname.lastname@example.org.
This virus spreads to other victims' computers via Outlook. The same email that arrives on the original victim's computer is mass emailed to everyone in the victim's Outlook address book. This virus spreads also via mIRC whenever another person joins an IRC channel where the infected user currently is logged in.
Other than stealing passwords and spreading itself, this virus performs the most destruction function: overwriting files. This virus looks for particular file types from all folders in all local and remote drives and overwrites them.
Similar to modern-day ransomware – malware that prevents victims' from accessing their computers or files, the ILOVEYOU virus denies victims access to their files. Unlike ransomware, where in some cases, the decryption keys given by attackers after ransom payment work in unlocking in locked files, in the ILOVEYOU virus, there's no way to unlock these files.
Many organizations lost a lot of data because of this overwrite function. The mass emailing function of the virus also overloaded many mail systems around the world.
Will There Be Another Computer Pandemic?
Time will tell if there'll be another computer pandemic.
If there'll be one it would be a bit different from de Guzman's creation. An attacker aiming to use a mass emailing virus via Outlook and other mail client software needs to take an extra step to run malicious attachments as current mail client software programs are more cautious in running script files unlike in the days when the ILOVEYOU virus was unleashed.
To date, the damage caused by the ILOVEYOU virus is unprecedented. The virus successfully played on mankind's need to be loved. In today's environment, where many are connected to the internet, another virus could turn into a computer pandemic, exploiting another of mankind's other needs.
The ILOVEYOU virus has taught the online world one thing: Next time, back up your files. Having a working back up prepares your organization for the next computer pandemic similar to the ILOVEYOU virus that overwrites or destroys victims' files.
There's also a need to protect these backups from attackers. In recent months, ransomware attackers have been known to go after victims' backups.
The group behind the ransomware called "DoppelPaymer" published on their leak site the admin username and password for a non-paying ransomware victim who used the Veeam cloud backup software. The group behind the ransomware called "eCh0raix" also went after QNAP NAS backup devices.
Protect your organization's backup devices by keeping it offline. If there's a need to connect these backup devices online, make sure to use strong authentication methods such as multi-factor authentication and to keep the backup device firmware up to date.
It’s also important to follow the time-tested 3-2-1 rule:
3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, cloud backup).
Another attack scenario could come from a silent operator. The ILOVEYOU virus and the different shades of ransomware are overtly noticeable attacks. The next big thing or even one that we haven't noticed yet, could be one that silently lurks in millions of computers worldwide.
How to Strengthen Cloud Backups Against Ransomware
Cloud backup is an important defense against ransomware attacks. Cloud backups, however, have recently been the target by ransomware attackers.
In a ransomware attack, the computer or the data within is encrypted preventing users’ access to this computer or data. The lack of backups forces many victims to pay ransom in exchange for the decryption keys that would unlock these locked computers or locked data.
As many organizations have migrated their daily operations to the cloud, many have migrated their backups to the cloud as well. For many organizations, cloud backups have given them a false sense of security.
If not configured properly, cloud backups could easily be stolen, deleted and, in a worst-case scenario, used against your organization. The group behind the ransomware called “DoppelPaymer” recently published on their leak website the admin username and password for a Veeam user account owned by one of DoppelPaymer ransomware’s victims who refused to pay ransom.
Switzerland-based Veeam is a software company that develops cloud backup software. DoppelPaymer is the latest addition to the number of ransomware programs that establish leak websites to shame victims who refuse to pay ransom. Stolen data belonging to the victims prior to encryption are published on these leak websites.
"Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options," the group behind DoppelPaymertold Bleeping Computer.
How Cybercriminals Compromise Cloud Backups
Ransomware attackers often initially compromise victims’ computers through phishing campaigns or exposed RDP. In phishing campaigns, attackers trick victims in opening malicious emails containing malicious links or attachments. Opening these malicious links or attachments could lead to the downloading of the actual ransomware into the victims’ computers.
Exposed RDP is another gateway of ransomware attacker to the victims’ networks. RDP, short for remote desktop protocol, is a protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Exposed RDP, those that used weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security measures, are targeted by cybercriminals as an initial entry point to gain access to their victims’ networks.
