Sophos Intercept X Ransomware



NOTE: Please visit our Healthcare Targeted Ransomware landing page for additional information and resources.

Kaspersky File Shredder detected as ransomware by Sophos Intercept X / Exploit Prevention. Kaspersky File Shredder overwrites files in place, which is the same pattern of bulk file modification that the anti-ransomware component watches for, so the action triggers a ransomware detection. Intercept X blocks the overwrite and restores the files, which is why Kaspersky reports that it has successfully deleted the requested files even though they are still present on disk.

ESG Lab Validation: Sophos Intercept X. In late 2017 ESG Labs comprehensively reviewed Sophos Intercept X, testing its effectiveness at stopping ransomware, blocking never-seen-before threats, and stopping the exploit techniques that attackers use to carry out their attacks.

The outbreak of COVID-19 has put cyberattacks on healthcare providers into hyperdrive. Factors contributing to such attacks include, but aren’t limited to:

  • Decentralized business operations
  • Emergency COVID-19 facilities set up without planned security of IT infrastructure
  • A significant rise in the amount of patient health data stored by healthcare organizations
  • Telehealth, and remote workers flung around the world almost overnight, opening up security gaps

Ryuk ransomware, in particular, has seen a resurgence recently. Sophos recently identified a new spam campaign linked to the Ryuk actors, and our Managed Threat Response team assisted an organization in mitigating a Ryuk attack, providing insight into how the Ryuk actors’ tools, techniques, and practices have evolved.

The investigation showed an evolution of the tools used to compromise targeted networks and deploy the ransomware. But what was more notable was how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller and were in the early stages of an attempt to deploy ransomware.

The evasion techniques of ransomware are rapidly changing. In recent years, ransomware attacks have trended away from brute-force, large-scale attacks to focused, planned, and manually executed attacks that are much harder to detect and block. Humans are handcrafting artisanal malware.

The criminals have hybridized their attacks: automated scanning finds victims with gaps in their defenses, and human operators then take over the intrusion by hand. Exposed servers with Remote Desktop Protocol (RDP) enabled, administrators without multi-factor authentication for remote access, unpatched web servers, or even these same issues at a trusted partner or service provider are enough to put your network, systems, and resources under ransom.

Here are the five things healthcare providers can do to protect against ransomware attacks:

  1. Maintain IT hygiene. Make sure you’re practicing basic IT hygiene, which includes installing all the latest patches, shutting down RDP entirely (or putting it behind a VPN that itself requires multi-factor authentication), and making regular back-ups and keeping them offline or offsite where attackers can’t reach them from the compromised network. It also includes applying multi-factor authentication to services hosting the most sensitive data in your organization. These are just some of the fundamental steps you can take to protect yourself and your network today.
  2. Educate your users. Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can. Educate them on phishing, which is one of the main delivery mechanisms for ransomware.
  3. Minimize the risk of lateral movement within your network. Segment LANs into smaller, isolated zones or VLANs that are secured and connected by the firewall. Be sure to apply suitable IPS policies to rules governing the traffic traversing these LAN segments in order to prevent exploits, worms, and bots from spreading between LAN segments. And if an infection hits, automatically isolate infected systems until they can be cleaned up.
  4. Use endpoint detection and response (EDR) tools with your endpoint protection. Targeted ransomware today isn’t just about stopping one piece of malware; it’s about stopping an active adversary and disrupting the attack chain that puts them in a position to run the malware. Ensure every endpoint is protected and up to date. A device not functioning correctly may not be protected and could be vulnerable to a ransomware attack. Use tools like EDR, which allow you to ask detailed questions so that you can hunt for active adversaries and identify advanced threats in your network. Once you do, EDR also helps you take appropriate actions quickly to stop such threats.
  5. Close the gap with human intervention. Computers, automation, and tools are amazing but human intellect, pattern recognition, and our ability to apply context provide an even more formidable defense. Managed detection and response (MDR) services are critical here. Pairing your internal IT and security teams with an external team of elite threat hunters and response experts helps provide actionable advice for addressing the root causes of recurring incidents.
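The RDP, patching and access-control checks in step 1 can be audited on each host before you change anything. The script below is an added example for this article, not code from Sophos or from any Sophos product; it assumes a standard Windows host with the built-in “Remote Desktop” firewall rule group and the default RDP-Tcp listener (adjust the registry paths if you use a custom listener). It reports whether RDP is enabled, whether Network Level Authentication is enforced, which inbound firewall rules expose port 3389 and on which profiles, who can log in over RDP, and when the last hotfix was installed. With -Harden it then closes RDP the way the article recommends.

```powershell
# Added example (not from the original article or any Sophos tool).
# Run in an elevated PowerShell 5.1+ session on the host you want to audit.
# Assumption: built-in "Remote Desktop" firewall rule group and default RDP-Tcp listener.
param([switch]$Harden)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all?  fDenyTSConnections = 0 means connections are allowed.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# 2. Is Network Level Authentication enforced?  UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication

# 3. Which enabled inbound firewall rules expose RDP, and on which profiles (Domain/Private/Public)?
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
           Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

# 4. Is anything actually listening on TCP 3389 right now?
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

# 5. Who can log in over RDP?  Members of this group, plus local Administrators.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue

# 6. When was the last hotfix installed?  A stale date is a patching gap, not proof of compromise.
$lastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    RdpEnabled    = ($denyTs -eq 0)
    NlaEnforced   = ($nla -eq 1)
    InboundRules  = ($fwRules | ForEach-Object { "$($_.Name) [$($_.Profile)]" }) -join ', '
    Listening3389 = [bool]$listener
    RdpUsers      = ($rdpUsers | ForEach-Object Name) -join ', '
    LastPatchDate = $lastPatch.InstalledOn
} | Format-List

if ($Harden) {
    # Close RDP as the article recommends: deny connections, keep NLA on for the day
    # someone re-enables the listener, and disable the inbound firewall rules.
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 1
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled and inbound rules closed; re-run without -Harden to verify.'
}
```

Run it first without -Harden and keep the output as a baseline; a host that reports RdpEnabled = True with a Public-profile inbound rule is the exposed-RDP case the article warns about, and one where RdpEnabled = True but NlaEnforced = False also accepts unauthenticated connections to the logon screen, which is worth fixing even when RDP has to stay on.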

Sophos Intercept X Advanced with EDR

Sophos Intercept X Advanced with EDR includes all the features you need to help protect your organization from ransomware attacks like Ryuk, Sodinokibi, Maze, and Ragnar Locker.

Intercept X includes anti-ransomware technology that detects malicious encryption processes and shuts them down before they can spread across your network. Anti-exploit technology stops the delivery and installation of ransomware, deep learning blocks ransomware before it can run, and CryptoGuard prevents the malicious encryption of files, rolling them back to their safe states.

Furthermore, Sophos EDR helps keep your threat hunting and IT operations hygiene running smoothly across your entire estate. Sophos EDR empowers your team to ask detailed questions to identify advanced threats, active adversaries, and potential IT vulnerabilities, and then quickly take appropriate action to stop them. It enables you to detect adversaries lurking in your network and waiting to deploy ransomware that may have gone unnoticed.

Sophos Managed Threat Response (MTR)

The Sophos MTR service adds human expertise to your layered security strategy. An elite team of threat hunters proactively looks for and validates potential threats on your behalf. If authorized, they take action to disrupt, contain, and neutralize threats, and provide actionable advice to address the root causes of recurring incidents.

Sophos Rapid Response

If your organization is under attack and needs immediate incident response assistance, Sophos can help.

Delivered by an expert team of incident responders, Sophos Rapid Response provides lightning-fast assistance with identification and neutralization of active threats against organizations. On-boarding starts within hours, and most customers are triaged within 48 hours. The service is available for both existing Sophos customers as well as non-Sophos customers.

The Sophos Rapid Response team of remote incident responders quickly takes action to triage, contain, and neutralize active threats. Adversaries are ejected from your estate to prevent further damage to your assets.

Related reading

US hard liquor giant Brown-Forman is the latest high-profile victim of ransomware criminals.

Even if the company’s name doesn’t ring a bell, some of its products are well-known to spirits drinkers world-wide: Brown-Forman owns Jack Daniel’s whiskey, Finlandia vodka and other global brands.

It’s a multi-billion dollar business, headquartered in Louisville, Kentucky – a US state that’s famous for American whiskey – and you can see why today’s big-money ransomware crooks might go after a company of that size and sort.

According to business media site Bloomberg, which claims to have received an anonymous tip-off from the crooks behind the attacks, the ransomware crooks involved are the infamous REvil or Sodinokibi gang.

The REvil crew make up one of what you might call a “new wave” of ransomware operators who practise three-stage attacks that end in double-barrelled blackmail:

  • First, they break into a victim’s network and scope it out. During this reconnaissance the crooks will typically work their way up to sysadmin level access, map out all the clients and servers on the network, search out where online backups are kept, locate or introduce powerful system administration tools they can use later to assist in the attack, and reconfigure (or turn off) system security settings to give them the broadest reach possible. Sometimes, they’ll even launch mini-attacks with trial samples of malware as a way to probe your defences and to find which attack techniques are most likely to succeed.
  • Second, they exfiltrate – which is a fancy word for steal – as much corporate data as they can get their hands on. In the Brown-Forman attack, in which the attackers claimed to have purloined 1 terabyte of data as part of the attack, Bloomberg says that it received links to a website where the crooks revealed “proof” of the data breach by listing sample files going back more than 10 years.
  • Third, they encrypt as many files on the network as possible, using a scrambling algorithm for which they alone have the key. The crooks typically copy the malware program across the network first, so that when they kick off the encryption process, it runs in parallel on all your devices, thus bringing maximum disruption in minimum time.

How these stages evolved

As you probably know, the first two stages above are fairly recent developments in ransomware criminality.

Back in 2013, when the infamous CryptoLocker gang were the kings of the ransomware scene, it was all about stage 3: scrambling files and then using the decryption key as a blackmail tool: “Send us $300 or your files are gone forever”.

The crooks generally didn’t target networks back then; instead, they went after millions of victims in parallel, with each infected computer ransomed independently.

The criminals “targeted” everyone – from home users who probably didn’t have backups of any sort and might be willing to spend $300 to get their wedding photos or the videos of their children back – to big companies where 100 users might fall for the latest ransomware spam campaign and the business would need to spend 100 × $300 to get the unique decryption key for each now-useless computer.

Stage 1 arrived on the ransomware scene when criminals realised that by going after entire networks one-at-a-time, they could cut their “losses” early in the case of a network that they didn’t have much success with, and focus on networks where they could cause disruption that was both sudden and total.

Instead of pursuing thousands of individual computer users for hundreds of dollars each, the crooks could blackmail a single company at a time for tens of thousands of dollars a time.

Indeed, the early adopters of the “all-at-once” ransomware approach often took the cynical approach of offering two prices: a per-PC decryption fee, and an “all you can eat” buffet price for a master key that would unscramble as many computers as you wanted – almost as if the crooks were doing you a favour.

The crooks behind the SamSam malware – two Iranians have been identified and formally charged by the US, but are unlikely ever to stand trial – even offered a staged payment “service” whereby you could pay half the ransom to receive half of the decryption keys (chosen randomly by the criminals).

If you were lucky, you might just end up with enough computers running again to save your business for just 50% of the usual price…

…but if not, you could pay the rest of the ransom, presumably now with considerable confidence that the crooks would deliver the decryption tools as promised.

You could even take a chance on paying the per-PC fee for your most critical computers – typically $8000 a time – to tide you over, and “top up” later, once you were “confident” in the criminals, to the master-key price, which was typically set by the SamSam crooks just below $50,000.

Whether they chose $50,000 at a guess, or because they found it represented a common accounting department limit in the US below which it was much easier for the IT manager to get the payment approved, we never found out.

Removal

As you can imagine, the exposure of the alleged perpetrators by US law enforcement pretty much drove the SamSam crooks out of business, albeit not before they had extorted millions of dollars from victims around the world, but ultimately didn’t make much of a dent in ransomware attacks in general.

Price inflation


Sadly, the SamSam gang’s fee of $50,000 a network turns out to be small by current standards.

A recent ransomware attack that took US GPS and fitness tracker giant Garmin offline for several days was apparently “resolved” when the company coughed up a multi-million dollar payment, supposedly negotiated downwards from $10,000,000.

That incident attracted controversy because the ransomware involved was alleged to have been the work of a Russian cybercrime outfit known as Evil Corp, and transactions with that group are prohibited by US sanctions imposed in December 2019.

And US travel company CWT is said to have coughed up $4,500,000 recently – again, down from an opening demand of an alleged $10 million for unscrambling what the crooks claimed were 30,000 ransomed computers.

If true, $10,000,000 for 30,000 devices comes out at $333 each, a fascinating full-circle back to the $300 price point of the 2013 CryptoLocker ransomware, which was itself an intriguing echo of the first ever ransomware attack, way back in 1989, where the criminal behind the malware demanded $378. (With no prepaid credit cards, online gift cards or cryptocurrencies to use as a vehicle for pseudoanonymous payments, this early attempt at ransomware, known as the AIDS Information Trojan, was a financial failure. Indeed, it wasn’t until the early 2010s that cyberextortion based on locking up computers or files worked out at all for the cyberunderworld.)

The biggest tactical change

But the biggest tactical change in ransomware is stage 2 above.

By perpetrating data breaches up front, before unleashing the file scrambling component – in Brown-Forman’s case, the breach allegedly includes 1 terabyte; in CWT’s attack, the criminals claimed that 2 terabytes were thieved up front – the crooks now have a double-barrelled weapon of criminal demand.

You’re no longer just being extorted to pay for the crooks to do something, namely to send you a set of decryption keys; you’re also being blackmailed into bribing the crooks not to do something, namely not to go public with your data.

Early ransomware had more in common with kidnapping, though with jobs at stake rather than the victim’s life: the theory was that if you paid up and the crooks released a working decryption tool, you not only got your data back but also quite clearly ended the power that the criminals had over you.

For the crooks to ransom your data again (sadly, this happens), they’d need to break into your network again and essentially start from scratch, assuming that you worked out how they got in before and closed the holes they used last time.

But today’s ransomware is turning into old-school, out-and-out blackmail: the crooks promise to delete the data they already stole, and thereby to “prevent” your ransomware incident turning into a publicly visible data breach, but you have no way of knowing whether they will keep their promise.

Worse still, you have no way of knowing whether the crooks can keep their promise, even if they intend to.

For all you know, the data they took illegally could already have been stolen from them – remember that many of the cybercrime busts written about on Naked Security, including ransomware arrests, happened because of cybersecurity blunders made by the perpetrators that allowed their evil secrets to be probed, uncovered and ultimately proved in a court of law.

Or the criminals themselves may have been victims of “insider crime”, where one of their own decided to go rogue – after all, we’ve also written about crooks getting busted not through operational blunders but through a falling-out among thieves, where one of the gang has ratted out the others or otherwise co-operated with the authorities to save themselves.

What does this new-look ransomware mean?

Technically, or at least from a regulatory point of view, all ransomware attacks are data breaches, even if all they do is scramble your files in place.

After all, if an outsider is able to modify files they weren’t supposed to access at all, that clearly amounts both to unauthorised access (a crime in most jurisdictions) and to unauthorised modification (a yet more serious crime) – and even though this makes you a victim of crime, it also means you’ve failed in at least some way at protecting information you were supposed to protect.

And ransomware crooks who steal your data before scrambling it are really in the pound seats when it comes to blackmail.

Even if you prevent the final stage of the attack, or if you have reliable backups so you don’t need the decryption keys, the crooks are going to squeeze you anyway, by threatening to make a bad thing much worse by deliberately releasing the stolen data.

The good news, in the case of the Brown-Forman attack, is that current reports suggest two important things:

  1. Brown-Forman prevented the file scrambling part (stage 3) of the attack. That’s great news, because it means that the company is unlikely to go offline like Garmin had to, which reduces the impact on the people that do business with the company, including suppliers, creditors, partners, distributors, retailers, and more.
  2. Brown-Forman has supposedly told the criminals to stick their blackmail demands where the sun doesn’t shine. Paying up simply encourages – indeed, it helps to fund – the next attack.

All we can say to that is, “Well done, and thanks for standing firm.”

Grubman Shire Meiselas & Sacks, a law firm that represents numerous high-profile celebrities, recently faced a demand similar to Brown-Forman’s, where the ransomware criminals menaced company founder Allen Grubman in broken English with threats to auction off celebrity data in the cyberunderworld:

We have so many value files, and the lucky ones who buy these data will be satisfied for a very long time. Show business is not concerts and love of fans only — also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery. […] Mr. Grubman, you have a chance to stop that, and you know what to do.

The company famously likened the blackmailers to terrorists and refused to pay up. (The threatened auctions haven’t yet happened – though no one knows whether that’s because the crooks felt they couldn’t trust their own or because the data stolen simply wasn’t up to what the crooks claimed.)

To reward companies that are willing to say, “We won’t pay,” and who help to break the feedback that keeps the ransomware cycle turning, we suggest that you repay them by making sure that if their data does get dumped by crooks…

…that you simply do not look at it.

No matter how useful it might seem; no matter what items that you feel are now both “in the public domain” and in the public interest; no matter how much you might argue that companies like Brown-Forman were themselves remiss in the first place for not protecting data that they ought to have; even if you’re “just interested”, please don’t look.

We urge you, “Just say no.”

Brown-Forman’s breach is now a matter of public record and we assume it will be carefully investigated by law enforcement and the relevant regulators, so let’s leave them to it.

As Sophos Cybersecurity Educator Sally Adam put it:

“There is no ‘end justifies the means’ discussion to be had here because this is nothing like the cases of whistleblowers like Edward Snowden or Chelsea Manning, where – no matter what you think of their ultimate actions – an insider identified something they perceived to be wrong. This is purely about extortion.”

What to do?


Clearly, prevention is way better than cure.


It’s important to have protection in place to stop stage 3 above (after all, not all ransomware attacks do follow this three-step process, and one-off scrambling attacks are still an ever present risk.)

We’ve got plenty of advice on how to do just that, including our popular report:

But the earlier you block or spot the crooks, the better for everyone, including yourself.


So we recommend you review the following handy resources too, to keep ransomware crooks out right from the very start:




