Cisco Senior Security Researcher Brad Antoniewicz often gets asked whether those who take people’s computers hostage with ransomware actually hold up their end of the bargain and decrypt files when victims pay by bitcoin.
“They’re in it to make money… Good customer service is important to these people,” he said, and not at all tongue in cheek, during his lunchtime address on the opening day of SecureWorld Boston this week.
Antoniewicz, sporting a RUN DNS t-shirt reflecting his position with the Cisco Umbrella (formerly OpenDNS) team, dove into the topic of ransomware variants like Cerber as part of a broader talk on “An Anatomy of an Attack” and the elaborate ecosystem behind cyberattacks.
As he relayed, what starts as something seemingly simple, like the infiltration of a WordPress blog, often has much more serious consequences when you follow the “exploit kit infection chain.”
AND THE NEXT THING YOU KNOW YOU'VE GOT RANSOMWARE
In the example Antoniewicz shared, a blog showed up normally for Chrome browser users, but in the form of an error message when accessed via Microsoft Internet Explorer.
“Somehow an error message is being spawned by another process outside the browser,” he said. “This is a pretty bad situation.”
Clues in the page source show that suspect code had been injected into the IE view by someone who used an exploit kit to compromise the blog and, potentially, its visitors’ browsers and systems. Neither the blogger nor the blog’s followers would likely realize what was going on.
“This is incredibly indicative of a specific campaign called Pseudo-Darkleech,” Antoniewicz said, one that uses the “pretty awesome” – as in powerful – RIG exploit kit. It even comes with a single-pane-of-glass dashboard that attackers can use to identify victims by browser type, operating system and country of origin, among other things.
Would-be attackers frequently access exploit kits on an “as a service” basis, then hit unsuspecting victims with malware such as ransomware, Antoniewicz said. “This is a whole ecosystem,” from those who hacked the blog to those who provide the exploit to those who pay to have the ransomware like Cerber Red (also called Red Cerber) installed, he said.
This elaborate ecosystem gets back to Antoniewicz’s comment about the criminals who wield ransomware and their attention to providing good customer service, as in, typically freeing computers that are held hostage after a victim pays. What's more, ransomware only locks down certain files, folders or directories — after all, the perpetrators want you to be able to use your computer to pay your ransom.
“They have support forums in case you have trouble getting onto Tor, in some cases they have live chat and in one scenario they even had a dial-in number for technical support,” said the Cisco researcher, who also includes Hacker in Residence at New York University’s Tandon School of Engineering on his resume.
His favorite case involved a support forum in which a victim was having all sorts of trouble getting on Tor, dealing with Bitcoin, etc., and eventually got involved in such a long thread of messages that the attacker got worn down and released the files for free.
SEEKING 'PATIENT ZERO'
Antoniewicz and his peers study attacks like the one described here to better understand what Cisco customers are up against. One of the first things researchers do is try to find what he referred to as "patient zero, the first person to get infected" to learn what else on the network might have been affected. This can help vendors build signatures to detect future breaches.
"When patient zero gets hit that's not when the attack actually started," Antoniewicz said. "There was a whole prior phase to all of this. There was when the attacker compromised that first web site. There was when the attacker had to set up the infrastructure that serves up these exploits. There's when the attacker needs to set up reconnaissance to figure out who they're targeting and understand the network."
Antoniewicz and his Cisco Umbrella colleagues, not surprisingly, examine attacks at the DNS level, and he said those in the crowd could do likewise by reviewing their own DNS logs. DNS is often overlooked, but it can give you a real read on what's happening on your network and even let you block certain connections before they are made, he said.
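As an added example (not from the talk and not Cisco Umbrella's tooling), a small Python script that applies the two ideas above to a resolver log: find "patient zero" for a known-bad name and every other host that later resolved it, then list what that host resolved just before, which in an exploit-kit chain points back at the compromised site. The log format, IP addresses and domain names are all constructed placeholders.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample resolver log: "<ISO timestamp> <client IP> <query name> <type>"
SAMPLE_LOG = """\
2017-03-15T09:12:01 10.0.0.21 www.example-blog.test A
2017-03-15T09:12:03 10.0.0.21 ek-gate.placeholder.test A
2017-03-15T09:12:04 10.0.0.21 ek-gate.placeholder.test AAAA
2017-03-15T09:40:17 10.0.0.57 www.example-blog.test A
2017-03-15T09:40:19 10.0.0.57 ek-gate.placeholder.test A
2017-03-15T10:05:44 10.0.0.99 mail.example.test MX
garbled line
"""

def parse_dns_log(text):
    """Parse log lines into (timestamp, client, qname); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2].lower().rstrip(".")))
    return sorted(records)

def first_lookups(records, indicator):
    """Each client that resolved `indicator`, with the time it first did so (earliest first)."""
    seen = OrderedDict()
    for ts, client, qname in records:
        if qname == indicator and client not in seen:
            seen[client] = ts
    return seen

def patient_zero(records, indicator):
    """(client, timestamp) of the earliest lookup of `indicator`, or None if never resolved."""
    return next(iter(first_lookups(records, indicator).items()), None)

def lookups_before(records, client, ts, window=timedelta(seconds=30)):
    """Other names `client` resolved shortly before `ts`: the likely origin of the chain."""
    return sorted({q for t, c, q in records if c == client and ts - window <= t < ts})

if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    bad = "ek-gate.placeholder.test"   # placeholder indicator, not a real domain
    pz = patient_zero(recs, bad)
    print("patient zero:", pz)
    print("all hosts that resolved it:", list(first_lookups(recs, bad)))
    print("patient zero resolved just before:", lookups_before(recs, *pz))
```

Feeding it a real resolver export only needs `parse_dns_log` adjusted to that export's column order.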
The Cisco Umbrella team exploits machine learning and big data analytics to make sense of such data, using IP geo-location, predictive and other models. While Antoniewicz's background is actually more on the attack side of IT security, his teammates include plenty of data scientists, and he said that's where most security teams need to go these days to thwart emerging threats.