The group behind the ransomware called “Maze” told Bleeping Computer that cloud backups credentials are used to restore the victims’ data stored in the cloud to the servers under the group’s control. Maze ransomware started the trend among ransomware operators in establishing leak websites in order to shame victims who refuse to pay ransom.
"Yes, we download them [data stored in the cloud],” the group behind Maze ransomware told Bleeping Computer. “It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to data breach detection software.”
Operators of the DoppelPaymer and Maze ransomware, however, didn’t elaborate to Bleeping Computer how they were able to gain access to their victims’ cloud backups. In the case of users using the Veeam software for cloud backups, the role of Mimikatz and configuring Veeam to use Windows authentication could have led to the compromise of these cloud backups.
Once malicious actors gain access to their victims’ networks, they systematically move through the network, for instance, via the use of Mimikatz – an open-source application that allows attackers to view and save Windows authentication credentials. These stolen Windows authentication credentials are used by the attackers in accessing cloud backups that use the Veeam software as some administrators configure Veeam to use Windows authentication.
Cybersecurity Best Practices in Securing Your Organization’s Cloud Backups
In a white paper released by Veeam, the company said that one of the best practices in securing your organization’s cloud backups is through the use of different credentials for cloud backups. “One of the key characteristics of ransomware is its ability to propagate,” Veeam said. “By using different credentials within the Veeam infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both Windows and Linux accounts, Windows and Veeam Cloud Connect, etc.”
It’s also important to follow the time-tested 3-2-1 rule:
3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, cloud backup).
Following the 3-2-1 rule, aside from cloud backup, it’s also important to keep a backup on-premise or on-site. This on-premise backup must be kept offline to ward off ransomware attackers. Aside from attacking cloud backups, ransomware attackers have targeted on-premise backups exposed to the internet.
In the past few months, ransomware attackers have targeted Network Attached Storage (NAS) devices. NAS is a storage and backup system that consists of one or more hard drives.
To gain access to NAS devices, attackers use brute force attack, that is, guessing through trial-and-error the correct username and password combination. To gain access to NAS devices, attackers also exploit security vulnerabilities that remained unpatched either through an absence of a vendor’s security update or failure of a NAS device user in installing in a timely manner the vendor’s available security update.
When you need help securing your cloud backups and applications against ransomware attacks, our experts are here to help. Get in touch with us today and protect your valuable assets.
Growing Threat of Ransomware Reinfection
Switzerland's cybersecurity body, the Reporting and Analysis Centre for Information Assurance (MELANI), has cautioned local SMEs and large organizations against paying ransomware attackers due to the risk of ransomware reinfection.
In a recent advisory to local organizations in Switzerland, MELANI said it’s aware of cases in Switzerland and abroad where the same organizations have been victims of ransomware attacks several times within a very short period of time. Ransomware is a type of malicious software (malware) that encrypts victims’ files and forces victims to pay ransom in exchange for the decryption keys that would unlock the encrypted files.
According to MELANI, even if a ransom is paid, there’s no guarantee that the ransomware attacker will decrypt the data. Switzerland's cybersecurity body also cautioned that even when ransom payment is made, leading to the decryption of the encrypted data, the underlying infection of some ransomware will remain active. “As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware,” MELANI said.
Emotet and TrickBot are two of the malware cited by Switzerland's cybersecurity body that could cause ransomware reinfection on victims’ computers even after ransom payment and after decryption.
In October 2019, the Canadian Centre for Cyber Security issued an alert to organizations in Canada about the 3-in-1 infection process involving 3 malware: Emotet, TrickBot and Ryuk. According to the Canadian Centre for Cyber Security, Emotet, TrickBot and Ryuk ransomware are part of the 3-stage infection process, with Emotet as the first malware downloaded, TrickBot as the second malware downloaded, and Ryuk ransomware as the last malware deployed against victims’ networks by an organized and prolific actor or group of actors.
Emotet, first detected in 2014, is a malware that’s distributed through emails containing malicious links or attachments. Victims are tricked into clicking these malicious links or attachments as the group behind Emotet uses branding familiar to the recipients.
