Thought leadership. threat analysis, news and alerts.
How to Protect Your Organization’s Computers from WannaCry-Like Cyber-Attack
Microsoft recently took an unusual step of rolling out a patch for Windows operating systems that are out of support in an effort to stop a WannaCry-like cyber-attack.
This is the second time in just over 2 years that the technology giant rolled out a patch for Windows operating systems that are out of support. The previous unprecedented patch was rolled out at the height of the WannaCry cyber-attack on May 12, 2017.
According to Microsoft, the latest patch, which was released on May 14, 2019, fixes the security vulnerability in out-of-support versions of Windows, specifically Windows 2003 and Windows XP; as well as versions of Windows that still receive support from Microsoft, specifically Windows 7, Windows Server 2008 R2 and Windows Server 2008.
Failure to apply the May 14, 2019 patch renders the above-mentioned out-of-support and in-support versions of Windows vulnerable to WannaCry-like cyber-attack, this according to Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC).
What Is WannaCry?
WannaCry is a malicious software (malware) that wreaked havoc in more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017. Once a computer becomes infected with WannaCry, this malware encrypts files on the computer's hard drive, making it impossible for legitimate users to access them, and demands a ransom payment in exchange of the decryption keys that supposedly would unlock the encrypted files.
After infecting one computer, the WannaCry malware spreads itself through the network, infecting other vulnerable devices, without the need for further action from the users. Attempts on the part of the WannaCry victims to unlock the encrypted files by paying the ransom was a useless endeavour as the source code of this malware was written in such a way that it isn’t possible to determine who paid the ransom and who didn’t, as such, there’s no way to decrypt on a per-user basis.
Two months, specifically on March 14, 2017, prior to the WannaCry cyber-attack, Microsoft released a patch that fixes the security vulnerability exploited by WannaCry. The patch, however, wasn’t made available to Windows operating systems that were out of support, specifically Windows XP, Windows 8 and Windows Server 2003. At the height of the WannaCry cyber-attack on May 12, 2017, Microsoft took an unusual step of rolling out a patch for these 3 out-of-support versions of Windows.
The WannaCry malware was able to infect hundreds of thousands of computers in less than 24 hours as a result of these two features: remote code execution and worm capabilities.
Remote code execution is the ability of a malicious actor to access someone else's computer and make malicious changes to this computer regardless of the geographical location of this device. Worm capability, meanwhile, refers to the capability of a malware to spread itself through the network, infecting other vulnerable devices, without user interaction.
The May 14, 2019 patch released by Microsoft fixes the security vulnerability labelled CVE-2019-0708. Similar the WannaCry malware, security vulnerability CVE-2019-0708 exhibits remote code execution and worm capabilities.
Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), said in a blog post, that while there’s no evidence that this security vulnerability has been exploited in the wild, it’s highly likely that malicious actors will write an exploit for this vulnerability and include it into their malware.
The security vulnerability, Pope said, is “wormable”, which means that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
WannaCry, in particular, infects vulnerable Windows operating systems via Server Message Block 1.0 (SMBv1) server – a protocol that enables Windows systems to share files, printers and serial ports. In vulnerability CVE-2019-0708, remote code execution and worm capabilities are made possible via Remote Desktop Protocol (RDP) – a proprietary protocol developed by Microsoft which allows users to access another computer over a network connection. “The Remote Desktop Protocol (RDP) itself is not vulnerable,” Pope said. “This vulnerability is pre-authentication ….”
Many malware in the past were able to bypass anti-malware and other security defences via RDP. Malicious actors gain access to compromised devices by stealing or brute forcing RDP credentials.
In early 2019, authorities shut down xDedic Marketplace, a website involved in the illicit sale of RDP credentials. According to authorities, RDP login details of tens of thousands of compromised servers owned by unknowing companies and private individuals were sold on the xDedic platform for amounts ranging from $6 to more than $10,000 each.
The top preventive measure in order to protect your organization’s computers from WannaCry and WannaCry-like cyber-attack is by keeping all software and, in particular, operating system software up-to-date.
It’s worthy to note that even though it has been a long time since the major WannaCry attack, organizations continue to be victimized by this malware. Months after the major WannaCry attack, US aircraft maker Boeingfell victim to WannaCry. In March 2018, Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alert to his colleagues that the WannaCry malware was “metastasizing rapidly” out of Boeing’s North Charleston production plant and could potentially “spread to airplane software”. Linda Mills, head of communications for Boeing Commercial Airplanes, in a statement said, “The vulnerability was limited to a few machines.”
As an added protection to your organization’s computers, it’s best to disable Windows protocols that are often exploited by malicious actors. Specific to WannaCry malware, disable SMB protocol and for the security vulnerability CVE-2019-0708, disable RDP.
Connect with our cyber security expertstoday to learn more about common threats and prevent cyberattacks.
Retargeted Attacks Continue to Rise
Once a target, always a target. This seems to be the case in the City of Baltimore in Maryland as the City recently suffered another cyber-attack – the second attack in just over a year.
Last May 7, Baltimore Mayor Bernard Jack Young announcedthat the City’s network was infected with a ransomware. As a precaution, he said the City shut down the majority of its servers. While the City’s essential services such as police and fire departments are operational, the ransomware infection and the resulting shutting down of the majority of the servers resulted in network outage, email outage and phone outage with nearly every other department of the City affected.
Just over a year ago, in March 2018, the City of Baltimore suffered another cyber-attack. The 2018 attack was, however, limited to Baltimore's computer network that supports emergency calls. The attack forced the staff to resort to manual operations to handle calls.
Baltimore Chief Information Officer and Chief Digital Officer Frank Johnson told Ars Technicathat the 2018 cyber-attack which brought down Baltimore's computer-aided dispatch (CAD) system was caused by a ransomware. It wasn’t revealed what was the exact type of ransomware that hit Baltimore’s CAD system.
