
Ransomware incidents demystified

BSides Athens · 2021 · 18:07 · 131 views · Published 2021-07
About this talk
Drawing on real-world incident response experience, this talk covers the evolution of ransomware tactics, threat-actor target selection, exploitation methods, and victim response strategies. It examines common attack vectors—phishing, credential misuse, misconfigurations—and demonstrates how poor preparation, untrained personnel, and reactive incident handling amplify damage; the speaker illustrates recovery approaches including reverse engineering for decryption.
Abstract: Ransomware attacks today dominate the news and pose a big moneymaker for a few, a revenue leak for others and a brand-damaging factor for most. During this presentation, insights from real-life ransomware incidents will be shared, spanning several attacks from various industries and separate breach types. Moreover, it will cover threat actors' target selection, exploitation tactics, victim response, negotiation attempts, etc.

Bio: Thanassis works as an Incident Response Consultant, X-Force IRIS EU, for IBM Greece. Thanassis has over 15 years of experience in IT security, focusing on OS and network defensive security, and has authored various papers on security incidents. He researches cybercrime and malicious activities by utilizing a variety of low- and high-interaction honeypots, while analyzing interesting malware samples to keep up his reversing skills. Thanassis graduated as an Electrical Engineer and holds an MSc in Information Security. He holds multiple IT and information security certifications and is an official CISSP trainer for EMEA.

Transcript (en)

Good morning everyone and welcome to this year's virtual BSides Athens. I am Thanassis Diogos, I come from IBM X-Force IR, and together we're going to discuss, I'm going to present to you, ransomware incidents and some experience that we have seen from ransomware incidents.

So, first of all, let's start with some statistics from the very recently published IBM Security X-Force Threat Index 2021, where you can see that we keep track of statistics from the incidents that we have been working. And you can see on this slide that ransomware has actually increased by 3% year over year. And of course, what is also obvious from this slide is that ransomware is dominating the malicious operations, because you can see that it goes beyond every other type of malicious and security incident that we've been facing. Furthermore, what was recorded in this report, in this research, is that Europe is now the continent with the most attacks recorded, and you can see that this year it has surpassed North America, and this makes our continent, our region, one of the most attacked regions globally.

Let's talk about ransomware, right? How ransomware has evolved and how ransomware has moved forward. Some time ago, some years ago, let's say, they started at a single computer or consumer level, and a lot of times they came hidden, as something like fake antivirus. From the assembly you can see on the right of the screen, it started in 2013 and, again, as I said, it appeared as a single computer attack threat and it was not capable of replicating over the network or doing anything other than attacking the computer it was being executed on. Now, moving on, it has adopted the RSA standards, the standards of encryption that everybody is using, and that's why it's almost impossible to decrypt the files or do anything with the encrypted files. And of course it has evolved into sophisticated malicious operations, where you can see that part of the malicious operation is that a significant amount of data is taken; like in this ransom note that we see from DarkSide, the threat group, they are uploading more than 100 gigabytes of data, and you have to be sure that they will choose the files wisely: they will choose files that contain accounting information, personal information, client information; they will choose portions of data that they know they can use to their advantage, that they know they can use in order to add more pressure on us, and they know that this will damage, one way or another, the reputation of the company. As you may see from the ransom note, they will put the files on a public website, a shame or leak site as they call them. And this is on the right side of the screen, this is one from Maze ransomware, where they actually put all the files, they put the name of the company, they can put all the information they have leaked over there for public use, of course in case the victim chooses not to pay, not to comply or not to cooperate with the ransomware operators. Now they have taken this a bit further, they have done more steps, and these days we see that some victims, no, maybe let's say some clients of the victim organizations, have been notified that, you know, your organization, your service provider, has been attacked, which is the victim organization, and they are letting them know that their data has leaked, has been exposed, and of course they're doing that in a way to add more pressure on the victim organization.

But very recently they also started requesting money from the clients of the victim organization, in order for them to pay to make sure that their data will not be published, will not be publicly exposed. And of course you have to have in mind that they choose their targets very wisely and they know, let's say, what exactly they can make out of the targets that they choose. They use all the public information that is available, like in this case, which is from a very well-known website called ZoomInfo, where this website lists the organization, the description of the organization, where exactly it is located, and other kinds of information, but what is very critical and very useful for the attack operators is the number of employees and the revenue, of course, as well. The revenue plays a key role in the attack part, because they know, according to the revenue that the organization actually gains, this is the amount of money that they could be fined by the GDPR, or this is the amount of money that maybe they would be more willing to pay in order for all of their data to be published.

Now, how exactly do those incidents start these days? Especially these days with the pandemic, you know, a lot of people are working from home and they're still using, they're more likely to be using, their corporate devices, but since they're working from home, they might be visiting other personal websites, like websites with a personal mailbox. So one of the samples that you see on the right side is an Excel spreadsheet which was named something like "combatiation reject". It was sent to the personal mailbox of a corporate person; then, maybe because of the lucrative file name, the person actually opened the spreadsheet and the instructions were followed by enabling editing and enabling content, and of course, as you realize, at that point all macros were executed, the macro security, let's say, defensive controls were disabled, and the spreadsheet allowed the attackers to gain access to the corporate device that was, as I said, of course, located, placed in the home of the person, right? Of course, you realize that at that point, with just, let's say, a very small number of Windows commands, they can realize that this is a device that is domain joined, they can also realize who owns the device, which is the company that owns the device, and they can start looking, and they will start looking almost immediately, for any kind of remote access, VPN credentials, and anything that would allow them to jump over to the company that the person is actually working for.

And that brings us to the next topic of how those incidents start. These days remote access, again due to COVID, has become very necessary for businesses to operate, but unfortunately we still see lots of organizations still using insecure remote access, and when we're saying insecure remote access, yes, we're talking about, let's say, loose password policies and the absence or the non-deployment of multi-factor authentication, right? These will allow password spray attacks to be utilized, password brute force attacks, or even, when a corporate device is being compromised, the credentials that were stored and were discovered by the attackers to be used without any further restriction.

Another very interesting attack that we saw is one that was done with a default credential. So the organization decided to install and publish an Active Directory web management service. And what happened, we're not aware why this happened, is that they left the default credentials, the default admin credentials, unchanged. As you realize, this is very easy to find, this is very easy to discover for someone, even by just looking at the vendor documentation. And what happened because of that is that, since it was publicly exposed to the internet and no VPN was configured or something like that, the malicious actors, when they realized that the application was published, they just tried the default credentials, and they got access. One of the features, let's say, that this application allows is that it allows you to create a user, and of course it also gives you the capability, at the end of the user creation, to execute a script. So what happened in this case? They created a user which nobody cared about. The user creation was just the means to execute the script, and in the script they put a malicious parcel that was downloading the malware from another public website, and this was being executed. Now, this is where it becomes even more dangerous: this was being executed on a domain controller, and it was being executed by a domain admin, because this application was configured to interact with domain controllers and interact with domain admin credentials.

Other types of misconfigurations that we keep seeing: one of these, on the right side, is very popular, let's say. A long time ago Microsoft came up with a group policy object that would allow you to create a scheduled task, you know, for your Windows clients, and define as well the username and password for the scheduled task to be executed with. One of the things that happened is that the username and the password and the complete scheduled task were stored in an XML file, and the password was encrypted with an encryption key that Microsoft accidentally revealed some time after the group policy was introduced, and you realize that anybody that had access to those files, the files that contain the encrypted password, because the encryption key became public, could actually get the username and password in clear text. And this is something that we keep seeing, and one of the bad things with this one is that Microsoft actually published a patch for this one a long time ago, in 2014, but the issue with this patch, and many other patches, is that it actually fixes the vulnerability, so it stops, let's say, saving passwords in such a way, but it will not take care, it will not remove from your domain controllers, the existing files that contain this sensitive information. So this is an activity that you have to do on your own, and the issue with this one is that a lot of people didn't realize that the patching is just half of the job, right?

The thing that we see very often is what I call IT paralysis, and this has to do with the troubleshooting mentality of the information technology personnel. For them, most of the time, they need to fix problems. They have issues and they need to fix them, but you have to have in mind that security incidents deal with confidentiality, integrity and availability, so it's not about fixing some problem. Also, because many organizations are not training their people enough, you realize that there's a lot of panic during security incidents, and this panic comes because they feel that personally they're being attacked, or maybe they already know that their credentials, their personal credentials, were stolen, and this ends up in the situation that they're not able to execute regular tasks, right? So, you know what happens if you don't train people? What I used to say is that you actually end up trusting the instincts of the people, right? Because this is what happens: if people don't go through some proper training, then they react based on their instincts. And you know what? If you react based on your instincts, this means that you cannot actually predict the reaction. You cannot actually work in a predictable manner.

One very good example is what we have here: an organization was encrypted with the Aphrodite ransomware, and we could see in the browser history, after the Aphrodite ransomware was deployed, that the administrator was looking on the internet for solutions, as I already said, to fix the problem that had happened due to Aphrodite. But again, you have to remember, this was not a problem, right? This was a security incident. So what happened there is that, on the first line here, or in the picture here, you see files encrypted by the Aphrodite ransomware. On the first line you see the Aphrodite ransomware, which is this "Ridley Recovery.txt" file which was created by Aphrodite, but you see something weird, right? It has an extension of Harma, and Harma is another ransomware. So in this case what actually happened is that, because the administrator was looking for solutions to the problem, several tools were downloaded, and one of the tools was actually Harma itself, which was, let's say, put on a public website as a solution for other ransomware. So when this Harma ransomware was executed on the same systems that were already encrypted by Aphrodite, the systems ended up being encrypted by Aphrodite initially and then by Harma ransomware. So you can realize how many more problems this caused to the organization, how much more any kind of decryption or restoration was eliminated for the organization, and how badly, let's say, all the evidence was destroyed by executing twice a different ransomware.

So, life is full of choices, and this of course is applicable to ransomware as well. So the choices here are that you may pay, which of course, we are always against that, but what I'm trying to say is that you either decrypt, like with this ransomware that we faced last year, or you restore your files. But as you may see on the right side of the screen, in this specific ransomware there was a button, let's say, that you could click in order to check if the conditions were met for the ransomware itself to start recreating the files. So when we saw that, this instantly gave us the idea that maybe the decryption code is within the ransomware itself. This was true, and what we managed to do, we managed to actually reverse engineer the ransomware and keep only the decryption routines and functions from the ransomware itself, and these were used later on in order to decrypt the files for that victim organization. But I have to tell you for sure that in either case, whether you pay, decrypt or restore, you have to be prepared in all cases for the same problems: long delays in your services, long downtimes as well in your services, and for sure a long-term risk that will remain in your organization because of the existence of malicious actors.

So, what you have to do, and what we highly recommend you to do, is to either be ready or get ready. How do you get to that readiness level? You need to adapt and enhance the detection and logging capabilities. And how are you going to do that? You will do that by establishing visibility into what's happening on your endpoints. In order to do that, you need to maybe have an EDR solution, like Endpoint Detection and Response solutions, and you need to work on your logging solutions in order to make sure that you actually record the information that is required to provide answers, right? You know, when an incident happens and when you start doing the investigation, you would rely a lot on the available logs, right? And if the available logs did not record the important information, or the information required in order to understand what happened, you will not be in a position to actually understand and respond to what happened, but also you will not be in a position to know how to secure the rest of the environment, right? Because you will not know what exactly happened. OK, in order for this of course to work, you need to have an incident response plan in place.

An incident response plan in place that your people will actually test and be trained on. And of course, don't be confused on this one. When I say people, we mean the complete personnel of an organization, including the higher management of the organization, because those are the people that will be responsible for guiding the rest of the company during such a crisis. Right, and you have to remember that during such major crises things, as we said already, will not be operating in the expected way. And finally, you need to start utilizing threat intelligence in your logging solutions, in your detection solutions, in order to be in a position to detect as early as you can that some malicious actor has gained access to some portion of your network or some endpoints of your network, before things really go wrong. Thank you very much and enjoy the rest of the day.
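The Group Policy Preferences misconfiguration the speaker describes (the scheduled-task or local-user password stored as a "cpassword" attribute in an XML file under SYSVOL, encrypted with the AES key Microsoft later published, and left behind even after the 2014 patch) is easy to audit for yourself. The script below is an added example and not code from the talk or from IBM X-Force: it decrypts cpassword values with the published key, walks SYSVOL for the preference files that can carry one, and runs an offline self-check against a constructed Groups.xml fragment. Assumptions: it is run on a domain-joined Windows host where $env:USERDNSDOMAIN resolves and the account can read the SYSVOL share; the function names and the "constructed Groups.xml" sample are this example's own, and the sample cpassword value is the one published with the gpp-decrypt tool's documentation, which decrypts to Local*P4ssword!.

```powershell
# Added example (not from the talk): find and decrypt leftover GPP cpassword entries.
# Assumes: domain-joined host, read access to \\<domain>\SYSVOL, Windows PowerShell 5.1 or pwsh.

function ConvertFrom-GppCpassword {
    # Decrypts one cpassword value. The key is the static AES-256 key Microsoft
    # documented publicly (the one the speaker refers to); the IV is all zeros.
    param([Parameter(Mandatory)][string]$Cpassword)

    $key = [byte[]]@(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                     0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

    # GPP strips the Base64 '=' padding; restore it before decoding.
    $padded = $Cpassword + ('=' * ((4 - ($Cpassword.Length % 4)) % 4))
    $cipher = [Convert]::FromBase64String($padded)

    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16
        $decryptor   = $aes.CreateDecryptor()
        $plain = $decryptor.TransformFinalBlock($cipher, 0, $cipher.Length)
        # The stored plaintext is UTF-16LE.
        return [System.Text.Encoding]::Unicode.GetString($plain)
    } finally {
        $aes.Dispose()
    }
}

function Get-GppCpasswordFromXml {
    # Parses one preference XML document and returns every element carrying a cpassword.
    param([Parameter(Mandatory)][string]$XmlText, [string]$Source = '<inline>')

    [xml]$doc = $XmlText
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        # The account attribute differs per preference type:
        # Groups/Drives/Printers use userName, DataSources uses username,
        # ScheduledTasks uses runAs, Services uses accountName.
        $user = $null
        foreach ($attr in 'userName','username','runAs','accountName') {
            if ($node.GetAttribute($attr)) { $user = $node.GetAttribute($attr); break }
        }
        [pscustomobject]@{
            File     = $Source
            UserName = $user
            Password = ConvertFrom-GppCpassword -Cpassword $node.GetAttribute('cpassword')
        }
    }
}

function Find-GppCpassword {
    # Walks SYSVOL for the preference files that can carry a cpassword attribute.
    param([string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL")

    $names = 'Groups.xml','ScheduledTasks.xml','Services.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $SysvolPath -Recurse -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-GppCpasswordFromXml -XmlText (Get-Content -LiteralPath $_.FullName -Raw) -Source $_.FullName
        }
}

# Offline self-check on a constructed Groups.xml fragment (no SYSVOL access needed).
# The cpassword value is the sample published with the gpp-decrypt tool's documentation.
$sampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@

Get-GppCpasswordFromXml -XmlText $sampleGroupsXml -Source 'constructed Groups.xml' | Format-Table -AutoSize
# Expected: UserName "Administrator (built-in)", Password "Local*P4ssword!"

# Live audit against the domain's SYSVOL (uncomment on a domain-joined host):
# Find-GppCpassword | Format-Table -AutoSize
```

Every hit is a credential that should be treated as already compromised: delete the preference item (or the whole XML file) from the GPO and rotate the account, because, as the speaker notes, the 2014 patch only stops new cpassword entries from being written and leaves existing files in SYSVOL readable by every domain user.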