Ransomware - It's not just "user-injected"
For those of you who don't know what it is, essentially it's malicious software that can be installed on your computer: a very effective and destructive "virus". It encrypts your files, photos, music and most commonly accessed data in return for a ransom payment, which may enable you to decrypt and retrieve your files. It can also encrypt files on other computers across your network.
Whilst some decryption tools are available for some variants, many new strains are extremely secure and no decryption is possible. You are encouraged by the cyber criminals to access a deep, dark part of the web, which is essentially untraceable, to contact them in order to pay a ransom (usually thousands and sometimes in the tens or even hundreds of thousands) in return for the unique decryption key. UNDER NO CIRCUMSTANCES SHOULD YOU DO THIS! Disconnect from the internet first if you encounter an attack and get help from a professional. If you pay the ransom, you are essentially paying criminals; there will be no customer support if you pay and are unable to decrypt, and you could also be funding further, more serious crimes. We will detail software that can protect you from these exploits, but most importantly, you should have excellent, secure offsite and onsite back-ups of your data. In most instances, this is the only way to recover. Bear in mind, however, that it will also encrypt data in Dropbox, OneDrive, LiveDrive and other online collaboration and back-up systems.
Our previous experience
We have seen around 5 attacks so far on people who have come to us after the event. All of these have been "user-injected". This means that the user has unknowingly allowed the virus into their computer, usually by clicking on a link in an email or through a malicious website or pop-up. In all instances, the user had not backed up their data and it was lost. It was archived off their systems in its encrypted form in the hope that a security company would come up with a decryption tool. They never did for those particular variants.
Last week's experience
As an IT support and services provider, it's a little embarrassing to say the least to admit being compromised. However, last week, we suffered an attack. This was realised when I tried to log in to my own computer and had errors galore. As soon as I logged in, I realised that I had suffered a ransomware attack. But how? I'm very cautious, and from the time-stamp of the first infected file I realised that I wasn't in the office then. I asked my colleague, who hadn't noticed any issues, but there were encrypted files on his PC and a ransom note, as with mine. As I turned white, I logged into our local server... and soon realised that it had also been encrypted. This was where we focused our attention: we immediately disconnected it from the network and ran a scan. We also ran a scan on the other computers which were encrypted. Those two came up clean; however, we noticed an executable running in Task Manager on the server, launched from a TMP file. We immediately stopped this process, renamed it and changed its file extension to prevent it running again and stop further encryption. Investigating further, we checked our firewall logs and found 2 sessions open on port 3389, which is used for Microsoft Remote Desktop Services; the originating IPs of the compromised port were in the UAE and Argentina. We then knew that these were the originating cause. We immediately closed the sessions and closed port 3389 on our firewall. I had opened the port a while back as a "temporary" measure when I was working from another location and needed access, and I forgot to close it.
Leaving this one port open was my one, very regrettable mistake. As IT people, we often concentrate more on our clients' systems than on our own, but that is no excuse!
It got me thinking: as the other machines had not been infected, how was their data encrypted? As we run a local Active Directory domain, and the server was logged in with the Domain Administrator account (whose password was very strong), it will have had admin access to every other PC on the domain and therefore access, through Windows File Sharing, to the administrative shares on each drive (e.g. C$, D$). The executable running on the server could then encrypt data on those accessible drives without needing to run on the other machines at all. Simple really... and very effective! The solution: block access with your firewall if file sharing is not required.
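The two things we found in the logs above, inbound RDP sessions from addresses outside our network and SMB traffic reaching the administrative shares on workstations, are both visible in ordinary firewall logs if you look for them. The following is an added example (not code from the original post or from any vendor) showing one way to audit such a log: it reads a constructed sample in the layout of a Windows Firewall pfirewall.log, flags allowed inbound connections to RDP (3389) and file-sharing ports (445, 139) from addresses outside the trusted ranges, and separately flags SMB arriving at any host that is not a designated file server. The IP addresses, timestamps, the trusted ranges and the file-server address are all assumptions made up for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of a Windows Firewall pfirewall.log.
# Addresses, times and ports are made up for this example; 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges standing in for external hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-01 02:13:44 ALLOW TCP 198.51.100.23 192.168.1.10 51902 3389 0 - 0 0 0 - - - RECEIVE
2017-05-01 02:13:59 ALLOW TCP 203.0.113.77 192.168.1.10 40211 3389 0 - 0 0 0 - - - RECEIVE
2017-05-01 02:20:05 ALLOW TCP 192.168.1.10 192.168.1.21 49731 445 0 - 0 0 0 - - - RECEIVE
2017-05-01 08:01:12 ALLOW TCP 192.168.1.21 192.168.1.10 50120 3389 0 - 0 0 0 - - - RECEIVE
2017-05-01 08:05:30 DROP TCP 198.51.100.23 192.168.1.10 51999 3389 0 - 0 0 0 - - - RECEIVE
2017-05-01 08:10:00 ALLOW UDP 192.168.1.10 192.168.1.255 137 137 0 - - - - - - - SEND
"""

# Ports that matter for this attack path: RDP, and the Windows file-sharing
# ports through which the C$ / D$ administrative shares are reached.
WATCHED_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS-SSN"}
SMB_PORTS = {445, 139}

# Assumed values for the example network: RFC 1918 ranges are "trusted", and
# 192.168.1.10 is the only host that is supposed to receive SMB (the file server).
DEFAULT_TRUSTED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
DEFAULT_FILE_SERVERS = frozenset({"192.168.1.10"})


@dataclass(frozen=True)
class Finding:
    time: str
    src: str
    dst: str
    port: int
    service: str
    reason: str


def parse_pfirewall(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield dict(zip(fields, parts))


def audit_exposed_services(text, trusted_networks=DEFAULT_TRUSTED,
                           file_servers=DEFAULT_FILE_SERVERS):
    """Return findings for allowed inbound RDP/SMB that breaks the stated policy."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for rec in parse_pfirewall(text):
        # Only accepted inbound traffic matters; drops are the firewall doing its job.
        if rec["action"] != "ALLOW" or rec["path"] != "RECEIVE":
            continue
        try:
            port = int(rec["dst-port"])
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue
        if port not in WATCHED_PORTS:
            continue
        service = WATCHED_PORTS[port]
        if not any(src in net for net in trusted):
            findings.append(Finding(rec["time"], str(src), rec["dst-ip"], port,
                                    service, "inbound from untrusted address"))
        elif port in SMB_PORTS and rec["dst-ip"] not in file_servers:
            findings.append(Finding(rec["time"], str(src), rec["dst-ip"], port,
                                    service, "SMB reaching a host that is not a file server"))
    return findings


def sessions_by_source(findings):
    """Count flagged sessions per (source address, port), as seen in the post's logs."""
    return Counter((f.src, f.port) for f in findings)


if __name__ == "__main__":
    for f in audit_exposed_services(SAMPLE_LOG):
        print(f"{f.time} {f.src} -> {f.dst}:{f.port} ({f.service}): {f.reason}")
    print(sessions_by_source(audit_exposed_services(SAMPLE_LOG)))
```

On the sample this reports the two external RDP sessions and the one SMB connection from the server to a workstation, and ignores the dropped attempt and the internal RDP session. Real pfirewall.log files only contain what logging is configured to record, so the same check against a perimeter firewall's own export is worth running too; the parser only needs a different #Fields-style header mapping.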
Anyway, this may be a lot of information for some of you, but we want people to understand exactly how much damage this malware can do. We had the latest Malwarebytes Endpoint 3.0 and Anti-Exploit software protection installed on the server and across PCs on the network; however, because they essentially hacked into the server using RDP, they could easily disable this. Malwarebytes are working on making the next release with Anti-Tamper protection to prevent this. We will still use and recommend Malwarebytes and remain a partner of theirs, and we have been assured that, had it been a "user-injected" attack, we would have been protected.
In order to recover, we performed a bare metal restore on our server, which was successful, and we were actually back up and running a few hours after the investigation. We lost a very small amount of data: the files not backed up since the last back-up task ran. Had our back-up systems not worked, however, it could potentially have destroyed our business.
We have learnt from this and it has been a very valuable lesson, but at the same time a very educational one. Although we're assured that data won't have been breached or taken, we've taken the precaution of changing all of our clients' usernames and passwords as well as our own. These were, however, stored in a secure, encrypted database within our own systems. We've also reviewed our own back-up and disaster recovery planning and monitoring, as well as completely locking down our firewall and internal network too. Whilst we admit it is embarrassing, let's not forget that the likes of the CIA and NSA have also had breaches in the past... if people want to get in, they will... you just have to try and make it as difficult as possible!
We have reported this attack to Action Fraud here in the UK. However, despite the information we have provided to them, it's unlikely that any prosecution will take place. These criminals often operate from countries where UK and US authorities have no jurisdiction, and they also hide their tracks using proxies and other compromised networks to initiate their attacks. Whilst it's frustrating, there is often very little that the authorities can do about this sort of potentially very lucrative crime. We have, however, provided a lot of information to Malwarebytes, which is very useful to them in terms of being able to combat and protect against it in future.
We were very lucky that our back-up systems worked, as we were able to restore very quickly with minimal impact.
What can you do?
Our advice has always been to educate employees in your business on avoiding user-injected threats by thinking 3 times before clicking on any links in emails, websites, social media etc. This is one of THE most effective points of protection. Don't trust anything. Always log in directly to the website instead of clicking on an email link. Some phishing and malicious emails can be incredibly convincing!
However, for that extra level of protection, we definitely recommend Malwarebytes Endpoint Security across your network. As a Malwarebytes partner, we can provide, provision and install this on your network for you so get in touch for pricing.
Speak to your IT support or, if you don't have any, speak to us about what you are doing and what can be done to secure it even further. Question everything. Do we need that port open to all IP addresses? Do we need file sharing ports open on our desktops? Are our passwords secure? Are our systems protected by two-factor authentication and, if so, is it enabled? Is our back-up working? Do we have an isolated offsite back-up and is it tested regularly? Is the firmware on our router/firewall up to date? Are our servers and workstations patched with updates? Can we lock down access to certain sites or apply even stricter security policies? Do our employee contracts cover our IT systems sufficiently? Do we have cyber-crime protection built into our company's insurance policies? Do we have a lock-down procedure in place if a threat is detected, to prevent further loss? Do we regularly scan our systems for malware?
It was very difficult to write this blog and admit our error and the consequences of it. However, we made the decision to admit it in the hope that we can prevent somebody else's business from suffering a similar, potentially devastating attack. An attack like this can destroy businesses, and has done so in the past. Please do feel free to share this blog with your friends and family. Whilst we've covered its effects in a business environment, ransomware is also extremely common on domestic devices: think about those years of photos of your children stored on your computer and what you'd do if you lost them all forever!