Wired discusses the recent Atlanta ransomware attack and how the actors leveraging SamSam are selective about their targets, often choosing organizations they believe will end up paying the ransom:

Attackers deploying SamSam are also known to choose their targets carefully—often institutions like local governments, hospitals and health records firms, universities, and industrial control services that may prefer to pay the ransom than deal with the infections themselves and risk extended downtime. They set the ransoms—$50,000 in the case of Atlanta—at price points that are both potentially manageable for victim organizations and worthwhile for attackers.

And unlike some ransomware infections that take a passive, scattershot approach, SamSam assaults can involve active oversight. Attackers adapt to a victim’s response and attempt to endure through remediation efforts. That has been the case in Atlanta, where attackers proactively took down their payment portal after local media publicly exposed the address, resulting in a flood of inquiries, with law enforcement like the FBI close behind.

From an attacker's point of view, it is simply smart business to set the ransom price at a point within reach for the victim. The actors are banking on the victim believing it is far more expedient and less expensive to pay the ransom than to endure a lengthy outage.

Although paying the ransom appears to be the easier route to rapidly resuming operations, the overall economics of a ransomware attack are not that simple. Even if a victim pays, they will still need to essentially rebuild their entire network from the ground up to ensure every trace of the attackers is eradicated. Merely paying a ransom does not guarantee the actors did not leave a backdoor somewhere in the network.

Performing a cost-benefit analysis is important in these situations: weighing the lost revenue due to the ransomware attack, the lost productivity, and the cost of paying the ransom against the cost of remediating the infection. This is no easy task, with no black-and-white answer. The chosen route ultimately depends on the business and the types of daily operations it undertakes. Ransomware attacks are not one size fits all.

In the specific case of Atlanta, it sounds like mission-critical data was encrypted in the ransomware attack. That the city cannot recover this data from local or cloud-based backups demonstrates a situation faced all too often: a lack of proper foresight and planning. Had the city safely stored mission-critical data off site in addition to its local storage, forgoing payment and simply rebuilding would be an easy choice. But it seems the situation is much more complicated.

The City also suffered a cyberattack in April 2017, which exploited the EternalBlue Windows network file sharing vulnerability to infect the system with the backdoor known as DoublePulsar—used for loading malware onto a network. EternalBlue and DoublePulsar infiltrate systems using the same types of publicly accessible exposures that SamSam looks for, an indication, Williams says, that Atlanta didn’t have its government networks locked down.

“The DoublePulsar results definitely point to poor cybersecurity hygiene on the part of the City and suggest this is an ongoing problem, not a one time thing.”

Though Atlanta won’t comment on the details of the current ransomware attack, a City Auditor’s Office report from January 2018 shows that the City recently failed a security compliance assessment.

This is the issue: Atlanta lacks the security professionals necessary to keep its IT systems and assets safe from modern attacks. This is a good lesson for other, similar city governments. Get your act together and ensure security is a priority and baked into IT operations; otherwise, expect successful attacks to continue to hinder operations.

NPR has an update on the recent ransomware attack against the city of Atlanta, stating the city has yet to fully recover and some government data remains encrypted while awaiting the ransom payment:

“Many city employees have been without access to Internet and email since Thursday after hackers locked some of its systems and demanded a $51,000 payment. The city says it completed part of its investigation of the cyberattack, but it’s working on restoring full service.”

Mayor Keisha Lance Bottoms told reporters that cybersecurity is now a top priority for the city.

“There’s a lot of work that needs to be done with our digital infrastructure in the city of Atlanta and we know that year after year, that it’s something that we have to focus on and certainly this has sped things up.”

Bottoms says the city has continued to operate despite the cyberattack.

Asked whether the city would pay the ransom to fully restore the city’s network, the mayor told reporters that she would confer with federal authorities on the best course of action.

What a horrible situation. It is terrible to read about a major city like Atlanta fighting to recover from a ransomware attack. The fact that a breach of this nature, or any breach in fact, occurred is unsettling. Ransomware in particular has been all over the news lately, and the city should have been prepared, even with the standard excuse of having limited funding available for cyber security.

There are a myriad of open source and inexpensive yet effective solutions available. Lack of funding is never a fully adequate excuse unless the actors are nation state. In that case, almost no organization or enterprise is safe.

Atlanta should have been proactively defending its IT assets rather than just waiting around for the worst to happen. That the mayor made the above statement in the middle of recovery efforts demonstrates a complete and utter lack of awareness of, and interest in, budgeting for these events before they happen. There is almost no worse way to approach cyber security. Much like safety, it needs to be in the budget, and appropriately experienced cyber security professionals need to be employed to manage the defenses.

This is a hard-learned lesson for Atlanta, and one they likely will not forget anytime soon.

CNN reports on the FBI opening up an investigation into a ransomware attack targeting Atlanta:

Cox confirmed that the city had received a written demand related to the attack. When asked in the news conference if the city was going to pay a ransom, Bottoms said, “We can’t speak to that right now.”

“We will be looking for guidance from, specifically, our federal partners on how to best navigate the best course of action,” she said.

The city engaged Microsoft and a team from Cisco’s Incident Response Services in the investigation, Deputy Chief Information Officer Daphne Rackley said.

When asked if the city was aware of vulnerabilities and failed to take action, Rackley said the city had implemented measures in the past that might have lessened the scope of the breach. She cited a “cloud strategy” to migrate critical systems to secure infrastructure.

“This is not a new issue to the state of Georgia, it’s not a new issue to our country. We have been taking active measures to mitigate any risk in the past.”

It sounds like Atlanta is taking appropriate action and has modified its strategy to account for these possibilities. I am curious what vector was used in this attack and await the findings once a forensic audit is completed.

Dark Reading on tracking bitcoin wallet addresses as indicators of compromise (IOCs), a valuable defensive data point:

By tracking bitcoin wallet addresses as an IOC, we’ve been able to connect the dots between ransomware, wallet addresses, and shared infrastructure, TTPs (tactics, techniques, and procedures), and attribution.

Here is an example of how bitcoin is used in a ransomware campaign: A new piece of ransomware gives you a bitcoin address for payment. You can then make correlations that connect across sectors, like retail, energy, or technology groups based on the blockchain and/or reuse of the same address. With WannaCry, there were hard-coded bitcoin addresses that made it easy to correlate what you are dealing with and which sectors were being affected. The more bitcoin addresses are shared, the more you can identify addresses to which bitcoins are forwarded.

The ability to track transactions through the blockchain allows you to connect different ransomware campaigns. Cybercriminals don’t typically share bitcoin wallets as they might share the same exploit kit, but by tracking blockchain transactions, analysts have another investigation point from which they can pivot and dig for more.

I doubt many organizations are using this technique. It is both valuable and forward-thinking, and should be considered based on the maturity level of an organization's cyber defense capabilities. If threat intelligence is already being consumed, adding this should be fairly straightforward.
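The pivot described above, in working form: samples are linked when they carry the same payment address, and payment addresses are linked when on-chain forwarding lands them at a common downstream address within a few hops. This is an added example, not code from Dark Reading or any vendor; the sample ids, sector labels, addresses and transactions are constructed placeholders, and the "reachable within N hops" rule is an assumption about how far an analyst wants to follow funds.

```python
"""Correlate ransomware samples by payment address and on-chain forwarding.

Added example (not from the Dark Reading article): sample ids, sectors,
addresses and transactions below are constructed placeholders.
"""
from collections import defaultdict

# Constructed IOC records: (sample_id, victim_sector, ransom-note payment address)
SAMPLES = [
    ("sample-001", "retail",     "addr-A"),
    ("sample-002", "energy",     "addr-A"),   # same hard-coded address as sample-001
    ("sample-003", "technology", "addr-B"),
    ("sample-004", "healthcare", "addr-C"),
    ("sample-005", "finance",    "addr-D"),
]

# Constructed on-chain transfers: (from_address, to_address, amount_btc)
TRANSACTIONS = [
    ("addr-A", "addr-X", 0.5),   # A and B both forward to X: likely one operator
    ("addr-B", "addr-X", 0.3),
    ("addr-C", "addr-Y", 1.0),   # C forwards somewhere unrelated
    ("addr-X", "addr-Z", 0.8),   # X forwards onward (a second hop toward cash-out)
]


class UnionFind:
    """Minimal disjoint-set structure over arbitrary hashable ids."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def reachable(start, forward, max_hops):
    """Addresses reachable from `start` by following at most `max_hops` transfers."""
    seen, frontier = set(), {start}
    for _ in range(max_hops):
        frontier = {d for s in frontier for d in forward.get(s, ())} - seen - {start}
        seen |= frontier
    return seen


def correlate(samples, transactions, max_hops=2):
    """Return clusters of sample ids believed to share an operator.

    Two samples land in one cluster if they use the same payment address, or if
    their payment addresses forward funds to a common address within max_hops.
    """
    uf = UnionFind()
    for sid, _, addr in samples:          # link each sample to its address
        uf.union(sid, addr)
    forward = defaultdict(set)
    for src, dst, _ in transactions:
        forward[src].add(dst)
    for _, _, addr in samples:            # link addresses that funnel together
        for dst in reachable(addr, forward, max_hops):
            uf.union(addr, dst)
    clusters = defaultdict(set)
    for sid, _, _ in samples:
        clusters[uf.find(sid)].add(sid)
    return sorted(sorted(c) for c in clusters.values())


def cluster_sectors(samples, transactions, max_hops=2):
    """Which victim sectors each correlated cluster has touched."""
    sector = {sid: sec for sid, sec, _ in samples}
    return [sorted({sector[s] for s in c}) for c in correlate(samples, transactions, max_hops)]


if __name__ == "__main__":
    for cluster, sectors in zip(correlate(SAMPLES, TRANSACTIONS),
                                cluster_sectors(SAMPLES, TRANSACTIONS)):
        print(cluster, "->", sectors)
```

The caveat a practitioner should keep in mind: a shared downstream address is a pivot, not attribution. Two unrelated operators cashing out through the same exchange deposit address or mixer will be merged by the forwarding rule, so keep `max_hops` small and treat the result as a lead to investigate rather than a conclusion.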

Dark Reading on Shurl0ckr, a new Gojdue ransomware variant making the rounds on Google Drive and Microsoft Office 365 because most major anti-virus software fails to detect the malware:

Shurl0ckr works the same way as Satan ransomware. A hacker creates a ransomware payload and distributes it via phishing or drive-by download. The malware encrypts files on disk in the background until the victim pays a Bitcoin ransom. Hackers pay a percentage to the author.

The discovery was part of a broader study on malware in the cloud. Researchers found 44% of businesses they scanned had some form of malware in at least one of their cloud applications. One in three corporate instances of SaaS applications were infected with malware.

Microsoft OneDrive had the highest rate of infection compared with other major SaaS applications, with 55% of instances hit. Google Drive was next-highest at 43%, followed by Box and Dropbox, both of which had a 33% infection rate.

Just because cloud-based file storage services are unable to detect Shurl0ckr does not mean local endpoint-based protection is failing. A strong layered endpoint defense, even at home, should prevent it from doing any damage.

It is vitally important to be careful about which files are accessed, downloaded, or opened. Never open attachments from unknown or untrusted sources. Ensure downloaded files come from well-known web sites and established companies. Finally, always use endpoint security software and ensure the definitions are updated regularly and automatically.

Just like when walking around a city, paying attention and a little vigilance go a long way toward staying safe.

Lifehacker Australia reports on cyber attack trends they observed throughout 2017:

According to a new security report by Malwarebytes, Ransomware attacks were up ten-fold last year on the back of the WannaCry and NotPetya attacks. And the bad guys are spreading their resources with attacks using a number of their tools all on the rise. In short, it’s been a bad 12 months for those protecting systems and threat actors have reaped a bumper crop.

According to the Malwarebytes report, ransomware is now the fifth most common attack method. But a number of other attacks were also on the rise over 2017.

  • Ransomware (1000% increase)
  • Hijacker (522% increase)
  • Spyware (200% increase)
  • Worms (50% increase)
  • And while adware saw a modest 15% increase in 2017 over 2016, it remains the most prevalent form of malware the security firm found

Cryptojacking, where processor power is leached to mine cryptocurrencies, is a relatively new threat vector that emerged last year, with around 8 million drive-by attacks detected each day last September.

It should come as no surprise to see cryptojacking emerging as a significant threat. The rise in BTC value over the last four to six months has attackers looking to cash in however they can, and malware is the perfect vector for such crimes.

ExtremeTech reports on Ransomware scammers getting a taste of their own medicine:

The new attack on scammers was spotted by security firm Proofpoint, which noticed a warning posted to a ransomware payment portal called LockerR. This service runs on the Tor network, a spiderweb of encrypted nodes across the world that can route traffic anonymously and host hidden services. This is where many scammers operate due to the relative safety compared with the open internet. The problem is that most Ransomware victims don’t know how to access Tor. Therefore, scammers direct them to Tor proxies that can load a Tor service in a standard browser. That’s where the scammers are being scammed.

According to the notice posted on LockerR, the onion.top Tor proxy has started redirecting Bitcoin payments from the ransomware makers to a different address. It just replaces the original Bitcoin wallet address with the one owned by the proxy operators. The payment portal encourages victims to use the Tor browser to connect to LockerR directly in order to ensure the Bitcoins make it to the right address. So far, about $22,000 worth of ransomed Bitcoins have been “stolen” from the people who were trying to scam innocent computer users.

You have to admit, it is actually pretty funny seeing scammers get their due from other scammers.

Bleeping Computer reports on the discovery of yet another ransomware strain that encrypts users' files and, rather than requesting bitcoin payment, redirects users to an online payment portal where the ransom can be paid by credit card:

The ransomware is not under active distribution and appears to be still under development. First samples were spotted by security researcher MalwareHunter going back to January 15.

The ransomware identifies itself as MindLost, but Microsoft detects it as Paggalangrypt.

The biggest clue that MindLost is still under development, is that this filter is not active yet. Searching and encrypting files on all the storage mediums is time consuming, so current MindLost samples bypass this behavior and only encrypt files in the “C:\\Users” folder. Stable versions will likely not feature this filter.

It is unusual to see a development sample out in the wild like this, but not unprecedented. Analyzing it now allows signatures to be written to detect the current variant, but a future distribution will likely be altered enough to evade them.

ZDNet reports on the huge ransomware attack against shipping giant Maersk:

Maersk has revealed that a devastating ransomware attack which struck businesses across Europe in 2017 required close to a “complete infrastructure” overhaul and the reinstallation of thousands of machines.

In total, Maersk reinstalled 4,000 servers, 45,000 PCs, and 2,500 applications in what the chairman called a “heroic effort” over ten days, one in which the executive said may have usually taken up to six months to implement.

Hagemann said the ransomware attack was a “very significant wake-up call for Maersk, and you could say, a very expensive one.”

“We were basically average when it came to cybersecurity, like many companies,” the executive said. “This was a wake-up call not just to become good, but to have cybersecurity as a competitive advantage.”

What a complete and utter disaster for Maersk. What is most interesting to me, and what I would really like to know, is how this was able to cause such devastation to mission-critical corporate IT assets.

Ransomware authors are leveraging publicly accessible app APIs to build malware:

However, the malware also has unusual aspects, such as the use and abuse of Telegram Messenger’s communication protocol to send decryption keys to the threat actor, which, according to Secure List, appears to be the “first cryptor to use the Telegram protocol in an encryption malware case.”

While cryptors either maintain offline encryption or don’t, this Trojan chooses to. In order to keep communication lines between the threat actor and ransomware concealed and protected, secure channels need to be created — and this often increases the cost of malware development.

To circumvent these costs, TeleCrypt abuses the publicly available Telegram Bot API by operating as a bot which generates unique tokens that are inserted into the malware’s body so the Trojan can use the Telegram API.

By utilizing this channel rather than maintaining communication between the operator’s command and control center (C&C) over simple HTTP-based protocols, commonly used by many ransomware variants, security is improved and tracing the operator is more difficult.

These malicious actors are getting craftier by the day.

CSO Online on a unique Facebook-based delivery method for Locky ransomware:

The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file.

The usage of SVG (Scalable Vector Graphics) files, is important. SVG is XML-based, meaning a criminal can embed any type of content they want – such as JavaScript. In this case, JavaScript is exactly what the attackers embedded.

If accessed, the malicious image will direct the victim to a website that appears to be YouTube in design only, as it’s hosted on a completely different URL.

Once the page is loaded, the victim is asked to install a codec in order to play the video that’s shown on the page.

If the codec (presented as a Chrome extension) is installed, the attack is then spread further via Facebook Messenger. Sometimes the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky.

There are a lot of moving parts to delivering Locky in this manner. In addition, anecdotally anyway, I believe most people use Facebook Messenger on their mobile devices rather than via the web, so I wonder about the effectiveness of this attack. Unfortunately, there are a lot of folks who do not pay close enough attention and will allow the codec to install without a second thought, and thus allow this exploit to succeed.
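The point that SVG is XML and can therefore carry script is also what makes the file type easy to screen on the way in (mail gateway, upload handler, or a share-drive scan). The scanner below is an added example, not code from CSO Online or from the researchers it cites: it walks the XML tree and reports the markers that turn an image into active content (script elements, event-handler attributes, and javascript:/vbscript: URLs). The four sample files are constructed, and the set of flagged elements and schemes is an assumption about policy, not a complete list.

```python
"""Screen SVG files for active content before they are stored or rendered.

Added example (not from the CSO Online article): the sample SVGs below are
constructed; the flagged element and scheme lists are a policy assumption.
"""
import xml.etree.ElementTree as ET

# Elements that execute code or embed foreign documents inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute code when followed.
ACTIVE_SCHEMES = {"javascript", "vbscript"}


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data):
    """Return a list of findings; an empty list means no active content was found.

    An unparseable file is reported as a finding too, because a gateway should
    never pass through something it could not inspect.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]

    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):          # onload, onclick, ...
                findings.append(f"event handler {aname} on <{name}>")
            if aname == "href":                          # href and xlink:href
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ACTIVE_SCHEMES:
                    findings.append(f"{scheme}: URL in {aname} on <{name}>")
    return findings


def is_safe_svg(data):
    return not scan_svg(data)


# Constructed samples: one benign image and three that carry active content.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>location.replace("http://example.invalid/")</script></svg>'
HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="redirect()"><rect/></svg>'
JSHREF = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
          b'<a xlink:href="javascript:void(0)"><text>play</text></a></svg>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("script", SCRIPT),
                          ("handler", HANDLER), ("jshref", JSHREF)]:
        print(label, "->", scan_svg(sample) or "clean")
```

Two practical notes. For files from untrusted senders, swap `xml.etree.ElementTree` for the `defusedxml` package's drop-in equivalent so entity-expansion tricks cannot stall the scanner itself. And `data:` URLs are deliberately not flagged here because inline raster images in `<image href="data:image/png;base64,...">` are legitimate and common; whether to allow them is a per-environment decision.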

Ransomware is a huge problem for every enterprise, but there is a growing segment of industry that is particularly vulnerable to these types of attacks. The FBI explains why so many organizations are vulnerable to ransomware attacks:

“[Organizations] are getting hit; they’re often catastrophic events, and that’s why we’re being as aggressive as we can be,” says Kramer, who supervises a squad of FBI agents and analysts in New York. The FBI’s primary goals: to ensure greater engagement between ransomware targets and the FBI as well as to improve general preparedness for these attacks.

One key challenge that healthcare entities, in particular, face is balancing the needs for speed and security. “There’s often a disconnect between the need for security and the need to get access to information quickly,” Kramer says. “They’re often at odds, and there’s an evolution underway in terms of rethinking some things … to make sure that networks are secure.”

Ransomware seems to be affecting the healthcare industry far more than other areas, and I really have to wonder why. On the one hand, I understand there is a need for speedy operations. On the other, cyber should be there not only for protection, but to act as an enabler as well.

Healthcare needs to get its act together, and quickly; otherwise we are all going to be reading about a major cyber event at a medical company quite soon.

Researchers are seeing CryptXXX ransomware, and the new strain Cryptobit, being pushed out through a variety of sketchy domains:

The campaign, called Realstatistics, has tainted thousands of sites built on both Joomla! and WordPress content management systems. Researchers with security company Sucuri observed the campaign injecting bogus analytics code, including the url realstatistics[.]info, into the PHP template of infected sites over the past few days.

Like practically every strain of ransomware, Cryptobit urges victims to contact the cybercriminals in order to restore their files. The ransom note – which appears on victims’ desktops – doesn’t specify how much, or what denomination, to pay in order to get their files back however. Some of the first Cryptobit infections were discovered in April; at the time the ransomware was using both AES and RSA to encrypt files, something that makes it more difficult to decrypt the data.

Criminals were pushing Cryptobit hard for more than a week; Duncan said he spotted eight different samples of the ransomware variant pop up over the course of 10 days. The campaign shifted to distributing other malware at the end of June, however, he said.

Ransomware is one of the more evil malware types, primarily leveraged by crime syndicates looking to extort money from people who do not know any better. A new version of TeslaCrypt has been released with changes to the encryption scheme, potentially to make the malware appear more intimidating (emphasis added):

“Why use this false front? We can only guess – perhaps the attackers wanted to impress the gravity of the situation on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt infections,” Fedor Sinitsyn of Kaspersky Lab wrote in an analysis of the new ransomware.

But the more significant modification in version 2.0.0 is the inclusion of an updated encryption method. TeslaCrypt, like many other ransomware variants, encrypts the files on victims’ machines and demands a payment in order to obtain the decryption key. The payment typically must be in Bitcoin and the attackers using crypto ransomware have been quite successful in running their scams. Estimates of the revenue generated by variants such as CryptoLocker run into the millions of dollars per month.

Researchers have had some success in finding methods to decrypt files encrypted by ransomware, specifically TeslaCrypt. But the change to the malware’s encryption method may make that more difficult.

“The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm. The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone,” Sinitsyn said.

“Each file is encrypted using the AES-256-CBC algorithm with session_priv as a key. An encrypted file gets an additional extension, ‘.zzz’. A service structure is added to the beginning of the file, followed by encrypted file contents.”

NetworkWorld on Intel Security scaring a ransomware script kiddie out of business a mere four days after he launched the plot:

The scheme experienced meteoric growth in just days, but once it became public knowledge its architect couldn’t stand the threat of legal problems and is now backing off – which wasn’t the original plan at all.

“Plan A was to stay quiet and hidden,” the coder wrote yesterday on the Tox malware site buried deep behind the onion router (Tor) network. But Plan A was overturned by researchers at Intel Security who found the site and wrote about it just four days after it was set up.

“It’s been funny, I felt alive, more than ever, but I don’t want to be a criminal. The situation is also getting too hot for me to handle, and (sorry to ruin your expectations) I’m not a team of hard core hackers. I’m just a teenager student.” The message is signed “Tox”.

Disclaimer: I work for Intel Security but had nothing to do with this report.