NZ Incident Response Bulletin December – 2020

Our Views:

This month’s theme is “Ransomware and Data Leak Sites”.

In the course of our day-to-day work as Cyber Incident Responders we have noticed a concerning rise in ransomware attacks which now extend to the threat of leaking stolen data. Our observations are backed by similar warnings from organisations such as the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Cybersecurity and Infrastructure Security Agency (CISA), all of which have recently issued general ransomware advisories. Not only is the increase in attacks concerning, but the nature of ransomware attacks has also evolved, making them a significant threat to all organisations in New Zealand.

Ransomware typically encrypts data on devices, rendering it inaccessible. A ransom is generally demanded in cryptocurrency in exchange for a decryption key. It is currently one of the most profitable forms of malware for cybercriminals because it reliably disrupts operations and causes reputational harm. Ransomware is not only costly to mitigate, but the impact of this kind of attack has now stretched beyond financial and reputational damage to include threats to life: a German hospital recorded the first reported death attributed directly to a ransomware attack in September this year.

Research indicates that any business that stores electronic information is a target, and the size and sensitivity of that data are largely irrelevant. You do not have to be storing national security secrets or traditional Personally Identifiable Information (PII) to be targeted and attacked.

Ransomware Innovations and Data Leak Sites

The potential damage ransomware can inflict has recently increased. Cybercriminals are now tailoring attacks to ensure they are more successful and profitable than ever by using techniques that incentivise victims to pay.

One worrying trend is the combining of encryption with the exfiltration of confidential data. In these instances, the ransomware gang compromises the network and steals data before encrypting the systems and leaving a ransom note. The cybercriminals then threaten to release the information publicly if the ransom is not paid, providing a sample to prove they have the data. This means that even if an organisation has reliable backups and can restore without a decryption key, it is still under pressure to pay the ransom or else sensitive data may be released online.

Many ransomware gangs have created dedicated websites called “data leak sites” where they publish the data stolen from organisations who do not pay the ransom. While not all gangs work this way, Maze, Ako, Avaddon, CLOP, DarkSide, DoppelPaymer, Mespinoza, Nefilim, NetWalker, RagnarLocker, REvil and Sekhmet are all known to operate data leak sites and publish confidential data to these portals. Coveware reports that up to 50% of the ransomware incidents it investigated recently involved the theft of data before encryption occurred, and that this percentage is rising.

To date, when a ransom is paid to decrypt locked data, the decryption key has typically been provided. This is because ransomware gangs operate as businesses that rely on reputation. Unfortunately, when it comes to double extortion schemes where data is stolen prior to encryption, more incidents are being reported where the cybercriminals do not keep their promises. Instead of deleting the stolen data once the ransom is paid, some groups are asking for second payments weeks later using data that the victim thought had been deleted after the first ransom payment. Sensitive data has also been published on data leak sites even after a ransom was paid, and falsified evidence of deletion has been sent to victims when the data was not deleted.

“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end. Once a victim receives a decryption key it cannot be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future” – Coveware

In light of this research, we recommend caution when considering such demands: payment buys no verifiable guarantee that the stolen copy is gone. Instead, focus on identifying and notifying any impacted parties in order to mitigate potential harm. Under the Privacy Act 2020, which came into force on 1 December 2020, notifying the Privacy Commissioner and affected individuals of a privacy breach that has caused, or is likely to cause, serious harm is mandatory in New Zealand.

Other tactics cybercriminals use to increase the success of ransomware attacks are to:

  • Publicly advertise that an organisation has been compromised (to the attention of their customers and partners) to put additional pressure on the organisation to resolve the problem and pay the ransom.
  • Perform significant reconnaissance on a target to understand their vulnerabilities and potential to pay a ransom including investigating a business’s net income to establish ransom amounts.
  • Increase the ransom demand amount after a specific time period placing pressure on the victim to pay quickly and before receiving expert advice.
  • Offer to partially decrypt some of the victim’s network for a reduced percentage of the ransom. While this offer is sometimes posed under the guise of compassion, it actually benefits the cybercriminal by revealing which parts of the business network are most valuable to the victim, information they may then on-sell.
  • Target critical service sectors such as hospitals, which cannot afford any loss of system operations.

Mitigation and Incident Response

Like other malware, ransomware can infect a device in a variety of ways including via:

  • Opening emails or files from unknown or unsafe sources.
  • Clicking on malicious email links.
  • Remote Desktop Protocol (RDP) services exposed to the internet or protected only by weak or reused credentials.
  • Clicking on malicious links in social media and peer to peer networks.
  • Visiting compromised or unsafe websites.

Mitigation strategies involve various steps to ensure your business can prevent malware delivery, recover data and systems, and contain any damage. Before an attack happens, steps such as user education, application allow-listing, enforcing the principle of least privilege, maintaining adequate offline backups (kept disconnected so that an intruder with network access cannot encrypt or delete them), regularly patching systems, disabling Office macros and deploying endpoint detection and response are essential.

If an attack has occurred, however, it is vital to understand approaches for uncovering, mitigating and remediating malicious activity. CISA recently published Alert AA20-245A, “Technical Approaches to Uncovering and Remediating Malicious Activity”, which we consider to be critical advice for addressing potential incidents. This advisory was produced jointly by the cyber security authorities of five nations, including New Zealand, and can serve as a playbook for incident investigation. General mitigations are also included in this advisory, such as:

  • Restricting use of FTP and Telnet services
  • Restricting use of non-approved VPN services
  • Shutting down unused services and systems
  • Quarantining and reimaging compromised hosts
  • Disabling unnecessary ports, protocols, and services
  • Restricting interactive logins for service accounts
  • Disabling unnecessary remote network administration tools
  • Managing insecure remote desktop services
  • Resetting credentials and reviewing access control
  • Patching vulnerabilities
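Several of the preventive measures above and of the AA20-245A mitigations just listed can be checked on a Windows host before an incident. The following PowerShell script is an added, read-only audit written for this bulletin; it is not code from the advisory or from Incident Response Solutions. It checks whether Remote Desktop is enabled without Network Level Authentication or reachable from any address, whether Telnet, FTP or SMBv1 are installed, whether the Office macro policy is set, whether a domain or local account running a service has been denied interactive logon, and how old the newest installed update is. The Office policy key assumed here is the 16.0 branch used by Office 2016, 2019 and Microsoft 365, and the 30-day patch threshold is an assumed value; adjust both to your environment. Run it in an elevated session.

```powershell
# Added example: read-only audit of one Windows host against the ransomware
# mitigations listed in this bulletin. Findings are collected, not fixed.
$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Control, [string]$Detail) { $script:findings.Add("[$Control] $Detail") }

# 1. Remote Desktop: enabled? NLA required? Inbound rule open to any address?
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($ts.fDenyTSConnections -eq 0) {
    if ($rdp.UserAuthentication -ne 1) {
        Add-Finding 'RDP' 'Remote Desktop is enabled without Network Level Authentication'
    }
    $openRdp = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -contains 'Any' }
    if ($openRdp) { Add-Finding 'RDP' 'Inbound RDP firewall rule allows any remote address; restrict to a VPN or jump-host range' }
}

# 2. Clear-text legacy services and SMBv1 (optional features and their services)
foreach ($feature in 'TelnetClient', 'IIS-FTPServer', 'SMB1Protocol') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
    if ($f -and $f.State -eq 'Enabled') { Add-Finding 'Services' "Windows feature $feature is enabled" }
}
foreach ($svc in 'ftpsvc', 'TlntSvr', 'RemoteRegistry') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -ne 'Disabled') { Add-Finding 'Services' "Service $svc is present and not disabled (StartType $($s.StartType))" }
}

# 3. Office macro policy for the current user (assumed 16.0 key).
#    VBAWarnings 4 = disable all macros without notification;
#    blockcontentexecutionfrominternet 1 = block macros in files from the internet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $p = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
    if (-not $p) { Add-Finding 'Macros' "No macro policy is applied for $app"; continue }
    if ($p.VBAWarnings -ne 4) { Add-Finding 'Macros' "$app macros are not disabled by policy (VBAWarnings=$($p.VBAWarnings))" }
    if ($p.blockcontentexecutionfrominternet -ne 1) { Add-Finding 'Macros' "$app does not block macros in files downloaded from the internet" }
}

# 4. Service accounts: every non-built-in account that runs a service should
#    appear in the "Deny log on locally" user right. secedit exports that
#    right as SIDs, so each account name is translated to its SID first.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$denyLine = (Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }) -join ''
$svcAccounts = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    Select-Object -ExpandProperty StartName -Unique
foreach ($acct in $svcAccounts) {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($acct)).Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($denyLine -notmatch [regex]::Escape($sid)) {
            Add-Finding 'ServiceAccounts' "$acct runs a service but is not denied interactive logon"
        }
    } catch { Add-Finding 'ServiceAccounts' "$acct runs a service but could not be resolved to a SID; review manually" }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 5. Patch currency: newest installed update older than the assumed 30-day threshold
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    Add-Finding 'Patching' 'No installed updates with an install date were found'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    Add-Finding 'Patching' "Newest installed update is $($latest.HotFixID) from $($latest.InstalledOn.ToShortDateString())"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

The script deliberately changes nothing: each finding maps to one bullet above (RDP hardening, legacy services, macro policy, service-account logon rights, patching) so the output can be handed to whoever owns the change. Group Policy can also place the macro settings under HKLM or a different Office version key, so treat a “no macro policy” finding as a prompt to check the applied GPOs rather than as proof that macros are allowed.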

The threat of extortion via elaborate ransomware and data exfiltration schemes is growing. If sensitive data is released publicly it can have devastating effects on organisations and individuals. Should you fall victim to a ransomware attack, assume that your data may already have been stolen, preserve evidence rather than wiping affected systems, and immediately seek help from a cyber security and incident response service.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.