SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-08-07

Follow-up to: Stop calling it a ransomware "attack"

Published: 2016-08-07
Last Updated: 2016-08-07 20:52:37 UTC
by Brad Duncan (Version: 1)

Introduction

Earlier today, I posted a diary protesting an overall trend of calling ransomware infections "ransomware attacks" [1].  Unfortunately, that previous diary didn't include information on attacks that actually have involved ransomware.

Some tweets about my original write-up got me thinking about it some more...  So this diary goes into more detail.


Shown above:  Commenting on the first diary, @DanielGallagher notes Samsam.


Shown above:  Commenting on the first diary, @fwosar discusses RDP attacks.

Distribution: both large-scale and targeted

As previously stated, I frequently find ransomware during daily investigations of exploit kit (EK) traffic and malicious spam (malspam) campaigns.  However, my visibility is limited.  I rarely, if ever, run across activity I consider a targeted attack.  That field of view doesn't include ransomware infections seen after brute-force attacks using Microsoft's Remote Desktop Protocol (RDP).  Examples of brute-force RDP attacks resulting in ransomware infections have been published as recently as May [2, 3] and June 2016 [4].
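The brute-force-RDP-then-ransomware pattern mentioned above leaves a recognizable trace in Windows Security logs: a burst of failed RDP logons from one source followed by a successful one.  The following is an added example, not code from the diary or from the cited reports; it runs over constructed events and assumes the standard event IDs (4625 = failed logon, 4624 = successful logon) with LogonType 10 marking RDP logons.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real log data):
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
EVENTS = [
    {"time": "2016-05-01T02:00:01", "id": 4625, "logon_type": 10, "user": "admin",         "src": "203.0.113.7"},
    {"time": "2016-05-01T02:00:03", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2016-05-01T02:00:05", "id": 4625, "logon_type": 10, "user": "backup",        "src": "203.0.113.7"},
    {"time": "2016-05-01T02:00:08", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2016-05-01T02:00:10", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2016-05-01T02:00:12", "id": 4624, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2016-05-01T09:15:00", "id": 4625, "logon_type": 10, "user": "jsmith",        "src": "198.51.100.20"},
    {"time": "2016-05-01T09:15:20", "id": 4624, "logon_type": 10, "user": "jsmith",        "src": "198.51.100.20"},
    {"time": "2016-05-01T09:30:00", "id": 4625, "logon_type": 2,  "user": "admin",         "src": "192.0.2.5"},
]

def _ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%S")

def find_rdp_bruteforce(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that produced >= fail_threshold failed RDP logons inside
    `window` to a finding; a later RDP success from the same source is recorded,
    since that is the point at which a ransomware deployment can begin."""
    by_src = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["logon_type"] == 10:            # RDP only; ignore console/network logons
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i in range(len(fails) - fail_threshold + 1):
            last = fails[i + fail_threshold - 1]
            if _ts(last) - _ts(fails[i]) <= window:   # burst of failures inside the window
                success = next((e for e in evs if e["id"] == 4624 and _ts(e) > _ts(last)), None)
                findings[src] = {
                    "failures": len(fails),
                    "users": sorted({f["user"] for f in fails}),
                    "success_user": success["user"] if success else None,
                }
                break
    return findings

if __name__ == "__main__":
    for src, f in find_rdp_bruteforce(EVENTS).items():
        print(f"{src}: {f['failures']} failed RDP logons, users {f['users']}, "
              f"success as {f['success_user']}")
```

A single failure followed by a success (the jsmith entries) is not flagged, and non-RDP logon types are ignored, so the finding reflects the burst pattern rather than ordinary typos.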

Other sources have reported targeted attacks involving ransomware known as Samas, SamSa, or SamSam [5, 6, 7, 8, 9, to name a few].  Most of these write-ups say organizations in the health industry (as well as other industries) have been targeted.  These reports document a trend where an attacker first gains unauthorized access to an organization's network, then deploys ransomware on hosts within that network.


Shown above:  Diagram of a Samas infection chain from the Microsoft report [8].

That's certainly an attack.

I'd be crazy not to include this information when discussing my disdain for the term "ransomware attack."  And it's something I foolishly omitted in my previous diary on the subject.  Ransomware is, indeed, distributed in both large-scale and targeted campaigns.

Large-scale does not equal targeted

Most reports of ransomware infections, especially in the health care industry, imply some sort of targeted attack.  But that's not always the case.

For example, in March 2016 we saw reports that a Kentucky-based Methodist Hospital was infected with Locky ransomware through malspam.  The malspam contained a Word document with malicious macros masquerading as an invoice [10].  The press played it up as an attack, but malspam is a common tactic of large-scale campaigns distributing Locky, where some messages occasionally slip through spam filters.  Even Krebs called it an "opportunistic attack" when reporting on the incident [11].

However, opportunistic is not targeted.

In March 2016, Wired published an in-depth write-up on why hospitals are perfect targets for ransomware [12].  In that article, the author discusses Methodist Hospital and other Locky incidents while including targeted attacks by criminals spreading Samsa ransomware.  Although the author notes Locky involves "spray-and-pray phishing campaigns" involving mass emails, this method is still described as a "Locky attack."

Wired's article is well-written and worth a read.  It includes plenty of detail on the reasons why health care organizations are at risk.  But readers who only skim the article will miss some key points, and they could easily confuse large-scale Locky distribution with a targeted attack.  In cases like this, I think authors should use "Locky campaign" instead of "Locky attack."

Final words

Even considering targeted attacks involving ransomware, I still feel we're putting too much emphasis on the attackers and not enough focus on fixing our own vulnerabilities.

Furthermore, I believe media reporting leads some people to confuse large-scale ransomware campaigns with targeted attacks.

The number of ransomware samples found in large-scale campaigns far outweighs the number of ransomware samples reported from targeted attacks.  I still believe that, odds are, any given ransomware "attack" is probably the result of a large-scale campaign.

I'd rather see people use "ransomware incident" instead of "ransomware attack."

My thanks to @DanielGallagher and @fwosar for their tweets.  They helped keep me a bit more honest.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://isc.sans.edu/forums/diary/Stop+calling+it+a+ransomware+attack/21345/
[2] https://blog.fox-it.com/2016/05/02/ransomware-deployments-after-brute-force-rdp-attack/
[3] http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/
[4] http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/
[5] http://researchcenter.paloaltonetworks.com/2016/03/evolution-of-samsa-malware-suggests-new-ransomware-tactics-in-play/
[6] http://blog.talosintel.com/2016/03/samsam-ransomware.html
[7] https://www.secureworks.com/blog/samas-ransomware
[8] https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/
[9] http://blog.trendmicro.com/trendlabs-security-intelligence/lesson-patching-rise-samsam-crypto-ransomware/
[10] http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/locky-ransomware-strain-led-kentucky-hospital-to-an-internal-state-of-emergency
[11] http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/
[12] https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/


Stop calling it a ransomware "attack"

Published: 2016-08-07
Last Updated: 2016-08-07 19:49:47 UTC
by Brad Duncan (Version: 1)

2016-08-07 update:  I've posted a follow-up diary [link] that includes information on targeted attacks that do involve ransomware.

Introduction

I dislike the term "ransomware attack."  Why, you ask?  It's a matter of perception.

The word "attack" indicates specific intent against a particular individual or group.  An attack means someone (or something) is targeted.  But I'm hesitant to use the terms "attack" and "targeted" when discussing ransomware.  Calling a ransomware infection an "attack" focuses blame on an enemy.  I consider this mindset dangerously close to fear mongering.

If we continue thinking of ransomware infections as "attacks," we'll never seriously consider a wide variety of issues that allow ransomware infections to happen in the first place.

Ransomware distribution

Ransomware is distributed on a large scale.  Criminal groups generally use two methods to distribute malware: malicious spam (malspam) and exploit kit (EK) campaigns.  These are most often large-scale operations that attempt to reach as many potential victims as possible.

I view EK campaigns as laying a bunch of mousetraps throughout the web.  An EK is not an active attack against a specific victim.  People stumble across EKs through casual web browsing.  Personally, I've never found any convincing evidence that ransomware infections through EK traffic have been targeted.

But what about malspam, you ask?  You might think someone receiving an email with ransomware was targeted.  However, I find it hard to believe the massive waves of malspam I sometimes look into are targeted against specific individuals.  Especially when it's Locky ransomware, which is widely distributed [1, 2, 3].  When someone's email address is discovered by a spammer, it gets on a list.  That list is often shared, and the person's email address will be constantly bombarded by wave after mindless wave of botnet-based malspam.

Ultimately, I believe ransomware infections are the result of large-scale campaigns covering numerous potential victims, and a comparatively small number of people actually get infected.

Yes, those relatively few infections often have major consequences, but they're not the result of narrowly defined attacks.  They're the result of large-scale campaigns.  The important part isn't necessarily who is infected.  The important part is that enough people with enough resources are infected to make it profitable for the criminals.


Shown above:  Roberto probably said, "It's got my name in it, so it must be targeted!"

Assigning criminal intent based on statistics

During my day-to-day research, I usually see ransomware.  I also see the malspam and EK vectors this malware comes through.  But we should not make any assumptions of criminal intent based on the data we collect.  Why?  Because no matter how wide we cast our net, we'll never know the full truth.

I still read such reports.  The latest one I looked at was based on a July 2016 Osterman Research survey about ransomware [4].  It's typical of what I've been seeing lately.  The report states that healthcare and financial services are the industries most vulnerable to ransomware attacks.  According to the report, "These industries are among the most dependent on access to their business-critical information, which makes them prime targets for ransomware-producing cyber criminals."


Shown above:  One of the charts from the Osterman report.

I enjoyed reading the report.  It has some good insights.  But whenever I see these statements, I always wonder if those industries are really targeted more than other industries.  Or did they have more infections because they're inherently more vulnerable?  If they're indeed the most vulnerable, wouldn't it follow they're more likely to get infected during massive campaigns indiscriminately targeting everyone?

Like the large-scale EK or malspam campaigns spreading ransomware I see every day?

I don't know how to describe this.  We're saying certain industries are targeted more because they're getting infected more.  That just feels wrong.  Ransomware doesn't need to be targeted if it's widely distributed.

Yet everyone and their mother is calling these ransomware attacks.

Final words

We tell ourselves we must know our enemy so we can better protect our network.  However, I think we put too much focus on the enemy and not enough focus on ourselves.

Is everyone in your organization following best security practices?  Is security a truly essential part of your corporate culture?  Is security a primary concern when establishing or upgrading your network architecture, or does cost outweigh the best security measures?  Most organizations have problems in these areas.  We convince ourselves there are certain weaknesses we must live with.

And management really wants to know who was behind that ransomware infection and why your organization was apparently targeted.

But odds are the ransomware was directed at any number of people who either stumbled across it or were unlucky enough to find it in their inbox.

Sure, call it a ransomware incident.  Just don't call it a ransomware attack.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://www.fireeye.com/blog/threat-research/2016/03/surge_in_spam_campai.html
[2] https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware
[3] http://researchcenter.paloaltonetworks.com/2016/07/unit42-afraidgate-major-exploit-kit-campaign-switches-from-cryptxxx-ransomware-back-to-locky/
[4] https://go.malwarebytes.com/OstermanRansomwareSurvey.html
