ransomware

Phishing Email to Company Devastating Ransomware in 5 Hours

October 25, 2020 By Craig Hays

Reading Time: 6 minutes

How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

Photo by Pixabay from Pexels

(This article aims to contextualise an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victim’s inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company CEO. It looked identical to many other emails received that same day.

The company email servers scanned it and allowed it straight through to the victim’s inbox. It was sent through a legitimate and well-known email delivery service with a good reputation. There were no attachments to be scanned for malware. All it contained was a politely written request and a link to a web page.

The web page didn’t ask them to log in. It wasn’t trying to steal their password by masquerading as a trusted login page. All the victim saw was a message saying: ‘Oops! The document preview isn’t available. Click here to download’, or words to that effect. This is the sort of error message that we’ve all seen many times over the years. Most of us wouldn’t think twice about clicking that link, myself included.

Malware In Disguise

The browser downloaded a file named something like PreviewReport.DOC.exe. A warning message came up at the bottom of their browser asking if the user wanted to keep or discard the file as it could be harmful.

Regrettably, our unfortunate user downloads all sorts of documents all day every day and many of them give the exact same warning. They’ve learned that this warning message is just a regular part of online life. One more thing they must click on in order to get work done. Out of habit, they clicked on ‘keep’, then opened the file.

The executable was signed with a trusted certificate from a well-known vendor. It was malicious, and yet it was signed. The thing is, anyone can buy legitimate and trusted software signing certificates on the internet these days if you know where to look. The user’s PC had AppLocker configured to block unsigned executables but it made no difference. The trusted, signed malware executed without a problem.

Their local antivirus software had the latest virus signatures downloaded and available. As the malware was unique to this victim, the signature didn’t match anything on record. Nothing was blocked.

As far as the user was concerned, the file did nothing. Perhaps it was corrupted. Never mind…

Sadly, it wasn’t corrupted. It sent a message out to a command and control server on the internet to say, ‘Hello, I’m here, and I’m waiting’, then opened a backdoor into the heart of the company network. It checked in using standard, encrypted HTTPS traffic, and notified the ransomware gang that it was active and waiting for instructions. From the outside, it looked exactly the same as the device’s owner viewing any other secure web page on the internet.


How Will I Recover from Ransomware?

February 23, 2020 By Craig Hays

Reading Time: 5 minutes

There are very few things that genuinely worry me in cybersecurity. Recovering from ransomware is one of them.

Photo by Echo Grid on Unsplash

Ransomware is the digital equivalent of someone breaking into your house, while you’re in it, and deliberately destroying everything. There are no other prevalent cyber weapons that do that. Ransomware is the only one. It is the cruellest, most violent, and most invasive type of malware on the internet. If someone did it in the physical world they would be imprisoned for a long time.

The catch with ransomware is that it offers you a lifeline. An undo button. A chance to reverse all damage. ‘Pay us and we’ll put it all back the way it was.’ Like it never happened. But it did.

Ransomware is Generally Indiscriminate

Ransomware doesn’t care who you are. The threat of ransomware affects both my personal and professional life. The photographs and videos of my daughter’s entire existence are just as vulnerable as the data and systems of FTSE listed companies.

Wannacry, one of the most famous ransomware variants, originally spread from machine to machine through an unpatched file-sharing service. Once a host becomes infected it encrypts all local files and begins looking for other vulnerable hosts to attack. Whoever owns the host is irrelevant. If you’re on a network connected to a compromised host then you’re going to see infection attempts coming your way. Internet, home network, corporate office, or public Wi-Fi, it makes no difference.

The vulnerable hosts that allowed Wannacry to spread initially have been patched or are already compromised. Now ransomware tends to spread through user interaction. A phishing email or drive-by download is the most likely cause of infection. Some malware variants even request permission to run as an administrator to ensure no chance to access everything is missed. The recipient doesn’t matter; the outcome is the same.

But Ransomware Criminals Will Discriminate

The only thing that differs between victims is the size of the ransom demand. If an attacker is able to identify the system as belonging to a registered company then the price of the decryption key will be proportionate to the company’s annual returns. The victim’s goal is to recover from the ransomware attack. The attacker’s goal is to receive payment. Therefore, ransomware criminals walk a fine line between ‘I can’t afford to do that’ and ‘I can’t afford to not do that’.

While individuals may struggle to pay more than a few hundred dollars, a big corporation can usually afford to pay a lot more. Many cyber insurance providers will willingly negotiate the value of the ransom demand on behalf of their customer. Paying for the decryption key can be cheaper than recovering everything from backups. It’s not always a certainty though as it’s hard to rely on criminals to honour the terms of an agreement. That said, ransomware criminals rely on the general public consensus of their own compliance in order to make money. Unless the majority of people who pay for a decryption key actually get what they pay for, people will stop paying.

Criminals are Getting Smarter

In the early days of ransomware, criminals would compromise a system then almost immediately trigger the encryption process. This generated a lot of short term profits but reduced the size of overall payouts possible from corporations. For many companies, restoring from backups was a painful but acceptable solution to the problem. For a criminal, this isn’t the outcome that makes money.

Now, ransomware attacks against corporations have evolved. Instead of immediately starting the encryption process, criminals are hanging around, observing, exploring, and waiting for the right moment to strike for maximum effect. If you were watching them you’d find them slowly poisoning backups, corrupting stale data, and monitoring backup software until retention periods have expired. In the style of Mr Robot, criminals are going after production systems and their online and offline backups through corruption and expiration.

This evolution makes it much, much harder to recover from ransomware. If you can’t recover from offline backups your only option is to buy the decryption key. At least that’s the reasoning of the new approach. Another attack vector is to exfiltrate data before encrypting it locally and use the threat of GDPR fines to coerce payment. By leaking sensitive information to the press bit by bit until payment is made, a stronger case for paying the ransom demand can be built. Especially if someone is trying to keep the breach a secret. (By the way, don’t ever do that. Transparency and honesty are key.)

So How Will I Recover from Ransomware?

Thankfully I haven’t been hit by ransomware, yet. Unfortunately, it’s only a matter of time. No matter how hard you try you will always get hacked in the end. That’s why we apply our focus on response and recovery as much as on the protection against and detection of threats. Just like everyone else, the best way to recover from ransomware is to ensure you have offline backups of everything. Not just the data but full images of servers, installation files, license keys, processes and documentation, your Active Directory database in a tested, recoverable form… literally everything you could need to rebuild everything from scratch.

As evolved ransomware attacks are targeting offline backups, the solution here is longer retention periods. If you only keep backups for 30 days it is really easy to lose everything. If you keep a combination of daily, weekly, monthly, and yearly backups, you’ll at least have something to work with. It’ll be less than ideal but something is better than nothing. Long retention and early detection are your best defences.
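As an added illustration (not code from the original post), this short Python simulation shows the retention argument above: an attacker who starts poisoning data 45 days before triggering encryption outlasts a flat 30-day window, but a daily/weekly/monthly/yearly (grandfather-father-son) schedule still leaves clean restore points. The snapshot dates, the 45-day dwell time and the policy counts are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed policy: how many daily, weekly, monthly and yearly snapshots to keep.
GFS_POLICY = {"daily": 7, "weekly": 4, "monthly": 12, "yearly": 3}


def fixed_window_keep(snapshots, today, days=30):
    """Flat retention: keep only snapshots taken within the last `days` days."""
    return {s for s in snapshots if today - timedelta(days=days) < s <= today}


def gfs_keep(snapshots, today, policy=GFS_POLICY):
    """Grandfather-father-son retention: the N newest dailies, plus the newest
    snapshot of each of the last N weeks, months and years."""
    recent = sorted(s for s in snapshots if s <= today)
    kept = set(recent[-policy["daily"]:]) if policy["daily"] else set()

    def keep_newest_per_bucket(key, n):
        newest = {}
        for s in recent:  # ascending, so later snapshots overwrite earlier ones
            newest[key(s)] = s
        for k in sorted(newest)[-n:]:
            kept.add(newest[k])

    keep_newest_per_bucket(lambda s: s.isocalendar()[:2], policy["weekly"])
    keep_newest_per_bucket(lambda s: (s.year, s.month), policy["monthly"])
    keep_newest_per_bucket(lambda s: s.year, policy["yearly"])
    return kept


def clean_restore_points(kept, first_tamper):
    """Snapshots taken before the attacker began corrupting data are the only
    ones worth restoring; everything after that date is poisoned."""
    return sorted(s for s in kept if s < first_tamper)


def demo():
    # Constructed scenario: one snapshot per day for 400 days, attacker started
    # poisoning data 45 days before the ransomware was triggered "today".
    today = date(2020, 2, 23)
    snapshots = [today - timedelta(days=i) for i in range(401)]
    first_tamper = today - timedelta(days=45)
    flat = clean_restore_points(fixed_window_keep(snapshots, today), first_tamper)
    gfs = clean_restore_points(gfs_keep(snapshots, today), first_tamper)
    return {
        "fixed_clean": len(flat),  # 0: every surviving snapshot is poisoned
        "gfs_clean": len(gfs),  # 10: month-end snapshots from Mar to Dec 2019
        "gfs_newest_clean": gfs[-1].isoformat() if gfs else None,
    }


if __name__ == "__main__":
    print(demo())
```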

In my personal life, I take the same approach. I use a combination of different online backup solutions with different retention policies. I combine that with offline snapshots of everything important to me on multiple disks. Simply replicating everything to a cloud-based mirror isn’t enough, as ransomware changes to your local files will be replicated offsite just like your regular updates. Even if you use a backup provider that guarantees immutability of your data for a given period of time, all an attacker has to do is observe your password and delete your account before encrypting everything. Offline backups are the only safe option. Just don’t plug them back in again unless you’re sure your machine is safe.

You Can’t Back Up Your Reputation

The only thing you can’t back up is your reputation. No matter how well you respond, if you were the one responsible for protecting against a ransomware threat and you ‘failed’, you will be blamed. Even if only by yourself. Just remember, there’s only so much you can do with the time, money, and people available to you. Make sure you have offline backups that can’t be corrupted and at least you’ll be able to recover something in the end. You might not be able to back up your reputation, but with perseverance, you’ll be able to restore it.

· © Craig Hays, 2020 ·