The point of entry of the ransomware was, however, partially identified. According to Johnson, the Baltimore City Information Technology office determined that "the vulnerability was the result of an internal change to the firewall by a technician who was troubleshooting an unrelated communication issue within the CAD System”.
In a press conference, Baltimore Chief Information Officer and Chief Digital Officer Johnson said that the recent cyber attack on Baltimore’s system was caused by the “very aggressive RobinHood ransomware".
Ransomware is a type of malicious software (malware) that locks out computer users by encrypting computer systems or files and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted computer systems or files.
RobinHood ransomware is a fairly new malware. In early April last month, the RobinHood ransomware similarly infected the network of the City of Greenville, South Carolina, which prompted the City to shut down the majority of its servers.
In late April last month, security researcher Vitali Kremez reverse engineered a sample of the RobinHood ransomware. Kremez told BleepingComputerthat on execution, this malware stops 181 Windows services associated with antivirus and other software that could keep files open and prevent their encryption. This ransomware also doesn’t spread within the network, which means that every infected computer is individually targeted.
Kremez, meanwhile, told Ars Technica that the RobinHood ransomware attacker or attackers need administrative-level access to a system on the network “due to the way the ransomware interacts with C:\Windows\Temp directory”. It’s still unknown how the RobinHood ransomware gains access to a network and the computers connected toit.
The Robinhood ransomware drops its ransom note on the desktop, informing victims that 3 bitcoins must be paid to get the decryption key of one computer or alternatively send 13 bitcoins for the decryption keys of an entire infected system. The ransom note also states that the cost of payment increases “$10,000 each day after the fourth day.” The value of 1 bitcoin as of May 11, 2019 4PM GMT+7 is $6,312.
Prevalence of Retargeted Cyber Attacks
A study conducted by FireEye Mandiantfound that organizations that have been breached before are much more likely to be targeted again. In 2017, FireEye Mandiant reported that 56% of victims of at least one significant cyber-attack were targeted again by the same or similarly motivated attack group. In 2018, this number has continued to climb, increasing to 64%, FireEye Mandiant reported.
The top 5 retargeted industries in 2018 were finance (18%), education (13%), health (11%), pharmaceutical (9%), retail and hospitality (7%), and telecommunications (7%).
The FireEye Mandiant report further found that in 2018 organizations in the Asia-Pacific (APAC) region were far more likely to succumb to retargeted attacks, with 78% of APAC organizations fell victim to another attack. The said report also found that for the same period, 63% of organizations in the Americas fell victim to another attack. The report also found that for the same period, 57% of the organizations in Europe, Middle East, and Africa (EMEA) fell victim to another attack.
"This data further substantiates the fact that if you’ve been breached, you are much more likely to be targeted again and possibly suffer another breach," FireEye Mandiant said.
How to Prevent Retargeted Attacks
Configuring ordinary workstations not to install software and establishing a separate device or devices exclusively for administrative tasks (for installing and removing software and changing configuration settings) are two preventive measures in reducing the odds of malicious actors gaining access into your organization’s network.
Configuring ordinary workstations not to install software is a proactive means of preventing accidental installation of malicious software by unwittingly downloading malicious attachments or clicking on malicious links contained inside malicious emails.
Devices exclusively used for administrative tasks, meanwhile, should be secured through the following:
When you need help preventing cyberattacks and protecting your network and computers against ransomware, connect with our teamand get right advise at the right time.
Can Your Organization Survive a Cyberattack that Permanently Destroys Data?
Financial gain, either short-term or long-term, is often the motive of most cyber criminals. Some cyber criminals, however, aren’t after financial gain, but rather, they’re simply out to cause as much damage as possible.
The recent cyberattack at email service provider VFEmail shows an unconventional motive of simple destruction. Milwaukee-based VFEmail, founded in 2001, provides email service to businesses and individuals.
The first hints of the cyberattack on VFEmail came out last February 11, when the company’s Twitteraccount issued a series of tweets about the attack, starting with a tweet that said, “This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.”
By 5 PM on February 11, the company declared on its website, “We have suffered catastrophic destruction at the hands of a hacker.” The company added that the attacker destroyed nearly two decades' worth of emails of all data in the US, both primary and backup systems.
The company further said that the attacker hasn’t asked for ransom. “Just attack and destroy," the company said. When asked about the identity of the attacker, VFEmail owner Rick Romero tweetedit could be "someone who had data they didn't want found or I really pissed off."
This recent cyber incident isn’t the first time that cyber criminals have targeted VFEmail. In a blog postdated November 4, 2015, Romero shared that a group of hackers threatened to launch a distributed denial-of-service (DDoS) on his email service if he doesn’t pay 5 Bitcoins.
True enough, after refusing to pay the ransom, VFEmail’s email service was disrupted by a DDoS attack prompting Romero to expose the group's extortion campaign. In 2017, the company’s email service was once again disrupted by a series of DDoS attacks, prompting the company to change to a new hosting provider. In 2018, the company’s email service was once again disrupted by a DDoS attack.
It isn’t clear what actually caused the latest cyberattack on VFEmail. What’s clear though is that the company’s nearly two decades' worth of emails of all data in the US, both primary and backup systems, are lost forever.
Other Cases of Disruptive Cyberattacks
WannaCry and NotPetya
WannaCry and NotPetya are two examples of cyberattacks that were meant mainly to destroy. At the height of WannaCry attack on May 12, 2017, an estimated 300,000 computers in 150 countries were infected by WannaCry malicious software (malware). Six weeks after the WannaCry attack, NotPetya malware was launched although it didn’t have as much impact as WannaCry.
