United States: Ransomware And Encryption Attacks - How Recent Attacks Can Inform Effective Prevention And Response Efforts

As organizations move towards the efficiencies of a "paperless office," the very same internet-facing technologies that help create a more efficient and productive workplace can also greatly increase the risk of suffering a significant ransomware or encryption attack. While a great deal of technical literature is available about encryption attacks and ransomware, the goal of this article is to provide simple and practical answers to the following questions:

  • Can my organization learn from recent encryption attacks to prevent an infection?
  • How can my organization be better prepared to respond to a successful attack?

Lesson 1: The critical importance of patching

SAMSAM (MSIL/Samas) health care sector attacks. The ransomware variant SAMSAM (aka MSIL/Samas) is publicly reported to have infected health care organizations through vulnerabilities in outdated "JBoss" software [1]. In addition to encrypting a network's active files, SAMSAM searches for file extensions and directories associated with backup files. Once it locates them, SAMSAM often encrypts or deletes those backups before proceeding to encrypt the active files, creating a "perfect storm" of malicious design elements.

WannaCry — 99 countries affected with malware in 27 different languages. On May 12, 2017, malware known as WannaCry, WCry or Wanna Decryptor infected tens of thousands of users in as many as 99 countries. The ransom demanded was .1781 bitcoin, or roughly $300. WannaCry gained access to victim networks through one of two primary means: RDP compromise [2] or the exploitation of a critical Windows SMB vulnerability [3]. In addition, WannaCry's cryptographic loading method does not directly expose itself on disk, making it difficult to detect through most antivirus software scans. Notably, Microsoft had released a security update for this "MS17-010" vulnerability on March 14, 2017, approximately one month before the widespread attacks referenced above.

The malicious binary Dharma. The ransomware variant Dharma is one of the more common in recent days, affecting numerous financial services and health care systems through its use of asymmetric cryptography [4]. There are two separate versions of the Dharma variant, both of which use a combination of AES and RSA ciphers. The AES technology produces a public key to execute the encryption. It targets text documents, graphics, databases, archives, audio, video, and other file types, and appends a custom extension to the names of the encrypted items. The RSA cipher then generates and encrypts a private key that the attacker stores on a remote command and control server. During encryption, the explorer.exe process can become unresponsive, and, like most other variants, Dharma generates a ransom note on the server's desktop. Through a recent online leak of Dharma decryption software, an effective "decryptor" for Dharma is now widely available, obviating the need to pay a ransom in many cases.

Action Item: Review your organization's patching protocols. The number of known ransomware variants continues to grow as opportunistic attackers target vulnerable organizations through the use of modified code and refined attack forms. According to Verizon's 2017 Data Breach Incident Report, public administration organizations were the number one industry targeted by ransomware, with healthcare the second most targeted and financial services the third [5]. On a positive note, SAMSAM and WannaCry attacks have been largely curtailed through public education and aggressive software patching campaigns. Keeping software up to date, however, requires careful planning and diligence. According to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the primary infection vector in at least 95 percent of incidents was an unpatched vulnerability in an operating system, software, or plugin [6].

To prevent attacks through unpatched software, organizations should consider the use of a centralized patch management system. In addition, alerts from automated vulnerability scanning tools should be aligned to trigger an organization's internal patching processes. Other measures, such as application white-listing and software restriction policies, should also be implemented to prevent the execution of programs in common ransomware locations, such as temporary folders.
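The following is an added example, not code from the article or from any product it mentions, of the kind of check that sits between a vulnerability scanner's findings and an internal patching queue: it compares what a centralized patch-management inventory reports against a table of required updates and flags every host that is past a severity-based deployment deadline. The host names, the SLA values and the `EXAMPLE-UPDATE-001` identifier are constructed placeholders; MS17-010 and the March 14, 2017 release date are the ones the article gives.

```python
"""Added example (not from the article): flag hosts that are missing required
updates beyond a severity-based patching SLA. Host names, SLA values and the
EXAMPLE-UPDATE-001 identifier are constructed; MS17-010 is from the article."""
from datetime import date

# Constructed: updates the organization requires and the date each was released.
REQUIRED_UPDATES = {
    "MS17-010": {"released": date(2017, 3, 14), "severity": "critical"},
    "EXAMPLE-UPDATE-001": {"released": date(2017, 4, 1), "severity": "important"},
}
# Assumed SLA: days allowed between an update's release and its deployment.
SLA_DAYS = {"critical": 14, "important": 30, "moderate": 60}

# Constructed: per-host records as a centralized patch-management system would report them.
INVENTORY = [
    {"host": "fileserver01", "installed": {"MS17-010", "EXAMPLE-UPDATE-001"}},
    {"host": "hr-workstation07", "installed": {"EXAMPLE-UPDATE-001"}},
    {"host": "legacy-app02", "installed": set()},
]


def _as_date(day) -> date:
    """Accept either a date or an ISO 8601 string such as '2017-05-12'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def days_overdue(update_id: str, today) -> int:
    """Days past the SLA deadline for an update; negative means still within SLA."""
    meta = REQUIRED_UPDATES[update_id]
    return (_as_date(today) - meta["released"]).days - SLA_DAYS[meta["severity"]]


def find_violations(inventory, today) -> list:
    """Return (host, update_id, days_overdue) for each missing update that is past
    its SLA, ordered critical-first and then by how long it has been overdue."""
    violations = []
    for record in inventory:
        for update_id in REQUIRED_UPDATES:
            if update_id in record["installed"]:
                continue
            overdue = days_overdue(update_id, today)
            if overdue > 0:
                violations.append((record["host"], update_id, overdue))
    violations.sort(key=lambda v: (REQUIRED_UPDATES[v[1]]["severity"] != "critical", -v[2]))
    return violations


def coverage(inventory, update_id: str) -> float:
    """Fraction of inventoried hosts that report the update installed."""
    if not inventory:
        return 0.0
    return sum(1 for r in inventory if update_id in r["installed"]) / len(inventory)


if __name__ == "__main__":
    # 12 May 2017 is the WannaCry outbreak date given in the article.
    as_of = "2017-05-12"
    for host, update_id, overdue in find_violations(INVENTORY, as_of):
        sev = REQUIRED_UPDATES[update_id]["severity"]
        print(f"{host}: missing {update_id} ({sev}), {overdue} days past SLA")
    print(f"MS17-010 coverage: {coverage(INVENTORY, 'MS17-010'):.0%}")
```

Run as-is, the script reports two hosts 45 days past the critical SLA for MS17-010 on the outbreak date, which is the situation the article describes: the fix existed, and the exposure came from hosts that had not received it. In practice the inventory would be pulled from the patch-management system and the required-updates table fed by the scanner's alerts, so that each overdue row becomes a ticket rather than a line on a console.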

Lesson 2: Control the use of administrative privileges

Petya malware — the attack on DLA Piper and others. On June 27, 2017, Petya malware spread across Europe and the United States, infecting international law firm DLA Piper, shipping giant Maersk, and several other global organizations. Instead of encrypting files one by one, Petya denied access to each infected system by attacking the network's master file table and rendering the entire file system unreadable [7]. These attacks are believed to have propagated through a legitimate software updater for the tax accounting software MEDoc, and through a separate watering hole attack [8] associated with Ukraine's municipal website, Bahmut. Significantly, the compromise of just a single set of administrative credentials enabled the spread of Petya malware across entire networks [9]. This highlights the critical need for organizations both to limit the granting of administrative credentials and to properly segment network environments.

Action Item: Strictly reduce accounts with administrative privilege. When attackers gain access to accounts with administrative privileges, they are able to access sensitive network data and further the exploitation of a network by installing keystroke loggers, sniffers, and remote control software to harvest additional data. To limit the chance that an administrative account is compromised, administrative privileges should only be granted to those who need them to perform essential business functions. Audits of the use of administrative privileged functions should also be conducted regularly, and monitoring should be employed to detect anomalous behavior on administrative accounts.
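As an added example of the monitoring this action item calls for (not code from the article or from any vendor it names), the script below runs two detections over a constructed logon-event export: an administrative account reaching many distinct hosts within a short window, which is the pattern of a single credential driving lateral spread as in the Petya incident above, and administrative logons outside business hours. The CSV lines, account names, thresholds and business hours are all assumptions made for the example.

```python
"""Added example (not from the article): two detections over logon events that
look for misuse of administrative accounts. The CSV is constructed to resemble
exported Windows network-logon records; accounts, hosts, thresholds and
business hours are assumptions."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log: time, account, source host, destination host, logon type.
SAMPLE_LOG = """\
time,account,src,dst,logon_type
2017-06-27T09:12:03,svc_backup,backup01,fileserver01,3
2017-06-27T10:41:55,jdoe-adm,admin-jump,dc01,3
2017-06-27T13:02:10,jdoe-adm,ws-044,fileserver01,3
2017-06-27T13:02:11,jdoe-adm,ws-044,fileserver02,3
2017-06-27T13:02:12,jdoe-adm,ws-044,hr-share,3
2017-06-27T13:02:13,jdoe-adm,ws-044,ws-101,3
2017-06-27T13:02:14,jdoe-adm,ws-044,ws-102,3
2017-06-27T13:02:15,jdoe-adm,ws-044,ws-103,3
2017-06-28T02:30:00,ops-adm,ws-210,dc01,3
"""
ADMIN_ACCOUNTS = {"jdoe-adm", "ops-adm"}     # assumed privileged accounts
FANOUT_WINDOW = timedelta(minutes=5)         # assumed sliding window
FANOUT_THRESHOLD = 5                         # distinct targets that trigger an alert
BUSINESS_HOURS = (7, 20)                     # assumed 07:00-20:00 local time


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts with a real datetime in the 'time' field."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return events


def detect_fanout(events: list) -> list:
    """Alert when one admin account reaches FANOUT_THRESHOLD or more distinct hosts
    inside FANOUT_WINDOW. Returns (account, window_start_iso, sorted targets),
    at most one alert per account."""
    by_account = defaultdict(list)
    for e in events:
        if e["account"] in ADMIN_ACCOUNTS:
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most FANOUT_WINDOW.
            while evs[end]["time"] - evs[start]["time"] > FANOUT_WINDOW:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.append((account, evs[start]["time"].isoformat(), sorted(targets)))
                break
    return alerts


def detect_off_hours(events: list) -> list:
    """Admin logons outside BUSINESS_HOURS; returns (account, time_iso)."""
    lo, hi = BUSINESS_HOURS
    return [(e["account"], e["time"].isoformat()) for e in events
            if e["account"] in ADMIN_ACCOUNTS and not (lo <= e["time"].hour < hi)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for account, when, targets in detect_fanout(evs):
        print(f"FANOUT  {account} from {when}: {len(targets)} hosts {targets}")
    for account, when in detect_off_hours(evs):
        print(f"OFFHRS  {account} at {when}")
```

On the sample data the fan-out rule fires for `jdoe-adm` the moment it has touched five hosts in five minutes, and the off-hours rule flags the 02:30 logon by `ops-adm`. Both rules depend on a maintained list of which accounts are administrative, which is itself a by-product of the audit this action item recommends: an organization that cannot enumerate its privileged accounts cannot monitor them.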

Action Item: Apply the principle of network segmentation. Categorize and separate your organization's data based on its value or on its importance to operations. In addition, implement virtual environments and the physical and logical separation of networks and data where possible. In other words, separate your organization's data and restrict permissions and accesses to limit the potential damage that can result from an attack.

Lesson 3: Create an incident response plan that includes specific planning for encryption attacks

In the aftermath of a successful encryption attack, an organization will be unable to access important files or information within its network. For example, in the recent spate of Petya attacks, DLA Piper employees were without access to email or telephone systems for days. In addition, the firm's information technology team preemptively shut down many unaffected systems to limit the spread of the malware.

One of the critical questions regarding your organization's preparedness to withstand a significant encryption attack should be, "Can my organization conduct its most 'mission essential' functions without access to email, the internal document system, or any other of the firm's digital information?" In other words, after your firm activates its incident response plan and remediation efforts are underway, the question you may be faced with is whether your employees can operate under "Code White" conditions — that is, can your organization temporarily function without its usual network of computers? In the most extreme example, that might mean conducting all operations manually — hence the reference to the use of white paper notepads and pens and pencils.

Action Item: Update and revise your organization's incident response plan. While it may seem unnecessary or unrealistic to prepare for a scenario in which a large portion of your network has been rendered inaccessible, consider that crippling attacks like those on Sony Corp. [11], Saudi Aramco [10], Maersk and DLA Piper are increasingly within the realm of possibility. In each of those events, the organization's critical infrastructure was severely damaged and employees could not access the digital information necessary to conduct even the most basic daily business activities. A well-crafted incident response plan should therefore contemplate either partial or complete encryption scenarios and provide for immediate access to current and accurate information regarding:

  • Designated first response staff (including key stakeholders, such as IT, legal, financial, HR, insurance, risk/compliance, corporate communications/public relations);
  • Pre-positioned supplies and resources [12] to allow mission essential functions to continue;
  • Plans to engage key personnel and vendors to restore affected segments of the network from backup data; and
  • Plans to transition back to normal operations when the incident has been mitigated.

Action Item: Review your organization's backup protocols. Effective backup protocols are absolutely critical to surviving a significant encryption attack. Utilize a backup system that allows multiple iterations of the backups to be saved, in case a backup copy becomes encrypted or the files within the backed-up data are otherwise infected. Routinely test backups for data integrity and ensure that your technical staff is both trained on data recovery and integrated into your organization's incident response plan (IRP). Training through tabletop exercises is an effective means to ensure that the organization's operational plan to restore affected parts of the network will function properly when it is most needed.
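The script below is an added example, not code from the article, of the two backup properties this action item asks for: multiple retained generations, so that one encrypted or infected copy does not leave the organization with nothing, and a routine integrity test that checks every file against a SHA-256 manifest and refuses a set in which files have gone missing, changed, or acquired an appended extension of the kind the Dharma and SAMSAM descriptions above mention. The directory layout, the manifest format, the retention count and the suspect-extension list are assumptions; the demo builds its own source tree in a temporary directory.

```python
"""Added example (not from the article): keep several backup generations, record a
SHA-256 manifest for each, and verify a generation before trusting it for restore.
Directory layout, manifest format, retention count and the suspect-extension
list are assumptions; the demo runs entirely inside a temporary directory."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

GENERATIONS_TO_KEEP = 3      # assumed retention: the newest three sets survive
# Constructed list. The extension a ransomware family appends varies by family,
# so an operator would maintain this list from current threat intelligence.
SUSPECT_EXTENSIONS = {".locked", ".crypt", ".encrypted"}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def prune_old_generations(backup_root: Path) -> list:
    """Remove the oldest generations beyond GENERATIONS_TO_KEEP. Labels must sort
    chronologically (zero-padded counters or ISO timestamps); returns names removed."""
    gens = sorted(p for p in backup_root.iterdir() if p.is_dir())
    removed = []
    for old in gens[:-GENERATIONS_TO_KEEP]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def create_backup(source: Path, backup_root: Path, label: str) -> Path:
    """Copy `source` into <backup_root>/<label>/data and write manifest.json beside it."""
    dest = backup_root / label
    data = dest / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_of(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    prune_old_generations(backup_root)
    return dest


def verify_backup(generation: Path) -> list:
    """Return a list of problems; an empty list means the generation verified clean."""
    problems = []
    data = generation / "data"
    manifest = json.loads((generation / "manifest.json").read_text())
    for rel, digest in manifest.items():          # everything recorded must still match
        f = data / rel
        if not f.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(f) != digest:
            problems.append(f"hash mismatch: {rel}")
    for p in data.rglob("*"):                     # nothing unrecorded may have appeared
        if not p.is_file():
            continue
        rel = str(p.relative_to(data))
        if p.suffix.lower() in SUSPECT_EXTENSIONS:
            problems.append(f"suspect extension: {rel}")
        elif rel not in manifest:
            problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> dict:
    """Take five generations of a constructed source tree, confirm retention and a
    clean verification, then alter the newest set the way an encryptor would
    (rewrite a file and append an extension) and show verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backups = root / "src", root / "backups"
        src.mkdir()
        backups.mkdir()
        (src / "ledger.xlsx").write_bytes(b"constructed sample content")
        (src / "notes.txt").write_text("constructed client notes")
        newest = None
        for i in range(5):
            newest = create_backup(src, backups, f"gen-{i:02d}")
        surviving = sorted(p.name for p in backups.iterdir())
        clean = verify_backup(newest)
        victim = newest / "data" / "ledger.xlsx"
        victim.write_bytes(b"ciphertext placeholder")
        victim.rename(victim.parent / "ledger.xlsx.locked")
        tampered = sorted(verify_backup(newest))
        return {"surviving": surviving, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The demo keeps `gen-02` through `gen-04`, verifies the newest set clean, and after the simulated tampering reports both the missing original and the suspect `.locked` file, which is the signal to fall back to an older generation rather than restore from the damaged one. A production version would store the manifest (or at least its hash) somewhere the backup host cannot overwrite, since a backup the malware can reach is exactly what SAMSAM was built to find.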

Other Helpful Action Items: The Center for Internet Security and the MS-ISAC offer the following additional guidance to help you secure your network and to prevent or limit the damage from a successful encryption attack:

  • Use antivirus and anti-spam solutions. Enable regular system and network scans with antivirus programs authorized to automatically update signatures. Implement an anti-spam solution to stop phishing emails from reaching the network. Consider adding a warning banner to all emails from external sources that reminds users of the dangers of clicking on links and opening attachments.
  • Disable macro scripts. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications. These macros are a frequent encryption attack vector.
  • Restrict internet access. Use a proxy server for internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.
  • Vet and monitor third parties that have remote access to the organization's network and/or your connections to third parties to ensure they are diligent with cybersecurity best practices.
  • Participate in cybersecurity information sharing. Programs and organizations, such as MS-ISAC and the FBI's InfraGard and Domestic Security Alliance Council can provide the latest guidance on best practices, advisories, and information on the latest ransomware and encryption attacks.
  • Establish relationships with federal law enforcement/national security organizations. The FBI maintains Cyber Task Forces in each of its 56 field offices nationwide. The United States Secret Service maintains a nationwide network of 46 Electronic Crimes Task Forces as well. These organizations publish additional bulletins and advisories based on trends culled from active cyber investigations. These materials, as well as access to periodic roundtables and working groups, can be obtained free of charge by contacting your local field office and requesting to be placed on cyber advisory distribution lists [13].

Conclusion

In today's digital environment, organizations should plan for the possibility, or even the eventuality, of a ransomware or encryption attack. While the likelihood of an attack is greater now than at any time in the past, employing a multi-layered cyber defense that carefully implements the 20 industry-standard critical cyber security controls [14] will greatly reduce the likelihood of a significant encryption attack. This data security posture will also prepare you to more quickly recover from an attack which encrypts all or part of your organization's network.

Footnotes

[1] The JBoss vulnerability, which proved to be the vector of intrusion in the recent SAMSAM attacks, was an open source version of software used to implement Java and other web-based applications. Many victims were unaware that this unpatched version of JBoss was even running within their environments.

[2] RDP, or Remote Desktop Protocol, is a proprietary Microsoft network communications protocol designed to facilitate remote access to virtual desktops, applications, and servers.

[3] The Server Message Block (SMB) Protocol is a network protocol whose main purpose is to enable file sharing. For more, see Microsoft SMB Protocol and CIFS Protocol Overview: https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx

[4] According to the SANS Institute, asymmetric cryptography is a modern type of "public key" cryptography in which the algorithms employ two different keys (a public key and a private key) and use a different component of the key pair for different steps of the algorithm.

[5] See: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/ .

[6] See: https://www.cisecurity.org/white-papers/technical-white-paper-timely-patching-reduces-system-compromises/

[7] See: https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/

[8] A watering hole attack is one in which the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.

[9] See Cyber Alert: Petya Ransomware, June 28, 2017: https://www.cisecurity.org/cyber-alert-petya-ransomware/

[10] See "Hackers Lay Claim to Saudi Aramco Attack": https://mobile.nytimes.com/blogs/bits/2012/08/23/hackers-lay-claim-to-saudi-aramco-cyberattack/

[11] See "U.S. Said to Find North Korea Ordered Cyber Attack on Sony": https://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html

[12] For example, to be able to effectively function following a significant encryption attack, the following items might be prepositioned in a strategically designated location to enable the firm's critical tasks to continue: laptops for key personnel with preloaded macros and software, copies of staff directories and other important contact information, updated customer lists, critical billing information, and other important reference materials.

[13] For more information about FBI programs like InfraGard and the Domestic Security Alliance Council, see: https://www.fbi.gov/about/partnerships/office-of-private-sector, or contact your local FBI field office directly. To locate one of the 46 US Secret Service's Electronic Crimes Task Forces, see: https://www.secretservice.gov/investigation/

[14] For more information on the 20 critical cyber security controls, see: https://learn.cisecurity.org/benchmarks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
