Ransomware has been around for a number of years, starting out as spam email blasts to see who would click on a link or open an attachment containing malware. It would encrypt victims' Word, PowerPoint, pictures, and other files for a standard ransom to get the data back, usually about $300. Cyber criminals were just looking to spread the net as wide as possible and see what would stick. Not anymore.
Ransomware has become much more sophisticated, efficient, and very targeted. Criminal actors have combined several attack vectors to collect a much higher rate of return per campaign. Spear phishing emails are nearly impossible to identify as malicious, and traditional network compromises are being used not only to compromise custodial data but to make their profit from the organization that most values the data, the owner.
In late April, a managed service provider (MSP) in the southeast was targeted. Being the host for over 280 customers makes for a very target rich environment. Here is the story.
A customer of the MSP called the support team and asked for a port to be opened on a firewall for a backup system. The password for the backup system was set to “backup1”. Within a week they were compromised with the latest and greatest ransomware. The ransom was set at $50k. The MSP’s insurance company pulled their law firm to help with the logistical details under privilege—who in turn brought in a digital forensics company. It became clear very quickly that the mission of both of these organizations was to protect the insurance company, not the insured.
The MSP brought in our team to assist with the investigation and cleanup to protect their interests and work alongside the legal and forensic firms. Our triage of the scene showed the attackers first deleted all of the backups. Next, they wiped out of the co-location data and encrypted over 56 Terabytes of data, making it useless without the keys. Consultations with other forensics and incident response organizations and the FBI lead to the conclusion that the only way to recover the data was to pay the ransom. A small amount was paid for proof the tool would work before the full ransom was paid. It should be noted that the law firm charged $5k just to execute the Bitcoin transactions.
Then the real work began. Technical teams worked 24 hours a day for four days to decrypt and return all of the data to a usable state. Additionally, there was a lot of work to be done to find and remediate all additional vulnerabilities which would be beyond the scope of the current investigation. As we see in most cases, the attackers now know the MSP will pay the ransom, so they will likely be back. Any vulnerability left behind will be used for round two.
Total costs estimated as of this writing well exceed $100k, and there is still considerable remediation work to be done. There has been no payment as yet from the insurance company, while the forensics team and law firm continue to evaluate whether this is a payable claim. In many cases the claims are not paid if there is any negligence that can be proved on the part of the insured.
There are two lessons to be learned from this event:
Lesson 1:
Do not blindly trust your managed service or cloud providers, or any technology vendor. Using vendors as a launch point is one of the most popular attack vectors for cyber criminals. Many service providers provide impressive slide decks of the security they provide, but it is sometimes just “Security Theater.” Some will provide an impressively thick System and Organization Controls SOC II report, which is where an accounting firm audits all of the controls the MSP provides. There is nothing in these reports that shows missing security practices. They could be doing everything they provided the accountants very well, but missing entire areas of security standards and best practices. The only way be sure that your business is properly protected is to manage your own vendor risk program. Each vendor must be risk ranked and their dependence and business exposure prioritized so that the appropriate level of evaluation can be assigned. Evaluations should be done at a regular cadence and diligently managed with proper follow-ups on security gaps.
Lesson 2:
The vulnerabilities in our systems are most often not technical; exposers come through absence of processes or lax procedures. This attack and the exorbitant cost to the business could have been prevented with a proper security program. First, the client request for a change in the firewall rules should be pushed through a change management process that included proper approval, back-out strategy, and management, etc. Second, the password used was about as weak as possible. A basic dictionary word with a number added to the end is child’s play for even a novice hacker. Lack of education and awareness of basic security requirements combined with absence of an enforced password policy made this attack very easy.
This story is merely one of thousands. Ransomware incidents have risen over 50 percent in the last year, according to the just released Verizon Data Breach Investigation Report. In the survey, financial services was the top industry affected, at 24 percent.
The only way to properly protect your organization is to consider ALL of the attack vectors and have a complete security program including executive leadership. Included in that program should be an incident response plan that includes a ransomware attack scenario. The growth rate and the successful attacks that we are seeing would seem to indicate that is it not a matter of if but when. Make sure your organization is prepared.
