New campaign of targeted ransomware attacks
During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the usual modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim's network through vulnerability exploitation and spread their access to any connected systems that they could reach. On each system, several tools were used to find, encrypt, and delete the original files as well as any backups. These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the files were encrypted, a ransom note appeared, demanding a payment in Bitcoin to retrieve the files. By separating particular functions from the ransomware binary and carrying them out with freely available tools and scripts, the adversaries tried to avoid detection as much as possible. This is unlike most ransomware cases, which spread wherever possible. Targeted ransomware attacks have arrived.

[The attackers could ask anywhere from $500 to $10,000 or more to allow you access to your data again.]
• Quickly install security updates: The entry point appears to have been the exploitation of a known vulnerability in third-party software. This demonstrates the value of disciplined practices for operating system and application software updates, especially on externally facing systems.
• Ensure updated security software is installed: When malware such as ransomware is discovered, up-to-date security software may be able to detect it.
• Implement a robust backup/recovery strategy: Good backup and recovery is critical in cases of targeted attacks as well as other catastrophic events. The data should be stored in a secure and separate location, and the recovery strategy should be frequently tested.

February 2016. By Christiaan Beek and Andrew Furtak. http://www.intelsecurity.com/
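The advisory notes that the attackers deleted backups alongside the originals and recommends that the recovery strategy be tested frequently. The following added example (not code from the advisory or from Intel Security) shows what such a restore test can check: a manifest of SHA-256 hashes and sizes is recorded at backup time and stored separately, and a restored tree is later compared against it to report missing, altered and unexpected files. As an extra signal, restored files whose byte entropy is close to 8 bits per byte are flagged as possibly encrypted in place. The entropy threshold, the sample sizes and the demo scenario are assumptions constructed for this example.

```python
# Added example: restore-test verification for a backup set.
# Not part of the Intel Security advisory; all sample data is constructed here.
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed): plain text sits well below, ciphertext near 8.0
SAMPLE_BYTES = 65536     # only the first 64 KiB is used for the entropy estimate


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Record relative path, size and hash of every file under root at backup time."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Reports files missing from the restore, files whose content changed, files
    that were not in the backup, and files whose content looks like ciphertext.
    The hash comparison is the authoritative check; entropy is only a hint."""
    report = {"missing": [], "mismatched": [], "extra": [], "high_entropy": []}
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
            continue
        path = restored / rel
        if path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            report["mismatched"].append(rel)
        with path.open("rb") as f:
            if shannon_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)
    report["extra"] = sorted(present - manifest.keys())
    report["ok"] = not any(report[k] for k in ("missing", "mismatched", "extra", "high_entropy"))
    return report


def run_demo() -> dict:
    """Constructed scenario: back up a small tree, restore it cleanly, then restore a
    tampered copy in which one file was encrypted in place and one was deleted."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        source = work / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "report.txt").write_text("Quarterly figures, constructed sample text.\n" * 50)
        (source / "notes.txt").write_text("plain text notes\n" * 20)
        manifest = build_manifest(source)
        # In practice the manifest lives with the offline copy, not next to the live data.
        (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

        clean = work / "restore_clean"
        shutil.copytree(source, clean)
        clean_report = verify_restore(manifest, clean)

        tampered = work / "restore_tampered"
        shutil.copytree(source, tampered)
        (tampered / "docs" / "report.txt").write_bytes(os.urandom(4096))  # stands in for ciphertext
        (tampered / "notes.txt").unlink()                                  # backup file removed
        (tampered / "unexpected.txt").write_text("constructed file not in the backup\n")
        tampered_report = verify_restore(manifest, tampered)
        return {"clean": clean_report, "tampered": tampered_report}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points matter in practice. The manifest must be kept with the separate, secured copy of the backup (or signed), because an attacker who can rewrite the backup can also rewrite a manifest stored beside it. And the entropy hint produces false positives on archives, media and other compressed or already-encrypted formats, so it is a triage signal for the restore test, not a replacement for the hash comparison.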