"I'm sorry, your files are locked!"
So, we were doing an assignment on ransomwares. It's for the introduction to computer science course, since we touched on information security and paid some good attention on that, it is kinda expected. Well, not too bad, we picked this one out of 3 topics (analysis on ransomware attacks, analysis on phishing attacks, analysis on data breaches). At least, it is something we know what is going on...data breaches eh, I can't get an example on my mind for now xD.
We are required to do a case study on a ransomware attack case (it doesn't matter which one, we can choose what we like), so we went and searched for some ransomware attacks that can be written...I mean, we can indeed choose whatever we like, but we need it to involve some organization, and it needs to have sufficient news coverage for us to write on and observe, then compare, then...probably write 3 thousand words on it (or whatever that makes up 8 pages). So, we cannot just randomly pick some family that got attacked by Wannacry and write about it because it's just impossible. Instead, we went and searched for some cases that are huge enough for the attackers to demand big ransoms. We did found a few good ones, although the ransoms are not that big, but yea we could squeeze pages out of that.
So let's see what we found, because apparently that's the thing that swung in my mind from this morning till now.
We picked a case in which a hospital (Hancock Health) got attacked by a ransomware called SamSam. It's quite an interesting one - the attack is not randomly shot across the net like Wannacry did, it was planned and executed by someone with a clear target and some clean procedures.
First of all, the attack was started by the attackers that hacked a third-party vendor that provides the hospital a remote access portal. You know, certain vendors have a master password as a legit backdoor to help their users out when they get into trouble, so apparently this has one. The attackers got the password, logged into their server, and deployed that ransomware to let the chaos begin. Their IT staff was pretty responsive and knew that something was wrong when the performance of their systems dropped, but they were still not fast enough to stop the thing from happening. It became a pretty painful weekend for them - the attack happened on Thursday night, so starting from Friday everything was done using the traditional way of pen and paper. Luckily the life support systems were safe.
The attackers were pretty smart - well, they must be smart to attack - they knew that they have a backup, since they started the attack on the backup server. What's interesting? They didn't delete all the backups right away, they just corrupted the most important part of the backups, so that they can get their records back, but everything else will remain broken. Upon learning about that, they decided to just pay the ransom and pray that things will go fine - it did, the 55k USD ransom did bought them the decryption key. On Monday, things were back on track. Good for them.
You can read a little more about this here, and their CEO's summary of the event. It was a pretty good read. That's why I like assignments like these, you get to read some pretty nicely written articles that you don't normally dig for.
Well, what's the point of doing case studies if we don't learn from them?
The biggest lesson from this incident, from my own viewpoint, is that you should never keep important backup machines online, or let it connect directly with any of the machines connected to the internet. Let's just sit and think for a moment - if you want someone to pay you for those files, you will need to let them lose access to the files in any means. If they can just restore the files from backups, you don't get the money. So, newer ransomwares will try to delete your backups, if they find any, or even shadow copies (some strange Windows feature that I don't really understand here, but you may search on it and probably learn something new). What you can do is, prevent yourself from being a victim of ransomware attacks, and also keep your backups away from them. If you need a spoonfed method for the latter, just dump your backups into an external hard disk then put it at somewhere safe. Practically, as long as it is not exposed to other machines, it is safe. Computer viruses can't live in air.
Also, always patch your computers, despite how much you hate to do so. Yes, I mean Windows Updates.
I don't want to say how much trouble Wannacry did to the world just because that big portion of Windows computers did not install the security patch. So, probably every weekend night, go scan for updates and let it install overnight. I know it's painful, but you should still do it for your own sake, and put the blame on Microsoft for not developing a more efficient patching method. Hey, Linux doesn't take more than 5 minutes to install a kernel update...
I guess that's all for now, assignments like these really do help us to learn and read more. Who else reads random articles on the net for no purpose anyways? See you next time.
P/s: Go search on "city of atlanta ransomware", that's also an interesting one.
:)