InfoSec Alert - RansomWare Threats Increasing

3/30/2018

Aaron Lancaster , Sr. Security Engineer

This is an rmsource InfoSec alert.

The purpose of this alert is to inform rmsource clients of current or imminent security concerns so that proper precautions may be taken.

Executive Overview:

There is always a temptation to think to ourselves, “that will never happen to us.” Such could certainly be the case when we think about Ransomware, but we would be fooling ourselves. Look no further than this week’s ransomware outbreaks at the City of Atlanta and Boeing as evidence that no one is out of harm’s way.

There are many variants of Ransomware including “SamSam” which hit Atlanta last week, a variant that has been in the wild since 2016. This is the second major infection event the city has suffered in the last year. Outbreaks a similar variant called “Bad Rabbit” led to US-CERT issuing an advisory in October 2017.

“US-CERT has received multiple reports of ransomware infections, known as Bad Rabbit, in many countries around the world. A suspected variant of Petya, Bad Rabbit is ransomware—malicious software that infects a computer and restricts user access to the infected machine until a ransom is paid to unlock it. US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.” -US-CERT

Security hygiene plays a critical role in guarding against threats of this kind. Sources cited several externally-accessible insecure services as a probable infection vector. These interfaces were reported to the City of Atlanta several times since 2013. Attackers likely bought credentials to access the organization on the dark web and then used a tool to deliver the malware. The malware authors are demanding $51,000 to decrypt the affected systems. In a commendable tactical move, the City of Atlanta has brought-in outside consultants to conduct remediation work.

Due to the exposure of patient health data, in July of 2016 U.S. Health and Human Service, Office of Civil Rights issued guidance declaring ransomware infection encrypting Protected Healthcare Information (PHI) a reportable breach which brings along with it fines, increased audit scrutiny and possible jail time.

Recommendations:

Mitigation:

US-CERT has provided the following recommendations and best practices:

Segregate networks and functions.
Limit unnecessary lateral communications.
Harden network devices.
Secure access to infrastructure devices.
Perform out-of-band network management.
Validate integrity of hardware and software.

Additionally, the following technologies should be leveraged for protection.
- Firewalls with application sandboxing
- Intrusion Detection & Protection Systems (IDS/IPS)
- Antivirus
- Endpoint Protection Software with Sandboxing
- Email security gateways
- Web URL Filtering
- SIEM for early detection and reaction
- Mobile Device Management systems