Wannacry, Erebus, and Mole made last week a big week for ransomware
By Christine Barry
There’s so much going on with ransomware that we can’t stick to just one topic. This week we’ll take a look at three interesting attacks that occurred around the world.
Let’s start with Wannacry, which is probably the most famous ransomware in history. Last time we talked about this ransomware, it was in full attack mode around the globe. Eventually, this attack settled into an ebb and flow pattern, on a much smaller scale. The news around Wannacry had slowed to a trickle until Monday, when attackers were able to successfully use the ransomware against Honda networks in North America, Japan, Europe, and China.
In response to this attack, Honda stopped operations at its Sayama plant, which manufactures about 1,000 vehicles per day. Sayama operations were back online by Tuesday, and no other facilities were impacted by the ransomware. Honda did make an extra effort to secure its systems during the May attack and gave no details on how the ransomware made its way into the systems this week.
Renault and Nissan were also struck with Wannacry during the May attack. This caused the shutdown of production facilities in Japan, Britain, France, Romania, and India. Industry experts warn that new versions may be used in future attacks.
Next in the list is Erebus, a piece of ransomware discovered in September 2016. This ransomware evolved quickly from targeting PC workstations to infecting Linux and Windows servers.
Over the last couple of weeks, a South Korean web hosting company called ‘Nayana’ has been dealing with a devastating attack that infected 153 Linux servers and 3400 business websites. In a June 12 notice, the company announced that they were dealing with “System failure due to Erebus Encrypted.” (link is translated into English) According to The Merkel, Nayana has agreed to pay $1 million to the attackers to decrypt their files. The demand was initially about $1.65 million, but Nayana successfully negotiated the amount down to $1 million. The bitcoin transaction took place in three separate phases due to the restrictions on buying large quantities of bitcoin.
Nayana’s server software had not been updated in years: the Linux kernel dates back to 2008, and the Apache and PHP versions are from 2006. It’s not currently known how the servers were compromised, but considering the age and patch status of the software, the attackers probably used a known exploit to deploy the ransomware.
Paying the ransom doesn’t guarantee that all of the data will be decrypted and available to use. Some data may be lost in the process, or the criminals might not hold up their end of the deal. Even more troubling is the fact that if the ransomware isn’t configured correctly, the criminals won’t be able to track which victims are paying the ransom. In this case, the victims probably won’t get anything in return for their money. There’s no reason to think that this is the case with Nayana, but it’s a good time to point out that paying the ransom doesn’t guarantee complete data restoration.
And now we come to Mole, which is the ransomware that took the University College London and Ulster University offline last week. Mole was discovered in April of this year and is part of the CryptoMix family of ransomware. Researchers believe that Mole was distributed by the AdGholas malvertising group, which is an operation that has a massive malvertising network. AdGholas was discovered in 2015 and observed infecting thousands of victims per day with multiple sophisticated techniques.
As I noted in the UCL post last week, the staff believed that the network was infected after a user visited a compromised website. These sites require no input from the user; the attack analyzes the visitor’s computer for known vulnerabilities and will deploy an attack based on those weak spots.
What’s interesting about this attack by AdGholas is that the group is commonly associated with stealth attacks. They are best known for targeting financial institutions with advanced persistent threats (apt) and other attack software that will allow them to perform reconnaissance and data exfiltration. A ransomware attack isn’t their style, which leads some to wonder if they’ve decided that ransomware is where the money is.
All three of these ransomware attacks might have been avoided with software updates. This is why it is so important to apply patches and other fixes as soon as they are available. Obviously, this can’t be done in every situation; some environments just require testing and other procedures before a patch can be applied. Network security may prevent the ransomware from communicating with the C&C server, and data recovery solutions can restore your files after an attack. Ultimately, you want to make sure you’re doing everything right, not just a few things. Deploy a comprehensive security solution that includes data recovery, update software when possible, and train users consistently.
(This article first appeared on Barracuda’s blog here).