New Zealand CERT issues advisory on ransomware campaign
By William Knowles
June 18, 2020
The New Zealand Computer Emergency Response Team (CERT NZ) has released an advisory on a ransomware campaign leveraging remote access technologies.
Unidentified malicious cyber actors are targeting organizations’ networks through remote access technologies such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs), exploiting unpatched vulnerabilities and weak authentication.
After gaining access, the actors use tools including mimikatz, PsExec, Cobalt Strike and Nefilim ransomware for privilege escalation, lateral movement, persistence, data exfiltration and encryption. Because of the level of access gained before the ransomware is deployed, the problem cannot be resolved simply by restoring data from backup.
We are aware of attackers accessing organizations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN), as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organizations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched.
The current attacks are believed to be sophisticated and well crafted. These attacks can have severe impacts on business operations, including data being stolen and sold. Recovery from these attacks requires significant investment to fully investigate and remediate the network compromised, and restore encrypted files from backup.
Attackers access an organization’s network through vulnerable remote access technologies. This could be by:
- unpatched software,
- weak authentication, or
- lack of multi-factor authentication (MFA).
From there, any system on the network may be affected. Citrix remote access technologies have been reported as a common way for attackers to gain access.
What this means
Once an attacker gains a foothold through the remote access system, they use tools such as mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network.
The attacker identifies and extracts sensitive information from the network and encrypts files. Nefilim ransomware has commonly been used, but other ransomware can also be used. Once the attacker has the information they want, they attempt to sell or publicly release it.
Due to the level of access gained before deploying ransomware, merely restoring data from a backup won’t resolve the issue. Remediation will require an in-depth investigation of all compromised or potentially compromised systems to fully eradicate the attacker and to identify the security improvements necessary to prevent another attack.
What to look for
How to tell if you’re at risk
Any network that does not have appropriately secured remote access is at risk.
How to tell if you’re affected
Check your remote access systems for any sign of unauthorized access. If any unauthorized access is detected, further investigation will be required to determine any lateral movement across the network.
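One concrete way to check a remote access system for the "weak password, no MFA" entry the advisory describes is to look for a successful logon that follows a burst of failures from the same source address. The script below is an added example for this article, not CERT NZ's code. It assumes Windows Security events exported as one JSON object per line with the fields shown (EventID 4625 for a failed logon, 4624 for a successful one, LogonType 10 for an RDP RemoteInteractive session); the event lines themselves are constructed for the example and use documentation IP ranges.

```python
"""Flag RDP logons that succeed after a burst of failed attempts.

Added example; not CERT NZ's code. Assumes Windows Security events
exported as JSON lines with the fields used below. Event ID 4625 is a
failed logon, 4624 a successful one, and LogonType 10 is the
RemoteInteractive type that RDP sessions produce. The sample events
are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

# Constructed sample: one source sprays several accounts, then lands
# on svc_backup; a normal user mistypes once; a non-RDP logon is noise.
SAMPLE_EVENTS = """
{"EventID": 4625, "IpAddress": "203.0.113.50", "TargetUserName": "administrator", "LogonType": 10, "TimeCreated": "2020-06-15T02:01:00"}
{"EventID": 4625, "IpAddress": "203.0.113.50", "TargetUserName": "admin", "LogonType": 10, "TimeCreated": "2020-06-15T02:01:30"}
{"EventID": 4625, "IpAddress": "203.0.113.50", "TargetUserName": "backup", "LogonType": 10, "TimeCreated": "2020-06-15T02:02:00"}
{"EventID": 4625, "IpAddress": "203.0.113.50", "TargetUserName": "svc_backup", "LogonType": 10, "TimeCreated": "2020-06-15T02:02:30"}
{"EventID": 4625, "IpAddress": "203.0.113.50", "TargetUserName": "svc_backup", "LogonType": 10, "TimeCreated": "2020-06-15T02:03:00"}
{"EventID": 4625, "IpAddress": "198.51.100.7", "TargetUserName": "jsmith", "LogonType": 10, "TimeCreated": "2020-06-15T02:04:00"}
{"EventID": 4624, "IpAddress": "198.51.100.7", "TargetUserName": "jsmith", "LogonType": 10, "TimeCreated": "2020-06-15T02:04:20"}
{"EventID": 4625, "IpAddress": "203.0.113.50", "TargetUserName": "svc_backup", "LogonType": 10, "TimeCreated": "2020-06-15T02:05:00"}
{"EventID": 4624, "IpAddress": "203.0.113.50", "TargetUserName": "svc_backup", "LogonType": 10, "TimeCreated": "2020-06-15T02:07:00"}
{"EventID": 4624, "IpAddress": "10.0.0.5", "TargetUserName": "alice", "LogonType": 3, "TimeCreated": "2020-06-15T02:08:00"}
"""


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda e: e["TimeCreated"])


def find_suspicious_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return one record per successful RDP logon that was preceded by at
    least `threshold` failed RDP logons from the same IP within `window`.

    Each record is (ip, user, time, failure_count, usernames_tried), so the
    analyst can tell a spray across accounts from brute force on one.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    hits = []
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only remote-interactive (RDP) sessions matter here
        ip, ts = e["IpAddress"], e["TimeCreated"]
        if e["EventID"] == FAILED_LOGON:
            failures[ip].append((ts, e["TargetUserName"]))
        elif e["EventID"] == SUCCESSFUL_LOGON:
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                tried = sorted({u for _, u in recent})
                hits.append((ip, e["TargetUserName"], ts, len(recent), tried))
    return hits


if __name__ == "__main__":
    for ip, user, ts, n, tried in find_suspicious_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{ts} {ip} logged in as {user} after {n} failures; accounts tried: {tried}")
```

Thresholds and the window are tuning knobs: a lower threshold catches slow sprays but also flags users who forget a password, so the output is a lead for the deeper investigation the advisory calls for, not a verdict.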
If an attack has progressed to the ransomware phase, Nefilim ransomware may leave the following indicators of compromise (IOCs):
- files with a .NEFILIM extension
- a file called NEFILIM-DECRYPT.txt may be placed on affected systems
- batch files created in C:\Windows\Temp
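The three file-system indicators above are easy to sweep for across a mounted disk image or a live drive. The script below is an added example for this article, not CERT NZ's or any vendor's code; it walks a directory tree and reports files with a .NEFILIM extension, any NEFILIM-DECRYPT.txt note, and .bat files under Windows\Temp relative to the scanned root. The sample directory layout it builds is constructed for the example.

```python
"""Triage sweep for the Nefilim file-system indicators named in the advisory.

Added example; not CERT NZ's code. Scans a tree rooted at a drive or a
mounted image (pass "C:\\" on a live host, or the mount point of an
image) for: files ending in .NEFILIM, a NEFILIM-DECRYPT.txt note, and
batch files in Windows\\Temp. The sample tree is constructed here.
"""
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".nefilim"            # compared case-insensitively
RANSOM_NOTE = "nefilim-decrypt.txt"
TEMP_DIR_PARTS = ("windows", "temp")  # C:\Windows\Temp relative to the root


def scan_for_nefilim_iocs(root):
    """Return the indicator hits found under `root`, grouped by type."""
    root = Path(root)
    found = {"encrypted_files": [], "ransom_notes": [], "temp_batch_files": []}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        rel_parts = tuple(p.lower() for p in d.relative_to(root).parts)
        in_windows_temp = rel_parts[:2] == TEMP_DIR_PARTS
        for name in files:
            p = d / name
            lower = name.lower()
            if lower.endswith(RANSOM_EXT):
                found["encrypted_files"].append(p)
            elif lower == RANSOM_NOTE:
                found["ransom_notes"].append(p)
            elif in_windows_temp and lower.endswith(".bat"):
                found["temp_batch_files"].append(p)
    return found


def build_sample_tree(root):
    """Create a constructed layout with all three indicators plus benign noise."""
    root = Path(root)
    layout = {
        "Users/finance/Q2-report.xlsx.NEFILIM": b"",
        "Users/finance/NEFILIM-DECRYPT.txt": b"constructed ransom note",
        "Users/finance/notes.txt": b"benign",
        "Windows/Temp/run1.bat": b"@echo off",
        "Windows/Temp/setup.log": b"",
        "Scripts/deploy.bat": b"rem legitimate admin script outside Temp",
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


def demo_scan():
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_nefilim_iocs(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, paths in demo_scan().items():
        print(f"{kind}: {[p.name for p in paths]}")
```

A hit on any of these means the intrusion has already reached the encryption phase; per the advisory, the scope of the investigation then has to widen to every system the attacker could have reached, not just the hosts carrying ransom notes.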
The following public reporting includes IOCs specific to Nefilim ransomware:
- Trend Micro’s investigation into Nefilim
- SentinelLabs’ write-up on Nefilim
- Indicators of compromise from AlienVault
What to do
Ensure that all remote access systems are:
- up-to-date with security patches
- strictly enforcing strong authentication (strong passwords and MFA).
CERT NZ Critical Controls such as network segmentation and application whitelisting can mitigate the impact of such an attack, by making it harder for an attacker to move around your network. Well-configured backups are essential to recovery from any ransomware attack.
If you require more information or further support, submit a report on our website.