Why This Patient Ransomware Is Dangerous


Most ransomware enters your network and does its damage quickly. Patient ransomware waits until the worst possible time for you and your organization, and then strikes. Here’s how to protect yourself.

Many varieties of ransomware begin doing damage as soon as they gain a foothold on the target network. They often gain access through phishing, credential theft, or brute-force attacks on internet-facing devices, and skillfully bypass or disable weak to moderate cybersecurity defenses during installation. Then they get to work, immediately crawling the network for more vulnerabilities and encrypting valuable files. Once the files are encrypted, messages are left for users to discover: “Pay us or lose your data forever.” As scary as that is, there is now a scarier, patient ransomware that can do more damage to your business.

Traditional Ransomware vs Patient Ransomware

Cyber attacks often use some form of phishing to gain access to network resources. Once access is gained, the attack is automated, often following a relatively rapid progression of data exfiltration and encryption. This lets attackers process a large number of attacks with as little human intervention as possible.

But this speed comes at an opportunity cost for the attackers, because they aren’t able to exploit each attack to its fullest extent.

This patient ransomware has a different pattern. Microsoft, who first identified these attacks, reports that many of the attacks “started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers.” Internet-facing devices and systems are the ones that sit on the perimeter of a business network and are the most likely to be attacked and compromised. While some have inherent security flaws, others simply succumb to brute-force attacks. RDP is short for “Remote Desktop Protocol,” the technology used to give millions of remote workers access to their office computers.

Once the attacker gains access to the network, they focus on credential theft, looking for additional user and resource credentials they can use to travel through the network, acquiring access to an increasing number of online resources, and installing software (in this case the Java runtime environment and a file called PonyFinal.jar) that waits patiently to do its damage when asked. During this period, the attackers learn about the business and often exfiltrate data to remote servers.

Then, with the knowledge they’ve gained, they pull the trigger. Backups are deleted or encrypted, data is encrypted, and the ransomware trap is set. According to Microsoft, these patient attacks can persist on networks for months without detection before damage is done.

Maximum Damage

The cybercriminals who run these exploits are patient. They spend months embedding themselves and their software in a business network and wait for the right time to strike. According to ThreatPost, “the operators go on to encrypt files at a later date and time, when the likelihood of the target paying is deemed to be the most likely.”

The most likely times are those when urgency or opportunity is highest; for example, attacking accounting firms in early April, which is when Microsoft reported that many of these attacks went live. According to the software company, "So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding."

Protecting Your Company from Patient Ransomware

Protecting your company from patient ransomware begins with preventing the attack in the first place. Brute-force attacks rely on commonly used or easy-to-guess passwords, which are especially dangerous on internet-facing devices. Multi-factor authentication could stop such attacks before they begin.

In other cases, access is gained by exploiting systems that have reached end of life and are no longer supported or updated with regular security fixes. Especially vulnerable are platforms such as Windows Server 2003 and 2008. Other common access points are “Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers.” Migrating from unsupported software and keeping other software updated are two additional ways to prevent such attacks.

Once access is gained, additional network resources are often compromised because the same passwords are reused across multiple network resources. Requiring unique, complex passwords for all resources prevents this type of unauthorized network traversal.

If the organization has recent backups of its data and system resources, many ransomware attacks can be rendered ineffective because all the organization needs to do is restore the backups. That’s why, once the attack goes live, online system and data backups are the first resources targeted for encryption or deletion. Without these, the organization is more likely to yield to the attackers’ demands.

SIEM, Your 24/7 CyberSecurity Team

Because these patient ransomware attacks, like other types of attacks, often use common administrative tools such as PowerShell and PsExec, or penetration testing tools such as Cobalt Strike, they often go unnoticed. Detecting the presence of such attacks before they are activated often requires pattern recognition that only trained cybersecurity experts can provide.

Digital Uppercut’s Security Information and Event Management (SIEM) system could be the key not only to preventing the initial penetration, but to identifying the malicious software if it is ever installed. Windows itself, and every piece of network management or administrative software that we install on our clients’ networks, is capable of producing log files of all system activity. We properly configure each tool or system for optimal logging and forensics.

Our SIEM system provides continuous, real-time monitoring of your security logs. We study your network as a whole, not just as a collection of individual machines. We collect all of the logs from your servers, firewalls, desktops and other devices and store them offsite, where we analyze them in real time. We’re actively looking for anything that might threaten your business. And in the unlikely event that we find something, our SIEM system notifies our Security Operations Center, where we analyze the issue, identify its parts, and remediate the problem.
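As an added illustration of the kind of log pattern a SIEM looks for (example code written for this page, not Digital Uppercut's product), the script below runs two detections over constructed Windows event records matching the post's two warning signs: a brute-force burst of RDP logon failures against an internet-facing server, and PsExec being used to run commands on another machine. Event ID 4625 (failed logon), logon type 10 (RemoteInteractive, i.e. RDP) and event ID 7045 with service name PSEXESVC are real Windows values; the hostnames, addresses, users and log lines are constructed sample data.

```python
"""Added example (not Digital Uppercut's code): SIEM-style detections over
constructed Windows events: RDP brute force (repeated 4625 failures, logon
type 10, one source) and PsExec use (7045 install of PSEXESVC). IDs are real
Windows values; the log lines, hosts and addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the flat key=value form many SIEM collectors
# emit. Not real logs from any organization.
EVENTS = [
    "ts=2020-04-01T02:00:01 host=RDS01 id=4625 logon_type=10 src=198.51.100.7 user=admin",
    "ts=2020-04-01T02:00:03 host=RDS01 id=4625 logon_type=10 src=198.51.100.7 user=admin",
    "ts=2020-04-01T02:00:04 host=RDS01 id=4625 logon_type=10 src=198.51.100.7 user=backup",
    "ts=2020-04-01T02:00:06 host=RDS01 id=4625 logon_type=10 src=198.51.100.7 user=sysadmin",
    "ts=2020-04-01T02:00:07 host=RDS01 id=4625 logon_type=10 src=198.51.100.7 user=root",
    "ts=2020-04-01T02:00:09 host=RDS01 id=4624 logon_type=10 src=198.51.100.7 user=sysadmin",
    "ts=2020-04-01T09:15:00 host=WS17 id=4625 logon_type=2 src=- user=jdoe",
    "ts=2020-04-01T02:41:30 host=FS02 id=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe",
]

def parse(line):
    """Split one key=value record into a dict; ts becomes a datetime."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return (host, src) pairs with at least `threshold` RDP logon failures
    (event 4625, logon type 10) inside any `window`-long span."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == "4625" and e["logon_type"] == "10":
            fails[(e["host"], e["src"])].append(e["ts"])
    hits = set()
    for key, times in fails.items():
        times.sort()  # collectors do not always deliver events in order
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(key)
                break
    return hits

def psexec_installs(events):
    """Return (host, service) for 7045 service installs of PsExec's PSEXESVC."""
    return [(e["host"], e["service"]) for e in events
            if e["id"] == "7045" and e.get("service", "").upper() == "PSEXESVC"]

def run(lines=EVENTS):
    events = [parse(l) for l in lines]
    return rdp_bruteforce(events), psexec_installs(events)
```

Calling `run()` on the sample data flags the RDP server RDS01 being hammered from one address (five failures in six seconds, then a success) and the PsExec service appearing on FS02; the lone failed local logon on WS17 is ignored.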

Digital Uppercut Has Your Back

At Digital Uppercut, protecting your data, your organization, and your staff is our top priority. If your current IT team hasn’t given you the confidence that you’re well protected, let’s talk. Our SIEM is just one part of our Data Protection Toolkit, which is designed to help keep your business running in the face of ever-expanding digital threats. So when something new comes along, like this patient ransomware threat, you’ll be protected. Contact us online or call us at 818-913-1335.