Both WannaCry and NotPetya exhibit the characteristics of a ransomware, a type of malware that’s designed to deny legitimate users access to computer files by encrypting these files. Similar to other ransomware, WannaCry and NotPetya attackers also demanded ransom from their victims, assuring them that once ransom is paid, the decryption key that would unlock the encrypted files would be given.
While exhibiting the characteristics of a ransomware, both WannaCry and NotPetya were later found to be wipers – malware whose sole purpose was to destroy. Both WannaCry and NotPetya are considered as wipers, not ransomware, as despite paying ransom to the attackers, the attackers wouldn’t be able to give the correct decryption key as they themselves have no way of determining who paid the ransom and who didn’t.
Shamoon is another malware whose main purpose is destruction. In December 2018, Italian oil services firm Saipemreported that its servers based in the Middle East, India, Aberdeen and, in a limited way, Italy were infected by a variant of Shamoon malware. As typical effects of the Shamoon malware, Saipem said in a statement, the infection resulted in the "cancellation of data and infrastructures." Days after the statement, the company’s head of digital and innovation, Mauro Piasere, told Reutersthat the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines.
According to Symantec, the latest version of Shamoon is far more destructive than the original Shamoon as the latest version has a new, second piece of wiping malware called “Trojan.Filerase,” a malware that deletes and overwrites files on the infected computer; while the original Shamoon malware itself erases the master boot record of the computer, rendering the computer unusable.
Because of the Filerase malware in the latest Shamoon version, Symantec said, recovery becomes impossible, compared to the older version of Shamoon in which the “files on the hard disk may be forensically recoverable.”
Here are some cybersecurity best practices in order to help prevent or minimize the effects of destructive cyberattacks – attacks that are meant to destroy:
Keep All Software Up-to-Date
Installing the latest patch or security update in a timely manner is one of the ways to keep destructive attacks at bay. Patches or security updates fix known security vulnerabilities that are likely to be exploited by cyber criminals.
Back-up Important Data
Similar to safeguarding your organization’s data from natural disasters, including fire and flood, having a back-up of important data will enable your organization to bounce back from a debilitating destructive cyberattack.
Practice Network Segmentation
It’s also important to practice network segmentation – the process of dividing your organization’s network into subnetworks. Network segmentation ensures that in case an attacker is able to infiltrate one of your organization’s network, the other networks won’t be affected.
Hard Lessons from a Ransomware Attack
A regional county municipality in the province of Quebec, Canada has learned the hard lessons about cybersecurity after it suffered a paralyzing ransomware attack.
Bernard Thompson, reeve of Mekinac regional county municipality, told The Canadian Pressthat the ransomware attack that paralyzed the municipality’s servers gave the municipality hard lessons in cybersecurity. “In the end, in terms of the security of our system, [the ransomware attack] was actually positive,” Thompson said.
The cyberattack against Mekinac's servers highlights the importance of protecting your organization's servers against ransomware attacks.
How the Mekinac Cyberattack Unfolded
The Canadian Press reported that on September 10, this year, municipal employees, upon returning to work after a weekend break, found a ransomware notice on their working computers, informing them that their files are locked. The ransomware notices also specified that in order to unlock the files, a total of 8 Bitcoins, then equivalent to $65,000, must be paid to the attackers.
The municipality’s servers were disabled for nearly 2 weeks as a result of the ransomware attack. The attack ended when the municipality negotiated and paid $30,000-worth of Bitcoin as ransom payment to unlock the locked files.
“It was hard, clearly, on the moral side of things that we had to pay a bunch of bandits,” Thompson said. He said this was the road that the municipality took as choosing the other way could mean months of data re-entry, costing significantly more than $30,000.
Mekinac’s ransomware attackers are still unidentified and their location not determined to date.
What is a Ransomware Attack?
Ransomware is a malicious software (malware) that encrypts files. Encryption is traditionally used to prevent data theft. In encryption, plaintext or any other form of data is converted from a readable format into an encoded version – a format that can only be readable if one has access to a decryption key.
In a ransomware attack, attackers convert the victim’s data from a readable format into an encoded version and demand from the victim ransom payment in exchange for the decryption key.
Ransomware infects computers or servers in many ways. Here are some of the ways that ransomware infects computers or servers:
1. Email-Based Attack
In the case of the Mekinac ransomware attack, the municipality’s servers were infected by a ransomware after an employee opened and clicked on a link in a malicious email sent by the attackers. It wasn’t specified, however, what particular ransomware hit the Mekinac’s servers.
The ransomware called “Locky” is an example of a ransomware that’s spread via email spam campaigns. This ransomware arrives in a victim’s computer through a Microsoft Office email attachment that evades antispam filters and tricks the user to open the attachment. Once this malicious attachment is clicked, Locky encrypts computer files and then demands the victim to pay a ransom to unlock the encrypted or locked files.
2. Drive-By Attack
Drive-by attack is another way by which attackers infect computers or servers. Bad rabbit ransomware is an example of a ransomware that’s distributed via drive-by attacks.
In a drive-by attack, attackers insert a malicious code, in this case, a ransomware, into an insecure website. Once a user visits this compromised site, the malware may either directly download to the visitor’s computer or the visitor is redirected to another website controlled by the attackers and from there the malware is downloaded to the victim’s computer.
3. Unpatched Servers
The ransomware called “SamSam” is an example of a ransomware that infects servers when they’re in an unpatched state. An unpatched server is one that isn’t updated despite the availability of a security update.
