RIGHT IN OUR OWN BACKYARD – JACKSON COUNTY HIT WITH RYUK RANSOMWARE – AN ATTACK THAT COULD HAVE EASILY BEEN AVOIDED
Officials in Jackson County, Georgia, paid $400,000 to cyber-criminals this past week to get rid of a ransomware infection and regain access to their IT systems. The County hired a cyber-security consultant to negotiate a ransom fee with the hacker group. Jackson County officials have not yet confirmed how hackers breached their network.
The infection forced most of the local government’s IT systems offline, with the exception of its website and 911 emergency system.
“Everything we have is down,” Sheriff Janis Mangum told StateScoop in an interview. “We are doing our bookings the way we used to do it before computers. We’re operating by paper in terms of reports and arrest bookings. We’ve continued to function. It’s just more difficult.”
Jackson County officials notified the FBI and hired a cyber-security consultant. The consultant negotiated with the ransomware operators, and earlier this week the Georgia county paid $400,000 to hackers to get a decryption key and re-gain access to their ransomed files.
County officials are in the process of decrypting affected computers and servers, Jackson County Manager Kevin Poe told Online Athens in an interview.
“We had to make a determination on whether to pay,” Poe said. “We could have literally been down months and months and spent as much or more money trying to get our system rebuilt.”
It looks like there are two Ryuk gangs at the moment, one out of North Korea and the other one is believed to be operating out of Eastern Europe. For the past year, both have focused on targeting local government, healthcare, and large enterprise networks. They intentionally go after big targets as part of a tactic known as “big game hunting.”
Jackson County won’t be the victim who paid the largest ever ransom demand, though. This “honor” goes to South Korean web hosting firm Internet Nayana, which paid 1.3 billion won ($1.14 million) worth of bitcoins to a hacker following a ransomware attack in June 2017. More at ZDNet.
WHY THIS HITS CLOSE TO HOME FOR US AND HOW THIS COULD HAVE BEEN AVOIDED
Terra Nova is located and heavily active in the business community in the Jackson County Area. Obvioulsy, as a result, this news hit too close to home for us for comfort so we did some further research to confirm how this could have been avoided with the right solution in place such as our 24/7 Business Protect Cybersecurity Platform featuring SentinelOne as our flagship EDR tool.
As described below, the Ryuk Ransomware quite frankly would have been detected and eliminated before any further damage occurred. Had anything slipped through the cracks, SentinelOne features an unprecedented ransomware protection guarantee and one-of-a-kind immediate rollback capacity. NO RANSOM TO BE PAID AND $400,000 LEFT IN THE BANK TO SPEND ON FURTHER GROWTH OF JACKSON COUNTY. Curious to see what affect this has on the growth of our area in the near term as things progress.
Since this is right in our backyard, should any Jackson County Officials read this – contact Terra Nova today as we are more than willing to assist and consult in any future planning for your systems, network and infrastructure security, and overall cybersecurity awareness. We can show you first hand how this could have been avoided using SentinelOne Autonomous Endpoint Protection – The only platform that defends every endpoint from every type of attack at every stage in the threat lifecycle. In partnership with S1, we’re helping change the game with how threats are addressed and truly making fear of cyber attacks a thing of the past.
This should also serve as a lesson to our business contacts in the area. No matter how safe you think your business and critical data is, you are being targeted and one attack away from being out of business. Don’t hesitate to reach out to us as soon as possible for a free consultation to further protect your business and its most precious assets today!
A DEEPER TECHNICAL LOOK IN RYUK RANSOMWARE AND WHAT OUR PLATFORM WOULD HAVE DONE
Ryuk is not new. Since mid-August 2018, the Ryuk ransomware has netted a tidy sum for its authors and shown that simply having AV and backup solutions on board may not be enough.
Ryuk Use Case Attack Example:
Linked to the notorious APT Lazarus group and the earlier HERMES variant of ransomware, Ryuk’s bitcoin wallets have already accumulated over $640,000 in bitcoins, indicating just how successful their strategy has been so far. The particular sample we tested is responsible for 50.41 BTC (316,265 dollars as of today).
What we found particularly interesting was Ryuk’s attempts to disable legacy AV products and to delete Windows VSS shadow copies before the ransomware started its encryption procedure.
By default, Windows makes up to 64 shadow copy backups of volumes and files, enabling users to recover data from snapshots at different points in time in the event of data loss or overwrite.
Ryuk, however, begins by deleting the snapshots and resizing the storage space to zero-out any chance of recovery:
Not content with ensuring that the built-in backups are unavailable, Ryuk also disables several 3rd-party backup services, including Acronis, SQLSafe, VEEAM, and Zoolz.
Ryuk also attempts to stop processes belonging to some legacy AV protection software, among them Sophos and Symantec System Recovery processes.
As can be seen in the demonstration video below, Sophos comes in for particular attention, as this view from the SentinelOne Management Console shows:
Ryuk’s attempts would have been ineffective against our Cybersecurity Platform with all endpoints protected by the SentinelOne agent, as it has several detection layers and anti-tampering protections. SentinelOne also has the ability to integrate directly with network infrastructure security as well using a simple Connector to allow for immediate blacklist updates and quarantining even deeper than just for endpoints located on the internal LAN.
- Pre-execution – as seen in the video below, once the malware is copied to disk, it is detected. In a real-life scenario, this occurs as the threat is quarantined, ensuring the user never has a chance to execute it.
- On execution – this is where the behavioral AI comes into play. As seen in the video, the Ryuk sample is spawning multiple processes, using a
batfile to complete its operation. The behavioral AI is capable of connecting all the dots and creating what we call a “group”.
- This leads to the third layer that makes a difference, Deep Visibility. The group contains all the files, processes, registry entries (
created registry auto run keyin this case), and other IOCs related to this malware. Even if the device were set to a Detect-only policy, a SOC analyst would be able to perform a threat hunt operation that would reveal all items related to this threat, as shown in the example below:
See Ryuk in action in the embedded video below. The threat was immediately detected and eliminated. The Platform also provided a full forensics profile of the attack in the form of an “attack story line”, what attempts were made by the threat and where, and how the system eliminated the threat.
Anti-tampering – the SentinelOne agent protects its services, processes, registry entries and others by default. It also protects all VSS shadow copies, so users can quickly rollback and recover their files.
Ryuk’s behaviour underlies the importance of a security solution like SentinelOne that provides defense in depth and is immune to tampering. It should never be possible to disable or cripple reliable endpoint protection.
Contact Terra Nova today to learn more!