Coveware: Ransomware Recovery First Responders


No Malware necessary. Just malicious intent

While the vast majority of cases we handle at Coveware involve known variants of ransomware such as Dharma and SamSam, we have recently seen cases that involve no malicious encryption software at all, just malicious intent combined with off-the-shelf commercial encryption software, often the freemium version of commercial products.

There have been prior ransomware types that used legitimate commercial encryption software. Earlier this year, it was reported that Qwerty Ransomware was using GnuPG to encrypt files of breached victims. Recent incidents we have assisted with indicate lone hackers/distributors who are recognizing the diminishing value of purchasing branded ransomware such as Dharma or GandCrab and paying the syndication fees, which can be as high as 30%.

These incidents play out in very similar fashion to a traditional ransomware attack. The hacker gains access to the network through commonly exploited avenues such as unsecure RDP ports and probes for servers, drives, and any connected backups. Rather than using a ransomware payload, the hacker uses off-the-shelf file encryption software to encrypt servers and connected drives. If backups are connected and reachable, they are typically wiped or encrypted as well to prevent a restore (note to readers, ensure your backups are partitioned off your network!).

The hacker catalogs each server that they encrypt by name or IP address so they can log the encryption codes needed to decrypt if a ransom is paid. Before leaving the network, the hacker drops a few .txt files with an email address like normal ransomware does as well. Then they wait for the victim company to contact them.

The hackers offer to decrypt a server for free, much like in a normal ransomware case where the hacker offers to decrypt a few files as proof that they can. Payment is made in cryptocurrency, and so far data recovery has been 100% on the cases we have handled. That being said, these cases pose a challenge to us and to anyone who faces them. We do our best to take a data-driven approach to ransomware cases, by offering historical statistics by ransomware type, and even the hacker’s identity. Use of off-the-shelf encryption removes a number of markers we traditionally use to diagnose and predict outcomes.

Additionally, there is less of a safety net for the victim company with these types of attacks. With a traditional ransomware variant like SamSam or Dharma, there is some relative comfort to be gained in the durability of the decryption tool. The tools have sometimes been used for months or years and are known quantities to the hacker and to firms like ours. With off-the-shelf encryption, if the hacker disappears or loses the encryption keys, they are gone, as is the encrypted data. We have contacted several manufacturers of this software to confirm that there is no decryption back door offered. With traditional ransomware, by comparison, we have revived cases where the original hacker goes AWOL, or a latent TOR site needs to be refreshed. No such revival is possible should a lone hacker disappear with the only decryption keys ever made.

What has been most striking about these types of ransomware attacks is how easily they could be propagated by an insider: a person within an organization who understands the company’s security weak points, but does not have the gumption to purchase a malicious tool kit from the more dimly lit parts of the internet, or be a distributor of a known ransomware-as-a-service group.

Defending against these attacks requires the usual measures - strong endpoint security (especially RDP) and continuity (partitioned backups). But it may also require measures that detect behavioral changes in files (files in the process of becoming encrypted), given the absence of actual malware in these types of attacks. We would also suggest that these types of attacks could be mitigated through background vetting of all employees with security administration rights. In the same manner that accountants and controllers should be vetted to ensure they are not risks to embezzle from a company, employees with security administrative rights should be screened as well. Additionally, since these attacks are financially motivated, we would add that above-market compensation for your security admins may be a helpful risk mitigant!
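One form the "behavioral changes in files" detection mentioned above can take is an entropy check: documents rewritten by an off-the-shelf encryption tool suddenly look like random bytes, even though no malware ever ran. The following is an added illustration written for this post, not Coveware's tooling; the thresholds, file paths and sample contents are constructed assumptions, and the "ciphertext" is a deterministic hash chain standing in for real encrypted output.

```python
import hashlib
import math
from collections import Counter

# Thresholds are assumptions for this illustration, not tuned production values.
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext approaches 8.0
BURST_RATIO = 0.5         # fraction of recently written files that look encrypted
SAMPLE_BYTES = 4096       # only the head of each file is examined

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    """Office documents and text rarely exceed ~6 bits/byte; ciphertext sits near 8."""
    return shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD

def detect_encryption_burst(recent_writes: dict) -> tuple:
    """recent_writes maps path -> bytes read back after the write.
    Returns (alert, suspicious_paths); alert fires when the share of
    high-entropy files among recent writes reaches BURST_RATIO."""
    if not recent_writes:
        return False, []
    suspicious = [p for p, blob in recent_writes.items() if looks_encrypted(blob)]
    ratio = len(suspicious) / len(recent_writes)
    return ratio >= BURST_RATIO, suspicious

# Constructed sample data: a plaintext document and a stand-in for its encrypted form.
PLAINTEXT = b"Quarterly report: revenue up 4%, headcount flat. " * 100
# Hash chain playing the role of ciphertext (deterministic, not real encryption).
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

# Constructed snapshot of files written on a file server in the last few minutes.
RECENT_WRITES = {
    r"\\fileserver\finance\q3_report.docx": CIPHERTEXT,
    r"\\fileserver\finance\budget.xlsx": CIPHERTEXT,
    r"\\fileserver\hr\policy.txt": PLAINTEXT,
}

if __name__ == "__main__":
    alert, paths = detect_encryption_burst(RECENT_WRITES)
    print("ALERT" if alert else "ok", paths)
```

Already-compressed formats (zip, jpeg, some PDFs) also score near 8 bits/byte, so in practice this check is combined with a baseline of normal write volume per share and with magic-byte checks against each file's extension.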

Malicious intent is just as dangerous as malicious software, it turns out.