{"id":85241,"date":"2017-11-29T20:15:30","date_gmt":"2017-11-30T01:15:30","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2021-07-13T16:56:42","modified_gmt":"2021-07-13T20:56:42","slug":"diy-ransomware","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/diy-ransomware\/","title":{"rendered":"DIY Ransomware"},"content":{"rendered":"<p><a href=\"https:\/\/web.archive.org\/web\/20211015063908\/https:\/\/ist.mit.edu\/news\/planned_december_outages\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-104190\" title=\"DIY Ransomware\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Toolbox-e1568420995151-150x112.jpg?resize=100%2C75&#038;ssl=1\" alt=\"DIY Ransomware\" width=\"100\" height=\"75\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Toolbox-e1568420995151.jpg?resize=150%2C112&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Toolbox-e1568420995151.jpg?resize=75%2C56&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Toolbox-e1568420995151.jpg?w=664&amp;ssl=1 664w\" sizes=\"auto, (max-width: 100px) 100vw, 100px\" \/><\/a><a href=\"https:\/\/web.archive.org\/web\/20240415214827\/https:\/\/www.sophos.com\/en-us\" target=\"_blank\" rel=\"noopener noreferrer\">Sophos<\/a> has recently <a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/11\/15\/ransomware-spreading-hackers-sneak-in-through-rdp\/\" target=\"_blank\" rel=\"noopener noreferrer\">uncovered<\/a> a new trend of <strong>cyber DIY\u2019ers<\/strong> who are breaking into computers one at a time and\u00a0<strong>manually running <a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/ransomware\" target=\"_blank\" rel=\"noopener noreferrer\">ransomware<\/a> on them<\/strong>. 
Apparently, these purveyors of <strong>bespoke malware<\/strong> are tired of the mass distribution channels employed by <a href=\"https:\/\/en.wikipedia.org\/wiki\/WannaCry_ransomware_attack\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>WannaCry<\/strong><\/a><strong> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Petya_(malware)\" target=\"_blank\" rel=\"noopener noreferrer\">NotPetya<\/a><\/strong>.<\/p>\n<p><a href=\"https:\/\/howtosolvetechissues.wordpress.com\/2016\/05\/12\/cybercriminal-use-computer-as-a-weapon\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright\" title=\"cybercriminals\" src=\"https:\/\/howtosolvetechissues.files.wordpress.com\/2016\/05\/201404fraud-protection-playing-offense-defense-cyber-criminals-strategy-938x535.jpg?resize=110%2C63\" alt=\"cybercriminal\" width=\"110\" height=\"63\" \/><\/a>Why bother using <a href=\"https:\/\/web.archive.org\/web\/20220324073518\/https:\/\/www.nytimes.com\/2017\/06\/28\/technology\/ransomware-nsa-hacking-tools.html\" target=\"_blank\" rel=\"noopener noreferrer\">stolen NSA exploits<\/a> or sending millions of booby-trapped email attachments when you can do it yourself. For whatever reason, some <strong>cyber-criminals have decided that if you want something doing properly, you have to do it yourself.<\/strong><\/p>\n<p>The <a href=\"https:\/\/nakedsecurity.sophos.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Naked Security<\/em><\/a> blog points out that many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors. These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world. 
To let remote sysadmins look after your Windows networks, the most widely used tool is <a title=\"Microsoft\" href=\"http:\/\/www.microsoft.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft<\/a>&#8216;s (<a title=\"NASDAQ | MSFT\" href=\"https:\/\/www.google.com\/finance?cid=358464\" target=\"_blank\" rel=\"noopener noreferrer\">MSFT<\/a>) own <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/aa383015(v=vs.85).aspx\" target=\"_blank\" rel=\"noopener noreferrer\">Remote Desktop Protocol<\/a>\u00a0or RDP for short.<\/p>\n<p><a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/11\/15\/ransomware-spreading-hackers-sneak-in-through-rdp\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-115779\" title=\"Microsoft Remote Desktop Protocol\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/msft_rpd.png?resize=110%2C104&#038;ssl=1\" alt=\"Microsoft Remote Desktop Protocol\" width=\"110\" height=\"104\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/msft_rpd.png?resize=150%2C142&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/msft_rpd.png?resize=75%2C71&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/msft_rpd.png?w=640&amp;ssl=1 640w\" sizes=\"auto, (max-width: 110px) 100vw, 110px\" \/><\/a>For those who haven\u2019t used it, the author describes RDP as a tool that allows remote use even of fully graphical applications that can\u2019t be scripted or operated via a command prompt. 
