AN EYE-OPENING LOOK INSIDE A NOT-FOR-PROFIT CYBERATTACK

high ransomware risk.jpg

In the first quarter of 2018, we’re already seeing reports of a dangerous ransomware campaign in full swing. Ransomware continues to be a popular cybercriminal approach because of the sheer number of targets that can be infected. Everyone from individual users to large  enterprises have been attacked, and small to expansive infections won’t stop anytime soon.

One of many areas of a not-for-profit organization that appears enticing to cybercriminals is the information held on individuals who the organization serves. Not-for-profits can collect health information and act as an intermediary with requesting, through State and Federal Assistance Programs, aid for their constituents. Even though not-for-profits are targets like any other business and generally have exposure to other types of data, there is an added emphasis on your attractiveness to hackers because of PHI “protected health information.”

Ransomware is big business. As organizations increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online aka “the cloud.”

By now, most organizations of all sizes, as well as, individuals are well aware of the deceptive nature of ransomware. As its name implies, ransomware is a malicious software that holds electronic files hostage pending the payment of a ransom, typically with untraceable bitcoin as the currency of choice. The main problem is the ransomware encrypts a series of files or worse, the entire hard drive preventing access to those files. Absent the victim’s ability to restore a backup, the attacker (aka “hacker”) may hold the encryption keys required to access the files until the ransom demand is met or only for a number of hours.

“Unfortunately, ransomware threats continue to emerge as they prove successful for cybercriminals, and more high-profile business targets fall victim to this kind of infection nearly every day. There’s no doubt that ransomware will maintain its reputation as a formidable threat in the cybersecurity industry,” says Rob Kleeger, Managing Director of Digital4nx Group, Ltd.

Organizations must treat mitigating the risks associated with ransomware — data loss, interruption of business operations, and more—as a strategic imperative by implementing a layered security approach that maps to and thus thwarts ransomware attack campaigns.

ransomeware.jpg

INCREASINGLY SOPHISTICATED VARIANTS ARE EMERGING

Ransomware is evolving using increasingly sophisticated tactics, techniques, and procedures to execute attacks. 

Ransom amounts are typically measured in the tens of thousands of dollars or less, which is indicative of a business model predicated on a large number of quick and small transactions across a broad set of targets.  While attack methods vary across types of vulnerabilities, the most commonly exploited is human vulnerability via spear phishing.  Traditionally, most infections are launched with a spam email that includes a malicious link or attachment, providing hackers entry into the system and enabling them to deliver the ransomware and lock down the system. 

“Drive-by downloading” is another frequently tapped vector to deliver ransomware payload. The hackers inject malicious code into legitimate webpages, or redirect traffic to spoofed sites, which has proven successful as well. 

The majority of ransomware variants are either known as crypto-based, or data-locker based. These variants leverage sophisticated encryption algorithms that lock down the infected device’s operating system – meaning that all files and data, as well as applications and other system platforms, are rendered unavailable, in addition to making system files and associated data inaccessible to the victim. CryptoLocker is one of the most well-known variants of this kind.  The recent Petya attacks fall into this category as well. 

The world has seen its fair share of ransomware attacks — the WannaCry and NotPetya attacks were in the past year alone. These attacks were direct ransom worms that had to do with informational warfare between countries, managing to affect large entities and causing organizations to rebuild active directories.

Dharma is a ransomware-type infection which targets to encrypt the most valuable information on the victimized computer. Dharma ransomware is a variant of CrySiS ransomware that has been increasingly tied to brute force Remote Desktop Protocol (RDP) attacks. Dharma made its first appearance in November 2016, shortly after the master decryption keys for CrySiS ransomware were publicly posted to the BleepingComputer.com forum.

In addition to bearing technical similarities to CrySiS, Dharma has also been observed infecting victims in similar ways. Both have been tied to a recent spike in brute force attacks on victims with open RDP ports. 

RDP was developed by Microsoft as a remote management tool. It’s commonly exposed in internal networks for use in administration and support, but when exposed to the wider Internet it can be a dangerous beacon for attackers.  Remote Desktop Protocol (RDP) attacks sometimes begin with the infection of one machine and then spreads to all other connected computers and then hold the victim hostage for ransom.

WE DO NOT EXPECT RANSOMWARE TO GO AWAY ANYTIME SOON. On the contrary, it can only be anticipated to make further rounds in 2018, even as other types of digital extortion become more prevalent. Cybercriminals have been resorting to using compelling data as a weapon for coercing victims into paying up. With ransomware-as-a-service (RaaS) still being offered in underground forums, along with bitcoin as a secure method to collect ransom, cybercriminals are being all the more drawn to the business model, according to Trend Micro.
Phish_Advise_Danger Keys.jpg

In a recent case for a Digital4nx Group, Ltd. not-for-profit client, we responded to a ransomware attack and learned that one ransomware (Dharma) had only locked up files on the local user’s computer.  A week later, there was an attack from a RDP connection from a user which then affected the entire user directory on one server and then worked its way across to the domain controller and email server, which effectively encrypted the entire operation.  

During the investigation, it was learned that the backup’s maintained by a third-party provider were actually stored on the encrypted server and the redundant backup was an external USB hard drive, which also was connected to the server.  Unfortunately, the only off-premises backup was months ago, thus the organization is beginning the process of recreating their efforts from re-entering data, paper files, and emails. The organization’s insurance coverage is woefully inadequate to cover the incident investigation and notification process. The potential regulator fines have not yet been determined. Could this ransomware event cause an operational going concern? Time will tell.

