Subscriber Discussion

Ransomware Concerns

Avatar
Keith Walker
Jun 15, 2016

We are starting to see some of our customers being hit with the Ransomware viruses (CryptXXX, TelsaCrypt, etc.) that are becoming extremely wide-spread. One of these is an embedded access server (CCure Site Server). We also had an office machine hit due to, what we think, was an outdated version of Adobe Flash. We were able to restore a backup of the machine, but it also hit Dropbox, which uploaded to their server. This was recovered, but required their assistance and took a few days.

For those unfamiliar, these viruses/trojans encrypt specific files, such as .jpg, .pdf, .xls, .doc and many others, usually changing the file type to something like .crypt. Text files are put into each infected folder with instructions on how to pay to unencrypt the files, usually for $500 to $1000, with no way to guarantee that paying will actually get you your files back. The CCure Site Server was actually hit with a lock screen that prevents it from even booting into Windows Safe Mode.

Personally, I think we are seeing the beginning of what is going to become a major problem. These have been around for years, but the more I read about them, the more I'm developing a "sky is falling" mentality and the more I think we're seeing the tip of the iceberg.

Has anyone else encountered these, either personally, or through your business? What steps are you taking to protect your machines, as well as your customer machines? It seems that these viruses are slipping through AV software and once they've encrypted their target files, are deleting themselves to avoid detection.

(2)
Avatar
Brian Rhodes
Jun 15, 2016
IPVMU Certified

Wow. Did you contact Software House for help to remove it? What was their comment on it?

Avatar
Keith Walker
Jun 15, 2016

Sold us a recovery USB drive. Luckily, our tech made a backup about a month ago, so they'll just need to add a few badges back. They wanted us to connect it to our network so that they could remote in, but we weren't having any of that. Short of paying the ransom, I really doubt their tech support could do much.

(1)
U
Undisclosed #1
Jun 15, 2016

What types of customers are these? Small/medium business, large organizations, governments, etc? Based upon the post, I'm assuming it's a small to midsize business that likely doesn't have a robust network security team, but that's a guess.

For me, the answer is better network security on the client side. There is only so much that integrators can do in these cases -- we can install the most secure products out there (CCure -- prime example...probably the single-most secure platform on the market? At least in the discussion...), but if the box they sit on can be accessed and infected, it makes no difference.

There is a reason that companies such as Palo Alto Networks, Imperva, Bluecoat, F5, etc etc are exploding the way they are, and it's for this exact type of thing. Whether it's a properly-installed WAF to monitor network traffic and prevent incursions, high-end firewalls, a whitelisting protocol instead of blacklisting, etc -- network security is becoming a big deal for everyone.

For SMB's who simply don't have the resources to deploy a full-scale network security team, it's making hosted environments all that much more appealing. Moving everything to a hosted and/or cloud-based platform is the only way a lot of these smaller companies will be able to adequately fend off these types of attacks without hiring a couple of people and spending a lot of money to manage it.

(1)
U
Undisclosed #2
Jun 16, 2016
IPVMU Certified

Related: First production version of Linux ransomware is poorly designed, fails to secure ransom.

Harden your systems before the patch comes out...

UM
Undisclosed Manufacturer #3
Jun 16, 2016

We were hit with this ourselves last year. I think it came in when a tech installed their company Dropbox account on their personal computer without authorization, which copied what may have been an infected PDF or Excel file. Our office administrator go it when I think they were collecting the time time sheets through the Dropbox folders.

We were down nearly a whole day figuring out how to recover, but for the most part it was simply restoring files using Windows Shadow Copy and Dropbox archived file versions. Our accounting person had to recreate a days worth of work.

The most common important thing cited to mitigating cryptoware risk is having a good backup of you files. The second is multiple layers of security, from end point anti-malware software on the workstations to your gateway router. User training of course is up towards the top of protection protocols. Another that is not often thought of, especially if you have a network of computers, is limiting the network permissions of the users on the network to be no more than what we need. Our office administrator's computer was only able to change files it had access to locally on Dropbox and on shared network folders they had permission to, which was about a quarter of the overall files. They weren't able to infect other computers. We formatted the infected computer and reinstalled the OS and programs from scratch.

