Aurich Lawson

There’s something inherently world-changing about the latest round of crypto-ransomware that has been hitting a wide range of organizations over the past few months. While most of the reported incidents of data being held hostage have purportedly involved a careless click by an individual on an e-mail attachment, an emerging class of criminals with slightly greater skill has turned ransomware into a sure way to cash in on just about any network intrusion.
And that means that there’s now a financial incentive for going after just about anything. While the payoff of going after businesses’ networks used to depend on the long play—working deep into the network, finding and packaging data, smuggling it back out—ransomware attacks don’t require that level of sophistication today.
It’s now much easier to convert hacks into cash.
Harlan Carve, a senior security researcher at Dell SecureWorks, put it this way. “It used to be, back in the days of Sub7 and ‘joy riding on the Information Highway,’ that your system would be compromised because you’re on the Internet.

And then it was because you’ve got something—you’ve got PCI data, PHI, PII, whatever the case may be.

Then it was intellectual property.

And now it’s to the point where if you’ve got files, you’re targeted.”
This week’s ransomware attack at Maryland’s MedStar Health hospital network is a prime example.

For more than a week, 10 hospitals operated without access to their central networks, because the Windows servers controlling MedStar’s domains were locked down by the ransomware variant known as Samsam.
Security firms report that there have been many other incidents with Samsam over the past few months.
Some attacks have encrypted the contents of hundreds of servers and desktops.
The Samsam attacks have been so effective in part because the attackers have been able to gain administrative access to the Windows domains they’ve hit by taking advantage of a collection of relatively well-known exploits.

These exploits, some of them years old, are still so widespread that a cursory scan by Cisco Talos Labs uncovered more than 2 million systems vulnerable just to the JBoss application server exploit used by the Samsam attackers.
Given the rapidly shifting nature of crypto-ransomware and the growing ambition and skill of those deploying it, things are going to get a lot worse for many organizations before they get better. Perhaps worse; it’s not as if people haven’t seen this coming.
Easy money
As a form of criminal business, crypto-ransomware is low-risk with an increasingly high yield. While the potential payoff of data theft can generate a lot of cash for cybercriminals—either through credit fraud, tax return fraud, or sale of identity information—crypto-ransomware provides a way to get paid directly by the victim with little risk of exposure.
It taps into an already thriving market of Bitcoin transfer services and malware-as-a-service operators, allowing just about anyone to make money off a few unlucky victims.
At least so far, there’s also little fear of law enforcement tracking ransomware operators down. Many cases of crypto-ransomware attacks go unreported to law enforcement—or to anyone else, especially when the targets are companies. “Companies don’t like talking about these incidents because they’re worried they may escalate the situation they’re in or become targets for other attackers,” said security researcher Roel Schouwenberg. “Folks are also concerned that talking about these attacks in a public setting will encourage more criminals to go the targeted ransomware route.”
These attacks are becoming more targeted, at least in terms of how targets are chosen.

Corporate and organizational e-mail accounts are increasingly the focus for phishing attacks, particularly with malware like Locky and Petya. Petya specifically targeted German corporate HR employees; Locky comes in on a Microsoft Office document often disguised as an invoice.
“The targeted attacks that I’m aware of started to become more prevalent over the course of 2015,” Schouwenberg told Ars. “I’m talking about a number of different threat actors, but it’s very hard to get the full picture.
So far, the numbers are not near those of targeted network exploitation.”
The targeted phishing approach counts on convincing users to click on an attachment or link and sometimes actively change settings or give approval for the malware to be installed.

But as attackers who have done network exploitation to steal data in the past have seen the payoff from ransomware and its disruptive effect on victims, they’ve clearly taken notice. Now, at least some of these criminals are employing ransomware themselves in a more direct way than phishers.

This latest wave uses built-in system administration tools to help spread ransomware across the network or at least on systems where it will do the most damage.
The worst part of this new development is that there are likely already compromised systems in these networks or out-of-date or misconfigured software that can easily be compromised to help spread ransomware.

