AUSTIN -- Security professionals at the (ISC)2 Security Congress discussed how ransomware attackers have enhanced their techniques and moved beyond simple phishing emails to spread infections.
Ondrej Krehel, founder and CEO of infosec forensics company LIFARS, LLC, based in New York, spoke about his experiences with more advanced ransomware attackers during an (ISC)2 session. He highlighted the recent example of a Samsam ransomware variant that struck a number of companies earlier this year, including healthcare organizations such as the non-profit MedStar. Instead of attacking endpoint systems through phishing emails, the Samsam campaign, also known as Samas, targeted organizations running vulnerable versions of JBoss and used the flaws to gain access to the servers.
Once the ransomware attackers gained access to a network, they began deploying web shells on the servers. And instead of infecting those servers with Samsam immediately, they waited and moved throughout the compromised network. Krehel said this led to devastating consequences for one healthcare company that LIFARS worked with following a Samsam attack.
"The victim we had had their whole data center encrypted, meaning 400 servers in less than eight hours," he said. "For almost three months, they had web shells deployed."
While the client had their systems backed up, Krehel said the scale of the attack brought the organization to its knees because it wasn't feasible to restore 400 critical servers in a timely manner. LIFARS also discovered another complicating factor with the client; while the company had deployed security patches for its JBoss installation, the patches were deployed in the wrong sequences, which kept the vulnerabilities open.
Krekel said the Samsam group was interesting because it evolved from a simple ransomware campaign to "a highly skilled enterprise." LIFARS estimates that the threat group uses around 50 people devoted to finding vulnerabilities and exploits to gain remote access to networks.
In a panel session titled "Ransomware – Tales from the Front Lines," John Carnes, senior advisor, information security at healthcare firm Anthem, cited an example of a non-profit organization that had its file server hard drives tied together. "They lost everything – no backups," he said. "That company dealt with ransomware in a very different form."
Some ransomware operations have learned to look for and infect connected backups. In the panel discussion, Erich Kron, security awareness advocate at KnowBe4, described a ransomware incident at a Texas police department; the police declined to pay the ransomware because the department's data was backed up. "What they found out was, their backups were network accessible and had been encrypted too along with all of the other data," Kron said. "And they ended up having to pay to get it all back."
Ransomware attackers have also wised up about their own vulnerabilities and weaknesses, Krehel said. In the past, cybercriminals would sometimes make encryption mistakes and mismanage their keys, but the more successful ransomware operations have clearly learned from those mistakes. "Attackers are very good about not peering keys anymore, meaning there is no master key," he said.
Defending against sophisticated attacks
Experts at (ISC)2 Security Congress generally agreed that now more than ever, a good backup and disaster recovery strategy is imperative. Kron emphasized the "3-2-1" method for backup, which involves having three sets of data, two different types of media, and one off-site, non-networked backup.
Krehel recommended that enterprises spend more time looking for indicators of compromise like suspicious web-shells because ransomware attackers may already be sitting in a network, waiting for the right time to strike. "The ultimate message here is that you need to be more proactive to scan for those indicators," he said.
In addition to more diligent scanning, Krehel also suggested building an incident response plan that specifically addresses a ransomware attack and has a detailed path to restore encrypted systems with backups. And above all, he advised, enterprises need to stay calm and not overreact to a ransomware attack.
Carnes also preached the virtues of calmness prior to attacks, especially since many enterprise executives seem sufficiently scared of ransomware; he advised attendees to communicate the risks and potential threats of ransomware without getting carried away with fear.
"I think that's where our competence has to leach out to the rest of our organizations to understand that we've been ready and we've been planning," Carnes said. "It's about preparedness and being ready."
Find out how NotPetya ransomware lives off the land
Read more on ransomware evolving into destruction of service attacks
Learn how to use a hacker mindset to improve enterprise security