I have been blogging about ransomware for a long time now, given its devastating impact upon small to mid-sized enterprises. However, there have been some indicators lately that people are finally being forced to pay attention to. For instance, the FBI issued a warning regarding ransomware last month (and again last week), and there is a resurgence of ransomware from last year causing hospitals to turn away patients across the globe. Since organizations are still being afflicted by Ryuk, I have to delve deeper into this particular ransomware attack. I answer common questions such as how companies are infected, and why it’s so difficult to address once they are infected. I separate the common misconceptions about Ryuk from the way it actually works against your defenses, like anti-virus, "next-gen" anti-virus, and more.
If you have been infected by Ryuk or other ransomware, or have paid a ransom in the past as a result of ransomware, ActZero can help - reach out to us here. Or, if you're looking to improve your incident response capabilities check out our guide:
How does RYUK get on my system(s)?
What people think happens: The Ransomware is downloaded from an email attachment or is included in the body of the email itself as an image.
What actually happens: A user clicks on an email, which downloads a Trojan (Trickbot or Emotet), eventually enabling the “command and control” of your machine(s) – this is what enables the actual ransomware to be downloaded later in the process. But first, the malware steals credentials and sends them back to the attacker, spreads internally to other machines over SMBv1 (what Windows uses for file sharing and printing on networks; it’s almost always in use for enterprises who share print resources on a given floor or department). It then gives remote control of the system to the attacker. The problem is getting rid of the Trojan, not the ransomware or it’s files. Once the hacker has control, they push the ransomware to your computer. This usually occurs once they have control of multiple machines, to ensure that the loss of data / operating capability is maximized.
Why the difference matters: Hackers can keep encrypting machines if only the ransomware and NOT the Trojan is removed. Victims inevitably get tired of setting up a server only for it get re-infected again and again.
I have anti-virus/anti-malware – Can I Be Infected?
The short answer is, yes. Anti-Virus products typically block malware based on signatures. The anti-virus “asks” ‘does this executable “look like” (have the same signature as) malware that has been reported or researched before. So, it’s not an issue of “how good” your signature-based solution is, or even “how many signatures” it possesses – the underlying method can’t deal with viruses that are generated to have a unique (never-before seen) signature.
I have "next-gen" anti-virus, EDR, or EPP that doesn’t use signatures - Can I be infected?
Solutions that track zero-days based on behavior or machine learning, can still be duped into allowing the installation of ransomware. This is because, just like signature-based detection tools, hackers can test the virus they create against VirusTotal. Not only can they test it first, to see if it lands, but they can engage in active countermeasures based on the rules that solutions like yours apply. Don’t take my word for it - see this news story about how even machine-learning-driven AV can still fall victim.
Why doesn’t my anti-virus stop Ryuk? Or the Trojans that download it?
Hackers, more specifically the malware developers that supply them don’t really make viruses anymore, they make kits that generate viruses in order to bypass signature detection. Malware makers produce many different versions of the same program, which have different signatures. These programs do the same thing, and achieve the same negative outcomes on your system – just without a signature that your anti-virus is “looking for.” You can see it in action in this video advertisement shows a generator for the Philadelphia ransomware generator for a meager $30.
What people think happens: Anti-Virus vendor can block the virus and the trojan. So, I’ll run an update, conduct a scan, and it should clear out the infection having learned about the new threat.
What actually happens: Virus makers can just submit the samples they made to VirusTotal to find out which ones are currently able to be detected by your AV and send you the ones that pass. In other words, they can test to see whether their newly generated viruses will be identified by most antivirus software before they send it off.
Additionally, once you are infected, they have the ability to further compromise your anti-virus to prevent it taking action. Remember what I said about command and control? One such command they can issue is to shut down the anti-virus.
Can’t I just re-image the machines and update or upgrade my anti-virus?
Many IT professionals aren’t well-equipped to deal with ‘combating’ the infection itself; so they resort to a best practice of backing up frequently, quarantining and re-imaging infected machines. Then, to deal with “what about next time”, they think they can update their existing anti-virus, upgrade to a newer or better “next-gen” anti-virus (see my ancient post on what the difference is).
Why people think this works: They think the approach their AV uses was the reason the virus beat it - it’s not! It’s that a person is able change the file to bypass what a program can analyze about the file itself. Firewalls, Email Gateways don’t solve the problem, they just make it take longer to get through. These are simply additional barriers that a hacker must work around, and unless you have covered every possible point on your attack surface (spoiler alert; you very likely have not) they will still get in.
What actually remediates the issue: Enterprise Firewall and anti-virus are enough security technology, once you have disabled the capabilities used by the malware on the operating system and remedied most hygiene issues in your environment. Start with the most critical (you’ll need a framework to determine which vulnerabilities/patches have the greatest impact).
Which settings do I turn off? How do I apply them? How often must they change? What factors determine the criticality of a given hygiene issue?
For your purposes, these questions are actually rhetorical. The fact is, that even if I gave away all the secret sauce in this blog post, that most IT generalists are without the cybersecurity-specific expertise required to achieve this. Plus, that’s only the “proactive” side of it - they wouldn’t have the tools or processes to actively threat hunt and respond to intrusions (not to mention the time/resources required to do this 24/7). But, by explaining to you how we address these issues, you can see why a managed detection and response service is critical to have in place (ideally, before you are infected) in order to deal with ransomware infections, like Ryuk. Reach out to ActZero to see our service in action.