Security researchers have long shouted the dangers of pirated software from the mountaintops. Beyond the legal issue, the user has no idea what they are actually downloading. In many cases what they believe is a software package, movie, or TV show is laden with malicious payloads, and some of those payloads are ransomware. This publication has covered how this is a favored distribution technique for many malware families, and how the Pysa ransomware has been distributed via fake software crack sites. Now a research institute in the biotech sector has suffered a Ryuk attack that began with a student downloading pirated software.
In a recent article, Sophos covered an incident handled by its Rapid Response team. The team was called in to neutralize a Ryuk infection at a European biomolecular research institute. The organization has close links with several universities and works with students from those universities through a variety of programs. It is also involved in COVID-19 research, which has proven to pique the interest of ransomware operators, making it a prime target for gangs like the one behind Ryuk.
News of this incident follows closely on the heels of other Ryuk-related news: the gang had changed tactics yet again, this time adding worm-like capabilities to speed up lateral movement across a compromised network. As researchers noted,
“Once a foothold has been established Ryuk operators will attempt to enumerate domain trusts such as local domains, network shares, users, and Active Directory Organization Units. During this stage, the actors attempt to gather information about the organization to determine what resources within the infected domain are of value to perpetrating the rest of the attack. Bloodhound and AdFind have become popular tools used by actors trying to enumerate active directory information within an infected domain.”
Returning to the incident handled by Sophos, the attack resulted in the loss of a week's worth of research data that had not been backed up. Computer and server files had to be rebuilt from the ground up before the remaining data could be restored. Researchers believe the attack could have been avoided by restricting access to the network. The more users who hold privileged access, the more chances attackers have to gain a foothold and cause damage, and sometimes that damage means unrecoverable data and high remediation costs.
While the article does not go into detail on the ransomware's architecture or inner workings, those have been covered in depth by several other security firms. It does go into detail on the actions that led to the door being left open for the Ryuk operators. By analyzing logs and historical data, researchers were able to retrace the attackers' path from initial compromise to the encryption of vital data repositories.
The attackers gained access to the network through the mistakes of a single individual. Commenting on the nature of the human error, and on the organization's failure to adequately protect against it, researchers noted,
“Human error can happen in any organization; the reason the mistake was able to progress to a fully-fledged attack was because the institute didn’t have the protection in place to contain the error. At the heart of this was its approach to letting people outside the organization access the network. Students working with the institute use their personal computers to access the institute’s network. They can connect into the network via remote Citrix sessions without the need for two-factor authentication.”
One of the students wanted a copy of a data visualization tool used by the institute. A single-user license would likely cost hundreds of dollars, and the student, on a typical student budget, decided not to pay for it. Unable to find a free version, the student went looking for a cracked one. A cracked version is typically the legitimate program with its licensing controls removed or bypassed.
What the student downloaded was not a cracked version but a malicious payload, and Windows Defender flagged it when the student attempted to install the package. Undeterred by the warning, the student disabled Windows Defender and installed what they had downloaded.
Instead of the data visualization tool, the student had installed an info-stealer that began logging keystrokes and stealing browser data, cookies, and clipboard contents. This gave the malware everything it needed to harvest the student's login credentials for the institute. Thirteen days after the student downloaded the malicious package, a remote desktop protocol (RDP) connection was registered on the institute's network using the student's credentials.
By default, an RDP session redirects the client's printers to the remote host, which installs a matching printer driver on the host. Researchers discovered that the driver installed during this connection was a Russian-language one. Ten days after the connection was created, Ryuk was launched. Peter Mackenzie, manager of Rapid Response at Sophos, commented on the attack:
“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack. The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access…Incident investigations are crucial because they allow us to see how an attack unfolded and help targets to understand and address security gaps for the future. In this case, the implementation of robust network authentication and access controls, combined with end user education might have prevented this attack from happening. It serves as a powerful reminder of how important it is to get the security basics right.”
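The two clues above, an RDP logon from an account that normally does not connect from outside the institute and a preceding failed attempt, are exactly the kind of signal that retracing the logs surfaced. The following is an added example, not code from Sophos or from the article, showing how an analyst might sweep Windows Security logon events for the pattern: RDP logons (logon type 10) from addresses outside the trusted LAN, from a source the account has never used before, or shortly after failed logons from the same source. The sample events, the trusted network 10.20.0.0/16 and the account names are constructed for illustration.

```python
"""Flag suspicious RDP logons in Windows Security logon events.

Added example; the event records below are a constructed, simplified model of
Windows Security events 4624 (logon success) and 4625 (logon failure). They are
not real logs from the institute described in the article.
"""
from datetime import datetime, timedelta
import ipaddress

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed sample events (assumption: fields extracted from the 4624/4625 XML).
SAMPLE_EVENTS = [
    {"event_id": 4624, "user": "jdoe",      "logon_type": 2,  "src_ip": "10.20.1.15",    "ts": "2020-09-01T09:02:11"},
    {"event_id": 4624, "user": "student01", "logon_type": 10, "src_ip": "10.20.5.40",    "ts": "2020-09-03T14:10:05"},
    {"event_id": 4625, "user": "student01", "logon_type": 10, "src_ip": "198.51.100.23", "ts": "2020-09-16T02:47:01"},
    {"event_id": 4624, "user": "student01", "logon_type": 10, "src_ip": "198.51.100.23", "ts": "2020-09-16T02:47:33"},
    {"event_id": 4624, "user": "svc-backup", "logon_type": 5, "src_ip": "-",             "ts": "2020-09-16T03:00:00"},
]

# Assumed institute LAN; anything outside it is treated as untrusted.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def is_trusted(src_ip, trusted_nets=TRUSTED_NETS):
    """True if src_ip parses as an address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:  # "-" or other placeholder the log uses for local logons
        return False
    return any(addr in net for net in trusted_nets)


def find_suspicious_rdp(events, trusted_nets=TRUSTED_NETS, fail_window=timedelta(minutes=10)):
    """Return findings for successful RDP logons that look out of place.

    Three independent checks, any of which produces a finding:
      - source address outside the trusted networks
      - source address never seen before for that account (baseline is built
        from the successful logons earlier in the same event stream)
      - one or more failed logons for the same account and source within
        fail_window before the success
    """
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    seen_sources = {}  # user -> set of source IPs seen on earlier successful logons
    findings = []
    for e in events:
        if e["event_id"] != LOGON_SUCCESS:
            continue
        user, src = e["user"], e["src_ip"]
        ts = datetime.fromisoformat(e["ts"])
        known = seen_sources.setdefault(user, set())
        if e["logon_type"] == RDP_LOGON_TYPE:
            reasons = []
            if not is_trusted(src, trusted_nets):
                reasons.append("rdp_from_untrusted_network")
            if known and src not in known:
                reasons.append("rdp_from_new_source")
            failures = [
                f for f in events
                if f["event_id"] == LOGON_FAILURE and f["user"] == user and f["src_ip"] == src
                and timedelta(0) <= ts - datetime.fromisoformat(f["ts"]) <= fail_window
            ]
            if failures:
                reasons.append(f"preceded_by_{len(failures)}_failed_logons")
            if reasons:
                findings.append({"ts": e["ts"], "user": user, "src_ip": src, "reasons": reasons})
        known.add(src)  # update the baseline after checking, so the first logon sets it
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["src_ip"], ", ".join(f["reasons"]))
```

On the constructed sample, the student's first RDP logon from the LAN sets the baseline and raises nothing; the later logon from 198.51.100.23 trips all three checks. In a real environment the baseline should come from weeks of history rather than the batch being scanned, and the trusted networks should include whatever the Citrix or VPN gateway hands out, otherwise every external collaborator will be flagged.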
Not just Ryuk
In 2019, researchers discovered that the STOP ransomware strain was being spread via cracked software packages, adware bundles, and websites with a shady reputation. More often than not the ransomware came bundled with a variety of other malware, including various trojans. While the ransomware itself is not noteworthy, as it operates much as expected, STOP has proved difficult to counter because of the number of versions in the wild: 159 were known in 2019.
In the last quarter of 2020, Exorcist 2.0 was found being spread in a similar way to the two examples above. Users searching for specific cracked software packages were redirected to malicious websites through PopCash malvertising. The sites advertised supposed cracked versions of software, including Windows 10. If the user downloaded and attempted to install the package, they got no Windows 10; instead they found their data being encrypted.
This was followed by a ransom note being dropped with instructions on how to recover the data. Ransom demands during this campaign started at 250 USD and ran as high as 10,000 USD for certain victims.
The incident involving the student and the research institute clearly highlights the dangers organizations currently face. Sophos recommends the following to prevent and mitigate ransomware attacks:
- Enable multi-factor authentication (MFA), where possible, for anyone required to access internal networks, including external collaborators and partners,
- Have a strong password policy in place for everyone required to access internal networks,
- Decommission and/or upgrade any unsupported operating systems and applications,
- Review and install security software on all computers,
- Regularly review and install the latest software patches on all computers – and check they have been installed correctly,
- Review the use of proxy servers and regularly check security policies to prevent access to malicious websites and/or the downloading of malicious files by anyone on the network,
- Lock down remote desktop (RDP) access with static Local Area Network (LAN) rules, via group policy or access control lists,
- Implement segregation for any network access, including for LANs (or consider using virtual LANs) and where necessary use hardware/software/access control lists,
- Continuously review domain accounts and computers, removing any that are unused or not needed,
- Review firewall configurations and only allowlist traffic intended for known destinations,
- Limit the sharing of admin accounts between different users, as this encourages credential sharing that can introduce many other security vulnerabilities.