Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its recent Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/securedc, or connect with Juniper on Twitter or Facebook. That's juniper.net/securedc. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:00:56] Thanks to our sponsor, Enveil, whose revolutionary ZeroReveal solution protects data while it's being used or processed – the 'holy grail' of data encryption. Enveil delivers privacy-preserving capabilities to enable critical business functions. Organizations can securely derive insights, crossmatch, and search third-party data assets without ever revealing the contents of the interaction or compromising the ownership of the underlying data. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Alex Tilley: [00:01:34] So, talking initially about the people using the Maze ransomware, which we called GOLD VILLAGE, it then sort of pivoted on through to other groups like the people using DoppelPaymer and REvil and Nemty, et cetera – but the various different smaller, you would say, ransomware families.
Dave Bittner: [00:01:49] That's Alex Tilley. He's a senior security researcher at Secureworks. The research we're discussing today is titled, "Ransomware Name-and-Shame Game."
Alex Tilley: [00:02:01] They sort of saw an opportunity, we believe, to say, well, listen, yes, we've got your business, we've got you either fully encrypted or half-encrypted, but also here's your data that we have. And if you don't pay the money now, we're going to either leak the data or we're going to tell regulators, et cetera. So sort of added a bit of extra pressure onto the victims to pay up.
Dave Bittner: [00:02:21] And what can you tell us about the Maze ransomware itself?
Alex Tilley: [00:02:25] It's relatively new, sort of coming around late last year, in around December last year. It seems to spread via – either via email or there's some sort of exploitation as well going on. Apart from that sort of things, technically, it's a pretty straightforward ransomware. It does what it does. It uses maths as a weapon, basically. But the way that they're saying, listen, we're going to name-and-shame you and dump your data if you don't pay up – that's sort of much more of a personal attack on the victims.
Dave Bittner: [00:02:57] Well, before we dig into some of those techniques, let's explore some of the technical things that are going on behind the scenes here. Do you have any sense for how people are finding themselves infected?
Alex Tilley: [00:03:10] Yeah, it does appear to be email, like, phishing-based, but also via some sort of web exploitation sometimes, either via exploit kits or various web-based attacks that way. So it's more of a browser- and email-based attack.
Dave Bittner: [00:03:26] And what's going on in terms of their command-and-control servers and their infrastructure behind the scenes?
Alex Tilley: [00:03:33] A lot of it is hosted out of – some of it was via Cloudflare, some of it's out of Russia. There's a lot of the name-and-shaming bits are done out of Onion sites – so, through Tor, that sort of thing.
Dave Bittner: [00:03:46] And what is your sense for who is running these operations?
Alex Tilley: [00:03:51] Well, they definitely speak fluent Russian and they hang out on some Russian forums, Russian-language forums. So, they either speak very, very good Russian for a Westerner, or they are Eastern European or Russian.
Dave Bittner: [00:04:03] Well, let's go through – there's several that you're tracking here. You've got GOLD VILLAGE, GOLD HERON, GOLD SOUTHFIELD, and GOLD MANSARD – and these are using different types of ransomware?
Alex Tilley: [00:04:13] Yeah, they're using different families of ransomware and different attack styles. Like, GOLD SOUTHFIELD's one of the ones that people would be most familiar with – that's the REvil group, or the group that uses REvil – they seem to use RDP to access boxes. And it's always kind of amazing to me that we're – what, we're in May 2020, and there's still open RDP on the Internet with single-factor. And these attacks still work pretty easily. I mean, if you think back, what, three, four years now, to the xDedic leak where, you know, that forum that had a bunch of RDP boxes listed that you could buy access to – that leaked, and those are still useful. Those are still being used these days. People haven't changed passwords in three or four years, haven't put a firewall in front of their RDP, or some sort of second-factor in front of their RDP. So, a lot of these groups just sail straight in.
Alex Tilley: [00:05:02] And once they get in, they find – you know, it's not to victim shame at all – but relatively flat networks, no real segmentation, not a lot of controls internally, so they're able to sort of go nuts. Obviously, that's at victims that we see fully victimized, you know what I mean? Like, fully encrypted right to the end. We can't really say how many they get in and have a look at and say, oh, we can't fully victimize this network, and then just leave. Definitely when they get in, there's pretty standard lack of security controls, which is, in 2020, it's a bit of a shame, really.