Researchers at Cisco Talos, in a blog post, wrote, “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”
Lessons from Ransomware Attacks
Thompson, reeve of Mekinac regional county municipality, said that the ransomware attack on Mekinac’s servers taught the municipality to encrypt everything and to analyze every email. “Everything is encrypted now,” Thompson said. “Every email is analyzed before we even receive it. Every day, our system catches malicious emails trying to penetrate – but they are stopped. But the attacks keep coming.”
In addition to encryption and email scanning, here are additional best practices in order to protect your organization’s servers from ransomware attacks:
Back Up Important Files
Back up files that are stored in safe storages that aren’t connected to your organization’s servers give your organization assurance that if anything happens with the servers, for instance, a ransomware attack, your organization will still have other copies of the important files. This eliminates the pressure of paying ransom to attackers for the decryption key to unlock the locked files.
Keep All Software Up-To-Date
Make sure that all your organization’s software, specifically the server operating system, are up-to-date. Every security update or patch issued by software vendors contains fixes of security vulnerabilities that cybercriminals are quick to exploit.
Implement Domain Whitelisting
Whitelisting certain domains won’t prevent drive-by download attacks, but it’ll prevent secondary malicious websites from loading.
Limit the Number of Users with Administrator Privileges
A computer user with administrator privileges can install and uninstall software and change configuration settings. Limiting this privilege to a limited number of personnel limits the exposure of your organization’s servers to drive-by attacks.
When your organization needs help, our experts are a phone call away. Contact ustoday to prevent ransomware attacks.
Difference Between Malware Outbreak and Ransomware Attack
Are malware outbreak and ransomware attack the same or are they totally different?
The Canadian restaurant chain Recipe Unlimited prefers using the phrase “malware outbreak” over the phrase “ransomware attack”. In a statementissued last October 1, Recipe Unlimited said that it has been experiencing a partial network outage as a result of a “malware outbreak” since September 28, this year. The company didn’t go into details what type of malicious software (malware) infected its IT system.
Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.
To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access to affected locations. These precautionary measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those open can only accept cash.
CBC, on the other hand, got hold of a screencap of the ransom note that appeared on the computer compromised by attackers in the Recipe Unlimited’s attack.
The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".
When contacted by CBC, the spokesperson of Recipe Unlimited denies that the company’s data is being held for ransom by attackers. "We maintain appropriate system and data security measures," Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.
What Is Ryuk?
Ryuk is categorized as a ransomware – a malware that encrypts or locks files in hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.
Some of the victims paid exceptionally large ransom in order to retrieve their files. Back in August this year, Check Point researchers reported that Ryuk attackers earned over $640,000 from ransom payments paid in varying amount (ranging between 15 BTC to 50 BTC) from victims worldwide.
According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES” – the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.
The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".
What Is a Malware Outbreak?
Malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.
Here are some measures in preventing a malware outbreak or ransomware attack, as well as some of the security best practices in handling such outbreak or attack:
Keep All Software Up-to-Date
Keep all your organization’s software up-to-date as cyberattackers are known to infiltrate networks using known software security vulnerabilities that are already patched by software vendors.
Practice Network Segmentation
Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that in case one subnetwork is infected by a malware, the other subnetworks won’t be infected.
Contain the Outbreak
It’s important to contain the outbreak. Many ransomware programs have a worm capability. This means that the ransomware has the ability to spread itself within networks without user interaction.
One of the effective means of containing the outbreak is by quickly disconnecting infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One of the side-effects of containment is that this will affect the operation of other non-infected systems in the network.
Full Malware Eradication Process
Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system is a security risk. Full eradication process is necessary in parallel with the containment process.
Backup Critical Files
Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have a leverage in your organization’s impacted systems as backups can easily be restored, rendering the attackers’ demand for ransom futile.
When you need help, contactour cybersecurity experts and protect your data.
U.S. Justice Dept. Charges Alleged Member of Lazarus Group Over WannaCry Cyberattack
The U.S. Justice Department has formally charged a North Korean national, believed to be a member of the notorious hacking group known as “Lazarus” over WannaCry cyberattack and two other high-profile attacks, the Sony Pictures cyberattack and the cyberheist at the Bangladesh Bank.
The Justice Department filed a criminal complaintlast June 8, 2018 against North Korean national Park Jin Hyok for WannaCry, Sony and Bangladesh Bank cyberattacks. This criminal complaint though wasn’t made public when it was filed. It was only made public during the recent announcement by the Justice Department.
The WannaCry, Sony and Bangladesh Bank cyberattacks are among the notorious cyberattacks in recent years. On May 12, 2017, WannaCry cyberattack shook the online world after it locked down more than 300,000 computers in over 150 countries in less than 24 hours and demanded ransom payment from victims.
The Sony Pictures cyberattack in November 2014 stunned the company after thousands of its computers were rendered inoperable and unreleased movie scripts and other confidential information were made public.
The cyberheist at the Bangladesh Bank shook the financial sector in February 2016, after the fraudulent transfer of $81 million from the bank. To date, this $81-million fraudulent bank transfer is the largest successful cybertheft from a financial institution.
The criminal complaint, specifically filed by Federal Bureau of Investigation (FBI) Special Agent Nathan Shields, stated that there’s sufficient evidence that shows Park was a member of the conspiracies that resulted to the WannaCry, Sony, Bangladesh Bank successful intrusions as well as attempted intrusions, including the attempted intrusion at the U.S. defense contractor Lockheed Martin.
Shields said that Park, a computer programmer, used to work at a China-based company Chosun Expo. This company, Shields said, is a "North Korean government front company for a North Korean hacking organization”.
Cybersecurity organizations like Symantec, BAE Systems and Kaspersky Lab have called this North Korean hacking organization as “Lazarus”.
"While some of these computer intrusions or attempted intrusions occurred months or years apart, and affected a wide range of individuals and businesses, they share certain connections and signatures, showing that they were perpetrated by the same group of individuals (the subjects),” Shields said.
