CDT - RiskInsight

CDT Watch – December 2021

CERT-W — Thu, 30 Dec 2021 16:46:00 +0000

THE ROLE OF DECRYPTION TOOL AGAINST THE RANSOMWARE THREAT

The ransomware threat is increasing continuously and is now considered a national threat for countries, such as the US, France, or the UK.

Last summer, the Virtual System Administrator (VSA) edited by KASEYA in the US has been exploited by REvil, impacting the company and many of its international clients. In this case, the FBI kept secret the decryption key for three weeks from the victims, in order to protect their operation against REvil.

What’s the purpose of a decryption tool?

As the name suggests, decryption tools are designed to decrypt encrypted data. Often based on previous ransomware analysis, those tools use decryption keys like a password to access blocked data. Today many decryption tools are proposed online, sometimes even for free, providing a quick solution in case of known ransomware.

Let’s consider a company ransomed. Following the criticality of the encrypted data, the company will have to choose between paying the ransom or, in case they are prepared, launching their recovery plan. This will imply rebuilding their infrastructure based on previous saves if they are still accessible which is never a trivial assumption. Paying the ransom represents an even less reliable solution to recover a safe and complete information system.

The decryption tool could be an alternative option to recover the data, with advantages such as being a widely available, affordable, and quick solution. The No More Ransom project launched by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee now make available 121 free ransomware decryption tools that can decrypt 151 ransomware families. More than six million ransomware victims have used those tools to recover encrypted files.

However, a decryption tool can be developed only for the ransomware containing vulnerabilities. If a ransomware is 100% correctly coded, there is no vulnerability to exploit and no decryption key to be developed. Therefore, the decryption tool is a solution only for a certain type of ransomware.

Moreover, this option is safe only when proposed by a reliable editor. Many fake decryption tools used as scamming vectors are proposed for free online. Besides, the ransomware being in constant evolution, the decryption tools have to follow the updates to not be rapidly irrelevant.

The controversy of the decryption tools publication

Decryption keys can be seen as ransomware vulnerabilities. In the same way that vulnerabilities are patched when discovered, when a decryption key is found, criminals patch their ransomware to make it more effective. The decryption key becomes irrelevant for the next victims.

Months before the Colonial Pipelines attacks, two searchers had found a decryption key to help DarkSide victims to recover and chose to not share it. But BitDefender discovered the key as well and published it online, alerting the victims, as well as the attackers. The day after this publication, DarkSide publicly informed they have corrected the problem and even address its “Special thanks to BitDefender for helping fix our issues. This will make us even better”.

This is not an isolated case. Earlier this year, a Spanish searcher found and developed a decryption tool for the Avaddon ransomware. He published it online on GitHub with an explanation about how to use its tool. As in the case of DarkSide, this information was shared publicly, available for the victims as well as the ransomware developers, who corrected the vulnerabilities.

In the KASEYA case, this decryption key was kept by the FIB because its publication would hinder an offensive cyber operation against the REvil gang. This implied letting victims such as schools and hospitals deal with the problem without sharing with them a solution, in order to reach the attackers. The operation didn’t happen immediately, as, in the same month, websites run by the REvil ransomware gang suddenly became inaccessible.

BreachQuest CTO Jake Williams called the situation a classic case of an intelligence gain/loss assessment. He pointed out that the direct financial damage was almost certainly larger than the FBI believed, but “on the other hand, releasing the key solves an immediate need without addressing the larger issue of disrupting future ransomware operations”.

Decryption tools: a partial solution

Outside of the debate on the necessity to publish them, the crisis management interventions of the W-CERT pointed out that, even if helpful, the decryption tools are not the ultimate and perfect solution in a ransomware attack.

Indeed, decryption tools are only usable for a limited subset of existing ransomware, where encryption mechanisms were not created using state-of-the-art security. Even if the related ransomware attack falls under this case, which would mean the affected data will be able to get recovered safely, the attacked company still has to tackle the biggest issue of such an attack, meaning rebuilding at the very least the core of the information system that got compromised. Relying on decryption tools only to face the ransomware threat is far from being a complete and reliable solution.

CERT-W: FROM THE FRONT LINE

The First Responder Word

For more information for vulnerability detection and remediation, contact Wavestone CERT-W!

Reading Of The Month

To learn more about the evolution of cybercrime, we recommend reading the Internet Organized Crime Threat Assessment 2021 of Europol. This report focuses on changes and developments of cybercrime threats during the last 12 months.

Internet Organized Crime Threat Assessment 2021, Europol

Cet article CDT Watch – December 2021 est apparu en premier sur RiskInsight.

CDT Watch – November 2021

CERT-W — Tue, 30 Nov 2021 08:50:00 +0000

FOCUS TECH

File Obfuscation

Discover Cobalt Strike capabilities with the technical zoom of the month:

To learn more about the given malwares:

Cobalt Strike Training videos

CERT-W: FROM THE FRONT LINE

The First Responder Word

We recommend the 2021 Benchmark on cybersecurity incidents which reviews the interventions of the CERT-W carried out between September 2020 and October 2021. This Benchmark provides keys to understanding the security issues and a snapshot of current cybersecurity threats in France.

CERT-W’s 2021 Benchmark on cybersecurity incidents

Reading Of The Month

To learn more about Conti, one of the most dangerous Ransomware, we recommend reading the Conti Ransomware Group In-Depth Analysis of Prodaft. According to Prodaft, this report will show you how the gang works with details obtained by their team who accessed Conti’s infrastructure.

Conti Ransomware Group In-Depth Analysis by Prodaft

Cet article CDT Watch – November 2021 est apparu en premier sur RiskInsight.

