Diebold Nixdorf, a major supplier of Automatic Teller Machines (ATMs) and software to financial institutions, was infected by the ProLock ransomware in late April. The intrusion was first reported by Brian Krebs of KrebsOnSecurity.com and confirmed by Diebold Nixdorf several days later. Fortunately, it appears that the company was able to limit the attack to parts of its corporate network, while the ATM network and customer data were unaffected. The various stories circulating about the incident provide valuable lessons for other financial institutions that experience ransomware attacks, and these lessons should be incorporated into incident response planning so that organizations are as prepared as possible when attacked.
ProLock ransomware is a relatively new variant first seen in March 2020. The FBI's Cyber Division put out an Alert in early May providing details on the attack methodology and Indicators of Compromise. ProLock is manually controlled, which means an attacker must first gain access to the victim's network. In the case of Diebold Nixdorf, a phishing email was likely used by the attackers to gain an initial foothold. The FBI noted that the QakBot trojan is associated with ProLock, and that attackers using ProLock typically attempt to map out the networks they access and exfiltrate internal data before launching the ransomware attack, which encrypts files and appends either a .prolock or .pr0lock extension to them. A .txt file directs victims to a TOR site to pay a ransom in exchange for decryption keys. If QakBot is discovered on a device, that device should be disconnected from the network, since there is a strong possibility it will be used to launch a ProLock attack. A wrinkle in this process is that the ProLock decryptor has a bug: even with the correct decryption keys, data corruption may occur on files larger than 64MB. Considering these details, what can organizations do to prevent and mitigate ProLock attacks?
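As an added example (this is not code from the article or from Schneider Downs), a small Python triage script that inventories a file share after an infection: it identifies encrypted files by the .prolock/.pr0lock extensions, flags those above the 64MB limit where the decryptor may corrupt data so they can be restored from backup instead, and uses an assumed keyword heuristic (the strings "prolock" and ".onion") to locate the ransom note. The sample directory tree is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

PROLOCK_EXTENSIONS = {".prolock", ".pr0lock"}   # extensions named in the FBI alert
DECRYPTOR_LIMIT = 64 * 1024 * 1024              # decryptor bug threshold (64MB)
NOTE_MARKERS = ("prolock", ".onion")            # assumed heuristic for the .txt ransom note


def triage_prolock(root):
    """Walk root and classify files touched by a ProLock infection.

    Returns sorted relative paths in three buckets: encrypted files, the subset
    above the 64MB decryptor limit (restore these from backup rather than trust
    the decryptor), and text files that look like the ransom note.
    """
    root = Path(root)
    found = {"encrypted": [], "at_risk": [], "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in PROLOCK_EXTENSIONS:
            found["encrypted"].append(rel)
            if path.stat().st_size > DECRYPTOR_LIMIT:
                found["at_risk"].append(rel)
        elif suffix == ".txt":
            head = path.read_text(errors="ignore")[:4096].lower()
            if any(marker in head for marker in NOTE_MARKERS):
                found["notes"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree():
    """Create a constructed directory tree resembling a hit file share (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="prolock_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q1.xlsx.prolock").write_bytes(b"\x00" * 512)
    big = root / "finance" / "archive.zip.pr0lock"
    big.touch()
    with open(big, "r+b") as f:
        f.truncate(DECRYPTOR_LIMIT + 1)         # sparse file just over 64MB, no real I/O
    (root / "readme.txt").write_text("quarterly notes, nothing unusual")
    (root / "finance" / "how_to_recover.txt").write_text(
        "Your files are encrypted by ProLock. Visit our TOR site at placeholder.onion")
    return root


if __name__ == "__main__":
    for category, paths in triage_prolock(build_sample_tree()).items():
        print(category, paths)
```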
First, layers of controls should be implemented to prevent and mitigate phishing, since phishing remains one of the most common avenues of attack for data breaches and ransomware. Technical tools such as advanced email protections can prevent malicious emails from reaching users in the first place, and security awareness training can help users recognize phishing emails that make it past the initial filters. If users do click on phishing links and download malicious files, next generation antivirus (NGAV) tools should be considered: they provide a higher level of malware detection than traditional antivirus tools and reduce the ability of malware like QakBot and ProLock to go undetected in a company's network. A deeper dive into how NGAV tools work was highlighted in another Schneider Downs cybersecurity article. Third-party penetration tests can also give organizations a good gauge of how well they would fare if attacked and serve as training for a real attack.
Second, if an organization suspects its network has been infected with malware or attacked by ransomware, it needs to call subject matter experts to assist with incident response. The FBI noted that the ProLock attack is multi-staged, with attackers first attempting to exfiltrate internal data. While customer data is a key target, internal documents such as emails, customer lists and trade secrets could also negatively impact an organization if stolen and publicly exposed. Incident response specialists can help organizations determine the scope of an infection or potential breach, provide expertise on negotiating with attackers, coordinate with law enforcement, and provide expertise on remediating an infection, such as working around buggy decryption tools and cleaning up persistent infections. Organizations should partner with a response team prior to an incident to speed up response activities, and purchase cybersecurity insurance to offset response expenses.
Finally, good cyber hygiene and IT controls will mitigate the impact of any attack and prevent attackers from moving through a network from an initially infected device to other devices. In Diebold Nixdorf's case, it appears effective network segmentation was in place to prevent attackers from reaching customer data. Internal firewall rules can be used to limit the protocols and devices attackers can use to move laterally through a company's network. Patching internal devices will also limit the vulnerabilities that can be exploited to move laterally. Lastly, backups should be seen as the last line of defense for recovering from an attack; storing backups offline or on a separate system will mitigate the risk that the backups are encrypted as well.
Data breaches and ransomware attacks continue to be a major cybersecurity concern, and new variants and attack methodologies will keep challenging response teams. If your organization needs help developing or testing a response strategy, or if you are experiencing an attack, reach out to Schneider Downs' cybersecurity team at email@example.com.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity.
In addition, our Incident Response Team is available around the clock at 1-800-993-9837 if you suspect your organization is experiencing a network incident.