Problem to Solve: How can we go about searching for potential Ransomware activity before our organization gets attacked?
The evolution of security for so many has become a reactionary series of response and recovery. The latest highly publicized exploit leaves a tangible feeling that we all relate to and understand: extortion. Ransomware has had some high-profile victims recently that received coverage beyond our industry trade publications and have spawned a new round of security product offerings. This kind of insidious malware generates its own cipher keys and then encrypts drives, file shares, and on-line storage systems. The vulnerability is in SMB and its UNIX cousin Samba.
I Told You So Messaging
Articles and blogs on the subject can be grouped into two categories: those who preach “I told you so” and those that offer advice on “how to protect yourself”. The “I told you so” group's message should not be dismissed. It is like talking to my doctor: “Try to exercise more, and if something tastes good, spit it out”. Messages of “better backups”, “test your backups”, “layer your security”, “patch often” and a list of other good practices should be taken to heart. How about those trying to deliver a more pragmatic message? They have offered good advice on what to do if you are hit, what to do if you feel you have to pay the ransom, and how to deal with the hijackers. I will not detail those here since they have been analyzed and blogged to a sufficient level for any sane person.
In all the publicly published cases the culprit is exploiting a vulnerability that has a name, Badlock. This ransomware had no signatures and little to no phone-home behavior. Variants often have a delay factor or a series of tests they perform before they fire. Part of that is to go looking for file shares, determining when devices are left unattended, and checking whether the host they have become a parasite on has the permissions needed to encrypt the files/drives. This is yet another case where behavior analytics could provide some coverage that perhaps other security products do not: look for unusual amounts of file access traffic from a single host. That is, of course, if an organization can staff investigators to look into such notifications. Right now, ransomware of this type all operates in basically the same way. It generates an encryption key and then encrypts drives, directories or whole file shares, whatever the system has privileges to do or can escalate to.
Error Codes and Precursors
Watching and searching for devices on the network that appear to be scanning for file shares, or looking through file shares (as in all file shares), can indicate a precursor to ransom events. Searching for hosts/clients with a large number of SMB/CIFS/Samba errors would be a solid approach to find and isolate potentially dangerous behavior. Once this scanning/enumeration period is complete, the actual event itself usually happens, most often during off-hours. Once underway, encryption generates a lot of traffic on the network between the client and the file share and takes a long time to accomplish. So, it is typically visible on most application-aware APM and NPM+ solutions. But most of the time it is not seen or searched for until after the ransom note arrives.
You could see several different kinds of error codes show up in escalating numbers after a drive has been encrypted by ransomware similar to that used recently and highlighted by the media.
- SMB/CIFS – ERRDOS class, (13) permissions error
- SMB/CIFS – ERRDOS class, (5) access denied
- SMB/CIFS – ERRSRV class, (2) bad password
- SMB/CIFS – ERRSRV class, (4) access denied
- SMB/CIFS – ERRSRV class, (45) bad permissions
- SMB/CIFS – ERRSRV class, (08C0) client does not have permissions
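To make the hunt described above concrete (a client host throwing a burst of SMB errors while touching many distinct shares), here is an added example that is not part of the original article. The log format, the sample lines and the thresholds are all constructed assumptions for the demo; the parser would be adapted to whatever your NPM/APM or Samba audit export actually emits.

```python
"""Hunt for SMB error bursts plus share enumeration per client host."""
import re
from collections import Counter, defaultdict

# Constructed sample, one request per line: "<time> <client_ip> <share> <status>"
# where status is SUCCESS or "<error class>/<error code>" as listed in the article.
SAMPLE_LOG = r"""
02:11:03 10.0.0.21 \\fs01\finance SUCCESS
02:11:04 10.0.0.21 \\fs01\finance SUCCESS
02:13:10 10.0.0.77 \\fs01\finance ERRDOS/5
02:13:11 10.0.0.77 \\fs01\hr ERRDOS/5
02:13:11 10.0.0.77 \\fs01\legal ERRSRV/4
02:13:12 10.0.0.77 \\fs02\backup ERRDOS/13
02:13:12 10.0.0.77 \\fs02\eng ERRSRV/45
02:13:13 10.0.0.77 \\fs02\it SUCCESS
02:13:14 10.0.0.77 \\fs03\public ERRSRV/08C0
02:14:00 10.0.0.33 \\fs01\hr ERRSRV/2
"""

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<client>\S+) (?P<share>\S+) (?P<status>\S+)$")


def parse_smb_log(text):
    """Parse log lines into dicts; blank or malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def profile_clients(records):
    """Per client: request count, error count, errors by class/code, distinct shares seen."""
    profiles = defaultdict(lambda: {"requests": 0, "errors": 0, "codes": Counter(), "shares": set()})
    for r in records:
        p = profiles[r["client"]]
        p["requests"] += 1
        p["shares"].add(r["share"])
        if r["status"] != "SUCCESS":
            p["errors"] += 1
            p["codes"][r["status"]] += 1
    return profiles


def find_suspicious_clients(records, min_errors=3, min_shares=3):
    """Flag clients with BOTH an SMB error burst and many distinct shares touched,
    i.e. the enumeration pattern described in the article. Thresholds are assumed
    starting points; tune them against what is normal on your own network."""
    flagged = {}
    for client, p in profile_clients(records).items():
        if p["errors"] >= min_errors and len(p["shares"]) >= min_shares:
            flagged[client] = {"requests": p["requests"], "errors": p["errors"],
                               "shares": len(p["shares"]), "codes": dict(p["codes"])}
    return flagged


if __name__ == "__main__":
    for host, info in find_suspicious_clients(parse_smb_log(SAMPLE_LOG)).items():
        print(host, info)
```

A single bad-password host (10.0.0.33 above) stays below both thresholds, which is the point of requiring error volume and share breadth together rather than alerting on any one error.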
Security incidents, as well as misconfigurations, feedback loops, and self-inflicted denial of service attacks, are all symptoms of a missing component in IT and an under-served function of IT Security: establishing a proactive posture. Our entire industry is event/ticket driven. Our comrades, whole departments and groups are measured by them. They are motivated to reduce them, close them quicker, increase the number of tickets handled per person, and perhaps even automate event responses. Look at all the up/down alert integrations with ticketing systems available from most, if not all, vendors of ticket products or similar SaaS offerings.
I am planning on writing a separate article about establishing a proactive posture, so I will restrain myself from transitioning to that here and now. What I will offer is the thought that involving more people in “Service Availability/Assurance” is the key to scaling up against this escalating attack vector on distributed data access methods, where analysis otherwise scales only linearly with the people doing it. Choosing the most efficient data sources and normalizing the wording and labeling of errors and events is the key to building an army of service-assurance- and availability-aware people across the company. If everyone responsible for different operations in the business watched the relevant metrics for their area, it would be much easier to achieve a proactive posture than through a centralized entity or service. No one knows what is normal for a segment of the business better than someone intimately aware of how it runs day to day. Using the same metrics and workflows for all views, but in CONTEXT for each segment, allows for rapid sharing and explanation and ultimately proactive maintenance and planning, or very quick event reactions.
Points to Ponder
So, get out there! Make a difference and change the status quo; don’t count on luck or hope that your neighbors and competitors look like tastier targets than your organization. Like most things, the first step to change is to start talking about WHY before WHAT and HOW.