- Type of attack: Ransomware (Samas / SamSam)
- Attack vector: Brute force login via an open port on a server
- Damage/costs: $3,500 paid ransom, nearly $100,000 in recovery costs
On February 15, employees for Bingham County, Idaho, discovered they were locked out of crucial systems involved in dispatching emergency responders.
IT staff were woken up at 4am and called in to assess the situation. They quickly learned ransomware had encrypted the county servers, making computer systems inaccessible. A link was left behind in every folder that directed them to a ransom note that announced all files had been encrypted with RSA-2048 encryption. The only way to recover the files was with a private decryption key. And the only way to get that was to pay the criminals 28 Bitcoins, roughly $28,000.
Print-out of ransom screen from Bingham County attack. Source: East Idaho News
How attackers got in
According to an IT contractor who was called in to address the incident, the criminals were able to find an open port on the county’s servers that was exposed to the internet. From there, it was simply a matter of using a brute force attack to crack the password and gain access, something that automated tools can allow hackers to do in a matter of hours, minutes, or — in the case of default or extremely simple passwords — seconds.
“They kept doing that until they were able to get administrative rights,” the contractor said. “When they got those rights, they dumped their program on us and encrypted everything.”
Based on the ransom note left behind, the ransomware appears to be Samsam, a strain that gained prominence in 2016 for targeting hospitals via unpatched server vulnerabilities.
Recovery attempt fell short — not all servers were backed up
County officials initially sought to avoid paying the ransom, believing they would be able to recover all the encrypted data thanks to having multiple backup systems in place. Unfortunately, three servers could not be restored from backup.
Note: They’re not alone. In a survey Barkly conducted with companies that had experienced ransomware attacks, less than half were able to fully recover all their data from backup. Find out why.
In order to recover the information on those three servers, the county paid three Bitcoin, at that time roughly $3,500, and were provided the decryption key. Fortunately, the county carried cyber insurance through the Idaho Counties Risk Management Program (ICRMP), which reportedly mitigated most of the cost of the ransom.
$100,000 in recovery costs — the damage is still adding up
Despite being able to recover the encrypted information by paying the ransom, however, restoring the servers from backup and getting everything back to normal is an ongoing task consuming considerable time and resources.
“We basically had to completely rebuild our servers,” another IT contractor explained. “The removing of the encryption will take days to complete due to the massive amount of information affected.”
The IT team calculated the cost of repairing the servers nearing the $100,000 mark, and estimated it could take until 2018 to be 100 percent back to normal.
Lessons learned — how to protect your organization from a similar brute-force ransomware attack
This incident appears to be the latest in a growing number of attacks where criminals capitalize on open ports and weak credentials to deliver ransomware. A spike in similar brute-force attacks was spotted by researchers at Trend Micro in January, this time exploiting open Remote Desktop Protocol (RDP) ports and spreading Crysis ransomware.
It marks a slight shift in strategy from the 2016 Samsam attacks that exploited unpatched JBoss vulnerabilities to gain access to hospital servers and networks, but the general concept is the same — rather than trying to sneak past heavily guarded gateways, attackers are simply walking through doors that are already partially open.
Step 1: Hold the door
The obvious first step to defending against this kind of attack is to find your open doors and close them (if possible).
Identify all the open ports and services on your network
Port scanning tools like Nmap can help you find open ports on your network, and it’s good to keep in mind criminals have access to these tools, as well. One particular port scanning tool, masscan, boasts that it can scan the entire Internet in under 6 minutes. It’s easy to see how hackers can quickly amass a large target list of potential victims.
Here’s a tutorial from DigitalOcean that walks you through how to test your firewall configuration and see what your network looks like to an attacker.
Make brute-force login attempts more difficult
At a bare minimum, you should be enforcing strong password policies (though that’s easier said than done). In addition, you can consider implementing an account lockout policy, where, after a certain number of failed login attempts, accounts get locked down.
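Lockout policies stop the guessing; detection tells you it happened. The following is an added example (not from the original post or from Barkly) that scans constructed sshd-style log lines for a burst of failed logins from one source and flags the case that played out here, a successful login right after the burst. The log lines, host name, threshold and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log lines (sshd syntax); not from the incident.
SAMPLE_LOG = """\
Feb 15 03:41:02 srv1 sshd[911]: Failed password for admin from 203.0.113.7 port 50112 ssh2
Feb 15 03:41:03 srv1 sshd[912]: Failed password for admin from 203.0.113.7 port 50113 ssh2
Feb 15 03:41:03 srv1 sshd[913]: Failed password for admin from 203.0.113.7 port 50114 ssh2
Feb 15 03:41:04 srv1 sshd[914]: Failed password for admin from 203.0.113.7 port 50115 ssh2
Feb 15 03:41:05 srv1 sshd[915]: Failed password for admin from 203.0.113.7 port 50116 ssh2
Feb 15 03:41:06 srv1 sshd[916]: Accepted password for admin from 203.0.113.7 port 50117 ssh2
Feb 15 03:55:40 srv1 sshd[950]: Failed password for jsmith from 198.51.100.9 port 40211 ssh2
Feb 15 03:56:10 srv1 sshd[951]: Accepted password for jsmith from 198.51.100.9 port 40212 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse(log_text, year=2017):
    """Turn log lines into (timestamp, ip, user, failed) tuples; skip non-auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Failed"))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag IPs with >= threshold failures inside any window_s-second window,
    and note whether a successful login followed the burst (the worst case)."""
    by_ip = defaultdict(list)
    for ts, ip, _user, failed in sorted(events):
        by_ip[ip].append((ts, failed))
    alerts = {}
    for ip, evs in by_ip.items():
        recent, failures, burst, success_after = [], 0, False, False
        for ts, failed in evs:
            if failed:
                failures += 1
                recent = [t for t in recent if (ts - t).total_seconds() <= window_s] + [ts]
                burst = burst or len(recent) >= threshold
            elif burst:           # an accepted login after the burst: guessing worked
                success_after = True
        if burst:
            alerts[ip] = {"failures": failures, "success_after_burst": success_after}
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(parse(SAMPLE_LOG)))
```

The benign user who mistyped once is not reported; the single source that hammered the admin account and then got in is.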
Step 2: Add the capability of stopping attacks during runtime
Once malware is deployed, there’s still time to prevent the attack from doing any damage.
Employ runtime malware defense
Runtime Malware Defense (RMD) is a new type of endpoint protection that serves as a last line of defense against malware in the process of executing. By monitoring activity across multiple layers of the system in real-time, and looking for the common behaviors used by malware to gain access and infect the system, RMD is able to block attacks that have slipped past other defenses, before they do any harm.
See Barkly's runtime malware defense in action against Cerber ransomware.
Step 3: Be ready, should any of your systems and accounts get turned against you
There are several things you can do in advance to increase your odds of being able to isolate, contain, and limit the damage of an infection.
Don’t give users admin accounts
It’s good general security advice to practice the principle of least privilege whenever possible by limiting access and authorization to the bare minimum. That way, when a user gets compromised, attackers won’t automatically find themselves with keys to your entire kingdom.
Use File Server Resource Manager to prevent infections from spreading
It won’t prevent an infection from happening, but you can utilize File Server Resource Manager (FSRM) to monitor for signs of ransomware activity and automatically cut off an infected user’s access to the server.
Step 4: Make sure you’re truly capable of restoring lost data
Unless you've actively tested recovering your systems from backup, you can't assume that's an option. Even then, it's a last resort you don't want to be forced to rely on. That said, setting up backup properly is obviously a must.
Embrace a 3-2-1 backup strategy
That means having three copies of your data stored on two different types of media, one of which is offsite. As the attack against Bingham County illustrated, it’s also important to confirm your backup strategy accounts for all of your servers and devices.
Finally, don’t forget the principle of Schrödinger’s backup — the condition of any backup is unknown until a restore is attempted. Make sure you test it before you need it.
Bottom line: Ransomware attackers will take advantage of any opening they can find, and often it's simple things that go overlooked that provide them with their way in. Following the steps above can help us ensure we're not doing them any favors and that we're better prepared to address attacks that do get through.
Feature Photo by Erkan Utu