CTIP - Missouri Hospital Association
Unclassified // For Official Use Only – TLP: GREEN

DISTRIBUTION NOTICE: TLP: GREEN. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. http://www.us-cert.gov/tlp/

RANSOMWARE ATTACKS ON US HOSPITALS
DATE: April 13, 2016
Ref: CTIP-IB-16-23

(U//FOUO) SCOPE

(U//FOUO) This product covers ransomware attacks reported by hospitals in the U.S. occurring from approximately January 2016 to April 2016. This analysis concentrates on two variants of malware/ransomware used in the most sophisticated attacks, known as “Locky” and “MSIL/Samas.A” (hereafter “ATTACK TYPE 1” and “ATTACK TYPE 2” respectively).

(U//FOUO) For ease of use, the key findings and the attack history and overview have been split into separate sections. The technical analysis starts on page three. Preventative and protective information applicable to both attack types starts on page eight. The analysis should be passed to the appropriate system administration and information security personnel.

(U//FOUO) KEY FINDINGS

(U//FOUO) An increasing number of hospitals in the US have suffered disruption from ransomware.
(U//FOUO) Consequences of the attacks have ranged from short-term disruption to long-term interruption of operations and patient care.
(U//FOUO) Attack methods have become refined and are becoming resistant to current detection methods.
(U//FOUO) Both automated and manually targeted attacks have been effective at disrupting hospital operations.
(U//FOUO) KCTEW judges with high confidence that ransomware attacks will continue to be attractive to attackers and will continue to be a threat to hospital operations.

(U//FOUO) BACKGROUND (OVERVIEW)

(U) Hospitals throughout the US and Canada are falling victim to ransomware attacks in increasing numbers.
Ransomware is malicious software that encrypts a user’s or company’s files and programs and forces them to pay a ransom to the attacker in order to regain access to their own files. Some of the targeted hospitals include:

(U) CoxHealth – A Southwest Missouri based group
(U) MedStar – A Maryland based group of 10 hospitals
(U) Hollywood Presbyterian Medical Center
(U) Chino Valley Medical Center – A California based hospital
(U) Desert Valley Medical Center – A California based hospital
(U) Ruby Memorial Hospital – A West Virginia based hospital
(U) King’s Daughters Hospital – A Southeast Indiana hospital

(U) The targeted hospitals have suffered consequences ranging from short-term disruption of limited services to complete enterprise-wide disruption of administrative and clinical systems for multiple days, taking many additional days to fully recover all systems. Additionally, some hospitals have paid ransom amounts of $17,000 or higher to perpetrators in order to recover hospital information.

(U) The attacks have been accomplished by a variety of different strains of ransomware, but in general represent two largely different attack methods.

(U) The first methodology (“ATTACK TYPE 1”) is the more commonly seen ransomware attack and typically uses three infection vectors:

1) (U) Phishing email – The attacker sends millions of emails with malicious links or attachments, hoping an unsuspecting user will click the link or open the attachment.
2) (U) “Drive-by” browser attacks – A user visits a malicious website that exploits a vulnerability in the user’s browser, infecting the system simply by visiting the site.
3) (U) Free software downloads – A user downloads seemingly useful software from an apparently trusted site, but the files carry malicious code that infects the user’s system when installed.
(U//FOUO) KCTEW Analyst Note: Because of the nature of ransomware and the usual tactics employed to deliver it, and because ransomware does not typically traverse a network, an infection can encrypt any files to which the infected machine has access, but the infected code will not typically spread itself to other machines. That means that with prior planning, an attack can be limited to small sections of an enterprise, thereby limiting ransomware impact. However, newer strains of ransomware are increasing in “anti-forensic” capability and may develop the capability to spread to other systems.

(U) The second methodology (“ATTACK TYPE 2”), seen recently, more closely resembles a “traditional” malware attack. In one case the attacker appears to have used an open-source penetration testing tool to scan targets looking for specific vulnerabilities in specific types of software. Once vulnerabilities are found, they are exploited to give the attacker “command line access”. The attacker, using stolen credentials, spreads through the network, compromising other machines. In this instance the attacker appears to have identified the most valuable and vulnerable asset and executed a ransomware virus on that machine.

(U//FOUO) KCTEW Analyst Note: In this scenario, the attacker enters through a server and has increased access to the enterprise network. Their activity is stealthy, meaning they can remain in the network for weeks or months while performing reconnaissance, exfiltrating information/files, altering information, altering systems, etc. It is important to note that this type of attack is usually NOT automated. The attacker is manually traversing the system looking for opportunity. Anti-virus and Intrusion Detection systems using signatures are much less likely to spot this type of compromise. An attacker can implement multiple attacks depending on what they find.
They do NOT have to confine their crimes to ransomware and could use a ransomware attack as cover for other crimes, commit multiple crimes or stay resident, lurking in the network waiting for opportunity.

ATTACK TYPE 1 – Locky Variants

(U//FOUO) METHODS / EXPLOITED VULNERABILITIES

(U) “Locky” variants are delivered primarily via phishing email. Locky has significantly increased its virulence compared to other ransomware variants and is close to being the second most used attack tool.[1] At least one vendor has observed a botnet distributing phishing email with Locky attachments at the rate of 200,000 emails per hour.[2]

(U) Locky has recently undergone significant enhancement, adding complex anti-detection and anti-forensic countermeasures including (but not limited to):

(U) The ability to use a JavaScript downloader in addition to malicious Microsoft Word macros.
(U) Addition of at least 10 downloader variants.
(U) Change of communication protocol.
(U) Inclusion in the Nuclear exploit kit (EK).

(U) A significant addition to Locky is the ability to encrypt files on unmapped network drives. This means that even though a drive doesn’t appear as a drive letter or attachment, Locky will perform network discovery and try to encrypt files on unassigned drives.[3]

(U//FOUO) KCTEW Analyst Note: The capability to discover unmapped network drives extends Locky’s reach in an enterprise environment significantly, giving the impression that it is traversing the network. The number of variants, loaders, communication changes, etc. makes Anti-virus and Intrusion Detection systems using signatures less capable of spotting this infection.

(U//FOUO) INDICATORS

(U) A preferred method for delivery is a phishing email with a bogus invoice attached. The invoice is a Microsoft Word document with a malicious macro embedded, similar to Figure 1.
(U) Figure 1 (Credit: Bleeping Computer)

(U) When the malicious MS Word document is opened and macros are enabled, Locky finds files with the following extensions:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

(U) Locky will skip any files where the full pathname and filename contain one of the following strings: tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

(U) Locky encrypts and renames files to the format [unique_id][identifier].locky. So when test.jpg is encrypted it would be renamed to something like A5094B2F762DD993AFC2742E3F5297CD.locky.

(U) Locky then deletes all of the Shadow Volume Copies (SVC) on the machine, so that they cannot be used to restore the victim's files, by executing: vssadmin.exe Delete Shadows /All /Quiet

(U) On the Windows desktop and in each folder where a file was encrypted, Locky will create ransom notes called _Locky_recover_instructions.txt.
This ransom note contains information about what happened to the victim's files and links to a decryption page. Locky alters the system's wallpaper to display the ransom note, similar to Figure 2.

(U) Figure 2 (Credit: Bleeping Computer)

Locky stores information in the system registry under the following keys:

HKCU\Software\Locky\id - The unique ID assigned to the victim.
HKCU\Software\Locky\pubkey - The RSA public key.
HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer.

Related files:

%UserProfile%\Desktop\_Locky_recover_instructions.bmp
%UserProfile%\Desktop\_Locky_recover_instructions.txt
%Temp%\[random].exe

(U//FOUO) REMEDIATION / MITIGATION

(U) At this writing, the most effective method of recovery is to restore the files from backups.

Assure backup files are available and viable.
After preserving forensic evidence as necessary, completely wipe the machine(s) and rebuild/reinstall software from known clean sources:
 o Operating system
 o Applications
Restore backup.
Institute preventative/protective measures.

(U//FOUO) KCTEW does NOT recommend paying ransom. There is no guarantee that the criminals will honor the agreement, the criminals may target you again knowing that you have paid ransom before, and in general paying the ransom encourages the criminal(s) to try extortion again.

(U//FOUO) However, if adequate backups do not exist and the effort to recreate the files is expensive or the content of the files is critical, an enterprise or individual may choose to attempt to pay the ransom. Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page.
This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as payment, how to purchase the bitcoins, and the bitcoin address to which payment should be sent. Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.

(U//FOUO) KCTEW Analyst Note: The attacker is hoping that the combination of Locky deleting itself, deleting shadow copies and renaming each encrypted file with a unique identifier complicates the task of recovery to the point that the victim will pay the ransom rather than attempt it. The choices for recovery from this ransomware variant usually come down to either restoring from backup copies or paying the ransom. One hospital elected to pay a ransom of $17,000 in the face of the difficulty.[4]

ATTACK TYPE 2 – MSIL/Samas.A

(U) Figure 3 (Credit: Microsoft Security Blog)

(U//FOUO) METHODS / EXPLOITED VULNERABILITIES

(U//FOUO) Attacks built around MSIL/Samas.A are different from the majority of other ransomware attacks. It appears the attackers’ desired outcome is to extort ransom from the target, though the attack actually resembles a more conventional system compromise and malware attack.

(U//FOUO) As shown in Figure 3, the attacker used an open-source penetration testing tool (JexBoss) to scan systems for vulnerable systems and software.[5] In this case the attacker scanned for outdated and unpatched versions of the JBOSS framework, the WildFly application server or various vulnerabilities in Java applications.[6] Once inside the network the attacker used several tools to proceed:

Installation on the compromised server of a Python-based SOCKS proxy to conceal communications with systems within the network.
Installation and use of a Windows credentials collection tool to steal user credentials to move laterally within the network.
Network reconnaissance using the Hyena and reGeorg network scanning tools to locate more Windows machines to attack.
Use of stolen credentials to connect to found systems and implant Samsam.exe.

(U//FOUO) Analysis indicates the attackers conducted reconnaissance of the network for an extended time in order to identify an appropriate ransom amount based on the perceived value of the target's data. Of note, the attacks were performed manually; the initial penetration occurred weeks or months before the ransomware attack was launched.[7]

(U//FOUO) KCTEW Analyst Note: As mentioned previously, it is important to note that this type of attack is usually NOT automated. It is much more specifically targeted and the attacker is aware of what kind of establishment they are compromising. They do NOT have to confine their crimes to ransomware and could use a ransomware attack as cover for other crimes, commit multiple crimes or stay resident, lurking in the network waiting for opportunities.

(U//FOUO) Once inside the network and various machines are identified as targets, the ransomware attacks are launched and proceed in much the same manner as more traditional ransomware attacks.

(U) The file samsam.exe and a key file with a name of the form <Computer Name>_PublicKey.xml are deposited into the “system” folder.
(U) The ransomware searches for and encrypts files from a fixed list of file extensions and exceptions, using a 2048-bit RSA algorithm. Encrypted file names have “encrypted.RSA” appended to them.
(U) Similar to the Locky ransomware, the vssadmin.exe utility is used to delete the Shadow Volume Copies and any backup files.
(U) A file, “HELP_DECRYPT_YOUR_FILES.html”, is deposited in the root folder of any encrypted files and also in the Desktop folder.
(U) After the files are encrypted, a ransomware message is displayed and the malware deletes itself.
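As an added illustration (not part of the KCTEW bulletin), the following Python script turns the host indicators described above for Locky and for MSIL/Samas.A into matching rules and runs them over a constructed stream of process, file and registry events; the hostnames, share names and the exact form of the "encrypted.RSA" file name are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the bulletin text. Locky renames encrypted files to
# [unique_id][identifier].locky, e.g. A5094B2F762DD993AFC2742E3F5297CD.locky.
LOCKY_NAME = re.compile(r"^[0-9a-f]{32}\.locky$")
LOCKY_NOTE = "_locky_recover_instructions."        # .txt and .bmp ransom notes
LOCKY_REG = "hkcu\\software\\locky\\"              # id, pubkey, paytext, completed
# Samas drops samsam.exe and <Computer Name>_PublicKey.xml in the "system"
# folder, appends "encrypted.RSA" to files and writes an HTML ransom note.
SAMAS_EXE = "samsam.exe"
SAMAS_KEY_SUFFIX = "_publickey.xml"
SAMAS_FILE_SUFFIX = "encrypted.rsa"
SAMAS_NOTE = "help_decrypt_your_files.html"
# Both families delete Shadow Volume Copies with vssadmin.exe.
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


@dataclass
class Event:
    kind: str    # "process" (command line), "file" (path) or "registry" (key)
    value: str


def classify(ev: Event):
    """Return (family, indicator) pairs matched by a single event."""
    hits = []
    low = ev.value.lower()
    name = low.replace("/", "\\").rsplit("\\", 1)[-1]   # leaf file / key name
    if ev.kind == "process" and VSS_DELETE.search(ev.value):
        hits.append(("shared", "vssadmin shadow copy deletion"))
    elif ev.kind == "file":
        if LOCKY_NAME.match(name):
            hits.append(("locky", "file renamed to <32 hex>.locky"))
        if name.startswith(LOCKY_NOTE):
            hits.append(("locky", "_Locky_recover_instructions note"))
        if name == SAMAS_EXE:
            hits.append(("samas", "samsam.exe dropped"))
        if name.endswith(SAMAS_KEY_SUFFIX):
            hits.append(("samas", "<Computer Name>_PublicKey.xml dropped"))
        if name.endswith(SAMAS_FILE_SUFFIX):
            hits.append(("samas", "file suffixed encrypted.RSA"))
        if name == SAMAS_NOTE:
            hits.append(("samas", "HELP_DECRYPT_YOUR_FILES.html note"))
    elif ev.kind == "registry" and low.startswith(LOCKY_REG):
        hits.append(("locky", "HKCU\\Software\\Locky registry key"))
    return hits


def detect(events):
    """Aggregate hits into {family: sorted indicator names} over an event stream."""
    found = {}
    for ev in events:
        for family, indicator in classify(ev):
            found.setdefault(family, set()).add(indicator)
    return {fam: sorted(inds) for fam, inds in found.items()}


# Constructed sample events (not real telemetry); hosts and shares are invented.
LOCKY_SAMPLE = [
    Event("process", r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"),
    Event("file", r"\\FILESRV01\radiology\A5094B2F762DD993AFC2742E3F5297CD.locky"),
    Event("file", r"C:\Users\clerk\Desktop\_Locky_recover_instructions.txt"),
    Event("registry", r"HKCU\Software\Locky\completed"),
    Event("file", r"C:\Users\clerk\Documents\schedule.xlsx"),        # benign
]
SAMAS_SAMPLE = [
    Event("process", r"vssadmin.exe Delete Shadows /All /Quiet"),
    Event("file", r"C:\Windows\system\samsam.exe"),
    Event("file", r"C:\Windows\system\WS-ADMIN01_PublicKey.xml"),
    Event("file", r"D:\shares\billing\claims.xlsx.encrypted.RSA"),  # assumed join form
    Event("file", r"D:\shares\billing\HELP_DECRYPT_YOUR_FILES.html"),
]
```

Running detect() over each sample set reports the shared vssadmin indicator plus the family-specific ones, so a single shadow-copy deletion alone is flagged but not attributed to either family.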
(U//FOUO) INDICATORS

(U//FOUO) FBI has provided a list of indicators and additional information. Because of the length, those documents are included as attachments. Additionally, a copy of the files is included with the distribution of this document. Those included are:

(U//FOUO) FBI FLASH MC-000070-MW
(U//FOUO) FBI FLASH MC-000068-MW
(U//FOUO) Samas_A_IOC spreadsheet

(U//FOUO) Preventative Measures

(U//FOUO) These measures address vulnerabilities that enable this attack type, i.e. ransomware attacks against hospitals. HOWEVER, they should be considered for ANY enterprise.

(U) Assure that server-based software such as JBOSS, JNI and any Java-based applications are patched and the latest versions installed.
(U) Adopt active monitoring of application transaction logs.
(U) Ensure that a strong password policy is implemented throughout the enterprise.
(U) The attackers used stolen or derived credentials.
(U) Protect derived domain.
(U) Use two-factor authentication when possible.

(U//FOUO) REMEDIATION / MITIGATION

(U//FOUO) Because the attacker may have been resident in the network for an extended time, KCTEW recommends that it be treated as a full System Security Breach and the appropriate procedures implemented immediately. The attacker has had access to the entire network, and the integrity and confidentiality of any system or sub-system should be verified. Procedures put in place by MEDSTAR (USBIZ), a Maryland based group of ten hospitals, took all systems, administrative and clinical, off-line and brought them back on-line in order of criticality as each was cleaned and verified.

(U//FOUO) The ransomware extortion portion can be treated as one facet of the attack and has similar procedures to the recovery from a Locky attack (ATTACK TYPE 1).
As in that attack, an evaluation should be made whether the information can be restored from backups or whether there should be an attempt to pay the ransom if the information is critical and can’t be replicated or recovered.

(U) PREVENTATIVE MEASURES (APPLICABLE TO BOTH ATTACK TYPES)

(U//FOUO) Be very careful about opening unsolicited attachments. Due to the continued evolution of ransomware/malware toward defeating Anti-Virus and Intrusion Detection systems, the best preventative measure is to not click on malicious links in email, not download and open malicious attachments in email, and not download infected or malicious free software.

(U//FOUO) USER EDUCATION is a key prevention practice. Implementing a cyber security awareness program with periodic, realistic training can significantly reduce the risk of ransomware and malware attacks through phishing emails. One security company measuring 300,000 users over a year’s time saw a drop in clicks on malicious email from 15.9 percent to 1.2 percent when training had been implemented.[8]

(U) SUGGESTED PROTECTIVE MEASURES

(U) Implement a comprehensive backup process.
 o Offline copies with versioning capabilities.
 o Don’t depend on default backups to the cloud.
 o Test the effectiveness and validity of backups periodically.
(U) Segment enterprise network(s).
 o Separate functional areas with firewalls.
 o Implement and enforce detailed access policies by department.
 o Separate client and server networks, so systems and services can only be accessed if really necessary.
(U) Don’t enable macros by default.
 o Most Windows ransomware in recent months has been embedded in documents distributed as email attachments.
 o Consider using Microsoft Office viewers. These viewers will let you see what a document looks like but do not support macros.
(U) Implement “least privilege” policies.
 o Don’t give more login power than needed.
 o Don’t stay logged in as an administrator any longer than is strictly necessary.
 o Avoid browsing, opening documents or other “regular work” activities while you have Administrator rights.
(U) Keep your operating system and software up-to-date with the latest patches.
 o Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
 o Often there is too much faith placed on antivirus software while ignoring patching. Securing an environment is a multi-front campaign, and over-reliance on one strategy can lead to a network/system compromise.
(U) Keep Anti-Virus and IDS software up to date.
 o Many strains of malware are becoming increasingly resistant to signature-based detection; if signatures and the software itself are not kept current, it will not be able to deal with new strains of malware.
(U) Use application whitelisting to help prevent malicious software and unapproved programs from running.
 o Application whitelisting is one of the best security strategies, as it allows only specified programs to run while blocking all others, including malicious software.
(U) Implement Defense-in-Depth processes.
 o The defense-in-depth strategy encourages businesses to use a variety of security practices and technology to deter any one threat. Technologies or processes may be circumvented by attackers, and when they are circumvented, a lack of multiple layers enables ransomware to propagate should one defense layer fail.
(U) Keep informed about new security features or newly discovered vulnerabilities in your application and operating system software.
(U) REPORTING NOTICE

(U) Please report any occurrence or attempt at ransomware extortion or any other cyber related incident to:

FBI CYWATCH – Email: [email protected] – Phone: 855-292-3937
or
KCTEW Cyber Intelligence – Email: [email protected] – Phone: 816-413-3588

This product pertains to Standing Information Needs: HSEC-1, KCTEW-SIN01.13.2, KCTEW-SIN01.13.3, KCTEW-SIN01.13.4, KCTEW-SIN01.13.5

THIS PRODUCT IS INTENDED FOR THE CYBERSECURITY AND CRITICAL INFRASTRUCTURE / KEY RESOURCES COMMUNITIES.

The KCTEW CTIP (Cyber Threat Intelligence Program) does not provide consulting, remediation or investigative services, but supplies information about specific threats, analysis and other information to its Federal, State, Local, Tribal and Private Industry partners to utilize in their Cyber Terrorism/Cyber Crime prevention efforts.

Comments and questions regarding this product should be directed to: KCTEW CTI Staff, 816-413-3588, [email protected]

[1] “CryptoWall, Locky Dominate Ransomware Landscape: Report”, http://www.securityweek.com/cryptowall-locky-dominate-ransomware-landscape-report, accessed 04/13/2016
[2] “Locky Variant Changes Communications and Spreads With the Nuclear EK”, https://securityintelligence.com/news/locky-variant-changes-communications-and-spreads-with-the-nuclear-ek/, accessed 04/13/2016
[3] “The Locky Ransomware Encrypts Local Files and Unmapped Network Shares”, http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/, accessed 04/13/2016
[4] “Hospital pays $17k for ransomware crypto key”, http://arstechnica.com/security/2016/02/hospital-pays-17k-for-ransomware-crypto-key/, accessed 04/13/2016
[5] “SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM”, http://blog.talosintel.com/2016/03/samsam-ransomware.html, accessed 04/13/2016
[6] “Maryland hospital group hit by ransomware launched from within”, http://arstechnica.com/security/2016/03/maryland-hospital-group-hit-by-ransomware/, accessed 04/13/2016
[7] “A threat actor deployed ransomware weeks to months after compromising the system.”, https://www.secureworks.com/blog/ransomware-deployed-by-adversary, accessed 04/13/2016
[8] “Security Awareness Training Features”, https://www.knowbe4.com/security-awareness-training-2016-features/, accessed 04/13/2016