A ransomware bedtime story

This ransomware bedtime story is not about your company, this post is about another company – because your company is secure and well protected right?

The company VulnX has been running for years, it has 100 clients and it is a successful business. Their IT infrastructure is maintained by their system and network administrator.

They use various security solutions like Firewalls, Antivirus software and network monitoring services. They also have a SIEM installed which provides critical information about the events that are taken place in the IT infrastructure of VulnX.

So now you know a little about VulnX, we are going to take a deep dive into the compromise of VulnX. Just to make it clear. VulnX is a FAKE company. It is made up.

A nightmare

On a sunny but cold day one of the sales employee’s runs into the office of the system administrators – the sales employee which is known for being motivated, eager and successful informs that he opened an email attachment, and once he viewed the attachment his computer started renaming file names on the device.

The sales employee says that he does not know what to do, and he claims that important files are stored on that device which have to be recovered.

The system administrator calms the sales employee, and tells him to standby while some research is being performed. The system administrator opens up his SIEM and security monitors and to his big surprise, he sees that the infected device of the sales employee is scanning for shares on the network – on the same moment, another employee storms in the office of the system administrator – she states that all her designs and marketing files have been locked, including the once on the network shares and external storage devices that were connected to her device.

The experienced system administrator decided to disconnect the infected machines and network shares in the subnet that had been compromised. He immediately send out a mail towards the entire company – informing them that a ransomware attack has targeted the company – and that people should take extra care when opening email attachments. He also informed the company that the network shares from the sales and design teams have been disconnected.

Now that the system administrator had created a moment, he started investigating the compromised devices, he discovered that they were hit by the Locky Ransomware. The wallpapers of the infected devices had changed into a ransom letter that informed the user to pay-up the ransom via a bitcoin transaction.

The administrator started searching the web for decryption tools for Locky, but he quickly realized that no decryption tool was available. A couple of hours passed while the administrator communicated with the C-level, and the decision was made that the ransom would be paid in order to recover the files, and luckily, they were.

The system administrator started thinking about how it was possible that the infection was successful.

Lack of awareness

The system administrator noticed that it could be because of the lack of awareness. These attacks only have to be successful once.

He thought about how he could inform the company about these types of attacks:

  • Flyers with tips and tricks on how to stay secure
  • Creating an awareness campaign within the company, so he send out some fake mails himself towards his colleagues, and each one that opened the attachment got an kind message that he could have been compromised with malware
  • Enforcing the use of the sandbox module in the antivirus product (scan the file before you open it)

Weak points in the infrastructure

The system administrator did acknowledge the fact that he cannot blame the employees for the infection – those people are always on the hunt for more sales, so it is not strange that they do not check each attachment or link before opening it. They want to move fast. So he started thinking about how those emails were landing in their inboxes, and how he could battle that.

He came up with the following ideas:

  • Domain blacklists
  • URL blacklists
  • IP blacklists
  • Email attachments scanned in a sandbox environment before they land in the inbox
  • More backups

Lack of on-site knowledge

The system administrator had more confidence now that it would be harder for the cybercriminals to breach the environment via mail – but he understood that there was still a small chance that they could come inside the network. So he thought about the devices that had been compromised, and to his big surprise he came to the conclusion that;

  • Encryption modules had to be used by the malware – while those devices only use the Encryption module on certain times
  • That a command which renames hundreds of files within seconds from those types of devices is never going to be a legitimate command

So the system administrator decided to take a look at the possibilities on restricting those type of commands and modules.

Policies are not enforced

He also noticed during his research that multiple devices within the IT infrastructure were not up to date. Although he had implemented policies to enforce that, somehow still a couple remained vulnerable.

Shit happens, so he decided to recheck all the policies within the company – he updated the policies and he immediately hardened critical devices by simply using policies like:

  • Only allowed specific vendor USB sticks at X hours.
  • Shutting down USB / WIFI / Infrared / Bluetooth on devices that do not need them

Updates and (custom) patches

He immediately did an update run on machines which allowed that, and as an experienced system administrator he know how to perform custom patches on devices that did not allow an automatic update.

Indications that action needs to be taken

The most important thing the system administrator learned, was the fact that he could not blindly rely on the monitoring systems that had been setup. Because the cybercriminals are always looking for methods to trick those systems.

So he made a little list of indications, and once those indications pop-up, he knows that he need to take immediate action.

  • Rise in Malspam complains or alerts
  • Rise in use of Shared networks
  • Rise of infrastructure use on weird hours
  • Rise in BYOD
  • Rise in alerts in the already setup monitoring tools

And for the next time

The system administrator noticed that he spend a lot of hours into thinking on which action he should take and which tools he should use.

He created an emergency toolkit which contained:

Share this info with your network: