Photos by Hillary Ehlen and Pexels. Graphic by Sarah Geiger
By Jamie Maguire
Presented by High Point Networks
High Point Networks is a value-added reseller (VAR) of information technology providing solutions to both the SMB and enterprise level markets in the upper Great Plains. They offer organizations best-in-class voice and data networking solutions, supported by the best professional services team in the region. Their solutions solve real challenges and provide measurable return on investment.
In August, a customer contacted High Point Networks and was looking for assistance to recover from a ransomware attack. I wanted to share the experience and highlight a few tips that companies can take to prevent themselves from falling victim to the same type of attack. Unfortunately, in this case, the business did not have any backups. With no backups, the business had little choice but to pay the $3,000 ransom to recover their 450 gigabytes of encrypted data. After assisting them with the ransom process, restoring their data and getting them back online, I spent some time analyzing the infected servers to try to determine how this attack occurred and what could have been done to prevent it.
1. I found a firewall rule that allowed the Remote Desktop Service through the firewall to one of their servers. In short, anyone on the internet could directly access the login prompt to one of the business’s servers.
2. The scammers launched a brute-force login attack and guessed thousands of username and password combinations over a period of months.
3. Eventually the scammers guessed the correct password and logged into the server. They then placed the following pieces of malware in the “My Music” folder of the server:
- Mimikatz – A credential-dumping tool (it pulls passwords and password hashes out of memory) that is popular in the pentesting community
- shinchakun5main.exe – This appears to be a network scanning tool designed to identify other servers and shares on the network. Generally, scammers are very careful to ensure they infect as many machines as possible to increase their chances of getting paid.
- exploit.exe – This appears to be a malicious executable that exploits a vulnerability to launch a command prompt running as an administrator. In other words, even if the scammers got access to an unprivileged, user-level account, if the server is missing security patches, they can gain full administrative access by running this exploit.
- x86.exe – This executable appears to serve the same function as exploit.exe, but for 32-bit systems rather than 64-bit.
- shadow.bat – This is a batch file that deletes all shadow copies on the system. Shadow copies are point-in-time snapshots of a volume that Windows takes automatically; they are what the “Previous Versions” and System Restore features recover from. Deleting them increases the likelihood that the victim will be forced to pay the ransom, because the only local copies that could have been used to get the files back are gone.
- shaofao.exe – This is a malicious executable that encrypts all files on the server and demands the ransom.
4. With their malware placed on the first server, the scammers scanned the network and found the second server that contained all the business’s data. They logged in to the second server using the same administrative password, deleted all shadow copy backups from both systems and launched the “shaofao.exe” to encrypt all files on both servers.
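The chain in steps 2 through 4 (a long run of failed logons from one address, then a successful logon from that same address, then shadow copies being deleted) leaves a trail in the Windows Security log that can be checked for. The script below is an added example, not code from the original article or from High Point Networks. It runs over a constructed, flattened export of Security events (IDs 4625 failed logon, 4624 successful logon, 4688 process creation; logon type 10 is RDP) and flags each stage. The addresses, account names, the 20-failure threshold and the vssadmin command line are assumptions; the article names shadow.bat but does not show what it runs.

```python
"""Flag the RDP brute-force chain from steps 2 to 4 in exported Windows Security events.

Added example, not code from the original article. The records below are
constructed to look like a flattened export of the Security log; field
names follow the EventData names Windows uses (TargetUserName, IpAddress,
LogonType). Event IDs: 4625 failed logon, 4624 successful logon,
4688 process creation. LogonType 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 20          # failures from one address before we call it brute force (assumption)
WINDOW = timedelta(hours=24)    # sliding window those failures must fall inside

ATTACKER = "203.0.113.45"       # constructed address (documentation range), not the real source
OFFICE = "10.0.0.5"             # constructed internal address


def _ev(event_id, ts, user, ip, logon_type=None, command=None):
    """One flattened event; for 4688 the real account field is SubjectUserName."""
    return {"EventID": event_id, "TimeCreated": datetime.fromisoformat(ts),
            "TargetUserName": user, "IpAddress": ip,
            "LogonType": logon_type, "CommandLine": command}


SAMPLE_EVENTS = (
    # Months of guessing compressed into one morning: 25 failures against Administrator
    [_ev(4625, f"2019-08-01T{h:02d}:{m:02d}:00", "Administrator", ATTACKER, 10)
     for h in range(1, 6) for m in (0, 12, 24, 36, 48)]
    # A staff member mistyping twice, then logging in: not brute force
    + [_ev(4625, "2019-08-01T08:00:00", "jsmith", OFFICE, 10),
       _ev(4625, "2019-08-01T08:00:30", "jsmith", OFFICE, 10),
       _ev(4624, "2019-08-01T08:01:00", "jsmith", OFFICE, 10)]
    # The guessed password finally works
    + [_ev(4624, "2019-08-01T09:30:00", "Administrator", ATTACKER, 10)]
    # Shadow copies wiped; the vssadmin command line is an assumption, the article
    # names shadow.bat but does not show what it runs
    + [_ev(4688, "2019-08-01T09:45:00", "Administrator", "-", None,
           r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet")]
)


def brute_force_sources(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {ip: peak failures} for addresses with >= threshold 4625s inside one window."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e["TimeCreated"])
    flagged = {}
    for ip, times in failures.items():
        recent, peak = deque(), 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:       # drop failures older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def logons_from(events, sources):
    """Successful logons (4624) from an address already flagged as a brute-force source."""
    return [(e["TimeCreated"], e["TargetUserName"], e["IpAddress"], e["LogonType"])
            for e in events if e["EventID"] == 4624 and e["IpAddress"] in sources]


def shadow_copy_deletions(events):
    """Process-creation events whose command line deletes shadow copies (vssadmin or wmic form)."""
    hits = []
    for e in events:
        cmd = (e["CommandLine"] or "").lower()
        if e["EventID"] == 4688 and ("delete shadows" in cmd or "shadowcopy delete" in cmd):
            hits.append((e["TimeCreated"], e["TargetUserName"], e["CommandLine"]))
    return hits


def analyze(events):
    """Run the three checks and return them as one report."""
    sources = brute_force_sources(events)
    return {"brute_force_sources": sources,
            "logons_from_those_sources": logons_from(events, sources),
            "shadow_copy_deletions": shadow_copy_deletions(events)}


if __name__ == "__main__":
    for section, findings in analyze(SAMPLE_EVENTS).items():
        print(section)
        for item in (findings.items() if isinstance(findings, dict) else findings):
            print("   ", item)
```

The first check is the one worth alerting on: a run of 4625 events from a single internet address against an administrative account is visible for weeks or months before the 4624 that ends the story. Event 4688 only carries the command line when “Include command line in process creation events” is enabled in Group Policy, and both logon and process-creation auditing have to be turned on, so confirm those settings before relying on the last two checks.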
Check externally facing services: Audit every service reachable from the internet and do not allow RDP (TCP port 3389) through the firewall to a server. If remote access is required, put it behind an SSL VPN or a Citrix appliance, and add Multi-Factor Authentication (MFA) to that remote access so a guessed password on its own is not enough to get in. According to the website shodan.io, there are just over 100 servers with RDP exposed to the internet across the state of North Dakota. Plug your external IP address into shodan.io to see which services your systems have exposed, then compare the result against your firewall’s inbound rules; any port-forward nobody can explain should be removed.
Check the passphrase policy: If you’ve read my previous article, then you know how I feel about passwords. In this case, the attackers demonstrated that the administrative password on the server could be guessed, given enough time. Businesses should review their passphrase policies and ensure that accounts with administrative access have long, unique passphrases. In addition, lock out accounts after a set number of invalid login attempts; this is an effective safeguard against brute-force logins, with one caveat: on Windows the built-in Administrator account is exempt from the lockout policy unless the newer “Allow Administrator account lockout” setting is available and turned on, so that account should not be reachable for remote logon at all. An attack like this also leaves thousands of failed-logon events (Windows event ID 4625) in the server’s Security log over the months it runs, so someone should be reviewing or alerting on them.
Check antivirus: Unfortunately, the business was not running any antivirus on their servers, making it easy for the attackers to plant their malware. However, remember that antivirus is just one layer of security. In this scenario, it’s hard to say if antivirus would have completely stopped the attackers. After all, the attackers already had an administrative account on the server and could have uninstalled or disabled any antivirus if they knew what they were doing, which is why endpoint protection should have tamper protection turned on and should report to a central console rather than only alerting on the server itself.
Check your backups: The only safeguard that would have kept the business from paying the ransom was an offline backup, meaning a copy that is disconnected from the network when the attackers come through. A backup drive or share that stays connected is simply more data for the ransomware to encrypt, just as the shadow copies were deleted here. Even something as simple as manually backing up files to an external USB drive and storing it in a cabinet would have been enough. Restore a few files from the backup now and then to prove it works; a backup that has never been restored from is an assumption, not a safeguard. While backups are not the most exciting safeguard when compared to firewalls or antivirus, their importance should not be overlooked.
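An offline backup is only a safeguard if the copy is intact and files can actually be brought back from it. The script below is an added example and not the article’s procedure: it copies a folder to a backup location (assumed to be the mount point of a removable drive, which is a path you supply), writes a SHA-256 manifest beside the copy, and re-hashes the copy on demand so a damaged or tampered backup is caught before the day it is needed. The run_demo function builds constructed sample files in a temporary folder and deliberately damages the copy to show what the check reports.

```python
"""Back a folder up to an offline drive with a SHA-256 manifest, then verify the copy.

Added example, not the article's procedure. backup_root is assumed to be the
mount point of a removable drive (for instance E:\\Backups on Windows); the
sample files created by run_demo are constructed and live in a temporary folder.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large data files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def back_up(source: Path, backup_root: Path) -> Path:
    """Copy source into a timestamped folder under backup_root and write a manifest beside it."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / f"{source.name}-{stamp}"
    shutil.copytree(source, dest)
    manifest = _hash_tree(dest)
    (backup_root / f"{dest.name}.manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify(backup_dir: Path) -> dict:
    """Re-hash the copy against its manifest; every list empty means the backup is intact."""
    manifest = json.loads((backup_dir.parent / f"{backup_dir.name}.manifest.json").read_text())
    present = _hash_tree(backup_dir)
    return {"missing": sorted(k for k in manifest if k not in present),
            "modified": sorted(k for k in manifest if k in present and present[k] != manifest[k]),
            "unexpected": sorted(k for k in present if k not in manifest)}


def demo(work_dir: Path) -> dict:
    """Create constructed sample data, back it up, damage the copy, and verify before and after."""
    source = work_dir / "data"
    (source / "finance").mkdir(parents=True)
    (source / "finance" / "ledger.xlsx").write_bytes(b"constructed sample ledger")
    (source / "readme.txt").write_text("constructed sample file")
    usb = work_dir / "usb"          # stands in for the removable drive
    usb.mkdir()
    backup = back_up(source, usb)
    clean = verify(backup)
    # Simulate ransomware reaching a drive that was left plugged in: one file
    # overwritten with ciphertext, one deleted
    (backup / "readme.txt").write_bytes(b"encrypted junk")
    (backup / "finance" / "ledger.xlsx").unlink()
    return {"clean": clean, "damaged": verify(backup)}


def run_demo() -> dict:
    """Run demo() in a throwaway directory and return its report."""
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Unplug the drive once verify() comes back clean; a drive that stays connected is just another set of files for something like shaofao.exe to encrypt, and the manifest is what tells you whether that happened. Run verify() again before relying on the copy for a restore, and keep the manifest with the drive so the check can be done on any machine.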