Ransomware [edited title]

Two important industries were recently hit with ransomware.
Do we know how they were infected? Were the infecting PCs running an admin account? Were backups unavailable?

There have been many industries recently hit by ransomware. For healthcare it’s so common it’s going on all the time and rarely makes the news anymore.

Speaking generally, most of the time the infections come through malicious emails. Also, backups are often available but restoring them can take days and companies will sometimes opt to pay the ransom rather than endure 2 or 3 days of downtime.

Which two ransomware breaches are you referring to?

This one I imagine:

The world’s largest meat processing company has been targeted by a sophisticated cyber-attack.

Computer networks at JBS were hacked, temporarily shutting down some operations in Australia, Canada and the US, with thousands of workers affected.

The company believes the ransomware attack originated from a criminal group likely based in Russia, the White House said.

The attack could lead to shortages of meat or raise prices for consumers.

9 times out of 10 the ransomware arrives as an attachment or link in an email. The simplest ones only attack the files the local user has access to - sometimes, these include the common shared files. This is why proper security restrictions, and particularly offline backups, are necessary. Email programs now, and Windows, will try to restrict what files can be opened from an email.

A more insidious trick is to do something like this, use it to take over the client PC (or get remote access), and proceed from there. Quite often, for simplicity or to accommodate bad programming, a user will be local admin on their PC. The hacker will try to learn more in depth about the business and network to better target the enterprise.

So, getting control with their userid allows access to the local password token database. The hacker downloads this - it’s encrypted to tokens, so it’s not directly readable. Run a dictionary attack - usually, easy-to-guess passwords are a single word with a character or two on the end - say, beachball9! - so by encrypting each word in the dictionary in turn along with a few characters, you can find a significant number of passwords. With modern PCs this might take a few days or a week. The token database may contain the passwords of any domain user who has logged in during the last 30 days, so it may contain the domain admin password.

Unless the user logins are restricted, once the hacker is in, they can access other non-server PCs - so try a bunch of other PCs to try to find the domain admin.

Meanwhile, look for service accounts (like “postmaster”, let’s say) where perhaps the password is the userid.

Then there may be flaws in Windows, not yet patched, that allow admin access without doing all this hacking. Assorted researchers are finding these holes regularly, and Microsoft usually patches them fairly fast, but some enterprises don’t keep up to date on Windows updates, which is why Windows 10 is pretty much forcing out updates regularly.

If a hacker can get domain admin access, it’s pretty much over. If there are online backups - i.e. to a disk repository - then those can be scrambled too, making it impossible to fix things with a simple restore. If they’ve had hidden control for a while, who knows what’s hidden in the backups. Also, once a system has been compromised, it should be rebuilt from scratch - you have no idea what insidious software may be hidden. Just doing a “clean” is possible, but a risk. But rebuilds for most enterprises include installing a raft of application software, and the reconfiguration, so a restore is not a simple thing - now multiply that by every PC in the organization.

Consider, too - that when it’s a meat packer, they have computers tracking every animal for health reasons. If it’s a pipeline, computers could be the controllers of the assorted pumps and valves, so those specialty software controls have to be reinstalled and reconfigured. Not to mention databases for suppliers, customers, contracts, shipments, etc. etc.

To understand the mess - Recall every so often there would be a glitch with some airline’s computer system. That meant people would show up at the airport, but the airline could not print boarding passes, list who was going on flights, and in the era of electronic ticketing, there were limited opportunities to use paper substitutes. The planes were fueled, staffed, ready to go - but the computers could not put people onboard.

Every hacked company has a similar dilemma. Worse yet, imagine if the phone system was VoIP managed in the same domain…now the company phones don’t even work…
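The weak-password patterns described above (a dictionary word with a character or two appended, a service account whose password is its userid) are cheapest to stop at the moment a password is set. The Python check below is an added example, not code from anyone in this thread; the tiny word list, the look-alike substitution table and the 12-character floor are assumptions, and a real deployment would load a full dictionary or breached-password list in place of the constructed one.

```python
"""Password-set-time check for the weak patterns discussed in the thread.
Added example; the word list, substitutions and thresholds are assumptions."""
import re

# Constructed stand-in for a full dictionary / breached-password list.
DICTIONARY = {"beachball", "password", "summer", "welcome", "company", "letmein"}

# Common look-alike substitutions undone before the dictionary lookup,
# so "P@ssw0rd1" is treated as "password" + "1".
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})

# A core that ends in a letter, followed by a tail of non-letters ("9!", "2021", "!").
_CORE_TAIL = re.compile(r"(.*?[A-Za-z])([^A-Za-z]*)")


def dictionary_core(password: str):
    """Return the normalised dictionary word a password is built from, or None."""
    m = _CORE_TAIL.fullmatch(password)
    if not m:
        return None                      # no letters at all: nothing to look up
    core = m.group(1).translate(LOOKALIKES).lower()
    return core if core in DICTIONARY else None


def weak_reason(password: str, userid: str):
    """Return a human-readable reason the password is weak, or None if it passes.
    Checks run from the most specific pattern to the least."""
    if password.lower() == userid.lower():
        return "password equals userid"
    word = dictionary_core(password)
    if word:
        return f"dictionary word '{word}' plus suffix"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


if __name__ == "__main__":
    for pw, uid in [("beachball9!", "jsmith"), ("postmaster", "postmaster"),
                    ("P@ssw0rd1", "jsmith"), ("gravel-teapot-monsoon-38", "jsmith")]:
        print(f"{pw!r:30} -> {weak_reason(pw, uid)}")
```

The order of the checks matters: a short password built on a dictionary word is reported as the dictionary pattern, which is the more useful message for the user, and the length floor only applies to passwords that survive the pattern checks.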

@bob_2 already noted the recent one at JBS. The other would be last month’s attack on Colonial Pipeline, which runs a key petroleum pipeline in the eastern U.S., which was an even bigger news story at the time here in the U.S. – it caused a week or so of panic buying (and an associated spike in prices) of gasoline.

My understanding is that the systems actually operating the pipeline for Colonial Pipeline weren’t affected but what was unavailable was its billing system. In other words, they could have continued to supply fuel but could not track who needed to be billed.

I have strong feelings about paying the ransom and see it as funding future ransomware hacks.

Colonial Pipeline paid the ransom even though they had backups available. Then they discovered the decryption tool provided by the hackers was so slow it was faster to restore the backups. What a cluster.

I’m surprised there hasn’t been any attempts at (probably illegal) retaliation by one or more of these companies.

I assume they leave that up to the US government which can act with more impunity.

What seems weird to me is that this hasn’t become a much more solved problem. It seems like anything that’s going through and reading every file on the drive and replacing it or significantly changing it should be detectable. And that any place where security is important would have an EXE whitelist and not allow even the possibility of running something from an email. And, of course, you’d have backups with version history on everything.

Thus I wonder how many of these places that get hit have all the protections in place. Heck, I wonder how many run some sort of anti-ransomware program at all. Is it really that we can’t stop this stuff, or are low security targets being hit?
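One way to build the detection the post asks for is to watch the file-write stream per process: a process that rewrites many distinct files within a minute with output that looks like ciphertext, or that renames them all to one new extension, is the behaviour to alert on. The Python below is an added example, not code from this thread or from any product; the event format, the thresholds, the process names and the allowlist are assumptions, and the sample events are constructed.

```python
"""Behavioural ransomware detector over a constructed file-write event stream.
Added example. Signals: many distinct files rewritten by one process inside a
short window, plus either high-entropy output (ciphertext) or a mass rename to
one new extension. Processes on an allowlist of known-good binaries are skipped."""
import hashlib
import math
from collections import defaultdict

WINDOW_SECONDS = 60      # sliding window per process (assumption)
MIN_FILES = 20           # distinct files rewritten before the window is scored
HIGH_ENTROPY = 7.0       # bits per byte; plain documents sit around 4-5
RENAME_SHARE = 0.9       # share of writes renamed to one new extension
ALLOWLIST = {"backup_agent.exe"}   # hypothetical known-good binary names


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events):
    """Return (process, distinct_files, mean_entropy, rename_share) for each
    process whose write pattern inside one window looks like bulk encryption."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["process"] not in ALLOWLIST:
            by_proc[ev["process"]].append(ev)
    alerts = []
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            files = {e["path"] for e in window}
            if len(files) < MIN_FILES:
                continue
            mean_ent = sum(shannon_entropy(e["data"]) for e in window) / len(window)
            new_exts = [e["renamed_to"].rsplit(".", 1)[-1]
                        for e in window if e.get("renamed_to")]
            share = max(new_exts.count(x) for x in set(new_exts)) / len(window) if new_exts else 0.0
            if mean_ent >= HIGH_ENTROPY or share >= RENAME_SHARE:
                alerts.append((proc, len(files), round(mean_ent, 2), round(share, 2)))
                break                      # one alert per process is enough
    return alerts


# --- constructed sample stream --------------------------------------------
def _random_bytes(seed: int, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext or compressed data."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


TEXT = b"Quarterly report: revenue up three percent on the prior period. " * 16


def sample_events():
    evs = []
    # Word saving a few documents: few files, low entropy.
    for i in range(3):
        evs.append({"ts": 10 + i, "process": "winword.exe",
                    "path": f"\\\\fs1\\finance\\report{i}.docx", "data": TEXT})
    # Log rotation: many files, but plain text and no renames.
    for i in range(30):
        evs.append({"ts": 20 + i, "process": "log_rotator.exe",
                    "path": f"C:\\logs\\app{i}.log", "data": TEXT})
    # Backup agent writing compressed chunks: high entropy, but allowlisted.
    for i in range(30):
        evs.append({"ts": 20 + i, "process": "backup_agent.exe",
                    "path": f"D:\\backup\\chunk{i}.bin", "data": _random_bytes(i)})
    # Unknown binary rewriting every share file with ciphertext and a new extension.
    for i in range(40):
        evs.append({"ts": 100 + i * 0.5, "process": "invoice_viewer.exe",
                    "path": f"\\\\fs1\\finance\\invoice{i}.xlsx",
                    "renamed_to": f"\\\\fs1\\finance\\invoice{i}.xlsx.locked",
                    "data": _random_bytes(1000 + i)})
    return evs


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print("ALERT", alert)
```

The allowlist is not decoration: backup and compression tools legitimately write high-entropy data to many files, so entropy alone would page on every nightly job. That is where the EXE allowlist the post mentions and behavioural detection reinforce each other, and why the file count, the rename pattern and the entropy are scored together rather than any one of them alone.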

Yes, application whitelisting is probably the best protection against ransomware we have right now.

It’s not an easy thing to implement even in medium-size companies though. For large companies I think it would be a nightmare to keep it updated as new applications are adopted. You’d likely have to make regional exceptions as well. Whitelisting doesn’t save you if domain admin credentials are somehow compromised but that’s much less likely to happen.

I’m thinking put your email server on a separate network and read emails on another PC.

I wonder what systems these companies were running. My experiences with manufacturing and other businesses is that they are rarely running the most up-to-date systems. You and I might want the latest gadgets but large companies do not operate the same way.

Keeping a corporation with a wide number of sites updated with new stuff costs money, a lot of money, and the bean counters (accountants) need real justification before they will buy into the need for new systems, both software and hardware. So the old stuff keeps going until it is no longer supported or some other reason comes along. Living in a 5G world with a flip phone, because it still works.

While I’m sure it’s very hush hush, I do wonder how often there’s sabotage involved by an internal employee.

Definitely not at liberty to say much, but I do know this happened at a large financial firm I worked for.

I haven’t been in the business in seven years - but it is nearly impossible. I wasn’t doing application whitelisting for security reasons, my job was software licensing. I really didn’t want our users downloading software we didn’t own - or for which THEY didn’t have a license. But “they need the flexibility to do their job” and “IT doesn’t know which software they NEED.”

The first company I worked with managed to push it through - all software needed to be installed through our installation mechanisms. The second was hopeless. Not only couldn’t they control their end users - 30% of their Windows Server installations were just illegal and their annual Oracle true up was “SURPRISE!”

Against who? First they’d have to figure out who to hit.

The first really serious cyber incident I had to deal with (that is, with management responsibility for the incident) was ransomware, just after I joined the company.
The outgoing manager had some weird ideas about security, and had implemented them (for example, he issued everyone’s AD passwords, nobody could change their password and he had a list of them all in his wallet).
He had set up the network shares with granular permissions by department, which was sort of right, but he hadn’t assigned any granular permissions to the users, so they all had access to everything.

One user clicked a malicious link in an email, the ransomware ran on their machine.
Because of another weird thing where the previous guy used to jump onto a user’s machine and remotely access servers, other computers, file shares and the like, and because he did this in a way that left persistent privileges, the malware spread directly from that machine to several others. It ran on a total of 7 machines and in the space of half an hour or so, encrypted all of the files on all network shares for all departments.
Fortunately, he had implemented decent backups and replication that happened to work in such a way as to be quite resistant to attack by the ransomware, so all but a few recent saves to files were recoverable. The company was unable to function for 2 whole days while we brought everything back into service carefully.

As I understand it, links in email are still the most popular vector for this sort of attack. Not all small businesses come back from it.
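The backup arrangement credited above (replication the ransomware could not scramble, at the cost of losing a few recent saves) comes down to two properties: the client can only add snapshots, never rewrite or delete earlier ones, and the restore picks the last snapshot taken before the bulk rewrite. The Python below is an added example, not the poster's setup or any product's code; the store, its churn threshold and the sample files are constructed, and the "ciphertext" is just unrelated bytes standing in for encrypted content.

```python
"""Append-only, versioned backup store (added example, not from the thread).
The client-facing API can only add snapshots: there is deliberately no call
that rewrites or deletes existing blobs, so a later snapshot full of encrypted
files cannot destroy an earlier one. Blobs are content-addressed, so unchanged
files cost nothing to re-snapshot."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    snap_id: int
    taken_at: int          # constructed timestamp, seconds
    manifest: dict         # path -> sha256 hex of the file content


@dataclass
class BackupStore:
    blobs: dict = field(default_factory=dict)        # sha256 hex -> bytes
    snapshots: list = field(default_factory=list)    # append-only history

    def write_snapshot(self, files: dict, taken_at: int) -> int:
        """Client call: record a full view of the files. Returns the snapshot id."""
        manifest = {}
        for path, content in files.items():
            digest = hashlib.sha256(content).hexdigest()
            self.blobs.setdefault(digest, content)   # never overwrites an existing blob
            manifest[path] = digest
        snap = Snapshot(len(self.snapshots), taken_at, manifest)
        self.snapshots.append(snap)
        return snap.snap_id

    def restore(self, snap_id: int) -> dict:
        """Rebuild the file set exactly as it was in the given snapshot."""
        snap = self.snapshots[snap_id]
        return {p: self.blobs[h] for p, h in snap.manifest.items()}

    def changed_share(self, snap_id: int) -> float:
        """Fraction of files whose content differs from the previous snapshot.
        Normal churn is a few percent; a jump to ~1.0 is a bulk rewrite."""
        if snap_id == 0:
            return 0.0
        prev = self.snapshots[snap_id - 1].manifest
        cur = self.snapshots[snap_id].manifest
        paths = set(prev) | set(cur)
        changed = sum(1 for p in paths if prev.get(p) != cur.get(p))
        return changed / len(paths) if paths else 0.0

    def last_clean_snapshot(self, max_changed: float = 0.5) -> int:
        """Walk back from the newest snapshot to the first whose delta looks
        like daily churn rather than a bulk rewrite (threshold is an assumption)."""
        for snap in reversed(self.snapshots):
            if self.changed_share(snap.snap_id) <= max_changed:
                return snap.snap_id
        return 0


def _junk(seed: str, size: int = 64) -> bytes:
    """Stand-in for ciphertext: deterministic bytes unrelated to the original."""
    return (hashlib.sha256(seed.encode()).digest() * 2)[:size]


def demo():
    """Night 1 snapshot, a daytime edit, a bulk rewrite, night 2 snapshot, restore."""
    store = BackupStore()
    originals = {f"finance/doc{i}.docx": f"document {i} contents".encode() for i in range(10)}
    store.write_snapshot(originals, taken_at=0)                      # night 1
    working = dict(originals)
    working["finance/doc3.docx"] = b"document 3 contents, revised"    # never backed up
    scrambled = {p: _junk(p) for p in working}                        # every file rewritten
    bad = store.write_snapshot(scrambled, taken_at=86400)             # night 2, faithfully stored
    clean = store.last_clean_snapshot()
    recovered = store.restore(clean)
    return {
        "clean_snapshot": clean,
        "bad_snapshot": bad,
        "changed_share_bad": store.changed_share(bad),
        "recovered_all_originals": recovered == originals,
        "lost_revision": recovered["finance/doc3.docx"] != working["finance/doc3.docx"],
        "blobs_stored": len(store.blobs),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the demo makes concrete. The store has to live on the backup side with the client holding only an add-snapshot credential; a repository mounted as a writable share is the "online backup to a disk repository" that an earlier post says gets scrambled along with everything else. And the revision made between snapshots is gone after the restore, which is exactly the "all but a few recent saves" outcome described above: the snapshot interval is the recovery point, and shortening it is the only way to lose less.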

I asked my daughter about security where she works in international financial services.

Emails come in on a dedicated system and have no physical link to the main database. There is an internal communication system as they talk to companies all over Europe and N America.

None of the computers in the office have vacant ports - USB or anything else.

Mobile phones are not allowed in the office.

She didn’t know about backups.

Is there a second PC for each user dedicated to email?

New attack on the Martha’s Vineyard and Nantucket ferry service.