Summer Ransomware Roundup: What a Long, Strange Trip It's Been
When researching articles and topics to write about for this week’s blog entry, I kept coming back to ransomware articles again and again. It was not possible to browse any InfoSec blog or news site without at least a few stories related to ransomware. Many thought the ransomware craze was finally over after becoming unprofitable compared to malicious cryptocurrency mining. However, after high profile ransomware attacks against the cities of Baltimore and Atlanta in the US, ransomware made a comeback with a vengeance causing hundreds of millions of dollars of damage in its wake.
In 2017, I accurately predicted that after WannaCry, NotPetya, and BadRabbit, incidences of ransomware attacks would be in decline in favor of cryptojacking, the unauthorized use of a target’s compute resources to generate cryptocurrency on behalf of the attackers. The narrative made sense: many ransomware victims in the developing world did not have the means to pay the ransom and just dealt with the data loss. Cryptojacking allowed attackers to reliably generate income the moment a compromised system came online by mining Monero, a largely untraceable cryptocurrency. By the end of 2018, the tides were shifting against cryptojacking when the bottom fell out of the cryptocurrency market and a hard fork in the Monero chain made cryptojacking barely profitable. In 2019, attackers took notice that organizations, including state and local municipalities, were taking out cybersecurity insurance policies that insure against ransomware attacks.
In early 2019, I again predicted that the world would see a resurgence of ransomware attacks due to the ease of payment collection through cybersecurity insurance carriers. The fact is that in many cases it is more economical to pay the ransom and hope to get the data back than to suffer long lengths of downtime and recover systems from backups that were hopefully in place. From the insurance carrier’s standpoint, they will always choose the cheaper option, and everybody pays the price. Other municipalities become more attractive targets now that attackers know that ransoms are paid; citizens living in affected cities suffer service outages during the attack and pay more in fees and taxes to cover the ransomware losses not covered by insurance and the increased insurance premiums; and the status quo is maintained. Even after the devastating ransomware outbreaks of WannaCry and NotPetya, the cybersecurity community has been screaming at the top of its lungs to anyone who will listen to take the necessary precautions to prevent further attacks: keep systems up to date, have bulletproof backups, and do not click on links or open attachments from unknown senders. Just this past week, the US Department of Homeland Security and several NGOs (non-governmental organizations) issued a statement urging the cyber community to take steps to prevent further damage from ransomware attacks.
Here are the top ransomware stories from this past week.
License, registration, and decryption keys, please
Any fan of the USA series Mr. Robot will remember that the protagonist Elliot Alderson had to hack into a prison network to free a drug dealer who was holding his girlfriend hostage. He was able to penetrate the prison network through the laptop of a police car, which was using an unsecured Bluetooth channel, by connecting his own keyboard to the computer. This scene accurately portrayed the method of attack where attackers go after the weakest link in the security chain and use it to move laterally into a more secure network. This past week, three Georgia (US state) police agencies were affected by a ransomware outbreak that took their patrol car laptops offline. The Georgia State Patrol, Georgia Capitol Police, and the Georgia Motor Carrier Compliance Division all reported lockouts of their patrol car laptop computers. While the three agencies all operate independently of each other, they all used a shared IT department, which is the likely cause of the initial infection and what allowed it to spread to the other agencies. Having police cars interconnected greatly assists with investigations when an officer needs to look up a license plate, but it also opens them up as a potential attack vector. The initial impact appears to be minimal, as tasks usually performed on the in-car laptop were radioed into a dispatch center, which completed the job on behalf of the officer.
The Empire WILL Strike Back
Taking a line from my blog post from two weeks ago, the Governor of Louisiana has declared a state of emergency after three school districts in the state were hit by ransomware attacks. The IT networks of all three school districts were knocked offline, and files have been encrypted and are inaccessible. Luckily the attack occurred during the summer months when most students and staff are on summer break, so the immediate impact was not felt by the broader student population. Signing the emergency declaration allows the three affected school districts to use state resources, including the Louisiana National Guard, to help bring their systems back online and protect them against further attack. Using state and, eventually, federal resources to protect local systems against attack may include the Department of Defense’s new tactic of “defending forward,” where US Cyber Command will disrupt the operations of attackers before they have the capability of attacking the US first.
Who Turned Out the Lights?
I have often argued that cyber attackers will cross a line when the cyber world begins affecting real-world systems. In December 2015, a massive cyberattack took out most of Ukraine’s power grid and left hundreds of thousands of residents without power. Attacking critical infrastructure such as a power grid has mostly been viewed as off-limits, as it could justifiably cause a kinetic retaliatory response. City Power, an electricity provider in Johannesburg, South Africa, was hit by a devastating ransomware attack which encrypted and made unavailable its databases, customer records, internal networks, public websites, and an application which allows residents to pay for electricity. This attack has led to widespread blackouts in the South African city because customers are unable to pay their bills or purchase more credits when automated systems begin shutting off power for non-payment. Making matters worse, the cyberattack is also making it harder to coordinate the response to the blackouts and get the power turned back on for customers.
All Your Records Are Belong To Us
Ransoming data has been around since the late 80’s, but the type of data and the spreading mechanisms have evolved dramatically since then. Publicly accessible MongoDB servers are showing up on Shodan every day. Database administrators who do not know the first thing about securing an internet-facing database have opened themselves and their employers to data theft and data manipulation, not to mention privacy violations. It truly is mind-boggling how an administrator can take the time to make a database internet-facing and not have a simple ACL or set up authentication to access the data. However, the saying “A fool and his money are soon parted” holds here. Unprotected MongoDB databases have recently had their database contents replaced with a ransom note stating that the database had been downloaded and that, to get it back, the victim must pay a ransom in Bitcoin. There is no guarantee that the data will be returned or that the attacker did not make a copy of the data to be sold on an underground market on the Dark Web once the victim pays the ransom.
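As an added illustration, not from the original post, here is a small Python check that reads a mongod.conf fragment and flags the two settings that produce exactly the exposure described above: listening on every interface while authorization is left off. The option names net.bindIp, net.bindIpAll and security.authorization are real mongod settings; the two sample configurations, the minimal parser and the audit logic are constructed for this example and assume the simple two-level "section / key: value" layout of a typical mongod.conf.

```python
"""Audit a mongod.conf fragment for the exposed-database pattern:
bound to all interfaces with authorization disabled.
Example code; sample configs below are constructed, not real servers."""

from typing import Dict, List

# Constructed example: the kind of configuration that ends up on Shodan.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed example: the same server hardened.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private address
security:
  authorization: enabled       # clients must authenticate
storage:
  dbPath: /var/lib/mongodb
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def parse_conf(text: str) -> Dict[str, str]:
    """Flatten the two-level YAML subset used by mongod.conf into dotted keys,
    e.g. {'net.bindIp': '0.0.0.0'}. Comments and blank lines are skipped.
    This is deliberately not a full YAML parser (assumption of this example)."""
    settings: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not indented:
            section = key          # top-level section such as 'net' or 'security'
            if value:
                settings[key] = value
        else:
            settings[f"{section}.{key}"] = value
    return settings


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_conf(text)
    findings: List[str] = []
    # mongod 3.6+ defaults to localhost only; explicit settings override that.
    bind_all = s.get("net.bindIpAll", "false").lower() == "true"
    addrs = {a.strip() for a in s.get("net.bindIp", "127.0.0.1").split(",")}
    auth_on = s.get("security.authorization", "disabled").lower() == "enabled"

    wildcard = bind_all or bool(addrs & WILDCARD)
    non_local = wildcard or bool(addrs - LOOPBACK)

    if wildcard:
        findings.append("binds all interfaces (net.bindIp / net.bindIpAll)")
    if not auth_on:
        findings.append("security.authorization is not enabled")
    if non_local and not auth_on:
        findings.append("CRITICAL: unauthenticated database reachable from other hosts")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Binding to a private address such as 10.0.0.5 is still "reachable from other hosts" and only passes here because authorization is enabled; a firewall rule or ACL in front of the port remains the other half of the fix the post is asking for.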
This attack mirrors a similar trap that Uber fell into in 2017 when an attacker threatened to release the illegally obtained records of 57 million Uber customers unless Uber paid the data thief. Uber paid the blackmail money and used HackerOne’s managed bug bounty platform to launder the payment, but not before firing its CISO and head of cybersecurity. HackerOne’s terms and conditions made the attacker contractually obligated not to share any of the stolen information.
A White Knight Emerges
Despite the first eight thousand words or so of this article, not all news related to ransomware is bad news. Launched in July 2016, a non-profit project started by Europol dubbed “No More Ransom” recently reported that it helped prevent the transfer of over $100 million in ransom payments, robbing the robbers of their ill-gotten gains. The No More Ransom project relies on the fact that many ransomware authors are lazy and do not perform the key generation that would prevent the easy reverse engineering of the decryption key. Some malware authors are so lazy that they use the same decryption key for every instance of infection, allowing victims to recover their files quickly. At the time of writing, No More Ransom provides decryption tools and assistance for over 109 different strains of ransomware. Contributors to the No More Ransom project include security researchers, security vendors, law enforcement agencies, and Computer Emergency Response Teams (CERTs). The $100 million figure in prevented ransom payments is also believed to be an underestimate, with a more accurate number being somewhere in the $600 million range. As long as the security community continues to come together to prevent infections or provide free decryption resources, it will deny the attackers the revenue stream that motivates them to carry on their operations.
Wild West Cybersecurity Insurance Market
Cybersecurity insurance vendors are thinking twice about offering coverage for ransomware payments. Threat modeling for a Category 5 hurricane would seem elementary compared to predicting the probability and potential impact of a severe cyber attack. WannaCry was much more widespread and impacted more systems, but it is widely held that the successor ransomware strain NotPetya was far more destructive in terms of dollars lost as a result of the attack. Litigation related to the 2017 ransomware attack is still ongoing, and more anxious onlookers on the sidelines are opting not to provide this type of coverage for fear of being drawn into a protracted legal battle. The data available for the probability and impact of a hurricane, earthquake, wildfire, or other natural disaster is plentiful and goes back decades and centuries. Ransomware, in its current form, has not been around for more than a decade, and its nature is always evolving. Encrypting Pfizer’s data in the cloud ten years ago would have had a very different impact than encrypting it today. As the tools, techniques, and procedures of the attackers evolve, so do the stakes for organizations, as more and more rely on computer systems to automate workflows and run the business. The automated systems of Norsk Hydro were taken offline, and workers had to be called in to switch their operations to manual control while the incident response teams repaired the IT infrastructure. This unpredictability will ensure that only a few insurance carriers become very good at modeling cybersecurity threats. Fewer carriers mean less competition, which will drive up prices. Higher prices will cause organizations to rethink their risk posture: whether to purchase the insurance to cover the cost of the attack, implement security controls to prevent the attack in the first place, or hope and pray they never become a victim.
Wrapping It All Up
If it has not been clear to my readers from my previous posts or from the theme of this post, an ounce of prevention is worth a pound of cure. Preventing systems from being infected in the first place ensures that the administrator never needs to worry about how to recover from a cyber attack. While it is not realistic that any organization can prevent every attack from being successful, practicing defense-in-depth, starting with bulletproof backups and user awareness training, will go a long way. It is not enough to have “good enough” security that only examines the DNS record or HTTP traffic while bypassing “trusted” websites such as CDNs, cloud file storage, and HTTPS traffic. It is not enough to tell users not to click on links in e-mails from unknown senders. Proper security awareness training extends beyond once-a-year online training classes and must continue with phishing tests, red teaming, and security controls to protect users against themselves. With a significant increase in attacks utilizing SSL or TLS-based encryption and malware-less payloads, it becomes essential to inspect all internet traffic for malicious data. With my next prediction being that payouts by cybersecurity insurance companies will soon dry up, some other revenue stream will take its place, as attackers never take a day off from extorting victims.