Shields said that there are numerous connections between Park, his true-name email and social media accounts, and the operational accounts used by the Lazarus group to conduct the successful intrusions and attempted intrusions.
According to Shields, the strongest link between the Lazarus group and the successful intrusions in WannaCry, Sony and Bangladesh Bank, and the attempted intrusion in Lockheed Martin is the FakeTLS table.
Shields said the FakeTLS table was found in WannaCry Version 0. It was also found in all three samples of Macktruck malware found at Sony attack, the Macktruck malware found in a spear-phishing document used in the attempted intrusion at Lockheed Martin, and the Nestegg malware found at Bangladesh Bank cyberheist.
TLS, short for Transport Layer Security, refers to a cryptographic protocol that’s used to increase the security of communications between computers. The “FakeTLS”, meanwhile, refers to a protocol that mimics authentic encrypted TLS traffic, but actually uses a different encryption method. By utilizing “fake” TLS, Shields said, attackers can carry on communications without tripping security alerts as many intrusion detection systems “ignore the traffic because they assume the contents cannot be decrypted and that the traffic is a common communication protocol”.
Shields added that the following technical similarities connect the malware used in WannaCry, Sony, Bangladesh Bank and Lockheed Martin:
Kaspersky Lab, for its part, said Lazarus is operating a malware factory that produces new samples via multiple independent conveyors. “The scale of the Lazarus operations is shocking,” Kaspersky Lab said.
Kaspersky Lab also agrees that Lazarus group was responsible for the WannaCry, Sony and Bangladesh Bank attacks.
According to Kaspersky Lab, from December 2015 to March 2017, its researchers collected malware samples relating to Lazarus group activity which appeared in financial institutions, casinos, software developers for investment companies and cryptocurrency businesses. Kaspersky Lab researchers found that although the Lazarus group was careful enough to wipe any traces of their illegal activities, one server that the group breached contained a serious mistake with an important evidence left behind.
The compromised server, Kaspersky Lab said, was used as a command and control center for a malware. While the group tested the compromised server using VPN/proxy servers to conceal their true IP address, the group committed one mistake as one connection came from a very rare IP address range in North Korea, Kaspersky Lab said.
Symantec, for its part, said there’s a strong link between Lazarus and WannaCry, Sony and Bangladesh Bank attacks.
According to Symantec, evidence gathered from an early version of WannaCry malware found three other malware: Trojan.Volgmer and two variants of Backdoor.Destover – software programs that were used as disk-wiping tools used in the Sony attack. Symantec added that WannaCry shares a code with Backdoor.Contopee – a malware used by the Lazarus group in intrusions at banks.
The attack methods of Lazarus group keep on evolving. One form of cyberdefense, therefore, isn’t enough to counter these attacks. Here are some of the attack methods used by the Lazarus group and corresponding preventive measures:
1. Exercise Caution in Clicking Links
One of the intrusion methods used by Lazarus is via spear-phishing email. According to the FBI, the group made an exact copy of a legitimate Facebook email but the hyperlinked text “Log In” that supposedly lead to the official Facebook page instead goes to a URL controlled by the group and directed victims to a malware.
2. Exercise Caution in Visiting Websites
One of the intrusion methods used by Lazarus, according to Kaspersky Lab, is by hacking government websites through known security vulnerabilities. When a target visits said compromised government website, the target’s computer then becomes infected.
3. Keep All Software Up-to-Date
The simple reason that the Lazarus group was successful in its WannaCry attack is that many have failed to update their Windows operating system. WannaCry Version 2, the one that hit worldwide on May 12, 2017, compromised Windows operating systems that fail to install Microsoft’s March 14, 2017 security update and older versions of Windows that were no longer supported, including Windows XP, Windows 8, and Windows Server 2003.
How to Avoid Being a Victim of Email-Based Ransomware
The latest version of the ransomware called “GandCrab” is an example of how cyber attackers bait their ransomware victims through email spam campaign.
Last month, security researchers at Fortinet observed a surge in an email spam campaign delivering the latest version of GandCrab ransomware.
GandCrab ransomware is a malicious software (malware) that encrypts files on the compromised computers, locks out users and demands a payment to decrypt or unlock the files.
How Ransomware Victims Are Baited via Email Spam Campaign
The latest version of GandCrab ransomware works by employing spam emails. While these spam emails don’t target specific individuals, it targets specific countries as emails in the US are the primary recipients of this spam campaign, followed by emails in the UK and emails in Canada.
Receivers of these spam emails are tricked into opening these malicious emails as the attackers use these subjects commonly used by people working in an organization:
Once the malware is downloaded to a compromised computer, all the files in the computer are then encrypted, preventing the user to access the files and a ransom note is posted on the computer screen.
This ransom note directs the user to a site using the TOR browser – a browser designed to protect privacy and anonymity. Once accessed, this site tells the victim that files on the compromised computer have been encrypted. The victim is asked to pay USD 800 within a certain period. If payment isn't done within the allowed period, the cost of decrypting the files is doubled.
GandCrab Ransomware Earlier Versions
The first version of GandCrab ransomware first appeared in the wild on January 30, 2018.
This early version of GandCrab ransomware was distributed as well via spam emails purporting to be invoices. The early version of GandCrab ransomware was also distributed via malicious advertisements (malvertisements) linked to malicious websites where the downloading of the GandCrab ransomware is then initiated.
Similar to the latest version of GandCrab, the first version spread into the wild and encrypts the files on the compromised computer. Instead of asking ransom payment in the form of US dollars, the first version of GandCrab asks for a ransom payment in the form of Dash cryptocurrency – the first time this cryptocurrency has been used in a ransomware campaign. In the past, ransomware attackers preferred cryptocurrencies Bitcoin and Monero as ransom payment.
