Can somebody explain these ransomwear attacks?

Fri Jun 25 15:01:52 UTC 2021

On Fri, Jun 25, 2021 at 5:28 AM Jim <mysidia at gmail.com> wrote:

> Big problem that with organizations' existing Disaster Recovery DR methods
> --
> the time and cost to recovery from any event including downtime will
> be some amount.. likely a high one,
> and criminals' ransom demands will presumably be set as high a price
> as they think they can get --
> but still orders of magnitudes less than cost to recover / repair /
> restore, and the downtime may be less.
>

I think you're right.  DR methods are a *huge* part of the problem.
I manage DR systems for a number of companies including a large unnamed
healthcare provider.
A year ago they were still running Exchange 2007.  No, that's not a typo.
Cryptolocker strolled right into the network via file attachment and
somehow made it past the non-existent 3rd-party AV software that totally
wasn't integrated into Exchange because it cost too much.
It spread across the network and started encrypting around 1 AM on a Friday
morning.
Due to the way this particular strain worked, it missed several of the
monitoring tools that would have alerted my company to the massive file
encryption that was happening and it managed to completely encrypt 21
offices and all their patient data.
At 6 AM my monitoring system alerted me to a problem.  By about 6:30 I
realized the scope of the problem, disabled all the site-to-site VPNs,
dropped the 1 or 2 infected workstations off the network and the encryption
stopped.
We do local snapshots every 15 minutes, local backups twice daily, local
disconnected backups several times per week, and off-site write-only
backups multiple times per day.
After I figured out when cryptolocker launched, I ran a few commands from
our config management server and had every office restored and running in
about 28 minutes and the internal techs for the company were dispatched to
swap out the infected workstations.

The first rule I follow is: Windows *never* touches bare metal.
I amended that last year to: Windows *never* touches bare metal, including
workstations.

People *really* need to work on their backups and DR plans.  You don't need
some expensive 3rd-party cloud solution coupled with expensive VMWare
licenses to do it.

The other part of the problem is the insurance companies.
It might surprise you to learn that particular company has been
cryptolocker'd 8 times in the last 15 years.  They've never lost more than
a few minutes of data and recovery times are measured in minutes.
This line has literally been thrown around a few times: "We don't need to
spend $xxx,xxx to upgrade to current software versions.  We have a
$5,000,000 cyber insurance policy."

The insurance company issued the policy after *port scanning* their public
IPs and finding no ports open.  Our only 'ding' we got was that the routers
responded to pings and the insurance company thought they shouldn't.
Insurance failed to do any sort of competent audit (i.e. NIST 800-171).  If
they did, they would have found the techs "solve" problems by making people
local admins or domain admins and that their primary line-of-business app
actually requires 'local admin' to run 'properly'.

While they finally replaced Exchange 2007 in 2020 by switching to GMail
(not for security, but because it made work-from-home easier), they still
run about 1/3 of their systems on Windows 7 with a few Windows 8 and 8.1
machines here and there.  They even still have 2 Windows XP machines.
Their upgrade policy is currently "If the machine dies, you can replace it
with something newer".  Their oldest machine is around 15 years old.

Incompetent insurance companies combined with incompetent IT staff and
under-funded IT departments are the nexus of the problem.

-A
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210625/244b901a/attachment.html>