Preface: Ransomware common deploying malicious actions is the automatically propagation. Their target will be included ADMIN$, C$, SYSVOL, and NETLOGON default setup.
Common infection technique: Believe it or not, quite a lot of ransomware developers will use simple technique. Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and executed it with PsExec tool). Please refer to the official website for details – https://us-cert.cisa.gov/ncas/alerts/aa21-291a
Strengthen your prevention, detection and corrective control: If PsExec is utilized in an environment, disabling the admin (ADMIN$) share can restrict the capability for this tool to be utilized to remotely interface with endpoints. In addition, you should perform system hardening. For example. Modify the registry value to disable administrative sharing on workstations and servers.
Perhaps BlackMatter ransomware not use this technique. But this is a baseline protection. According to the suggestion by US-cert. Define new rules in your IDS is the effective way to mitigate the risk. Please refer to attached diagram for details.
Since it is hard to avoid design limitation. For example: Disabling PowerShell Remoting does not prevent local users from creating PowerShell sessions on the local computer or for sessions destined for remote computers. As a result, it provides a way for attackers.
Long time ago, SIEM vendor (Splunk) recommend using sysmon to detect ransomware attack. I agree that this is the effective solution. The concept is shown as below:
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Preface: IDC report predicted that By 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to sitewide operational awareness.
Background: PowerShell provides an adversary with a convenient interface for enumerating and manipulating a host system after the adversary has gained initial code execution.
Security Focus: According to the observation of the security company. You can use PowerShell to execute various Base64 encoding commands. The trend of operation technology will be programmed and developed on powershell. Cybercriminals responsible for ransomware activities often try to delete them so that their victims cannot restore file access by restoring to shadow copies. The method is to use this (Invoke-ReflectivePEInjection to directly inject DLL into PowerShell). Meanwhile, they require system administrator privileges, so they rely on zero-day and unpatched victim workstations for privilege escalation.
Remark: What’s more telling is the inclusion of function names that correspond with a PowerShell payload called “Invoke-ReflectivePEInjection”, which lets an attacker inject a dynamic link library (DLL) directly into PowerShell.
Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, said headline News. President Biden announces investigation into international ransomware attack on 3rd Jul, 2021.
Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.
Malware tricks you into installing software, allowing scammers to access your files and track your actions.
Ransomware is a form of malware goal to locks the user out of their files or their device.
However, whether it is malware or ransomware, they all rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website. Therefore, ransomware infections will be reduced.
How DNS Sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.
Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.
Question: If the solution is mature and well-defined. But why the service provider does not implement it. Is it a cost factor?
Preface: The Thirty-six stratagems is a Chinese essay use to illustrate a series of stratagems used in war. It also applies to cyber warfare.
Background: Kernel-based Virtual Machine (KVM) is an open source virtualization technology built into Linux®. Specifically, KVM lets you turn Linux into a hypervisor that allows a host machine to run multiple, isolated virtual environments called guests or virtual machines (VMs). KVM is part of Linux. VMware relied on Linux during its early history. The early version of its hypervisor, called ESX, included a Linux kernel (the central part of an OS that manages the computer hardware). When VMware released ESXi, it replaced the Linux kernel with its own.
Security Focus: Security researcher MalwareHunterTeam found a Linux version of the REvil ransomware (aka Sodinokibi) that also appears to target ESXi servers.
Ransomware, menacing! Experts observe that ransomware is not limited to Windows operating system attacks. The evidence proves that they can run on Linux. Other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty have also created Linux encryptors to target ESXi virtual machines.
HelloKitty targeted a UK Healthcare organisation
DarkSide target multiple large, high-revenue organizations resulting in the encryption and theft of sensitive data and threats to make it publicly available if the ransom demand is not paid.
GoGoogle is a malicious program designed to encrypt data and demand ransom payments for decryption. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals’ email address and the “.google” extension.
Mespinoza TheMespinozaransomware was first used in October 2018 at least. The first versions produced encrypted filescarrying the «.locked» extension, common to many ransomwares. Since December 2019, a new version ofMespinozais documented in open sources. This version is often calledPysabecause it produces encrypted fileswith the «.pysa» extension.
Preface: Ransomware infection not merely boots by vulnerability of the windows OS and or products components. Web site programming technique is the accomplice. Perhaps we can say, how successful of ransomware attacks will depends on the total number of compromised web server. What I call the trigger point.
Background: Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Ransomware is a type of malware attack. The encryption process will performs a key exchange with the Command and Control Server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data. For cyber criminals view point, it is not possible to rent a web hosting service. Therefore, the possible way is find the online web portal which contained vulnerability. If they can compromised the online web. They can setup the phishing attack and evade traditional domain black list filter. So they can do their job silently.
