During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the usual modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and then extended that access to every connected system they could reach. On each system, several tools were used to find, encrypt, and delete the original files as well as any backups. These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the files were encrypted, a ransom note appeared, demanding a payment in Bitcoins to retrieve the files. By separating particular functions from the ransomware binary and carrying out certain actions with freely available tools and scripts, the adversaries tried to evade detection as much as possible. This is unlike most ransomware cases, which spread wherever possible. Targeted ransomware attacks have arrived.

[The attackers could ask anywhere from $500 - $10,000 or more to allow you access to your data again]
Prevention

Based on what we have learned about these attacks, it seems clear that the adversaries launched a targeted and manual attack with the goal of holding files for ransom.
Some of the techniques used suggest an attempt to evade detection. Although there is no silver bullet to prevent such attacks, good security practices do help.
We recommend the following measures:
• Quickly install security updates: The entry point appears to have been the exploitation of a known vulnerability in third-party software. This demonstrates the value of disciplined practices for operating system and application software updates, especially on externally facing systems.
• Ensure updated security software is installed: When malware such as ransomware is discovered, up-to-date security software may be able to detect it.
• Implement a robust backup/recovery strategy: A sound backup and recovery capability is critical in cases of targeted attacks as well as other catastrophic events. The data should be stored in a secure and separate location, and the recovery strategy should be tested frequently.
February 2016 By Christiaan Beek and Andrew Furtak