This week’s SecurityIntelligence podcast puts the focus on ransomware. How do organizations shift from reactive attack protection to proactive threat prevention? Joining David Moulton and Pam Cobb are two IBM experts: Matthew DeFir, incident response function lead for IBM X-Force IRIS, and Robert Gates, senior threat intelligence analyst with the IBM X-Force IRIS threat hunting team. Here’s what they had to say.
Maximum Pressure to Respond to Ransomware
For Gates, the goal of any ransomware attack is to apply “maximum pressure” — to disrupt key systems and normal operations long enough that enterprises are willing to pay. While these blackmail-based threats are often treated differently than “destructive” malware attacks, DeFir points to a gray area, noting that “ransomware attacks are kind of inherently destructive from a client’s perspective, from an urban environment perspective.”
The pair also points out that ransom attacks have become more targeted over time. Hackers “are definitely doing their due diligence in profiling the potential victim organization,” says Gates. They’re also “living off the land,” combining common tools, tactics and procedures (TTPs) with legitimate penetration testing tools such as Metasploit and Meterpreter. For DeFir, this means more attackers leveraging “commodity infections” — generic malware code or Trojans used to gain a network foothold for sophisticated attack vectors.
You Don’t Always Get What You Pay For
Should companies pay the ransom when they’re attacked? DeFir is firmly in the “no” camp, noting “there’s no guarantee that the attacker is going to actually decrypt all of the systems in the environment.” Even if they do provide a working decryption key, attackers may still have backdoor access to the system and could compromise networks again — especially knowing they’re likely to get paid.
Whatever an enterprise chooses to do, it should decide in advance. Why? “Because if they wait till the day they become a victim, it’s likely going to be their worst day, week, month ever, and probably not the time to explore their options.”
How Can the Public Sector Improve Ransomware Protection?
As DeFir and Gates point out, attacks on public sector institutions such as schools and municipal governments are on the rise. Part of the appeal comes from limited budgets and small IT departments, making it easier for hackers to gain a foothold. The other big benefit is maximum pressure; if city power goes out or students can’t register for classes, institutions are more likely to pay up, even if it means exposing themselves to more risk.
Citizens, meanwhile, have no interest in paying higher taxes to cover ransom costs or better protect networks — they believe organizations should already have effective protections in place. The same attitude extends to enterprise stakeholders. Compromises should be avoided, not remediated, wherever possible.
To accomplish this aim, DeFir recommends robust endpoint visibility and management to help organizations identify potential attacks more quickly. Gates suggests remediating all commodity infections, even if they don’t appear serious, and recognizing the potential risk of ransomware attacks via compromised third parties, such as cloud and managed service providers.
The pressure is on. Preparation, not payment, helps prevent ransomware attacks.
Read more about ransomware and incident response:
- Why Cities Shouldn’t Pay Ransomware Criminals
- The Day MegaCortex Ransomware Mayhem Was Averted
- Georgia City Avoids Data Loss After Third Ransomware Attack of 2019
Pam: David, when I was preparing for this episode, I realized we both live in states that have experienced ransomware attacks. Do you have any thoughts about what happened in Texas regarding ransomware?
David: Yeah. For those who are listening who don’t know, 23 cities here in Texas were attacked. And overall, it seems like the governments and the different IT departments that are reacting to it have done a good job of shielding the public from feeling it, but I would say, on the other side, it’s not made it into the news cycle. So, the level of awareness, unless you’re looking for it, seems like it is going to be minimal.
And I’ve debated back and forth. Do we owe it to taxpayers’ constituents to talk about what we’re doing to remediate a problem or does that actually help the attacker? And I have not come to a solid answer on that. I think both can be true. I know there in Atlanta, there have been a number of attacks, obviously, the one…it was about a year ago that was major. What was your experience?
Pam: Well, so where I live is outside the 285 perimeter — commonly known as OTP, outside the perimeter — and so I don’t have a direct tie with the city of Atlanta, but I will also say when the ransomware attack hit, it followed on a series of other unrelated disasters, like part of our interstate melted, and a whole lot of stuff went down in the city of Atlanta.
