The Norsk Hydro Ransomware Attack

A review of the 2019 ransomware attack on Norsk Hydro, for the geeks in the audience. How to Survive a Ransomware Attack Without Paying the Ransom.

For those who don’t follow these things… It has been called, “The worst cyberattack in Norway’s history.”

At around midnight Oslo time on March 19, 2019, computers owned by Norsk Hydro ASA, a large aluminum manufacturer, started encrypting files and going offline en masse. It took two hours before a worker at its operations center in Hungary realized what was happening. He followed a scripted security procedure and took the company’s entire network offline—including its website, email system, payroll, and everything else. By then, a lot of damage was already done. Five hundred of Hydro’s servers and 2,700 of its PCs had been rendered useless, and a ransom note was flashing on employees’ computer screens.

Norsk Hydro didn’t pay the ransom for all the reasons that you can imagine. Lack of guarantees. Making Norsk Hydro an attractive target for other attacks. Feeding the evil beast.

It ended up costing the company 60 million US dollars. Insurance paid 3.6 million. Oh, and they had a reasonable amount of security in place before all this started. They weren’t ignoring stuff and hoping for the best. Here’s the moral of the story…

Even when you do everything you can to protect yourself from a cyberattack, a determined adversary will almost always be able to wreak havoc. In other words, it’s less a question of how to stop hackers from breaking in than how to best survive the inevitable damage.

The description of how things worked at an aluminum plant in Cressona, Pennsylvania is pretty fascinating. How people adapted to every computer at work being shut off.

Ransomware Paid: $140 Million

That is a pretty big payday for the bad guys. FBI Says $140+ Million Paid to Ransomware, Offers Defense Tips.

At the RSA security conference this week, FBI Special Agent Joel DeCapua explained how he used bitcoin wallets and ransom notes that were collected by the FBI, shared by private partners, or found on VirusTotal to compute how much money was paid in ransom payments over 6 years.

According to DeCapua between 10/01/2013 and 11/07/2019, there have been approximately $144,350,000 in bitcoins paid to ransomware actors as part of a ransom. This money does not include operational costs related to the attack, but purely the ransom payments.

Still think it isn’t worth spending the resources on? I’m sure there is someone in some C-suite somewhere saying he doesn’t believe they will be targeted.

At Some Point, You Deserve What You Get

“It can’t happen to me,” is the stupidest statement you can make when it comes to computer security. Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security.

If you’re going to ignore warnings, from software and from people who support your business, and you’re going to ignore the recommendations from people who know what they are talking about, how exactly do you expect to avoid becoming a victim of hackers?

While analyzing the recently reported ransomware incidents, the Swiss cybersecurity body identified a number of weaknesses that allowed attackers to successfully breach the companies’ defenses (all of them can be mitigated by MELANI’s recommendations):

• Virus protection and warning messages: Companies either did not notice or did not take seriously the warning messages from antivirus software that malware had been found on servers (e.g. domain controllers).
• Remote access protection: Remote connections to systems, so-called Remote Desktop Protocols (RDP), were often protected with a weak password and the input was only set to the default (standard port 3389) and without restrictions (e.g. VPN or IP filter).
• Notifications from authorities: Notifications from authorities or from internet service providers (ISPs) about potential infections were ignored or not taken seriously by the affected companies.
• Offline backups and updates: Many companies only had online backups which were not available offline. In the event of an infestation with ransomware, these backups were also encrypted or permanently deleted.
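
Those first two items are what the missed warning actually looks like in a log. As an added example (mine, not from MELANI or from the article), here is a small detector that runs over a handful of constructed Windows Security events and flags a source address that racks up a burst of failed RDP logons, noting how many account names it tried and whether it then got in. Event ID 4625 is a failed logon, 4624 a successful one, and Logon Type 10 is RemoteInteractive, which is RDP; the one-event-per-line key=value layout is an assumption made for the example, since a real collector hands you event XML or a SIEM row.

```python
"""Added example (not from the post, the article or the MELANI report):
detect password guessing against an exposed RDP service from Windows
Security log events, the kind of warning that went unread in the Swiss
cases.

Assumed input format: one event per line, "<ISO timestamp> key=value ...",
with EventID 4625 = failed logon, EventID 4624 = successful logon and
LogonType 10 = RemoteInteractive (RDP).  The sample lines below are
constructed for the example, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanner that guesses six passwords in under a
# minute and then gets in, one user who mistypes once, and one slow source
# that never exceeds the rate threshold (plus a non-RDP logon to ignore).
SAMPLE_EVENTS = """\
2019-11-07T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-11-07T02:14:09 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2019-11-07T02:14:17 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2019-11-07T02:14:25 EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.7
2019-11-07T02:14:33 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-11-07T02:14:41 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-11-07T02:15:02 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2019-11-07T08:30:11 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
2019-11-07T08:30:40 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
2019-11-07T09:00:00 EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.5
2019-11-07T09:30:00 EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.5
2019-11-07T10:00:00 EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.5
2019-11-07T10:30:00 EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.5
2019-11-07T11:00:00 EventID=4625 LogonType=10 TargetUser=svc SourceIP=192.0.2.5
2019-11-07T11:05:00 EventID=4625 LogonType=3 TargetUser=svc SourceIP=192.0.2.5
"""

FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = "4625", "4624", "10"


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window_minutes=10):
    """Return {source_ip: {...}} for every source that produced at least
    `threshold` failed RDP logons inside any `window_minutes`-long interval.

    Each hit records the total failures from that source, how many distinct
    account names were tried (many names from one address is a spray, not a
    forgotten password) and whether a successful RDP logon from the same
    address followed the burst, which is the one to act on first."""
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    rdp = [e for e in events if e.get("LogonType") == RDP_LOGON_TYPE]

    failures = defaultdict(list)
    for e in rdp:
        if e["EventID"] == FAILED_LOGON:
            failures[e["SourceIP"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):          # sliding window over timestamps
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                alerts[ip] = {
                    "failures": len(fails),
                    "distinct_users": len({e["TargetUser"] for e in fails}),
                    "succeeded_after": any(
                        e["EventID"] == SUCCESS_LOGON and e["SourceIP"] == ip
                        and e["ts"] >= burst_end for e in rdp),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

If your domain controllers are producing lines like the first seven and nobody is reading them, that is the “warning messages not taken seriously” item, and the fixes in the next item (VPN or IP filter in front of RDP, account lockout) are what keep the seventh line from ever appearing. The slow source only shows up if you widen the window, which is the trade-off every rate-based rule makes.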

There are more things that have been suggested and ignored.

Either turn off RDP or actually secure it: put it behind a VPN or a gateway, require Network Level Authentication and multi-factor authentication, restrict which source addresses can reach it, and lock accounts after a handful of failed logons. Moving it off port 3389 only hides it from the laziest scanners. Update your operating systems and other software. Pay attention to warning messages (both from software and from people). Otherwise you too can find out what it’s like to be the victim of ransomware.

1,000 Ransomware Attacks on Schools for 2019

Because they love to put stuff online, but can’t be bothered about security. Ransomware Hit Over 1,000 U.S. Schools in 2019.

The FBI advises all U.S. entities currently targeted by a heavy barrage of ransomware attacks to follow these best practices:

  • Regularly back up data and verify its integrity
  • Focus on awareness and training
  • Patch the operating system, software, and firmware on devices
  • Enable anti-malware auto-update and perform regular scans
  • Implement the least privilege for file, directory, and network share permissions
  • Disable macro scripts from Office files transmitted via email
  • Implement software restriction policies and controls
  • Employ best practices for use of RDP
  • Implement application whitelisting
  • Implement physical and logical separation of networks and data for different org units
  • Require user interaction for end-user apps communicating with uncategorized online assets
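
“Verify its integrity” is the item on that list that everyone nods at and nobody does. As an added example (mine, not the FBI’s and not from the article), here is the minimum that makes it something you can actually run: a SHA-256 manifest taken when the backup is written and kept with the offline copy, and a verifier that diffs the copy against it before you trust a restore. It also flags anything changed or new that looks encrypted, which is what an online backup target looks like after the ransomware has been through it. The directory contents are constructed for the demo, and the .crypto extension is an illustration, not a specific family.

```python
"""Added example (mine, not from the post, the article or the FBI): a
SHA-256 manifest for a backup set plus a verifier that reports which files
are missing, changed or new since the manifest was written and which of
those look encrypted.  Assumes a plain directory tree; the manifest is
meant to be stored with the offline copy, never on the network it
protects.  ".crypto" is a generic renamed extension used for illustration.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

CHUNK = 1 << 16

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def shannon_entropy(data):
    """Bits per byte; random or encrypted bytes sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path, sample_bytes=1 << 20, threshold=7.5):
    """Heuristic on the first MiB.  Compressed archives and media also
    score high, so treat a hit as a triage signal, not proof."""
    with open(path, "rb") as f:
        data = f.read(sample_bytes)
    return len(data) >= 256 and shannon_entropy(data) > threshold

def verify_manifest(root, manifest):
    """Diff the tree under root against a manifest saved earlier."""
    current = build_manifest(root)
    expected, found = set(manifest), set(current)
    report = {
        "missing": sorted(expected - found),
        "modified": sorted(p for p in expected & found if current[p] != manifest[p]),
        "unexpected": sorted(found - expected),
    }
    report["suspicious"] = sorted(
        p for p in report["modified"] + report["unexpected"]
        if looks_encrypted(os.path.join(root, p)))
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report

def demo():
    """Constructed scenario: write a small backup set, take its manifest,
    let a pretend ransomware loose on the copy, and re-verify."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "payroll"))
        files = {
            "payroll/march.csv": b"id,name,net\n1,alice,4200\n2,bob,3900\n" * 40,
            "payroll/notes.txt": b"reviewed by finance, nothing outstanding\n" * 10,
            "readme.txt": b"backup set taken 2019-03-18\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)   # in practice json.dump() this beside the offline copy
        before = verify_manifest(root, manifest)

        # Pretend ransomware: "encrypt" and rename one file, drop a note over another.
        victim = os.path.join(root, "payroll", "march.csv")
        with open(victim, "wb") as f:
            f.write(os.urandom(4096))        # random bytes stand in for ciphertext
        os.rename(victim, victim + ".crypto")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"YOUR FILES ARE ENCRYPTED. Contact us for the key.\n" * 8)
        after = verify_manifest(root, manifest)
        return before, after
    finally:
        shutil.rmtree(root)
```

The entropy test is a triage aid: a modified file with low entropy is a ransom note or an honest edit, while a high-entropy file with a new extension is the thing you restore from the copy that was unplugged. And a manifest that lives on the same share as the backups gets encrypted right along with them, which is why it goes on the offline side.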

Of course a lot of the problems for the past few years were caused by (or at least had as a contributing factor) unpatched, unsupported Windows machines. So I seriously doubt that the rest of this will happen. And the backups must be offline. RAID is redundancy, not a backup: ransomware running with a user’s rights will happily encrypt a mapped backup share or a NAS it can reach, and anything it can reach is not offline.

If you can’t update or upgrade, then you have no business putting stuff on the public internet. Unless dealing with ransomware is something you like to do. But schools and cities will continue to put insecure servers on the public internet, and then shriek about how it was “totally unexpected” when bad things happen.

New Orleans Hit With Ransomware

Are we surprised? New Orleans declares state of emergency following ransomware attack.

Suspicious activity was spotted around 5 a.m. Friday morning. By 8 a.m., there was an uptick in that activity, which included evidence of phishing attempts and ransomware, Kim LaGrue, the city’s head of IT said in a press conference. Once the city confirmed it was under attack, servers and computers were shut down.

Ransomware was detected, but they didn’t say how many computers were hit or what variety it was. They were mostly reassuring everyone that all is fine.

“If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking,” said Collin Arnold, director of Homeland Security, adding that they’ve gone back to pen and paper for now.

I’m sure there will be more info later in the week.

More Ransomware Targeting Health Care

Because of course they are. At some point this stops being news. Zeppelin Ransomware Targets Healthcare and IT Companies.

And it is important to note that this is a phishing (maybe spear phishing) attack on health care.

In a new report from Cylance, researchers have discovered the Zeppelin ransomware being used in targeted attacks against IT and healthcare companies. In at least some of the attacks, Cylance believes that they targeted MSPs in order to further infect customers via management software.

Because if you infect a service provider, you infect all of their clients. (I just said something about outsourcing of IT work…)

My take is still that doctors refuse to follow instructions that aren’t provided by doctors of higher status, but a lot of this is probably overworked people and a good phishing campaign. With probably a little bit of “It won’t happen to me! What are the chances?” Welcome to the 21st Century.

Your After Holiday Security Update

Medical facilities are still getting hit with ransomware. Ransomware Locks Medical Records at Great Plains Health.

On Tuesday, GPHealth announced that it was canceling a large number of non-emergent patient appointments and procedures. This decision does not affect surgeries and select imaging procedures, which continued as planned.

Mel McNea, GPHealth chief executive officer, says that there is no reason to suspect that patient data was accessed but the organization will do a full audit, nevertheless.

My take is still that doctors refuse to follow procedures outlined by IT security professionals. They are not doctors!

In the ironic story of the week… Ryuk Ransomware Forces Prosegur Security Firm to Shut Down Network.

Spanish multinational security company Prosegur announced that it was the victim of a cybersecurity incident disrupting its telecommunication platform.

eCards are a problem? Color me shocked. Beware of Thanksgiving eCard Emails Distributing Malware. OK, I’m not that shocked, since eCards have ALWAYS been a bad idea.

New email campaigns are underway that pretend to be Thanksgiving Day greeting cards and office closing notices with last minute invoices. Users who fall for the emails and open the attached word documents will be left with a Windows computer infected with a password-stealing Trojan and possibly other malware.

Companies in The Netherlands are targeted. Dutch Govt Warns of 3 Ransomware Infecting 1,800 Businesses.

The three ransomware strains named by the NCSC are LockerGoga, MegaCortex, and Ryuk. All of them have been involved in attacks against businesses.

Yet another reason to not store passwords in your browser. New Chrome Password Stealer Sends Stolen Data to a MongoDB Database. This is actually a fairly common occurrence.

This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome’s password manager.

Yet Another School Hit By Ransomware

Is this even news anymore? When do we start looking at the number of schools not hit with ransomware? Livingston School District in New Jersey Hit With Ransomware.

Students at the Livingston public school district in New Jersey are undoubtedly happy for a two hour delayed opening tomorrow. Unfortunately, this delay is not being caused by snow, but rather by a ransomware attack that the district is still recovering from.

There is little other real information. The district made some “reassuring statements” that didn’t cross over into lies, but were probably close.

“Our understanding is that these criminals do not typically steal data, but rather render the systems unusable”

While true, that is not an assurance that no data was stolen. And then of course Bleeping Computer cites an instance where data was stolen as well as encrypted, and then released because no ransom was paid.

Hospital Ransomware Attacks Cause Deaths

What a shock. Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks.

As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

Do you think that security is worth anything? Do you think that doctors will actually follow recommendations from someone who isn’t a doctor?

Does a Hospital Getting Hit with Ransomware Count as News?

I’m leaning toward not news. Brooklyn Hospital Loses Patient Data In Ransomware Attack.

The hospital provided very little information, except to say that the attack happened in July. There was an investigation, and attempts to recover the files in the intervening months.

The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.

Does it need to be stated again? Organizations have decided that backups are not needed. (People have decided that as well; both are wrong.) Or in other cases they have a backup server that is online to their network, and it gets encrypted as well. At least some of the backups need to be offline, or otherwise unreachable from the network they protect, and they need to be restored from now and then to prove they actually work.

Alabama Hospital Pays Ransom

But it’s OK, because they have insurance. Alabama Hospitals Back Online 10 Days After Malware Attack.

The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.

So they did what the FBI has been telling people not to do, which is pay the ransom. I wonder if they will take any action to prevent a repeat attack, or if the bad guys are just keeping a list for places to revisit next year. I also wonder how long insurance will be available. You can get homeowners’ insurance because house fires are relatively rare occurrences. If half of your neighborhood burned every year, insurance would be harder to come by, or it would cost a whole lot more.

Is Ransomware Getting Worse? Yes

The FBI sees the writing on the wall. Will anyone listen? FBI warns of major ransomware attacks as criminals go “big-game hunting.”

Where certain attacks have behaved like opportunistic attacks – Baltimore is mentioned – that is changing as the bad guys get better, or worse. Better at being bad guys, anyway.

Data from CrowdStrike has shown a rise in what the firm refers to as “big-game hunting” over the past 18 months. These attacks focus on high-value data or assets within organizations that are especially sensitive to downtime—so the motivation to pay a ransom is consequently very high.

And the FBI, though they didn’t give much info, thought the situation warranted a warning. Not that anyone will listen. Actually preparing for such an attack costs money, and means we have to change the way I do things, in ways that I don’t like, and besides those damn IT folks are always wanting to spend money on some crazy thing. And what can it cost, anyway?

What Is the Cost of a Ransomware Attack?

In the case of Demant (a Danish company), the costs are high. Ransomware incident to cost Danish company a whopping $95 million.

While they had an insurance policy, it will not cover a quarter of that bill. And there are worries that while they were down, and unable even to support retail sales, customers switched brands, and will not be back.

And the company isn’t saying “ransomware.” Though Danish media is reporting it that way, and it “sure did look like one from the outside.”

Most of the losses have come from lost sales and the company not being able to fulfill orders. The actual cost of recovering and rebuilding its IT infrastructure were only around $7.3 million, a small sum compared to the grand total.

So what part of that $7 million has the IT department been pleading for? But as they say, there is much more.

Furthermore, “in our hearing aid retail business, many clinics across our network have not been able to service end-users in a regular fashion.”

These business upheavals have been a disaster for the company’s bottom line. In a message to its investors, Demant said it expects to lose somewhere between $80 million and $95 million.

So, for that $7 million, could the IT folks have made themselves immune to ransomware? Probably not. But they might have been able to mitigate the cost, and it’s not like the company didn’t end up spending the money anyway. The difference is between a scrambling emergency, that impacts customers, as well as both top-line growth and the bottom-line, and a planned implementation.

Other incidents from 2019 include…

defence contractor Rheinmetall, airplane parts manufacturer Asco, aluminum provider Norsk Hydro, cyber-security firm Verint, the UK Police Federation, utility vehicles manufacturer Aebi Schmidt, Arizona Beverages, engineering firm Altran, the Cleveland international airport, and chemicals producers Hexion and Momentive.

Hat tip to Security Now episode #735.

RobbinHood Ransomware Ups Its Game

Ransomware as a business means marketing will play a role. RobbinHood Ransomware Using Street Cred to Make Victims Pay.

RobbinHood was the ransomware responsible for the Baltimore outage. The number referenced for what the city spent on remediation (they did NOT pay the ransom) is 10 million dollars. That’s a bit disingenuous, because a fair amount of that money was for new equipment. And they are spending even more to harden their infrastructure. I would argue that is money they should have spent BEFORE they were hit. But hey, I’m not in politics.

The operators behind the RobbinHood ransomware have changed their language in the ransom note to take from victims all hope of decrypting the files for free and to make them pay for the recovery.

Boastful and arrogant in their message, the cybercriminals point to past incidents involving their ransomware, which ended with victims paying much more than the ransom demand.

Is there any politician or corporate drone who can say, after their organization gets hit with ransomware, that the attack was “unexpected?” Of course there are; I forget that they are paid to lie every day.

Ransomware Continues to Impact Health Care

Remember when Obama said computerizing medical records would be such a good idea? U.S. and Australian Hospitals Targeted by New Ransomware Attacks.

Three hospitals in Alabama and seven in Victoria, Australia have been hit with ransomware. Some are not accepting new patients. Some are reverting to manual procedures.

In a related bit of news, a California clinical group is closing its offices because they can’t recover patient records.

In related news, following another ransomware attack from early August, Californian medical practice Wood Ranch Medical announced on September 18 that it will be closing offices on December 17 because of the extensive loss of patient healthcare records.

Their “backup server” was online, so it too was encrypted. Having a separate copy of your data is NOT ENOUGH if that copy can be written to from the machines it is supposed to protect. How many times do people need to be told that before they’ll listen? Well, if they don’t listen to this advice at this point, then they never will. And my level of sympathy for people playing in traffic was exhausted decades ago.

So I can’t decide if Obama and Company saying how great things would be when all medical records are computerized counts as politicians pretending to be engineers (or computer scientists), or if it is just evidence of colossal arrogance. From my POV, having all the records on computers, which the doctors won’t pay to secure, hasn’t made things better. I’m sure the hackers LOVE the fact that all those records are computerized. And poorly secured. You could think Obama has some interest in the hacking, but that would be giving him too much credit for understanding what encryption can do. Smartest President Ever™

Just Because It Claims to Be Ransomware…

Or why you shouldn’t pay ransom, and why you should have backups. Destructive Ordinypt Malware Hitting Germany in New Spam Campaign.

A new spam campaign is underway that pretends to be a job application from “Eva Richter” who is sending her photo and resume. This resume, though, is actually an executable masquerading as a PDF file that destroys a victim’s files by installing the Ordinypt Wiper.

It masquerades as ransomware, and demands a ransom, but even if you pay, the files have been overwritten with garbage, NOT encrypted. You won’t/can’t get them back.

So do you have those multiple backups? Are some of them offline? How would you recover?

A City Says “Nuts” to Ransomware Demand

Granted, coming up with a payment that large is probably a problem for most municipalities. $5.3M Ransomware Demand: Massachusetts City Says No Thanks.

Okay, they aren’t really channeling Anthony McAuliffe and the 101st Airborne, but they decided not to pay.

New Bedford, population 95,000, is near Boston.

After a ransomware attack slapped a hefty payout demand of $5.3 million on New Bedford, Mass., the city announced that it is instead opting to pick up the pieces and restore what it can from backups itself.

They had a little bit of luck, and they had some decent architecture. Which resulted in only about 4 percent of computers being hacked. They did have to shut down for an extended period of time.

That’s because after learning of the attack, the city was able to rapidly disconnect its computer servers and shut down systems. In addition, the attack hit after the July 4 holiday, meaning that a large number of computers were turned off at the same time that the ransomware was attempting to spread; and, officials said the city’s network was compartmentalized “to a certain degree,” making it harder for the malware to spread.

And they told us what the ransomware was, Ryuk (Ree-ook). Ryuk is both a strain of ransomware that has been wreaking havoc in various places and a character from a manga (Japanese comic book) called Death Note. He is a Shinigami, “supernatural spirits that invite humans toward death in certain aspects of Japanese religion and culture.” I think that says something about the authors of the ransomware.

The city tried to negotiate a smaller payment, but that was rejected by the attackers. So off they go to restore.

Ransomware Attacks on Cities, Schools and Dentists

People need to figure out how to work with data that is NOT online. Because if you don’t have the resources to defend your data, it will be encrypted. Cybercriminals Attacking Schools, Governments With Ransomware.

Cybercriminals are wreaking havoc across America in recent months, with the latest target being local governments and even schools.

A school in Orange County, New York, was all set to welcome students back from summer vacation on Wednesday, but a ransomware attack has delayed the start of the school year.

As many have said, the smaller cities and schools are not spending money on cybersecurity. Which at this point, they need to seriously consider doing, or they should consider stopping with the “put all the data online” push.

And the dentists? Ransomware Attack on Digital Dental Records Impacts Many Providers.

The computer systems of a large number of US dental offices were infected with ransomware on Monday, [a week ago] after a malware attack on the Digital Dental Record and PerCSoft’s cloud remote management software. The impacted providers are still attempting to recover access to their patient data and systems.

And also Ransomware Bites Dental Data Backup Firm. Attacks on service providers mean one attack can impact multiple offices/sites, whether that be dentists, doctors, cities or schools.

Attacks on hospitals and larger clinics remain common, but cities and schools are more likely to be in the news.

And sadly, things will get worse before they get better.

Ransomware as a Service

The replacement for GandCrab didn’t take long to get established. A Look Inside the Highly Profitable Sodinokibi Ransomware Business.

Relatively new on the ransomware scene, Sodinokibi has already made impressive profits for its administrators and affiliates, some victims paying as much as $240,000, while a network infection netted $150,000 on average.

These figures are not surprising when you look at the malware’s recent activity. On August 16, Sodinokibi hit 22 local administrations in Texas and demanded a collective ransom of $2.5 million. It compromised multiple MSPs (managed service providers) spreading the malware to their customers.

I don’t expect things to get better anytime soon. And I’m in good company.

Today, there isn’t a malware author alive who isn’t aware that it’s now possible to live well by finding, infecting, and encrypting the data of the right targets. And that really changes everything. The twisted brilliance of ransomware was that the victim’s data was still there. They can still see their files, now with a “.crypto” or other extension appended to the end. The files weren’t deleted, their contents were simply moved just out of reach. This allowed the carrot of full data recovery to be dangled in front of the victim. And, as a result, more often than not, though no one wants to knuckle under to extortion, the sanity of self-interest would prevail and money would flow into the bad guys’ cryptocurrency wallets… thus further encouraging them to find their next victim. [Steve Gibson – Security Now #730 Show Notes. For the video see this link.]

The internet was fun while it lasted.

23 Texas Cities Hit by Ransomware

Are cities ready to do anything about this yet? New ransomware strike kicks 23 Texas agencies offline.

That’s the regular media article, so it contains virtually no technical info. But that’s the state of the regular media. Well, almost at the end of the article they do quote ZDNet by mentioning Sodinokibi ransomware, also known as REvil.

So let’s look at ZDNet: Over 20 Texas local governments hit in ‘coordinated ransomware attack’

The attack took place on Friday morning, August 16, US time, when several smaller local Texas governments reported problems with accessing their data to the Texas Department of Information Resources (DIR).

Texas does have a statewide office for dealing with this crap, so at least there is someone for the impacted cities to call, but 23 cities being hit at one time is going to stretch their resources. (That’s a guess on my part BTW.) And in a statement that surprises no one, this is all the result of a single bad person or group.

There are some indications that the OSTAP Trojan is how this thing moved around in the networks.

UPDATE: Lubbock County was also targeted, but was able to contain the ransomware fairly early on, and was not impacted. The Texas DIR reports that about one quarter of the towns hit in this attack have been able to resume operations. Via Ars Technica.

I am still trying to find some info on how this attack got into 20 plus cities/counties at the same time. At a guess, I would say phishing. The bad guys formulated an email, pretending to be from someone that people working for cities and counties in Texas would trust. (Someone from the state, or an association of mayors or something.) And they were in with either TrickBot or the OSTAP Trojan. (Both of those are often found together.) But the FBI likes to limit any information coming out while they investigate, though most of the “press people” from the cities wouldn’t understand the technical side of things, even if the DIR/tech support folks had time to brief them.