According to Europol, European Union’s law enforcement agency, GandCrab ransomware is run as an affiliate program or ransomware-as-a-service. Anyone who wants to join the GandCrab affiliate program pays 30% to 40% of the ransom revenues to its creator and in return gets a full-featured web panel and technical support.
According to Check Point, as of March 13, 2018, GandCrab has infected over 50,000 computer systems and received an equivalent of USD 300,000 to USD 600,000 in ransom payments.
A tool to decrypt files encrypted by GandCrab (version 1)was developed by a combined effort of the Romanian authorities, Bitdefender and Europol and made available to the public for free.
According to Check Point, the decryptor tool wasn’t a result of a cryptographic breakthrough. It was, however, borne out of the law enforcement arm’s access to the ransomware’s master server, enabling the law enforcement arm to recover all private keys that had been used to perform the encryption made by GandCrab (version 1), evident with the decryptor tool’s dependence on an available victim ID.
Developers of GandCrab, however, regular modify the ransomware, making the decryption tool developed by the Romanian authorities, Bitdefender and Europol useless as it won't bring the files back.
Paying the ransom for the latest version of GandCrab is, therefore, not advisable as this doesn’t guarantee that the attackers have the capability or any intention to decrypt files.
Social Engineering Feature of GandCrab Ransomware
As can be gleaned from the different versions of GandCrab ransomware, social engineering is employed.
Social engineering cyberattack happens when an attacker uses a typical form of human interaction to obtain information about an organization or to compromise the organization’s computer systems.
Today’s human interaction now involves technology. Many human interactions now happen via email exchanges – a form of online communication that withstands even with the advent of new forms of communications like instant messaging, social networking and online chat.
GandCrab isn't the only ransomware that relies on spam emails for its distribution. Other notorious ransomware like Spora and Locky are also distributed through spam emails. For instance, on August 28th last year, in just a matter of 24 hours, over 23 million spam emails were sent carrying the Locky ransomware.
Interesting to note that these 3 ransomware GandCrab, Spora and Locky tricked their victims into opening email attachments laden with ransomware by using the subject “Invoice”.
Here are some of the best practices on how to avoid being a victim of email-based ransomware like GandCrab:
Bad Rabbit Ransomware, New variant of NotPetya, Is Spreading
Bad Rabbit ransomware, a new variant of NotPetya, is spreading across Eastern Europe and other parts of the world.
According to the Russian News Agency TASS, Bad Rabbit ransomware attacked the Russian mass media and Ukraine’s airport and subway. Symantec reported that Bad Rabbit primarily attacked Russia (86%), followed by Japan (3%) Bulgaria (2%), Ukraine (1%), US (1%) and all other countries (7%).
NotPetya versus Bad Rabbit
NotPetya is a malicious software (malware) that was released into the wild in June of this year. It wreaked havoc to thousands of computers worldwide, including Belgium, Brazil, Germany, Russia and the US. Merck, Nuance Communications, FedEx are some of the victims of NotPetya.
Similar to NotPetya, users of computers infected by Bad Rabbit received a notice that their files are encrypted. Both malware have the same style of ransom note, suggesting to victims to pay certain amount to get access to files. Both are worms, which mean that they’ve the ability to self-propagate – self-reproduce by infecting other computers in the network.
One stark difference between NotPetya and Bad Rabbit is the use of self-propagation tools. While NotPetya self-propagates using EternalBlue and EternalRomance, Bad Rabbit self-propagates by only using EternalRomance.
EternalBlue and EternalRomance are just two of the many exploits released in April of this year by the group called “Shadow Brokers”. The group claimed that EternalBlue, EternalRomance and the other hacking tools they’ve released were used by the National Security Agency (NSA) in exploiting the vulnerabilities in Windows operating system. According to Microsoft, it released a security update or patch dated March 17, 2017, fixing the vulnerabilities exposed by Shadow Brokers.
The second difference between NotPetya and Bad Rabbit is that NotPetya is a “wiper” rather than a ransomware. A wiper’s aim is to wipe out or delete all computer files for good, while ransomware’s aim is to generate money from victims. None of the victims of NotPetya were able to unlock their encrypted files. According to Symantec, its analysis of Bad Rabbit confirms that it’s not a wiper as the encrypted files can be recovered if the key is known.
How Bad Rabbit Works
Bad Rabbit infects victims’ computers in the following manner:
The first contact of victims of Bad Rabbit is via watering holes – legitimate websites that are altered by cybercriminals. Bad Rabbit compromised many popular websites in the affected countries.
Once a victim visits one of these compromised sites, Bad Rabbit malware is dropped or downloaded into the victim's computer as a fake software update to Adobe Flash Player.
Bad Rabbit malware masquerading as an update to Flash Player enters the victim’s computer by employing social engineering – convincing the victim that there’s a need to update his or her Flash Player. In the middle of the computer screen, a popup shows up asking the user to download an update for Flash Player.
Once the fake Adobe Flash Player "Install" button is clicked, the Bad Rabbit malware drops five open-sourced tools described below into the victim’s computer. According to Symantec, the download originates from a particular domain. It’s possible though that victims may have been redirected there from another compromised sites, Symantec said.
Mimikatz is an open-sourced tool used for changing privileges and recovering Windows passwords in plaintext.
In addition to Mimikatz, Bad Rabbit also uses a hardcoded list of commonly used default passwords in attempting to guess Windows passwords.
ReactOS is an open-sourced tool that’s used as an alternative to Windows operating system. The use of ReactOS, according to Symantec, reduces the amount of detectable suspicious activity on an infected computer.
