KnowBe4 cautioned companies to heed new FBI and Microsoft alerts, warning of hybrid targeted ransomware attacks that attempt to encrypt an organization’s entire network. Criminal hackers have upped the ante. They are changing their approach and penetrate a network, wipe out all backups, infect all key machines with ransomware and then demand payment. The latest method uses a little-known strain of ransomware called “Samas”, first discovered in 2014. According to research reports by Microsoft, the majority of infections thus far have been detected in North America, with a few instances in Europe.
KnowBe4’s CEO Stu Sjouwerman said, “It is not clear yet if the current attack starts with phishing emails which infect a single workstation with ransomware and then installs a Trojan that allows the hackers into the network, or if the network gets penetrated first and subsequently gets infected with ransomware. It could very well be that both attack vectors are used.
Microsoft posted their technical analysis of Samas on TechNet with a detailed overview noting that first an attack-scan gets launched, looking for vulnerabilities, and then malware gets deployed using the PSEXEC tool.
The FBI wrote the first alert (PDF) Feb 18, 2016, and Microsoft published their analysis on March 17, 2016. IntelSecurity also published a PDF with more details about this hybrid attack. The FBI calls it an “aggressive campaign” which initially targeted vulnerable JBOSS applications allowing the hackers in and then infecting the network.
Intel said: “During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system several tools were used to find, encrypt, and delete the original files as well as any backups.
These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the encryption of the files, a ransom note appears, demanding a payment in Bitcoins to retrieve the files. By separating particular functions from the ransomware binary, executing certain actions using free available tools and scripts, the adversaries tried to avoid detection as much as possible. This is unlike most ransomware cases that spread wherever possible.
Sjouwerman commented, “It looks like targeted ransomware attacks have indeed arrived and will be around awhile.”
KnowBe4 offered tips on prevention and mitigation:
1. Keep all software applications up to date and patched
2. Use strong passwords
3. Disable the loading of Macros in Office programs through Group Policy settings described in an earlier KnowBe4 post
4. Implement strong backup and recovery policy, such as the 3-2-1 rule (3 copies, 2 different media, 1 offsite).
5. KnowBe4 offers a 20-page Ransomware Hostage Rescue Manual with actionable information to prevent infections and what to do when hit with ransomware.