And then the ransomware was just the cherry on top, and we were like, “Oh, okay, ransomware now. This is like the seventh plague.” And we were very…Well, as a person that didn’t live in the city, it was kind of a very laissez-faire attitude of like, “Oh, here’s the latest disaster.” And it was a little depressing knowing that this actually ties to the job that I have and that we should have had a perspective. It made the local news, but I didn’t hear about it so much on the national news.
David: Yeah, that’s right. I was in and out of Atlanta a couple of times during that, and I noticed nothing, which is great. I applaud the city for being able to recover, but at the same time, how do we learn from the recovery? How do we avoid these types of problems, or how do we speed the recovery so that they aren’t so long drawn in some cases? It’s real citizens and real problems in these cities in particular.
And is there an opportunity to maybe partner at the state level and support counties and cities as a network so that they aren’t concentrated as a set of problems within just inside the perimeter? I guess that would be what you’d call that in Atlanta. Or it’s somebody else’s problem here in Texas. I know Texas is huge, but really at some level, any city, any municipality that’s damaged, that’s a hit on the entire community that, you know, we all work together. So, it’s definitely something that I think our cities and our leaders need to have a playbook on and to be thoughtful about before they have to jump in and deal with it.
Pam: Exactly. This is the “Security Intelligence Podcast” where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
Pam: So, I had a chance to speak with two experts who have experienced the on-the-ground investigation of a ransomware attack. Matthew DeFir and Robert Gates are members of the IBM X-Force IRIS team, and they offered some advice for our listeners on not just how to remediate after a ransomware attack, but how to actually improve your security posture to prevent one. Here’s our conversation.
Welcome to the show. Can you take a minute to introduce yourselves?
Matthew: Hi. Thank you for having me. My name is Matthew DeFir. I am the incident response function lead for IBM X-Force IRIS, North American team. I come from an incident response and digital forensics background. Previously working for the Navy performing mostly incident response and malware reverse engineering as well as Mandiant before coming to IBM, where I’ve contributed to several large incident response breaches globally.
Pam: And Robert, what about you?
Robert: Thank you, Pam, for inviting me to this podcast. My name is Robert Gates. I’m a senior threat intelligence analyst with the IBM X-Force IRIS threat hunt team. The majority of my experience has been in the government sector, and this is sort of my first foray into the private sector, and I look forward to this conversation because I think it’s pretty timely right now.
Pam: Yeah. We’ve seen a lot of really recent news. So, you all know I live in the city of Atlanta, and the city itself was hit by a ransomware attack. So, it’s relatively near and dear to my heart in terms of…Well at least it didn’t stop traffic, but it sure messed up trash pickup for a while.
So, we’ve talked about other kinds of malicious attacks in the past here on the podcast. We’ve talked about lateral movement and destructive malware. Can you all talk about how ransomware compares to these other tactics and what some of the differences are?
Robert: There’s definitely a fine line where ransomware can cross over to be destructive, whether it is the implementation errors with, like, the way the files are encrypted or the way the files are decrypted. Things of that nature can actually turn something where the actor intended it to be a ransomware attack, and it suddenly becomes a destructive attack, because there’s no way for the business to directly recover from that.
Matthew: I think there’s a little bit of some gray area there between destructive attacks and ransomware attacks. I think that ransomware attacks in and of themselves are kind of inherently destructive from a client’s perspective, from an urban environment perspective. And there’s really no guarantee that paying the ransom is going to get you back to where you want to be anyway. So, you know, I think they’re kind of linked, and ransomware attacks are generally considered destructive in nature.
Pam: When we look at ransomware over time — I referenced the example here in the city of Atlanta that we went through — so how have those changed, you know, since ransomware first came about?