Dave Bittner: [00:05:36] And then the other ones – one of them is using DoppelPaymer and one of them is using Nemty.
Alex Tilley: [00:05:42] Yeah. These families sort of all spring up and they all have their own approaches. A lot of times they do use OT pay. A lot of times I'll use spearphishing. These old types of sources of attack still work these days. And, you know, I sort of always say that criminals don't stop doing something unless it stops working. So, as they keep using these methods of ingress, it means that they're still working, right? And they're still getting enough victims and enough successful infections to keep it going forward, to keep it lucrative.
Dave Bittner: [00:06:12] And who do they seem to be focused on, both geographically, but then also in terms of the types of businesses they're after?
Alex Tilley: [00:06:19] Yeah, really, it's – so, it's an interesting one. So, these groups we're talking about here are really a mixed bag. Most of their targeting does seem to be in North America. That could just be because that's most of the targeting that we're seeing, if you know what I mean. But it does seem to be mostly in North America. The verticals they're targeting are across the board. Now, that's the particularly bad part of it, because with things like Ryuk and some of the earlier, you know, large-scale ransomware attacks, we could see that they would surgically pick their targets based on who would do the most damage and who would be the most likely to pay up. These guys seem to be just sort of going for whoever they can get into, mostly sort of medium-to-large businesses, but it's really there's no one vertical that's being victimized more than another. It's pretty much open season.
Dave Bittner: [00:07:08] And what are you able to see – what sort of insights do you have in terms of their success?
Alex Tilley: [00:07:13] Well, so, that's very interesting, right? So, people sort of throw around numbers like ten percent or fifteen percent of businesses pay up, that sort of thing. Obviously, our advice is don't pay up. It's not worth paying up. But the ex-law-enforcement person in me says, well, if they weren't being successful, they wouldn't still be doing it. And the fact they're doing it more and more does speak to a certain level of growing success, if you know what I mean, from a criminal point of view. So, I guess all we can really say is that if ransomware wasn't working, you wouldn't still see ransomware. But we do see a lot more ransomware, which speaks to itself, really.
Dave Bittner: [00:07:50] Do you have any sense from the data that they're posting – you know, a big part of this is the threat to post the data that they're able to exfiltrate – do you have any sense for how many victims they've been able to hit?
Alex Tilley: [00:08:02] Yeah, so, sort of – if we pick the Maze group, it looks like around the sort of ninety-five to a hundred level of businesses that they've processed so far, which we would see as relatively significant. Across, you know, across all verticals across the world, if you think about it from a criminal point of view, that's a decent success rate if you get ten, fifteen percent of those to actually pay up. The other groups, you know, it's smaller numbers – you know, thirty, forty, fifty sort of things, so probably a few hundred to a thousand worldwide, maybe – probably more likely to be a few hundred.
Dave Bittner: [00:08:36] And they seem to be – how do I say this – you know, it's a common thing when we see Russian-speaking organizations, it seems as though they will avoid hitting their fellow countrymen. It'll be very noticeable that they don't seem to be hitting that part of the world. Is that something that you're tracking with this group?
Alex Tilley: [00:08:58] We haven't seen any hitting of Russian targets, or any Eastern European targets, for that matter. It is skewed towards the continental United States, but again, that could just be what we're seeing, and what they're publishing. They might hit some Eastern European or Russian targets but just not publicize it – who knows? But, yeah, we don't see any of that. It does seem to be definitely that point of view of you don't – you know, if you're inside Russia, the last thing you do is hack Russia, right?
Dave Bittner: [00:09:24] Right. Right. And in terms of staying up and running, these organizations, they're using bulletproof servers. Is that pretty much the name of the game?
Alex Tilley: [00:09:34] Yeah, bulletproof servers or semi-bulletproof servers. In the case of some of the earlier stuff we saw, there were – one of the victims launched a legal process against their hoster in Ireland and got their data taken down. So then they sort of named-and-shamed them a bit more brutally via Cloudflare in the States. Yeah, so that was the Maze Group with Southwire. So that was an interesting sort of reaction. And I suppose we see that a bit across different verticals, where a victim's sort of first approach is to launch due process, which is not a bad thing, it's just oftentimes that can antagonize the criminals, as we saw here.
