A TRUE STORY OF UNDETECTED INITIAL INFECTION BY UNKNOWN THREAT VARIANTS – AND HOW IT HELD A MAJOR U.K. ENTERPRISE TO RANSOM
He didn’t spot the threat and neither did the software.
“Funny, I don’t recognise that invoice. Still, I’d better get it out of the way – I’ve got loads to get through today.”
This was manager Chris’s reaction to a strange invoice email on a frenetic weekday morning in a major UK logistics enterprise, when his mind was firmly on other priorities.
Hastily, he double-clicked the Word attachment, keen to get the admin task off his plate and get on with his day. The invoice made no sense – it wasn’t from any of his suppliers.
Bin it and say nothing. Move on. Work to do…
Unknowingly, Chris had triggered the initial infection of an extensive data compromise and encryption attack that evaded all the security software this large organisation had deployed across its networks.
That afternoon, Chris could no longer access any of the data he needed to do his job. And neither could a growing number of his colleagues.
The critical data of an entire, multi-billion-pound enterprise was being held to ransom – and that was only part of the story.
What had come from ‘out there’ and got ‘in here’ – and how?
Reliance acsn’s incident response investigation showed that the business had fallen prey to new variants of Trickbot and Emotet malware and to Ryuk ransomware.
Critically, these were not detected by any of the commercial Anti-Virus (AV) software vendors tested by the Reliance acsn team – and therefore remained undetected by the enterprise’s incumbent security technologies.
Emotet had probably targeted the enterprise via phishing emails containing Word documents posing as invoices. These had triggered outbound port 80 connections to a single command and control (CnC) server, gaining connectivity between this server and the business’s networks.
Emotet was then used as a dropper for the two other malware variants identified in this incident – Trickbot and Ryuk.
Trickbot was known to be linked with the banking trojan Dyre, but the new variant has additional modules that were used to gather information about devices, networks and critical data sources from the infected machines. Ryuk then acted on this information to hold the organisation’s data to ransom.
The team identified previous Bitcoin payments made to the Ryuk wallet in question by other organisations totalling several hundred thousand pounds!
“OK, now we see it – but we can’t stop it.” The Head of IT’s story.
Tasneem, Head of IT, was reeling.
Whatever this malware was that was stopping Chris and others from doing their jobs, it had come in totally under the security software’s radar. The defensive technologies they paid their security provider month in, month out to deliver had, of themselves, apparently achieved absolutely nothing.
But even more terrifyingly, this unknown was replicating and spreading. Tasneem and her team simply didn’t know which process or network resource it would hijack next in its quest to find and paralyse the business’s data – and the security software they had invested in couldn’t tell them!
There was no security community knowledge around these modified malware variants, either. Nothing on Virus Total, for example. No announcements or advisories from the big-name security companies.
The enterprise’s workstations, domain controllers and a hypervisor had all been hit. And Tasneem simply had no idea where the attack was going next – or how to stop it.
Why were the attack processes so difficult to stop?
Expert analysis of an attack by experienced cyber security specialists can reveal much about the multiple processes an attacker will attempt – and how to recognise and remediate them.
Security technology, of itself, typically cannot make these connections, or propose suitable actions in response. In this case, this proved to be the gravest of shortcomings.
The Trickbot variant, for example, constantly spawned multiple similar processes, with minor variations, to increase its chance of success.
It’s also likely that its new additional modules were used to gather and extract passwords from applications such as Outlook and Filezilla, in addition to device login credentials.
The Emotet variant, for its part, likely made use of its new additional modules to access the enterprise’s Outlook Messaging API and steal contact lists, in order to rapidly propagate the phishing mails throughout the organisation (and elsewhere).
In short, the attack relied on very specific suspicious behaviours to achieve its aims of targeting, deploying, spreading as quickly and as extensively as possible – but the enterprise’s security measures could not and did not flag them and the usual sources of useful information were silent.
In fact, the very first advisory that appeared about the new malware variants came from Reliance acsn, as a result of their incident response activities – and within 72 hours it had been adopted industry-wide.
“Get the security provider in here. Right now.” The CEO’s story.
CEO Doug takes one look at what the spreading ransomware attack is doing to the business’s operational performance – already – and calls his security provider in to explain to him what’s going on and how they’re going to limit the damage.
But they can’t.
As they point out, they simply resell and deliver security software developed by experts elsewhere; they have no skilled security analysts who understand threat behaviour and evolution, and can take predictive action.
However, they’re quick to confirm that they have done all the ‘right’ things – deployed multi-layered security software, configured it correctly, monitored it, kept it patched and updated – just like their SLA says.
Doug is starting to learn that there are security providers and there are security providers – and these guys are the kind he doesn’t need…
Why did the security software fail? What the security provider didn’t know and couldn’t explain.
The attack included sophisticated methods for actively evading and indeed disabling the typical enterprise security technologies.
Trickbot, for example, was found to be encrypted across all executables and subsidiary DLL modules.
Security software is powerless to identify and stop what it can’t recognise, and most security providers are unable to painstakingly reverse-engineer the unique key for each machine in order to decrypt the application and gain any understanding of its workings.
Trickbot also removed Windows Defender from the registry of each machine, effectively turning off Windows devices’ critical first line of cyber defence, and it is capable of copying processes from memory in order to avoid interactions with the host and system that could trigger anti-virus software.
Ryuk, too, had its way with the organisation’s security software, stopping several services to avoid detection and then pressing home the advantage to disable other solutions that can render ransomware toothless (backup, restore, shadow copies etc.)
Confronted so harshly by threats that can ‘play’ security technology in this way, Doug and Tasneem realised they needed a very different approach to keeping their people, networks and business secure.
This was how it all started.