DiskCryptor is an open-sourced tool that’s used to perform encryption. After individual files in the victim’s computer are encrypted, Bad Rabbit will then conduct a full disk encryption. Once the system is restarted, a ransom note is displayed, demanding a ransom amounting to 0.05 Bitcoin (US$280).
Bad Rabbit spreads to other vulnerable computers in the network by using EternalRomance, an exploit that bypasses security over Server Message Block (SMB) – referred to as the transport protocol used by computers using Windows operating system for a variety of purposes, including file sharing, printer sharing and access to remote Windows services.
According to researchers at RiskIQ, long before the distribution of Bad Rabbit ransomware last October 24th, cyber attackers have already compromised the affected websites used as watering holes. The researchers said that they “can track the distribution vector back to early 2016 showing that victims were compromised long before the ransomware struck.”
"The thing we do not understand at this point is why they decided to burn this information position to mass distribute the Bad Rabbit ransomware rather than save it for another type of malware," RiskIQ researchers said.
How to Prevent Bad Rabbit Attacks
As Bad Rabbit uses factory or default passwords, it’s important to protect your computer with a strong password. This security measure, however, isn’t enough to protect you from Bad Rabbit.
Bad Rabbit self-propagates by using the hacking tool EternalRomance. A security update or patch that stops EternalRomance has already been made available by Microsoft since March 17, 2017.
"Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware,"
In an effort to keep your all software up-to-date, be careful though of falling into traps of fake updates.
Fake Adobe Flash Player update has long been the favorite of many cyber criminals as they always find security vulnerabilities of this software. If an update pops up in your monitor, don’t click the button, and visit the official Adobe website for updates.
Massive Locky Ransomware Campaign Attempts to Infect Millions of Computers in 24 Hours
Locky is the first ransomware to make $1 million per month based on a Google-led study (PDF). After lying low in the first half of 2017, this notable ransomware made a massive comeback last August 28th, unleashing 23 million malicious emails in just 24 hours.
"In the past 24 hours we have seen over 23 million messages sent in this [Locky Ransomware] attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017," researchers at AppRiver said.
How the Latest Locky Ransomware Works
Millions of workers who returned to work on Monday, August 28th, received an email with subject lines “please print”, “documents”, “photo”, “images”, “scans” and “pictures”.
Each email comes with a ZIP attachment containing a Visual Basic Script (VBS) file. Once opened, this VBS file initiates the downloading of the latest version of Locky ransomware. All the files on the infected computer are then encrypted –conversion of computer data into ciphertext, a data form that can only be read using a decryption secret key or password. After the data encryption, victims are instructed to install the TOR browser and provided with a .onion, also known as dark web site. Below is the screencap of the dark web site.
The dark web site shows a victim how to purchase Bitcoins. It also tells the victim to send .5 Bitcoin – equivalent to a staggering $2,381 – to a certain Bitcoin address as payment to supposedly unlock the encrypted files.
The latest Locky strain was reported last August 17th this year by researchers at Fortinet. The latest strain uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. Rommel Joven, one of the Fortinet researchers who discovered the latest Locky variant, tweeted last August 17th that this variant is the second modification of Locky in over a week.
Last August 14th, Fortinet researchers identified the predecessor of the Lukitus Locky variant called "Diablo6", named after the “.diablo6” extension to its encrypted files.
“It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters," Fortinet researchers said about the Diablo6 Locky variant. This variant similarly spreads through spam emails – each containing a VBS attachment. Once clicked, the VBS file downloads the Locky variant from a compromised URL or webpage.
History of Locky Ransomware
Locky ransomware was first distributed into the wild in early February 2016. Based on the Google-led study, Locky was the highest grossing ransomware in 2016, earning a total of $7.8 million.
Locky’s notoriety rose when it victimized an American hospital in early February 2016. The hospital publicly acknowledged (PDF) that it was a victim of a malware that locked access to certain hospital computers by encrypting the files and demanding ransom payment worth 40 Bitcoins (equivalent to $17,000 at that time) for the decryption key. The hospital said that it paid $17,000 as it was the “quickest and most efficient way to restore our systems and administrative functions”.
According to Fortinet researchers, from February 19, 2016 to September 15, 2016, Locky's total hits reached 36,314,789, mostly affecting computer users in the U.S., France, Japan, Kuwait, Taiwan and Argentina.
Modifications of Locky ransomware aren’t limited to the Lukitus and Diablo6 variants. In its more than a year existence into the wild, creators of Locky ransomware periodically make changes to this malicious software. Aside from “.lukitus”, “.diablo6”, Locky’s creators also used “.locky”, “.zepto” and “.odin” as names of extension to its encrypted files.
Different variants of Locky were spread in 2 ways: 1) spam emails and 2) compromised websites.
One of the main paths of Locky infection is through spam email campaigns. The following are some of the subject lines used in spam emails to the spread the Locky ransomware:
An email with the subject line "Scanned image from MX-2600N” may look innocent enough. But the use of such subject line is a product of a sophisticated campaign – a plan to mislead many employees into clicking the spam email.
The term “MX-2600N” is actually the most popular model of Sharp scanner/printer that’s used by many offices. Many employees use this model to scan documents and email them to themselves or other people. So, when they see an email with the subject “MX-2600N”, they’re tricked into thinking that they’re opening an email that they’ve sent to themselves.
According to Fortinet researchers, Locky’s spam email campaigns in the past contained the following attachments:
The other attack path used by Locky ransomware is via compromised websites that redirect to Nuclear or Neutrino Exploit Kit. Unlike in a malicious email campaign whereby the victim has to open an email and click on the attachment, an exploit kit like Nuclear or Neutrino doesn’t require added action from the end user. An exploit kit works like a ghost while a potential victim is browsing a compromised website. In the case of Locky ransomware, the exploit kit acts as the distributor of the malware to the victim’s computer.
