Chronology of a Ransomware Attack
This chronology is a fictional characterization of an actual ransomware attack on some unsuspecting IT administrators with names and programs that have been changed to protect the innocent (or the unlucky).
Monday, December 7, 2015 – 18:35 (IT Crew)
Dave, Jack, Cathy and Rashid all work in the IT Department of a large Law Firm and are required to stay late daily, after all of the firm’s employees have left for the day, to administer systems and perform the daily backups of computer systems when they are not in use. This after-hours, unsupervised work period gives the IT crew the opportunity to play action/shooter, multi-player games over the company Local Area Network (LAN) while they wait for menial IT tasks to complete for the day. Their game of choice today is called “Solar Commando” and they all downloaded the same “cracked” version of the game using BitTorrent and have been “fragging” each other over the network for the last hour.
Monday, December 7, 2015 – 19:40 (Dave)
Completely entrenched in his multi-player game, Dave is surprised by his Network Support phone line ringing loudly in his cubicle. He pauses his game, calls out across the cubicles to the other players “Got to take this” and picks up the phone. The caller on the other end of the line is his boss, who explains that he can’t connect remotely to the VPN and he can’t access the corporate website. While on the call, Dave opens a command prompt and tries a ping test to both DNS names, and both fail. Knowing the IP addresses of both services, he tries to ping again and they both respond. He determines the problem is with the external DNS server and then attempts to remotely access the server through SSH; the response is very slow, and after at least a minute he finally gets a login prompt. He enters his credentials and the server takes even longer to respond and provide him with a successful login. He then tries to run a few Linux commands to analyse the system resource usage, and it takes the system almost three minutes to respond and show statistics. To his surprise, he finds that the BIND (DNS) process is using more memory than the system has available, and when he does a detailed analysis of the logs he discovers the culprit – too many non-existent domain name queries. He notes that in the last hour alone there have been thousands of log entries from internal hosts on his subnet attempting to resolve DNS names that don’t exist. At this point, Dave announces to his peers that he has to stop playing the game and that there is a problem with DNS.
Monday, December 7, 2015 – 19:52 (Jack)
Upon hearing the DNS issue exclaimed by Dave, Jack, the Microsoft System Center Configuration Manager (SCCM 2007) administrator, pauses his game and opens up the SCCM console to check on any system issues reported by the SCCM client for the DNS servers. The first console window he sees immediately shows that there have been a number of Windows Registry changes on his and others’ PCs in the last hour, and when he opens the alerts to inspect the changes he notices the new registry key “HKEY_CURRENT_USER\Software\CryptoLocker_0388”. Jack inquisitively looks through the alerts at random, sticks his head up over the cubicle and asks “anyone know what CryptoLocker is?”.
Monday, December 7, 2015 – 19:53 (Cathy)
At the same time Jack is discovering the registry changes, Cathy’s computer has become very slow and she decides to close the Solar Commando game, believing it to be the cause. Once the program closes and her Windows desktop appears, she notices her desktop wallpaper has been changed to white text on a black background that reads “All your files was encrypted with CryptoLocker”, followed by four additional paragraphs of grammatically incorrect text explaining that she needs a decryption key and has 3 days to pay for services or she will lose all of her files. The message goes on to instruct “IT-specialists” that the data was encrypted using AES and RSA algorithms and that to crack the key she would need more than a millions years. Cathy immediately follows her instincts, knowing her IT peers were capable of playing this sort of prank on her, and yells out over the cubicles “which one of you nut-jobs changed my wallpaper?”
Monday, December 7, 2015 – 20:10 (Rashid)
Amidst all the commotion created by the issues others are seeing, Rashid closes his game and reports he has the same wallpaper indicating his files have been encrypted as well. He is the Backup administrator for all of the servers and happens to already have the Backup Server console window open, where he notices that many of the backups are failing with alerts indicating that the backup software can’t copy any of the files it is attempting to prepare for backup across any of the network shares. The error message is access denied. Rashid opens one of the shared folders all users save data to and attempts to open one of his documents, and is immediately presented with a dialog box indicating that the format of the file extension is not valid. He tries several of his document types and they all fail. Suddenly, a dialog box presents itself stating his files have been encrypted and that he has less than 72 hours left to pay “300 USD / 300 EUR”, and to select “Next” to choose a payment method. Naturally, Rashid clicks “Next” and is provided a drop-down menu that gives him payment options of either “MoneyPak” or “Bitcoin”. At this point Rashid yells out to the team “folks, we have a really bad problem!”
Post-Mortem of a Ransomware Attack
Attack Vector: during the post-mortem it was discovered that the pirated copy of the game the IT administrators obtained through BitTorrent was encapsulated inside an infected executable, and when they each installed the game, they subsequently installed the malware.
Attack Timeline: while they were busy playing their game, the malware was busy locating its Command & Control (C&C) server on the Internet through a covert means known as a Domain Generating Algorithm (DGA). The malware sends thousands of DNS requests for names on a list it has stored until it finds the one that resolves to the location of the C&C server; that server later sends the decryption key to unlock the files once the attacker has been paid the ransom.
Attack Propagation: since all of the IT administrators had privileged access and had all of the corporate network “shares” mapped to their PCs, the malware easily accessed thousands of files used by every department in the law firm. The ransomware does not have the ability to infect other computers over the corporate network, only the files accessible through file shares connected to the administrators.
Attack Detection: during the post-mortem it was determined that all of the PCs in the IT lab were running out-dated anti-virus software which, had it been current, may have mitigated the attack in the first place. Additionally, the company did not have any Security Information and Event Management (SIEM) tool that may have identified the thousands of DGA requests passing through DNS and alerted someone.
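The detection opportunity described in Dave's log review and in the Attack Detection finding above is a simple one: an infected host produces a burst of NXDOMAIN responses for random-looking names. The following Python script is an added example, not part of the original article or of any product it mentions; it scores each client in a resolver log by its NXDOMAIN count and by the Shannon entropy of the queried labels, which is a common DGA heuristic. The log lines are constructed for the example, and their layout (timestamp, client, rcode, qname) is a simplified stand-in for whatever a SIEM would normalize BIND logs into, not BIND's own query-log format; the thresholds are assumptions to be tuned against a real baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of resolver responses, written for this example.
# 10.20.4.11 shows the DGA burst, 10.20.4.12 a smaller one, 10.20.4.50 normal
# browsing with a single typo (wwww.example.com). Not real BIND log format.
SAMPLE_LOG = """\
2015-12-07T19:02:11 client 10.20.4.11 rcode NXDOMAIN qname qzxkvmrtplwe.net
2015-12-07T19:02:11 client 10.20.4.11 rcode NXDOMAIN qname bwoqkjdhgsyt.com
2015-12-07T19:02:12 client 10.20.4.11 rcode NXDOMAIN qname fnxlcvaepdjq.org
2015-12-07T19:02:12 client 10.20.4.50 rcode NOERROR qname www.example.com
2015-12-07T19:02:13 client 10.20.4.11 rcode NXDOMAIN qname ykmzvsgtwqhb.info
2015-12-07T19:02:13 client 10.20.4.50 rcode NXDOMAIN qname wwww.example.com
2015-12-07T19:02:14 client 10.20.4.11 rcode NXDOMAIN qname rdplxjtzkcvn.net
2015-12-07T19:02:14 client 10.20.4.12 rcode NXDOMAIN qname tmqwhdrvbkxe.com
2015-12-07T19:02:15 client 10.20.4.11 rcode NOERROR qname www.example.com
2015-12-07T19:02:15 client 10.20.4.50 rcode NOERROR qname mail.example.com
2015-12-07T19:02:16 client 10.20.4.11 rcode NXDOMAIN qname gwhvqzmbnlsy.com
2015-12-07T19:02:16 client 10.20.4.12 rcode NXDOMAIN qname pzlfcnjoqgda.net
2015-12-07T19:02:17 client 10.20.4.50 rcode NOERROR qname intranet.example.org
2015-12-07T19:02:17 client 10.20.4.12 rcode NXDOMAIN qname vxykrmstqewz.org
"""

LINE_RE = re.compile(r"client (\S+) rcode (\S+) qname (\S+)")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random DGA labels score high."""
    if not label:
        return 0.0
    counts = Counter(label)
    total = len(label)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Return the label just below the TLD, e.g. 'example' for wwww.example.com."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyze(log_text: str, nxdomain_threshold: int = 5, entropy_threshold: float = 3.0) -> dict:
    """Per-client statistics; a client is suspicious when it has at least
    nxdomain_threshold NXDOMAIN answers whose labels average entropy_threshold bits.
    Both thresholds are assumed values for the example, not vendor defaults."""
    nx_labels = defaultdict(list)
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not carry a response record
        client, rcode, qname = m.groups()
        totals[client] += 1
        if rcode == "NXDOMAIN":
            nx_labels[client].append(registrable_label(qname))
    report = {}
    for client, queries in totals.items():
        labels = nx_labels.get(client, [])
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels) if labels else 0.0
        report[client] = {
            "queries": queries,
            "nxdomain": len(labels),
            "mean_entropy": round(mean_entropy, 3),
            "suspicious": len(labels) >= nxdomain_threshold and mean_entropy >= entropy_threshold,
        }
    return report


def suspicious_clients(log_text: str, **thresholds) -> list:
    """Sorted list of client addresses the heuristic would raise an alert for."""
    return sorted(c for c, s in analyze(log_text, **thresholds).items() if s["suspicious"])


if __name__ == "__main__":
    for client, s in sorted(analyze(SAMPLE_LOG).items()):
        flag = "ALERT" if s["suspicious"] else "ok"
        print(f"{client:12} queries={s['queries']:3} nxdomain={s['nxdomain']:3} "
              f"entropy={s['mean_entropy']:.2f} {flag}")
```

With the default thresholds only 10.20.4.11 is flagged; lowering the NXDOMAIN threshold to 3 also catches 10.20.4.12, while the typo from 10.20.4.50 never trips the rule because its label is an ordinary word with low entropy. The entropy test is what separates a DGA burst from a legitimate host that simply mistypes names, and a SIEM rule built on these two counters over a sliding window is the alert the post-mortem says was missing.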
Attack Clean-Up: the clean-up of the attack was quite costly, since the company agreed to pay the attacker’s ransom to recover some critical client legal files that couldn’t be backed up during the attack. They further paid a consultant to recover data on the file servers using shadow copies and the previous day’s backups. The company also terminated the 4 administrators and continued using the third-party consultants while they found replacement employees.
System Administrators need to be especially vigilant in conforming to corporate security policies and need the appropriate security awareness training to understand the threats and the risk to the infrastructure they are managing. As the threats morph and the attackers find more covert ways to inject malware into the most benign applications and processes, it’s the SysAdmins and their escalated privileges that become the target.