We all know the security recommendations offered by professionals on malware protection. Frequently: use common sense (personally, one of the least applicable and most abstract pieces of advice that can be given), use an anti-virus, a firewall (?)… All of them well-intentioned, much repeated, yet neither very practical nor very effective. Users and companies still get infected. So, what if, for a change, we listen to the creators of ransomware themselves? Wouldn't they have a more practical and realistic view of what to do to avoid their own attack? What are their recommendations against themselves?
First of all, a distinction must be made between homemade ransomware and professional ransomware. In the first, the target is any random individual's computer: whoever does not follow the protection recommendations can be affected. The second is ransomware developed with a specific company as its target. The attackers will spend months planning the attack, probably weeks inside the network, and within minutes they will encrypt everything they can in order to demand a multi-million ransom. And once affected, little can be done.
Garmin has recently paid, and so has CWT, a US business travel and event management company that has just paid $4.5 million to decrypt its own data. The deal with the attackers' negotiator was done by chat and has been made public. The transcript reads like the handling of any business between professionals. Let's have a look at the recommendations that the "bad" negotiator made to the CWT representative and analyse their effectiveness.
It is worth stressing that these are recommendations from the attackers themselves, intended to help large companies attacked by professional ransomware. Let's go through them and analyse whether they are suitable.
- Disable local passwords
On systems and servers controlled by a domain controller, it is a good idea not to use local users and to rely on domain accounts instead. This improves traceability and reduces exposure. Good recommendation.
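One way to act on this point, as an added example that is not code from the original post or from the negotiation: audit the local accounts on a set of domain-joined servers, disable every enabled local user except the built-in Administrator, and list local (non-domain) members of the Administrators group. The host names, the `$DryRun` switch and the `Tier`-style naming are assumptions; WinRM and domain-admin rights are assumed too.

```powershell
# Added example (not from the original post). Audits local accounts on the
# servers in $servers and disables every enabled local user except the
# built-in Administrator, so that only domain accounts remain usable.
# Assumptions: WinRM enabled, caller is a domain admin, $servers is a
# hypothetical host list, $DryRun = $true only reports what would change.
$servers = @('srv-file01', 'srv-app01')
$DryRun  = $true

$users = Invoke-Command -ComputerName $servers -ArgumentList $DryRun -ScriptBlock {
    param([bool]$DryRun)
    foreach ($u in Get-LocalUser) {
        # The built-in Administrator always has RID 500. It is reported but
        # never touched here so a break-glass path survives; keep it disabled
        # or under LAPS rotation through policy instead.
        $isBuiltIn = $u.SID.Value -like 'S-1-5-21-*-500'
        $action = 'kept'
        if ($u.Enabled -and -not $isBuiltIn) {
            if (-not $DryRun) { Disable-LocalUser -Name $u.Name }
            $action = if ($DryRun) { 'would disable' } else { 'disabled' }
        }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            User       = $u.Name
            BuiltIn    = $isBuiltIn
            WasEnabled = $u.Enabled
            LastLogon  = $u.LastLogon
            Action     = $action
        }
    }
}

# Local Administrators group: any member whose source is the local machine
# rather than Active Directory is a standing local credential worth removing.
$admins = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Source   = $_.PrincipalSource   # 'Local' or 'ActiveDirectory'
            Class    = $_.ObjectClass
        }
    }
}

$users  | Sort-Object Computer, User | Format-Table -AutoSize
$admins | Where-Object Source -eq 'Local' | Format-Table -AutoSize
```

Run it first with `$DryRun = $true` and review the `Action` column; the second table is the list of local principals that still hold administrator rights on each host.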
- Force the end of administrators’ sessions
When attackers are already moving freely on the network, they will try to escalate to domain administrator and open sessions with that account; otherwise they will not be able to encrypt everything important, including the backups. It is a good idea that these sessions come to an end, that they have an expiry time, and that they are fully monitored.
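Two concrete ways of giving administrator sessions an expiry, as an added example that is not from the original post: Remote Desktop session time limits on the server (the registry values written by the "Session Time Limits" group policy), plus membership of the built-in Protected Users domain group, whose members get four-hour, non-renewable Kerberos tickets. The group name `Tier0-Admins` and the specific time limits are assumptions.

```powershell
# Added example (not from the original post). Part 1 bounds RDP sessions on
# this host; part 2 shortens the Kerberos ticket lifetime of the admin
# accounts. 'Tier0-Admins' is a hypothetical group; part 2 needs the
# ActiveDirectory module on a domain-joined host.

# --- 1. session limits on this host (all values are milliseconds) ---
$rds = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $rds)) { New-Item -Path $rds -Force | Out-Null }
$limits = @{
    MaxIdleTime          = 15 * 60 * 1000       # idle for 15 min -> session ends
    MaxDisconnectionTime = 60 * 60 * 1000       # disconnected for 1 h -> session ends
    MaxConnectionTime    = 8 * 60 * 60 * 1000   # hard cap: 8 h per session
    fResetBroken         = 1                    # 1 = log off (not just disconnect) at the limit
}
foreach ($name in $limits.Keys) {
    Set-ItemProperty -Path $rds -Name $name -Value $limits[$name] -Type DWord
}

# Log off sessions that are already sitting disconnected on this host.
# "quser" prints a table; a disconnected row has no SESSIONNAME column, so
# after splitting on runs of spaces the ID is the second field and the
# STATE ('Disc') the third.
quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    $fields = ($_.Trim() -replace '^>', '') -split '\s{2,}'
    if ($fields[2] -eq 'Disc') {
        Write-Host "Logging off disconnected session $($fields[1]) ($($fields[0]))"
        logoff $fields[1]
    }
}

# --- 2. short-lived tickets for the admin accounts ---
# Protected Users members get a 4-hour non-renewable TGT and their
# credentials are not cached by WDigest, NTLM or CredSSP on the endpoint.
Import-Module ActiveDirectory
$admins = Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SID.Value -notlike '*-500' }  # RID 500 stays out as break-glass
Add-ADGroupMember -Identity 'Protected Users' -Members $admins
# Caveat: Protected Users members cannot authenticate with NTLM or with
# RC4/DES Kerberos, so pilot with one account before moving the whole group.
```

The registry values in part 1 are the same ones the "Session Time Limits" policy sets, so they can equally be pushed from a GPO; the script form is useful for checking a single server. Part 2 is the stronger control for the scenario in the text, since it makes a hijacked admin ticket stop working within hours.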
- Avoid WDigest (Digest Authentication) used in LDAP, which stores passwords in memory
The attacker here refers, veiled but almost certainly, to Mimikatz and to how it most likely recovers the domain administrator's password and escalates privileges thanks to that tool. If a certain Windows value is set to zero, the attackers will not be able to see the password in clear text and privilege elevation becomes harder for them. Excellent recommendation.
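The value the text alludes to is `UseLogonCredential` under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`. The following is an added example, not code from the original post: it audits that value on a list of servers, sets it explicitly to 0, and turns on registry auditing for the key so that any later change shows up as Security event 4657. The host list is an assumption.

```powershell
# Added example (not from the original post). With UseLogonCredential = 0,
# LSASS no longer keeps a plaintext copy of logon passwords for the WDigest
# provider. It defaults to 0 on Windows 8.1 / Server 2012 R2 and later, but an
# explicit 1 re-enables the caching; on Windows 7 / 2008 R2 the switch only
# exists after KB2871997 and must be set to 0 by hand. $servers is hypothetical.
$servers = @('dc01', 'srv-file01', 'srv-app01')
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

$results = Invoke-Command -ComputerName $servers -ArgumentList $key -ScriptBlock {
    param($key)
    $before = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $osVer  = [version](Get-CimInstance Win32_OperatingSystem).Version
    # Classify the current state; an absent value means "OS default".
    # (A switch statement is avoided on purpose: switch ($null) runs no branch.)
    if ($before -eq 0)                 { $state = 'disabled (explicit 0)' }
    elseif ($before -eq 1)             { $state = 'ENABLED (explicit 1)' }
    elseif ($osVer -ge [version]'6.3') { $state = 'absent (OS default: off)' }
    else                               { $state = 'absent (OS default: ON)' }

    # Set it explicitly to 0 regardless. New logons stop caching immediately;
    # sessions that are already open keep their cached copy until logoff.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name UseLogonCredential -Value 0 -Type DWord

    # Detection: audit SetValue on the key so that re-enabling it produces
    # event 4657. The "Registry" object-access subcategory must be enabled
    # for the event to be written at all.
    $acl  = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'SetValue', 'None', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        OSVersion = $osVer
        Before    = $state
        After     = (Get-ItemProperty -Path $key -Name UseLogonCredential).UseLogonCredential
    }
}
$results | Format-Table -AutoSize

# Hunt: 4657 events that touched the WDigest value on this host since $since.
function Get-WDigestChangeEvents {
    param([datetime]$since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest' -and $_.Message -match 'UseLogonCredential' } |
        Select-Object TimeCreated, @{n='Subject'; e={ ($_.Message -split "`n" | Select-String 'Account Name').Line.Trim() }}
}
Get-WDigestChangeEvents
```

Anything in the `Before` column other than "disabled" deserves a look at who logged on to that host recently; a 4657 event on this value after the baseline has been set is a strong signal on its own, since no legitimate process needs to flip it back to 1.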
- Monthly password updates
There is a lot of controversy about forced password changes. Users find it tedious to change their passwords monthly and end up writing them down or following a pattern. But for administrators (which are the accounts the criminals target) it makes sense. Attackers may spend more than a month on a network without revealing themselves, studying when the best time is to launch the most effective attack. Changing passwords that they have probably already obtained can force them to rethink the attack and may undo much of their work. Interesting recommendation.
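The point in the text is that the monthly change applies to administrators, not to everyone. Active Directory expresses exactly that with a fine-grained password policy scoped to one group. The following is an added example, not from the original post: it creates a 30-day policy for an admin group and then reports which policy actually governs each admin and whose password is already overdue. The group and policy names are assumptions.

```powershell
# Added example (not from the original post). Creates a fine-grained password
# policy (PSO) with a 30-day maximum age for the admin group only, then checks
# the resultant policy and password age of every member. Requires the
# ActiveDirectory module and Domain Admin rights; 'Tier0-Admins' and
# 'PSO-Admins-30d' are hypothetical names.
Import-Module ActiveDirectory
$adminGroup = 'Tier0-Admins'
$psoName    = 'PSO-Admins-30d'

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 30) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
# Scope the PSO to the admin group; ordinary users keep the domain default.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $adminGroup

# Which policy wins for each admin (lowest precedence wins when several apply),
# and whose password is older than the 30-day limit right now.
function Get-AdminPasswordStatus {
    param([string]$Group = $adminGroup, [int]$MaxAgeDays = 30)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet |
        ForEach-Object {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_
            # PasswordLastSet is empty when "must change at next logon" is set.
            $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                User            = $_.SamAccountName
                EffectivePolicy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                PasswordAgeDays = $age
                Overdue         = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            }
        }
}
Get-AdminPasswordStatus | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

A row whose `EffectivePolicy` is still the default domain policy means the account is not in the scoped group (nested membership is resolved, but the PSO only applies to users and global groups in the same domain). Run the status function on a schedule; the `Overdue` column is the list to act on.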
- Reduce user permissions to access only the essential
Well, this is a common recommendation. It very probably also refers to how attackers manage, starting from a plain user, to gain privileges thanks to negligence in segmenting permissions and privileges.
- AppLocker and only the necessary applications
This is every network administrator's dream: to have a whitelist of applications that users can run and to block everything else. With AppLocker, already integrated in Windows, this would be enough. It works very well and allows you to restrict by certificate, location, etc. Attackers would not be able to download their tools and launch them in order to elevate privileges. It is an excellent measure, complex to implement yet not impossible.
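A starting AppLocker policy for the idea above, as an added example that is not from the original post or from Microsoft's own default rule set: everyone may run executables from the two locations a standard user cannot write to, local Administrators may run anything, and everything else is implicitly denied. It is applied in audit-only mode first, and then a constructed test file shows how the same binary is allowed from System32 but not from a user's Downloads folder. The rule GUIDs are generated at run time and the test file path is an assumption.

```powershell
# Added example (not from the original post). Builds an AppLocker EXE policy
# in AuditOnly mode, applies it locally, and tests one binary in two places.
$guid = { [guid]::NewGuid().ToString() }
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(& $guid)" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $guid)" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <!-- Sub-folders of Windows that standard users can write to are excepted,
           otherwise files a user placed there would be allowed by this rule. -->
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%SYSTEM32%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(& $guid)" Name="Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Rules are only evaluated while the Application Identity service runs. On
# recent Windows 10/11 builds its startup type can only be changed through
# policy (Computer Configuration > Windows Settings > System Services), so it
# is merely started here.
Start-Service -Name AppIDSvc

# Replace the local policy with the audit policy (add -Merge to keep rules
# that already exist).
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry-run the decision for the same binary in two places: cmd.exe in System32
# is covered by the Windows rule; the copy in Downloads matches no rule.
$sample = Join-Path $env:USERPROFILE 'Downloads\sample-tool.exe'   # constructed test file
Copy-Item "$env:WINDIR\System32\cmd.exe" $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path "$env:WINDIR\System32\cmd.exe", $sample |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# What the policy would have blocked since it was applied: 8003 = audit hit,
# 8004 = blocked once EnforcementMode is changed to "Enabled".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

Leave the policy in `AuditOnly` for a few weeks and turn the 8003 events into rules (publisher rules where the software is signed, hash rules otherwise) before switching the collection to `Enabled`; the same process is needed for the Script, MSI and DLL collections, which this example leaves unconfigured.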
- Don't count on anti-virus in the short term
Well, unfortunately, we have already explained this on many occasions. Anti-virus (as such) is not the best solution for early detection. "Don't count on them". Here, the attacker claims that anti-virus could work in the long term, as something reactive. And unfortunately, he is right. Anti-virus as such is a reactive element and that is where it works best: as a system for detecting and eradicating an infection once it has already occurred. For prevention, it is reasonable to use a much broader set of measures. Furthermore, he points out that the anti-virus is only useful if the attacker "for some reason does not attack in the short term". He suggests that professional attackers are rarely impulsive, and adds that they take their time to analyse the victim and strike effectively.
- Install an EDR (Endpoint Detection and Response) and have skilled technicians work with it
An EDR is more than just an anti-virus: it is actually aimed at early detection, at analysing what is happening on the system in real time, beyond traditional anti-virus signatures. And yes, that could be useful. But the subtle touch added by the attacker is interesting: not only that they use it but also that "the technicians work with it". As with any software, there is no point in setting up an EDR if it is not properly configured, understood, worked on and monitored.
- Work 24/7
For large companies, the attacker recommends three eight-hour shifts for administrators, covering 24 hours a day. This implies that attackers will most likely look for times when administrators are not working to launch attacks, lateral movement, or privilege escalation. If they manage to do so without alarms being raised (and checked), then they can cover their tracks. So full shifts of "human surveillance" are important.
Bearing in mind that they have just charged $4.5 million for a ransom they themselves provoked, the attacker undoubtedly belongs to a professional group that knows exactly what it is doing. The recommendations seem sincere and, although it may seem counterproductive, aimed at hindering their own work. Why reveal these tricks? They communicate them exclusively to their victim (who, let's recall, has just paid) as an act of professionalism. They have completed a transaction between "professionals" for a service and so they give a "bonus" of information.
Like the plumber who, after clearing a blocked pipe, advises you before he leaves, while he is billing you, on how to stop the sink from getting blocked again. No plumber would withhold this little tip for fear of losing future business. On the contrary, as a good professional, the attacker needs to generate confidence, because the next time he attacks a big company and demands a few million, he wants them to know that paying is the best option to recover their data. Treat your present and future clients well… even if they are victims.
And even if these tips have been leaked, we assume they don't really mind. There are thousands of large companies out there that will not listen. Due to ignorance or lack of resources, who knows, but they will still be potential victims. Attackers can afford to give advice on how to stop them and still enjoy a large enough attack surface to keep a prosperous business going.