As demonstrated by a number of documented attacks by the group spreading Samsam, the ransomware operators behind an attack today likely have access to the targeted network for weeks or months.

These crypto-crooks can bide their time before springing an attack.
Part of that may be because attackers are waiting to see if their presence gets detected, judging whether the target is actively monitoring systems.
It’s also likely that attackers simply have a long list of other networks to attack already in queue.
In the current network climate, the operators of Samsam have a target-rich environment to go after.
Carvey emphasized that while the Samsam attacks have been associated so far with exploits of JBoss, future attacks could use any of the other well-known vulnerabilities already in circulation. “I’m waiting for the next one to come in where they didn’t have a JBoss server,” he said. “Somebody’s going to say, ‘We don’t use JBoss—we use IIS so we’re safe.'”
That thought was echoed by Craig Williams of Cisco’s Talos Research. He told Ars that the way ransomware was evolving, the next attacker could easily use a common content management system vulnerability to get in to launch their attack. One misconfigured Drupal server or an improper file permission setting on a file upload utility could easily lead to a backdoor into many organizations’ networks.
The 2014 hack of the University of Maryland’s network demonstrated how widespread these sorts of vulnerabilities are.

A well-crafted Google search can reveal hundreds of backdoor “Web shells” installed that take advantage of misconfigured websites run on servers within organizations’ networks.
Such a structure gives even the most casual attacker instant access to systems, and from there anyone can seemingly launch ransomware or other attacks.

Even in today’s increasingly security-minded world, many vulnerable systems never get patched well after problems are identified.

This situation isn’t getting better—in fact, it may be accelerating in the other direction.
“People think of the Hollywood version of the hacker groups somewhere in a dark room devising these really innovative and creative kinds of techniques,” said Kevin Kelly, the CEO of LGS Innovations. His security company formed as a spinoff of the federal research arm for Bell Labs. “The reality is that most of the attack vectors are administrative vulnerabilities that creative and talented people have discovered over time, but they weren’t the work of some evil mastermind somewhere in a basement.

The amount of software going into everything—including the Internet of Things, which is a booming marketplace—is just proliferating these vulnerabilities globally.”
The problem isn’t limited to Web applications.
In the rush to develop mobile applications for employees and customers, organizations have often opened up whole new avenues for attack on the server-side. “The biggest problem I’ve seen—not unlike what you’re seeing with JBoss—is companies who have deployed a mobile app and maybe don’t realize that having a mobile app that gets information from a URI is putting an API on the Internet,” said Greg Brail, chief architect at the application program interface (API) platform provider Apigee. “Or they may have realized what they’re doing, but they didn’t realize how easy it was to discover.”
Often, those mobile application interfaces haven’t been properly secured—giving attackers insight into the companies’ server infrastructure and potentially offering even more channels for attack.
Listing image by Aurich Lawson

Exploit, Explore, Extort

The attackers behind Samsam used automated tools to exploit JBoss servers…

The attackers behind Samsam used automated tools to exploit JBoss servers…

..but their spreading of the malware within the network was largely sysadmin-style grunt work.

What JexBoss looks like from the attacker’s side.

The code could conceivably be altered to automate attacks against a list of targets found through Google searches and other network exploration.

Cisco Talos
A screen grab of a “discussion” between a Samsam victim and the crypto-ransomware’s operators through their Tor .onion site.
In some cases, the attackers asked for more Bitcoins after initial contact, raising the stakes.

Samsam may have only recently surfaced as a major threat, but the individuals behind it have been active since at least the fall of 2015.
So far, Dell SecureWorks’ incident response team has dealt with three clients who were hit by Samsam—none of them in healthcare, though healthcare companies factored heavily in the several dozen attacks being tracked by Cisco’s Talos Research.
In each case, the attack began with an exploitation of a vulnerability in an Internet-facing JBoss server months earlier.