Robert: I think the biggest change that’s occurred over time has been the fact that a lot of these ransomware attacks have become more targeted. It seems like the attackers are definitely doing their due diligence in profiling the potential victim organization to understand when they can apply the maximum pressure to force the victim to pay the ransom. You know, you mentioned the school system attacks, and in the case of that, they did it right at the beginning of the school year, so everything is kind of in flux. You got the parents, and the students, and the teachers, and all that trying to work out the process and suddenly their network is taken down with a ransomware attack.
The maximum pressure to pay the ransom by the victim to get all their systems back online, that’s what they’re hoping for. Or, for example, say an accounting firm right around tax time. They might try to attempt to deploy their ransomware during that timeframe. Again, just to apply maximum pressure in hopes that the victim would pay the ransom.
And more and more, like the TTPs that they’re incorporating, are something that the industry has sort of called living off the land where their toolkits have started to include legitimate pen-testing tools such as, like, Metasploit, or Cobalt Strike, or PowerShell Empire, Mimikatz, Meterpreter. And as these ransomware attacks have become more and more successful, you see some of the other ransomware family operators implementing or adding some of those TTPs to their toolkit.
Pam: Yeah. And I think for those that aren’t familiar with the term TTP, it’s something I had to ask a couple of years ago. It’s tools, tactics, and procedures. So, that kind of common toolkit that they draw from and reuse over and over.
Matthew: This is something that we’ve definitely seen a lot more of recently, especially related to more of these targeted ransomware attacks where a commodity infection, meaning what would traditionally be a generic piece of malware or a Trojan infection on a machine, allows initial access for an attacker to get into an environment and then leverage that initial foothold to gain, you know, privileged access and harvest credentials and perform some reconnaissance activities. And once they’ve achieved that kind of initial goal, then turning the environment against the client, you know, with ransomware or some other type of destructive attack.
Pam: I want to talk about that idea of paying the ransom, and what’s your take? Because we talked about earlier, you know, the advice to not pay the ransom. What’s your perspective on that as investigators?
Matthew: I am definitely in the ballpark of recommending not to pay the ransom. There’s no guarantee that the attacker is going to actually decrypt all of the systems in the environment. We have to take into consideration that these are criminal organizations that are financially motivated, loosely based in more like splinter cell groups that are leveraging this malware and these technologies to turn a client’s environment into a way to gain a monetary goal. And so, there’s no guarantee that even if they do provide some type of decryption key, that they’re not just going to come back into the environment or that they don’t still have some type of access into the environment in order to leverage another attack.
Additionally, if the attacker still has access to the environment and a client has paid the ransom and they get some of their systems back in line, there’s also no guarantee that there isn’t some other commodity infection or some other actor in the environment who doesn’t have the same goal system as the initial attacker who leveraged the ransom. So, you could have multiple threat actors in an environment, you know, leveraging their access for different goals.
Pam: Yeah, it’s like you validated that you’re willing to pay. And it reminds me of my parents and other people that now they’ve learned don’t answer when it’s a telemarketer call because all you’ve done is validate there’s a person on the other end, and now, they just call you more. That’s what it reminds me of, like, don’t let them know that you’ll pay.
Robert: The decision is going to really fall on the victim of the ransomware attack. And, you know, I can’t stress it enough for them to consider all their options prior to becoming a victim, because if they wait till the day they become a victim, it’s likely going to be their worst day, week, month ever, and probably not the time to explore their options.
I had a couple of recent conversations with some of the cyber insurer executives…that’s becoming an industry now, and they all agreed that victims are not more apt to pay the ransom because they actually have an insurance policy. If their stance is that the organization is gonna refuse to pay the ransom, then that’s the stance they take even with having insurance.
Pam: So, let’s talk about what happens if they don’t – if they pay and the attackers don’t deliver. So, let’s say the ransomware has flaws or maybe the encryption keys are just garbage and they don’t work. What happens then?
Robert: The victims themselves are put in a really bad position, I guess, because now they’ve sort of expended some of their resources that they have available to them to restore their network, right?
Matthew: Depending on the size and scope of the organization, it can be an extremely damaging situation as well. In some cases, the ransom could be considerable. And if they decide to get the approval throughout the organization to make that payment, they could be put in sometimes a worse situation financially from a cash-positive perspective for daily operations within the organization.
