Ransomware Rampage

  • SSS GRC Team
  • Jun 30, 2020

Ransomware is a form of malware that encrypts data to prevent victims from accessing their information and computer systems until a ransom is paid. Increasingly, cybercriminals behind ransomware attacks are using a two-pronged approach, demanding an additional ransom in exchange for them not leaking confidential information seized during their attacks. With successful ransomware attacks impacting locally based organisations like Fisher and Paykel Appliances, Lion Breweries, and Toll Holdings, it is clear the ransomware epidemic has now reached Oceania.

As the prevalence of ransomware attacks surges, more and more organisations are finding out the hard way about the horrifying impacts on their critical business processes, financial stability, and reputation. Collateral damage will often continue long after the attack, with precious data being lost and unhappy customers seeking civil action for privacy violations.

Some of the consequences of successful ransomware attacks from the last 12 months:

  • Local and central government agencies have been forced to temporarily shut their doors to their constituents and found themselves unable to receive electronic payments
  • Healthcare providers already hammered by Coronavirus overloading have been forced to pay ransoms to maintain their over-stretched services
  • Organisations that have tried to resist paying the ransom have had their confidential data published on the Internet
  • Remediation costs, including in-depth investigations to fully eradicate the attacker, have ranged from tens of thousands to tens of millions 

How does it work?

The delivery mechanism of ransomware varies widely but an advisory from CERT NZ indicates that active ransomware campaigns being reported in New Zealand are exploiting common remote access technologies like virtual private networks (VPN) and remote desktop protocol (RDP).

Attackers frequently use brute-force password attacks against RDP ports exposed to the Internet to breach a target organisation’s defences and gain unauthorised access. To prevent this kind of exploitation, organisations should ensure that RDP is only accessible through a secure VPN connection.
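The brute-force pattern described above can be detected in Windows Security logon events. The following is an added example, not part of the original article or the CERT NZ advisory; the CSV layout, VPN address pool, threshold and window are assumptions, and the sample events are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, event ID, logon type, source IP, account.
# The CSV export layout is an assumption, not a native Windows format.
SAMPLE = """\
2020-06-29T02:14:01,4625,3,203.0.113.45,administrator
2020-06-29T02:14:09,4625,3,203.0.113.45,admin
2020-06-29T02:14:18,4625,3,203.0.113.45,administrator
2020-06-29T02:14:26,4625,3,203.0.113.45,backup
2020-06-29T02:14:40,4625,3,203.0.113.45,administrator
2020-06-29T02:15:30,4624,10,203.0.113.45,administrator
2020-06-29T08:01:00,4625,3,198.51.100.7,jsmith
2020-06-29T08:31:00,4625,3,198.51.100.7,jsmith
2020-06-29T09:00:00,4624,10,10.8.0.12,jsmith
"""

FAILED, SUCCESS = "4625", "4624"   # Windows Security event IDs: failed / successful logon
RDP_LOGON_TYPES = {"3", "10"}      # 3 = Network (seen for RDP with NLA), 10 = RemoteInteractive
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN address pool
THRESHOLD = 5                      # assumed tuning: failures per source ...
WINDOW = timedelta(minutes=2)      # ... within this sliding window

def detect_rdp_bruteforce(log_text):
    """Return (alerts, breaches) for events in chronological order.
    alerts: source IP -> time the failure threshold was reached.
    breaches: (source, account, time) of logons that succeed after an alert."""
    recent = defaultdict(deque)
    alerts, breaches = {}, []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or row[2] not in RDP_LOGON_TYPES:
            continue
        ts, event_id, _, src, account = row
        if ipaddress.ip_address(src) in VPN_POOL:
            continue  # RDP reached through the VPN is the intended path
        when = datetime.fromisoformat(ts)
        if event_id == FAILED:
            window = recent[src]
            window.append(when)
            while when - window[0] > WINDOW:
                window.popleft()  # drop failures older than the window
            if len(window) >= THRESHOLD:
                alerts.setdefault(src, when)
        elif event_id == SUCCESS and src in alerts:
            breaches.append((src, account, when))
    return alerts, breaches
```

On the sample, the source with five failures in under a minute is flagged, and its later successful logon is reported as a likely compromise; the slow, low-volume source and the VPN user are not.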

However, attackers are also scanning the Internet to locate vulnerable VPNs. One particular VPN vulnerability that has been widely abused is documented as CVE-2019-11510 and affects the Pulse Secure VPN. All users of VPNs are advised to check for available security patches, as this attack vector is becoming more common with employees increasingly working remotely during Coronavirus lockdowns.

Cybercriminals are using sophisticated techniques and expending significant resources in their reconnaissance of suitable targets, often lingering in networks for weeks or months to map out the network topology and locate backups before unleashing the ransomware payload. Vulnerable businesses that had scrimped on security with optimistic plans to restore from backups all too often find that those backups are not as complete as they had expected, or that the backups have also been encrypted.

As well as exploiting vulnerable remote access technologies, another common delivery mechanism is a phishing email with a small shim attachment that includes a script to download the ransomware payload via a command and control server. Other attack vectors include infected USB drives, exploited free software, and ‘drive-by-downloads’ from compromised websites.

Whatever the entry point, the initial infection is usually a dropper file that will then download the threat from a command and control site. Once executed, many modern ransomware variants then use ‘living off the land’ techniques like exploiting PowerShell, WMI and other native Windows technologies to move laterally through the target network.

How can you protect yourself?

The key to stopping ransomware is a layered security approach, otherwise known as defence in depth. These layers of defence should include the following:

  • Good practice around phishing training for personnel
  • URL protection for emails
  • Heuristic attachment detection for email gateways
  • Standard practice around users not being able to install unauthorised software
  • Blocking connections to command and control sites from the endpoint and gateway
  • Using host-based firewalls to block unrequired ports (such as RDP)
  • Timely application of patches to prevent exploitation of known vulnerabilities
  • Using endpoint protection that includes exploit prevention to detect zero day exploits