According to the US Cybersecurity and Infrastructure Security Agency, once Emotet is downloaded on the victim’s computer, this malware uses a credential enumerator in the form of a self-extracting RAR file. This credential enumerator, the US cybersecurity body said, containstwo components: a bypass component and a service component. The bypass component is used to find writable share drives using SMB or brute force (attempt to crack a password or username using a trial and error method) users’ accounts, including the administrator account.The service component, meanwhile, writes Emotet onto thecompromised computer’s disk.
SMB, short for Server Message Block, is a network protocol used by computers running Microsoft Windows that allows systems within the same network to share files. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US Cybersecurity and Infrastructure Security Agency said.
Once the attacker gains access on the victim’s network via Emotet, the Trickbot malware is then downloaded and distributed to the compromised systems.
Trickbot, first detected in 2016, is a malware that has similar capabilities as Emotet. Similar to Emotet, Trickbot can brute force users’ accounts and spread onto as many computers as possible using SMB.
Analysis of the Trickbot showed that this malware uses PowerShell Empire, a publicly available tool. Designed as a legitimate penetration testing tool in 2015, PowerShell Empire has become a favorite tool among the well-financed threat groups.
PowerShell Empire allows an attacker to escalate privileges, harvest credentials, exfiltrate information, and move laterally across the victim’s network. PowerShell Empire is difficult to detect on a network using traditional antivirus software as it operates almost entirely in memory, and it also uses PowerShell, a legitimate application. Empire also allows an attacker to install Ryuk ransomware on high-value targets.
According to the Canadian Centre for Cyber Security, Trickbot’s capabilities allow it “to map out the network and give the malicious actor a better understanding of the target, including the value of the data.”
Ryuk ransomware first appeared in 2018. On its own, this ransomware doesn’t have the ability to spread onto as many machines as possible within a network, hence the dependency on other malware such as Emotet and Trickbot.
“The Ryuk ransomware itself does not contain the ability to move laterally within a network, hence the reliance on access via a primary infection, but it does, however, have the ability to enumerate network shares and encrypt those it can access,” UK's National Cyber Security Centre said. “This, coupled with the ransomware’s use of anti-forensic recovery techniques (such as manipulating the virtual shadow copy), is a technique to make recovering from backups difficult.”
Preventive and Mitigating Measures Against Ransomware
Every so often malware programs such as Emotet, Trickbot and Ryuk are able to access victims’ networks as a result of ignoring basic cybersecurity measures. Here are some basic cybersecurity measures in order to protect your organization’s network against malware such as Emotet, Trickbot and Ryuk:
In the case of Ryuk infection, it’s important to note that cleaning up the affected computers isn’t enough as these “cleaned” computers could still be reinfected as the associate malware used by Ryuk, Emotet and Trickbot, could be lurking on networked systems that were not initially affected by the ransomware.
Researchers Warn Windows EFS Could be Abused by Ransomware Attackers
Researchers at Safebreach Labs have warned that EFS, a feature in Microsoft Windows, could be abused for ransomware attacks.
What Is EFS?
EFS, short for Encrypted File System, is a feature on Windows operating system, starting with Windows 2000, for its business users. This feature allows users to encrypt specific folders and files. In encryption, data is converted into secret code, allowing only authorized users to access the specific folders and files and, in theory, denying access to unauthorized users.
EFS shouldn’t be confused with another encryption feature on Microsoft Windows called “BitLocker”. While EFS encrypts specific folders and files, BitLocker is a full disk encryption feature.
In EFS, to access the encrypted specific folders and files, an authorized user doesn’t need to provide a password as access is via the user’s account password. In BitLocker, to access the BitLocker-encrypted drive, a user needs to type the password or plug in a USB key or have BitLocker use Trusted Platform Module (TPM) if the Windows operating system has one.
Proof of Concept of Ransomware Attack Scenario Exploiting Windows EFS
Ransomware is a type of malicious software (malware) that encrypts victims’ computers or data, denying legitimate users access to their computers or data. In ransomware attacks, attackers demand from their victims to pay ransom in exchange for the decryption keys that, in theory, unlock the encrypted computers or data. Recent ransomware attacks, meanwhile, steal computer files prior to encryption and threaten the publication of these stolen files for victims who refuse to pay the ransom.
