My Ransomware Post-Mortem

Cody Smith* //

As information security professionals we’re not invincible to breaches. Even the most robust security system can’t make up for a lack of user education, which I was painfully reminded of in December of 2016.

My “… !@$#” Moment:

Late one Sunday night, I was sitting at my desk working toward an empty inbox when a client of mine called me.

“Hey, do you have a minute? I can’t seem to open my files.”

“Sure, what’s going on?”

“Well, I can see where my files should be, but I can’t open anything. None of them look like they’re supposed to.”

“Can you describe what you’re seeing?”

“All of the file icons look like white pieces of paper, and their names are just a bunch of garbled letters with a weird file extension.”

At this point, I was quite concerned, “What does it say?”

“Dot Osiris? I don’t know if I’m saying that right.”

“… !@#$.”

My Response:

I quickly threw together my typical “go-bag” for things like this. My Apple MacBook Pro, a MacBook Air that has been converted into a Kali Linux machine, and a couple of flash drives with various distros, tools, etc.

On my way to the site, I prepared myself to see the worst. Maybe this is because of my training as a fireman, or maybe it was just my paranoia. Nonetheless, here is what I was expecting:

  • Full propagation throughout the SOHO network.
  • Full data-loss on multiple computers.
  • Loss of a client

However, when I got to the business, I realized that we weren’t as bad off as I had thought. While the one user’s files were encrypted (more on that later), the ransomware had only managed to encrypt that computer, and no other device on the network was affected. So, what happened, and how did it happen? Let’s break this down into what went wrong and what went right.

What Went Wrong:

In short, one thing went wrong. I didn’t educate the end-user on a recent threat that’s been sweeping the internet. I didn’t educate them on how “hackers” (or skids) were using scam-emails to deliver ransomware through Microsoft Office documents. That is my fault and mine alone. I took responsibility for the breach even though I wasn’t the one that caused it. Why? Because the network’s security was my responsibility, and as such, so was anything that happened to it.

The user was sent an email similar to ones I’ve seen in the past. It was an email from “FedEx” claiming that a package couldn’t be delivered to the user. The plot twist? My user was expecting a package that day, from FedEx, and it wasn’t delivered to him.  I know, what’s the chance of this happening right? Well, the user downloaded the file, and they joyfully put in their password to the U.A.C. prompt when it came up. They enabled the Excel document’s macros, and then the ransomware propagated throughout the computer. However, unlike other attacks I’ve read about, it didn’t propagate throughout the network.

What Went Right:

I’m overly paranoid when it comes to security, so I had various steps in place to mitigate this threat. (Clearly, I didn’t have enough.) Below, I’ve listed an overview of what went correctly.

  • Backups – If you’ve never been on the receiving end of ransomware, you probably don’t know how grateful you are for backups. (Unless you own a Seagate hard-drive) My client had an effective backup strategy. Weekly backups from the computers to the local NAS, and from that NAS a weekly upload to an Amazon Web Services S3 Bucket. After that backup has sat in the S3 bucket for one week, it’s transferred over to AWS’s Glacier just in case the newest S3 backup has issues. Having the most recent backup in S3 allowed for a quick download (considering it was a 64GB file) that I was able to restore files from the next day.
  • Network Drive Segmentation – A lot of SOHOs have file-shares, and that’s okay. However, if one file-share has access to every computer on the network, then you’re going to have a bad time. However, this client’s network was segmented in such a way that users only had access to their own drive, for “cross account” sharing, a special drive is used with a different username and password than their personal folders.
  • Osiris Sucks – If you’re the author of Osiris, we have to have a talk, and for a few reasons.
  • Your malware didn’t encrypt anything with the .jpeg extension.
  • Your malware didn’t encrypt anything with the .pdf extension.
  • Your malware didn’t manage to change the background on the computer, and it only left 2-3 ransom notes, but none on the desktop
  • Your malware didn’t leave any .html files, but instead .htm files. *sighs*

Now, don’t get me wrong. Osiris Ransomware isn’t something you want to meet in the wild, and you really don’t want to meet it like I did, when the only post you found about it was two days old. However, Osiris isn’t without its faults.

What I Could’ve Done Better:

I could’ve had local account policy in place to thwart the ability to run Macros in Office Documents, as well as the ability to run anything out of %Temp%. I could’ve better educated my end users. I could have just sent out an email warning my clients of the possibility of them receiving one of the emails like what had caused our breach. Lastly, I could’ve tested to see if my faith in my end users was warranted. I could’ve sent them all an email that looked like “the email” and took note of who actually opened the document and ran the Macros. This would have at least allowed me to better see who is aware of what threats.

What you can do:

With that said, I’d like to leave you with a few easy tips of what you can do to improve your security posture:

  • Backups saved my life, and they can save your life too. It isn’t good enough to just “have backups” Your backups have to work, and they have to be current. If you haven’t checked your backup method in a while, do so! It can save your rear some day.
  • File shares are sometimes a necessary evil, but you can greatly reduce the risk if you try to do so. Just because someone thinks they need access to a drive doesn’t mean they do. A simple principle of least access comes in here.
  • User education is still the weakest point of any I.T. infrastructure, and it’s also one of the most important domains to make sure you have covered. We often overlook user education because “users are all idiots that shouldn’t be allowed near a computer”. However, while that may be the case, it isn’t good practice. Educate your users and they’ll be able to help you far more than you could hope for.

So with that said, I leave you with this: Can your network handle this breach?

_____

*Cody Smith is a guest poster**.  He is a Performance Engineer, Cyber-Security Junkie, and frequently tweets GIFs. He spends most of his time attempting to keep up with current trends, malware samples, threats, and vulnerabilities. In his spare time, likes to browse the web for pictures of Corgis.

**Oh, you want to guest post for us too? Shoot us a Twitter DM, or email us via our contact form!