Whether premeditated or opportunistic, ransomware attacks take serious toll. Focus on the points of weakness, techniques used and reactions to adopt to try to deal with the worst and limit damage.

More virulent and professionalized than ever, cyber attacks by ransomware, which target businesses as well as administrations and local communities, are a real plague. After the publication at the beginning of September of a guide co-signed by theANSSI and the Ministry of Justice reviewing the means of action and reaction to face this formidable threat, it is the turn of the Observatory for the security of information systems and networks (OSSIR) of make a contribution in the fight against ransomware.

As part of one of the association’s last videoconferences, Christophe Renard, agent in the Response Division of the ANSSI Operations sub-directorate, intervened in the context of feedback on the anatomy of ransomware attacks. After briefly reviewing ANSSI’s role in the fight against cyberthreats (prevention, incident response and knowledge sharing), Christophe Renard recalled the explosion of ransomware attacks (104 between January 1 and 1 September 2020) leading to several major incidents combining data destruction and production stoppage, as was very recently the case for Sopra Steria with the key significant financial impacte.

Side attacks to better penetrate the IS

In the first part of his experience feedback, Christophe Renard draws up an inventory of the entry points allowing a pirate to enter an exposed system. Usually via an access point accessible from the Internet or a user workstation through an e-mail containing a link or trapped document. There are a variety of them ranging from the exploitation of major vulnerabilities (CVE-2019-11510 on PulseSecure, CVE-2019-19781 on Citrix and CVE-2019-0604 on Sharepoint) to those subject to massive scans, to enumerations of passwords on services exposed on the Internet (RDS of domain servers, domain VMs …) or even fruit of botnet campaigns (Emotet, Dridex …).

“Once in, the attackers seek to extend their hold,” said Christophe Renard. This lateralization can then take several paths ranging from network scanning to system exploration by RDP, RCP and SMB mount, or even the use of offensive off-the-shelf frameworks (powershell-Empire, Cobalt Strike, Metasploit, etc.). Escalating privileges is of course part of a hacker’s plan of attack to achieve his goals. For this, he can try to reuse passwords that can be common between admin and user, extrapolate the generation rules or make brute force enumeration on the applications or even go fishing in the IS (excel file containing passwords, connection shortcuts with saved password …). But also trapped by “water points” such as internal web apps or even the VPN portal as such. To protect access, approaches can be considered: such as the creation of privileged accounts (AD, local administrators, etc.) or the addition of implants (RAT, webshell, reverse tunnels, etc.).

Vigilance on warning signs

Foreseeing and to ensure the maximum effect of his attack, the hacker seeks to deploy his ransomware as quickly as possible. This involves in particular the steps of neutralizing antiviruses, shutting down server processes at the last moment or ensuring that the relevant targets are indeed reached. It is therefore better to be very vigilant to certain signals that may arise such as virus detection, anti-virus crashes, unexpected service shutdowns or connections from the domain controller. With the aim of copying and executing its malicious program on a large scale, the use of administration mechanisms is carried out (Batch files of PsExec in series, creation of tasks for instructional execution by GPO, use of BITS …). Once the code is deployed, it will tackle several targets: erase shadow copies, search for files to be encrypted and encrypt them, create invitation and contact messages or even send telemetry information to estimate the successful attack.

Generally, ransomware campaigns are carried out according to a timing that makes it more difficult to counter it (weekends, holidays, etc.). It is therefore time for the company to get down to business with the corollary of the transition to crisis which will mobilize key players internally (general management, security experts, CIOs, etc.) but also externally (outsourcers, investigators digital…). It will be imperative for this stage to designate people in charge and involved in this crisis management and especially their role and scope of intervention. The first actions will aim to stem network propagation (cut off Internet access, level 2 or 3 network filtering, cut off third-party access, etc.), but also systems (shutdown of workstations, extension of antiviral and XDR coverage, etc.). Caught between the trap set by cyberattackers and the need to restart activity as soon as possible to avoid heavy operational and financial losses, companies must also initiate a communication plan (employees, partners, media, etc.) by not forgetting the fundamentals: lodge a complaint with the competent authorities (Police, Gendarmerie …) and report the incident (ANSSI, CNIL …).

Test the restoration beforehand

In a tense and complicated to manage cotext, mistakes quickly happen. But some should be avoided, as Christophe Renard reminds us. “The ransomware crisis is a strategic crisis; it should not be managed solely from an IT angle.” Likewise, it is illusory to think that a resolution can be achieved in a few days: “no ransomware crisis that I have observed has lasted less than 3 weeks […] we will have to investigate, reconstruct, deploy temporary measures, restore backups. Nobody has the internal teams to do everything ”. Be careful not to base all this crisis organization on a single person either: “no one holds 3 weeks of crises without rest, burnouts during an incident happen”, warns Christophe Renard.

For a return to normal and after a necessary remedial step, the restoration process is a key step that should not be underestimated. It is also necessary that the backups and applications are recoverable by being previously disconnected and desynchronized from the master IS. “The restoration test experience is precious: all the reasons not to do them in calm weather are made worse by a degraded environment and stress,” explains Christophe Renard. The time will then come to take stock (image, technical, financial, regulatory and human) and to draw the consequences to improve the response to incidents and better thwart the disastrous impacts of the next ransomware. Because if there is one thing to keep in mind it is that, more than ever, in terms of cybersecurity we are never safe once and for all.