During the holiday period between Christmas and New Year’s in 2018, workers at a Tribune Co. newspaper location in South Florida found out that they couldn’t upload late-breaking sports scores to the portion of their CMS that handles printing and distribution. Later, other newspapers in the Tribune chain discovered other problems related to the printing and distribution of their papers, as did the Los Angeles Times, which used to be part of the Tribune group but still uses the printing and distribution software.
As the Tribune IT staff investigated, they found that the Ryuk malware had encrypted critical portions of their operations and that a ransom was being demanded to reverse the attack. Eventually, the newspapers were able to overcome the effects of the attack, but the newspapers were delayed; some went to press without a portion of their advertising.
At about the same time, security researcher Brian Krebs reported that cloud hosting provider DataResolution.net suffered a similar attack. There the company immediately shut down their network to avoid the further spread of the malware and then worked on a resolution. Since then, both DataResolution and the Tribune companies have moved along in their recovery. Neither has said whether they paid the ransom, but considering the time it took for each to recover, it appears that they did not.
DataResolution Identifies Hackers as Being From North Korea
The staff at DataResolution announced that the attackers were from North Korea, and that the attackers were professionals. How they knew who to attribute the attack to is unclear, but perhaps it turned up in the ransom demand.
The Ryuk malware is different from most malware in that it doesn’t really spread itself across the internet. Instead, according to Stu Sjouwerman, CEO of KnowBe4, the spread of Ryuk takes place slowly and carefully, and it’s usually performed manually by the bad guys once they’ve penetrated a network.
When they’re in the network, the attackers study it and prepare a “whitelist” of programs and files they don’t want attacked. This allows the victim to have enough control over the compromised server to be able to apply the fix that’s provided by the attackers once the ransom is paid. Once everything is ready, then the attackers unleash the malware.
Sjouwerman noted that the attackers who use the Ryuk ransomware specifically attack companies that cannot afford downtime and then price their ransom accordingly. He said that one recent victim paid the attackers nearly $400,000 to get the decryption key.
Normally the attackers make sure to also attack and encrypt any backups or other copies of the data that they’ve encrypted, but they’re not always successful. DataResolution said in a status update that the company was able to retrieve copies of what was encrypted from other production servers that weren’t attacked. Apparently, the decision to shut everything down was an appropriate response in this attack. But no matter how you look at it, a Ryuk attack is going to be expensive, so it’s best to prevent it from happening.
Nation-State Attackers Have Unlimited Resources
Unfortunately, keeping a nation-state attacker out of your network is tough. They have essentially unlimited resources, so they can search for compromising information until they find it, and they can pound on your network essentially forever until they find a hole that will allow them to enter.
Sjouwerman said there are basically two ways that such attackers break into your network. One is through phishing attacks, in which they will use information they’ve found about your organization to get the confidence of your employees so they can use phishing. Good training and careful control over your incoming email can minimize the success of those attacks.
The other method is an RDP attack. This happens when the remote desktop service on a computer somewhere on your network is vulnerable, then they go in through that RDP connection and effectively are free to move about your network. Because RDP credentials are widely available to attackers, this has become the most common method of attack for Ryuk attacks.
Steps to Take Now
There are some steps you can take to reduce the likelihood of a successful attack.
- Disable Remote Desktop on every computer on your network.
- Where you can’t remove RDP, replace it with a third-party version that is secure and that can provide two-factor authentication.
- Require two-factor authentication for any changes to your network devices, including your servers and to your clients. The second factor should be a physical smart card or USB key, not an SMS text message.
- Impose a password management policy on your network, including a requirement that all passwords be changed immediately. At this point, any passwords that have been in use for a while will have been compromised, so implement a policy that requires new passwords immediately, sets requirements for password age and doesn’t allow password reuse.
- Make sure your backups don’t use disk letters or any other method that allows access through the operating system. Backups must be managed by backup software that creates protected backups that cannot be otherwise accessed from the network.
- Make sure you test the ability to recover your files to confirm that you really have a backup you can use. Then store those backups off-site in a cloud location or potentially in a physical vault.
One reason to suspect North Korea in these attacks is that it’s their government hackers who have perfected the Ryuk ransomware. In addition, these attacks demand very large ransoms, and North Korea is in need of hard currency. A government-sponsored attack would serve multiple purposes.
That being said, attribution for an attack like this is very difficult. It might not be North Korea, but that hardly matters. If you’re attacked by someone using Ryuk, it’s going to be very expensive.