There are two unprecedented digital attacks going on right now that we wanted to let you know about.
For 20 years, data endpoint security has relied on signature databases. Succinctly, security vendors have a list of bad files, and if you try to run something on the list, it doesn’t run. Security vendors have been competing for years on the basis of who has the best, most up to date list of bad files. This is effective against classic viruses, which by definition copy themselves over and over.
Enter Malware-As-A-Service. On the dark web, criminals can purchase subscriptions to paid services that allow them to generate brand new digital attacks on demand. The bad guys can log in to a website, create a brand new malware package that has never existed before, sign up for a free email account on a well known service, and proceed to send a customized payload to your business that isn’t on any list.
Almost all detection methods rely on repetition, so criminals are now customizing their attacks, tailoring them for their high value target – you.
Your spam filter passes the message because it came from a legitimate gmail.com or outlook.com address. Imagine the uproar if IT administrators started blocking gmail.com, yahoo.com, or aol.com. So the sender gets marked as safe. The attached file is scanned for malware, and it doesn’t match any known malware signature. Your gateway scans the message. It doesn’t match any known malware signature. You run the attachment. Your endpoint security software scans the file, and it doesn’t match any known malware signature. So the code is executed. A few minutes later, files on your company network begin to become unavailable, and you receive an invitation to send money to criminals to get them back.
Welcome to 2016.
Ransomware uses standard RSA 256 bit encryption, in fact the same sort of trusted commercial encryption that is used to protect your credit card while shopping online, to scramble all the data it can get access to. Subsequently, the victim is invited to pay for the decryption key. These attackers have developed an “honor among thieves” reputation. Buying the key isn’t easy, but if you complete the process, you generally get your files back. However, the prices are going up, and no one likes giving thousands of dollars to criminals.
Spearphishing is a type of identity theft that requires personal attention from the attacker. Instead of putting up a cheesy looking, broken English, fake bank website and trolling for passwords, they research the target. They call them on the phone, ask for an appointment with the CEO or owner. When they are told that they will have to schedule that with his assistant, Shiela Macgillicuddy, they send emails to email@example.com and firstname.lastname@example.org from free email accounts, claiming to be the CEO and asking for immediate assistance with a wire transfer. The sweet spot for these attacks seems to be small and medium businesses who are sophisticated enough to be able to quickly complete a wire transfer, but not sophisticated enough to have proper controls in place.
What does a ransomware attack look like? It looks like this:
That’s kind of hard to read. Oh! It looks like I can “enable editing” to turn off this silly protected view. I’ll just click this button here. Hmm. None of my files seem to work now. Maybe… uh oh.
Delivered-To: email@example.com Received: by 10.194.6.102 with SMTP id z6csp64350wjz; Mon, 14 Mar 2016 10:39:03 -0700 (PDT) X-Received: by 10.112.141.132 with SMTP id ro4mr8520419lbb.104.1457977143841; Mon, 14 Mar 2016 10:39:03 -0700 (PDT) Return-Path: firstname.lastname@example.org <rintoulCoy35@net1.bg> Received: from 84-40-85-183.net1.bg ([184.108.40.206]) by mail.brightbear.org with ESMTP id d66si11045850lfd.149.2016.03.14.10.39.03
That probably looks like a bunch of gibberish to you. However, if you look at a couple of these, you’ll start to see some patterns. What I want you to notice about this one is that it says it’s from “email@example.com” – basically when the attacker set this up, they told their mail software that their first name is firstname.lastname@example.org – that way it isn’t even checked for accuracy. You can put literally anything you want in the “firstname” and “lastname” fields. For security reasons, you shouldn’t be allowed to put in a “name” that looks like an email address, but there’s nothing to stop you from doing so. It would be just as easy to put in the first and last name of the CEO of your company, or Barack Obama, or Canadian Pharmacy. You get the idea. In this case, when we inspect the headers, we can see that the message is actually coming from the address rintoulCoy35@net1.bg. net1.bg turns out to be a cable internet provider in Bulgaria. Maybe this isn’t a legitimate message.
So, what can you do?
Email is the vector du jour for both of these attacks. Some of our vendors are recommending blocking all Word and PDF attachments at this time. Obviously that’s impractical for most businesses. Employees need to exercise extra caution when opening attachments, especially from unknown senders. Enabling macros on a document you just received from an unknown sender is extremely unsafe. Ordering a wire transfer over email should be prohibited.
In the event that you execute something like a ransomware payload, you should immediately disconnect your computer from power and the network, and contact your IT service provider.
Oh, and this is very important – do not reply to the email. Don’t taunt the attacker, or tell them that you’re on to them, or even that you’re notifying the police. Any communication with them increases your value as a target, and lets them know that their attempts to communicate are reaching the right person. Delete these messages without responding. Let them assume that their messages are not being delivered or read.
What can your service provider do?
At Bright Bear we already follow best practices and employ solutions from Sophos, AVG, and Commvault to detect replicating viruses, however this new breed of personalized attacks is largely immune to detection. For our managed customers, we are writing domain policies to slow the spread of encrypting ransomware, and to make it harder to execute macros that came from an email. Ultimately, this isn’t going to be enough. We are currently testing the next generation of antimalware software. It is expensive, but it is effective. Behavior based analysis in these new tools looks at not just whether a file is on a list, but at what the file is actually doing. This new breed of security software is smart enough to know that if a program wants to encrypt lots of files, an administrator should sign off on that idea. We are rushing a bit to get these new tools out there, because these attacks can be devastating.
Currently, the best hedge against this sort of criminal activity is to maintain a good backup. A lot of the value of working with a managed service provider like us is that we know how to do that, and we have the resources to maintain and recover from an attack like this. We are doing everything we can to stay ahead of these sort of attacks, but to be successful at fending them off, service providers and their customers need to work together.