Ransomware Gangs Say This Makes You a Target
The FBI and ransomware gangs agree on this one point: If you don’t want to be the next Colonial Pipeline or JBS, use strong passwords.
“The password issue is such a big problem,” said FBI agent Doug Domin, who supervises the Boston division’s criminal computer intrusion squad.
Domin, who participated in Cato Networks’ ransomware discussion this week, said overly simple passwords remain “the No. 1 vector for what we see as the initial attack vector” for ransomware. “And that’s a very simple and easy fix.”
However, it’s not a one-and-done fix. Security hygiene measures such as changing passwords, patching software, and training employees need to be part of an organization’s routine security processes, or else the organization risks being hit repeatedly by ransomware attacks.
“I hate to use the word ‘frequent fliers,’ but there are cases, instances of the victim contacting us several times for new infections that they’ve identified,” Domin said. After an attack, “there’s got to be some discussion, and then debrief, and there’s really got to be a security program that’s cyclical, that is looking at these things over and over again,” he added.
Also as part of the discussion, Etay Maor, senior director of security strategy at Cato Networks, shared some helpful “tips” that actual ransomware operators shared with their victims after they paid millions of dollars to decrypt their files.
Maor displayed screenshots that a ransomware victim had shared on Twitter. They show the negotiations via chat windows between the victim and “support,” aka the ransomware criminal, who had locked 30,000 devices in different countries and demanded $10 million for two “services”: decrypting software and deleting the private data from the ransomware operator’s servers.
The attacker did, however, commend the victim’s “business spirit,” and offered a discount, albeit one that was still an “adequate price” for the ransomware “market.” The ransomware operator added: “As a bonus, we will provide you with the details about how we breach your security perimeter and give you recommendations about improving security measures to help you avoid such issues in the future!”
“What’s really interesting is once the victims paid, look what the attackers sent to the victim,” Maor said, reading a message that begins: “Here are the list of recommendations to avoid such things in the future.”
The top item on the list says to turn off local passwords. The attackers also tell the victim to update passwords every month. “So passwords, passwords, passwords,” Maor said.
Some of the other recommendations include:
And finally, the ransomware attackers suggest that “huge companies” hire at least three systems administrators who work 24 hours. Four administrators working three 8-hour shifts per day “would be enough.”
Hiring advice aside, the how-not-to-get-hacked list largely boils down to zero-trust security practices and supporting technologies.
Maor also pointed to an RSA Conference session titled “Two Weeks With a Russian Ransomware Cell” by SonicWall Senior Product Strategist Brook Chemlo, in which Russian attackers gave Chemlo tips on how to avoid being attacked. They suggested securing vulnerable ports, using proper passwords (at least eight characters, including special characters, and no personal information like your pet’s name), requiring multi-factor authentication, writing in a “real” programming language, employing the right people, and watching for misconfigured firewalls.
“So all kinds of basic stuff around security management and network issues,” Maor said.
This advice also echoes a new Cisco Talos report from a series of interviews that the security research team conducted with a self-described LockBit operator over several weeks in 2020. Talos says the hacker is a male who lives in Siberia and isn’t affiliated with any Russian state-sponsored group or a large ransomware gang.
The Talos team gleaned several key takeaways in their talks with “Aleks,” as they refer to him throughout the report. One of the big ones is that attackers continue to go after the low-hanging fruit, which means easy targets and easy entry points. They see unpatched systems as an easy intrusion method. “Routine patching can be difficult, especially for large organizations, and the bad guys know this, too,” the report says. “The most commonly exploited vulnerabilities are those that are well-understood with publicly available exploit code.”
And they prioritize easy targets like schools and health care providers, which generally have minimal, under-funded security teams but can’t afford downtime.
Similarly, many cybercriminals use readily-available open source tools. Reusing already-established tools is easier and more efficient than building something new and more sophisticated — especially for financially motivated criminals. “Companies should be most concerned about the tools and tactics that are also likely used by their own red teams,” according to Talos.
Additionally, cybercriminals are “avid consumers” of security news and vulnerability research, which they can use in future attacks. Talos says that organizations should encourage their own security teams to continue learning as well and stay up to date with the latest open source information and trends in the threat landscape.