Avatar
Jon Dillabaugh
Jun 17, 2016
Pro Focus LLC

At least they offer to give you your data back for a fee. Back in the day, they just flashed the firmware on your drive, essentially bricking it. There was little the average person could do.

Avatar
Keith Walker
Jun 17, 2016

Well, maybe... Not sure that they would actually follow through with the data return once they have the money.

Avatar
Jon Dillabaugh
Jun 17, 2016
Pro Focus LLC

Many documented cases of successfully retrieving data after ransom payment.

(1)
Avatar
Luis Carmona
Jun 17, 2016
Geutebruck USA • IPVMU Certified

I've read the same thing, most times they do give you the decryption keys to get your data back. It's even been reported the FBI recommends people pay if they want their data back.

But then they drop another trojan that will later encrypt your files again.

U
Undisclosed #2
Jun 17, 2016
IPVMU Certified

But then they drop another trojan that will later encrypt your files again.

Like everybody else, they are just looking for a little RMR, recurring monthly ransom.

(2)
(5)
U
Undisclosed #2
Jun 17, 2016
IPVMU Certified

At least they offer to give you your data back for a fee.

Maybe we should be grateful to them as well for pen testing our systems...

(2)
Avatar
Jon Dillabaugh
Jun 17, 2016
Pro Focus LLC

Here is an under the hood look at ZCrypt.

https://blog.malwarebytes.com/threat-analysis/2016/06/zcrypt-ransomware/

In this blog, it shows the process of how it makes a call out for the private key to unlock the data when payment has been received.

Too bad these ransomeware artists aren't using Mybitcoin...

Avatar
Joseph Marotta
Feb 03, 2017
IPVMU Certified

January 30, 2017

Ransomeware Takes Out 70 Percent of Washington DC Security Cameras

http://www.eweek.com/security/ransomware-takes-out-70-percent-of-washington-dc-security-cameras.html 

(1)
U
Undisclosed #4
Feb 04, 2017

Kinda makes you want to sit in a dark room with some heavy dub step/psy-goa techno with a cool matrix screen saver while you make rule the world .gif images of windows script host. Mirror, mirror on the wall, who is the fairest of them all?

Seriously, cybersecurity is going to take center stage soon with all their silly ethical hacker titles and hold us all just as ransom as the big bad wolf himself.

We need to assist technology standards with biometric compilations and stamp out the human sys-admin whom may or may not have a god complex of an oblique god.

Ending this here, sad to see the state of hacks these days. Repair bots to the rescure(new word).

NL
Nicholas Lyle
Feb 04, 2017

 As an IT provider this is something we work hard to protect our customers from. Although it's becoming a more common attack it's still evolving and the delivery methods are constantly changing. In order to fully protect a clients network and endpoints you need to use a layered approach to security.

It starts with a quality UTM firewall, then moves to layering the network so that critical systems cannot be infected from end users. From there you need to have frequent backups in place that are decoupled from the machines they are protecting and access controls in place so that only the protected machines can write to the backup repository. 

The final layer is is at your endpoints. Your users systems should be protected with a quality and updated AV. The key is that you also have to constantly remind the end users about the threats and help them implement a set of best practices. 

Even with all of the above perfectly executed an infection can still happen. But this is what the backups are for. With a properly configured backup server or BDR you should be back up and running in minutes with virtually no loss of data or productivity. 

(1)
U
Undisclosed
Feb 05, 2017

Let me get this straight.  The victim's system was sufficiently connected to the public internet that it could be reached by a ransomware attack.  "Just like the DC cops do it", apparently.  Or the SF Muni folks, if I'm mis-speaking of the DC incident.  What part of "segment, segment, segment" am I missing in this conversation?

(I like the drop-box comment.  Nice to know I'm not a freak for worrying when the physical security folks gleefully use public-access file sharing sites on sensitive gear.)

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions