Details of a ransomware attack and a way to thwart the ransom. Don’t plan to pay. Plan to recover.

Here are the basic steps included in a ransomware attack and how vulnerable people and ports are used to accommodate the attacker.  Conditions must be met.

  1. The attacker relies on stolen credentials.  The credentials are harvested by viruses delivering malware.  Specifically in recent attacks Emotet as the delivery agent for the Trickbot trojan.  All too easy with users susceptible to social engineering.
  2. Trickbot moves laterally across systems, relying on SMB to navigate the network as it steals passwords, mail files, registry keys and more.  It communicates the stolen material back to the bad actor, the Black Hat.
  3. Next Trickbot might launch the Empire Powershell backdoor and download the Ryuk virus upon the black hat’s command.  Armed with harvested credentials, the black hat is now ready to execute Ryuk and encrypt files at will.
  4. The black hat scans for any vulnerable port of entry on an external interface.

┌─[blackhat@parrot]─[~]

└──╼ $nmap -Pn -p 8443 xxx.123.xxx.456
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-09 16:47 EDT
Nmap scan report for system.contoso.com (xxx.123.xxx.456)
Host is up (0.029s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt

Once a port of entry is found, in this case a very common and vulnerable port used as a remote access interface, the black hat can use the stolen credentials to log in to the network and rely on protocols such as SMB and RDP to access and exploit systems on the network, launching Ryuk to encrypt files on select systems, typically all of them.  Azure?  Too bad, encrypted.  Active directory authenticated AWS?  Ouch.ryk, every file owned.  Once the damage is found you’ll need to recover.

So how can you protect systems and most importantly backups so that rapid recovery, the best response to a live attack, remains possible?

  • The obvious first step in recovery is to neutralize all exploits.  It can also be the most time consuming.  Use Windows firewalls to block all SMB traffic and stop lateral movement across systems.  Deploy through domain level group policy.  Open only the ports necessary to deliver anti-malware utilities to clean all machines of any sign of exploits.  Windows 7 systems remain highly vulnerable to SMB attacks without proper patching and configuration.  Update 02/07/20: Windows 7 is depreciated, insecure and should not be used.  Best to get them off your network regardless of how annoyed some end users are by the thought of Windows 10.
  • Always be certain backup files and database backups reside on systems that are not authenticated to the network using domain level authentication.  Make sure they cannot be accessed using SMB or RDP protocols at all.
  • Of extreme importance is to make sure EVERYONE, especially your domain administrators are forced to change their login credentials routinely.  IT staff have a bad habit of being prime offenders of exempting themselves from password changes.  Take a stand.  Everyone changes their passwords and password complexity rules must be adhered to by every single account on the network.  Use 2 Factor Authentication 2FA every time possible, especially mailboxes and cloud accounts.
  • Make sure you have machine images that are not accessible using domain level authentication or credentials.  If you run a VMware environment make sure you administer VCenter only through local Vsphere credential logins, not AD authentication.  This serves not only to protect your production images, more importantly it protects your snapshots.  Hyper-V environments, God help you.  When you are solely reliant on Windows authentication to manage your virtual servers, you’re vulnerable.  I’d have to do more research on exactly how to stop propagation to all systems in a Hyper-V environment.  My first inclination would be spend some money on VMware or a Citrix XEN Hypervisor, Nutanix if you must.
  • Have snapshots.  Have recent snapshots.  If you don’t run virtual servers at least have Windows bare metal restore backups for physical machines.  Again these are to be written to appliances that are not connected to the network with domain level authentication.  Snapshot and bare metal backup files should remain recent enough to take into account all hardware and operating system changes that have been implemented.
  • Close vulnerable ports on your public interfaces or at minimum set them to random port numbers.  Obvious ports like 8443 are gonna get hit.
  • If you are a heavy transaction environment then you will also want to incorporate more more redundancy at the database server and application server level, such as SQL database replication with incremental transaction log offloads to drive space that is again, not domain authenticated.

Note: I did not specify anything related to archiving and compliance backups because while essential for certain industries and disaster situations they are not specific to rapid recovery in the event of any malicious disaster in which physical hardware assets are not compromised.  

Once you are able to quickly restore a virtual machine or physical system from a recent snapshot or bare metal recover file copies of data files and database backups can be moved into place for restoration to the most current backup set.  Daily is usually the best most small to medium “enterprises” can achieve.  With added expense in resources and configuration backups can be run with more frequency.   Unfortunately even hourly database log shipping won’t save a database from an encryption attack.  As my last point emphasized, unless log files are being off loaded in hourly increments to storage appliances that are not connected with domain level authentication they aren’t safe.  As always, the question of investment becomes: How much can you afford to lose?

The best defense against Ransomware is a good offence in the form of rapid recovery.  Since these exploits rely on social engineering (gullible people) you can never pretend your network is free of any vulnerability.  Don’t just design your backup and recovery environment in case something happens.  Make sure it’s tested it for when it happens.

 

Subscribe
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x