How to Strengthen Cloud Backups Against Ransomware
Cloud backup is an important defense against ransomware attacks. Cloud backups, however, have recently been targeted by ransomware attackers.
In a ransomware attack, the computer or the data within it is encrypted, preventing users from accessing the computer or data. The lack of backups forces many victims to pay ransom in exchange for the decryption keys that would unlock these locked computers or locked data.
As many organizations have migrated their daily operations to the cloud, many have migrated their backups to the cloud as well. For many organizations, cloud backups have given them a false sense of security.
If not configured properly, cloud backups could easily be stolen, deleted and, in a worst-case scenario, used against your organization. The group behind the ransomware called “DoppelPaymer” recently published on their leak website the admin username and password for a Veeam user account owned by one of DoppelPaymer ransomware’s victims who refused to pay ransom.
Switzerland-based Veeam is a software company that develops cloud backup software. DoppelPaymer is the latest addition to the number of ransomware programs that establish leak websites to shame victims who refuse to pay ransom. Stolen data belonging to the victims prior to encryption are published on these leak websites.
"Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options," the group behind DoppelPaymertold Bleeping Computer.
How Cybercriminals Compromise Cloud Backups
Ransomware attackers often initially compromise victims’ computers through phishing campaigns or exposed RDP. In phishing campaigns, attackers trick victims into opening malicious emails containing malicious links or attachments. Opening these malicious links or attachments could lead to the downloading of the actual ransomware onto the victims’ computers.
Exposed RDP is another gateway for ransomware attackers into victims’ networks. RDP, short for Remote Desktop Protocol, is a protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Exposed RDP endpoints, meaning those that use weak passwords and lack multi-factor authentication, virtual private networks (VPNs) and other security measures, are targeted by cybercriminals as an initial entry point into their victims’ networks.
The group behind the ransomware called “Maze” told Bleeping Computer that cloud backup credentials are used to restore the victims’ data stored in the cloud to servers under the group’s control. Maze ransomware started the trend among ransomware operators of establishing leak websites in order to shame victims who refuse to pay ransom.
"Yes, we download them [data stored in the cloud],” the group behind Maze ransomware told Bleeping Computer. “It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to data breach detection software.”
Operators of the DoppelPaymer and Maze ransomware, however, didn’t elaborate to Bleeping Computer on how they were able to gain access to their victims’ cloud backups. In the case of users using the Veeam software for cloud backups, the use of Mimikatz, combined with Veeam being configured to use Windows authentication, could have led to the compromise of these cloud backups.
Once malicious actors gain access to their victims’ networks, they systematically move through the network, for instance, via the use of Mimikatz – an open-source application that allows attackers to view and save Windows authentication credentials. The attackers then use these stolen Windows authentication credentials to access cloud backups that use the Veeam software, as some administrators configure Veeam to use Windows authentication.
Cybersecurity Best Practices in Securing Your Organization’s Cloud Backups
In a white paper released by Veeam, the company said that one of the best practices in securing your organization’s cloud backups is through the use of different credentials for cloud backups. “One of the key characteristics of ransomware is its ability to propagate,” Veeam said. “By using different credentials within the Veeam infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both Windows and Linux accounts, Windows and Veeam Cloud Connect, etc.”
It’s also important to follow the time-tested 3-2-1 rule:
3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, cloud backup).
Following the 3-2-1 rule, aside from cloud backup, it’s also important to keep a backup on-premise or on-site. This on-premise backup must be kept offline to ward off ransomware attackers. Aside from attacking cloud backups, ransomware attackers have targeted on-premise backups exposed to the internet.
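The 3-2-1 rule, the offline on-premise copy and the separate-credentials advice above can be checked mechanically against a backup inventory. The following is an added example, not code from Veeam or from the original article; the inventory fields, the finding codes and both sample inventories are constructed for illustration.

```python
from typing import NamedTuple


class Copy(NamedTuple):
    name: str
    role: str      # "primary" or "backup"
    media: str     # e.g. "disk", "tape", "object-storage"
    offsite: bool  # stored away from the primary site (cloud counts)
    online: bool   # reachable from the production network or the internet
    auth: str      # credential mechanism guarding access to this copy


def audit(copies, production_auth="windows-domain"):
    """Return (code, detail) findings; an empty list means every check passed."""
    findings = []
    primaries = [c for c in copies if c.role == "primary"]
    backups = [c for c in copies if c.role == "backup"]

    # 3: one primary and two backups.
    if not primaries or len(backups) < 2:
        findings.append(("COPIES", f"{len(primaries)} primary, {len(backups)} backup"))
    # 2: at least two different media types.
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(("MEDIA", f"only {sorted(media)}"))
    # 1: at least one backup stored offsite.
    if not any(c.offsite for c in backups):
        findings.append(("OFFSITE", "no backup is stored offsite"))
    # The on-premise backup must be kept offline.
    if not any(not c.offsite and not c.online for c in backups):
        findings.append(("OFFLINE", "no on-premise backup is offline"))
    # At least two credential mechanisms across the infrastructure.
    if len({c.auth for c in copies}) < 2:
        findings.append(("CREDS", "one credential mechanism guards everything"))
    # A reachable backup that accepts production credentials falls with them,
    # which is the stolen-Windows-credentials scenario described earlier.
    for c in backups:
        if c.online and c.auth == production_auth:
            findings.append(("SHARED_AUTH", f"{c.name} accepts {production_auth}"))
    return findings


# Constructed inventories, not taken from any real environment.
WEAK = [
    Copy("file-server", "primary", "disk", False, True, "windows-domain"),
    Copy("nas-share", "backup", "disk", False, True, "windows-domain"),
    Copy("cloud-repo", "backup", "object-storage", True, True, "windows-domain"),
]
HARDENED = [
    Copy("file-server", "primary", "disk", False, True, "windows-domain"),
    Copy("tape-vault", "backup", "tape", False, False, "linux-local"),
    Copy("cloud-repo", "backup", "object-storage", True, True, "cloud-connect"),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(inventory) or "all checks passed")
```

The weak inventory satisfies the literal 3-2-1 counts yet still fails, because every copy is online and reachable with the same Windows credentials.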
In the past few months, ransomware attackers have targeted Network Attached Storage (NAS) devices. NAS is a storage and backup system that consists of one or more hard drives.
To gain access to NAS devices, attackers use brute-force attacks, that is, guessing the correct username and password combination through trial and error. Attackers also exploit security vulnerabilities that remain unpatched, either because the vendor has not issued a security update or because the NAS device user has not installed the vendor’s available security update in a timely manner.
Growing Threat of Ransomware Reinfection
Switzerland's cybersecurity body, the Reporting and Analysis Centre for Information Assurance (MELANI), has cautioned local SMEs and large organizations against paying ransomware attackers due to the risk of ransomware reinfection.
In a recent advisory to local organizations in Switzerland, MELANI said it’s aware of cases in Switzerland and abroad where the same organizations have been victims of ransomware attacks several times within a very short period of time. Ransomware is a type of malicious software (malware) that encrypts victims’ files and forces victims to pay ransom in exchange for the decryption keys that would unlock the encrypted files.
According to MELANI, even if a ransom is paid, there’s no guarantee that the ransomware attacker will decrypt the data. Switzerland's cybersecurity body also cautioned that even when ransom payment is made, leading to the decryption of the encrypted data, the underlying infection of some ransomware will remain active. “As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware,” MELANI said.
Emotet and TrickBot are two of the malware programs cited by Switzerland's cybersecurity body that could cause ransomware reinfection on victims’ computers even after ransom payment and after decryption.
In October 2019, the Canadian Centre for Cyber Security issued an alert to organizations in Canada about the 3-in-1 infection process involving 3 malware programs: Emotet, TrickBot and Ryuk. According to the Canadian Centre for Cyber Security, Emotet, TrickBot and Ryuk ransomware are part of a 3-stage infection process, with Emotet as the first malware downloaded, TrickBot as the second malware downloaded, and Ryuk ransomware as the last malware deployed against victims’ networks by an organized and prolific actor or group of actors.
Emotet, first detected in 2014, is a malware that’s distributed through emails containing malicious links or attachments. Victims are tricked into clicking these malicious links or attachments as the group behind Emotet uses branding familiar to the recipients.
According to the US Cybersecurity and Infrastructure Security Agency, once Emotet is downloaded on the victim’s computer, this malware uses a credential enumerator in the form of a self-extracting RAR file. This credential enumerator, the US cybersecurity body said, contains two components: a bypass component and a service component. The bypass component is used to find writable share drives using SMB or to brute force (attempt to crack a password or username using a trial-and-error method) users’ accounts, including the administrator account. The service component, meanwhile, writes Emotet onto the compromised computer’s disk.
SMB, short for Server Message Block, is a network protocol used by computers running Microsoft Windows that allows systems within the same network to share files. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US Cybersecurity and Infrastructure Security Agency said.
Once the attacker gains access on the victim’s network via Emotet, the Trickbot malware is then downloaded and distributed to the compromised systems.
Trickbot, first detected in 2016, is a malware with capabilities similar to those of Emotet. Like Emotet, Trickbot can brute force users’ accounts and spread onto as many computers as possible using SMB.
Analysis of the Trickbot showed that this malware uses PowerShell Empire, a publicly available tool. Designed as a legitimate penetration testing tool in 2015, PowerShell Empire has become a favorite tool among the well-financed threat groups.
PowerShell Empire allows an attacker to escalate privileges, harvest credentials, exfiltrate information, and move laterally across the victim’s network. PowerShell Empire is difficult to detect on a network using traditional antivirus software as it operates almost entirely in memory, and it also uses PowerShell, a legitimate application. Empire also allows an attacker to install Ryuk ransomware on high-value targets.
According to the Canadian Centre for Cyber Security, Trickbot’s capabilities allow it “to map out the network and give the malicious actor a better understanding of the target, including the value of the data.”
Ryuk ransomware first appeared in 2018. On its own, this ransomware doesn’t have the ability to spread onto as many machines as possible within a network, hence the dependency on other malware such as Emotet and Trickbot.
“The Ryuk ransomware itself does not contain the ability to move laterally within a network, hence the reliance on access via a primary infection, but it does, however, have the ability to enumerate network shares and encrypt those it can access,” UK's National Cyber Security Centre said. “This, coupled with the ransomware’s use of anti-forensic recovery techniques (such as manipulating the virtual shadow copy), is a technique to make recovering from backups difficult.”
Preventive and Mitigating Measures Against Ransomware
Every so often malware programs such as Emotet, Trickbot and Ryuk are able to access victims’ networks as a result of ignoring basic cybersecurity measures. Here are some basic cybersecurity measures in order to protect your organization’s network against malware such as Emotet, Trickbot and Ryuk:
In the case of a Ryuk infection, it’s important to note that cleaning up the affected computers isn’t enough: these “cleaned” computers could still be reinfected, as the malware associated with Ryuk, Emotet and Trickbot, could be lurking on networked systems that were not initially affected by the ransomware.
Researchers Warn Windows EFS Could be Abused by Ransomware Attackers
Researchers at Safebreach Labs have warned that EFS, a feature in Microsoft Windows, could be abused for ransomware attacks.
What Is EFS?
EFS, short for Encrypted File System, is a feature of the Windows operating system, starting with Windows 2000, for its business users. This feature allows users to encrypt specific folders and files. In encryption, data is converted into secret code, allowing only authorized users to access the specific folders and files and, in theory, denying access to unauthorized users.
EFS shouldn’t be confused with another encryption feature on Microsoft Windows called “BitLocker”. While EFS encrypts specific folders and files, BitLocker is a full disk encryption feature.
In EFS, to access the encrypted specific folders and files, an authorized user doesn’t need to provide a password as access is via the user’s account password. In BitLocker, to access the BitLocker-encrypted drive, a user needs to type the password or plug in a USB key or have BitLocker use Trusted Platform Module (TPM) if the Windows operating system has one.
Proof of Concept of Ransomware Attack Scenario Exploiting Windows EFS
Ransomware is a type of malicious software (malware) that encrypts victims’ computers or data, denying legitimate users access to their computers or data. In ransomware attacks, attackers demand that their victims pay ransom in exchange for the decryption keys that, in theory, unlock the encrypted computers or data. In recent ransomware attacks, meanwhile, attackers steal computer files prior to encryption and threaten to publish these stolen files if victims refuse to pay the ransom.
Researchers at Safebreach Labs recently disclosed that they’ve developed a proof-of-concept of a ransomware that abuses Windows EFS. The EFS-based ransomware developed by Safebreach Labs encrypts files, rendering these files unreadable to users and even to the Windows operating system. Safebreach Labs said that the encrypted files can only be made readable by using the ransomware attacker’s decryption key and having the EFS-based ransomware restore the encrypted files to their original position; only then can the Windows operating system once again read the user files.
Safebreach Labs said that EFS-based ransomware is an “alarming concept and a possible new threat in the ransomware horizon” due to the following reasons:
Safebreach Labs said that EFS-based ransomware works on Windows 10 64-bit versions 1803, 1809 and 1903, and should also work on Windows 32-bit operating systems, and on earlier versions of Windows such as Windows 8.x, Windows 7 and Windows Vista.
Safebreach Labs said it tested its EFS-based ransomware on 3 anti-ransomware solutions from well-known vendors, and all 3 anti-ransomware solutions failed to protect against this new threat. Thereafter, Safebreach Labs notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints and provided them with the EFS-based ransomware proof-of-concept. Safebreach Labs also found that many of these major anti-malware and anti-ransomware vendors for Windows endpoints failed to protect against this threat.
Prevention and Mitigating Measures Against EFS-Based Ransomware
Below are some of the responses of the major anti-malware and anti-ransomware vendors for Windows endpoints that were notified by Safebreach Labs regarding the EFS-based ransomware.
Avast/AVG email to Safebreach Labs dated September 26, 2019: “We implemented a workaround for version 19.8.”
Bitdefender email to Safebreach Labs dated January 10, 2020: “As of today, the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 22.214.171.124. On Bitdefender Free Edition the fix is in reporting mode only, being necessary for fine tuning in the future.”
Check Point email to Safebreach Labs dated January 20, 2020: “Check Point has resolved the issue and the fix is currently available with the latest Corporate Endpoint Client E82.30 and will be available in the latest release of Zone Alarm Anti-Ransomware in the next couple of days.”
McAfee email to Safebreach Labs dated January 17, 2020: “McAfee released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on 10th January. This covers both our Enterprise and Consumer products. The AV DATs are automatically updated and Customers can check the version of the DATs through the product User Interface.
“Enterprise Customers using MVision EDR have a detection rule available from 10th January which will trigger when some variations of this Proof of Concept are executed. Through EDR the administrator can scan their machines for other instances of the malware and then block execution or delete the malware. Enterprise Customers using ENS can configure an Endpoint Protection Access Protection rule which will prevent the sample deleting the keys it generates to encrypt the files. By preventing the deletion of the keys the files remain accessible to that user. Other users on the same machine would not have access to the files.”
Microsoft email to Safebreach Labs dated October 7, 2019: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria?rtc=1). Microsoft may consider addressing this in a future product".
In the absence of a Windows update, according to Safebreach Labs, one of the workarounds against EFS-based ransomware is by turning off EFS on the affected Windows operating system. The cybersecurity research lab, however, said that turning off EFS can disable legitimate encryption of the operating system.
Valuable Lessons from Recent Cyber Extortions
The recent data breach at LifeLabs, which affected nearly half of Canada’s population, and the recent data breach at the City of Pensacola highlight the growing danger of cyber extortions.
What Is Cyber Extortion?
Extortion – the act of using threats to gain something from someone – has been given a new form in the cyber world.
In the case of the data breach at LifeLabs, cybercriminals gained access to the company’s computer systems, stole data and thereafter demanded ransom payment from the company in exchange for the stolen data. In a joint statement, the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia said, “LifeLabs advised our offices that cyber criminals penetrated the company's systems, extracting data and demanding a ransom.”
"Retrieving the data by making a payment," said Charles Brown, President and CEO of LifeLabs, was one of the several measures taken by the company to protect customer information.
The recent cyber extortion at the City of Pensacola, meanwhile, involved a headline-grabbing method: ransomware – a malicious software (malware) that encrypts computer files, locks out users and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted files. The group behind the ransomware called “Maze” claimed responsibility for the ransomware attack at the City of Pensacola. The group demanded that the City pay $1 million ransom to decrypt the encrypted files.
Ten percent or 2GB of the data stolen before encrypting the computer files of the City was recently published online by the group behind Maze ransomware. When asked by BleepingComputer if the group intends to release the rest of the stolen data, the group said, "It depends".
The group behind Maze ransomware similarly published online 10% or 700 MB of data stolen from another victim, Allied Universal, after the victim failed to pay the group’s demand of 300 bitcoins, then valued at nearly $2.3 million. The group told BleepingComputer that the rest of the stolen data will be leaked online if the increased ransom of $3.8 million isn’t paid.
How Cyber Extortion Works
How the attackers penetrated LifeLabs’ computer systems, how the data was extracted and how the ransom demand was made haven’t been made public. For Maze ransomware, however, there’s a handful of data online.
Security researcher Jérôme Segura first observed in May of this year Maze ransomware in the wild initially infecting victims’ computers via the Fallout exploit kit through a fake cryptocurrency exchange site. Fallout exploit kit exploits the security vulnerabilities in Microsoft Windows and Adobe Flash Player. In October of this year, security researcher JAMESWT observed Maze ransomware infecting victims in Italy through a phishing campaign that tricks victims into opening the attached document in an email pretending to be from the Italian Revenue Agency.
Researchers from Cisco Talos reported that they’ve also observed Maze ransomware in the wild. In a Maze ransomware attack, the researchers said that after obtaining access to a network, Cobalt Strike is used. Cobalt Strike is a commercial penetration testing tool that markets itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike uses well-known tools, including Mimikatz – a tool that’s capable of obtaining plaintext Windows account logins and passwords.
According to Cisco Talos researchers, once the adversary behind Maze ransomware has access to the victim’s network, at least a week is spent moving around the network and gathering data along the way. The researchers added that the gathered data is extracted by using “PowerShell to dump large amounts of data via FTP out of the network”. After data extraction, Maze ransomware is then deployed on the compromised computers, the researchers at Cisco Talos said.
The researchers at Cisco Talos added that the observed Maze ransomware attacks also involved interactive logins via Windows Remote Desktop Protocol and remote PowerShell execution achieved via Windows Management Instrumentation Command-Line (WMIC).
In its 2020 Threats Predictions Report, McAfee Labs said that for 2020, it predicts that targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks, with the first stage of attack involving a crippling ransomware attack and the second stage of attack involving the threat to disclose the data stolen before the ransomware attack.
Preventive and Mitigating Measures Against Cyber Extortion
While having a working backup system is still a must to protect your organization’s sensitive data, as shown in the recent cyber extortions, brushing off cyber-attacks through better backup systems will prove to be not enough in 2020 as attackers are aiming for data theft and leveraging this stolen data to get what they want.
Here are some of the preventive and mitigating measures against cyber extortion:
- Keep All Software Up to Date
Keeping all your organization’s software up to date stops attackers in their tracks as the latest software security updates typically fix security vulnerabilities.
- Apply the Principle of Least Privilege
The principle of least privilege promotes minimal user privileges on computers based on user’s job necessities. For instance, if the user’s work isn’t IT-related, his or her computer access shouldn’t allow administrative rights, referring to the right to install software, change the operating systems configuration settings and other higher-level access.
- Disable Windows Remote Desktop Protocol (RDP)
There have been many documented cases in which Windows Remote Desktop Protocol (RDP) was used by attackers as a gateway to their victims’ networks. It’s advisable to disable RDP when this service isn’t used.
- Keep Backups Offline
Over the past few months, attackers have specifically targeted backup systems. It’s advisable to keep your organization’s backup systems offline.
LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data
LifeLabs, the largest provider of general diagnostic and specialty laboratory testing services in Canada, has announced that it paid an undisclosed amount of ransom in exchange for the stolen data of 15 million customers.
Charles Brown, President and CEO of LifeLabs, in a statement, said that the company’s computer systems were illegally accessed resulting in the theft of data belonging to approximately 15 million customers. Stolen data includes name, address, email, login, passwords, date of birth and health card number. The vast majority of the affected customers are from Ontario and British Columbia.
Brown added that laboratory test results of 85,000 customers from Ontario for the period 2016 or earlier were part of the stolen data. The President and CEO of LifeLabs further said that health card information of customers for the period of 2016 or earlier was also stolen.
"Retrieving the data by making a payment,” Brown said was one of the measures that the company took in order to protect customer information. “Personally, I want to say I am sorry that this happened,” he said.
While the President and CEO of LifeLabs said that risk to customers in connection with this cyber attack is “low and that they have not seen any public disclosure of customer data,” he called on affected customers to avail of the company’s one free year of protection that includes dark web monitoring and identity theft insurance.
How the LifeLabs Data Breach Unfolded
The President and CEO of LifeLabs said that the data breach was discovered as a result of "proactive surveillance” and added that the company “fixed the system issues” related to the cyber-attack.
In a joint statement, the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that LifeLabs informed the two offices on November 1, 2019 about the data breach. The IPC and OIPC said that they will conduct a joint investigation into the data breach at LifeLabs. Among the things to be investigated, the two offices said, will be the scope of the breach and the circumstances leading to it.
“They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom,” IPC and OIPC said in a joint statement. “LifeLabs paid the ransom to secure the data.”
"An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."
“I am deeply concerned about this matter,” said Michael McEvoy, Information and Privacy Commissioner for British Columbia. “The breach of sensitive personal health information can be devastating to those who are affected."
While ransom or payment was made, there was no mention that the attack was due to a ransomware – a type of malicious software (malware) that encrypts data and the group or individual behind the malware then demands ransom payment in exchange for decryption key or keys that would unlock the encrypted files.
Cyber Attackers’ New Modus Operandi
While cyber attackers have been known to steal data from their victims, there’s a scarcity of information showing victims paying ransom in order to get back the stolen data. The latest cyber incident at LifeLabs shows an alarming cyber-attack trend, that is, penetrating the victim's systems, extracting data and then demanding a ransom.
Ransomware attackers, meanwhile, over the past few weeks have openly employed a new tactic in order to force their victims to pay ransom: threatening ransomware victims that failure to pay the ransom will result in the publication of stolen data. This latest modus operandi by ransomware attackers confirms what has been widely known in the cyber security community that ransomware attackers don’t merely encrypt data but they also have ways to snoop and even steal data prior to the data encryption.
In late November of this year, the group behind the ransomware called “Maze” published online the stolen data from one of its victims, Allied Universal, after Allied failed to pay 300 bitcoins, then valued at nearly $2.3 million USD, within the period set by the malicious group. The group behind the Maze ransomware told BleepingComputer, “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process.”
The group behind the Maze ransomware further said that before encrypting any of the victims’ files, these files are first exfiltrated or stolen to serve as further leverage for the victims to pay the ransom.
The group behind the ransomware called “REvil”, also known as Sodinokibi ransomware, recently announced in a hacker forum that it will also leak online the stolen data from ransomware victims who refuse to pay ransom. Other than leaking the stolen data online, the group behind REvil ransomware also said the stolen data from ransomware victims who refuse to pay could be sold.
Maze ransomware initially infects victims’ computers via phishing campaigns or via Fallout exploit kit – a hacking tool that exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. REvil ransomware, meanwhile, also initially infects victims’ computers via phishing campaigns and exploit kits, as well as by exploiting a security vulnerability in Oracle’s WebLogic server and by brute-forcing Remote Desktop Protocol (RDP) access.
Ransomware Attacks Now Targeting Your Backups
Backups have traditionally been regarded as the last line of defence against ransomware attacks. Over the past few months, however, backups have been specifically targeted by ransomware attacks.
In the "IT threat evolution Q3 2019" report, Kaspersky researchers found that ransomware attacks on backups, specifically NAS backups, are gaining ground.
What Is NAS?
NAS, short for network attached storage, is a storage and backup system that consists of one or more hard drives. This storage and backup system can be connected to a home or office network or to the internet. If a NAS device is connected to the internet, data stored on this device can be accessed using a web browser or mobile app.
Ransomware Targeting NAS
Researchers at Anomali in July of this year reported on eCh0raix, a ransomware that specifically targets QNAP network attached storage (NAS) devices. According to the researchers, the source code of eCh0raix has less than 400 lines, with functionalities that are typical of ransomware, including checking if data in the infected system has already been encrypted, going through the file system for files to encrypt, encrypting the files, and producing the ransom note.
Researchers at Anomali noted that eCh0raix ransomware isn’t designed for mass distribution as the samples with a hardcoded public key appear to be compiled for the target with a unique key for each target. QNAP Systems, the manufacturer of QNAP network attached storage (NAS) devices, for its part, acknowledged that QNAP devices using weak passwords and outdated QTS firmware are vulnerable to eCh0raix ransomware.
In July of this year, another NAS device manufacturer, Synology, reported that several Synology NAS devices were under ransomware attack as a result of brute-forcing of administrator login details. In a brute-force attack, a malicious actor submits a number of passwords in the hope of eventually guessing the correct one.
According to Synology, its investigation related to the ransomware attacks found that the attacks were due to dictionary attacks – the use of words in the dictionary in brute-forcing login details – instead of specific system vulnerabilities. Synology added that the large-scale ransomware attacks were targeted at various NAS models from different NAS vendors. Ken Lee, Manager of Security Incident Response Team at Synology, said that NAS attackers used “botnet addresses to hide their real source IP”.
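A dictionary attack spread across many botnet addresses slips past per-IP lockout, so detection has to count failures per account as well. The following is an added example, not vendor code: the log format, thresholds and sample lines are constructed, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<UTC timestamp> <event> user=<name> src=<ip>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, event, user, source) for every well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["event"], m["user"], m["src"]


def detect(lines, window=timedelta(minutes=10), per_ip_limit=5,
           per_account_limit=8, min_sources=4):
    """Scan time-ordered log lines and return three sets of alerts."""
    by_ip = defaultdict(deque)    # source IP -> failure timestamps in window
    by_user = defaultdict(deque)  # account -> (timestamp, source) in window
    alerts = {"source": set(), "account": set(), "success_after_attack": set()}

    def under_attack(user, now):
        # Drop failures older than the window, then test volume and spread.
        q = by_user[user]
        while q and q[0][0] < now - window:
            q.popleft()
        return len(q) >= per_account_limit and len({s for _, s in q}) >= min_sources

    for ts, event, user, src in parse(lines):
        if event == "login_ok":
            # A success while the account is being hammered needs review:
            # the password may have been guessed.
            if under_attack(user, ts):
                alerts["success_after_attack"].add(user)
            continue
        q = by_ip[src]
        q.append(ts)
        while q[0] < ts - window:
            q.popleft()
        if len(q) >= per_ip_limit:          # classic single-source brute force
            alerts["source"].add(src)
        by_user[user].append((ts, src))
        if under_attack(user, ts):          # distributed dictionary attack
            alerts["account"].add(user)
    return alerts


# Constructed sample: ten failures on "admin", each from a different address,
# then a success; one noisy single source; one ordinary mistyped password.
SAMPLE_LOG = [
    f"2019-07-23T02:{m:02d}:00Z login_failed user=admin src=203.0.113.{10 + m}"
    for m in range(10)
] + [
    "2019-07-23T02:10:30Z login_ok user=admin src=203.0.113.99",
] + [
    f"2019-07-23T03:00:{s:02d}Z login_failed user=backup src=198.51.100.7"
    for s in range(0, 50, 10)
] + [
    "2019-07-23T09:00:00Z login_failed user=alice src=192.0.2.20",
    "2019-07-23T09:00:20Z login_ok user=alice src=192.0.2.20",
]

if __name__ == "__main__":
    for kind, values in detect(SAMPLE_LOG).items():
        print(kind, sorted(values))
```

None of the ten addresses used against `admin` reaches the per-IP limit; only the per-account counter flags the attack and the login that follows it.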
Just last month, another NAS device manufacturer, D-Link, acknowledged that the following D-Link network attached storage (NAS) models are vulnerable to a different ransomware called “Cr1ptT0r”: DNS-320 Ax/Bx, DNS-325, DNS-320L, DNS-327L, DNS-323 Ax/Bx/Cx, DNS-345, DNS-343 and DNS-340L. According to D-Link, Cr1ptT0r encrypts stored information and then demands payment to decrypt the information.
According to Kaspersky researchers, the growing ransomware attacks on NAS devices involve attackers scanning the internet for internet-connected NAS devices. Kaspersky researchers said that a number of NAS devices have vulnerabilities in the firmware, which enables attackers via an exploit to install on the compromised device a Trojan – a type of malicious software (malware) that’s often disguised as legitimate software – that encrypts all data on the NAS device. “This is a particularly dangerous attack, since in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock,” Kaspersky researchers said.
Preventive and Mitigating Measures
Here are some of the preventive and mitigating measures against ransomware attacks targeting NAS backups:
Manufacturers of NAS devices, QNAP Systems, Synology and D-Link, asked users to apply the latest software or firmware version.
In the case of D-Link NAS devices, D-Link said that DNS-320 Ax/Bx, DNS-323 Ax/Bx, DNS-325 Ax and DNS-345 Ax have passed their end of service date, which means that these models are no longer supported by the company through customer support and no longer receive software or firmware updates. For the said models that have passed their end of service date, D-Link asked users to "remove the Internet access of NAS on your router by disabling the port forwarding and DMZ setting".
One thing is common to these NAS ransomware attacks: They victimized only those devices that are connected to the internet. To protect backups from this type of ransomware, it’s important to disable internet connection to these devices.
Generally, an internet-connected NAS device can only be accessed via a web or mobile app interface and this interface is protected by an authentication page, where a user has to authenticate oneself before logging in. As acknowledged by NAS manufacturers, some users use weak passwords, making it easy for attackers to brute-force or guess the passwords.
When there’s a need for these NAS devices to be accessible via the internet, it’s important to use strong passwords and, if possible, to use multi-factor authentication to add another layer of defence.
Here are some of the additional defences to protect backups from ransomware attacks:
As shown in the number of ransomware attacks in recent months, this type of cyber-attack doesn’t seem to slow down.
Organizations that have shown themselves to be financially capable of paying ransom, including government agencies, as well as organizations in the healthcare and education sectors, are particularly targeted by this attack.
You don’t have to be a victim of a ransomware attack. Stop cybercriminals before they get the leverage.
Speak with our cybersecurity experts today and stop worrying about ransomware.
Hospitals in Different Parts of the World Hit by Ransomware Attacks
Michael Garron Hospital, formerly Toronto East General Hospital, recently confirmed that it was a victim of the ransomware called “Ryuk”, turning the spotlight on this ransomware and on ransomware in general.
Sarah Downey, President and CEO of Michael Garron Hospital, in a statement, said that last September 25th, the hospital became aware that malicious software (malware), later identified as Ryuk, had infected the hospital’s servers. As a result of the ransomware attack, Downey said that “some data has been damaged” and for the first time in many years, the hospital’s clinical teams were forced to revert to paper processes and to using the telephone to call codes, access porters and check dietary orders.
The President and CEO of Michael Garron Hospital said that as a result of the attack, some of the hospital’s outpatient services were affected, with some appointments canceled and rescheduled. Downey added that the affected servers are being cleansed and it may take a few weeks for some of the hospital’s systems that are less critical to operations to be fully restored. Downey further said that the hospital hasn’t been in contact with anyone about ransom payment.
What Is a Ransomware?
Ransomware is a type of malware that’s designed to deny access to a computer system or data until a ransom is paid. In denying access to a system or data to legitimate users, attackers encrypt the system or data, turning this into a code that’s only accessible by the attackers using decryption keys.
In ransomware attacks, these decryption keys are typically handed over to the victims in exchange for a ransom payment. All too often ransomware attackers victimized organizations that can’t tolerate any downtime, making ransom payment all the more compelling.
Paying the ransom, however, doesn’t guarantee that victims can recover their encrypted systems or data as the decryption keys could simply be designed to not work at all.
What Is Ryuk Ransomware?
Ryuk ransomware was first observed in the wild in August 2018. In June 2019, UK's National Cyber Security Centre (NCSC) issued a Ryuk advisory, warning organizations globally about this ransomware.
Ryuk is often linked with two other pieces of malware: Emotet and Trickbot. Emotet was first observed in the wild in 2014, and Trickbot in 2016. In a Ryuk attack, the Emotet malware is used to drop the Trickbot malware. Trickbot, for its part, deploys hacking tools that facilitate remote monitoring of the victim’s computer, credential harvesting and movement by the attackers to other computers within a network.
Ryuk is deployed only when a ransomware opportunity is present. It’s, therefore, possible that an organization is initially infected even without visible signs of a ransomware attack.
Prior to installing itself into the affected computer, Ryuk will first attempt to disable certain antimalware or antivirus software. Ryuk has the ability to spread to other computers within the same network as it is designed to enumerate network shares and encrypt those it can access.
According to the NCSC, it’s possible that Ryuk could be deployed through an infection chain other than using Emotet and Trickbot. NCSC added that in a Ryuk attack, it’s difficult to recover the infected computer’s backup as this malware uses anti-forensic recovery techniques such as manipulating the virtual shadow copy.
Other Cases of Ransomware Attacks
Hospitals and healthcare providers are targeted by ransomware attackers as these establishments cannot withstand IT downtime. In recent weeks, in addition to the Michael Garron Hospital, two other hospitals in Canada belonging to the Listowel Wingham Hospitals Alliance (LWHA), Listowel Memorial Hospital and Wingham and District Hospital, had been hit by ransomware.
In a statement, Listowel Wingham Hospitals Alliance said that since last September 26th its IT system has been shut down as a result of a ransomware attack. As a result of the attack, the Alliance said, “Manual and paper downtime procedures remain in place.” The Alliance hasn’t named the specific type of ransomware that hit the two hospitals.
A number of hospitals and health services in Gippsland and south-west Victoria, Australia, meanwhile, have been impacted by a ransomware attack. Victoria's Department of Premier and Cabinet, in a statement, said that the ransomware was uncovered last September 30th.
Last month, U.S. healthcare provider Wood Ranch Medical announced that it will permanently close its practice on December 17, 2019 as a direct result of a ransomware attack. Wood Ranch Medical, in a statement, said that on August 10, 2019, it suffered a ransomware attack on its computer systems. The health provider said that the ransomware, although not naming the specific type of ransomware, encrypted its servers and backup hard drives containing patients’ electronic health records.
“Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” Wood Ranch Medical said. “We will be closing our practice and ceasing operations on December 17, 2019.”
Last October 1st, DCH Health System, which runs 3 hospitals: DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center, announced that it suffered a ransomware attack that impacted its systems. The specific type of ransomware wasn’t disclosed.
Last October 6th, DCH Health System said that it “obtained a decryption key from the attacker to restore access to locked systems.” The organization didn’t specify whether ransom was paid. There are reports, however, that indicate that DCH Health System paid the attacker ransom.
Organizations large and small fall victim to ransomware too often. Contact us to speak with our cybersecurity experts today to develop a solid protection and mitigation strategy, reducing your stress and protecting your organization.
The Importance of Facing Up to Cybersecurity Risks
A cybersecurity emergency has been declared across Louisiana, USA, after three public school districts were struck by a malware attack.
The cybersecurity danger hit Sabine, Morehouse and Ouachita, in North Louisiana, causing widespread concern. The Governor’s Office of Homeland Security and Emergency Preparedness put its crisis action team into motion quickly to handle the attack.
Sabine School District issued a statement, addressing the nature of the cybersecurity breach and their actions to fix it:
“The Sabine Parish School System was hit with an electronic virus [...] this virus has disabled some of our technology systems and our central office phone system.”
According to the principal of Sabine Parish’s Florien High School, a ransomware virus had infiltrated their system and caused disruptions. The alarm was raised when the school’s technology supervisor noticed ‘unusually high bandwidth usage’.
Fortunately, Jones believes no sensitive information has been exposed during the attack, though everything stored on the School District’s servers was lost. This amounts to documents from across 17 years of Jones’s hard work, including schedules, speeches and more.
Taking Action, Addressing Issues Fast
While this is certainly a challenging situation for the three school districts, it appears the end result is nowhere near as terrible as it could have been. It’s clear everyone involved took decisive action when the suspicious activity was noticed, and the proper authorities were informed.
Plans for future protection and security measures are, apparently, being devised by state officials (in coordination with the FBI). But this case indicates just how important it is to face up to cybersecurity risks and take proper action to minimize the threat to systems.
Simply hoping hackers will miss or choose to ignore your business, organization, school etc. is simply not enough. Implementing effective defenses is the best way to safeguard your critical data, client information and financial details.
If any of these, and other types of vital data, become exposed by nefarious individuals, the clean-up could be a long, time-consuming, difficult process. The worst thing you can do in the event of a breach is sweep it under the carpet and try to contain any damage without raising the alarm.
Those involved in the Louisiana case alerted the proper parties and are dealing with the situation as best they can.
Yes, acknowledging that a cybersecurity attack took place does have the potential to affect your reputation and the trust people place in you. Yet it’s far better to be transparent and admit your cybersecurity measures may not have been quite as efficient as they should be than to lie.
The Problem of Ransomware and Preparing Your Team
Ransomware is, as our regular readers may know, a common choice of cyberattack for hackers. The Louisiana case is just one example of many.
The first ransomware was distributed by a biologist (Dr. Joseph Popp) in 1991: he sent floppy disks containing PC Cyborg Trojan to researchers, in an attempt to extort money.
Ransomware has come a long way since then, but while it has evolved in various ways, the aim remains the same.
Other notorious ransomware attacks include WannaCry, which was detected more than 250,000 times across 116 countries in 2017. This was designed to take advantage of a simple software defect, encrypting hard drive files to make them inaccessible — with the attackers only unlocking them after a bitcoin payment had been made.
The issue is, of course, that agreeing to pay a ransom doesn’t actually guarantee the people responsible will stick to their end of the deal. After all, why should they? If they’re willing to disrupt your daily processes, cost you money, damage your reputation and more, there’s no reason to believe they will do as they promise.
Prevention is, as the saying goes, better than cure. And that means taking steps to prepare your team for potential cybersecurity threats in their day-to-day work.
How can you do this?
Taking Steps to Protect Your System
Implementing security measures and processes to protect your system against breaches can be daunting, especially if you have no experience or real knowledge of this area.
It’s essential that you embrace the most cutting-edge cybersecurity software available and consult with experts. Professionals specializing in security measures and reinforcing systems will be able to identify the biggest dangers you face, how to defend against them and advise your team to be more vigilant.
In terms of training your staff, there are certain things you can try.
Raise cybersecurity issues and trends in regular meetings
Keep your employees updated on the latest cybersecurity hazards and techniques: make sure they understand what suspicious activities they should be aware of when responding to emails, downloading software or visiting websites.
Try to cultivate a more vigilant workforce and boost recognition of effective ‘safety first’ procedures. Get them into the habit of questioning links, emails and other potentially-infected elements when they’re not sure how safe they are.
Find time in a day to run a test exercise for your team. Act as if a cybersecurity attack has struck your system and have staff go through the motions of responding appropriately.
Do they know what to do if they spot the warning signs of an impending threat? Can they work as a cohesive team even when they’re not completely sure what’s happening? Work to make the answer to both a firm ‘yes’.
Everyone should know what role they have in the event of a cybersecurity breach. Perhaps they’re required to do nothing but sit tight and wait for business to resume as normal. Maybe they have to take an active part in informing clients of the situation or coordinating with security experts.
Having a formal plan means everyone involved can leap into action in the event of a crisis, saving valuable time and minimizing further disruption.
Knowing how to handle cybersecurity risks and attacks is fundamental for any business, organization or institution today. If you want to know more about protecting your system and taking effective action, contact our specialists now!
Disturbing Trend: More and More Ransomware Attack Victims Are Paying Ransom
UK's largest police forensics lab Eurofins reportedly paid ransom to ransomware attackers. The company joins the growing list of organizations that paid ransom to ransomware attackers.
The BBC recently reported that Eurofins, UK's largest police forensics lab, paid an undisclosed amount to attackers after its computers were crippled by a ransomware attack. Eurofins Scientific, which has about 45,000 staff in more than 800 laboratories across 47 countries, is one of the global independent market leaders in testing and laboratory services for forensics. Eurofins Forensics Services, Eurofins Scientific's Forensics subsidiary which is based in the UK, is one of the primary forensic services providers to the UK police.
Last June 3, Eurofins Scientific disclosed that during the first weekend of June 2019 (1st and 2nd June) it fell victim to a ransomware attack which caused disruption to many of its IT systems in several countries. The company said, in a statement, that from June 4th, it was able to “resume full or partial operations for a number of impacted companies and continue to do so every day”. As of June 17th, the company said, the vast majority of affected laboratories’ operations had been restored.
The ransomware involved, Eurofins Scientific said, appears to be a new ransomware variant which was “initially non-detectable by the anti-malware screen of our leading global IT security services provider at the time of the attack and required an updated version made available only hours into the attack”.
In a ransomware attack, a malicious actor or actors lock out legitimate users of IT systems or computer files through encryption (the process of converting plain text into code so that only people with access to a secret key, also known as a decryption key, can access it). Ransomware attackers demand that their victims pay ransom in exchange for the decryption keys that would unlock the encrypted IT systems or computer files.
Growing List of Ransomware Victims Paying Ransom
Eurofins Scientific joins the growing list of ransomware victims paying ransom. Two cities in Florida, U.S. and 2 towns in Ontario, Canada publicly admitted that they paid ransom to ransomware attackers.
Last June 17th, the City Council of the City of Riviera Beach, Florida unanimously approved the payment of ransom to ransomware attackers. A total of 65 bitcoins was paid to the ransomware attackers, equivalent to approximately $600,000 at the time of the ransom payment approval.
A few days after the ransom payment approval by the City Council of Riviera Beach, another city in Florida, Lake City, paid ransom to its own ransomware attackers. Lake City Mayor Stephen Witt told a local media outlet that Lake City will pay cyber attackers USD $460,000 to get its computer system back. “I would’ve never dreamed this could’ve happened, especially in a small town like this,” the Lake City Mayor said.
Two towns in Ontario, Canada, the Town of Wasaga Beach and Town of Midland, have also publicly admitted that they paid ransom to ransomware attackers. Jocelyn Lee, Director of Finance and Treasurer of the Town of Wasaga Beach, reported to the City Council of Wasaga Beach that on April 30, 2018 the Town’s computer system was infected with a malicious software (malware) that left all of the Town’s data locked. Lee said the Town ended up paying the ransomware attackers 3 bitcoins, equivalent to $34,950 Canadian at the time of the ransom payment.
The Town of Midland, Ontario, meanwhile, in a statement said that on September 1, 2018, the Town's network was infected with ransomware. The Town said that it paid an undisclosed amount to the ransomware attackers in exchange for the decryption keys. In paying the ransom, the Town of Midland said, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
To date, South Korean web hosting company Nayana holds the record of paying the most expensive ransom, totaling 397.6 bitcoins, valued at USD $1.01 million at the time of the ransom payment.
Prevention & How to Recover from Ransomware Attacks
All ransomware victims that decided to pay ransom have one thing in common: They all failed to conduct regular back-up of their critical data. Organizations that diligently conduct regular back-up of critical data, in time of crisis, such as ransomware attack, can simply ignore the attackers’ ransom demand.
Paying the ransom also doesn’t guarantee that attackers will hand over the correct decryption keys that will unlock encrypted IT systems or computer files. Paying the ransom could instead encourage the attackers to launch another ransomware attack or the attackers could increase their ransom payment demand, knowing that organizations will likely consider paying the amount.
While conducting regular back-up of critical data is important, implementing cybersecurity measures that prevent ransomware attacks is equally important. The UK's National Cyber Security Centre (NCSC) recently issued a Ryuk Ransomware Advisory. Ryuk is a particular type of ransomware that was first observed in the wild in August 2018. It has since been responsible for multiple attacks worldwide. This ransomware, in particular, targets its victims and ransom payment is set based on the target’s perceived ability to pay.
NCSC recommends the following measures in order to prevent ransomware attacks, in particular, Ryuk ransomware attacks:
You don’t need to face cybercriminals alone. When you need help, our team of professionals is ready to assist and help you mitigate risks, recover, and proactively secure your data. Contact us today and stay safe.
How to Protect Your Organization’s Computers from WannaCry-Like Cyber-Attack
Microsoft recently took an unusual step of rolling out a patch for Windows operating systems that are out of support in an effort to stop a WannaCry-like cyber-attack.
This is the second time in just over 2 years that the technology giant rolled out a patch for Windows operating systems that are out of support. The previous unprecedented patch was rolled out at the height of the WannaCry cyber-attack on May 12, 2017.
According to Microsoft, the latest patch, which was released on May 14, 2019, fixes the security vulnerability in out-of-support versions of Windows, specifically Windows 2003 and Windows XP; as well as versions of Windows that still receive support from Microsoft, specifically Windows 7, Windows Server 2008 R2 and Windows Server 2008.
Failure to apply the May 14, 2019 patch renders the above-mentioned out-of-support and in-support versions of Windows vulnerable to WannaCry-like cyber-attack, this according to Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC).
What Is WannaCry?
WannaCry is a malicious software (malware) that wreaked havoc in more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017. Once a computer becomes infected with WannaCry, this malware encrypts files on the computer's hard drive, making it impossible for legitimate users to access them, and demands a ransom payment in exchange of the decryption keys that supposedly would unlock the encrypted files.
After infecting one computer, the WannaCry malware spreads itself through the network, infecting other vulnerable devices, without the need for further action from the users. Attempts on the part of the WannaCry victims to unlock the encrypted files by paying the ransom were a useless endeavour, as the source code of this malware was written in such a way that it isn’t possible to determine who paid the ransom and who didn’t; as such, there’s no way to decrypt on a per-user basis.
Two months prior to the WannaCry cyber-attack, specifically on March 14, 2017, Microsoft released a patch that fixes the security vulnerability exploited by WannaCry. The patch, however, wasn’t made available to Windows operating systems that were out of support, specifically Windows XP, Windows 8 and Windows Server 2003. At the height of the WannaCry cyber-attack on May 12, 2017, Microsoft took an unusual step of rolling out a patch for these 3 out-of-support versions of Windows.
The WannaCry malware was able to infect hundreds of thousands of computers in less than 24 hours as a result of these two features: remote code execution and worm capabilities.
Remote code execution is the ability of a malicious actor to access someone else's computer and make malicious changes to this computer regardless of the geographical location of this device. Worm capability, meanwhile, refers to the capability of a malware to spread itself through the network, infecting other vulnerable devices, without user interaction.
The May 14, 2019 patch released by Microsoft fixes the security vulnerability labelled CVE-2019-0708. Similar to the WannaCry malware, security vulnerability CVE-2019-0708 exhibits remote code execution and worm capabilities.
Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), said in a blog post, that while there’s no evidence that this security vulnerability has been exploited in the wild, it’s highly likely that malicious actors will write an exploit for this vulnerability and include it into their malware.
The security vulnerability, Pope said, is “wormable”, which means that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
WannaCry, in particular, infects vulnerable Windows operating systems via Server Message Block 1.0 (SMBv1) server – a protocol that enables Windows systems to share files, printers and serial ports. In vulnerability CVE-2019-0708, remote code execution and worm capabilities are made possible via Remote Desktop Protocol (RDP) – a proprietary protocol developed by Microsoft which allows users to access another computer over a network connection. “The Remote Desktop Protocol (RDP) itself is not vulnerable,” Pope said. “This vulnerability is pre-authentication ….”
Many malware in the past were able to bypass anti-malware and other security defences via RDP. Malicious actors gain access to compromised devices by stealing or brute forcing RDP credentials.
In early 2019, authorities shut down xDedic Marketplace, a website involved in the illicit sale of RDP credentials. According to authorities, RDP login details of tens of thousands of compromised servers owned by unknowing companies and private individuals were sold on the xDedic platform for amounts ranging from $6 to more than $10,000 each.
The top preventive measure in order to protect your organization’s computers from WannaCry and WannaCry-like cyber-attack is by keeping all software and, in particular, operating system software up-to-date.
It’s worth noting that even though it has been a long time since the major WannaCry attack, organizations continue to be victimized by this malware. Months after the major WannaCry attack, US aircraft maker Boeing fell victim to WannaCry. In March 2018, Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alert to his colleagues that the WannaCry malware was “metastasizing rapidly” out of Boeing’s North Charleston production plant and could potentially “spread to airplane software”. Linda Mills, head of communications for Boeing Commercial Airplanes, in a statement said, “The vulnerability was limited to a few machines.”
As an added protection to your organization’s computers, it’s best to disable Windows protocols that are often exploited by malicious actors. Specific to WannaCry malware, disable SMB protocol and for the security vulnerability CVE-2019-0708, disable RDP.
Connect with our cyber security experts today to learn more about common threats and prevent cyberattacks.
Steve E. Driz, I.S.P., ITCP