Dave Bittner: [00:10:13] And then the criminals are following through on their threats to start publishing the data, yes?
Alex Tilley: [00:10:19] Definitely. So, that's a really good point, and I think that really sort of does bear in understanding that, in a really weird way, ransomware is based on trust, as in you're going to trust your attacker that he'll either give you the keys or, you know, in some way give you the means to decrypt yourself if you pay up. And it's the same thing with this stuff. You have to trust your attacker that if you pay up, he's not going to dump all of the data he has, or more of the data he has, or any of the data he has. Because the second that you break that trust model – which is in inverted commas, because obviously it's a perverted trust model...
Dave Bittner: [00:10:56] Right.
Alex Tilley: [00:10:56] ...But the second that you, as the attacker, break that trust model, that word's gonna get out, right? And everyone's going to know, well, if you get an email from the Maze team or the REvil team saying, we've got you, pay up or we'll dump your data – if word gets out that they'll dump your data anyway, no one's going to pay. You know what I mean?
Dave Bittner: [00:11:13] Yeah.
Alex Tilley: [00:11:13] Because that trust is completely broken. It's a really perverted trust model that sort of says that we will do what we say we'll do if you pay us. It's a really strange place to be, as a victim in one of these things. Because, I mean, if you think about it, if you're not getting asked for, like, six million dollars, if you're getting asked for ten thousand dollars, let's say, for instance, to actually say, no, we're just gonna rebuild, that could cost you significantly more than ten thousand dollars to rebuild.
Alex Tilley: [00:11:41] But the reverse is also true. If you're a large enterprise and you pay up, you know, let's say three-hundred thousand dollars and you pay up and you get a tarball with twenty thousand individual keys in it – right? – now you've got a data management problem. How are you going to deploy those keys to workstations and servers in an acceptable timeframe? And which ones do you start with? So, even if you do pay up and you get the data back, it's not saying that you're gonna be back online in twenty minutes. You've got a significant issue here of deploying these keys and getting these workstations and servers decrypted and back online. A lot of people don't consider that – they sort of think, okay, well, if I pay up, that's the magic, you know, the magic key, and all of a sudden I'm good to go. Well, not really. If you pay up, a lot of times, you're just starting your journey...
Dave Bittner: [00:12:26] Right.
Alex Tilley: [00:12:26] ...And this recovery journey can be arduous. And I think what you can find is a lot of places – you know, obviously, I operate a bit on a don't ask, don't tell sort of policy, if you will, around these things. It's like, if you've got keys, that's great, I'm not gonna ask how you got them. That's your business; business is business, as it were.
Dave Bittner: [00:12:42] I see.
Alex Tilley: [00:12:43] Yeah. But, like, just having the keys is the beginning of your journey. And then all of a sudden you have competing interests. You know, like, if you're a decent-sized enterprise and you say, okay, we've got the means to decrypt this stuff – where do we start? Can you imagine the fight that could break out? Because everyone's systems and everyone's data is the most important in the business, right? Of course it is.
Dave Bittner: [00:13:05] Of course. (Laughs) Yes, absolutely.
Alex Tilley: [00:13:08] (Laughs) So that's sort of – I've been sort of pushing this barrow around my little patch here in Australia for a little while now. It's about people are having their BCP meetings and their DR meetings and they are now discussing ransomware. That's great. That's an awesome step. You know, three years ago, two years ago, it wasn't really brought up in those sort of meetings. Now it's, okay, well, if we get ransomware'd, what's our corporate policy? What's our marketing strategy? You know, these things sort of come into play.
Alex Tilley: [00:13:36] But the extra question is, okay, before the bad thing happens, discuss and agree on what we will decrypt first should we come into possession of keys. You know, let's just say a magic fairy drops some keys in our lap. Where do we start? And I think having that nailed down and discussed upfront will put you in a good position. It'll also help you sort of figure out what's the most important to your business, because – fair enough, we talk about it from a ransomware point of view, but you can talk about it from any sort of nasty attack, any sort of crippling attack point of view as well. Like, okay, well, what actually is key to our business? And it might be different than your normal BCP planning, where it's about a power outage or, you know, some sort of event in your server farm. You might have a different thought process around what's most important when it comes to, it'll come back – it'll just take six hours to decrypt. You know, and then you sort of have those discussions.