Pam: Can we drill down into that a little bit more and talk about some best practices that can help reduce the likelihood of an infection turning into a ransomware incident?
Matthew: Yeah, so, just a couple of fundamental recommendations right off the bat is just having end-point visibility. It’s highly likely that you’ll be in a better position from an organization perspective, from a security perspective within your environment if you can identify this type of attack earlier in the attack chain when the attacker is getting set up to actually deploy the ransomware in the environment.
Typically, there is an initial attack phase where they gain a foothold into the environment through some type of commodity malware Trojan, or even through some other type of, you know, back door or even a vulnerability through an externally-facing web application that is not segmented from the corporate environment well enough in order to keep the attacker from moving laterally.
Robert: I would also consider remediating all the commodity infections. Don’t treat them as a nuisance in the past, because some of these commodity malware campaigns can be pretty broad and untargeted and the spear-phishing associated with it could have thousands of targets. But sometimes these infections, though, like Matt was saying earlier, they sit on the network for eight months, a year, and any of these could ultimately lead to the deployment of the ransomware. And I think another thing to consider is some of these ransomware actors have started to target things like managed service providers or cloud service providers.
So, understanding your third party risk with your network and understanding, you know, all the outgoing connections where they go, incoming connections, what you expect them to look like and things like that, because in a couple of instances they have compromised say a managed service provider and used that access, because on a normal day-to-day basis, those two networks communicating would be considered normal, but it allows the attacker into your network, and then potentially, like I said, ending up with ransomware being deployed.
Pam: So, I want to circle back to one of our earlier topics. When we were talking about school systems and local governments, are there other sectors beyond the public sector that are vulnerable to this kind of attack?
Robert: I think historically some of the numbers indicate that the medical or health sector has been a particular victim of this sort of attack, and I think it goes back to, again, maximum pressure, right? If they deploy ransomware on a hospital’s network or anything associated with healthcare, you know, now we’re talking about potential of life and death, the ability to treat patients and things like that.
I think the reason they sort of targeted the school systems and local governments, I think some of these attackers might see those particular victims as low-hanging fruit. You know, they’re operating on a very tight budget with limited personnel to protect their networks, so it might provide them an easy way to get in. But I think today, no sector…because of the perception that it’s profitable for these ransomware operators, there’s not a sector that isn’t necessarily gonna be targeted at some point by ransomware. I think, you know, everybody should be on the lookout.
Matthew: I would definitely agree with that. If you think about just the active targeting a municipality, like a city, the chance of potentially affecting their 911 services, fire and rescue services, could apply a lot of pressure to an organization to just pay the ransom so that they can provide life-saving services to the citizens within that municipality. A small foothold in one environment within a city like Atlanta or like Baltimore can lead to serious destruction, you know, from a holistic perspective where if an attacker was able to bring down essential services like water purification or even potentially electric grid or something that affects rescue and 911 services, it can really apply a lot of pressure to a city to just pay the ransom.
Pam: And as a citizen and a taxpayer, how are you seeing taxpayers respond to these kind of incidents? Like, what’s the public perspective on how prepared local governments are for an attack like this?
Robert: So, IBM jointly recently conducted a survey of local government ransomware and how the public feels about paying the ransom and things of that nature, and there was definitely some surprising findings such as half the Americans knew nothing about ransomware, which is astounding, since it seems to be in the news almost every other day. Then they also discovered that roughly 50% of the people wouldn’t be willing to pay additional tax dollars to pay the ransom or they wouldn’t be willing even to pay additional dollars to strengthen the protections for their local networks and things of that nature. Most of the respondents were putting the onus on the federal government versus the local government. They were almost like, “The federal government should step in and protect us and refund us any money that we do pay out for ransoms,” and things of that nature.
Pam: I find it interesting too that I feel like a lot of those opinions are coming from the fact of, like, “Well, I already pay taxes, why aren’t you doing it right to begin with so you don’t get infected?”
