Tip

Destruction of service: How ransomware attacks have changed

New ransomware variants have introduced another threat to enterprises. Rob Shapland explains what destruction of service attacks are and how organizations should prepare for them.

The latest wave of ransomware attacks, including WannaCry, Petya and NotPetya, show not only an increase in sophistication of these types of attack, but also a change in motivation. Although NotPetya is ostensibly a ransomware variant, the threat actors appeared to have no interest in making money, and were more concerned about damaging companies by disrupting operations.

Now dubbed destruction of service, this latest trend is something I've been concerned about for a while, having tested many companies' internal networks and witnessing firsthand how vulnerable they are.

A different kind of ransomware

Getting malicious software inside a company's network is quite easy -- an email phishing attack usually works.

However, NotPetya also appears to have spread by compromising M.E.Doc, a Ukrainian financial services software maker, and then altering an automatic update to include NotPetya, delivering it to every client. The vast majority of antivirus and antimalware software was unable to detect the malicious content. It then restarted the victims' machines, encrypting the data, and then overwriting the master boot record with its own custom loader. Once this process was completed, the data on the machines was unrecoverable unless it could be restored from backup.

For a hacker who is concerned with destroying data and causing as much damage as possible, the next step is to give the ransomware variants the ability to spread. NotPetya had a number of clever methods built into it; it essentially automated the process I use when I'm penetration testing corporate networks.

The two easiest ways for a hacker to move around a computer network is to either exploit known vulnerabilities or extract administrator credentials from memory and use them to access any computer on the network. NotPetya had both of these abilities built in; it used the leaked NSA tools EternalBlue and EternalRomance on unpatched computers, and also extracted credentials from memory using a variant of the Mimikatz tool.

It is very common for Windows PCs on an organization's network to have local admin or even Domain Admin credentials in memory due to the use of service accounts. These are usually Domain Admin accounts that update particular software automatically or that run backup processes. As they log in to every computer on the network, they leave behind their credentials in memory -- which is exactly what NotPetya needs to compromise the network.

Once credentials are stolen, they can then easily be reused anywhere. Nearly every company has a flat network, meaning that all parts of the network are accessible from anywhere else.

The ransomware game has changed

The potential implication of this type of ransomware variant that most concerns me is the hackers taking manual control once malware such as NotPetya is inside the network. If they do this, they can then do things that can be highly damaging to the company.

Firstly, they could use the complete control of the network that NotPetya has granted them to steal corporate secrets or publish passwords and other confidential data online. The second option, and one that is more in the theme of destruction of service, would be to completely wipe the company's data. The best way to do this would be to start by destroying the backups, if the company is not clever enough to store their backups off site. Once the backups are gone, encrypting the main file shares on the network would bring an organization to its knees.

From my experience of testing hundreds of networks, most companies would not be prepared for an attack of this sophistication. The only real protective mechanism for companies is having a proper backup process with off-site storage and no connection to the main corporate network. It is highly possible that a large company without a robust backup process could be totally destroyed by a manually controlled destruction of service attack.

Preventing destruction of service attacks

Defending against these advanced destruction of service attacks is best accomplished using a layered, defense in depth approach.

Preventing the initial infection is difficult, but a mix of user education, to help protect against phishing attacks, and advanced endpoint security software can help. Preventing the spread of ransomware variants is just as important; regular software patching, including the ability to bypass normal patching cycle restrictions to install particularly critical patches, is essential.

To reduce the risk of the extraction of credentials from memory, limit the use of local administrators and severely restrict the number of Domain Admins, as well as the operations they can conduct.

Assuming that you will be attacked is a sensible viewpoint and, therefore, having an effective and tested backup strategy that stores the backups separately from the main network is of paramount importance.

Although this new wave of destruction of service attacks is very sophisticated, combining the different tenets of a robust cybersecurity strategy, coupled with user education and regular testing of your defenses, can reduce the risk of a highly damaging attack.

Next Steps

Find out how WannaCry ransomware can affect industrial control system security

Get the latest on the evolution of biometric authentication systems

Read more on how to apply a hacker mindset to improve security

Dig Deeper on Threats and vulnerabilities