Ransomware Lessons


Ransomware is malicious software that attacks a computer, or your entire network, to force you to pay a fee (the ransom) to regain access to your systems. If the fee is not paid within a set timeframe, the criminals who now control your systems threaten to wipe the data. With those systems unavailable, most businesses face a decision: pay the ransom and get back to business, or refuse to pay and risk losing customer data for good.

Like any other virus or malware, ransomware is usually downloaded from the internet, most often by clicking a suspicious link in an email or on a website, or by opening a malicious email attachment.



Ransomware: WannaCry Malware Review


The WannaCry ransomware was first noticed on May 12, 2017, and it spread very quickly through many large organizations, infecting systems worldwide. Unlike most ransomware, this sample spread on its own as a worm, using the SMBv1 “ETERNALBLUE” exploit. “ETERNALBLUE” became public about a month earlier, when it was published as part of the Shadow Brokers archive of NSA hacking tools.

Prior to the release of the hacking tool, Microsoft had already patched the vulnerability as part of the March 2017 Patch Tuesday release (MS17-010), but only for supported versions of Windows. In response to the rapid spread of WannaCry, Microsoft took the unusual step of releasing the MS17-010 fix for unsupported versions as well, going back to include the still popular Windows XP and Windows Server 2003.

One way to detect the spread of the malware was the significant increase in traffic to TCP port 445 (SMB), caused by infected systems scanning for more victims. It is still not clear how the infection started. There are some reports of e-mails that carried the malware as an attachment, but at this point no actual samples have been made public, and the WannaCry malware itself has no e-mail component. It is also possible that the worm entered corporate networks through vulnerable hosts that had port 445 exposed to the internet.

At startup, the malware first checked whether it could reach a specific website, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. This was a simple “kill switch”: if the site was reachable, the malware stopped. It can no longer be assumed that newer versions still behave this way, and a host that cannot resolve or reach the domain (for example, one with no direct outbound DNS) gets no protection from it.
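The two network indicators described above, a host suddenly contacting many neighbours on TCP/445 and a DNS lookup for the original kill-switch domain, can be checked from ordinary flow and DNS logs. The following is an added example written for this page; it is not code from the original post. The log format, the hosts and the “20 distinct targets in 60 seconds” threshold are constructed for illustration, and the parser would be adapted to a real firewall or NetFlow export.

```python
"""Two network indicators of a WannaCry-style outbreak: an internal host
suddenly contacting many other hosts on TCP/445, and a DNS lookup for the
original kill-switch domain.

Added example, not code from the original post. Log format, hosts and the
"20 distinct targets in 60 seconds" threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def parse_record(line: str) -> dict:
    """'2017-05-12T10:00:01 src=... dst=... dport=445 proto=tcp' -> dict."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def smb_scanners(flow_lines, window=timedelta(seconds=60), min_targets=20) -> dict:
    """Return {src: max distinct TCP/445 targets seen inside any `window`}
    for sources that reached `min_targets`. A workstation talking to one or
    two file servers never gets close; a worm sweeping a /24 does in seconds."""
    per_src = defaultdict(list)                       # src -> [(ts, dst), ...]
    for line in flow_lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("dport") == "445" and rec.get("proto") == "tcp":
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):               # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def kill_switch_lookups(dns_lines) -> set:
    """Clients that resolved the kill-switch domain. A lookup means the
    sample ran on that host; whether it then halted depends on whether the
    name resolved and the site was reachable from that network segment."""
    hits = set()
    for line in dns_lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("query", "").rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            hits.add(rec["src"])
    return hits


def constructed_flow_log() -> list:
    """Constructed sample: two normal clients of a file server (10.0.5.5)
    and one infected host sweeping the neighbouring /24 once per second."""
    lines = [
        "2017-05-12T09:59:50 src=10.0.1.20 dst=10.0.5.5 dport=445 proto=tcp",
        "2017-05-12T10:00:10 src=10.0.1.20 dst=10.0.5.5 dport=445 proto=tcp",
        "2017-05-12T10:00:30 src=10.0.1.21 dst=10.0.5.5 dport=445 proto=tcp",
        "2017-05-12T10:00:31 src=10.0.1.21 dst=10.0.5.6 dport=443 proto=tcp",
    ]
    for i in range(1, 41):
        lines.append(f"2017-05-12T10:01:{i:02d} src=10.0.1.15 dst=10.0.2.{i} dport=445 proto=tcp")
    return lines


# Constructed DNS resolver log in the same key=value layout.
CONSTRUCTED_DNS_LOG = [
    "2017-05-12T10:00:55 src=10.0.1.15 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. qtype=A",
    "2017-05-12T10:00:57 src=10.0.1.20 query=www.microsoft.com. qtype=A",
]

if __name__ == "__main__":
    print("SMB scanners:", smb_scanners(constructed_flow_log()))
    print("kill-switch lookups:", kill_switch_lookups(CONSTRUCTED_DNS_LOG))
```

The scanner check keys on distinct destinations rather than raw connection counts, because a busy client of one file server produces many port 445 connections but only one target. A kill-switch lookup is worth alerting on by itself: it tells you the sample executed on that host even if the domain resolved and the payload never ran.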

Eventually, the malware generated an encryption key and encrypted the user files on the infected PC so that the user could no longer open them. The idea is to force the user to pay a fee to recover the files they can no longer access.

Encrypted files get the extension .wncry. To decrypt the files, the user is asked to pay $300 in Bitcoin, a demand that doubled to $600 after three days. The ransomware threatened to delete all user files after a week.

In addition to encrypting files, the malware installed the “DOUBLEPULSAR” back door, which could be used to compromise the system further. The malware also installs a Tor client to communicate with the ransomware operators.

New variants have already been reported with slight changes to the kill-switch domain and other settings. A decryption tool has also recovered files on some systems (it depends on key material still being in memory, so it only helps on a machine that has not been rebooted), but prevention is always better than searching for recovery options.

If your version of Windows was supported and you had installed all available patches from Microsoft, your system would not have been infected through the SMB exploit. Microsoft also announced that the new “Windows 10 S” would help prevent ransomware infection, as it only runs software from the Microsoft Store.

What Security Threat Are You Overlooking?


A recent European IDC survey of more than 400 organizations found that many companies fail to address one of the main causes of data exposure: insider threats. The report shows that most security incidents are caused by users unintentionally misusing credentials, such as using outdated credentials to access secure systems. The problem is that only 12 percent of the companies surveyed considered insider threats “highly concerning”; common threats like viruses, phishing and ransomware were listed as bigger threats requiring more attention.

This gap in security thinking can lead organizations to misunderstand users and miss opportunities to detect intentional user breaches.

Businesses need to shift their security focus away from the actions that must happen after a breach, like dealing with the aftermath of ransomware or removing a new virus, and toward the true source of the problem, which is mostly user behavior. Education can go a long way to reduce the activity that leads to dangerous behavior and the events that lead to unintentional misuse of user credentials. This should reduce threats from multiple sources and let your security team focus on the users who need additional attention, as well as those who have attempted intentional misuse of credentials.

It is really an effort to stop reacting to attacks caused by uneducated users doing silly things, and to be proactive about the threats that you can control.


How to disable macros in Microsoft Office


Not everyone has the technical expertise to understand why macros are dangerous, or how to disable them. Macros are a really powerful feature in Microsoft Office, allowing you to do many difficult things with the click of a button, such as formatting a spreadsheet or inserting a standard block of text in Word documents. The problem is that malicious code, like a macro virus, can run automatically as a standard macro when the user opens a document from an untrusted source.

The creators of these malicious documents try to keep users from catching on by disguising the document, usually sent as an email attachment, as something routine. Active campaigns are infecting user computers right now, with examples like PowerSniff, and macro malware in one form or another has been around for many years.

Three things will prevent the large majority of infections:

  • Disable macros in Microsoft Office. This is fairly easy for even non-technical users to accomplish.
  • Never open an attachment from an untrusted source, and do not click “Enable Content” on a document that asks for it unless you know why it needs macros.
  • Run anti-virus and anti-malware software on your computer.

Disabling Macros in Microsoft Office

  1. Click File > Options.
  2. Click Trust Center, and then click Trust Center Settings.
  3. In the Trust Center, click Macro Settings, choose “Disable all macros with notification” (the default) or, better, “Disable all macros except digitally signed macros”, and click OK.

Microsoft Office Trust Center - SeniorDBA

Enterprise Efforts

As a technical person, there are several things you can do at your company to help prevent a successful malware attack.

  • Security Training – Create a policy that outlines user responsibilities for cybersecurity: being aware of potential cyber threats, not opening attachments from untrusted sources, selecting strong passwords, and so on. This includes the risks of opening macro-enabled Office documents.
  • Anti-Malware and Anti-Virus – While software will never be 100% effective in detecting and blocking infections, it is more effective than nothing.
  • Anti-Spam – Build rules in your spam tool to automatically restrict email attachments with a .zip extension, and treat macro-enabled Office extensions (.docm, .xlsm, .pptm) the same way.
  • Default Microsoft Office Security – Enforce the macro setting on all Microsoft Office applications through Group Policy rather than relying on each user. At minimum keep the default “Disable all macros with notification” (the setting older Office versions called “High”), and prefer “Disable all macros except digitally signed macros” where signing is feasible.
  • PowerShell – Publish a Group Policy Object that restricts PowerShell for most users (for example, with AppLocker or Constrained Language Mode) and turns on script block logging so that whatever does run is recorded. Allow unrestricted PowerShell for specific power users on a case-by-case basis.
  • Monitor Activity – Look for unexpected connections from internal computers to other internal hosts, and keep an eye on unusual network activity such as a spike in SMB (port 445) traffic.
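The anti-spam rule above blocks by extension, but an attacker can rename a macro-carrying file so the extension looks harmless. Modern Office files (.docm, .xlsm, .pptm and their .docx/.xlsx/.pptx siblings) are ZIP containers, and a VBA project inside one lives in a part named vbaProject.bin while the [Content_Types].xml part declares the macro-enabled content type. The following gateway check is an added example written for this page, not code from the original post or from any mail product; the sample documents are constructed in memory and contain no real macro code, and the verdict strings are this example's own.

```python
"""Flag Office attachments that carry VBA macros before they reach a mailbox.

Added example, not the post's code. The sample documents are constructed
in memory with a placeholder vbaProject.bin; they are not real malware.
"""
import io
import zipfile

MACRO_ENABLED_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
OOXML_EXT = {"docx", "xlsx", "pptx", "dotx", "xltx"}
LEGACY_OLE_EXT = {"doc", "xls", "ppt"}
MACRO_CONTENT_TYPE = "macroEnabled"   # e.g. application/vnd.ms-word.document.macroEnabled.main+xml


def has_vba_macros(data: bytes) -> bool:
    """True if `data` is an OOXML (ZIP) package that contains a VBA project.
    Raises ValueError for non-ZIP input: legacy .doc/.xls are OLE2 files and
    need a different parser (olefile / oletools), not this one."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (ZIP) package") from exc
    with zf:
        names = zf.namelist()
        # Indicator 1: a VBA project part anywhere in the package
        # (word/vbaProject.bin, xl/vbaProject.bin, ppt/vbaProject.bin).
        if any(n.rsplit("/", 1)[-1] == "vbaProject.bin" for n in names):
            return True
        # Indicator 2: the content-types part declares a macro-enabled main
        # document, which catches a .docm that was simply renamed to .docx.
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in ctypes:
                return True
    return False


def attachment_verdict(filename: str, data: bytes) -> str:
    """Decide what a mail gateway should do with one attachment."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in MACRO_ENABLED_EXT:
        return "block: macro-enabled extension"
    if ext in OOXML_EXT:
        try:
            if has_vba_macros(data):
                return "block: VBA project inside a non-macro extension"
        except ValueError:
            return "quarantine: extension says OOXML but file is not a ZIP"
        return "allow"
    if ext in LEGACY_OLE_EXT:
        return "quarantine: legacy OLE format, needs olefile/oletools scan"
    return "allow"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for testing (not a real Word file)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_docx(True)), ("report.docx", build_docx(False)),
                       ("macro.xlsm", b""), ("old.doc", b""), ("odd.docx", b"not a zip")]:
        print(name, "->", attachment_verdict(name, blob))
```

The two indicators are deliberately redundant: the part name catches the common case, and the content type catches a package whose VBA part was renamed. A legacy .doc or .xls needs an OLE2 parser rather than a ZIP check, which is why the example quarantines those instead of guessing.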


5 Steps to Prevent Ransomware


In recent years a new term has entered the vocabulary of cybersecurity experts: ransomware. Wikipedia says: “Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to restore it.” This basically means a computer system is attacked, the user files are encrypted, and the user must pay a fee to regain access to their critical files. While hackers have made minor attempts at this type of malware for a long time, the best known example is “CryptoLocker”, released in late 2013.

Most ransomware attacks used to be opportunistic and aimed at individual computers, but recently the threat landscape has shifted toward entire organizations. The ransom demands have also moved from the equivalent of a few hundred dollars for an individual to millions of dollars for an organization.

The impact of a successful ransomware attack is more extensive than the cost of the ransom. Your organization can suffer lost productivity, inconvenience to your customers, decreased sales, and even the permanent loss of essential data.

Tips on preventing this type of infection in your organization:

  1. Planning – Aggressively patch all systems to close known vulnerabilities. All endpoints should also be protected with anti-malware and anti-virus software that automatically detects and responds to infection attempts. This should also include user training to help users understand how infections happen, what they can do to minimize the risk, and who to contact if they have concerns or questions. All user files should be backed up to another location that the malware cannot reach (offline, or under credentials the workstation does not hold), and restores should be tested. You want to minimize data loss in the event of a successful attack.
  2. Active Detection – You can minimize the damage from an attack if you are monitoring your enterprise systems and are alerted to the attack as quickly as possible. Threat intelligence software should be used to block suspicious software and alert you to a possible attack. This includes screening email attachments and embedded links, blocking access to known malware sites, and rules that watch the folders malware commonly writes to on endpoints, to help spot infections before the files are encrypted.
  3. Isolation – Even if malware slips through your defenses and an infection occurs on one device, you need procedures in place to isolate the infected system and limit the exposure of the remaining endpoints. To keep additional files on the network from being encrypted, the infected device must be disconnected from the network (pull the cable or disable the adapter rather than powering it off, so that memory is still available for forensics and possible key recovery).
  4. Counterattack – Once the incident has been contained, eradicate it. Replace infected devices or format the compromised hard drives and reinstall. If the previous steps were effective, you can recover user files from your backups and nothing on the device is lost. Formatting the drives makes sure the infection is removed, with no residual or hidden files to worry about. A network-wide infection is much harder to contain, and cleanup will take far longer. A good relationship with your anti-malware vendor is essential so that they help you with any infection, even one they have not seen before.
  5. Resolution – The best way to recover from an attack is having backups of all your important files. Once user systems have been cleaned and files have been restored, the last step is reviewing what went well and what still needs work. Was the infection caused by a user bypassing a security control? Was your anti-malware software ineffective? Are there changes to your procedures or training that would have made your response faster or more effective?
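The “Active Detection” step relies on spotting encryption in progress rather than after the fact. Two cheap filesystem signals work well for that: files picking up a known ransom extension (such as the .wncry extension from the WannaCry review earlier on this page), and files of a normally low-entropy type whose bytes suddenly look random, plus a planted canary document whose hash must never change. The code below is an added example written for this page, not from the original post; the directory tree, the random-byte “encrypted” files and the threshold values are all constructed for illustration.

```python
"""Filesystem signals of ransomware activity: known ransom extensions,
unexpected high entropy in text-like files, and a canary that changed.

Added example, not from the original post. Files are constructed in a
temporary directory; the "encrypted" ones are just random bytes.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

RANSOM_EXTENSIONS = {".wncry", ".wcry", ".wnry"}       # WannaCry family
# Only judge entropy on types that are normally far from random. Compressed
# formats (.docx/.xlsx are ZIPs, .jpg, .pdf, .zip) sit near 8 bits/byte when
# healthy and would be false positives.
TEXT_LIKE = {".txt", ".csv", ".log", ".sql", ".ini", ".xml", ".html"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, entropy_threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Map suspicious file path -> reason. Reads at most 64 KiB per file."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                findings[path] = "ransom extension"
                continue
            if ext not in TEXT_LIKE:
                continue
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if len(head) >= min_size:
                h = shannon_entropy(head)
                if h > entropy_threshold:
                    findings[path] = f"high entropy ({h:.2f} bits/byte)"
    return findings


def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def canary_intact(path: str, expected_digest: str) -> bool:
    """A canary is a decoy document planted where ransomware will find it.
    Any change to it, or its removal, is a reason to isolate the host now."""
    return os.path.exists(path) and sha256_file(path) == expected_digest


def demo() -> dict:
    """Build a constructed share and return {basename: reason} plus the
    canary state before and after a simulated encryption."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            p = os.path.join(root, name)
            with open(p, "wb") as fh:
                fh.write(data)
            return p
        put("readme.txt", b"Quarterly revenue notes, draft 3.\n" * 200)   # healthy text
        put("notes.txt", os.urandom(4096))             # encrypted in place, name kept
        put("budget.xls.wncry", os.urandom(4096))      # WannaCry-style rename
        put("photo.jpg", os.urandom(4096))             # high entropy is normal here
        canary = put("_canary_do_not_open.txt", b"canary v1\n" * 200)
        digest = sha256_file(canary)
        before = canary_intact(canary, digest)
        put("_canary_do_not_open.txt", os.urandom(2048))   # simulate encryption
        after = canary_intact(canary, digest)
        result = {os.path.basename(p): r for p, r in scan_tree(root).items()}
        result["canary_before"] = before
        result["canary_after"] = after
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The entropy check is a heuristic, so it is restricted to file types that should never look random; the extension check and the canary are exact. In practice the canary is what you page on, because the first write to it means encryption is under way on that host and the isolation step above should start immediately.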

Never be satisfied with “good enough” security, and look for ways to improve your response times, better educate your users, and provide a safer overall environment for your business. Your level of success against a ransomware attack is largely dependent on you and how seriously you prepare for the possibility of a malware attack.


New Malware Copied To Your Network Daily


Security researchers at Check Point analyzed more than 30,000 security incidents discovered by the company’s ThreatCloud prevention software, which is installed at more than 1,000 companies worldwide. Check Point found that employees in most business sectors are downloading potentially harmful files to their company networks at an alarming rate.

Check Point says in its new study that downloads of new malicious files have increased nine times over:

  • Unknown malware continues its exponential and evolutionary growth. Researchers found a ninefold increase in the amount of unknown malware plaguing businesses, fueled by employees who downloaded new, unknown malware every four seconds. In total, nearly 12 million new malware variants were discovered every month, with more new malware discovered in the past two years than in the previous decade.
  • Security is lagging behind the speedy, on-the-go mobile device. With smartphones and tablets accounting for 60 percent of digital media time, businesses’ mobile devices are both a productivity blessing and an access curse. While employees do not want to be the cause of a company network breach, 1 in 5 will cause one through either mobile malware or malicious Wi-Fi.
  • Endpoints represent the starting points for most threats. Among the businesses surveyed, endpoints were the most common cause of breaches and the most critical component in cyber defenses, with attackers leveraging email in 75 percent of cases. Also, 39 percent of endpoint attacks bypassed the network gateway firewalls, and routine operations uncovered 85 percent of threats after they had already gotten inside the enterprise.

A full copy of the report is available here.

Cybersecurity Hit List


When looking at the most common ways a hacker launches a successful attack against corporate networks, application security isn’t anywhere near the top. Praetorian researchers, looking at successful attacks, point to the top five activities in the “cyber hit list”:

  1. Weak domain user passwords – Weak passwords were successful 66% of the time
  2. Broadcast name resolution poisoning (like WPAD) – Successful 64% of the time
  3. Local administrator password attacks (pass-the-hash attacks) – Successful 61% of the time
  4. Attacks on cleartext passwords in memory – Successful 59% of the time
  5. Insufficient network segmentation – Successful 52% of the time

The first four on this list are credential attacks: an initial foothold, often gained by phishing or social engineering, is turned into stolen, cracked or replayed credentials that are then reused across the network. Since your efforts to educate users will never be 100% effective, you should accept that these attacks will eventually succeed and focus on limiting the damage: network segmentation, reducing the attack surface (for example, unique local administrator passwords and disabling broadcast name resolution where it is not needed), and automated alerts from available tools to detect unusual user activity.

You can read more on their research here.