How to Prevent Locky Ransomware Attacks
Here are some of the ways to block Locky ransomware attacks:
1. Use Up-to-Date Browser and Software
“Using up-to-date browser and software remains to be the most effective mitigation against exploit kits,” Microsoft said. “Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.
2. Exercise Caution When Opening Emails and Attachments
Be wary about opening emails from unknown senders. When in doubt about an email, ignore it, delete it and never open attachments or click on URLs.
When you need help protecting your infrastructure and your data, connect with our team and we will be more than happy to help.
4 Lessons Small Businesses Can Learn from WannaCry and NotPetya Cyber Attacks
WannaCry and NotPetya, also known as Petya, have been the most talked about cyber attacks in the past three months. WannaCry was released into the wild in May this year; NotPetya in June this year.
Their popularity is understandable given that the combined victims of these two cyber attacks reached hundreds of thousands worldwide, with WannaCry affecting over 300,000 computers in 150 countries; NotPetya affecting over 12,500 computers in 65 countries.
Most importantly, these two cyber attacks, labeled as ransomware – malicious software that encrypts computer data and asks for ransom money to unlock it – victimized big corporations and big government institutions worldwide.
WannaCry disrupted the operations of UK’s National Health Service, U.S. express delivery company FedEx and Renault's assembly plant in Slovenia. NotPetya, on the other hand, disrupted the operations of the Chernobyl nuclear plant, U.S.-based pharmaceutical company Merck and Danish shipping firm Maersk.
While big corporations affected by NotPetya such as Nuance, TNT Express, Saint-Gobain, Reckitt Benckiser Group and Mondelēz International publicly acknowledged that their operations have been disrupted, and they have suffered economic losses because of the attack, these big corporations have proven their resilience.
“If a public breach damages a brand and causes customers to switch to a competitor, a larger business can weather the impact better than a smaller business,” Cisco said in its 2017 midyear cyber security report. “When attackers breach networks and steal information, small and medium-sized businesses (SMBs) are less resilient in dealing with the impacts than larger organizations.”
Here are 4 lessons small businesses can learn from WannaCry and NotPetya cyber attacks:
1. Use the Latest Operating System
Users of old operating systems are vulnerable to cyber attacks.
Majority of NotPetya ransomware infections, according to Microsoft in a bulletin dated June 29, this year, were observed in computers using Windows 7. Windows 10, on the other hand, according to Microsoft is resilient against the NotPetya ransomware attack.
For WannaCry, users of old Microsoft operating systems – in particular, Windows XP, Windows 8 and Windows Server 2003 – fell victim to this malicious software. Microsoft ended its support for Windows XP on April 8, 2014; Windows Server 2003 on July 14, 2015; and Windows 8 on January 13, 2016.
For Windows XP, Microsoft issued this statement:
"After April 8, 2014, Microsoft will no longer provide security updates or technical support for Windows XP. Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. PCs running Windows XP after April 8, 2014, should not be considered to be protected, and it is important that you migrate to a current supported operating system – such as Windows 10 – so you can receive regular security updates to protect their computer from malicious attacks."
In the paper “The hackers holding hospitals to ransom” published in the British Medical Journal (BMJ) two days before the WannaCry attack, Krishna Chinthapalli, a doctor at the National Hospital for Neurology and Neurosurgery in London, found that a number of British hospitals were using Windows XP, an operating system introduced by Microsoft in 2001.
2. Install Security Update of the Latest Operating System
Even if you’re using the latest operating system and you fail to install the latest security update or patch, your computers are still vulnerable to cyber attacks.
Users of Windows 10 – the latest operating system from Microsoft – who failed to install the security update released by Microsoft on March 14, 2017 fell victim to WannaCry.
Microsoft said that its March 14, 2017 update resolves vulnerabilities in Microsoft Windows that “could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.” WannaCry exactly exploited this specific security vulnerability mentioned in the March 14th update by Microsoft.
3. Paying Ransom Isn’t a Guarantee that You’ll Get Your Data Back
In a typical ransomware, computer data is encrypted, a ransom note is shown on the computer screen of the victim, the victim pays and the victim recovers data as the data is decrypted.
WannaCry victims paid close to $100,000 – paid in bitcoins; NotPetya victims paid close to $10,000. These earnings are stark contrast to the number one top grossing ransomware Locky which earned $7.8 million, and the second top grossing ransomware Cerber which earned $6.9 million based on the data provided in a Google-led study (PDF).
The reason why these two didn’t earn that much bitcoins is that many victims early on knew that these malicious programs couldn’t restore their data despite paying ransom. According to the Google-led study, WannaCry and NotPetya are "impostors” as they are in reality “wipeware” pretending to be ransomware.
Matt Suiche from Comae Technologies concluded that NotPetya is a wiper as it “does permanent and irreversible damages to the disk”. Suiche differentiates a wiper and a ransomware, this way: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”
Victims of NotPetya also can’t pay ransom as the payment email address isn’t accessible anymore. The email address specified in the NotPetya ransomware notice was immediately blocked by the email provider Posteo. The perpetrator or perpetrators of NotPetya also didn’t replace the blocked address with another one.
In the case of WannaCry, McAfee researchers found that while WannaCry can decrypt files, “WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.”
4. Backup Your Data
Make your organization resilient to cyber attacks by backing up your critical data. You can always get back your operating system or other software applications by reinstalling them. It may, however, be impossible to recreate your data lost to cyber criminals. It’s important then to always backup your critical data.
Backing up data on a regular basis isn’t just helpful in case cyber attackers corrupt your data, it’s also valuable in case your computers are stolen or destroyed as result of fire or other disasters.
Steve E. Driz