Next Generation Bank Heist

Catchy title, I know. Please allow me to be clear: if you elect to take this article as an instruction manual to make negative decisions, I guarantee you will be caught. This article will illuminate how Ransomware is a silent but deadly piece of software designed to cause you much pain and anguish, that is, if you don’t protect yourself from it. It would be even better if you carry this knowledge to your enterprise with a new perspective and effective advice on how to prevent this from happening at all.

“Burglars know there’s more ways than one to skin a vault,” and that’s precisely what they have been doing over the last 2 years, digitally: skinning electronic vaults by “hiring” sophisticated, but affordable, underground Ransomware-As-A-Service (RaaS) vendors. In case you are wondering what RaaS is, it’s the latest development of ransomware, coming with customer support and service level agreements. As you can imagine, this is a threat deserving an ample amount of respect.

The Middle East was center stage in the Ransomware wars of 2015. Robbers equipped with an email and a few hours of “know-how” have been wreaking havoc on Financial Institutions, exploiting an easily averted vulnerability found at the employee training level. Email is the most common delivery mechanism for Ransomware: emails disguised as legitimate, from a source you would think familiar. Once this email is opened and the victim (or untrained employee) is allowed to unpack the attached Archive File, the heist has begun. These emails aren’t easily detected by companies’ SPAM filters because, in short, lots of time and effort were spent creating them to avoid SPAM detection software. In most cases, the same goes for Anti-Virus solutions: the code is crafted so that its signatures are not detected by most anti-virus engines, making it more elusive and harder to avert.

Understanding Ransomware:

Wikipedia defines Ransomware as “a type of malware that restricts access to the infected computer system in some way and demands that the user pay a ransom to the malware operators to remove the restriction.” See diagram.

Enough about the problem. Let’s discuss solutions. What can be done to protect your organization from becoming a Ransomware victim? Lots, and it’s relatively simple. “Relatively.”

Solutions:

A.    Because ransomware’s primary delivery mechanisms all seem to stem from a phishing style email, it is imperative for organizations to TRAIN their workforce on Email Phishing Attacks. Frequently. Furthermore, this training should include “Reality Testing” exercises by either your company or a security consulting firm conducting a live exercise of a Spear Phishing campaign across the entire enterprise. Tracking the employees who do not pass these tests and retraining them is imperative to the success of this critical operation. If you are not comfortable with this, please hire a professional.

B.    Enable “Attachment Filters” at all Mail Gateway technologies. “Capture, block, or trap” emails with attachments containing Archives or JavaScript code. Because of the relatively new nature of these ransomware variants, it’s imperative Email Anti-Virus technologies are configured to scan for Archives. Heuristic detection should also be turned “ON.”  Such email filters can be implemented in properly configured Anti-Virus Gateways, Web-Filters with SMTP Capable Services, and Firewall / IDS technologies as well.

C.    This would be a good time as a System Engineer or InfoSec professional to recommend all email clients are configured to use Rich Text, and not HTML rendering, as an enterprise policy.  In a Microsoft environment, it can be handled by GPO or within Exchange Server configurations.

D.    If you have Firewalls, Intrusion Detection Systems, Mail Gateways and other Perimeter Network Security Appliances capable of inspecting SMTP (email) traffic, we suggest you implement File Type Recognition triggers for files with the RAR extension. Most ransomware comes in the form of a RAR archive identified by the (.rar) extension.

E.    Force Anti-Virus and Host Based Security System (Host Based IDS) policy updates to ensure all nodes are updated and policies are replicated to all end-points. Because the core code elements are 2 years old, some Anti-Virus vendors should have signatures to capture older variants of this Trojan.

F.    All Firewalls, Network Devices, and Intrusion Detection Systems (or, if you’re a smaller organization, your ISP or Security Solutions Provider) should monitor for suspicious traffic on uncommon ports. Identified hosts communicating on these ports should be investigated for infection in a “sandbox” environment immediately. Proper VLAN and Network Segmentation should allow for proper mitigation controls to ensure propagation is minimized.

G.    Ensure that NAT (network address translation) table logs are retained for an adequate time period, so that when a perimeter network appliance (Firewall, IDS, JIDS, Web Proxy, etc.) detects an infection, reverse host lookups are possible to identify the infected host.
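The attachment-filter and RAR file-type-recognition items above both come down to one gateway check: look at what an attachment actually is, not only what it is named. The script below is an added example written for this article, not code from the original piece or from any vendor product. It parses a raw email, and for every attachment checks the file signature (the standard RAR, ZIP and 7z magic bytes) before falling back to the extension, so a RAR archive renamed to .pdf is still trapped. The sample message, its addresses and its attachment contents are constructed for the example; none of them is real malware.

```python
"""Mail-gateway attachment filter: trap archive and JavaScript attachments."""
import email
import os
from email import policy
from email.message import EmailMessage

# Standard file signatures for archive formats used to wrap droppers.
# RAR4 and RAR5 share the "Rar!\x1a\x07" prefix and differ in the trailing byte(s).
ARCHIVE_MAGIC = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "zip": (b"PK\x03\x04",),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
}
ARCHIVE_EXTENSIONS = {".rar", ".zip", ".7z"}
SCRIPT_EXTENSIONS = {".js", ".jse"}


def detect_archive_format(data: bytes):
    """Return the archive format name if the bytes start with a known signature."""
    for fmt, signatures in ARCHIVE_MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def classify_attachment(filename: str, data: bytes):
    """Return a reason string if the attachment should be trapped, else None.

    Content is checked before the declared filename, so a RAR renamed to
    .pdf is still caught by its signature.
    """
    ext = os.path.splitext(filename.lower())[1]
    fmt = detect_archive_format(data)
    if fmt is not None:
        return f"archive content ({fmt} signature)"
    if ext in ARCHIVE_EXTENSIONS:
        return f"archive extension ({ext})"
    if ext in SCRIPT_EXTENSIONS:
        return f"script attachment ({ext})"
    return None


def inspect_message(raw: bytes):
    """Parse a raw RFC 5322 message; list (filename, reason) for trapped parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(filename, data)
        if reason:
            findings.append((filename, reason))
    return findings


def gateway_verdict(raw: bytes) -> str:
    """'trap' if any attachment matches the filter, otherwise 'deliver'."""
    return "trap" if inspect_message(raw) else "deliver"


def build_sample_message() -> bytes:
    """Constructed test message (assumed addresses, harmless placeholder bytes):
    a benign text file, a .rar, a RAR renamed to .pdf, and a .js attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "clerk@bank.example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment("just notes\n", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"Rar!\x1a\x07\x00" + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.rar")
    msg.add_attachment(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
                       maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment(b"// placeholder script\n", maintype="application",
                       subtype="javascript", filename="invoice.js")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, reason in inspect_message(raw):
        print(f"TRAP {name}: {reason}")
    print("verdict:", gateway_verdict(raw))
```

On the sample message the filter traps invoice.rar and statement.pdf on their RAR signature and invoice.js on its extension, and lets notes.txt through. In a real gateway the same classify step would run on every attachment before delivery, and the trapped message would be quarantined with the reason logged.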
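The last item, retaining NAT table logs so that a perimeter alert can be traced back to an inside host, is easiest to see with a worked lookup. The script below is an added example for this article, not code from the original piece or any firewall vendor. The NAT log line format, the IDS alert format, the addresses and the timestamps are all constructed for the example. The point it shows: an IDS outside the NAT only sees the translated public source port, that port is reused over time, so the lookup must match the full translated tuple and pick the most recent translation at or before the alert, and it returns nothing if the log no longer covers that time.

```python
"""Reverse NAT lookup: map a perimeter IDS alert back to the inside host."""
import re
from datetime import datetime, timedelta, timezone

# Constructed NAT translation log. The line format is an assumption made for
# this example, not any particular vendor's syslog format:
#   <timestamp> NAT <inside ip:port> -> <outside ip:port> dst <dest ip:port> <proto>
NAT_LOG = """\
2016-01-12T09:10:41Z NAT 10.20.5.17:51234 -> 203.0.113.10:40001 dst 198.51.100.77:443 tcp
2016-01-12T09:13:58Z NAT 10.20.5.42:49877 -> 203.0.113.10:40002 dst 198.51.100.77:4444 tcp
2016-01-12T09:14:03Z NAT 10.20.5.17:51240 -> 203.0.113.10:40001 dst 192.0.2.55:80 tcp
2016-01-12T10:02:17Z NAT 10.20.5.42:49901 -> 203.0.113.10:40002 dst 198.51.100.77:4444 tcp
"""

# Constructed IDS alert as seen outside the NAT: only the translated (public)
# source address is visible, so the alert alone cannot name the infected host.
IDS_ALERT = ('2016-01-12T09:14:05Z IDS src 203.0.113.10:40002 '
             'dst 198.51.100.77:4444 tcp msg "outbound connection on uncommon port"')

NAT_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<in_ip>[\d.]+):(?P<in_port>\d+) -> "
    r"(?P<out_ip>[\d.]+):(?P<out_port>\d+) dst (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"(?P<proto>\w+)$"
)
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) IDS src (?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<proto>\w+)"
)


def parse_ts(text: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> list:
    """Turn NAT log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("in_port", "out_port", "dst_port"):
            d[key] = int(d[key])
        d["ts"] = parse_ts(d["ts"])
        entries.append(d)
    return entries


def reverse_lookup(entries, out_ip, out_port, dst_ip, dst_port, proto,
                   alert_time, window=timedelta(hours=1)):
    """Find the inside host behind a translated tuple at alert_time.

    Outside source ports are reused, so the match is on the whole
    (outside, destination, protocol) tuple and restricted to the most recent
    translation created at or before the alert within `window`.
    """
    candidates = [
        e for e in entries
        if e["out_ip"] == out_ip and e["out_port"] == out_port
        and e["dst_ip"] == dst_ip and e["dst_port"] == dst_port
        and e["proto"] == proto
        and alert_time - window <= e["ts"] <= alert_time
    ]
    if not candidates:
        return None  # nothing retained for that window: log too short or rotated
    return max(candidates, key=lambda e: e["ts"])


def identify_host(nat_text: str, alert_line: str):
    """Resolve an IDS alert line to 'inside_ip:port', or None if not resolvable."""
    m = ALERT_RE.match(alert_line)
    if not m:
        return None
    hit = reverse_lookup(parse_nat_log(nat_text), m["src_ip"], int(m["src_port"]),
                         m["dst_ip"], int(m["dst_port"]), m["proto"], parse_ts(m["ts"]))
    return None if hit is None else f"{hit['in_ip']}:{hit['in_port']}"


if __name__ == "__main__":
    print("infected host candidate:", identify_host(NAT_LOG, IDS_ALERT))
```

For the constructed alert the lookup returns 10.20.5.42:49877, the host whose translation to port 40002 was created seven seconds before the alert; the later reuse of the same port at 10:02 is correctly ignored. If the NAT log had already been rotated past 09:13, the same alert would resolve to nothing, which is exactly the retention gap the item above warns about.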

Furthermore, if you have not implemented a strategic, enterprise-wide backup policy for Critical Assets, it’s time. Whether you leverage an online Cloud Solution or an in-house, OS-native one, just having one is better than not. Though advances in decryption software have been made, it is still highly unlikely that you will recover your data without paying the ransom if you’re infected.

It’s best you stick to the preventive measures defined above. An ounce of prevention will save you pounds of currency in the long run.

Please feel free to contact me at tate@bitsdigits.com, or at 1.844.BTS.DGTS, should you have any questions comments or concerns. We take security seriously, as should you.

Edited January 2020.


Original Exclusive article by J. Tate, Chief Intelligence Officer, bits&digits in January 2016 issue of BizBahrain magazine, pg. 78 – 79.

