Automation is a big theme at Cyber Crucible. Embracing it helps individuals in the Security Operations Center (SOC) get more impact out of the great work they’re already doing. Why? We can’t always scale our talented human personnel to cover everything that needs to get done: tasks, alerts, incidents, and other projects create a bandwidth issue. In fact, one could argue it’s humanly impossible to do so.
With respect to ransomware, we’re seeing a lot of information in the news about ransomware attacks, and the attackers are using automation themselves. It’s important to note that it takes a very small, almost thoughtless action to cause a whole lot of damage inside a company or organization. We intend to help you and your team fight back.
This webinar covers three ransomware cases that made the news in 2019: (1) the City of Baltimore, which impacted CEO Dennis Underwood personally as a resident of Baltimore; (2) the two Florida city cases, which, despite both being in Florida, did not involve the same type of ransomware or the same impact; and (3) the Norsk Hydro case, an aluminum manufacturer based in Europe whose global operations were impacted by ransomware.
Dennis then talks about the different ransomware tradecraft, which has been challenging to keep up with because of the sheer variety of ransomware. Gone are the days when an organization could simply restore backups or run a free decryptor tool. Finally, Dennis walks us through the demo of the ransomware decryptor capability, followed by open Q&A.
Many more ransomware attacks are happening than are being announced in the news. As an information security community, we focus on the public cases because those are the ones that were required to be made public. Multiple cities have been hit in 2019…
In June 2019, the security world got news that Riviera City, Florida would pay $600k to meet a ransomware demand (security consultants even advised them to pay up). How did the malware get into the network? A police officer opened a malicious email. The impact? Staff couldn’t get paid. 911 calls couldn’t get logged. The city had to make a large insurance claim to cover the cost. In Lake City, Florida, the ransomware was Ryuk and the city paid a $460,000 ransom. It was actually cheaper for them to pay. A cyber insurance claim covered the cost. The ransoms were paid simply because that was the quickest way of getting back into business.
Baltimore was hit with an advanced piece of ransomware with properly implemented encryption that took down the city’s ability to generate revenue and to do collections. They chose not to pay the ransom, which of course is everyone’s right, and they have incurred a financial penalty for that: we’re up to $18 million so far. Staff depended on manual workarounds, and water billing was affected. There is some question of whether paying the ransom or not was a smart decision, and that’s a horrible, horrible place to be.
And, of course, there is the Norsk Hydro case. They also chose not to pay the ransom and not to give additional revenue to the attackers, despite the costs and fines rapidly escalating above a million dollars. Norsk Hydro has lost some ability to conduct business operations and produce aluminum. Attackers are learning in 2019 that they can charge more and get away with it.
What are the attackers doing? They’re being patient and navigating their attack slowly and methodically throughout the business. They find out where the business’s most valuable data is, and they make sure that access to backups is not available. They use automation to delete information outright or to encrypt the backups themselves. Then the infection moves within the organization’s infrastructure: it might start on a workstation, say in sales, then automatically navigate to a network share, such as a file server, and finally make the malware available to infect someone else across the business, such as in accounting. Those network shares and file servers are also being automatically encrypted. So, we have a combination of advanced breach behaviors along with sabotage-style exploitation that denies recovery resources to the target organization.
Unfortunately, we’re seeing that free decryptor tools aren’t adequate. They were great resources against older ransomware versions, but 2019’s advanced attackers also see the free decryptors and iterate against their capabilities. As a result, it’s increasingly difficult to use the free decryptor tools that are out there. The “good old days” are gone in most advanced cases.
This demo shows how a junior resource can change the impact of ransomware attacks. Of special note: the LockerGoga ransomware that was used in the Norsk Hydro aluminum manufacturer attack was actually using some of the same encryption techniques that we demonstrate here. For the demo, we chose strong encryption, which is the reality of what organizations are facing today. Free tools and a perfect backup process cannot perfectly defend against ransomware in 2019.
This part of the demo shows that licensing is on an eCommerce model: licenses are easy and painless to purchase and can be assigned to agents to install on devices. The software creates the agent and assigns it a license automatically. Then, the software configures the high-security settings and variables so that communication with the cloud can occur very quickly and easily. We download the agent, then run the ransomware to show what it can do…
Once that agent is running on the endpoint, it does very targeted collection of what we call “crypto variables” and potential crypto variables. In the demo you see ransomware being run while the ZenSiphoner agent works in the background collecting data about the attack. We see an attack started against the victim, and text files on the victim’s desktop are turned into encrypted blobs which cannot be read. The attacker is using very strong, NIST-standardized AES 256-bit encryption. The variables are randomly generated, which means you can’t just take the keys and variables from one machine and apply them to another. In addition, there are unique variables per file, so you can’t even take one key or one set of variables and expect it to work on all files.
In the demo, you see the Ransomware Rewind product applying our machine learning algorithms in the agent, along with a lot of heavy lifting in the cloud. The combination of on-device analytics and in-the-cloud analytics provides a capability to actually decrypt quickly and easily.
During an attack, if systems and files get encrypted, the customer is able to submit the targeted file to Ransomware Rewind for decryption. The software asks the security analyst to give us a little more detail about what it is (file type, names, content, size, etc.). If the analyst doesn’t have these pieces of information, such as the original file name, that doesn’t stop us. The information simply helps us be more efficient in our actual processing. The demo shows an uploaded PNG image file.
Finally, the demo shows us downloading the decrypt program and then using a variety of variables; in this case, despite all of the advanced protections of the ransomware, we were able to successfully decrypt and bring the business back online.
[A] Cyber Crucible is providing a capability with Ransomware Rewind that helps you get one step ahead of the hackers, that is effective against the modern versions of the ransomware that we’re seeing people struggle against. It will work against the old ones as well as the new ones. How? We use a whole bunch of machine learning and encrypted analytics to even remove that uncertainty from victims, where they don’t have to try to figure out what the similar version is. You as the client provide older versions and newer versions of ransomware and we’re able to come back with the decryption very quickly and easily, just like we showed.
[A] There is no easy button, unfortunately. This is a very difficult risk management situation, so we’re using Cyber Crucible automation to provide a cleaner risk management program for businesses. It’s no longer a situation where they have an almost certainty of having a payout of an uncertain amount. We’re turning ransomware and the entire breach environment and breach strategy into something that can be managed effectively. With our deployment it’s easy to understand what’s going on and provide immediate value to businesses that are hit. It’s a programmatic approach to the technology, and the decryptor capability is one component of being prepared. We would love to have a training component and services component associated with Cyber Crucible sales, because unlike in breach circumstances, the ransomware is a bit of a bomb where there’s not really a chance to learn many lessons before you’re possibly paying dearly.
[A] Right now, even when you do pay a fine, we don’t necessarily know what that fine will guarantee, or whether the attacker-provided decryptor will even work. I think what we’re going to see is attackers using automation. More victims and businesses will be targets for ransomware in a more sophisticated way; for example, smaller and mid-sized businesses will be viable targets. We’re going to see that automation help refine the decision on whether the decryptor is going to work or not, whereas right now there are questions about whether the hacker-provided or freeware decryptor will even work right. I think that uncertainty will go away over time. So, we’ll know that the decryptor works, but it’s gonna be twice the cost. Before, it was arbitrarily a five million dollar fine; I do see the attackers starting to be more savvy about knowing how much money the business actually has and charging accordingly.