Dave Bittner: [00:14:27] Yeah, it is interesting, I find, how often, I suppose, it's easy for people to overlook the time factor – that, you know, even when we were in the mode of advocating for having good, robust backups, that those backups aren't going to just restore themselves instantaneously. That takes time.
Alex Tilley: [00:14:49] Yeah, yeah. And I think, in all honesty, that could be sort of a bit of a failing on us as security professionals, because maybe we don't think about that. We just think about backups, check. Do the backups work? Yes. Good, tick box. Next problem. We don't think about the poor server admin who's got backups, yes, but he's got four hundred servers to restore and everyone's screaming at him.
Dave Bittner: [00:15:12] Right.
Alex Tilley: [00:15:12] You know, maybe we haven't considered the personal aspect to this. And that's the part of it that I find the most interesting, is the human aspect of what we do as either criminals or defenders. It's, yeah, those situations where it's, yes, you've got keys, or you've got backups, but that's going to take time, and have we budgeted for that? And that's where it does come down to a realistic discussion around what's it gonna – you know, it could take us three or four weeks to get everything back online. What's that gonna cost us as a business, even if we've paid the X hundred thousand dollars, X million dollar ransom? Or it'll take us this long to rebuild from scratch and we'll lose a week's worth of data. Maybe there's a discussion to have there, because I think, yeah, we maybe have just been discussing it, as you say, from a more of a technical point of view of, yes, we have backups, that's all fine. I think there's deeper chats to be had there.
Dave Bittner: [00:16:05] What sort of advice do you have for organizations to protect themselves against this?
Alex Tilley: [00:16:10] Well, block RDP would be a good starting point. (Laughs)
Dave Bittner: [00:16:11] (Laughs)
Alex Tilley: [00:16:15] I think, honestly, if you can – yeah, if you can block RDP, or put it behind some sort of second-factor or some sort of authentication gateway, you'll be ahead of a lot of people. Because – while some of this stuff is definitely targeted and they pick their targets based on who is the most likely to pay up, because they have either regulatory authorities on their back or they have, you know, maybe critical-to-life functions, that sort of stuff – some of this stuff does seem to be more opportunistic, which will be more around, well, let's just see what we can get access to and then see if it's worth our time to encrypt them all. So, by not being on that list – either don't show up in the Shodan search, or don't be in a database dump or, you know, change your passwords, that sort of thing – you will see a lot of these people just move on to someone else.
Alex Tilley: [00:17:04] A determined attacker is still going to be able to – like, there's a lot of ways to skin a cat, right? – so, if someone really wants into your network, they're probably gonna get in eventually. But in all these cases here, it's just a case of they just want to get access to anything, to anyone who might pay up. So, just make that little bit harder for them. Obviously, proper email sanitization, that sort of stuff works really well. You know, detonate all your incoming documents in some sort of sandbox to see if they go off, if they're doing anything strange, standard security provisioning around, you know, don't run as admin, app whitelisting, et cetera. Again, things that are very easy for us as security professionals to say, but trying to deploy app whitelisting on a large enterprise is, as we all know, quite a beast in and of itself.
Dave Bittner: [00:17:47] Mm-hmm.
Alex Tilley: [00:17:48] But if you can move towards that, you're doing pretty well, I think. But yeah, a lot of times it, honestly, it is just literally put something in front of your RDP or block your RDP, and then use two-factor on your OWA. Honestly, it's really simple things to make you not be at the top of that infection curve, as it were, and make them move on to someone else.
Dave Bittner: [00:18:08] Do you think there's any advantage to encrypting all of your data at rest? So that if these folks get their hands on your data, it's encrypted – if they publish it, there's really nothing to be gained from it.
Alex Tilley: [00:18:23] Yeah, I mean – see, that's a very good question, and it's a little bit hard to sort of say categorically, because yeah, if you encrypt all your data and they get it, yeah, a hundred percent, it's going to be just maths – just gonna be entropy is all they're going to look at. But a determined attacker who's got enough access to your systems to get that data, you could say they'd have access to the means to decrypt at the same time. You know what I mean? So, if you're on a system as, you know, admin or SYSTEM privileges, and that has some involvement in the encryption or decryption of those data at rest, you're gonna be able to decrypt it anyway. So, yeah, it will definitely put a hurdle in place. But I think, again, if it's a sufficiently determined attacker, they'll be able to sort of subvert that anyway.
