Director, Risk and Threat Management
James Robinson is responsible for our internal information risk management and threat management programs within information security and is a member of the Office of the CISO for Optiv. Robinson uses real world experiences to help enterprise-level organizations to solve their security and related business issues. He also develops and delivers a comprehensive suite of strategic services and solutions that help CXO executives change their security strategies through innovation.
Ransomware Kill Chain and Controls - Part 2: Once the Crying is Over, the Controls Must Kick In
In the first part of this blog series, we alluded to the impending danger of ransomware campaigns. Those concerns appear justified, given the size of the cyber attack that hit countries worldwide on May 12, 2017. The WannaCry ransomware program, also called WannaCrypt, WanaCrypt0r and Wanna Decryptor, was launched by a group of cyber criminals and caused computers in more than 100 countries to lock up and be held for ransom.
WannaCry spreads primarily through the ETERNALBLUE exploit against Microsoft's SMBv1 implementation; whether it also arrives through traditional ransomware delivery methods such as phishing emails, drive-by downloads and malicious ads has not been confirmed. Microsoft issued the critical patch that closes the underlying vulnerability (MS17-010) for supported systems on March 14, but many organizations had not yet applied it. On May 13 Microsoft also released a patch for out-of-support operating systems, including Windows XP, Windows Server 2003 and Windows 8.
Without the proper controls in place, organizations will continue to fall victim to the next wave of attacks. Using WannaCry as the example, we can break down the steps in the kill chain and look at the countermeasures you can use to protect your organization against each of them.
The Kill Chain Sequence and Controls That Combat Them
Step 1: Package and Delivery – The attackers package their malware, embedding the encryption routine and the key material it needs, and then deliver it. Delivery is either a bait (the user is tricked into running something) or an exploit (an exposed vulnerability launches the attack with no user involved). In traditional ransomware campaigns we typically see phishing emails with infected attachments or links, but delivery could also be a hacked website or a malicious ad. If the user “takes the bait” by clicking on a link or opening an attachment, this triggers the next step. WannaCry needed no bait at all: its exploit path reached any unpatched host it could talk to over SMB.
Controls: Organizations must understand the threat landscape and have the capability to combine reports and intelligence so that they can judge which threats are critical to the enterprise. Employee education is also the front line of defense against ransomware. Right now, people all over the world are being exposed to new threats like WannaCry, which is a great opportunity to educate your employees. Email filtering helps prevent malicious attachments (like booby-trapped PDFs) from gaining entry to the environment. Sandbox technology allows internal incident responders to detonate malware in a safe environment so the company can understand the threats employees face.
Step 2: Load and Run – With traditional ransomware, once an individual clicks on a malicious file, the malware executes its exploit, downloads its payload and installs on the user’s device, or runs entirely in memory. WannaCry works in a similar fashion, though it requires no user interaction at all. Like other ransomware, WannaCry also keeps its working components packed inside the dropper in an encrypted container and unpacks them at run time, which defeats signature-based antivirus that only inspects what is on disk. The user may not know the malware is running and that their device is being taken over until it is too late.
Controls: Strange things often happen on a computer when something malicious is loading or running. If your user base knows how to report and respond quickly, you may be able to get a leg up on the incident. User reporting is a critical part of an effective incident response plan, which also includes a good patching process, among other things. A proactive and continual process of active threat hunting can also provide early visibility.
Step 3: Encryption – WannaCry, like other ransomware, encrypts files on the device to restrict access. This effectively locks the user out of their data or renders the entire device inoperative. Similar to other ransomware campaigns, WannaCry uses RSA-2048 and AES-128-CBC for its encryption routines: each file is encrypted with AES, and the AES key is wrapped with an RSA public key whose private half only the attackers hold. Without that private key the data cannot be recovered by cryptanalysis; recovery depends on backups.
Controls: While no general decryption tool exists for WannaCry and many other ransomware variants, there are early warning tools and processes companies can use to prevent mass encryption during a ransomware attack. Advanced File Integrity Monitoring tools identify changes to files against a known-good baseline. So-called “canary” files act like a canary in a coal mine, hinting at disaster before a full-blown incident occurs: a decoy file that no legitimate process should ever touch is planted where ransomware looks first, and any modification, rename or deletion of it triggers an alert. Because ransomware typically walks directories in order, name canaries so they sort early, and watch for renames and deletions as well as content changes, since many families (WannaCry included) write the encrypted copy under a new extension and delete the original. Harnessing tools like these can help mitigate the effect of a ransomware attack.
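The canary-file control described above, as an added example that is not Optiv's tooling or part of the original post. It assumes a handful of decoy files planted in a directory the monitor can read, takes a SHA-256 baseline while the host is known-good, and then reports canaries that were modified in place, renamed with a ransomware extension, or removed. The file names, directory and the simulated "encryption" in `demo()` are all constructed for the example.

```python
"""Canary-file / baseline monitor (added example, not Optiv's code)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Extensions commonly appended by ransomware; ".WNCRY" is the one WannaCry used.
# The rest are assumed examples of the pattern, not a complete list.
RANSOM_EXTENSIONS = {".wncry", ".wcry", ".wnry", ".locked", ".encrypted"}


def sha256_of(path):
    """Stream a file through SHA-256 so large canaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(canary_paths):
    """Record the digest of every canary while the system is known-good."""
    return {p: sha256_of(p) for p in canary_paths}


@dataclass
class CanaryReport:
    modified: list = field(default_factory=list)   # content changed in place
    missing: list = field(default_factory=list)    # gone, no trace left
    renamed: list = field(default_factory=list)    # (original, suspicious new name)

    @property
    def tripped(self):
        return bool(self.modified or self.missing or self.renamed)


def check_canaries(baseline):
    """Compare the current state of each canary against the baseline."""
    report = CanaryReport()
    for path, digest in baseline.items():
        if os.path.exists(path):
            if sha256_of(path) != digest:
                report.modified.append(path)
            continue
        # File is gone: look for the same name plus a ransomware suffix beside it,
        # which is how WannaCry leaves "report.docx" as "report.docx.WNCRY".
        directory, name = os.path.split(path)
        suspects = [
            os.path.join(directory, f) for f in os.listdir(directory)
            if f.startswith(name) and os.path.splitext(f)[1].lower() in RANSOM_EXTENSIONS
        ]
        if suspects:
            report.renamed.append((path, suspects[0]))
        else:
            report.missing.append(path)
    return report


def demo():
    """Plant canaries in a temp dir, then simulate an encryptor touching them."""
    tmp = tempfile.mkdtemp()
    # "_aaa_" sorts before real documents, so an alphabetical encryptor hits it first.
    names = ("_aaa_canary.docx", "budget_canary.xlsx", "notes_canary.txt")
    canaries = [os.path.join(tmp, n) for n in names]
    for p in canaries:
        with open(p, "wb") as f:
            f.write(b"constructed canary content for " + os.path.basename(p).encode())
    baseline = take_baseline(canaries)
    assert not check_canaries(baseline).tripped      # quiet on a healthy host

    # Simulated attack: overwrite one file, rename one the WannaCry way, delete one.
    with open(canaries[0], "wb") as f:
        f.write(os.urandom(64))
    os.rename(canaries[1], canaries[1] + ".WNCRY")
    os.remove(canaries[2])
    return check_canaries(baseline)


if __name__ == "__main__":
    r = demo()
    print("tripped:", r.tripped, "modified:", r.modified, "renamed:", r.renamed, "missing:", r.missing)
```

In production the monitor would run on a short timer or be driven by file-system change notifications, and a tripped report would feed an automated response (isolate the host, kill the process holding the canary open) rather than just a log line; the detection logic itself is the part shown here.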
Step 4: Replication – Unlike traditional ransomware, WannaCry replicates on its own: it exploits the SMBv1 vulnerability fixed by MS17-010 on unpatched systems, probing TCP port 445 on hosts in the local network and on random Internet addresses, and installs itself on every vulnerable host it finds. This is in addition to encrypting files on network shares mounted as drives, which is how traditional ransomware reaches beyond the infected host.
Controls: Identity and access management (IAM) and network isolation are key controls against WannaCry. Ensuring systems are stratified is a key strategy: end-user workstations should have limited access to mission-critical data, and workstations should not be able to reach each other on port 445 at all. Disabling SMBv1 where it is not needed and blocking TCP port 445 between workstation segments and at the Internet edge remove the path WannaCry uses to replicate. When configuring a network and user base, it is important to remember the concept of least privilege: users should only have access to the bare minimum of data they need to do their job. This keeps damage as small as possible during an incident and has the added benefit of defending against other attacks, like insider threats, as well.
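Threat-hunting logic for the replication step above, as an added example that is not Optiv's code or part of the original post. It assumes flow records (firewall or NetFlow export) in a constructed `key=value` line format and hunts for two things WannaCry's SMB propagation produces: one internal source fanning out to many distinct hosts on TCP/445 within a short window, and any internal host opening 445 toward the Internet. The internal address ranges, the window, the fan-out threshold and every log line are assumptions for the demo.

```python
"""SMB worm-propagation hunt over flow records (added example, not Optiv's code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate ranges; real deployments list their own allocated networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed record format: "<iso-ts> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Return a dict for a well-formed record, or None so junk lines are skipped."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def smb_flows(lines):
    for line in lines:
        f = parse_flow(line)
        if f and f["proto"] == "tcp" and f["dport"] == 445:
            yield f


def find_smb_scanners(lines, window=timedelta(seconds=60), fanout_threshold=10):
    """{src: max distinct 445 targets seen inside any `window`} for sources over threshold."""
    per_src = defaultdict(list)
    for f in smb_flows(lines):
        per_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in per_src.items():
        events.sort()                      # time-ordered for the sliding window
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= fanout_threshold:
            hits[str(src)] = best
    return hits


def find_internet_smb(lines):
    """Internal sources reaching TCP/445 on non-internal addresses (WannaCry's random-IP scanning)."""
    return [
        (str(f["src"]), str(f["dst"]))
        for f in smb_flows(lines)
        if is_internal(f["src"]) and not is_internal(f["dst"])
    ]


def sample_flows():
    """Constructed records: a healthy file-server client plus one infected workstation."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    ts = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = []
    # Normal: 10.0.5.10 talks only to its file server, repeatedly.
    lines += [f"{ts(i * 4)} src=10.0.5.10 dst=10.0.1.5 dport=445 proto=tcp" for i in range(15)]
    # Infected: 10.0.5.23 sweeps its /24 on 445 inside 30 seconds ...
    lines += [f"{ts(i)} src=10.0.5.23 dst=10.0.5.{i} dport=445 proto=tcp" for i in range(1, 31)]
    # ... and also probes an address outside the company's ranges.
    lines.append(f"{ts(35)} src=10.0.5.23 dst=198.51.100.77 dport=445 proto=tcp")
    lines.append("malformed line the parser must tolerate")
    return lines


if __name__ == "__main__":
    flows = sample_flows()
    print("fan-out scanners:", find_smb_scanners(flows))
    print("Internet SMB:", find_internet_smb(flows))
```

A fan-out of ten distinct 445 targets in a minute is far above what a workstation does legitimately (it talks to a few file and print servers), so the threshold can be set low; the Internet-bound 445 check needs no threshold at all, because a single such connection from a user segment is already a policy violation if the edge firewall is configured as Step 4 recommends.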
Step 5: Ransom/Extortion – To restore access to the system or data, the threat actors demand payment from the victim ($300 in bitcoin in WannaCry's case) in exchange for the key to decrypt the files.
Controls: It is important to remember that paying the ransom perpetuates the effectiveness of the attack, and Optiv does not recommend paying it. Optiv also understands that not every organization has a functional disaster recovery plan; an organization that decides it has no other option needs incident responders on staff who understand bitcoin technology and processes, since victims have had to buy bitcoins to get their systems decrypted. The sound path is to have thorough backups that are tested on a regular basis, so that the ransom demand is irrelevant, together with an incident response plan and procedure that contain contingencies for ransomware.
On the heels of this widespread attack, organizations have an opportunity to reassess current security positions—people, processes and technologies—to withstand this current wave of attacks and prepare for the next. The best defense is planning, preparation and effective controls—having a solid cyber security program in place and actively monitoring and adapting as threats evolve.
Nick Hyatt is a senior consultant with Optiv’s enterprise incident management practice. In this role, he specializes in incident response, threat hunting and digital and malware forensics.