Faces of Ransomware

You’re at your computer going through some emails that have been neglected. You come across one from a person whom you don’t immediately recognize. Maybe it’s that person you met at the conference last week? They said they would send you some information. You open the email and click an attachment that you believe may be the information. Your screen flickers for a moment, then a message appears that reads:

Your important files have been encrypted and are unusable. For the decryption key send Bitcoins to the following Bitcoin wallet: youareavictim@badguywallet.

You’ve become a victim of ransomware. In a typical ransomware attack, the victim clicks a hyperlink or opens an email attachment, and the malware it delivers leaves the unwitting person with a choice: pay, or lose access to the files on the computer. Ransomware infects the machine and encrypts documents, photos, music, and any other important files stored on it. The attacker then demands payment – the “ransom” – usually in Bitcoin.

The latest versions of ransomware use strong encryption algorithms such as AES (Advanced Encryption Standard) and Triple DES (Triple Data Encryption Standard). Implemented correctly, these algorithms cannot be broken in any practical amount of time, which is precisely why the bad guys use them: without the key, the victim cannot recover the files. Now that we know what ransomware is, let’s look at some of the ransomware seen recently, compare how each one works, and see what the outcome of each attack was.

WannaCry

This past May the world was shaken by a ransomware attack called WannaCry. It infected more than 200,000 computers worldwide and crippled an estimated 25% of Great Britain’s National Health Service (NHS). WannaCry spread by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol.

The National Security Agency’s exploit for this vulnerability was named EternalBlue, and that name is now used for the vulnerability as well. Through it, the attack could enter a hospital’s main network and pivot covertly from machine to machine, infecting every computer that still had the same SMB vulnerability with the WannaCry payload. This attack was very nasty and the cost is still being calculated.

WannaCry also affected manufacturers, including Honda, which was forced to halt all production at its Tokyo plant after WannaCry attacked the plant’s industrial control systems.

Petya

Hot on the heels of WannaCry came the ransomware named Petya, which uses the same EternalBlue vulnerability as WannaCry. Petya attacks the master boot record, the code that lets the system “boot” up or start, and then encrypts the file system’s master file table, the index that records where every file on the disk lives. The fact that WannaCry and Petya use the same vulnerability begs the question of whether they are children of the same parent.

Petya also contains improvements that suggest WannaCry was perhaps an experiment and Petya the refinement needed to make the attack more successful. One example: Petya has no “kill switch,” as WannaCry did. The similarities between the two and the improvements made in Petya point to the same actor. Petya was also a bit different in where it first appeared. It was first reported in Ukraine, where it attacked mostly power companies, airports, public transit, and the central bank.

It also hit the Danish shipping company Maersk, the Russian oil giant Rosneft, and institutions in India, Spain, France, and the United Kingdom. And Petya’s not dead yet – a similar version, the appropriately named “NotPetya,” began infecting systems not long after.

NotPetya

NotPetya is believed to be a version of Petya. It’s like Petya, but different enough to qualify as an entirely new form of ransomware, researchers say. It uses the same exploit, EternalBlue, that WannaCry and Petya used to infect hundreds of thousands of computers and take down hospital networks. With this new strain, however, only computers on the local network are scanned, not the entire internet as WannaCry attempted. Instead, the strain looks for passwords that let it move freely across the internal network, extracting them from memory and from the local file system.

Another tool used by NotPetya is PsExec 2.2. Microsoft describes PsExec as “a lightweight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.”

Simply put, NotPetya uses this tool, together with the passwords it harvests, to run its code remotely from an infected machine on machines that have not yet been infected. The epicenter of NotPetya was Ukraine, and the shipping giant Maersk was its largest victim.

Tips for Avoiding Ransomware

It is important to protect yourself from ransomware attacks. Below are some tips for keeping ransomware off your systems.

  1. Back up your files. Keep a copy on a separate external hard drive that is disconnected when not in use, or in the cloud; a backup drive that stays attached can be encrypted along with everything else.
  2. Disable macros in Microsoft Office products. Some ransomware tricks you into enabling macros in an Office document, and the macro is what installs the malware.
  3. Consider installing the Microsoft Office Viewers, which open documents read-only and cannot run macros.
  4. Don’t open unsolicited emails or attachments.
  5. Keep your operating system, antivirus/anti-malware software, and applications current with the latest updates; the SMB flaw used by WannaCry and Petya had a patch available before the attacks began.
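As an added example (not part of the original post or Bridgehead I.T.’s material), the following PowerShell script audits two of the controls above on a Windows host: whether SMBv1, the protocol version that EternalBlue exploits, is still enabled, and whether the Office macro policy is locked down. It assumes an elevated session on Windows 8/Server 2012 or later and Office 2016/365, whose policy keys live under version 16.0; the remediation commands are left commented out so the script only reports by default.

```powershell
# Added example, not from the original post. Audits two ransomware controls
# on a Windows host; run in an elevated PowerShell session.
# Assumptions: Windows 8 / Server 2012 or later (Get-SmbServerConfiguration
# exists) and Office 2016/365, whose policy keys live under version "16.0".

# --- 1. SMBv1: the protocol version EternalBlue exploits. It should be off. ---
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is ENABLED on the server side (EternalBlue attack surface)."
    # Remediation (uncomment to apply):
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output "OK: SMBv1 is disabled on the server side."
}

# The optional-feature check also covers the SMBv1 client component.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Write-Warning "The SMB1Protocol Windows feature is still installed."
    # Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
} else {
    Write-Output "OK: SMB1Protocol feature is not installed."
}

# --- 2. Office macro policy (per-user policy keys). ---
# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
#              3 = only digitally signed macros run, 4 = disable all silently.
# BlockContentExecutionFromInternet = 1 blocks macros in files that carry the
# "downloaded from the Internet" mark, which e-mail attachments typically have.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p     = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba   = $p.VBAWarnings
    $block = $p.BlockContentExecutionFromInternet
    if ($vba -ge 3 -and $block -eq 1) {
        Write-Output "OK: $app macros restricted (VBAWarnings=$vba, InternetBlock=$block)."
    } else {
        Write-Warning "$app macro policy is weak or unset (VBAWarnings=$vba, InternetBlock=$block)."
        # Remediation (uncomment; in a domain, set these through Group Policy instead):
        # New-Item -Path $key -Force | Out-Null
        # Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        # Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}
```

An unset policy value shows as empty in the output, which means the user’s own Trust Center setting applies rather than an enforced policy.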

These should help keep you from becoming a victim of ransomware. For more tips about how to prevent ransomware, take a look at our video, Defending Against Ransomware, and contact Bridgehead I.T. to begin protecting your organization from the inside out.