Remote admins can work as if they were right on-site.\u00a0 That means that the RDP password you\u2019ve chosen for your remote sysadmin (or that you\u2019ve let them choose for themselves) is essentially the key to your office \u2013 a weak password is like a server room door that\u2019s propped open, inviting any passing snooper to take a look inside.<\/p>\n<p><a href=\"https:\/\/repairregistryerrors.wordpress.com\/2014\/03\/07\/characteristics-of-a-top-microsoft-registry-cleaner\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright\" title=\"brute force attack\" src=\"https:\/\/repairregistryerrors.files.wordpress.com\/2014\/02\/hammer-laptop.jpg?resize=162%2C108\" alt=\"brute force attack\" width=\"162\" height=\"108\" \/><\/a>So, if crooks using a network search engine such as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shodan_(website)\" target=\"_blank\" rel=\"noopener noreferrer\">Shodan<\/a> notice that you\u2019ve got RDP open to the internet, they\u2019ll take a poke around. Sophos security experts who\u2019ve investigated a number of recent RDP attacks have often found evidence that a tool called NLBrute was used to try a whole range of RDP passwords \u2013 a so-called <a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/brute-force-cracking\" target=\"_blank\" rel=\"noopener noreferrer\">brute force attack<\/a> \u2013 in the hope of sneaking in.<\/p>\n<p>Once they\u2019ve got your RDP password \u2013 whether they use NLBrute, or simply look you up on Facebook to find your birthday and your pet\u2019s name \u2013 they\u2019ll log on and immediately create various brand new administrative accounts. 
That way, even if you get rid of the crooks and change your own admin password, they\u2019ve already got backup accounts they can use to sneak back in later.<\/p>\n<p>Here\u2019s what you can expect to happen next, based on what Sophos has seen in the attacks they have investigated:<\/p>\n<p><strong><a href=\"https:\/\/web.archive.org\/web\/20230925200547\/https:\/\/teachprivacy.com\/the-funniest-hacker-stock-photos\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright\" title=\"Female hacker - teachprivacy.com\" src=\"https:\/\/i0.wp.com\/web.archive.org\/web\/20221207125547\/https%3A\/\/teachprivacy.com\/wp-content\/uploads\/Hacker-6.jpg?resize=82%2C123&#038;ssl=1\" alt=\"Female hacker - teachprivacy.com\" width=\"82\" height=\"123\" \/><\/a>Step 1:<\/strong> The crooks download and<strong> install low-level system tweaking software<\/strong>, such as the popular <a href=\"https:\/\/sourceforge.net\/projects\/processhacker\/\" target=\"_blank\" rel=\"noopener noreferrer\">Process Hacker tool<\/a>. Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery. The bad guys can also use it for no good. They can modify the operating system, kill off processes, delete files, and change configuration settings that are usually locked down.<\/p>\n<p><strong>Step 2:<\/strong> The cybercriminals turn off or <strong>reconfigure anti-malware<\/strong> software, using the newly installed tweaking tools.<\/p>\n<p><strong>Step 3:<\/strong> The bad guys go after the <strong>passwords of administrator<\/strong> accounts. 
If they can\u2019t get an admin password, they may try logging in as a regular user and running hacking tools that try to exploit unpatched vulnerabilities to get what\u2019s called EoP, or <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Privilege_escalation\" target=\"_blank\" rel=\"noopener noreferrer\">elevation of privilege<\/a><\/strong>.<\/p>\n<p>EoP means that an already logged-on user can sneakily promote themselves to a more powerful account. Sophos has seen EoP tools left on attacked systems that tried to abuse vulnerabilities dubbed <a href=\"https:\/\/www.rapid7.com\/db\/vulnerabilities\/msft-cve-2017-0213\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2017-0213<\/a>, patched by Microsoft in May 2017, and <a href=\"https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/local\/ms16_032_secondary_logon_handle_privesc\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2016-0099<\/a>, patched by Microsoft back in March 2016.<\/p>\n<p><a href=\"https:\/\/web.archive.org\/web\/20210305192656\/https:\/\/racksimply.com\/evolution-of-data-centers-a-look-at-how-data-centers-have-evolved-over-the-past-50-years\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-115781\" title=\"database servers\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_center_icon-2-e1605839560889-150x116.jpg?resize=110%2C85&#038;ssl=1\" alt=\"database servers\" width=\"110\" height=\"85\" \/><\/a><\/p>\n<p><strong>Step 4:<\/strong> The crooks turn off database services (e.g. SQL) so that vital <strong>database files can be attacked by malware<\/strong>. Files such as SQL databases are usually locked while the database server software is active, as a precaution against corruption that could be caused by concurrent access by another program. 
The side-effect of this is that malware can\u2019t get direct access to database files either, and therefore can\u2019t scramble them to hold them to ransom.<\/p>\n<p><strong>Step 5:<\/strong> The crooks turn off <strong><a href=\"http:\/\/searchstorage.techtarget.com\/definition\/Microsoft-Volume-Shadow-Copy-Service-Microsoft-VSS\" target=\"_blank\" rel=\"noopener noreferrer\">Volume Shadow Copy<\/a><\/strong> (the Windows live backup service) and delete any existing backup files.\u00a0 Shadow copies act as real-time, online backups that can make recovery from ransomware a quick and easy process. That\u2019s why crooks often go looking for shadow copies first to remove them.<\/p>\n<p><strong>Step 6:<\/strong> The crooks <strong>upload and run ransomware<\/strong> of their choice.\u00a0Because these DIY criminals have used their illegitimate sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet \u201cfor free\u201d.<\/p>\n<p>These bespoke hacks mean the crooks don\u2019t have to worry about using the latest and greatest malware, or setting up a command-and-control server, or running a hit-and-hope spam campaign.<\/p>\n<p>In one attack, Sophos saw a folder on the desktop containing four different types of ransomware. 