Researchers at Safebreach Labs recently disclosed that they’ve developed a proof-of-concept of a ransomware that abuses Windows EFS. The EFS-based ransomware developed by Safebreach Labs encrypts files, rendering these files unreadable to users and even to the Windows operating system. Safebreach Labs said that the encrypted files can only be made readable using the ransomware attacker’s decryption key and have the EFS-based ransomware restore the encrypted files into their original position, and only then that the Windows operating system can once again read the user files.
Safebreach Labs said that EFS-based ransomware is an “alarming concept and a possible new threat in the ransomware horizon” due to the following reasons:
Safebreach Labs said that EFS-based ransomware works on Windows 10 64-bit versions 1803, 1809 and 1903, and should also work on Windows 32-bit operating systems, and on earlier versions of Windows such as Windows 8.x, Windows 7 and Windows Vista.
Safebreach Labs said it tested its EFS-based ransomware on 3 anti-ransomware solutions from well-known vendors, and all 3 anti-ransomware solutions failed to protect against this new threat. Thereafter, Safebreach Labs notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints and provided them with the EFS-based ransomware proof-of-concept. Safebreach Labs also found that many of these major anti-malware and anti-ransomware vendors for Windows endpoints failed to protect against this threat.
Prevention and Mitigating Measures Against EFS-Based Ransomware
Below are some of the responses of the major anti-malware and anti-ransomware vendors for Windows endpoints that were notified by Safebreach Labs regarding the EFS-based ransomware.
Avast/AVG email to Safebreach Labs dated September 26, 2019: “We implemented a workaround for version 19.8.”
Bitdefender email to Safebreach Labs dated January 10, 2020: “As of today, the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 126.96.36.199. On Bitdefender Free Edition the fix is in reporting mode only, being necessary for fine tuning in the future.”
Check Point email to Safebreach Labs dated January 20, 2020: “Check Point has resolved the issue and the fix is currently available with the latest Corporate Endpoint Client E82.30 and will be available in the latest release of Zone Alarm Anti-Ransomware in the next couple of days.”
McAfee email to Safebreach Labs dated January 17, 2020: “McAfee released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on 10th January. This covers both our Enterprise and Consumer products. The AV DATs are automatically updated and Customers can check the version of the DATs through the product User Interface.
“Enterprise Customers using MVision EDR have a detection rule available from 10th January which will trigger when some variations of this Proof of Concept are executed. Through EDR the administrator can scan their machines for other instances of the malware and then block execution or delete the malware. Enterprise Customers using ENS can configure an Endpoint Protection Access Protection rule which will prevent the sample deleting the keys it generates to encrypt the files. By preventing the deletion of the keys the files remain accessible to that user. Other users on the same machine would not have access to the files.”
Microsoft email to Safebreach Labs dated October 7, 2019: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria?rtc=1). Microsoft may consider addressing this in a future product".
In the absence of a Windows update, according to Safebreach Labs, one of the workarounds against EFS-based ransomware is by turning off EFS on the affected Windows operating system. The cybersecurity research lab, however, said that turning off EFS can disable legitimate encryption of the operating system.
Ransomware attacks are becoming more and more prominent. Turn to our experts to mitigate the ransomware infection risks and protect your organization. Contact us today for a no-obligation consultation.
Valuable Lessons from Recent Cyber Extortions
The recent data breach at LifeLabs, which affected nearly half of Canada’s population, and the recent data breach at the City of Pensacola highlight the growing danger of cyber extortions.
What Is Cyber Extortion?
Extortion – the act of using threats to gain something from someone – has been given a new form in the cyber world.
In the case of the data breach at LifeLabs, cybercriminals gained access to the company’s computer systems, stole data and thereafter demanded ransom payment from the company in exchange for the stolen data. In a joint statement, the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia said, “LifeLabs advised our offices that cyber criminals penetrated the company's systems, extracting data and demanding a ransom.”
"Retrieving the data by making a payment," said Charles Brown, President and CEO of LifeLabs, was one of the several measures taken by the company to protect customer information.
