Ransomware

Still More Ransomware

4 min read

July 10, 2019 at 1:00 PM

By now, the ransomware attack against the city of Baltimore has been widely publicized. This attack has been credited to the group responsible for generating the RobbinHood Ransomware package. The attack was first discovered at the beginning of May, and until recently the city was still struggling with restoring affected services. Earlier this spring the city’s 911 service was also impacted by a ransomware attack.

What we know about RobbinHood

Initially it was thought that the RobbinHood ransomware utilized the EternalBlue vulnerability associated with the WannaCry attack (2017). However, after reviewing the code, malware researchers now agree that this is not the case. It’s likely that RobbinHood follows a more common attack scenario. Many attackers now initially drop malware such as Emotet with backdoors like Trickbot that gather information about the data and servers on the victim network, and they then target specific servers and systems that look most valuable. Emotet can also harvest credentials and install other malware onto compromised systems. There’s no simple "trick" for this. It is a multi-headed attack. The attacker needs to have gained access to the network and then be able to elevate privileges. Like most ransomware today, RobbinHood tries to disable security applications and backup systems. It tries to disconnect network drives and delete certain extensions in network drives and network shares that link to backups. RobbinHood also appears to be setup as a ransomware-as-a-service model. The configuration uses an embedded template and can be configured for specific targets with basic input entered into a control panel.

How can organizations battle these high-risk Ransomware attacks?

Similar to other aggressive, high-risk ransomware packages (e.g. GrandCrab), defending against RobbinHood requires a multi-layered approach to security. Incident Response and Disaster Recovery plans that are tested and mature are also now becoming critical tools in the organization’s cyber-defense toolbox. Business & Cyber Resilience is an emerging organizational initiative that attempts to tie Risk, Security, Response, Recovery, and Strategic Planning together to minimize the impact of unexpected events on an organization.

Here are five simple steps that can be added easily to a cyber-attack defense strategy:

Educate employees about cyber-threats and what they can do to recognize them and prevent malicious attacks. Many industry, state, and federal guidelines / regulations require a minimum of annual security awareness education. However, in this age where the threat landscape is ever-evolving, a security awareness program that includes regular reminders and updates throughout the year can keep the information fresh in the minds of employees.
Keep anti-virus & anti-malware software up-to-date. This is an important step but would not be effective against the first few attacks from recently-created malware or variants to the original. A better approach is to employ behavior-based analytics protection (e.g. CrowdStrike). The use of local host-based firewalls and IDS / IPS could be used to prevent lateral movement.
Implement the principles of least-privilege to keep sensitive and confidential data separate from unauthorized users or attackers to mitigate accidental disclosures. Here are two recommendations that would not be costly or overly difficult to implement today:
1. Only system / network administrators should have administrative rights. Do not use the built-in operating system’s administrator account. System and network administrators should have a basic user account and a separate administrator account. Other system users should not have administrative rights. This will minimize their ability to install unwanted, potentially malicious applications.
2. Use network segmentation, access control lists, and firewalls to safeguard data and prevent unauthorized access. This may require a small investment depending on the current network switch environment, but many low-cost solutions are available today to fit any size of operation.
Patch all devices on a regular basis and maintain a well-defined patch management and vulnerability management program. Even computers that cannot access the internet need to be patched on a regular basis. Phishing has become the number one means for attackers to gain access to internal systems and insider-threats still account for more than 60% of reported data breaches in 2018.
Backup data and keep it stored in an offline location. Specific to ransomware attacks, backing up critical data can significantly reduce the impact of an incident. Armed with a timely backup and a method of restoring the operating system, a ransomware attack would be reduced to a productivity issue related to how long it takes to get systems back into production.

Finally, on the subject of major ransomware attacks and scary exploits, it’s a good time to remind readers about the importance of applying the latest security updates from Microsoft. In response to the WannaCry attack, Microsoft took the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003. Microsoft did this to head off another WannaCry-like outbreak from mass-exploitation of a newly discovered flaw that Redmond called imminently “wormable”.

That vulnerability exists in Windows XP, Windows 2003, Windows 7, Windows Server 2008 R2, and Windows Server 2008. Microsoft published a reminder to update your systems post on May 30th of 2019, saying that while it hasn’t seen any widespread exploitation of the flaw yet, it took about two months after Microsoft released a fix for the EternalBlue exploit in March of 2017 for WannaCry to surface. Contact us to learn more about ransomware, the damage it can cause to your systems, and the steps you can take to mitigate this risk!

Some recent Ransomware Attacks: