I received a call from John this week regarding a potential crypto infection on his network. John described some suspicious files found on his server with a name of help_file_3EF8ACE30F.html. All John had to say was the file started with “help”, and I knew we had a major problem. A variant of the cryptolocker ransomware was running live on his network as we spoke. John was very concerned and didn’t understand how his network could have been compromised, considering all the machines were up-to-date on patches, and his antivirus didn’t detect any infections. I discussed with John how patching closes vulnerabilities in software but doesn’t always protect you against phishing and social engineering attacks.
Acme Insurance was compromised by a phishing attack that sent an email to an employee at the company containing a malicious script disguised as a fax attachment. Take a look at the fax. I edited the actual hyperlink by adding a couple of characters so that anyone who curiously clicked it wouldn’t get infected.
From: eFax Report [mailto:firstname.lastname@example.org]
Sent: Thursday, March 03, 2016 7:47 AM
To: XXXXXXXXX, CIC, ACSR
Subject: eFax Id# 5652-754
INCOMING FAX REPORT
Date/Time: Wednesday, 03.02.2016
Connection time: 06:05
Remote ID: 751-748-177131
Line number: 1
Description: Internal only
Suspect, Inspect & Reject!
When dealing with suspicious emails, I recommend incorporating my Suspect, Inspect & Reject policy. You should suspect any email that comes from an unknown source or that is unexpected, and treat it as suspicious until proven otherwise. Make sure that you inspect the email message for signs it could be malicious. I recommend checking each hyperlink by hovering over it to make sure it is taking you where the link text says it is going. Inspect the sender's email address, and also look for misspellings or grammar errors, which are quite common in phishing attempts. Test the links and payload with virustotal.com. Cybercriminals might be smart enough to steal your Personally Identifiable Information and hijack your bank account, but spelling and grammar are a common problem for them, as English might not be their first language. Finally, if you find the email to be potentially malicious, don't open it. Reject it by sending it to the trash bin.
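The "Inspect" step above can be partly automated. The script below is an added example (not WatchPoint's code or anything from the original post) that applies three of the checks described to a raw email: does the display name claim a brand whose real sending domain differs from the address actually used, does any link's visible URL text point to a different host than its href (the "hover" check), and do the attachment names look like executables, archives, or double extensions. The sample message, the `KNOWN_BRANDS` table, and all domains in it are constructed placeholders for this example, not the addresses from the real lure.

```python
"""Flag common phishing indicators in a raw email (added example)."""
import os
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Sequence, Set, Tuple
from urllib.parse import urlparse

# Assumed table: brand keyword in the display name -> domains that brand is
# expected to send from. Maintain this from the vendors' published senders.
KNOWN_BRANDS: Dict[str, Set[str]] = {"efax": {"efax.com"}}

# Attachment types that are programs, and archives that may hide them
# (the lure in this incident delivered a .scr inside a zip).
RISKY_EXTENSIONS = {".scr", ".exe", ".js", ".vbs", ".bat", ".cmd", ".hta"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}

# Constructed sample modelled on the fax lure; every domain is a placeholder.
SAMPLE_EMAIL = """\
From: eFax Report <firstname.lastname@example.org>
To: employee@acme-insurance.example
Subject: eFax Id# 5652-754
Content-Type: text/html; charset=utf-8

<html><body>
<p>INCOMING FAX REPORT</p>
<p>Date/Time: Wednesday, 03.02.2016<br>Connection time: 06:05</p>
<p>Your fax is availible <a href="http://fax-download.example.net/view">here</a>.</p>
<p>Or open <a href="http://evil.example.net/r">https://www.efax.com/report</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", "") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.x.com/path' text is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def inspect_email(raw: str, attachments: Sequence[str] = ()) -> List[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings: List[str] = []

    # 1. Sender: brand named in the display name vs. the real address domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"sender: display name claims '{display}' but "
                            f"address domain is '{sender_domain}'")

    # 2. Links: visible URL text whose host differs from the href host.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        looks_like_url = "." in text and " " not in text
        shown = host_of(text) if looks_like_url else ""
        if shown and shown != host_of(href):
            findings.append(f"link: text shows '{shown}' but points to '{host_of(href)}'")

    # 3. Attachments: executables, archives, and double extensions.
    for name in attachments:
        stem, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment: '{name}' is an executable type ({ext})")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"attachment: '{name}' is an archive; inspect its contents")
        if os.path.splitext(stem)[1]:
            findings.append(f"attachment: '{name}' has a double extension")
    return findings


if __name__ == "__main__":
    for finding in inspect_email(SAMPLE_EMAIL, ["Fax_0001.pdf.zip"]):
        print(finding)
```

These are indicators, not verdicts: a clean email can still carry a malicious link, and the brand table only catches impersonation of brands you have listed. The value is in surfacing the same questions a careful reader would ask before anyone clicks.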
Not Following Best Practices Leads to Disaster
In the case of Acme Insurance, my email best practices were not followed, and that led to the immediate compromise of their network. An employee notified John of a suspicious email with a fax attachment. The employee was not sure whether it should be opened, so they forwarded it to John to inspect. This was the right thing to do, but what happened next absolutely was not. John decided to inspect the email to see if it was malicious. John clicked on the link and downloaded the zip attachment.
Here is the folder extracted from the zip.
Here is What Happened Next
Prior to launching the infection, ctfmon.exe and the very suspicious I3BjlbD10156.scr script were not running.
Upon execution crypto starts to encrypt your files as seen here in our test environment.
For every encrypted file, crypto places an .html or .png file with ransom information on the infected device. Here are the help files that first alerted John to suspicious activity when they started to appear on his desktop. As you can see, by the time John was aware that something was wrong, his data had already been encrypted.
Shortly after the help files appeared, this pop-up with the ransom was displayed. This is one of the help_file****.png files.
Next the virus opens the HTML to display the same information in the browser window.
After the machine has been restarted, a number of ransom alerts appear because they have been placed in the startup folder.
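The artifacts described in the last few paragraphs (help_file_*.html and .png notes appearing in many directories, and ransom alerts planted in the Startup folder) are exactly what a host-based check can look for before a user happens to notice them on the desktop. The script below is an added example, not code from the original post or from WatchPoint: it walks a directory tree, counts ransom notes matching the naming pattern seen in this incident, records the earliest note timestamp as a rough start-of-encryption marker, and lists program files sitting in a Startup folder. The demo tree it builds, and the file names in it, are constructed for the example.

```python
"""Scan a tree for ransomware note and Startup-folder artifacts (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Note naming seen in this incident: help_file_<hex>.html / .png
NOTE_PATTERN = re.compile(r"^help_file_?[0-9a-f]*\.(html|png)$", re.IGNORECASE)
# Program types that should not sit in a user's Startup folder.
STARTUP_EXEC_EXTENSIONS = {".scr", ".exe", ".bat", ".cmd", ".vbs", ".js", ".hta"}


@dataclass
class ScanReport:
    note_dirs: Set[str] = field(default_factory=set)   # dirs holding a note
    note_count: int = 0
    first_note_time: Optional[float] = None            # earliest note mtime
    startup_executables: List[str] = field(default_factory=list)

    def alert(self, min_dirs: int = 3) -> bool:
        """Notes spread over several directories, or a program in Startup."""
        return len(self.note_dirs) >= min_dirs or bool(self.startup_executables)


def scan_tree(root: str, startup_dir: Optional[str] = None) -> ScanReport:
    """Walk `root` for ransom notes and check `startup_dir` for executables."""
    report = ScanReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_PATTERN.match(name):
                path = os.path.join(dirpath, name)
                report.note_count += 1
                report.note_dirs.add(dirpath)
                mtime = os.path.getmtime(path)
                if report.first_note_time is None or mtime < report.first_note_time:
                    report.first_note_time = mtime
    if startup_dir and os.path.isdir(startup_dir):
        for name in sorted(os.listdir(startup_dir)):
            if os.path.splitext(name)[1].lower() in STARTUP_EXEC_EXTENSIONS:
                report.startup_executables.append(os.path.join(startup_dir, name))
    return report


def make_demo_tree(base: str, infected: bool) -> str:
    """Build a constructed user profile under `base`; returns its Startup dir."""
    startup = os.path.join(base, "Startup")
    for sub in ("Documents", os.path.join("Documents", "Clients"),
                "Pictures", "Downloads", "Startup"):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
    with open(os.path.join(base, "Downloads", "report.txt"), "w") as fh:
        fh.write("ordinary file\n")
    if infected:
        # Notes in three directories, plus a placeholder .scr in Startup
        # (an empty file; the name is constructed for the example).
        for sub in ("Documents", os.path.join("Documents", "Clients"), "Pictures"):
            for ext in ("html", "png"):
                note = os.path.join(base, sub, f"help_file_3EF8ACE30F.{ext}")
                with open(note, "w") as fh:
                    fh.write("ransom note placeholder\n")
        open(os.path.join(startup, "example_dropper.scr"), "w").close()
    return startup


def run_demo(infected: bool = True) -> ScanReport:
    """Scan a fresh temporary demo tree and return the report."""
    base = tempfile.mkdtemp(prefix="ransom_scan_demo_")
    return scan_tree(base, make_demo_tree(base, infected))


if __name__ == "__main__":
    # Real use: scan the user's profile and the per-user Startup folder.
    startup_default = os.path.join(os.environ.get("APPDATA", ""), "Microsoft",
                                   "Windows", "Start Menu", "Programs", "Startup")
    report = run_demo()
    print(f"notes: {report.note_count} in {len(report.note_dirs)} dirs; "
          f"startup programs: {report.startup_executables}; alert={report.alert()}")
    print(f"(on Windows, pass {startup_default!r} as startup_dir)")
```

The `min_dirs` threshold is what separates one stray note from an encryption run in progress; tune it to the environment, and treat any hit as a reason to isolate the host first and investigate second, since by the time notes exist the files around them are already encrypted.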
“I need Carbon Black now!”
As the infection unfolded quickly, John realized how advanced endpoint protection could have helped him identify and isolate this ransom attack as it was occurring. With Carbon Black installed, the forensic experts at WatchPoint would have been alerted to the suspicious activity as soon as the malicious link was clicked and the payload launched. We would have examined the threat as it was unfolding and would have immediately isolated John's workstation to keep the infection from spreading through network shares and eventually reaching his server. John spent the last few days reimaging his workstation and the network server. He also got to spend some time restoring their agency management system. I was happy to hear John tell me "I need Carbon Black now!" However, these are not the circumstances we want you to be in when you decide your AV, firewall and backups are no match for the next generation of cybercriminals.
With WatchPoint's Security Solution you will: