Three months after WannaCry, an NHS hospital group was once again forced to cancel patient appointments due to ransomware. Find out more about the Bit Paymer variant and watch Barkly block it.
On Friday, August 25, several hospitals that are part of the NHS Lanarkshire board — responsible for providing healthcare services to more than 654,000 Scottish residents — were infected with a new strain of ransomware.
For NHS Lanarkshire officials, the attack likely triggered a sickening feeling of déjà vu. The group had also been among the UK hospitals infected during the WannaCry outbreak in May. But the prior experience may have also helped prepare the group for a quicker response this time around. Just one day after the initial infection, NHS Lanarkshire officials issued a statement announcing staff had worked overnight to secure and reinstate IT systems with minimized disruption to patients.
Even with the around-the-clock recovery work, CEO Calum Campbell acknowledged a number of procedures and appointments had to be rescheduled, and it could be some time before services were back up and running as normal.
Considering the amount of damage and disruption ransomware can cause in a hospital environment — one attack in April 2017 cost a Buffalo, NY hospital $10 million — NHS Lanarkshire appears lucky to be coming out of this incident in comparatively good shape. Especially considering the type of ransomware the hospitals were infected with.
Bit Paymer is the latest ransomware variant being used to specifically to attack large businesses. The obvious thinking behind this approach is that these targets can (theoretically) afford to shell out large ransom payments. But Bit Paymer significantly ups the ante. The attack on NHS Lanarkshire demanded a jaw-dropping 50 Bitcoin (roughly $230,000).
If that wasn't bad enough, the attackers behind Bit Paymer also threaten to dox sensitive victim data they've collected by sharing it with the media unless payment is made. There have been no confirmed indications that this threat is valid, but if it is that fundamentally changes the risk involved with ransomware infections.
Doxing can be especially damaging for companies in tightly regulated industries. Healthcare organizations, for example, are required to report any breach of electronic patient information, and may suffer law suits as well as stiff penalties and fines as a result.
Simply recovering encrypted data from backup does't put an end to the threat if an attacker can release private information they collect publicly. That raises the priority of blocking attacks at the very outset, before they have a chance to establish a foothold.
See what a Bit Paymer infection looks like, then watch Barkly block an attempted attack in progress in the video below:
Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?
Any other details or context?
According to several researchers, Bit Paymer is initially gaining access to networks via computers with Remote Desktop Protocol (RDP) exposed to the Internet. By brute-forcing their way past weak or default passwords protecting these systems, the attackers can gain access, launch Bit Paymer, and see how many additional systems on the network they can compromise.
Once executed, Bit Paymer uses a combination of RC4 and RSA-1024 encryption algorithms to encrypt victim files. Unfortunately, no flaw has been found in the encryption process, making recovery without the decryption key impossible.
Files encrypted by Bit Paymer are renamed with ".locked" appended to the file extension. The ransomware also replaces the victim's desktop with a black screen and creates ransom note text files with the extension ".readme_txt".
Full ransom note text:
YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED! All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply. Do not try to do it with 3rd-parties programs, files might be damaged then. Decrypting of your files is only possible with the special decryption software. To receive your private key and the decryption software please follow the link (using tor2web service): [REDACTED URL] If this address is not available, follow these steps: 1. Download and install Tor Browser: hxxps://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: [REDACTED URL] 4. Follow the instructions on the site 5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely. 6. Any questions: [REDACTED EMAIL]
Infecting victims via unsecured RDP isn't a new tactic, but it's one that has absolutely exploded in 2017. The groups behind SamSam, CrySiS, Shade, Apocalypse, BTCWare, and other ransomware variants all activly use RDP as their attack vector of choice. And they're unfortunately not lacking for potential victims. According to a recent scan conducted by researchers at Rapid7, more than 4 million endpoints currently have port 3389 open with RDP exposed.
To put that in perspective, that's 10x the computers that were infected by WannaCry, the largest ransomware outbreak to date.
What makes this trend additionally troubling is that many companies are focusing almost solely on email as the primary infection vector for ransomware. Investing in email filtering and training users how to recognize and avoid malicious emails is certainly a good thing, but it won't prevent these types of attacks.
Another aspect of these attacks that's not unique to Bit Paymer is the clear preference for infecting corporate targets with deep pockets.
While some of the bigger-name ransomware variants like Locky are still finding success over large-scale, indiscriminate spam email campaigns, we've seen more and more attack groups choosing to dial back the volume and zero in on specific businesses and industries. After all, why go to the trouble of launching wave after wave of campaigns designed to infect consumers at $500 a pop, when one attack against the right business can land you $1,000,000?
According to Symantec, corporations account for 42% of ransomware infections this year, up from 30% of all ransomware infections in 2016.
The tactic of threatening to publicly release private data gathered during ransomware attacks (doxing) is something we've been tracking for quite some time (we even referenced it as a trend we expected to see more of in 2017). We've yet to see attackers follow through on the threat in the context of a ransomware attack, though we've certainly seen several high-profile data leaks as a result of hacking extortion attempts this year (see Netflix and HBO).
As we've written before, for victims that manage sensitive private customer data — healthcare providers, law firms, financial services, etc. — the added threat of that data getting posted online for the world to see (and for other criminals to abuse) is something they have to take very seriously.
It makes it impossible to sweep ransomware infections under the rug by wiping infected systems and recovering from backup. Instead, it transforms them into potentially very damaging public data breach events.
In addition, we're also seeing more ransomware variants incorporating credential theft into their infection processes, either for the purposes of selling the stolen information or using it to gain deeper access into the infected network. New updated Cerber and Spora variants are just two recent examples.
With more ransomware attacks skirting traditional infection vectors like email and compromised websites, companies need to focus their protection on their endpoints. Attacks that brute-force RDP or that leverage SMB exploits like WannaCry did also don't require any user interaction to launch, which means training (or blaming) end users isn't going to prevent these infections from happening.
Endpoints need to be protected with strong security designed to block malicious system behaviors in addition to malicious executables.
Today's attacks are designed to spread rapidly and cause as much damage and disruption as quickly as possible. Waiting to react to ransomware infections until after data has been encrypted can result in extremely disruptive chain reactions and restoration efforts that drag out for weeks, months, or even longer.
Dealing with data encryption can be disruptive enough, but the additional threat of data exfiltration also means any reaction to successful infections comes after irreversible damage is already done.
Instead, companies need to focus on prevention and blocking attacks earlier in the infection chain.
Get the latest security news, tips, and trends straight to your inbox.
Get the latest security news, tips, and trends straight to your inbox.