The recent cyber extortion at the City of Pensacola, meanwhile, involved a headline-grabbing method: ransomware – a malicious software (malware) that encrypts computer files, locks out users and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted files. The group behind the ransomware called “Maze” claimed responsibility for the ransomware attack at the City of Pensacola. The group demanded that the City pay $1 million ransom to decrypt the encrypted files.
Ten percent or 2GB of the data stolen before encrypting the computer files of the City was recently published online by the group behind Maze ransomware. When asked by BleepingComputer if the group intends to release the rest of the stolen data, the group said, "It depends".
The group behind Maze ransomware similarly published online 10% or 700 MB of data stolen from another victim, the Allied Universal after the victim failed to pay the group’s demand of 300 bitcoins then valued at nearly $2.3 million. The group told BleepingComputer that the rest of the stolen data will be leaked online if the increased ransom of $3.8 million won’t be paid.
How Cyber Extortion Works?
How the attackers penetrated the LifeLabs’ computer systems, how the data was extracted data and how the ransom demand was made haven’t been made public. For Maze ransomware, however, there’s a handful of data online.
Security researcher Jérôme Segura first observed in May of this year Maze ransomware in the wild initially infecting victims’ computers via the Fallout exploit kit through a fake cryptocurrency exchange site. Fallout exploit kit exploits the security vulnerabilities in Microsoft Windows and Adobe Flash Player. In October of this year, security researcher JAMESWT observed Maze ransomware infecting victims in Italy through a phishing campaign that tricks victims into opening the attached document in an email pretending to be from the Italian Revenue Agency.
Researchers from Cisco Talos reported that they’ve also observed Maze ransomware in the wild. In a Maze ransomeware attack, the researchers said that after obtaining access to a network, CobaltStrike is used. CobaltStrike is a commercial penetration testing tool that markets itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike uses well-known tools, including Mimikatz – a tool that’s capable of obtaining plaintext Windows account logins and passwords.
According to Cisco Talos researchers, once the adversary behind Maze ransomware has access to the victim’s network, at least a week is spent moving around the network and gathering data along the way. The researchers added that the gathered data is extracted by using “PowerShell to dump large amounts of data via FTP out of the network”. After data extraction, Maze ransomware is then deployed on the compromised computers, the researchers at Cisco Talos said.
The researchers at Cisco Talos added that the observed Maze ransomware attacks also involved interactive logins via Windows Remote Desktop Protocol and remote PowerShell execution achieved via Windows Management Instrumentation Command-Line (WMIC).
In its 2020 Threats Predictions Report, McAfee Labs said that for 2020, it predicts that targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks, with the first stage of attack involving a crippling ransomware attack and the second stage of attack involving the threat to disclose the data stolen before the ransomware attack.
Preventive and Mitigating Measures Against Cyber Extortion
While having a working backup system is still a must to protect your organization’s sensitive data, as shown in the recent cyber extortions, brushing off cyber-attacks through better backup systems will prove to be not enough in 2020 as attackers are aiming for data theft and leveraging this stolen data to get what they want.
Here are some of the preventive and mitigating measures against cyber extortion:
- Keep All Software Up to Date
Keeping all your organization’s software up to date stops attackers at their tracks as the latest software security updates typically fix security vulnerabilities.
- Apply the Principle of Least Privilege
The principle of least privilege promotes minimal user privileges on computers based on user’s job necessities. For instance, if the user’s work isn’t IT-related, his or her computer access shouldn’t allow administrative rights, referring to the right to install software, change the operating systems configuration settings and other higher-level access.
- Disable Windows Remote Desktop Protocol (RDP)
There have been many document cases whereby Windows Remote Desktop Protocol (RDP) had been used by attackers as a gateway to their victims’ networks. It’s advisable to disable RDP when this service isn’t used.
- Keep Backups Offline
Over the past few months, attackers have specifically targeted backup systems. It’s advisable to keep your organization’s backup systems offline.
Cyber extortions has become a new norm and many organizations have already fell victim. Connect with our team of cybersecurity experts today to understand you weakest links better and mitigate the risk of cyber extortion.
LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data
LifeLabs, the largest provider of general diagnostic and specialty laboratory testing services in Canada, has announced that it paid an undisclosed amount of ransom in exchange for the stolen data of 15 million customers.