And in one case, a server had already been exploited by another attacker to run a Bitcoin miner as much as two years prior to the ransomware attack.
The attacks generally looked like this: first, a JBoss server is exploited using JexBoss, a tool developed for penetration testing. JexBoss can be used to scan for vulnerable sites, testing to see if the JMX management interface is accessible from the Internet.
Specifically, it tests for whether the JMX console, Web console, and HTTP invoker interfaces have been left open.
Properly configured, JMX should be limited to access from the local network, but the default installation of JBoss leaves the JMX interface exposed.
Securing them then becomes an exercise for the system administrator. When vulnerable servers are found, JexBoss can use the exposed interfaces to install a remote shell on the targeted system—giving the attacker what amounts to an administrative level command prompt.
JexBoss works on JBoss servers using any operating system, but the Samsam attackers were seeking JBoss installations running on Windows networks.

And while the initial compromise of the servers was fairly push-button, much of what followed was manual Windows administration grunt work.
In the next phase of their campaign against each victim, the Samsam attackers issued remote commands to download and install a number of utilities.

There was some variation, but based on Cisco Talos and Dell SecureWorks these tools generally included:
ReGeorg, a Python-based SOCKS proxy (which, in turn, probably meant installing Python).
Mimikatz, a tool for sniffing Windows login credentials from the server’s memory.
The Hyena network scanning tool, a commercial administrative tool run that has an interface similar to Microsoft’s “File Explorer” and management console tools. Running Hyena would have required a Remote Desktop Protocol (RDP) session.
PsExec, a remote control tool that allows sets of commands to be executed across multiple target computers simultaneously.
A collection of Visual Basic and batch scripts used to deliver the malware.
Then came the reconnaissance. With the compromised server now essentially a window to the entire network of the victim, the attackers used captured administrative credentials to explore the networks and choose their targets for infection with Samsam. “In the customers we dealt with, it wasn’t a 100 percent infection of all systems,” Carvey said. “The best we could get for a number from one of our clients was ‘several of our 200 servers.’ Another client said 135 systems, and another said 143 systems—out of a significantly larger number of total endpoints in their infrastructure.” Carvey said he didn’t know exactly why those systems were targeted and not others.

Carvey suggests it could have been that there were certain files found on the systems attackers ultimately went after.
One thing is clear from how the attack played out at MedStar—the attackers went after servers, including domain servers.

At a transportation company that called SecureWorks’ incident response team in, administrators discovered there was a problem only after they could no longer remotely administer some of the organization’s key servers.
When the malware was finally deployed, it was done quickly.
In some cases, it was installed via the PsExec tool, launching scripts to remotely install and activate the Samsam malware. “What we’ve seen is the use of simple VB scripts and batch files, all of which have been left behind,” Carey said.

There’s also evidence that in some cases the attackers made RDP connections to systems from the compromised server to install the malware, Carvey added.
Marianne Mallen of Microsoft’s Malware Protection Center noted the attackers also used Windows’ vssadmin.exe utility in some cases to delete the “shadow files” on targeted systems.

That prevented administrators from simply rolling servers and workstations back to a previous, known good state. Locked out of their servers, administrators had two choices—restore hundreds of systems from the ground up, or pay the ransom.
The trap sprung, the attackers then just had to sit back and wait for the victims to contact them.

Through a Tor .onion site, the attackers started off demanding 1 Bitcoin per system (about $420 today) for the keys to unlock data.
In later attacks, they raised the per-system ransom to 1.5 Bitcoin (about $630), but they also offered to provide all the keys for 22 Bitcoins (about $9,300).
In one case documented by Dell SecureWorks, the ransom was raised to 40 Bitcoins (nearly $17,000) for all the keys for one victim after the initial contact.

