Unless you have been living under a rock for the past year you will have seen the rise of ransomware attacks worldwide. There are lots of great online resources that cover ransomware in great detail so we will not repeat that here. Instead, we are going to look at three questions that we are often asked when discussing ransomware.

1. “What are the current delivery methods for Ransomware that you are seeing?”
2. “How should we respond to an incident?”
3. “What should I do to mitigate?”

This article will look at each question in turn.

Ransomware Delivery Methods

We have seen a split between the different delivery methods used by various ransomware gangs, and the methods used differ due to the technical skill set of the attackers and also when targeting end users or corporate systems directly.

Targeting end users 

The main methods employed to get the ransomware on to the target system still fall within the following two categories:

• Email based attachments – often using fake invoices with embedded malicious macros.
• Malicious Websites – where exploit kits are used to deliver the malicious payload. This can be through accidentally visiting a site while browsing the Internet or via clicking on a link within a malicious email.

Targeting Corporate Systems

• Internet Exposed Remote Management – where remote management systems are compromised (often through weak passwords) and the ransomware is directly delivered on to corporate servers.

In terms of remote management compromise, the attacks appear to use the following approach:

1. Identify remotely exposed RDP with weak credentials.
2. Create further administrative level accounts on the server to maintain access.
3. Maintain access for a period of time (in one case, we dealt with, access was maintained for at least four weeks).
4. Drop ransomware.

It would appear that stages 1-3 is most likely a separate party to those dropping the ransomware. From what we have seen, it is likely that access to the compromised server is being sold once the entity responsible for the initial breach has gained everything they want from the server. My assumption is that the entity selling access, could easily be selling access to a number of malicious parties and if one happens to be focused on ransomware, then that is the impact on the end client.

When dropping the ransomware, more capable gangs are mapping a drive and running the malicious code remotely, while those at the lower end are most likely purchasing ransomware kits and often drop the executable directly on to the box.

Responding to a Ransomware Attack

A key action at an early stage of any incident is to stop the ransomware from continuing to encrypt files and causing further damage. As attacks can be focused towards end users as well as directly against corporate environments, steps should be taken to identify the type of attack. Identification of the type of attack is fundamental to understanding right approach for remediation to allow for the most effective infected asset identification and its removal from the network.

The following high-level approach is suitable for most ransomware attacks, while being agile enough to enable the incident analysts to address the ever changing nature of ransomware families.

• Identify patient zero and isolate from the network.
• Analysis of the ransomware family to identify clean up activity required and if files can be recovered directly.
• Identify route of compromise (email / web browsing / remote access).
• Block access to malicious sites / remote access solutions / remove infected emails to prevent further re-infection and or command and control.
• Identify the technology flaw exploited to gain initial compromise and remediate wider environment to protect from repeat infection.
• Identify key documents encrypted and conduct Internet search to confirm no external exfiltration of data.

Ransomware Mitigation

Again there are many online guides and resources that outline how to mitigate ransomware¹. However, this is in essence an arms race between the ransomware gangs and the current defences that can be deployed. As such, it is likely that new approaches that do not have current mitigation will be identified and exploited by the gangs. Therefore, incident planning and response should also play a significant part in your preparation.

Beyond maintaining effective backups that are protected from ransomware attacks and can be successfully restored in a timely manner, a number of further key mitigating activity can be deployed to reduce the likelihood of a successful attack:

• Reduce technology surface – remove any unnecessary software, technology stacks such as java, flash etc from the enterprise.
• Hardening of web browser – protect end users from opportunistic attack via malicious web sites by applying additional security controls within the browser.
• Patching – keep technology up to date, especially java, adobe, browsers and main operating systems.
• User awareness- work with your staff to raise awareness of phishing style emails, malicious documents and what actions to take if an infection occurs.

1. https://www.nomoreransom.org/prevention-advice.html
   https://community.sophos.com/kb/en-us/120797
   https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

7 Elements CEO appointed by the Aerospace, Defence and Marine (ADM)
Industry Leadership Group

David Stubley, CEO at 7 Elements, a key player in the Scottish information security industry, has been appointed as a new member of the Aerospace, Defence and Marine (ADM) Industry Leadership Group (ILG). The group has expanded its remit to cover Cyber Security as it represents both a significant market opportunity for companies in the sector but also Scotland has a considerable and growing capability in this area. David will bring his years of knowledge and expertise into the group to ensure that the revised 2015 strategy for Aerospace, Defence, Marine and Security (ADMS) fully incorporates this new growth opportunity for Scotland’s economy.

Scottish Enterprise facilitates ILGs, with the groups responsible for developing and delivering forward looking industry strategies. ILG members provide strategic leadership and advice to industry and the public sector in Scotland, drawing on their national and international expertise on global trends and issues and the niche areas where Scotland has global competitiveness. These groups comprise leading business figures drawn from across the private sector as well as senior representatives from the public sector including Scottish Enterprise, Scottish Government and key stakeholders.

The ADMS ILG currently has 18 members from key industrial and academic players in the sector including Vector Aerospace, Selex ES, Thales Optronics, Spirit Aerosystems, BAE Systems, Clyde Marine Group, University of Strathclyde, STUC, Scottish Engineering, Society of Maritime Industries, Inter-Tec Services ltd, British Airways Maintenance Glasgow, Castle Precision Engineering, Beal Group, MacTaggart Scott ltd. 

Mick OConnor, Chairman, of the ADM ILG said;

The need to transmit and store information securely is of paramount importance in today’s business world. There are many high profile examples where data was accessed illegally at both a business and national level. In recognition of the emerging prominence of cyber security we have invited David Stubley to join the Aerospace, Defence and Marine (ADM) Industry Leadership Group (ILG) to provide matter expertise in this area. This appointment will help increase the general awareness of cyber security to business within the ADM community moreover, identify market opportunities for Scottish business.

David Stubley, CEO at 7 Elements, said;

I’m excited to have been appointed to the Industry Leadership Group. The Scottish Aerospace, Defence and Marine sector play a vital role within the national economy and has increasingly become the focus of cyber attacks. Establishing a resilient approach to security will not only reduce the impact of these events, but make Scotland a safer place to do business.