By Leonardo Lanzi, coordinator of the GARR CERT
Once upon a time…
In March 2016, I had the chance to be near enough a ransomware infection to be able to examine how it functions and its effects and, as I was not being the real target, I was able to keep calm and give some help to colleagues, who were almost overwhelmed with fear.
It was a variant of a crypto-ransomware, today considered a classic, in the shape of an attached file of a supposedly official email. By being open it encrypted all the files with doc and xls extensions or similar, as well as pdf and zip, not only on the local hard disk. Even before that, it also attacked the Samba file server where administrative and accounting documents were shared, to which the infected PC was connected as a remote client. In less than an hour, more than 35.000 files – their digital life – became useless. In each directory, the same message appeared, in the form of a text file and image, clearly explaining what had to be done: there was a ransom of a few thousand dollars in a Bitcoin wallet to be paid within three days; if the victims complied, a contact mail would provide the necessary software and decryption key, giving access to the files again. After the three days expired, the contact mail would be disabled, and .. goodbye to the data!
How it ended
In 2016, ransomware was not yet so well-known, at least in our working environment. There was no response plan to this type of security incidents, and some mistakes were made, the worst of which, often not yet understood, was the reboot of the PC [to avoid boring details here, if you are interested in this specific topic feel free to contact me]. Anyway, the ransom was not paid.
The shared data was almost completely recovered from a nightly backup except for a few documents created in the morning before the ransomware run, and some problems related to the timestamp of the recovered data, which required an additional forensics activity to reset the correct date of each file.
All in all, it worked out well.
It could be worse
All cyber threats evolve, and ransomware is developing rapidly: these are no longer limited to file encryption, but have become one of the components of complex attacks of criminal organisations, who often choose specific targets to which they adapt their resources. And as in every evolution, we observe diversification.
Some ransomware acts on the lower levels of the operating system, and disable the bootstrap, or delete the shadow copies for the system recovery; others are focused on code obfuscation techniques, showing more than 200 different encryption functions (namely all available), or exploit hardware performances: once CPU type and available memory are detected, they run up to tens of parallel threads. Still others open remote access and, after mapping the local network, they try to find exploitable vulnerabilities among more interesting targets, like different kinds of reachable servers.
Often, the extortion doubles: together with the ransom demand, data leak sites are published, to increase the psychological pressure with the additional threat of a public data disclosure in case the ransom is not paid. A recent variation for the second threat is a DDoS attack against the victims’ network ( the latter threat supported, in turn, by a real Proof Of Concept).
Some criminal groups give a professional feel to their actions, by publishing the list of their victims ordered by budget, or offering free online support to their clients during the process of data recovery. Other groups point out that they choose their targets accurately, to be sure to ask fair ransoms with total costs and inconvenience levels lower than those linked to a backup restore and complaints to the Police and the Data Protection Authorities.
Lesson learned from a ransomware attack
The most obvious lesson we can learn is still regarded nowadays as a matter for professionals-only, while it should be the first objective in our increasingly digital life: to make sure that our data is safe from all kinds of threats. Each of our devices record data about ourselves (but also about other people), and especially, smart devices are interested in making our life easier by storing increasing amounts and different kind of information (email, messages, documents, pictures, videos, position and routes etc). This more and more happens also with the company data on our PC – just take a moment and think about your work activity during lockdown. In one sentence: “everything on cloud, and always available online”.
That’s the critical point: “always online”. Backup copies must be kept offline, or at least not directly available by the same login credentials and authentication procedures used into our online devices. Learning to safely backup our data it’s like starting workouts: at the beginning, it just feels like useless hard work, until it becomes a habit and we start to see some positive effects.
Obviously, backup is not enough, but it’s a great starting point. And if it’s about data of a group of people, whether it is a company, an university, or an hospital, dedicated resources are needed, in a proportionate manner to the data value and to the attacks-related risks, and it would be good if there was at least one experienced coach to lead the whole team in this kind of adventures.
Since May 2018, Leonardo is the coordinator of the GARR CERT. Master Degree in Physics, Ph.D. in Computer Science, he was the systems and network admin at the Department of Physics and Astronomy of the University of Florence. He was also lecturer in Computer Science for first year course of the Physics and Astrophysics curriculum.
Read more on the GÉANT Cyber Security Month 2020: https://dev.connect.geant.org/csm2020