Bach Seat

Sophos has recently uncovered a new trend of cyber DIY’ers who are breaking into computers one at a time and manually running ransomware on them. Apparently, these purveyors of bespoke malware are tired of the mass distribution channels employed by WannaCry and NotPetya.

Why bother using stolen NSA exploits or sending millions of booby-trapped email attachments when you can do it yourself. For whatever reason, some cyber-criminals have decided that if you want something doing properly, you have to do it yourself.

The Naked Security blog points out that many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors. These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world. To let remote sysadmins look after your Windows networks, the most widely used tool is Microsoft‘s (MSFT) own Remote Desktop Protocol or RDP for short.

For those who haven’t used it, the author describes RDP as a tool that allows remote use even of fully graphical applications that can’t be scripted or operated via a command prompt. They can work like being right on-site.  That means that the RDP password you’ve chosen for your remote sysadmin (or that you’ve let them choose for themselves) is essentially the key to your office – a weak password is like a server room door that’s propped open, inviting any passing snooper to take a look inside.

So, if the crooks using a network search engine such as Shodan, notice that you’ve got RDP open to the internet, they’ll take a poke around. Sophos security experts who’ve investigated a number of recent RDP attacks have often found evidence that a tool called NLBrute was used to try a whole range of RDP passwords – a so-called brute force attack – in the hope of sneaking in.

Once they’ve got your RDP password – whether they use NLBrute, or simply look you up on Facebook to find your birthday and your pet’s name – they’ll log on and immediately create various brand new administrative accounts. That way, even if you get rid of the crooks and change your own admin password, they’ve already got backup accounts they can use to sneak back in later.

Here’s what you can expect to happen next, based on what Sophos has seen in the attacks they have investigated:

Step 1: The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool. Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery. The bad guys can also use it for no good. They can modify the operating system, kill off processes, delete files, and change configuration settings that are usually locked down.

Step 2: The cybercriminals turn off or reconfigure anti-malware software, using the newly installed tweaking tools.

Step 3: The bad guys go after the passwords of administrator accounts. If they can’t get an admin password, they may try logging in as a regular user and running hacking tools that try to exploit unpatched vulnerabilities to get what’s called EoP, or elevation of privilege.

EoP means that already logged-on users can sneakily promote themselves to more powerful accounts to boost their powers. Sophos has seen EoP tools left on attacked systems that tried to abuse vulnerabilities dubbed CVE-2017-0213 patched by Microsoft in May 2017 and CVE-2016-0099, patched by Microsoft back in March 2016.

Step 4: The crooks turn off database services (e.g. SQL) so that vital database files can be attacked by malware. Files such as SQL databases are usually locked while the database server software is active, as a precaution against corruption that could be caused by concurrent access by another program. The side-effect of this is that malware can’t get direct access to database files either, and therefore can’t scramble them to hold them to ransom.

Step 5: The crooks turn off Volume Shadow Copy (the Windows live backup service) and delete any existing backup files.  Shadow copies act as real-time, online backups that can make recovery from ransomware a quick and easy process. That’s why crooks often go looking for shadow copies first to remove them.

Step 6: The crooks upload and run ransomware of their choice. Because these DIY criminals have used their illegitimate sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet “for free”.

These bespoke hacks mean the crooks don’t have to worry about using the latest and greatest malware, or setting up a command-and-control server, or running a hit-and-hope spam campaign.

In one attack, Sophos saw a folder on the desktop containing four different types of ransomware. The crooks ran each in turn until one of them worked.

Many ransomware attacks are distributed indiscriminately, and therefore rely on a “pay page” – a Dark Web server set up specially to tell victims how much to pay, and how to pay it.

But the author notes these RDP crooks are already personally involved to the extent of logging into your network themselves, so there’s often what you might call a “personal touch”.

Rather than automatically squeezing you via a website, the blog says you’ll probably see a pop-up telling you to make contact via email to “negotiate” the release of your data. At the time of writing the Bitcoin address used by that attacker contained BTC 9.62, with 1 bitcoin valued at $11,388.33 (11-28-2017) currently worth almost $110,000.

The Sophos investigators found that the victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer. With small-scale comes a dependence on external IT suppliers or “jack-of-all-trades” IT generalists trying to manage cybersecurity along with many other responsibilities.

In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff.

Sophos recommends these steps to cut your risk of becoming a victim of DIY Ransomware:

1. If you don’t need RDP, make sure it’s turned off on every computer on the network: RDP can be used to connect to servers, desktops, and laptops.
2. Consider using a Virtual Private Network (VPN) for connections from outside your network. A VPN requires outsiders to authenticate with the firewall first and to connect from there to internal services. This means software such as RDP never needs to be exposed directly to the internet.
3. Use two-factor authentication (2FA) wherever you can. To log on with 2FA you need a one-time logon code every time. If crooks steal or guess your password, it’s no use on its own.
4. Patch early, patch often. This prevents crooks from exploiting vulnerabilities against your network reducing your exposure to danger.
5. After an attack, check to see what the crooks have changed. Don’t just remove the malware or apply the missed patches and be done with it. Especially check for added applications, altered security settings, and newly created user accounts.
6. Set a lockout policy to limit password guessing attacks. With three guesses at a time followed by a five-minute lockout, a crook can only try out 12 × 3 = 36 passwords an hour, which makes a brute force attack impractical.
7. If you’re using a third-party IT company and they haven’t already suggested the precautions Sophos listed above, why not ask them why, and ask yourself if they’re the right people to be looking after your network?

Related article

• Hackers have cashed out on $143,000 of bitcoin from the massive WannaCry ransomware attack (CNBC)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.