Ransomware Case Studies & Forensics Analysis
A particularly insidious type of malware is ransomware, which is secretly installed on your Windows systems and locks the system down. That lockdown is inevitably accompanied by a message demanding payment if the system's owner ever wants to access the files again. Unless you are very lucky (or the hacker spectacularly incompetent), everything important on your hard drive will be effectively lost to you unless you pay up.
Although earlier versions of ransomware sometimes had flawed encryption, recent iterations are better designed. Even if you pay the ransom, there is no guarantee that things will work out, as Masvet Hospital in Massachusetts discovered when hackers demanded a second ransom after locking down its files.
I recently had an unpleasant encounter with ransomware. Here’s what happened:
The victim: a tree cutting firm in Stamford with 680 networked Windows machines (280 in a central office, with another 200 in satellite offices). On arrival at the incident, we found that the client had no protection in place. The network administrators had no idea what was going on in the network: no security tools, no forensic tools, and no IPS/IDS system at the perimeter.
All the company's PCs ran Windows 7 or Windows 10. Employees answered email on Windows systems running Office 365. After it became clear that we had a malware problem, our best guess was that it had penetrated the network via an email attachment. Once we put the IPS/IDS inline, we identified multiple command-and-control (C&C) connections on the network.
We initially identified the culprit as Cerber ransomware, specifically a newer variant that resisted efforts by utility programs such as SpyHunter to remove it. I also checked the registry settings as described by Malwarebytes, hoping to isolate the exact nature of the threat, but had no luck. Cerber has a nasty habit of deleting key files in its wake in order to confound attempts to stop it.
The company decided to restart the software and see how things went. While the server was down, though, the firm had to write down new taxi orders on little slips of paper. It was chaos.
Each infected folder contained three files: # Decrypt My Files.html, .vbs and .txt. The ransomware encrypted any file on its target extension list, giving each one a random filename with the .cerber extension.
The malware infected four PCs at the central office and two at satellite offices; the other six weren’t touched. The damage to these infected PCs was remarkably light: the log files (.log) were all encrypted, as well as one config file (.txt) that the server used for mapping East London into booking zones. After replacing that file, the server was able to run. The only loss was the log files.
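As an added example (not part of the original post), a small triage script that walks a directory tree for the two indicators described above, the "# Decrypt My Files" notes and the .cerber extension, and reports which folders show them. The sample tree it builds is constructed here for the demonstration, not data from the incident.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the incident write-up above: ransom notes named
# "# Decrypt My Files.<html|vbs|txt>" dropped into each encrypted folder, and
# encrypted files renamed to a random name with a ".cerber" extension.
RANSOM_NOTE_STEM = "# Decrypt My Files"
RANSOM_NOTE_EXTS = {".html", ".vbs", ".txt"}
ENCRYPTED_EXT = ".cerber"

def is_ransom_note(name: str) -> bool:
    p = Path(name)
    return p.stem == RANSOM_NOTE_STEM and p.suffix.lower() in RANSOM_NOTE_EXTS

def scan_tree(root) -> dict:
    """Walk `root`; return {folder: {"notes": n, "encrypted": n}} for every
    folder showing at least one indicator, i.e. the places to look at first."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = sum(1 for f in filenames if is_ransom_note(f))
        enc = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        if notes or enc:
            hits[dirpath] = {"notes": notes, "encrypted": enc}
    return hits

def summarize(hits: dict) -> dict:
    """Totals an incident report needs: affected folders and encrypted files."""
    return {"folders": len(hits),
            "encrypted_files": sum(h["encrypted"] for h in hits.values())}

def build_sample_tree() -> Path:
    """Constructed sample data (not files from the incident): one hit folder
    with all three notes and two renamed files, plus one untouched folder."""
    root = Path(tempfile.mkdtemp(prefix="cerber_triage_"))
    hit = root / "logs"
    hit.mkdir()
    for ext in RANSOM_NOTE_EXTS:
        (hit / f"{RANSOM_NOTE_STEM}{ext}").write_text("note placeholder")
    for name in ("a1b2c3d4e5.cerber", "f6g7h8i9j0.cerber"):
        (hit / name).write_bytes(b"\x00" * 16)
    clean = root / "config"
    clean.mkdir()
    (clean / "zones.txt").write_text("zone map placeholder")
    return root

if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    print(hits, summarize(hits))
```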
The # Decrypt My Files.html file contained a message asking for 1.2 Bitcoins (about $500) to recover the PC, including details on how to pay. No ransom was paid. The taxi firm's Managing Director already had a plan to replace all PCs in a few months, as most were six to eight years old. That plan was accelerated, and all 12 PCs were replaced one week after the initial infection.
I returned a week later to help replace the PCs and to my surprise discovered that no further infections had occurred since the first one. It’s my belief that the malware just ran once from one PC and managed to infect five others. But it wasn’t permanent, and didn’t reload after a reboot, so the malware was gone.
A recent article in SC Magazine seemed to confirm that a variant of Cerber only resides in RAM. Meanwhile, another article suggested that Cerber variants use PowerShell to change their signature, but I can’t be sure of that, as the taxi firm’s PCs didn’t have PowerShell installed.
Large companies often have disaster plans in place that include ransomware infections. But what should individuals or small businesses do when confronted with this issue? Crossing your fingers is probably not the best option.
Frequent offsite backups are the obvious first step, although automation comes with a downside: if your files are maliciously encrypted, the encrypted copies may get backed up too. If you take this route, make sure that the backup vendor offers a 30-day recovery period or versioning, so you can still retrieve intact copies of your files.
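An added illustration, not from the original post, of why versioning matters: a hypothetical backup store that never overwrites a previous copy, keeps versions for the 30-day window mentioned above, and hands back the newest copy taken before the infection was noticed. The store layout and function names are assumptions made for this example.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed layout of a hypothetical versioning store (not any vendor's format):
# <store>/<path relative to backed-up root>/<unix timestamp>. Nothing is ever
# overwritten, so an encrypted copy lands beside the earlier good copy.
RETENTION_SECONDS = 30 * 86400  # the 30-day recovery window recommended above

def backup_file(src: Path, root: Path, store: Path, now: int) -> Path:
    """Copy `src` into the store as a new version stamped with `now`."""
    versions = store / src.relative_to(root)
    versions.mkdir(parents=True, exist_ok=True)
    dst = versions / str(now)
    shutil.copy2(src, dst)
    return dst

def versions_of(rel: str, store: Path) -> list:
    d = store / rel
    return sorted(d.iterdir(), key=lambda p: int(p.name)) if d.is_dir() else []

def restore_before(rel: str, store: Path, cutoff: int):
    """Newest version taken strictly before `cutoff` (e.g. the time the
    infection was first noticed), or None if no such version exists."""
    older = [p for p in versions_of(rel, store) if int(p.name) < cutoff]
    return older[-1] if older else None

def prune(store: Path, now: int) -> int:
    """Delete versions older than the retention window; returns the count."""
    removed = 0
    for p in store.rglob("*"):
        if p.is_file() and now - int(p.name) > RETENTION_SECONDS:
            p.unlink()
            removed += 1
    return removed

def demo() -> dict:
    """Constructed scenario: a good copy, then an 'encrypted' copy; recover the good one."""
    root, store = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    cfg = root / "zones.txt"
    cfg.write_text("E1 -> zone 3\n")
    backup_file(cfg, root, store, now=1_000)
    cfg.write_bytes(b"\x8f\x11\xa0junk")  # simulated encrypted contents
    backup_file(cfg, root, store, now=2_000)
    good = restore_before("zones.txt", store, cutoff=1_500)
    recovered = good.read_text() if good else None
    pruned = prune(store, now=1_000 + RETENTION_SECONDS + 1)  # ages out the first copy only
    return {"recovered": recovered, "pruned": pruned,
            "left": [p.name for p in versions_of("zones.txt", store)]}
```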
For individuals, even something as simple as copying files to an external memory stick or drive is better than nothing. If you take this route, keep your USB storage unplugged from your machines when not copying to it.
As email attachments are a prime source of infections, having an email scanner is probably the best way to eliminate that particular vector of attack.
I’ve been thinking about using email clients and Web-browsing only from within VirtualBox, which might keep any ransomware nasties that evade detection from doing much damage. But if you don’t want to consider paying a ransom (and there’s no reason why you should), then the best solution for malware is preparation: back up your files early and often.
And if you’re involved in a business, take the time to educate staff about the dangers of opening email attachments, even if they know the sender.