How can we help?
As geopolitical events unfold between Russia and the Ukraine, organisations around the world watch and wait to see if they too will become a target or collateral damage from the fifth domain (Cyber/Information) of the war.
It is right to be concerned. Indeed, an attack in 2017 by Russia – primarily against the Ukraine – caused over a billion pounds in collateral damage to companies all around the globe as the NotPetya cryptolocker malware wormed itself through organisations irreversibly encrypting systems and destroying data.
In that attack, a group associated as being Russian State actors compromised the infrastructure of a Ukrainian software company (MEDoc) and inserted their malicious code into their product’s update. Once released, the malware spread by scanning networks and using a known exploit for a known, and patchable, vulnerability to move between devices. Where that vulnerability did not exist, or the exploit was unsuccessful, it automatically utilised credentials that it harvested in conjunction with common systems administration tools as a fallback method for moving from device to device.
The tactics and techniques for this attack highlight the importance of:
- Applying patches in a routine and timely manner
- Avoiding credential reuse, including on local devices
- Segregating networks and applying access controls
- Implementing User and Administrative account separation
- Active monitoring and alerting across environments
- Having effective Incident Response Plans and Playbooks in place, available, and practiced
- Having offline copies of backups.
Entities within the Ukraine are already being targeted by cyber-attacks in the form of cryptolocker and DDoS attacks, and attacks are already expanding out to target counties which have imposed sanctions against the Russian state, entities, and individuals.
As attacks and malware are analysed, indicators from these attacks can be used to detect compromise and vulnerabilities. For Quorum Cyber customers, threat hunts for such indicators and vulnerabilities will be carried out across the visible environment.
While improving your cyber security posture in order to avoid becoming an easy target – and to mitigate any impacts should your organisation become compromised – is always advised, the remainder of this article is given over to providing high level advice on how to handle a cryptolocker or a DDoS attack from a tactical and operational level.
Dealing with Cryptolockers (Vs Ransomware)
Don’t get ransomware and cryptolockers confused. While a cryptolocker may present a ransom note there is no decryption key. This means that even if you did pay (which Quorum Cyber would not recommend) you still would not be able to get your data back.
If we take NotPetya, discussed above, as an example: once infected, the device waited between 10 mins and 60 mins, during which time it wormed its own way between devices before automatically rebooting the device and pretending to perform a disk integrity check. Instead, what it was actually doing was encrypting the data before presenting the ransom note. Post incident analysis identified that it was possible to perform partial data recovery on devices which were shut down during this process or devices which had not, by that point, rebooted.
Conversely ransomware is often very quick at encrypting and is largely human operated in so much as someone has to have triggered it either directly on a device or by a script on a device which can access and execute commands on other network connected devices. In these instances, it is advised to disconnect the network cable but leave the device powered on. This removes remote access to the devices but leaves the memory of the device intact thereby allowing the possibly to use memory forensics in order to establish the connections the device had, and commands and actions performed by the attacker. Indicators from these types of attack are typically file name changes, and repeated flashing of a device’s screen as the winlogon process struggles to operate correctly.
There are currently 2 known cryptolockers that are being used in attacks on the Ukraine, though there’s evidence of the first being used in attacks impacting organisations in Latvia and Lithuania.
1: Compiled on 28/12/2021, the wiper/cryptolocker contains 4 drivers DRV_X64, DRV_X86, DRV_XP_X64, and DRV_XP_X86 which are signed by CHENGDU YIWO Tech Development Co., Ltd. When executed, the malware installs one of these drivers (the one relevant to the architecture of the system impacted) as a Windows service. In this instance the cryptolocker corrupts the device’s files, including the Master Boot Record (MBR), before rebooting the device. In at least one attack the malware was deployed using Active Directory Group Policy. This is indicative of prior, wider network compromise.
2. First seen in January and dubbed “WhisperGate”, it poses as being ransomware by overwriting the MBR with the ransom note. This wiper/cryptolocker executes in 3 stages. The first, named stage1.exe launches from C:\PerfLogs, C:\ProgramData, C:\, or C:\temp and overwrites the device’s MBR. The second stage, named stage2.exe, is executed simultaneously and downloads the third stage (named Tbopbh.jpg) which is downloaded from a discord server. This payload looks for a list of different file extensions and overwrites them with a fixed number of 0xCC bytes (totalling 1MB in size).
Tbopbh.jpg (third stage):
What made NotPetya so destructive was its worming capabilities. What we’re seeing, so far, are cryptolockers (or wipers) being manually operated in a way more akin to ransomware.
While this advice may change, as details about these new attack variants emerge, a rule of thumb would be:
|Attack Type||Actor||Visual difference detection||Action to be taken|
|Ransomware||Cybercriminal||Login screen repeatedly flashes / file names have been changed||Disable network connections (both cable and Wifi)|
|Cryptolocker||Nation State||Devices start to reboot perform “checks”||Disconnect the power|
This, coupled with verified offline backups, give your CSIRT teams the best chance to recover your organisation.
(Distributed) Denial of Service
Russia has been targeting government/public sector, critical national infrastructure, and banking institutions with DDoS attacks. The impact of this has been to knock out financial transactions including some from ATMs across the country as well as public services.
A Denial-of-Service (DoS) and a Distributed Denial-of-Service (DDoS) attack is the intentional consumption of computer related resources to inhibit its ability to operate correctly. They are very difficult to defend against though there are services which can be placed in front of key systems to mitigate the impacts. In November 2021, Microsoft mitigated a DDoS attack with a throughput of 3.47Tbps, equivalent to 340,000,000 packets per second (pps). Few organisations and mitigation services would be able to withstand an attack of that magnitude. However, when trying to mitigate (D)Dos attacks it is important to first understand what “normal” and “essential” network traffic and processes look like.
If you find yourself the target of such an attack:
- Check routing and access controls
- Identify the systems being targeted
- Identify systems being impacted
- Identify Attack patterns
- Identify source(s)
- User agents
- Packet flags
- Identify any attack patterns:
- Changes in severity
- Type or nature of target
- Identify source(s)
- Review network or system design/structure
- Fail over or move systems/services
- Apply filtering and containment
- Allow only essential access
- Contact you upstream provider for support.
One important point to note is that (D)DoS attacks have been used as a diversionary tactic to carry out other types of attack, such as unauthorised data access and exfiltration.