Charles Brown, President and CEO of LifeLabs, in a statement, said that the company’s computer systems were illegally accessed resulting in the theft of data belonging to approximately 15 million customers. Stolen data includes name, address, email, login, passwords, date of birth and health card number. The vast majority of the affected customers are from Ontario and British Columbia.
Brown added that laboratory test results of 85,000 customers from Ontario for the period 2016 or earlier were part of the stolen data. The President and CEO of LifeLabs further said that health card information of customers for the period of 2016 or earlier was also stolen.
"Retrieving the data by making a payment,” Brown said was one of the measures that the company took in order to protect customer information. “Personally, I want to say I am sorry that this happened,” he said.
While the President and CEO of LifeLabs said that risk to customers in connection with this cyber attack is “low and that they have not seen any public disclosure of customer data,” he called on affected customers to avail of the company’s one free year of protection that includes dark web monitoring and identity theft insurance.
How the LifeLabs Data Breach Unfolded?
The President and CEO of LifeLabs said that the data breach was discovered as a result of "proactive surveillance” and added that the company “fixed the system issues” related to the cyber-attack.
In a joint statement, the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that LifeLabsinformed the two offices on November 1, 2019 about the data breach. The IPC and OIPC said that they will conduct a joint investigation into the data breach at LifeLabs. Among the things to be investigated, the two offices said, will include the scope of the breach and the circumstances leading to it.
“They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom,” IPC and OIPC said in a joint statement. “LifeLabs paid the ransom to secure the data.”
"An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."
“I am deeply concerned about this matter,” said Michael McEvoy, Information, and Privacy Commissioner for British Columbia. “The breach of sensitive personal health information can be devastating to those who are affected."
While ransom or payment was made, there was no mention that the attack was due to a ransomware – a type of malicious software (malware) that encrypts data and the group or individual behind the malware then demands ransom payment in exchange for decryption key or keys that would unlock the encrypted files.
Cyber Attackers New Modus Operandi
While cyber attackers have been known to steal data from their victims, there’s a scarcity of information showing victims paying ransom in order to get back the stolen data. The latest cyber incident at LifeLabs shows an alarming cyber-attack trend, that is, penetrating the victim's systems, extracting data and then demanding a ransom.
Ransomware attackers, meanwhile, over the past few weeks have openly employed a new tactic in order to force their victims to pay ransom: threatening ransomware victims that failure to pay the ransom will result in the publication of stolen data. This latest modus operandi by ransomware attackers confirms what has been widely known in the cyber security community that ransomware attackers don’t merely encrypt data but they also have ways to snoop and even steal data prior to the data encryption.
In late November of this year, the group behind the ransomware called “Maze” published online the stolen data from one of its victims, Allied Universal after Allied failed to pay 300 bitcoins, then valued nearly $2.3 million USD, within the period set by the malicious group. The group behind the Maze ransomware told BleepingComputer, “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process.”
The group behind the Maze ransomware further said that before encrypting any of the victims’ files, these files are first exfiltrated or stolen to serve as further leverage for the victims to pay the ransom.
The group behind the ransomware called “REvil”, also known as Sodinokibi ransomware, recently announced in a hacker forum that it will also leak online the stolen data from ransomware victims who refuse to pay ransom. Other than leaking the stolen data online, the group behind REvil ransomware also said the stolen data from ransomware victims who refuse to pay could be sold.
Maze ransomware initially infects victims’ computers via phishing campaigns or via Fallout exploit kit – a hacking tool that exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. REvil ransomware, meanwhile, also initially infects victims’ computers via phishing campaigns and exploit kits, as well as by exploiting a security vulnerability in Oracle’s WebLogic server and by brute-forcing Remote Desktop Protocol (RDP) access.
Ransomware Attacks Now Targeting Your Backups
Backups have traditionally been regarded as the last line of defence against ransomware attacks. Over the past few months, however, backups have been specifically targeted by ransomware attacks.
In the "IT threat evolution Q3 2019" report, Kaspersky researchers found that ransomware attacks on backups, specifically NAS backups, are gaining ground.
What Is NAS?
NAS, short for network attached storage, is a storage and backup system that consists of one or more hard drives. This storage and backup system can be connected to home or office network or the internet. In case a NAS device is connected to the internet, data stored on this device can be accessed using a web browser or mobile app.