Robert: Agreed. You know, the percentage of people that likely said, “Just pay the ransom,” are probably under the impression that by paying the ransom, you know, the services…It’s like your power was turned off one day because your bill wasn’t paid and suddenly you pay it, and everything is restored within days. And it’s definitely not a situation like that.
Pam: I find it delightful that there’s that perception that it would be fixed so quickly and we’re just like, “No, most of us have worked with government at some point. Nothing really happens quickly.” All right. So, let’s bring it back around to recovering. How do we get ahead of this as businesses, as the local government? So, what recommendations do you all have for backup and recovery planning after this kind of attack?
Matthew: We’ve seen in some cases where the actual backup systems themselves, if they’re on-prem, were actually targeted by the attackers as well. And so it really needs to come down to having multiple different avenues to recover in the environment if we’re just talking from a backup perspective. If you need to have something that’s, you know, an incremental backup that’s on-prem, that’s perfectly understandable. But there should also be incremental and full backups for those critical systems that go offsite to a non-connected environment.
There are a whole host of other recommendations that usually come along with remediation and recovery from an event like this, and most of those are, you know, more centered around preventing it from happening again by segmenting different assets in the environment, auditing privileged accounts like domain administrators and service accounts and those types of things in order to, you know, basically make the environment less applicable for the attacker to move from an initial foothold to, “Hey, I’ve got full access into the environment, and I have domain administrator credentials and now I can, you know, set up my ransomware on this domain controller and then use the domain controller to deploy ransomware throughout the entire environment.”
Pam: Great. I think we’ve got a blog on SecurityIntelligence.com that documents some of those best practices and we’ll link to that in the show notes for this episode. So, this spring, the IRIS team helped prevent a ransomware attack with the client. Can you all share some of your takeaways from that win?
Matthew: Yeah. Rob and I worked really closely on that engagement. So, some of the takeaways are that there are multiple groups doing this type of thing. Some of them are more traditionally financially motivated attack groups who have changed their tactics and techniques and procedures in order to kind of jump in on the ransomware bandwagon.
And what you get with that is that you get a more sophisticated threat actor in the environment, performing reconnaissance, moving laterally, deploying different types of persistence in the environment, and leveraging a more sophisticated attack to deploy ransomware or, you know, whatever their end goal is. But in this particular case, it was MegaCortex ransomware. The attacker gained access to the environment through commodity Trojans like TrickBot, and Emotet, and Qbot that are more traditionally considered information stealing, banking Trojan, you know, types of commodity malware that have different types of configurations that are designed for basically stealing banking credentials and those types of things. But they have a lot of other functionality as well, such as, you know, they’re modular in nature, and you can deploy credential harvesting tools, and you can gain C2 access to an end-point and leverage that access to basically move laterally in the environment.
In this particular engagement, we identified that the attacker had leveraged that initial foothold in the environment to harvest some credentials, perform active directory reconnaissance to identify key assets in the environment as well as key users in the environment, specifically targeting domain administrators in the environment. They had leveraged Mimikatz to harvest the credentials for several domain administrator accounts and then used basically the Windows Management Instrumentation Console or command-line, WMIC, basically to move laterally and deploy their ransomware and supporting batch scripts throughout the environment. And they were leveraging a domain controller that they had compromised as basically the repository for the ransomware and the supporting scripts that they were using to execute the ransomware.
Pam: So, you mentioned three different commodity malware used to initiate the infiltration. Is that because they try a lot of things to see what’s actually going to work or do these three things only end up showing up together? Like, what’s the reasoning behind that, from your perspective?
Matthew: I think that it depends on the threat group, you know, and which of these types of tools they have access to, which of these commodity Trojans that they have access to or that they are comfortable with and feel like leveraging. In some cases, it’s hard to actually attribute which commodity infection actually provided initial access to the environment. In some cases, there’s multiple.
We had basically identified the attacker was deploying their ransomware in real-time, because we had end-point visibility in the environment. And so, when we had identified that they were starting to deploy the ransomware, we got on the phone with everybody in the organization. We had the right people on the phone, and we started implementing containment measures and putting in restrictions to the access in the environment that we knew the attacker had at the time.
