
Anatomy of a ransomware attack: Lessons learned

Ransomware began as small-time larceny, but it has expanded to threaten businesses of all sizes. A recent study by Osterman Research for Malwarebytes found that 40 percent of companies in the United Kingdom, United States, Canada and Germany have suffered a ransomware attack in the last year.

Of those attacked, a third lost revenue and 20 percent had to suspend business entirely after discovering the attack, noted the study, which surveyed 540 CIOs, CISOs and IT directors from companies with an average of 5,500 employees. It found that most ransom demands remain small potatoes for most companies—more than 80 percent faced demands from $1,000 to $10,000—but one percent of the extortionists asked for $150,000 or more. It also found that 40 percent of the companies in its survey paid ransoms after they were victimized.

So how do you defend against ransomware? One Fortune 100 company didn't pay ransom when it was recently attacked. In fact, it ignored the attackers entirely. How did it do that? An executive at the company agreed to answer that question as long as his name and his company's identity remain anonymous for security reasons.


The attack

One of the most common ways ransomware infects a system is through an ill-advised click. An employee receives a legitimate-looking email and is instructed to click on a link in it to receive some additional information, or other benefit. According to the Osterman study, email is the top vector for spreading ransomware.

Osterman found that more than half the attacks in the United States (59 percent) and Germany (61 percent) originated through email, either through malicious attachments or links. That's less so in Canada (30 percent) and the United Kingdom (39 percent).

That wasn't the case, however, with the Fortune 100 company, which suggests some ransomware outfits may be changing their attack strategy. The Fortune 100 executive explained:

"They're not using phishing to get in. They're taking advantage of known vulnerabilities that exist in certain platforms."

In the case of this Fortune 100 company, the entry point was a vulnerability in JBoss, an open source Java application server. "JBoss servers are web servers so they're exposed to the Internet and if you're not fully patched, there are well-known vulnerabilities that can be exploited," the executive said. Although the company had fully patched most of the 300 JBoss servers in the targeted segment of its network, at least one hadn't been, and the attackers exploited a known vulnerability on that server and set up shop.

Once nested on the server, the intruders were able to compromise an administrative account. Attackers go after such accounts because the elevated privileges let them survey the network and compromise further systems. It's also why attacks are often aimed at upper management and C-level executives: Osterman found that nearly 80 percent of attacks impacted mid-level managers or higher, and a quarter of them focused on senior executives and the C-suite.

Once the administrative account was cracked at the company, the intruders downloaded some well-known hacking utilities that allowed them to survey the network and jump to other devices and plant ransomware everywhere throughout the network. "Eventually they set it all off in one day and took our systems down and encrypted the data on a lot of these servers," the executive said.

The response

After discovering the attack, all employees were advised not to touch any of the infected machines and not to respond to anything. A sample of the malware was quickly isolated, and after consulting with its antivirus provider the company learned that the sample matched none of the provider's signatures. It was zero-day malware, something the provider had never seen before.

Antivirus software is ill-equipped to deal with ransomware, maintained Nathan Scott, a senior security researcher at Malwarebytes. For one thing, ransomware is too polymorphic, which means it can create new variants of itself faster than it can be identified by the antivirus software. In the Fortune 100 case, the ransomware on the system was a variant of a common ransomware program.

"Ransomware writers have everything figured out to a T." —Nathan Scott, Malwarebytes

The infection took the company offline for about 24 hours, but it managed to get up and running without any interaction with the attackers. "We ignored them," the executive said. "We wiped all our systems and rebuilt them from scratch. That was hundreds and hundreds of servers and systems."

In many ransomware cases, attackers succeed because they encrypt an organization's data and the organization has no way to get it back. Some organizations have backups and can restore their data from them, but even backups are no guarantee of protection. Scott of Malwarebytes says:

"They even destroy backups now. It's not even enough to have a backup anymore."

"We've even witnessed ransomware that has gained access to a network or computer through a backup," Scott added. The ransomware encrypts the data on a Network Attached Storage device or cloud backup and then proceeds to the computers connected to it.
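A backup that has already been overwritten with ciphertext restores nothing, and that is usually discovered only when the restore is attempted. The check below is an added example, not code from the company in the article or from Malwarebytes: it walks a backup set and flags files whose content no longer matches what their name promises. The entropy threshold, the handful of file types, and the sample backup it builds are all constructed assumptions for illustration.

```python
import math
import os
import tempfile
from pathlib import Path

# Heuristic check that a backup set still holds readable data rather than
# ciphertext. Constructed example; the threshold and the file types are
# assumptions, not values from the incident described in the article.

ENTROPY_THRESHOLD = 7.5  # bits per byte; text and config rarely exceed ~6
# Formats that are high-entropy by design: for these the header is the test.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".gz": b"\x1f\x8b",
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 8.0 is uniformly random, which is what ciphertext looks like."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True when the file's bytes are inconsistent with its name.

    Compressed and image formats legitimately look random, so for those we
    check the format header instead of entropy; a missing header means the
    bytes were replaced. Everything else is treated as text-like and flagged
    when its entropy approaches the random-data ceiling.
    """
    with path.open("rb") as f:
        head = f.read(sample_size)
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None:
        return not head.startswith(magic)
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def audit_backup(root: Path) -> list:
    """Return relative paths of backup files that appear to have been encrypted."""
    flagged = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and looks_encrypted(p):
            flagged.append(str(p.relative_to(root)))
    return flagged


def build_sample_backup(root: Path) -> None:
    """Write a constructed backup set: intact files plus two 'encrypted' ones."""
    (root / "etc").mkdir(parents=True, exist_ok=True)
    (root / "etc" / "app.conf").write_text("db.host=10.0.0.5\nthreads=8\n" * 40)
    (root / "notes.txt").write_text("quarterly figures attached, see sheet 2\n" * 50)
    (root / "logo.png").write_bytes(MAGIC[".png"] + os.urandom(2000))  # intact image
    # Ransomware output: original bytes replaced by ciphertext, names unchanged.
    (root / "customers.csv").write_bytes(os.urandom(3000))
    (root / "archive.zip").write_bytes(os.urandom(3000))  # header gone as well


def demo() -> list:
    """Build the sample set in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_backup(Path(d))
        return audit_backup(Path(d))


if __name__ == "__main__":
    for name in demo():
        print("possible ciphertext:", name)
```

Run it against a mounted backup share on a schedule, before the restore is ever needed. Entropy alone is a weak signal because archives and images are random-looking by design; that is why the example falls back to header checks for those types, and why a file with an unknown extension and high entropy should be treated as a lead to investigate rather than proof of encryption.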

The Fortune 100 company, though, did not have to resort to backups, because its architecture isolated its data from its Internet-facing machines. "They only got to our servers and there was no customer data or databases on those systems—those were stored on remote storage, which they weren't able to get to." The executive says:

"So we didn't care about wiping everything out because we knew we could rebuild it."

Lessons learned

The executive noted his company learned a number of lessons from its experience with ransomware. For example, make sure the software on all your servers is up to date with the latest security patches. "There are tools that can help you do that," he said. "They can automatically roll out patches as well as identify known vulnerabilities."

It's also wise to have as little infrastructure as possible exposed to the Internet. "In one of our environments, for instance, we have tens of thousands of machines but we only have 25 that are exposed to the Internet," the executive explained. "It's a lot easier to make sure those 25 are patched than worrying about 10,000."
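The two lessons above combine into one routine audit: know which hosts are reachable from the Internet, and verify that every one of them meets your patch baseline, because a single stragglers among hundreds was enough here. The script below is an added example, not a tool the company described; the inventory, the product names, the version numbers and the baseline versions are constructed assumptions, and the only technique it shows is numeric version comparison against an operator-maintained baseline, reported exposed-first.

```python
from dataclasses import dataclass

# Constructed inventory audit. Hostnames, products, versions and the patch
# baseline are illustrative assumptions, not data from the article.


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    internet_exposed: bool


# Minimum version the operator considers fully patched, per product (assumption).
PATCH_BASELINE = {"jboss-eap": "7.0.9", "nginx": "1.14.2"}


def parse_version(v: str) -> tuple:
    """'7.0.9' -> (7, 0, 9). Comparing tuples of ints avoids the classic
    string-comparison bug where '1.9' sorts after '1.14'. Non-numeric
    tokens count as 0 so the comparison stays total."""
    parts = []
    for tok in v.split("."):
        digits = "".join(ch for ch in tok if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_behind_baseline(host: Host) -> bool:
    """A host with no baseline for its product is treated as unverified, not as safe."""
    baseline = PATCH_BASELINE.get(host.product)
    if baseline is None:
        return True
    return parse_version(host.version) < parse_version(baseline)


def audit(inventory) -> dict:
    """Group hosts behind the baseline by exposure, so Internet-facing gaps come first."""
    report = {"exposed_unpatched": [], "internal_unpatched": [], "exposed_total": 0}
    for h in inventory:
        if h.internet_exposed:
            report["exposed_total"] += 1
        if is_behind_baseline(h):
            key = "exposed_unpatched" if h.internet_exposed else "internal_unpatched"
            report[key].append(h.name)
    return report


# Constructed sample: mostly patched, one exposed straggler, one internal laggard.
INVENTORY = [
    Host("app-01", "jboss-eap", "7.0.9", True),
    Host("app-02", "jboss-eap", "7.0.9", True),
    Host("app-17", "jboss-eap", "7.0.3", True),    # the one nobody patched
    Host("batch-04", "jboss-eap", "6.4.0", False),
    Host("edge-01", "nginx", "1.14.2", True),
]

if __name__ == "__main__":
    result = audit(INVENTORY)
    print(f"{result['exposed_total']} Internet-exposed hosts")
    print("exposed and behind baseline:", result["exposed_unpatched"])
    print("internal and behind baseline:", result["internal_unpatched"])
```

The exposure flag is the part that has to come from somewhere authoritative, such as firewall rules or a load balancer configuration, rather than from the host's own idea of itself; an inventory that says 25 hosts are exposed when an external scan finds 26 is exactly the gap an attacker will use.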

Separating data from Internet-facing systems is also a good practice. "You want to architect your system so you can put another layer of security that's hard to break through—maybe a different level of authentication—between the servers that run things and your data," the executive said.

"That helps a lot because you don't have to worry about restoring from backups or sync problems or having valuable data encrypted that you'll have to pay to get back."

The company also learned that automation is important not only for building systems but for recovering them in the event of a ransomware attack. "You need to know how to rebuild things fast," the executive said. "The best way to do that is to build your systems with automation and then keep those scripts and configurations around so if you have to rebuild it, you can rerun them."

Although this Fortune 100 executive was confident about his organization's ability to deal with ransomware, his feelings don't appear to be shared by many of his peers. According to the Osterman study, 96 percent of U.S. organizations aren't very confident in their ability to stop ransomware.