Ransomware Targeting NAS
Researchers at Anomali in July of this year reported about eCh0raix, a ransomware that specifically targets QNAP network attached storage (NAS) devices. According to the researchers, the source code of eCh0raix has less than 400 lines, with functionalities that are typical to a ransomware, including checking if data in the infected system has already been encrypted, going through the file system for files to encrypt, encrypting the files, and producing the ransom note.
Researchers at Anomali noted that eCh0raix ransomware isn’t designed for mass distribution as the samples with a hardcoded public key appear to be compiled for the target with a unique key for each target.QNAP Systems, the manufacturer of QNAP network attached storage (NAS) devices, for its part, acknowledged that QNAP devices using weak passwords and outdated QTS firmware are vulnerable to eCh0raixransomware.
In July of this year, another NAS device manufacturer Synologyreported that several of Synology NAS devices were under ransomware attacks as a result of brute-forcing administrator login details. In a brute-force attack, a malicious actor submits a number of passwords in the hope of eventually guessing the correct one.
According to Synology, its investigation related to the ransomware attacks found that the attacks were due to dictionary attacks – the use of words in the dictionary in brute-forcing login details – instead of specific system vulnerabilities. Synology added that the large-scale ransomware attacks were targeted at various NAS models from different NAS vendors. Ken Lee, Manager of Security Incident Response Team at Synology, said that NAS attackers used “botnet addresses to hide their real source IP”.
Just last month, another NAS device manufacturer D-Linkacknowledged that the following D-Link network attached storage (NAS) models are vulnerable to a different ransomware called “Cr1ptT0r” ransomware: DNS-320 Ax/Bx, DNS-325, DNS-320L, DNS-327L, DNS-323 Ax/Bx/Cx, DNS-345, DNS-343 and DNS-340L. According to D-Link, Cr1ptT0r encrypts stored information and then demands payment to decrypt the information.
According to Kaspersky researchers, the growing ransomware attacks on NAS devices involve attackers scanning the internet for internet-connected NAS devices. Kaspersky researchers said that a number of NAS devices have vulnerabilities in the firmware, which enables attackers via an exploit to install on the compromised device a Trojan – a type of malicious software (malware) that’s often disguised as legitimate software – that encrypts all data on the NAS device. “This is a particularly dangerous attack, since in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock,” Kaspersky researchers said.
Preventive and Mitigating Measures
Here are some of the preventive and mitigating measures against ransomware attacks targeting NAS backups:
Manufacturers of NAS devices, QNAP Systems, Synology and D-Link, asked users to apply the latest software or firmware version.
In the case of D-Link NAS devices, D-Link said that DNS-320 Ax/Bx, DNS-323 Ax/Bx, DNS-325 Ax and DNS-345 Ax have passed their end of service date, which means that these models are no longer supported by the company through customer support and no longer receive software or firmware updates. For the said models that have passed their end of service date, D-Link asked users to "remove the Internet access of NAS on your router by disabling the port forwarding and DMZ setting".
One thing is common to these NAS ransomware attacks: They victimized only those devices that are connected to the internet. To protect backups from this type of ransomware, it’s important to disable internet connection to these devices.
Generally, an internet-connected NAS device can only be accessed via a web or mobile app interface and this interface is protected by an authentication page, where a user has to authenticate oneself before logging in. As acknowledged by NAS manufacturers, some users use weak passwords, making it easy for attackers to brute-force or guess the passwords.
When there’s a need for these NAS devices to be accessible via the internet, it’s important to use strong passwords and, if possible, to use multi-factor authentication to add another layer of defence.
Here are some of the additional defences to protect backups from ransomware attacks:
As shown in the number of ransomware attacks in recent months, this type of cyber-attack doesn’t seem to slow down.
Organizations that have shown to be financially capable of paying ransom, including government agencies, as well as organizations in the healthcare and education sectors are particularly targeted by this attack.
You don’t have to be a victim of a ransomware attack. Stop cybercriminals before they get the leverage.
Speak with our cybersecurity experts today and stop worrying about ransomware.
Steve E. Driz, I.S.P., ITCP