Alex Tilley: [00:19:08] We see that a lot with things like with the BEC stuff, where, you know, these emails are arriving at suppliers or vendors that have SPF and DKIM checked, and they've got digital signatures checked, and the invoice looks exactly the way it should, et cetera, because they're literally in that person's system generating all this information and the emails through their mail client.
Dave Bittner: [00:19:28] Right.
Alex Tilley: [00:19:29] So, all these little technical ticks that we put in place to say, yes, this is legitimate – it will tick on all those boxes because it is literally legitimate, it's just not that person using that laptop to do it – it's someone else.
Dave Bittner: [00:19:39] Right. Right. It's like that old horror movie where they call and they say, you know, the call is coming from inside the house.
Alex Tilley: [00:19:47] That's literally what it is. And it's why it's so insidious, because, you know, again, we've sort of said, listen, if the little padlock is there and the address bar's green, yeah, that's fine, or if it's got the tick here, or whatever, it's passed some sort of technical check to say that, yes, this is a legit document or a secure site or whatever, you know, these sort of positive security affirmations, as it were. We've said, if you see these or if these things happen, then it's all good. The problem then becomes when the bad guy can subvert that trust and use it against us to say, well, yeah, everything's good about this email, except it wasn't that person sending it. That's – again, our trust model is completely broken down, because we trust all these technical indications that things are all fine.
Dave Bittner: [00:20:27] Right.
Alex Tilley: [00:20:27] So, that's what makes a lot of this stuff insidious. It's a hard one, because we've sort of – we've taught people that, yeah, if all these things say yes, it's all good, then trust it. But maybe we shouldn't.
Dave Bittner: [00:20:39] Yeah, no, it's a really interesting insight.
Alex Tilley: [00:20:43] It's hard, right?
Dave Bittner: [00:20:45] Yeah, it is. Oh, it absolutely is. It absolutely is. And then I think that's a big part of why you can't sort of shame the victims here.
Alex Tilley: [00:20:54] No. Hundred percent.
Dave Bittner: [00:20:54] Yeah, they're doing their best.
Alex Tilley: [00:20:57] Yeah. A hundred percent. And that's sort of – even if I'm not professionally involved – if I'm just, you know, if I have a friend in the business who's doing this sort of – who's getting victimized by ransomware at various levels. My advice to my friends is always if you do pay up, that's cool, that's on you. You know, like, I would advise not doing it, but, you know, your business is your business. Don't tell anyone. You know what I mean? Like, you just – you came across some keys, or you managed to find some sort of way to decrypt it, whatever your story needs to be. But your business is your business, and you haven't got to tell the world. Because, yeah, people do like to victim shame, but I think it's maybe a situation similar to what we used to see, again, with BEC, with business email compromise, where people didn't want to say that they were victimized. They don't want to say that they'd lost four-hundred thousand dollars to some scammer, because they're embarrassed or it might hurt trust in their business or whatever like that.
Dave Bittner: [00:21:51] Right.
Alex Tilley: [00:21:51] But now, you know, I stand up in front of groups of people and say, well, who here has had an issue? And hands got up across the board. Everyone's going, yep, yep, we lost twenty grand, yep, we lost eighty grand, or we almost lost four-hundred thousand dollars. You know, everyone's had experience with this now, so that sort of shame element has gone out of it. Because, yeah, we used to think – or some people used to think – you know, you'd have to be a real fool to fall for one of these scams. And that is no way the case at all. You know, these attackers – be they ransomware or BEC or whatever – they've been doing this as long or longer than we have as defenders. You know what I mean? So we have to sort of respect the adversary in a way. And yeah, victim shaming is not gonna help anyone. It's the worst thing we could probably do.
Dave Bittner: [00:22:38] Our thanks to Alex Tilley from Secureworks for joining us. The research is titled, "Ransomware Name-and-Shame Game."
Dave Bittner: [00:22:47] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:22:55] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:23:03] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.