The crooks ran each in turn until one of them worked.<\/p>\n<p>Many ransomware attacks are distributed indiscriminately, and therefore rely on a \u201cpay page\u201d \u2013 a Dark Web server set up specially to tell victims how much to pay, and how to pay it.<\/p>\n<p>But the author notes that these RDP crooks are already personally involved to the extent of logging into your network themselves, so there\u2019s often what you might call a \u201cpersonal touch\u201d.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-115783\" title=\"Pay ransomware in bitcoin\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/bitcoin-4.png?resize=90%2C90&#038;ssl=1\" alt=\"Pay ransomware in bitcoin\" width=\"90\" height=\"90\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/bitcoin-4.png?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/bitcoin-4.png?resize=75%2C75&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/bitcoin-4.png?w=680&amp;ssl=1 680w\" sizes=\"auto, (max-width: 90px) 100vw, 90px\" \/>Rather than automatically squeezing you via a website, the blog says you\u2019ll probably see a pop-up telling you to make contact via email to \u201cnegotiate\u201d the release of your data.\u00a0At the time of writing (11-28-2017), the Bitcoin address used by that attacker contained BTC 9.62; at $11,388.33 per bitcoin, that is worth almost $110,000.<\/p>\n<p>The Sophos investigators found that the victims of this kind of attack are almost always small-to-medium companies: the largest business in their investigation had 120 staff, but most had 30 or fewer. 
With small scale comes a dependence on external IT suppliers or \u201cjack-of-all-trades\u201d IT generalists trying to manage cybersecurity along with many other responsibilities.<\/p>\n<p>In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff.<\/p>\n<p><strong>Sophos recommends these steps to cut your risk of becoming a victim of DIY Ransomware:<\/strong><\/p>\n<ol>\n<li>If you don\u2019t need RDP, make sure it\u2019s <strong>turned off<\/strong> on every computer on the network: RDP can be used to connect to servers, desktops, and laptops.<\/li>\n<li>Consider using a<strong> Virtual Private Network<\/strong> (<a href=\"https:\/\/computer.howstuffworks.com\/vpn.htm\" target=\"_blank\" rel=\"noopener noreferrer\">VPN<\/a>) for connections from outside your network. A VPN requires outsiders to authenticate with the <strong>firewall<\/strong> first and to connect from there to internal services. This means software such as RDP never needs to be exposed directly to the internet.<\/li>\n<li>Use <strong>two-factor authentication<\/strong> (<a href=\"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/who-needs-two-factor-authentication\/\" target=\"_blank\" rel=\"noopener noreferrer\">2FA<\/a>) wherever you can. To log on with 2FA you need a one-time logon code every time. If crooks steal or guess your password, it\u2019s no use on its own.<\/li>\n<li><strong>Patch early, patch often<\/strong>. This prevents crooks from exploiting vulnerabilities in your network, reducing your exposure to danger.<\/li>\n<li>After an attack, check to see what the crooks have changed. Don\u2019t just remove the malware or apply the missed patches and be done with it. 
Especially check for <strong>added applications, altered security settings, and newly created user accounts<\/strong>.<\/li>\n<li>Set a <strong>lockout policy<\/strong> to limit password guessing attacks. With three guesses at a time followed by a five-minute lockout, a crook can only try out 12 \u00d7 3 = 36 passwords an hour, which makes a brute force attack impractical.<\/li>\n<li>If you\u2019re using a<strong> third-party IT company<\/strong> and they haven\u2019t already suggested the precautions Sophos listed above, why not ask them why, and ask yourself if they\u2019re the right people to be looking after your network?<\/li>\n<\/ol>\n<p><strong>Related article<\/strong><\/p>\n<ul>\n<li>Hackers have cashed out on $143,000 of bitcoin from the massive WannaCry ransomware attack <a href=\"https:\/\/www.cnbc.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"> (CNBC)<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>cyber DIY\u2019ers are breaking into computers one at a time and manually running ransomware on them using MSFT&#8217;s built-in RDP<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2990,2682,857,2107,82,421,2979,209,1507,2978,4,2168,2448,2930],"class_list":["post-85241","post","type-post","status-publish","format-standard","hentry","category-security","tag-2990","tag-2fa","tag-bitcoin","tag-firewall","tag-microsoft","tag-msft","tag-notpetya","tag-password","tag-ransomware","tag-rdp","tag-security","tag-sql","tag-vpn","tag-wannacry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/85241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=85241"}],"version-history":[{"count":15,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/85241\/revisions"}],"predecessor-version":[{"id":130958,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/85241\/revisions\/130958"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=85241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=85241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=85241"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}