2017 has been a pretty “interesting” year from an information security perspective. We have had plenty of big security events such Cloudbleed, the CIA Vault7 leaks, Shadow Broker’s exploits and post-exploitation tools publication, hacking of Macron’s campaign for the French presidency, Equifax, Uber, Deloitte, Nicehash, and even the DoD AWS breaches.
But in this post I want to focus on the main Ransomware cases we saw last year because they were much more impactful than the ones of previous years.
Since 1989 when the AIDS Trojan was released, ransomware has evolved a lot. Specially in the last few years where we can see an exponential evolution for ransomware in terms of complexity and impact that ransomware campaigns have had worldwide.
Legacy ransomware was quite basic and mainly relied on the victim’s lack of a backup, fear and hurry to pay. But in the last few years we’ve seen a trend of rapidly evolving ransomware variants that continue to grow in complexity. To ensure the highest number of paying victims, ransomware authors have begun to adapt the ransom messages to the victim’s language. We’ve also seen ransomware as a service, allowing criminals without the skills or knowledge to stand up successful ransomware campaigns, we’ve even seen ransomware that allows you to avoid the payment if you infect other victims.
On the other hand, society has changed in a way that makes ransomware much more impactful. We rely much more on smart phones and computers. The data these devices store has become more valuable for users and organizations. Additionally, the Internet of Things (IoT) has come to stay, so we’ll see more and more devices affected by ransomware in the future.
But if we look specifically into 2017 we can find a new big trend for ransomware: the capability to automatically spread themselves laterally within the network of their victims. Ransomware authors have successfully automated lateral movement techniques which were previously used by advanced adversaries.
On April 14th, 2017, the Shadow Brokers group published an exploitation framework developed by the Equation Group. This framework included the incredibly effective and advanced EternalBlue and EternalRomance exploits that leveraged vulnerabilities on the windows SMB protocol to gain administrative access into the targeted system. These exploits where a key reason for the success of the most impactful ransomware campaigns from 2017, as we will explore in this post.
On May 12th, 2017, the “WannaCry” (Wanna Cryptor) ransomware became a worldwide issue. It spread quickly and effectively, affecting more than 300,000 systems in at least 150 countries. This ransomware encrypted the files of the victim and spread laterally through an organization’ network by using the EternalBlue exploit. Even considering the huge economic impact that Wannacry resulted in, we were lucky because the ransomware was only capable to propagate laterally on Windows7 and Server 2008 systems, and not in WindowsXP or Windows10.
On the other hand, WannaCry had implemented a “kill switch” mechanism. During the infection phase, it queried DNS for a specific domain and only attempted to move laterally to new systems if the domain was not answering. When Marcus Hutchings (AKA MalwareTech), a security researcher, registered and sinkholed the domain, the WannaCry ransomware stopped spreading as a worm.
The fact that the WannaCry ransomware was buggy, didn’t use unique bitcoin wallet addresses per infection (a key “security” measure used by most ransomware variants today to make it difficult for researchers to track payments made to the authors), and had this “kill switch” mechanism caused some security researchers to speculate about the possibility of WannaCry being a test that started that was accidentally released to the wild. On the other hand, last December, the U.S. assistant to the president for homeland security and counterterrorism attributed this ransomware to North Korea, who vehemently denied being responsible for the cyber attack.
A month and a half after WannaCry, we wake up with a new surprise: Petya/NotPetya. Petya was a ransomware variant in use since April 2016. The Petya ransomware was unique because rather than searching and encrypting specific files (like most ransomware), it replaced the infected machine’s boot loader and encrypts the master file table to lock the access to the computer or the data on it until the ransom is payed. The ransomware strain seen on June 26th, named NotPetya and which original infection vector appears to have been a malicious update from a Ukrainian financial software firm, re-used quite a bit of the Petya ransomware code with significant improvements and differences.
First of all, NotPetya is not truly a functional ransomware strain since even if you pay, you can’t unblock the access to the victim’s system. Due to this, it appears that the purpose of this malware was not to make money but rather to impact the availability of data and services. Second, much like the WannaCry ransomware campaign, NotPetya implemented mechanisms to automatically spread itself by using the EternalBlue exploit. However, NotPetya was also effective against organizations that had already applied patches that prevented the use of the EternalBlue and other Equation Group exploits. The NotPeyta ransomware used common threat actor techniques to retrieve cached passwords from already infected systems to move laterally within the network and infect additional systems by abusing PsExec and WMI protocols.
Because NotPetya appears to have been designed to cause damage to customer systems, it is much more effective than WannaCry, but masquerading as a standard ransomware campaign points to the likelihood that it was developed by a very skilled and resourced group. The potential goal of the campaign becomes clearer when you examine the impact of the Notpetya campaign. Most of the organizations impacted by NotPeyta where located in Ukraine, including airports, public transportation, banks, and Ukrainian government systems. The Security Service of Ukraine point to the involvement of the Russian Federation special services in the attack.
Finally, on October 24th, 2017 BadRabbit made its debut. This ransomware is a variant of NotPetya that leverage hard coded and stolen credentials to spread across the local network. However, the fact that it didn’t use EternalBlue to spread laterally like WannaCry and NotPetya (it used another Equation’s group exploit called EternalRomance instead) and the fact that a vaccine to prevent the infection was quickly available the day of the attack have mitigated much of the impact of this last big wave of 2017’s ransomware.
Looking at the impact those ransomware incidents have had we can realize the importance for organizations to implement some basic security controls such:
- An updated inventory of the computers assets. You can’t protect what you don’t know you have.
- An effective Vulnerability Management Program to ensure systems are correctly patched for critical vulnerabilities.
- Access control and proper network segmentation.
- Do proper Windows hardening and take advantage of the new security controls Microsoft is including on its OS. You can find here a good article from Microsoft on this topic.
- Have an effective backup strategy to be able to recover the important data in case of disaster but also in case of ransomware infection.
- Limit user privileges on the endpoints whenever is possible. Notpetya would not have been as effective if users had not local administrator privileges on the endpoints.
- Limit the internet access from production servers whenever possible.
- Implement and test an Incident Response Plan that includes ransomware scenarios to avoid any improvisation in a crisis scenario.
- Use effective Endpoint security solutions able to identify Indicator of Attack/compromise rather than rely only on signature based detection.
In conclusion, 2017 was the year of the of worm-style ransomware such as WannaCry or Notpetya, which affected organizations all over the world and used advanced lateral movement techniques to enable its spread. I think we should expect this trend to continue and evolve in the near future. I believe it’s important for the organizations to get as prepared as possible to prevent and be able to successfully react to such threats.
If you’re in Switzerland this January, join us at the SIGS Kick Off in Zurich or the ICT Networkingparty 2018 in Bern. Our focus in 2018 throughout the SIGS .series 2018 will be MSS, and both these events promise to bring together the brightest minds in the IT Security industry to share thinking on 2018 trends.