Ransomware isn’t spread indiscriminately. Instead, attackers typically gain access to target
servers via weak or stolen credentials, often identifying prospective victims by scanning the Internet for computers with exposed RDP connections.
 

By using port scanning tools like masscan, attackers can easily hone in on systems with open ports (port 3389 is standard for RDP). Once found, the standard drill is to try to gain access by conducting brute force attacks designed to guess weak or default passwords.

SamSam is one of a growing list of ransomware families that primarily infects victims via exposed RDP ports.  SamSam resurfaced, this time targeting organizations with RDP connections exposed.

SECURING RDP IS THEREFORE KEY

Ransomware is also exploiting application vulnerabilities, as is the case with SamSam, which takes advantage of vulnerabilities in certain web application stacks, and others that exploit vulnerabilities in Adobe Flash.  Trend Micro has reported the most consistent target of those attacks has been healthcare providers in the United States. One Dharma victim, ABCD Children’s Pediatrics in San Antonio, was forced to notify 55,447 patients that their personal data had been encrypted and therefore potentially exposed to hackers.

We know that some not-for-profit organizations can collect health information and act as an intermediary with requesting, through State and Federal Assistance Programs, aid for their constituents. Even though not-for-profits are targets and generally have exposure for other data (see the following use cases), we want to emphasize your added attractiveness to hackers because of PHI “protected health information” and related ransomware example.
 

DIGITAL4NX GROUP, LTD. HAS BEEN RESPONDING TO OTHER CYBER BREACHES COVERING SPEARPHISHING FOR WIRE TRANSFERS, PURCHASE OF GIFT CARDS, W2 TAX AND PAYROLL INFORMATION, AND VARIOUS CRIMINAL ACTIVITIES WHERE WE SEE AS A PATTERN CONNECTED TO THIRD PARTY IT PROVIDERS, WHERE SECURITY PERFORMANCE LEVELS ARE SUBPAR.
 

Because hackers have an array of variants and infection techniques to choose from, ransomware infections do not all look or operate the same way. While one infection may begin with an email and result in all data being encrypted, another may come from a malicious website and end with the entire operating system being locked down. This variation makes it difficult for users to guard against threats — but protection is not impossible.

Everyone with sensitive or important data should make backups, preferably on external disks or some combination of cloud servers and external disks that one has physical access to.

Part of the problem is a disparity in perception of risk between those on the ground — the IT teams that see the vulnerabilities and understand the threats — and those higher up. Board members don’t see the risk if everything is status quo. CFOs are focused on spending time and money on efforts that will result in profit and gains, not the far less glamorous idea of protecting their data. Business leaders need to ensure they’re doing everything they can to prevent successful infections in the first place. Ask yourself if it’s pragmatic to restore from your backups if you become a ransomware victim.

Ransomware victims should avoid paying ransoms to their cyber attackers, as sometimes an attacker won’t decrypt files even when a ransom is paid, and all payments made to  ransomware cyber attackers make ransomware profitable for criminals and encourages those actions to continue.

Best Practice Tips:

DO THE BASICS AND PLAN:
Security really doesn’t have to be difficult, or even expensive. Strong passwords, two-factor
authentication, security patches, continuous end-user training, isolated backups and hardened
systems and networks can make all the difference

SECURE RDP:
Remote Desktop has become one of the most popular tools for attackers to abuse. Make sure you secure it by doing the following:

  • Restrict access behind firewalls and by using a RDP Gateway, VPNs
  • Use strong passwords and two-factor authentication
  • Limit users who can log in using remote desktop

T est your backup systems:

In order to ensure that you survive a ransomware attack. The often missed fundamental best practices such as automating full and differential backups, keeping backups offline provide for a defense in depth approach are required to combat ransomware. 

Patching is fundamental.

What won’t help is throwing money at the problem and investing in thousands or hundreds of thousands dollar software if employees are neglecting basic system updates. Attackers are opportunists looking for an easy way in, and they look where they think you’ll have your guard down. 

Cyber Insurance:

Make sure you have a standalone cyber insurance policy and not a rider with minimum Coverage of $25,000 or $50,000. These are inadequate coverage values given public documented costs as this risk continues to grow as a result of high-profile data breaches and awareness of the almost endless range of exposure businesses face. 

Whether it’s credit card fraud, identity theft, email hacking, ransomware, account stealing or any other number of activities — you’re in the midst of an online war and you may not even know it.

Employee Awareness Training:

The goal is to ensure that employees at all levels are aware of how to identify, control, and mitigate loss of confidential data in a secure technical environment that meets acceptable security standards. Protecting an organization from cyber-threats, such as malicious hackers, requires everyone’s participation.

We find the weakest link in many organizations is an untrained employee who does not understand the value of the information that they control. They are often susceptible to social engineering and other human-based attacks. 

Billions of dollars are spent each year combating cybercrime and yet the number, intensity and severity of attacks keeps increasing.
 

Rob Kleeger

Digital4nx Group, Ltd., 8 South Main Street - Unit 70, Marlboro Township, NJ, 07746, United States

Rob Kleeger is the Founder and Managing Director of Digital4nx Group, a boutique firm which offers regional digital forensics services for plaintiffs and defendants in various civil and criminal legal matters. Digital4nx Group provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services.

Real Time Analytics