A TARGETED CAMPAIGN AGAINST CRITICAL ASSETS – WITH NOTHING TO STOP IT. DID A U.K. ENTERPRISE UNWITTINGLY HELP ITS HACKERS?
Reactive, not predictive – an attacker’s paradise.
The Head of IT’s story
Head of IT, Tasneem, feels like she’s been caught in a multiple pincer movement.
Ransomware came and ruined her week. Whilst she was busy dealing with that, malware came and stole her colleagues’ credentials and goodness knows what other data too, and – according to her fuming CEO Doug – probably put it up for sale on the Dark Web.
And it got worse. While battling to restore backed-up data into the enterprise’s systems, to recover from the ransomware that had locked the business’s data up, Tasneem received the news from the Reliance acsn analyst that the attack wasn’t a wide-scale phishing attack at all, but a targeted campaign going after specific critical assets that would cause maximum disruption to the business. Small scale, big hit.
And as if that weren’t terrifying enough, Tasneem also learned, via the Reliance acsn analyst, that her chances of stopping any ransomware attack – targeted or otherwise – had anyway been close to zero.
Why? Because her focus on simply keeping security policies updated and installing firewalling and AV had lulled the enterprise into a false sense of security, blinding it to the gaps elsewhere in its defences.
(She hadn’t explained that last bit to Doug. Unsurprisingly, she thought she probably wouldn’t bother.)
A targeted attack – but persistent, and one of many
The Ryuk ransomware strain, unlike other ransomware strains that are often deployed via mass campaigns, tends to be focused only on critical assets, and is usually deployed manually by the threat actor.
Nonetheless, this targeted and manual character does not mean Ryuk is not a widespread threat; indeed, reports from NCSC and Reliance acsn’s other threat intelligence systems showed multiple active campaigns during the time of the attack.
Once ‘dropped’ onto the targeted networks, Ryuk creates persistence through a scheduled task and through modifications to the Windows Run registry keys, so that the ransomware is re-triggered whenever a user logs in.
AV? A false sense of security. The analyst’s story
For the Reliance acsn analyst advising CEO Doug and his team, a story was unfolding that he had seen far too many times before.
Over-dependence on reactive security software, lack of predictive threat insight, and – to add insult to injury – poor management of whatever limited protection the technology can actually provide. A false sense of security in more ways than one.
It was all the more galling for the fact that the business had become dependent on an AV-focussed regime, potentially giving the hackers a helping hand.
Could AV have stopped Ryuk?
When he tested the Ryuk ransomware sample, the Reliance acsn analyst found that it was identical to previously seen Ryuk samples.
Like them, it worked by using a dropper to create a five-letter, randomly generated file name, using the srand function and GetTickCount for random seed generation.
The generated files were then written to a specific folder – again, typical Ryuk behaviour. (In this incident, the folder was /users/Public and the ransomware file was named TlMMh.exe.)
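The persistence mechanism (scheduled task plus Run registry keys, re-triggered at logon) and the drop pattern (a five-letter, randomly named .exe in the Public user folder) described above are exactly the artefacts a defender can hunt for on a Windows host. The following PowerShell script is an added example, not Reliance acsn’s tooling or part of the original case study; it assumes the drop folder is C:\Users\Public on the system drive and treats the five-letter executable name as an indicator, and it only reports findings for an analyst to review rather than removing anything.

```powershell
# Added example (not from the original page): hunt for Ryuk-style persistence on a
# Windows host. Flags Run/RunOnce values, scheduled-task actions and files that point
# to a five-letter, randomly named .exe under C:\Users\Public.
# Assumptions: C:\Users\Public is the drop folder; the 5-letter name is an indicator.

$PublicPath  = Join-Path $env:SystemDrive 'Users\Public'
$PublicRegex = [regex]::Escape($PublicPath)
$NamePattern = '^[A-Za-z]{5}\.exe$'

function Test-SuspiciousLaunch {
    # Returns $true when a command line launches an .exe from the Public folder
    # or an .exe whose name is exactly five letters (the Ryuk dropper pattern).
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    $exe = ($CommandLine -replace '"', '').Trim()
    if ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }   # drop any arguments
    $inPublic  = $exe -match "(?i)^$PublicRegex"
    $randomish = (Split-Path -Path $exe -Leaf) -match $NamePattern
    return ($inPublic -or $randomish)
}

$findings = @()

# 1. Run / RunOnce keys for the machine and the current user.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        if (Test-SuspiciousLaunch $p.Value) {
            $findings += [pscustomobject]@{
                Source = $key; Name = $p.Name; Command = $p.Value; LogonTrigger = $true
            }
        }
    }
}

# 2. Scheduled tasks whose action launches a suspicious executable; note whether
#    the task fires at logon, which is the behaviour described for Ryuk.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $atLogon = [bool]($task.Triggers |
        Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    foreach ($a in $task.Actions) {
        if (Test-SuspiciousLaunch $a.Execute) {
            $findings += [pscustomobject]@{
                Source       = "Task $($task.TaskPath)$($task.TaskName)"
                Name         = $task.TaskName
                Command      = "$($a.Execute) $($a.Arguments)".Trim()
                LogonTrigger = $atLogon
            }
        }
    }
}

# 3. Executables already sitting in the Public folder with the five-letter name.
Get-ChildItem -Path $PublicPath -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $NamePattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Source = 'File'; Name = $_.Name; Command = $_.FullName; LogonTrigger = $null
        }
    }

if ($findings.Count -eq 0) {
    'No Ryuk-style persistence entries found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the HKLM keys and all scheduled tasks are readable; HKCU covers only the user running the script, so on a multi-user host the same Run keys should be checked for each loaded user hive. A hit is a lead, not a verdict: the task name, the exact command line and the file should be preserved and compared against known-good software before anything is removed, and the same three sources (Run keys, scheduled tasks, Public folder) are worth collecting centrally so that a randomly named executable appearing on one host can be correlated across the estate.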
A targeted attack with a unique presentation designed to evade detection, which also covers its tracks by switching security software off (as we described in Episode 1), is by definition likely to elude security technology. In the analyst’s own lab tests, the variants seen were undetected by any of the commercially available AV solutions when Reliance acsn were the first to upload a sample to VirusTotal. Of course, 24 hours after that first upload, over 85% of these solutions detected the sample, but by then it was too late for this business.
Evidence, if any were needed, that security software alone cannot stop the big hitters going after the biggest prizes.
How did we get hit hardest exactly where it hurts most? The CEO’s story.
Doug’s head is still spinning.
It follows, from the fact that the attackers had targeted specific critical assets, that they knew far more than they should about the business and its networks.
Had they been on the network, gathering information, spying on it? For how long? Sure, the security software’s only half-useful – they had all reluctantly realised that now – but how come somebody hadn’t spotted the threat, and worked out what it presaged?
Then he realised, once again, that he had no bodies who could do that.
Is this how the attackers prepared for the big hit?
Today’s threat actors can sit on their victims’ networks for weeks, months, even years – watching, waiting, gathering information.
They deploy signature-less attacks and actions that masquerade as legitimate internal use, covering over their tracks and often rendering them invisible to security technology alone.
The SANS Institute, a cyber security research foundation, recently issued a paper that highlighted a strong need for more network visibility, particularly actionable data or intelligence about attackers, tools and indicators of compromise (IOCs).
These are deliverables that rely heavily on real human security knowledge – the ability to understand not only what’s happening but where it’s leading next.
Needless to say, therefore, any organisation in which security starts and stops with security technology is lacking critical insight and is particularly vulnerable to undetected network activity – including the enterprise we have featured in these episodes.
So, who got paid, how much, and does the financial impact stop there?
Episode 4 counts the cost
Miss Episode 2? Read it here
Miss Episode 1? Read it here