Ransomware is in the news on a daily basis. We often treat Microsoft products as the only entry point for ransomware, but all too often the attackers come in through other doors. Researchers recently compiled a list of the vulnerabilities that have been used in ransomware attacks over the last several years. The list shows the typical routes used to gain network access and includes vulnerabilities in VPN software, network storage software, firewall software, and various other platforms.

Susan E. Bradley, CPA/CITP/CFF, GSEC

Entry Points for Ransomware Attacks

Here is the list: Pulse Secure VPN (CVE-2021-22893, CVE-2020-8260, CVE-2020-8243, CVE-2019-11539, CVE-2019-11510), F5 (CVE-2021-22986, CVE-2020-5902), Microsoft Windows (CVE-2019-0708, CVE-2020-1472, CVE-2021-31166, CVE-2021-36942), Citrix (CVE-2020-8196, CVE-2020-8195, CVE-2019-19781, CVE-2019-11634), Palo Alto (CVE-2020-2021, CVE-2019-1579), Microsoft Office (CVE-2017-0199, CVE-2017-11882, CVE-2021-40444), Atlassian (CVE-2021-26084), Microsoft Exchange (CVE-2021-34523, CVE-2021-34473, CVE-2021-31207, CVE-2021-26855), QNAP (CVE-2021-28799, CVE-2020-36198), VCenter (CVE-2021-21985), Zoho (CVE-2021-40539), Fortinet (CVE-2020-12812, CVE-2019-5591, CVE-2018-13379), Sophos (CVE-2020-12271), Accellion (CVE-2021-27101, CVE-2021-27104, CVE-2021-27102, CVE-2021-27103), Microsoft Azure (CVE-2021-38647), SonicWall (CVE-2021-20016, CVE-2020-5135, CVE-2019-7481), SharePoint (CVE-2019-0604) and FileZen (CVE-2021-20655).

All of these vulnerabilities have been used over the last several months to attack public and private sector networks. When reviewing the networks you protect, keep these methods of gaining access and launching attacks in mind. Attackers are using weaknesses in edge devices and remote access tools to get into the networks under your protection. Once inside, they use tooling and weaknesses in credential protection to take control of the network.
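As an added example (not part of the article), a small Python triage script that parses the vendor-grouped list above into a CVE-to-vendor lookup and matches it against vulnerability-scanner findings, so that exposures on the known entry-point list are patched first. The host names and findings are constructed for illustration.

```python
import re
from collections import defaultdict

# The vendor-grouped list from the article above, reproduced verbatim (the parenthesis missing before the Windows CVEs is supplied).
ENTRY_POINT_CVES = (
    "Pulse Secure VPN (CVE-2021-22893, CVE-2020-8260, CVE-2020-8243, CVE-2019-11539, "
    "CVE-2019-11510), F5 (CVE-2021-22986, CVE-2020-5902), Microsoft Windows (CVE-2019-0708, "
    "CVE-2020-1472, CVE-2021-31166, CVE-2021-36942), Citrix (CVE-2020-8196, CVE-2020-8195, "
    "CVE-2019-19781, CVE-2019-11634), Palo Alto (CVE-2020-2021, CVE-2019-1579), Microsoft Office "
    "(CVE-2017-0199, CVE-2017-11882, CVE-2021-40444), Atlassian (CVE-2021-26084), Microsoft "
    "Exchange (CVE-2021-34523, CVE-2021-34473, CVE-2021-31207, CVE-2021-26855), QNAP "
    "(CVE-2021-28799, CVE-2020-36198), VCenter (CVE-2021-21985), Zoho (CVE-2021-40539), Fortinet "
    "(CVE-2020-12812, CVE-2019-5591, CVE-2018-13379), Sophos (CVE-2020-12271), Accellion "
    "(CVE-2021-27101, CVE-2021-27104, CVE-2021-27102, CVE-2021-27103), Microsoft Azure "
    "(CVE-2021-38647), SonicWall (CVE-2021-20016, CVE-2020-5135, CVE-2019-7481), SharePoint "
    "(CVE-2019-0604) and FileZen (CVE-2021-20655)"
)

# One "Vendor (CVE, CVE, ...)" group; the vendor name may contain digits (F5) and spaces.
ENTRY = re.compile(r"([A-Za-z][A-Za-z0-9 .]*?)\s*\(((?:CVE-\d{4}-\d{4,7}(?:,\s*)?)+)\)")
CVE = re.compile(r"CVE-\d{4}-\d{4,7}")

def parse_entry_points(text):
    """Turn 'Vendor (CVE, CVE), Vendor (CVE) and Vendor (CVE)' into {vendor: [cves]}."""
    return {vendor.strip(): CVE.findall(cves)
            for vendor, cves in ENTRY.findall(text.replace(" and ", ", "))}

def prioritize(findings, mapping):
    """Split (host, cve) scanner rows into hits on the entry-point list (by vendor) and the rest."""
    lookup = {cve: vendor for vendor, cves in mapping.items() for cve in cves}
    hits, others = defaultdict(list), []
    for host, cve in findings:
        if cve in lookup:
            hits[lookup[cve]].append((host, cve))
        else:
            others.append((host, cve))
    return dict(hits), others

# Constructed scanner output for hypothetical hosts; CVE-2021-00000 is a placeholder id not on the list.
SAMPLE_FINDINGS = [
    ("vpn-edge-01", "CVE-2019-11510"), ("vpn-edge-01", "CVE-2021-22893"),
    ("mail-01", "CVE-2021-26855"), ("dc-01", "CVE-2020-1472"),
    ("fw-01", "CVE-2018-13379"), ("web-03", "CVE-2021-00000"),
]

if __name__ == "__main__":
    hits, others = prioritize(SAMPLE_FINDINGS, parse_entry_points(ENTRY_POINT_CVES))
    for vendor, rows in sorted(hits.items()):
        print(f"patch first  {vendor}: {rows}")
    print(f"review later {others}")
```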

Government Clamp Down

Various government agencies are starting to put together resources, such as a ransomware checklist, to help businesses prepare for an attack. But one of the ways they are clamping down on ransomware is by going after the financial side of the equation. The United States Treasury recently released a document regarding its planned sanctions for firms paying ransom as well as firms that facilitate the payment of ransom. Generally speaking, it is not wise to pay a ransom: it keeps the attackers in business. Nor should you count on obtaining a decryption key that will restore your data quickly enough. The decryption process is so slow that the tool often has to be re-coded in order to speed it up.

Restoring Everything

Only during a ransomware incident do you truly grasp what restoring everything from backup means. We often test or recover parts of servers and assets on a regular basis, but it is rare that every digital asset, servers and workstations included, is recovered at the same time. It can be an interesting lesson in the steps and passwords you may have forgotten that are needed to completely restore the network.

To Pay or Not to Pay

There are times when some firms decide to pay the ransom. But in doing so we keep the attackers in business. The U.S. Department of the Treasury is trying to break us of the habit of paying by putting sanctions in place.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has designated several cyber attackers with sanctions. Recently it designated SUEX OTC (a virtual currency exchange) for its part in facilitating ransomware transactions. The implementation of the sanctions means that for this company, “all property and interests in property of the designated target that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.”

Ransomed Clients and the Law

But what if one of your clients is a victim of ransomware? Could you or that firm be sanctioned for paying the ransom just to regain access to those digital assets? It actually is a possibility. The Treasury document indicates that “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.”

Wiggle Room

But the U.S. Treasury has also introduced what I would call “wiggle room” that gives you the potential to not be sanctioned. In my interpretation of the guidance, I focused on the section where they stated that if you performed steps to reduce the risk of extortion by adopting and improving your clients’ cybersecurity practices, such actions will be taken into account when determining OFAC’s enforcement response. As they note in the document, such “steps could include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.” CISA’s guidance on ransomware protection should be reviewed, and you should keep up with updates to that guidance.

Working with Law Enforcement

OFAC encourages victim companies to report incidents and cooperate with law enforcement. The document indicates that cooperation with OFAC, law enforcement, and other relevant agencies makes it more likely that the agency will not sanction your clients (or you) and will instead issue merely a no-action letter or a cautionary letter, provided you cooperated with authorities and reported the attack. Smaller firms are often unsure where to report a ransomware attack. No matter how large or how small the attack, ensure that you report it at a minimum through the Internet Crime Complaint Center. If the impact to the firm or industry is high enough in value, or you represent an industry with a key national security impact, you may wish to report the issue to your local U.S. Secret Service office. As Managed Service Providers are in the crosshairs these days, it would be wise to investigate your local resources. Review ahead of time whether you have the log files and evidence that may be needed in an investigation.

Have a Backup Plan

For any managed service provider, ransomware should be a question of when, not if. There is no magic bullet of protection against ransomware; it takes layered patching, protecting authentication, and end-user education, among many other techniques. The only true protection is a good backup and restoration strategy so that the firm can recover its assets to a point in time before the attack. But because many firms don’t realize the faults in their backup strategies until it is too late, or contact the MSP only once the damage is done, payments to ransomware attackers continue to occur. Make sure you don’t get caught up in a potential sanction: contact the Internet Crime Complaint Center at a minimum after each incident. Review your processes and those of your clients to see where your firm and your clients can do better. It is only by cutting off the financial pipeline of these attackers that we can finally get ransomware under control.


About the Author

Susan Bradley is a GIAC Security Essentials Certificate holder. GIAC Security Essentials Certification graduates have the knowledge, skills, and abilities to incorporate good information security practices in any organization. To be listed as a GIAC Security Essentials Certified graduate a candidate must pass a comprehensive exam that is based on the best security practices to meet the current threat as outlined on the GIAC web pages. In addition, the candidate must complete an Internet research project and contribute to the knowledge of the defensive community. Accounting Today magazine named her as one of the “Top 100” in the accounting profession. The group was described as the “true changemakers and pacesetters in the accounting profession…[who] shape and inspire the future of accounting.” She is the past Technology Chairman of the Fresno CPA Society and the California Society of California CPAs and regularly presents on the topics of technology and issues in security. She is an Associate Member of the Association of Certified Fraud Examiners.

She trained at the Guidance Software training center located in Pasadena, California in the use of EnCase Forensic software and other forensic techniques and is in the process of obtaining her EnCase Certification. She provides data retrieval and other computer forensic examinations including examination of computers, drives, portable devices, email, and other electronic discovery techniques.