Sunday, August 7, 2016

Feedly:SANS Internet Storm Center, InfoCON: green. Follow-up to: Stop calling it a ransomware "attack", (Sun, Aug 7th)

from SANS Internet Storm Center, InfoCON: green


Earlier today, I posted a diary protesting an overall trend of calling ransomware infections "ransomware attacks" [1].  Unfortunately, that previous diary didn't include information on attacks that actually have involved ransomware.

This diary addresses some tweets about my original write-up.  It hopefully presents a more balanced view.

Shown above:  Commenting on the first diary, @DanielGallagher notes Samsam.

Shown above:  Commenting on the first diary, @fwosar discusses RDP attacks.

Distribution: both large-scale and targeted

As previously stated, I frequently find ransomware during daily investigations of exploit kit (EK) traffic and malicious spam (malspam) campaigns.  However, my visibility is limited.  I rarely, if ever, run across activity I consider a targeted attack.  That field of view doesn't include ransomware infections seen after brute force attacks using Microsoft's Remote Desktop Protocol (RDP).  Examples of brute force RDP attacks resulting in ransomware infections have been published as recently as May [2, 3] and June 2016 [4].

Other sources have reported targeted attacks involving ransomware known as Samas, SamSa, or SamSam [5, 6, 7, 8, 9 to name a few].  Most of these write-ups say organizations in the health industry (as well as other industries) have been targeted.  These reports document a trend where an attacker first gains unauthorized access to an organization's network, then the attacker deploys ransomware on hosts within that network.

Shown above:  Diagram of a Samas infection chain from the Microsoft report [8].

That's certainly an attack.

I'd be crazy not to include this information when discussing my disdain for the term "ransomware attack."  And it's something I foolishly omitted in my previous diary on the subject.  Ransomware is, indeed, distributed in both large-scale and targeted campaigns.

Large-scale does not equal targeted

Most reports of ransomware infections, especially in the health care industry, imply some sort of targeted attack.  But that's not always the case.

For example, in March 2016 we saw reports that a Kentucky-based Methodist Hospital was infected with Locky ransomware through malspam.  The malspam contained a Word document with malicious macros masquerading as an invoice [10].  The press played it up as an attack, but malspam is a common tactic of large-scale campaigns distributing Locky, where some messages occasionally slip through spam filters.  Even Krebs called it an "opportunistic attack" when reporting on the incident [11].

However, opportunistic is not targeted.

In March 2016, Wired published an in-depth write-up on why hospitals are perfect targets for ransomware [12].  In that article, the author discusses Methodist Hospital and other Locky incidents while including targeted attacks by criminals spreading Samsa ransomware.  Although the author notes Locky involves "spray-and-pray phishing campaigns" involving mass emails, this method is still described as a "Locky attack."

Wired's article is well-written and worth a read.  It includes plenty of detail on the reasons why health care organizations are at risk.  But readers who only skim the article will miss some key points, and they could easily confuse large-scale Locky distribution with a targeted attack.  In cases like this, I think authors should use "Locky campaign" instead of "Locky attack."

Final words

Even considering targeted attacks involving ransomware, I still feel we're putting too much emphasis on the attackers and not enough focus on fixing our own vulnerabilities.

Furthermore, I believe media reporting leads some people to confuse large-scale ransomware campaigns with targeted attacks.

The number of ransomware samples found in large-scale campaigns far outweighs the number of ransomware samples reported from targeted attacks.  I still believe that, odds are, any given ransomware "attack" is probably the result of a large-scale campaign.

I'd rather see people use "ransomware incident" instead of "ransomware attack."

My thanks to @DanielGallagher and @fwosar for their tweets.  They helped keep me a bit more honest.


Brad Duncan
brad [at]



Web Analytics