Cisco Talos observed the rising demands as well; Craig Williams told Ars he believed that the attackers were testing to see what the market would bear for ransom demands.
Given the publicity around recent payouts by hospitals, it appears that price hasn’t yet reached the tipping point.
The other shoe drops?
What’s strange about the Samsam intrusions is that despite the length of the penetration into the victims’ networks, they appear to have been explicitly for the purpose of releasing the crypto-ransomware and nothing else.

Aside from the initial compromise and reconnaissance, Carvey said there were no other signs of activity from the attackers in the forensic data the SecureWorks team examined.
“We couldn’t see anything that would indicate there was other activity involved,” Carvey said. “But these systems weren’t fully instrumented. We’re doing forensic analysis of images acquired from the systems—we’re not looking at information from fully instrumented systems. We didn’t see any evidence of staging, or use of archiving utilities… there was almost a dearth of artifacts between the different times there was activity going on.
It appears, based on the data that we have available, that this activity was almost purely to do the ransomware.”
It’s possible that this was because the attackers found nothing else within reach to compromise during reconnaissance, in the end deciding to simply cash in quickly on their access to the victims’ networks. Ransomware attacks like Samsam could also be used as a “parting shot” to targets after the theft of corporate data or to cover attackers’ tracks.
Given that the security holes that have made ransomware attacks like Samsam possible are the result of human error and neglect, the solution to the problem may require more than technology—organizational culture likely needs to adapt.
Endpoint security and monitoring software could help detect attacks before they unfold.
Virtualized servers, regular snapshotting, and an effective enterprise data backup plan could make it relatively easy to roll systems back when ransomware attacks happen.

But these things cost money and time, and they require the adoption of a security mindset that is fundamentally different from the culture at the organizations most susceptible to ransomware attacks.

Because of the relatively low comparable cost of paying out ransoms—at least so far—some executives might decide it’s worth the risk to avoid the investment.
Instead, they’ll just continue to make payments to an insurance company to mitigate the financial risk.
That approach, however, fails when ransomware attacks become as public as the recent disruptions at hospitals. High-profile failures undermine confidence in these targeted organizations.

And insurance companies may not be so eager to carry the risk for companies with less-than-best security practices when the cost of ransomware attacks continues to rise.
On top of that, there’s always the possibility that the next crypto-ransomware attack might not actually be a ransomware attack.
In one 2015 case Dell SecureWorks encountered, an attacker apparently used ransomware planted on one part of a victim’s network as a distraction “while they were going after something else,” Carey said. “What they did was they loaded ransomware on one server—just set the file there—and had created scheduled tasks on other domain controllers to point at that file.” The policy tasks to install the ransomware, however, had one error that kept them from running.

The domain name associated with the stolen administrative credentials was misspelled.
“It was a one-letter misspelling of the domain name,” Carey said. “I’m of the opinion, still have the opinion that it was intentional.
I didn’t see any indication of consistent errors—when credentials are stolen and someone logs in to your VPN, they’re the users who don’t make mistakes on the password.

The ransomware was easily detected by antivirus.
So what happened was you get an org and you suspect there’s some activity—they’re following two steps behind you, so what do you do? Create a distraction, so while they are going crazy over this antivirus alert and scouring systems, you’re still on the other side of their domain and you’re exfiltrating data.”
What can be a distraction could also be a weapon. Organizations vulnerable to ransomware attacks could just as easily find themselves in a situation like the victims of the “wiper” malware attacks that hit Sony Motion Pictures, South Korean banks and media companies, and Saudi Aramco.

Today’s targets may find themselves waiting for an electronic ransom note that never appears.

And with Internet of Things devices in the mix, companies might face ransomware attacks that affect not only them, but also their Internet-connected customers.
“It’s important to get the message out there so companies can get better prepared for this type of escalation,” urged Schouwenberg. “Whether they pay up or not, these attacks are costing companies a ton of money in incident response and recovery.

The threat models that companies and security vendors use center around data exfiltration, so they’re not well-prepared to deal with this type of extremely damaging attack.”