CYBER INTELLIGENCE REPORT
NCSC Advisory: Trickbot
The National Cyber Security Centre has released guidance on how organisations can protect their networks from the 'Trickbot' banking trojan. Trickbot is an established banking trojan used in cyber attacks against businesses and individuals in the UK and overseas. Trickbot attacks are designed to access online accounts, including bank accounts, in order to obtain personally identifiable information (PII). In some cases, Trickbot is used to infiltrate a network, and then used to deploy other malware including ransomware and post-exploitation toolkits.
Read the advisory at https://www.ncsc.gov.uk/news/trickbot-advisory
Below we take a quick look at prevalent and emerging ransomware variants in the UK according to Action Fraud reports, along with some protective advice.
Dharma
Delivery Method: Phishing email/RDP
Typical Ransom Demand: Varies depending on how quickly the victim gets in touch with the suspects, but usually around 1 BTC
Online Decryptor Keys: No
Once the files are encrypted, two files are placed on the victim's desktop: "FILES ENCRYPTED.txt" and "INFO.hta". These contain the suspects' contact email address as well as instructions on how to purchase Bitcoin.
The ransomware uses asymmetric encryption, generating both a public and a private key during the encryption process (the public key is used to encrypt the files and only the private key can decrypt them).
There are currently no tools able to decrypt Dharma; the remaining options are paying the ransom (not advised) or restoring files from a backup or system restore.
NFIB have observed a case of a victim paying a ransom demand of 5 Bitcoin (roughly £25,000) but not receiving a decryption key.
STOP
Delivery Method: Phishing email
Typical Ransom Demand: Between USD 300 and 600
Online Decryptor Keys: No
Once a device is infected, the ransomware encrypts the victim's files using the AES and RSA-1024 encryption algorithms and places a file called "!!!YourDataRestore!!!.txt" on the victim's desktop.
It was previously seen using the ".DJVU" extension; it now uses the original ".STOP" file extension.
The ransomware demands between $300 and $600 and leaves two email addresses and a Bitmessage address through which victims can get in touch to get their files back.
There is currently no tool available to decrypt the data once it has been encrypted, therefore the only way of getting the data back is to restore everything from a backup.
Cr1pt0r
Delivery Method: RDP
Typical Ransom Demand: Varies depending on how quickly the victim gets in touch with the suspects; reports have seen demands of up to USD 1200
Online Decryptor Keys: No
Cr1pt0r is a ransomware strain targeting network-attached storage (NAS) equipment exposed to the internet.
It has been seen targeting vulnerabilities in old firmware on D-Link DNS-320 NAS models.
Originally built to target Linux systems, it can be modified to infect Windows devices.
Once a device is infected, the malware places two plain-text files on the desktop. The first is the ransom note, "_FILES_ENCRYPTED_README.txt", which tells the victim how to pay the ransom and what they will receive in return (the file decryption key). The second, "_cr1ptt0r_support.txt", stores the address of the suspects' website on the Tor network.
No specific extension is added to the locked files; instead, an end-of-file marker "_Cr1ptT0r_" is appended.
There is currently limited open-source information about this ransomware, but this could change as it becomes more prevalent.
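The ransom-note filenames quoted for Dharma, STOP and Cr1pt0r above, together with the "_Cr1ptT0r_" end-of-file marker, are simple host-based indicators that a responder can sweep for. The script below is an added example (not part of this report or of any vendor tool) that walks a directory tree, reports any file whose name matches one of the notes listed in the report, and reads only the tail of every other file to check for the Cr1pt0r trailer. The sample files it creates in a temporary directory are constructed for the demonstration.

```python
"""Sweep a directory tree for the ransom-note filenames and the Cr1pt0r trailer named in the report."""
import os
import tempfile
from pathlib import Path

# Ransom-note filenames quoted in the report, mapped to the variant they indicate.
RANSOM_NOTES = {
    "FILES ENCRYPTED.txt": "Dharma",
    "INFO.hta": "Dharma",
    "!!!YourDataRestore!!!.txt": "STOP",
    "_FILES_ENCRYPTED_README.txt": "Cr1pt0r",
    "_cr1ptt0r_support.txt": "Cr1pt0r",
}

# End-of-file marker the report says Cr1pt0r appends to locked files.
CR1PT0R_TRAILER = b"_Cr1ptT0r_"


def has_trailer(path, trailer=CR1PT0R_TRAILER):
    """Return True if the file ends with the marker; only the last few bytes are read."""
    size = os.path.getsize(path)
    if size < len(trailer):
        return False
    with open(path, "rb") as f:
        f.seek(size - len(trailer))
        return f.read(len(trailer)) == trailer


def scan_tree(root):
    """Walk root and return a list of (path, indicator) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                findings.append((path, f"ransom note ({RANSOM_NOTES[name]})"))
            elif has_trailer(path):
                findings.append((path, "Cr1pt0r trailer"))
    return findings


def build_sample_tree(root):
    """Constructed sample data: one clean file, one Dharma note, one Cr1pt0r-style locked file."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx").write_bytes(b"clean document contents")
    (root / "docs" / "FILES ENCRYPTED.txt").write_text("constructed ransom note")
    (root / "docs" / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"x" * 32 + CR1PT0R_TRAILER)
    return root


def demo():
    """Build the sample tree in a temp dir and return sorted (relative path, indicator) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return sorted(
            (os.path.relpath(path, root).replace(os.sep, "/"), why)
            for path, why in scan_tree(root)
        )


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why}: {rel}")
```

Pointing `scan_tree` at a mounted NAS share or a suspect workstation's user profile gives a quick triage list; the trailer check is deliberately cheap (one seek and a 10-byte read per file) so it can be run across large shares.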
Points to consider:
Phishing
Ensure that your organisation is taking all of the necessary steps it can to reduce the impact of phishing (NCSC guide at https://www.ncsc.gov.uk/guidance/phishing). Get creative with internal awareness campaigns and awareness sessions/training (e.g. use screenshots of phishing emails the company has received). Seek buy-in from senior management and from other departments within your company, and make use of the resources available from organisations we often cite (e.g. NCSC, ActionFraud, CyberAware, Take Five, Europol, CPNI).
Backups
Create regular backups of your important files to an external hard drive, memory stick or online storage provider. It's important that backups are not left connected to your computer, as ransomware infections can spread to those as well. As we always say, check that you have backups, check what's on those backups, and check that they actually work!
Updates
Always install updates as soon as is reasonably possible. Make sure that all of your architecture (operating systems, applications, web frameworks, software packages etc. across all devices and services) consistently receives updates.
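"Check that they actually work" is the step most often skipped. The script below is an added example, not part of this report, of one way to do it: record a SHA-256 digest of every file before the backup is taken, then compare a restored copy against that manifest and report anything missing or altered. The source tree, backup copy and the deliberate damage to the restored copy are all constructed inside a temporary directory for the demonstration.

```python
"""Verify that a backup actually restores: hash the originals, then check the restored copy."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest; return files missing or modified."""
    restored_root = Path(restored_root)
    problems = {"missing": [], "modified": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems["missing"].append(rel)
        elif sha256_file(p) != digest:
            problems["modified"].append(rel)
    return problems


def demo():
    """Constructed scenario: back up a small tree, restore it, then corrupt one file and lose another.

    Returns (result for the intact restore, result after the damage)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2019-03-01,100\n")
        (src / "notes.txt").write_text("quarterly notes")
        manifest = build_manifest(src)

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)          # stands in for the restore step
        intact = verify_restore(manifest, backup)

        (backup / "notes.txt").write_text("quarterly notes (truncated)")
        (backup / "finance" / "ledger.csv").unlink()
        damaged = verify_restore(manifest, backup)
        return intact, damaged


if __name__ == "__main__":
    intact, damaged = demo()
    print("intact restore:", intact)
    print("damaged restore:", damaged)
```

In practice the manifest should be stored alongside the backup on the offline medium, and the verification run against a test restore to a separate location rather than against the live files, so that it also proves the restore procedure itself.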
Remote Desktop Protocol (RDP)
RDP vulnerabilities are commonly exploited, so ensure that you are doing everything you can to secure against the associated threats. This includes reviewing port security and access controls, defending against brute-force attacks through strong authentication, or disabling RDP altogether if it is not needed. Other guidance can be found via https://www.ncsc.gov.uk/section/advice-guidance/all-topics
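Alongside strong authentication, a brute-force attempt against RDP is easy to spot in logon-failure records if someone is looking. The script below is an added example (not from this report or the NCSC guidance) of the detection logic: it reads failed-logon records, keeps a rolling five-minute window of failures per source address, and raises an alert once a source exceeds a threshold. The log format and the addresses in it are constructed for the example and are a simplified stand-in for Windows Security event 4625 records; the field names are assumptions.

```python
"""Flag brute-force patterns in constructed failed-logon records (rolling window per source)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): timestamp, event id, source IP, user name.
# Event 4625 = failed logon, 4624 = successful logon, following the Windows numbering.
SAMPLE_LOG = """\
2019-03-05T10:00:01Z 4625 src=203.0.113.5 user=administrator
2019-03-05T10:00:02Z 4625 src=203.0.113.5 user=admin
2019-03-05T10:00:03Z 4625 src=203.0.113.5 user=backup
2019-03-05T10:00:04Z 4625 src=203.0.113.5 user=test
2019-03-05T10:00:05Z 4625 src=203.0.113.5 user=user1
2019-03-05T10:00:06Z 4625 src=203.0.113.5 user=sales
2019-03-05T10:01:00Z 4624 src=198.51.100.7 user=jsmith
2019-03-05T10:05:00Z 4625 src=198.51.100.7 user=jsmith
2019-03-05T10:45:00Z 4625 src=198.51.100.7 user=jsmith
"""


def parse_line(line):
    """Split one constructed record into (timestamp, event id, source ip, user)."""
    ts, event, src, user = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        int(event),
        src.split("=", 1)[1],
        user.split("=", 1)[1],
    )


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted user names tried} for every source that accumulates
    at least `threshold` failed logons (event 4625) within any rolling `window`."""
    recent = defaultdict(deque)   # source ip -> (timestamp, user) failures still inside the window
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, src, user = parse_line(line)
        if event != 4625:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = sorted({u for _, u in q})
    return alerts


if __name__ == "__main__":
    for src, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {src} tried {len(users)} accounts: {', '.join(users)}")
```

The single legitimate user who mistypes a password twice forty minutes apart never trips the threshold, while a source cycling through account names in seconds does; the list of names it tried is useful context for the Action Fraud report described below.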
Should I pay the ransom?
The nationally recommended guidance is that victims of ransomware should not pay the ransom. This is for a number of reasons:
> There is no guarantee you will receive your data back.
> If criminals know that you have paid out previously, you may be at risk of being targeted again.
> Ransom payments fund criminality, and if criminals consistently receive funds then they will continue to employ those successful tactics.
If you have been a victim of ransomware, please report the incident to Action Fraud. Typically, ransomware attacks will be live incidents, so if this is the case you can make use of Action Fraud's 24/7 reporting function through phone at 0300 123 2040. More information can be found at https://www.actionfraud.police.uk/campaign/24-7-live-cyber-reporting-for-businesses
Reporting helps build intelligence for law enforcement which is vital to investigations, as well as informational campaigns.
When reporting, it is hugely helpful to capture as much evidence as possible, including images of splash screens and ransom notes, linked email addresses, and linked Bitcoin/cryptocurrency wallet addresses.