By Samantha Agather, Information Security Analyst – Intrinium
For those who remember the Wannacry outbreak of 2017, or have come face to face with ransomware personally, ransomware is a detestable word that causes even the most pleasant of people to have bitter feelings.
Now, what if I told you that getting infected with this cruel virus is all too easy these days? It’s almost as easy as signing up for an email account. Ransomware as a Service (RaaS) is the dark side of Software as a Service offerings like Office365 or Dropbox. As with Office or Dropbox, you create an account with the ransomware developer(s) and they provide you the software (the ransomware, in this case). The ransomware developers provide the same level of customer service to help the user customize the ransomware and the ransom demand, and they provide “customer” support to victims who are having trouble paying the ransom. Once the payload is created and customized, it can be distributed through phishing campaigns, through live hacking attacks, or by an automated script that scours the internet to find your weak points.
One of our first sightings of this new style of deployment was months after the ransomware/worm hybrid Wannacry took the world by storm, shutting down hundreds of thousands of computers by exploiting the EternalBlue vulnerability.
RaaS Examples and the Damage It Causes
GandCrab, Datakeeper, and Ransom32 are all considered RaaS, as their source code can be downloaded for use by anyone who wants it. GandCrab was probably the most prevalent RaaS until it retired on May 31, 2019, owing to its ease of use and customer service. However, the group that created GandCrab did not retire themselves; instead they released a new brand called “REvil” or “Sodinokibi”, and theories state that GandCrab was only retired to draw the limelight away from the group.
One example of GandCrab that occurred in January infiltrated a network through an open port 3389 (the RDP port, which allows remote control of destination computers) and then deployed the ransomware through the Domain Controller. The ransomware encrypted the Domain Controller, multiple terminal servers, multiple user devices, an NTFS server, their Sage server, and, worst of all, their backups.
The ransom demanded would have doubled if they hadn’t paid part of the ransom to get a few files back that were business-critical, as the website had a timer on it for the payment. This is a trademark of a large percentage of ransomware classes.
Who RaaS Affects
If you receive emails or take phone calls, you are susceptible to a ransomware attack via phishing or vishing. All it takes is for someone to click a bad link, download a bad file, or give out their username or password.
For slightly more complex attacks, you only need to have a vulnerable system: outdated operating systems (Windows Server 2003), open ports on your firewall (port 3389, for example), or outdated software like Java or even your firewall firmware. For easier exploits, like having port 3389 open to the internet, it does not take someone with experience or knowledge to look up proof-of-concept exploits and deliver the payload into your system. It can be a disgruntled client who paid the neighborhood college kid to do the dirty work, or an employee with a vendetta who simply executed the ransomware on a machine on your network. It’s not always easy keeping your vulnerabilities under control, especially if the ransomware is being distributed in an email phishing campaign; it only takes one person to miss the signs. Vulnerability scans are a good way to look at your hardware to find where your defenses are lacking, and Social Engineering engagements are a good way to gauge your employee vulnerability.
Protect Yourself and Your Company
The simplest way to keep you and your company safeguarded is to stay current on updates. Yes, they’re annoying when you’re in the middle of a project, but you will not regret taking the ten minutes at the end of the day to close everything out properly and restart your computer, or even the five minutes it takes to update Java.
After updates, it’s highly recommended to run phishing campaigns to help prepare your employees for dealing with scams and those who want to do harm.
Use layered security– don’t just use an antivirus, add a firewall to monitor network traffic for potentially malicious connections, or even abnormal traffic in general.
Finally, run an external vulnerability scan on your externally-facing IPs. This will give you a great idea of where to start improving your network security, so that not just anyone can get into your network from the outside. Building a true vulnerability management program goes even further!
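The GandCrab case above came in through port 3389 left open to the internet, and the layered-security advice is to watch firewall traffic for connections like that. As an added example (not from the original article), the script below reads constructed key=value firewall log lines, treats anything outside the RFC 1918 ranges as an internet source, and reports allowed inbound RDP connections from such sources. The log format, the sample addresses and the `INTERNAL_NETS` list are assumptions for the example.

```python
"""Flag allowed inbound RDP (TCP/3389) connections from internet addresses.

Added example, not the article's code. The key=value log format below is a
constructed, vendor-neutral stand-in for a real firewall log.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
2019-06-03T02:14:07Z action=allow proto=tcp src=203.0.113.45 sport=51234 dst=192.168.10.5 dport=3389
2019-06-03T02:14:09Z action=allow proto=tcp src=203.0.113.45 sport=51235 dst=192.168.10.5 dport=3389
2019-06-03T02:15:22Z action=allow proto=tcp src=192.168.10.77 sport=49152 dst=192.168.10.5 dport=3389
2019-06-03T02:16:01Z action=allow proto=tcp src=198.51.100.9 sport=40000 dst=192.168.10.5 dport=443
2019-06-03T02:17:45Z action=deny proto=tcp src=198.51.100.77 sport=40001 dst=192.168.10.5 dport=3389
2019-06-03T02:18:10Z action=allow proto=tcp src=198.51.100.77 sport=40002 dst=192.168.10.5 dport=3389
"""

# Assumed internal address space (RFC 1918); anything else is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {3389: "RDP"}  # the exposure the article's GandCrab case used

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def is_external_source(addr):
    """True when the source address is outside the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_rdp(log_text):
    """Return {src_ip: count} of allowed connections to watched ports from external sources.

    Denied lines are skipped (the firewall did its job); internal sources are skipped
    (internal RDP is normal administration). What remains is RDP reachable from outside.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if rec["dport"] in WATCHED_PORTS and is_external_source(rec["src"]):
            hits[rec["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in find_exposed_rdp(SAMPLE_LOG).items():
        print(f"{src}: {n} allowed RDP connection(s) from outside; port 3389 is exposed")
```

Any hit means the firewall is passing internet traffic to RDP, which is exactly the condition an external vulnerability scan should also surface.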
If you are still unsure of your abilities to withstand an attack, please do not hesitate to contact us. We will be more than happy to assist!
Worm: a virus that can recreate itself and spread through a network with no human intervention (See the Morris Worm or Wannacry)
EternalBlue: A vulnerability discovered by the NSA that was leaked by the Shadow Brokers hacker group shortly after Microsoft patched the vulnerability
Wannacry: A ransomware cryptoworm that propagated through the EternalBlue vulnerability, hitting end-of-life operating systems still in use out of support and devices that had not been kept up to date with patches. This ransomware affected more than 200,000 computers in more than 150 countries in just a few days, including National Health Service hospitals in England and Scotland.
RDP: A protocol that allows a user or admin to remotely connect to a computer as though they were using that computer in person.