Newsletter CERT-W, from the front line – June 2021

CERT-W — Thu, 24 Jun 2021 13:39:44 +0000

DECRYPTION

CYBER CRIMINAL NETWORK DISMANTELING

The last 6 months, large-scale coordinated international actions have dismantled several of the biggest cybercriminal networks such as Emotet, Netwalker, Egregor or even Cl0p. Let’s have a closer look at some of them.

What is Emotet?

Emotet was originally a banking trojan, stealing emails and contact list, retrieving passwords on navigators and systems, spreading within the infected network. In 2019, Emotet lost its banking module and became a dropper of malwares. The trojan used a botnet of 1.6 million machines to realize phishing campaign and install itself on victims’ machines.

Why is Emotet called the “king of malware”?

At the end of 2020, Emotet was identified as one of the most dangerous malwares. Additionally, being a dropper as well as a botnet, Emotet also served as a front door to many other malwares. It was used to drop malicious payloads directly onto the victims’ assets: for example, TrickBot was dropped onto the targeted machine which in turn, would drop Ryuk or Conti ransomware. According to Checkpoint Research, Emotet was at the top of the Global Threat Index in October 2020 and was linked to a wave of ransomware attacks. According to CISA, the U.S. Cybersecurity & Infrastructure Security Agency, Emotet infections cost is estimated at $1 million per incident.

Main TA542’s customer base, “The Malware As a Service EMOTET”, ANSSI 2021

During several months, Europol used the help of Eurojust, France, Germany, United States of America and announced their successful dismantle of the Emotet network in January 2021.

Does this dismantling mean the end of the malware?

The end of one botnet actually led to the rise of several others, such as TrickBot, which even though existed since 2016, replaced Emotet as one of the most well-established MaaS (Malware as a Service) not long after the events on January.

This turn of events might not be so surprising, as threat actors often pivot and change their tools along the way, whether by choice or by necessity as it was the case here. Taking one malware down would only force them to use another one. Yet, what is interesting is that TrickBot also suffered a dismantlement of its own, back in October 2020. In an attempt to disrupt one of the most used distributors of ransomware, Microsoft joined forces with other security teams to take down TrickBot servers. As you may have noticed, this was months before law-enforcement took down Emotet, and now TrickBot or other versions of this malware, still lives on. These actions only disrupted TrickBot activities for a few days, before going back to what it was and even overtaking Emotet dominance.

Moreover, TrickBot seems to be somehow connected to the Bazar malware (BazarLoader and BazarBackdoor), as some part of its infrastructure is shared with TrickBot and both show code similarities. This new toolset is now the most seen malware used to deploy Ryuk ransomware instead of the previous Emotet-TrickBot-Ryuk or TrickBot-Ryuk chain of infection. These changes might have to do with the previously mentioned dismantlements, or due to a new collaboration between threat actors.

What about the people behind these groups?

More recently, on June 4th, Alla Witte was charged on multiple counts for participating in TrickBot criminal activities. Is this arrest, serving as a warning with several hundreds of years of prison if convicted, going to change cybercriminals’ operations? A few months before that, the Ukrainian authorities cooperated with the French law enforcement to conduct an arrest against Egregor members, while a Canadian tied to Netwalker ransomware was charged by the police for distributing the malware. Last year was also marked by several other arrests of cybercriminals around the world. For instance, the arrest of members of the Infinity Black website selling user credentials, lead to the end of the website and the group altogether. On the other hand, the arrests mentioned regarding Netwalker and Egregor seem to concern ransomware affiliates. And as the operators are still free and collaborate with other affiliates, their ransomware continues being deployed around the world. Alla Witte’s case is different since she is suspected to be a malware developer for the TrickBot Group. While her possible conviction might slightly disrupt TrickBot, it seems like their operations still go on, as according to the any.run website and its malware trend tracker, the trojan was last seen on June 16th, 2021. Last but not least, some mid-tier members of the Cl0p gang may have been arrested mid-June in Ukraine even though it seems no core actor behind Cl0p were apprehended.

What could be the long-term consequences of these takedown for the cybercriminal activities?

It’s still early to draw meaningful conclusions on the consequences for cybercriminal activities with the recent arrests. Yesterday, June 16th, at the Geneva summit, U.S. President Joe Biden met with Russian President Vladimir Putin. One of the hot topics of discussions was the ransomware attacks on U.S. entities from Russian soil. Biden warned Putin that United States would not tolerate any other cyber-attacks, especially on 16 critical sectors. The G7 and the NATO also stated that in order not to consider cyber-attacks as armed attacks, Russia should try to identify and disrupt ransomware organizations within its borders.

Even with the arrests of criminal gang members and cybersecurity talks at the presidential levels, some experts say there would be no or little impact on ransomware groups that will still operate with impunity. The near future will give hints about the possible evolution of the cyber-attacks landscape. On one hand, the rising of a broader international collaboration against cyber-criminal gangs which could lead to less opportunistic and lucrative attacks. On the other hand, growing tensions between two blocks: U.S.-Europe and Russia-China with possible sanctions from either side and more cyber espionage, supply-chain or state-sponsored attacks.

CERT-W: FROM THE FRONT LINE

The First Responder Word

FOCUS TECH

Phishing

Think like a cybercriminal and understand how a spear phishing campaign is built to avoid them!

The technical zoom of the month:

To learn more about this:

Reading Of The Month

We recommend the short report “APT trends report Q1 2021”, which reviews the highlight events and findings observed by the Global Research and Analysis Team at Kaspersky during the Q1 2021 around the world.

Cet article Newsletter CERT-W, from the front line – June 2021 est apparu en premier sur RiskInsight.