Ransomware Prevention and NemucodAES Analysis
This month’s newsletter walks you through a recent ransomware case and how we got the files back without paying the ransom. Of course, we give you tips on how to stay safe as well.
Adrian will be out in Las Vegas next week, so if you’re attending Black Hat or BSidesLV, be sure to connect with him!
Down, But Not Out.
The call came in on the weekend. An organization had been hit with a variant of cryptoransomware; all of their important files (approximately 25,000 of them) had been encrypted. They wouldn’t be able to continue business without them. Backups? They had them… emphasis on had. The ransomware deleted their Volume Shadow Copies and spread to their external drive and cloud storage services such as Dropbox and Google Drive. There were two options: pay the ransom and hope the criminals hold true to their promise to decrypt upon payment, or try to reverse-engineer the ransomware and beat them at their own game. The customer trusted us with the latter (and we were successful). We are writing up the rather lengthy malware analysis portion of it, and it will be on our blog in the coming week.
Beating crypto is atypical. We got lucky in that the random number generator the hackers used was actually pretty weak, and we used this against them to decrypt the files. Odds are, many organizations won’t be so lucky, so if you don’t want to find yourself between a rock and a hard place, here are some tips your organization can use to stay safe.
- Make backups, and test them! Choosing an automated cloud-based backup provider is optimal. Many keep multiple versions (important in case your encrypted files get backed up), and they are automated, so you don’t have to remember to back up. However, you do have to remember to test your restores!
- Keep your anti-malware definitions up to date, and enable real-time scanning. Windows Defender in Windows 10 did an excellent job of stopping this variant. In fact, without disabling Windows Defender, we couldn’t perform malware analysis.
- Keep systems up to date. For less-critical systems (workstations), enable automatic updating. For more critical systems, commit to a maintenance cycle, and stick to it.
- Crank up UAC to the max. UAC provides many security enhancements, including notifying the user anytime something is trying to execute with admin privileges.
- Don’t allow programs to execute from %APPDATA% or %TEMP%. You can set this in Local Security Policy (or GPO in a domain environment). Be cautious, though: malware isn’t the only software that likes to execute from these directories. Some legitimate programs execute from here as well.
- Utilize DNS intelligence and block lists. Setting your DNS servers to ones that filter out known malicious domains can help safeguard your organization.
- Associate .js and other script files with Notepad.exe (not Windows Script Host) so they don’t auto-execute on double-click. Again, this can be done in either Local Security Policy or GPO.
- If you get hit with ransomware, don’t delete the artifacts! Some of them are needed to decrypt, analyze, or recover files.
- Provide regular training and education that teaches everyone (admins, users, execs) how to identify phishing emails.
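To see where a workstation stands against the Windows controls in the list above, here is a read-only audit script. It is an added example, not tooling from Savage Security or from the decrypter authors; it assumes Windows 10 with PowerShell 5.1+ run as Administrator, and the registry locations it reads (the JSFile handler, the Software Restriction Policy "Disallowed" path rules, and the UAC policy values) are the standard ones but should be treated as this script's assumptions.

```powershell
# Added audit example (not the newsletter's own code). Read-only: reports findings, changes nothing.
# Assumes Windows 10, PowerShell 5.1+, elevated session; registry paths are assumptions.

function Get-JsHandler {
    # Default open command for .js files; Windows ships with WScript.exe (Windows Script Host).
    $key = 'HKLM:\SOFTWARE\Classes\JSFile\Shell\Open\Command'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
}

function Get-SrpDisallowedPaths {
    # Software Restriction Policy path rules at the "Disallowed" level (subkey 0).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (Test-Path $base) {
        Get-ChildItem $base | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
    }
}

function Get-UacSettings {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin   # 2 = "Always notify"
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

$findings = @()

$js = Get-JsHandler
if ($js -match 'wscript|cscript') { $findings += ".js opens with Windows Script Host: $js" }

$srp = @(Get-SrpDisallowedPaths)
foreach ($dir in '%APPDATA%', '%TEMP%') {
    if (-not ($srp | Where-Object { $_ -like "$dir*" })) { $findings += "no Disallowed SRP rule covering $dir" }
}

$uac = Get-UacSettings
if ($uac.EnableLUA -ne 1 -or $uac.ConsentPromptBehaviorAdmin -ne 2 -or $uac.PromptOnSecureDesktop -ne 1) {
    $findings += "UAC is not set to 'Always notify'"
}

$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt 1) { $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old" }

# Shadow copies were the first thing this ransomware deleted; none present means no local rollback.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) { $findings += 'no Volume Shadow Copies exist' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All checks passed.' }
```

Each warning maps to one bullet above; a clean run still says nothing about whether your backups actually restore, which only a test restore can prove.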
If you’ve been hit with NemucodAES, our friends Adam Caudill and Fabian Wosar have both been successful in writing decrypters for it, and Adam has an excellent blog post explaining the ins and outs of the code and the crypto.
I just published a new version of the NemucodAES decrypter that supports the 100,000 byte variant as well: https://t.co/kxBftlgyod
Breaking the NemucodAES Ransomware https://t.co/pEeBoPgVOq
At the end of the day, with proper training and technical controls, the majority of the infections and malware out there can be stopped before they ever execute (and many times, before they even have a chance to get on the machine). Due diligence is key, whether it’s BC/DR, technical controls, or user education. As always, if you need us, we’re ready to help you and your organization Go Savage.
This is a Security Bloggers Network syndicated blog post authored by Kyle Bubp. Read the original post at: Savage Security Blog - Medium