Recorded on May 14, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcasts by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
Topic: Preparing and Dealing with Ransomware
So, Baltimore has been hit with ransomware before. Back in 2018, their 911 system was down for almost 24 hours. At the same time, Atlanta was also being hit and a lot of the city services were down for days. The Atlanta attacks involved SamSam, and the attackers were demanding 50k from the city for the keys to the encryption. If you don't know, SamSam uses RDP, JBoss (Java-based servers) or FTP to gain access, but it can also just brute force you.
The Baltimore attack this time was primarily against the City Council systems by RobbinHood ransomware. This new variant (often misspelled Robinhood) stops antivirus services first, also stops a lot of other services, and disconnects network shares. Why? Maybe it's being considerate, or maybe a script is going to push the encryption out separately? It basically encrypts all your files on that machine. There isn't much information about how it spreads currently, but I am guessing it's manual (read: phishing).
There is also no current method to recover the data since it is strongly encrypted. Good luck. And they want 3 bitcoin per machine or 13 bitcoins for your whole operation. So, currently (as of yesterday), that's about 22,000 or 96,200 dollars. Ouch.
If you called a security specialist with this problem, well, good luck, because there is little information on it (people are reverse engineering it and experimenting to find out how it works and spreads) and as such, you don't have a lot of options.
So, what's a Mother to do? Well, a lot of what we tell you is hard to do. Everyone sits through the video, says "that will never happen to me," ticks the box to be done and gets back to work. So, here is our take on it.
- YOU ARE GOING TO GET HIT SOMETIME. Much like the heat death of the universe, it's inevitable. Unlike the heat death of the universe, you should worry about this one because it's a lot more "evitable" than the heat death in your near future.
- THERE IS NOT LIKELY MUCH YOU ARE GOING TO BE ABLE TO DO ABOUT IT. These things use strong encryption. So, unless you are planning to wait around for the heat death of the universe and don't mind being out of business (something like 10^106 years) well, you better be ready.
So, how the frack do you deal with this?
- YOU MUST HAVE OUT OF BAND BACKUPS. That is the principal mechanism for dealing with this type of problem. You need this at home, you need it at work, and you probably shouldn't even trust that someone else is doing it for you, since they may only be backing up things they thought were important or not actually doing the backups at all. We talked about backup strategies quite a bit back in episodes 52-54, so you should check those out as well. Basically, out of band means that it can't be reached from the local system through a normal channel. Now, for me, that means a Windows service/share. So, if I take my key files and I move them into some other place for storage that is NOT connected, then that should be sufficient. We used to tell businesses to drop their daily tapes with their bank deposit bag and pick up the 2 day old tapes the next day. Today, it's not that hard.
Now, remember, if your files are encrypted and you don't notice that, the next backup (using those whole, or one-off backup strategies) will simply copy over the backed-up files with the encrypted files. Now, the one-offs may not actually overwrite the files due to the name change, but do you trust that? Really? I don't. So, get those files you really need and put them somewhere. Be sure you do this in the context of your business cycle, because if you lose everything and your last backup was 3 years ago, well...
I know this is a pain and we are all trying to automate everything we can, but the problem is the automation is not necessarily smart and the ransomware is smart, and as such it may remain silent for a long time to take advantage of your backup strategy. It can even have a delayed start to wait for after hours so you don't notice. So, if it runs at 2300 and your backups run at 0300, well, perfect storm.
And remember, even at home you need to be doing this. Which key files do you need? My strategy is to archive and then deep store those archives on a server that is not connected to my home all the time. Then, I have to regularly copy the "running" versions of my work up onto those archives as well. This is in addition to my regular all-the-time backup approach.
OneDrive, Google Drive, et al., will not save you. Yes, these are protected from physical failure, but if the ransomware simply encrypts everything in all your automatic drive shares, well, OneDrive won't know those files shouldn't have changed; it will simply sync the files and voilà, everything is encrypted.
Now, RobbinHood did NOT jump across drive shares, but that doesn't mean the next one won't.
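One way to keep an automated backup from faithfully copying encrypted files over the good copies, as discussed above: gate the backup job on a pre-check. This is an added example, not code from the show or from any backup product; the canary path, manifest and file contents are constructed, and the entropy threshold is an assumption that suits plain-text file types only (zip-based formats such as .docx look high-entropy even when healthy).

```python
import hashlib
import math
import os
from collections import Counter

# Constructed manifest: paths of "canary" files that nothing legitimate ever edits,
# mapped to the SHA-256 of their known-good contents.
CANARIES = {"finance/DO_NOT_TOUCH.txt": hashlib.sha256(b"canary v1\n").hexdigest()}
# Only file types whose healthy contents are compressible text get the entropy check.
PLAINTEXT_EXTS = {".txt", ".csv", ".log", ".json", ".xml", ".md"}
ENTROPY_LIMIT = 7.5  # bits per byte (assumed); plain text sits far below, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(files: dict) -> list:
    """Return the reasons a backup run should be refused; an empty list means proceed.

    `files` maps a relative path to the bytes the backup job would copy right now.
    A missing or altered canary, or ciphertext-like content in a plain-text file,
    is treated as a sign that encryption has already happened on the source.
    """
    reasons = []
    for path, digest in CANARIES.items():
        if path not in files:
            reasons.append(f"canary missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            reasons.append(f"canary modified: {path}")
    for path, data in files.items():
        ext = os.path.splitext(path)[1].lower()
        if ext in PLAINTEXT_EXTS and shannon_entropy(data) > ENTROPY_LIMIT:
            reasons.append(f"high entropy for plaintext type: {path}")
    return reasons


if __name__ == "__main__":
    # Constructed snapshot: intact canary plus ordinary notes -> backup may proceed.
    healthy = {"finance/DO_NOT_TOUCH.txt": b"canary v1\n",
               "notes/todo.txt": b"call the bank\n" * 20}
    # Constructed snapshot after encryption: every byte value equally likely (8.0 bits/byte).
    encrypted = {p: bytes(range(256)) * 16 for p in healthy}
    print("healthy:", suspicious_files(healthy) or "proceed")
    print("encrypted:", suspicious_files(encrypted))
```

Wire the check in front of the job that rotates or overwrites backup copies, so a failed check holds the last good generation instead of replacing it.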
- We have to do a better job in convincing people not to open email.
Firstly, we have to get people to stop sending exploding attachments. Any file can contain scripts and as such malware. These things can be small and as such attached to a doc file. That means when you get an email, you need to be more diligent about opening the attachments and even the email. See, when you double click a Word file (or anything else) you are basically lending it your privilege level to execute. Most people are running as administrator, or at the very least own their files (which are targeted most often), so when you click it, it has the same privilege as you and the same ownership as your files, so it can get at them. They don't care about encrypting your Windows executables since you could just reinstall; it's your data they are after.
So, what should you do? Try my handy n-part strategy for email:
- Who? Do you know the sender? Is their domain (that's the part of the email after the @) something you know? Take that extra few moments to verify.
- What? Did they send you something? Why did they do that? I could never get over how many calls I got about Naked Wife. That was an early piece of malware that sent copies of a file called "naked wife" out to everyone in your address book. Shudder. So, did your father send you a Word file out of the blue? I know it's a pain, but double check with the sender. Out of band is best, but if you want to email them back... Don't REPLY to the original. Send a new email to the address you already know for them.
- Think. Phishing and spear phishing never stop. They know how to target you with subject lines you don't think about. You must train yourself to be paranoid and watch for those things. When you get an email from your grandfather that says "naked wife" you probably will hesitate, but that email that says "Your withdrawal of all funds has been approved by [name of bank here] but you need to validate the transaction before all funds can be dispersed"? Yeah, you may click that pretty fast. Or how about "Notice of warrant for arrest issued. Please be advised you have a warrant issued by the [insert police agency here]." I know we have been through this before, but people aren't listening. They really target you, and if you are working for a company, a lot of information is available to assist. Facebook has the name of your kids' school. Is it public?
- Dunk. Or just delete it. Remember the old thing about putting a package you got from a student into a bucket of water before you opened it? Well, do that here. If you have suspicious email, set up a VirtualBox or some other VM and forward it to an account you only read from there. Open it in the VM, where it can't reach your real files, and see what it does.
- Clean up. How many services and tools are you running? I bet a lot. Did you install that CPU monitoring tool back in 2010, and it's still on there even though you have upgraded the mobo 3 times? Well, what if that thing has a zero day in it? Clean up your machine and get rid of unused services. Not that this will save you, but it at least will help.
- At work, firewall email. You may want to whitelist senders (not that that helps much), but the extra step may make people stop and think.
- PATCH. You have got to find a way to get a better patching schedule. Some places require massive studies (not that that is a bad idea) that take months before they roll out patches. Find a way to prioritize patches, score them or something. Get the likely ones out there quick. You may have to work hard to get management buy-in, but show them the Atlanta story or the Baltimore story and they may reconsider allocating some people to this. Or not.
- In which case, evaluate your backup strategy. Real time, out of band, and you have to test it. You have to test restores. Now, assume all real-time backups are encrypted. Now assume all shared folder/drive backups are encrypted. Can you still restore? How far back did you have to go? Will that survive the business cycle?
If this doesn't scare you, well, I don't know what will.