Pam: So, we’ve heard about the trends that we’ve seen here, you know, consumer perceptions. We’ve talked about tips and tactics to try and avoid infection or at least making it worse. Let’s talk about the future, and more specifically, you know, what you would expect to see ransomware change or evolve into. What are we thinking you’re gonna see in the next six months to even a year from now? What changes?
Robert: Well, I think as long as the attackers themselves consider ransomware profitable, I think we can expect an increase in attacks and possibly even drive, you know, new actors that weren’t operating in this space to make their attempts to deploy ransomware. And if everybody takes a collective stance against paying the ransoms and we find key controls to put on networks to sort of prevent these attacks from happening, I think maybe it’ll likely cause a shift within the attackers as far as seeing ransomware as a viable way to make money.
Matthew: When ransomware first came on the scene, it was more of a worm-like types of malware that eventually propagated their way through the environment. Most likely through some type of vulnerable web application or somebody clicked on a spam email or clicked on a phishing email and opened an attachment and this kind of worm-like malware would propagate to the environment by itself and then eventually would hit some type of trigger or would be beaconing out to some command and control infrastructure and then the attacker could basically hit the trigger on it and encrypt the environment.
These attacks are moving more and more to, you know, more sophisticated, targeted threat groups or coming into environments, you know. They’re compromising the environment in a traditional kind of sense. You know, they have a foothold in the environment. They take that foothold, and they leverage that to deploy custom back doors and custom malware into the environment, compromise domain administrator accounts, and move laterally to critical assets in the environment. So, very similar attack structure to other types of attacks that aren’t ransomware in nature.
Pam: Any closing thoughts that you want to leave our listeners with?
Robert: I would say devising a plan before you become a victim, because the ransomware activity has grown to where it’s at nowadays.
Matthew: I would agree with that. This is more of a recommendation for, you know, potential victim corporations, but implementing very specific playbooks into the environment for handling ransomware incidents, who are the right people to bring in, the right times in order to implement countermeasures, identifying the different phases of a ransomware attack and having different plans for those different phases. And on top of that, you know, additionally having critical assets segmented away from the rest of the environment through multiple means, and then additionally having multiple forms of backup solutions for those critical assets as well.
Pam: Okay. Well, thank you both so much for joining and sharing your experiences, both with our clients and as responders out in the field.
One of the things that really struck me about that conversation with Matthew and Robert was how much it hearkened back to the discussion we had on lateral movement, and once there’s an infiltration and how quickly that can happen. And I really encourage listeners to go back and listen to that episode if they haven’t yet.
So, David, do you have any good news for us this week?
David: It actually came to me over the weekend. I was watching my personal favorite college football team, the Fighting Irish at Notre Dame, and during one of the ad breaks, I really applaud the university and the local South Bend Police Department for their partnership that they did a quick special on, I guess, maybe an advertisement, but they were talking about how they had paired some of the students, the digital natives there at the university with the local police force.
And they were looking at real law enforcement work experience for the students, but they were bringing in the speed and the knowledge of the digital world from the students so that as they investigated cybercrime, they were moving their investigations from things that would take a couple of months down to a couple of hours, maybe a couple of days, and finding more evidence than they had before. And in some cases, they were exonerating people who had been accused, and on other cases, they were finding people who they didn’t even think to investigate or know to investigate through these partnerships.
And I think that what the university has done with the local police department is a great model for other cities with the university states and local PD and university students coming together. This real experience, I think, should translate into some of the very best cyber professionals as they leave the confines of academia and move into corporate or private world. So, way to go Irish, and I’m looking forward to seeing more about what they’re going to do.
Pam: Great. Well, that’s it for this episode. Thanks to Robert Gates and Matthew DeFir for joining us as guests.
David: Subscribe to this podcast on Apple Podcast or SoundCloud to make sure you never miss an episode. And also, visit securityintelligence.com/media to explore more episodes like the one Pam mentioned earlier. Thanks again for listening.