As noted in our monthly updates, ransomware is a destructive class of cyber-attack that only seems to be gaining traction. It threatens an organization's active data, backup data, system configurations, and baseline operating systems alike.
NIST & NCCoE Publish Guidelines for Ransomware
NIST and its National Cybersecurity Center of Excellence (NCCoE) have partnered to provide guidance on recovering from ransomware.
The complete guide is NIST SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events.
“This project explores methods to effectively recover operating systems, databases, user files, applications, and software/system configurations. It also explores issues of auditing and reporting to support recovery and investigations.”
“The goal of this effort is to help organizations identify:
- Altered data, as well as the date and time of alteration
- The identity of those who alter data
- Other events that coincide with data alteration
- Any impact of the data alteration
- The correct backup version (free of corrupted data) for restoration”
IT security professionals will find this practical guide helpful for verifying the integrity of backup data, reducing the impact and downtime of a ransomware attack, and keeping operations running through an incident.
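The last of those goals, picking a backup that is free of corrupted data, is the one IT teams hit first during recovery. The following Python is an added example, not code from NIST SP 1800-11 or from this post: it audits a series of constructed backup snapshots (path-to-SHA-256 maps taken at known times) against a known-good baseline and an approved-change log, flags altered data, names the user behind each expected change, bounds when the unexpected alteration happened, and picks the latest snapshot that is safe to restore. The ".locked" suffix, the file names, the hashes and the approved-change log are all assumptions made for the example.

```python
"""Audit backup snapshots and pick the last clean one to restore.

Added example, not code from NIST SP 1800-11 or the original post.
Snapshots are constructed in-line as {path: sha256} maps taken at known
times; a real run would build them from a backup catalog or by hashing
the files in each restore point. Two corruption signals are used:
a hash that differs from the last known-good baseline without an
approved-change record, and a filename suffix the encryptor appends
(".locked" here, an assumption for this example).
"""
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


RANSOM_SUFFIX = ".locked"  # assumption: extension the encryptor appends

# Constructed known-good baseline, e.g. hashes recorded at the last audit.
BASELINE = {
    "docs/contract.docx": sha256_hex(b"contract v1"),
    "db/ledger.sqlite": sha256_hex(b"ledger v1"),
    "config/app.yml": sha256_hex(b"config v1"),
}

# Constructed approved-change log: (path, new hash) -> user who made it.
# This is what lets the audit say who altered data, not just that it changed.
APPROVED = {
    ("db/ledger.sqlite", sha256_hex(b"ledger v2")): "dba_jane",
}

# Constructed nightly snapshots; the third one was taken after the attack.
SNAPSHOTS = [
    (datetime(2017, 8, 21, 1, 0), dict(BASELINE)),
    (datetime(2017, 8, 22, 1, 0),
     {**BASELINE, "db/ledger.sqlite": sha256_hex(b"ledger v2")}),
    (datetime(2017, 8, 23, 1, 0), {
        "docs/contract.docx.locked": sha256_hex(b"ciphertext A"),
        "db/ledger.sqlite": sha256_hex(b"ledger v2"),
        "config/app.yml": sha256_hex(b"ciphertext B"),
    }),
]


def audit_snapshot(snapshot, baseline, approved, suffix=RANSOM_SUFFIX):
    """Compare one snapshot with the baseline.

    Returns (blocking, info): blocking lists alterations nobody approved
    (corruption indicators) as (path, reason); info lists expected changes
    as (path, "changed by <user>").
    """
    blocking, info = [], []
    for path, digest in snapshot.items():
        if path.endswith(suffix):
            blocking.append((path, "ransomware extension"))
        elif path not in baseline:
            blocking.append((path, "unexpected new file"))
        elif digest != baseline[path]:
            user = approved.get((path, digest))
            if user:
                info.append((path, f"changed by {user}"))
            else:
                blocking.append((path, "unapproved content change"))
    for path in baseline:
        # A file the encryptor renamed appears as missing here and as a
        # ".locked" entry above; a plain deletion is just missing.
        if path not in snapshot:
            blocking.append((path, "missing"))
    return blocking, info


def last_clean_snapshot(snapshots, baseline, approved):
    """Walk snapshots in time order and stop at the first corrupted one.

    Returns (clean_time, clean_snapshot, first_corrupt_time); the data
    alteration happened between clean_time and first_corrupt_time.
    clean_time is None when even the oldest snapshot is corrupted.
    """
    clean_time, clean_snap = None, None
    for taken_at, snap in sorted(snapshots, key=lambda s: s[0]):
        blocking, _ = audit_snapshot(snap, baseline, approved)
        if blocking:
            return clean_time, clean_snap, taken_at
        clean_time, clean_snap = taken_at, snap
    return clean_time, clean_snap, None


if __name__ == "__main__":
    for taken_at, snap in SNAPSHOTS:
        blocking, info = audit_snapshot(snap, BASELINE, APPROVED)
        print(taken_at, "blocking:", blocking, "info:", info)
    clean_time, _, corrupt_time = last_clean_snapshot(SNAPSHOTS, BASELINE, APPROVED)
    print("restore from", clean_time, "; corruption occurred before", corrupt_time)
```

The audit deliberately treats an unexplained hash change the same way as a ransomware extension: a backup that silently captured encrypted or tampered content is exactly what the guide warns against restoring. The approved-change log is the piece most shops lack; without it, every legitimate edit since the baseline looks like corruption and the audit will push you to an older restore point than necessary.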
Bitpaymer Ransomware Wreaks Havoc on Scottish Hospitals
A new version of the Bitpaymer ransomware is spreading over Remote Desktop Protocol (RDP). NHS Lanarkshire was hit by it, the organization's second ransomware attack this year.
NHS Lanarkshire is part of Britain's National Health Service and was victimized in May by the WannaCry ransomware outbreak.
When it discovered the Bitpaymer attack, NHS Lanarkshire alerted the public on Facebook, noting IT problems and disruption to services, and quickly followed up with a warning to patients seeking care at the emergency department.
NHS Lanarkshire promptly activated its contingency plan, and within a few days the IT team had restored most of the affected systems. The hospital did not pay the ransom.
The new version of Bitpaymer slipped past anti-virus defenses unnoticed. Once running, it encrypts the victim's files and saves them with a '.locked' extension.
Below is the Bitpaymer ransom message:
Bitpaymer is known to spread over Remote Desktop Protocol (RDP). Attackers scan for internet-exposed endpoints with RDP enabled and brute-force username and password combinations. They then use an ordinary RDP client to log in to the target PCs and servers and install the ransomware by hand.
Bitpaymer is looking to catch big fish: the attackers behind the new version target larger companies and organizations, which is reflected in the ransom demand of 50 Bitcoins, currently worth about $235,000.
IT teams will want to secure every endpoint where RDP is enabled: do not expose RDP directly to the internet (put it behind a VPN or a Remote Desktop Gateway), enforce strong passwords and account lockout, enable Network Level Authentication, and add multi-factor authentication. Watch the Windows Security log as well: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from a single source address is the brute force in progress, and a successful logon (Event ID 4624) from that same address right after the burst means a guess worked.
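That log pattern is easy to check for. The following Python is an added example, not code from the original post: it runs a sliding-window count of failed RDP logons per source address over a constructed, simplified export of Windows Security events and reports which accounts were tried and whether a successful RDP logon from the same address followed the burst. The Event IDs and field names are the real Windows ones; the one-line-per-event layout, the sample addresses and accounts, and the thresholds are assumptions made for the example.

```python
"""Flag RDP password guessing in exported Windows Security events.

Added example, not code from the original post. The input is a
constructed, simplified export of Windows Security log events as one
key=value line per event. Field names (EventID, LogonType,
TargetUserName, IpAddress) follow the Windows event schema: 4625 is a
failed logon, 4624 a successful one, and LogonType 10 (RemoteInteractive)
is an RDP session. The line layout and the thresholds are assumptions
made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of guesses from one address that ends in a
# successful logon, one ordinary user typo, and one non-RDP failure.
SAMPLE_EVENTS = """\
2017-08-25T02:14:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-08-25T02:14:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-08-25T02:14:07 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23
2017-08-25T02:14:09 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.23
2017-08-25T02:14:11 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-08-25T02:14:13 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-08-25T09:01:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5
2017-08-25T09:01:30 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5
2017-08-25T09:05:00 EventID=4625 LogonType=3 TargetUserName=svc IpAddress=10.0.0.9
"""


def parse_event(line):
    """Turn one exported line into a dict; the timestamp becomes 'ts'."""
    ts_str, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def detect_rdp_brute_force(text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose failed RDP logons reach
    `threshold` within `window`. Each alert records the usernames tried
    and, if a successful RDP logon from that IP followed, which account
    the attacker got into (the case that needs immediate response)."""
    events = sorted(
        (parse_event(line) for line in text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(list)   # ip -> failures inside the sliding window
    alerts = {}
    for event in events:
        if event.get("LogonType") != "10":
            continue              # only RDP (RemoteInteractive) logons
        ip = event["IpAddress"]
        if event["EventID"] == "4625":
            recent[ip] = [f for f in recent[ip] if event["ts"] - f["ts"] <= window]
            recent[ip].append(event)
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["usernames"].add(event["TargetUserName"])
            elif len(recent[ip]) >= threshold:
                alerts[ip] = {
                    "ip": ip,
                    "first_failure": recent[ip][0]["ts"].isoformat(),
                    "failures": len(recent[ip]),
                    "usernames": {f["TargetUserName"] for f in recent[ip]},
                    "success_after": None,
                }
        elif event["EventID"] == "4624" and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (event["TargetUserName"], event["ts"].isoformat())
    for alert in alerts.values():
        alert["usernames"] = sorted(alert["usernames"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the single user who mistypes a password once is ignored, the LogonType 3 (network) failure is ignored because it is not an RDP session, and the guessing run from 198.51.100.23 is reported together with the account it eventually got into. In production the same logic belongs in a SIEM rule keyed on the 4625 source address, with the threshold tuned below whatever account-lockout policy is in force so the alert fires before the attacker is slowed down rather than after.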
PrincessLocker Brings Exploit Kits Back into Fashion
PrincessLocker isn't a fun game with rainbows and unicorns. It's a ransomware strain that encrypts the files on a victim's PC.
First spotted in September 2016, it had a weakness in its code that let researchers quickly build a decryptor for victims. The attackers have since fixed that weakness, and the ransomware is popping up on the radar again.
Below is the PrincessLocker ransom message:
Exploit Kit Distribution
The notable feature of this PrincessLocker campaign is its use of the RIG exploit kit to deliver the malware.
Exploit kits are attack frameworks hosted on compromised or attacker-controlled websites. A landing page fingerprints each visitor's browser and plug-ins and, if it finds a vulnerable version, silently serves an exploit for it; nothing beyond loading the page is required of the user.
Attackers often use spam or phishing emails to steer victims to that page, which is one reason clicking links in unsolicited email is dangerous. In this case, if RIG finds one of the flaws it carries for Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) or Flash Player (CVE-2015-8651), it drops PrincessLocker, which then encrypts the machine.
Browser vendors have hardened their code against these attacks, and every CVE in that list was patched between 2013 and 2016. The continued use of exploit kits shows that unpatched browsers and plug-ins are still common. Keeping Internet Explorer and Flash Player patched, or removing Flash where it isn't needed, takes this campaign off the table.