Traditional corrective control not address the problem in effective way: A corrective control is an aftermath of detective and preventive. You can only restore from a backup after an incident. According to historical of attack, ransomware will be exploit operation system and or component vulnerability to conducting the infection. So traditional full backup may not use here because victim will be concerning what is exact time they receiving the attack. As a matter of fact, the correct way to proceed the restore procedure is wait for the digital forensic investigation result. Till today such attack still bother the whole world.
Maybe when something happens, the term phishing is on your side. See if you can learn more with the attached diagram.
Preface: When the TCP/IP network protocol replaces the classic MODBUS protocol on a large scale. At the same time, there is a large demand for the deployment of Windows operating system servers and workstations. From the perspective of cyber security, information technology and operational technology are the same.
Synopsis: On May (9th May 2021), 2017, the WannaCry ransomware attack show to the world of their power. They can easily halted the entire DHS medical service in England. Recently, Ransomware attack shuts down biggest U.S. gasoline pipeline.
Contingency plan focus: In fact, according to official recommendations, payment of ransom is not recommended. This is because even if you pay, there is no guarantee that your system and data will be 100% fully restored. Therefore, an effective backup solution combined with business contingency plans is the correct way to solve this problem. However, the service interruption caused by ransomware is different from the traditional disaster recovery concept. The traditional DR concept assuming hardware or software failure. But it can resume operation through hot standby or cold standby facilities.
A gap was found here: In fact, the contingency plan for ransomware attacks is slightly different from the traditional disaster recovery plan. Because traditional DR will replicate two equivalent functional sites for DR. However, if the DR site contains design weaknesses similar to the production site. Maybe your DR environmental risk level will increase! Because it is a ransomware attack.
Preface: A Russian-speaking outfit called DarkSide offered would-be computer crooks not just the tools, but also customer support, New York Times said.
My observation: My observation: Perhaps cyber criminals learn from practice. They know the system infrastructure weakness of industrial especially oil, powers supply facilities even logistic industry.
Remark: ransomware criminal will select dynamic cloud computing as a base. If victim web server is using IaaS service, it is most likely is their target.
Preface: The first ever ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp (now known as the ‘father of ransomware’). It was called the AIDS Trojan, also known as the PC Cyborg.
Synopsis: Perhaps mankind cannot imagine that in our modern world. We still impact by viral infection. The situation looks like we are replaying the seen in 1346 – 1353 (plague). But the digital world is the same. In past few weeks we heard ransomware wreak havoc. As far as we know, ransomware not only appears today. Since 2013, CryptoLocker attack found. But what is the standpoint by public began to focusing “WannaCry” ransomware in 2017. Unlike crypto-ransomware (WannaCry), Locker ransomware does not encrypt files. Instead goes one step further, and it locks the victim out of their device.
What is the countermeasure after the ransomware attack? – Changed passwords for all end-users and privileged users. – Changed access keys for all service accounts. – Enhanced malware/ransomware protection on endpoints and servers. – Enhanced monitoring and logging to identify malicious activities.
The objective of this topic is only for information base. Perhaps when you read below article posted in 2017. You will have resonance.
News feed: AXA Group announced on Sunday (16-05-2021) that the company has become a victim of a ransomware attack. Axa Hong Kong said there has been no evidence that data processed by Inter Partners Asia in markets other than Thailand have been affected by the targeted ransomware attack. No official announcement till today to update this incident.
Technology exploration: Avaddon ransomware performs an encryption in offline mode using AES-256 + RSA-2048 to encrypt files. With AES128-bit key, the task of cracking AES by checking each of the 2128 possible key values (a “brute force” attack) is so computationally intensive that even the fastest supercomputer would require, on average, more than 100 trillion years to do it. Microsoft .NET Cryptography library is capable to encrypt and decrypt file on his own. The Windows 10 operating system incorporates the . NET Framework 4 installed and enabled by default. Therefore cybercriminal can share this service. For more details, please refer to attached document.
What is the consequence if AXA underestimate this matter? Or it is just a bluff!
A similar type of attack (files encrypted with RSA-2048 and AES-128 passwords) will allow cyber-criminals to gain access through remote control systems. After the machine is infected with the ransomware. The data exfiltration will be occurred. In fact, the hacker group claimed to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contract and reports, customer IDs and bank account scanned papers, hospital and doctor reserved material (private investigation for fraud) and customer medical reports including HIV, hepatitis, STD and other illness reports.
Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IOT) was used but it was for consumer product applications not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructures
The goal provides a directive to computer users to reduce the possibility on ransomware attack. Apart of best Practices, whether there is other way to enhance your current system infrastructure to avoid computer user negligent.
Solution 1: Technology so called clean DNS works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.
Solution 2: Be aware that unofficial observation concluded that if you had infected trickbot, you would receive ransomware attack soon. Please refer to the attached diagram for the solution.