Hacks I've Known: Ransomware and the Government Institution

Ransomware on Server 2016

‘It’s a small glitch’ our server admin said as he responded to the bleep as a website uptime monitor turned red.

‘I’ll do a restart.’

Which as any Windows user knows is the best way to fix any funnies.

In this case, it didn’t work. The uptime monitor glowed stubbornly red.

Next step was to remote into the box so we could take a look around. We asked our customer for remote desktop credentials and logged in, to be presented with the screen below.

Superficially, the server seemed fine. Besides the message above displaying on the desktop, there were no other obvious signs of damage, until we started to browse folders on the server. The folder structure was fine but alarmingly, all file names changed into cryptic clues, of the file type .SCR.

Did they get the Gold?

In a panic, we looked for the data, which in this case was stored in Microsoft SQL databases. To be honest, we were confident that the data would be unharmed. This is because the SQL engine permanently locks its data files making them inaccessible, as anyone who has tried to move or delete a MS SQL database has found.

To our surprise, the SQL data folder looked like this:

In the image above, the .SCR files are encrypted SQL data files!

If you ever try to mess with a mounted SQL database, you will eventually find out that the only way to do it is to stop the MS-SQL database service. A feat you can only achieve if you are packing the highest system privileges.

So, have a quick think about this.

• First, the hackers gained access to the server. (HOW? More about this momentarily...)
• Then they had uploaded their nasty program
• Which they executed with admin and SQL DBO (database owner) privileges

The bad guys came packing magic. Bad Magic.

Stopping SQL Server

Their code was smart enough to know where to find the gold and then savvy enough to know how to stop SQL server, which it proceeded to do. With SQL stopped, it was bombs away, as it renamed and encrypted the databases.  

Slipping Through Our Defenses

The fact is that a modern operating system (OS) should have some way of stopping this kind of brute force attack. Failing detection by the OS, a watchful anti-virus or by malware software should trigger and stop the attack. In this case, the Windows OS had not been updated, the Windows Update Service had never been started and Windows Defender was stopped. Also, no anti-virus or anti-malware was loaded.

Welcome to The Matrix

For our client, this visit from The Matrix was a nasty wake up call. Their attacker was part of the Matrix ransomware family, a family of many siblings and cousins who roam the Internet looking for easy targets.

In this case, all attackers asked was a single Bitcoin, in exchange for a key that would decrypt the files and return the server to normal. Our client, a large government parastatal had no procurement process that would cover this kind of purchase, so a ransom payment was neither consider nor paid.

In the end, the website was down for a number of days as we rebuilt the system from the meagre off-site backups that remained.

RDP, Was How They Did It

Once, the dust has settled, I connected to the hacked server via RDP for some post-mortem investigations. Sometimes, hackers gain access via a website; usually by exploiting some weakness in the CMS (Content Management System) the website is running. However, I could find no evidence of this.

I also looked for new system users and drew a blank there. Then, I checked the FTP service for any issues but could find no FTP user with access to any system folders.

Stumped, I took a walk to the coffee machine. As the rancid coffee kicked in, I realized the obvious. It was a password hack! The RDP (remote console) password they customer had given me, was ridiculously simple; four capital letters, followed by @123.  The hackers had simply guessed the password and logged in as Administrator.

There was no mystery, only stupidity.

However, the way they guessed it was far from stupid. Our hackers made use of a sophisticated network of attackers, called a botnet that is becoming more common.

Beware of RDP Brute Force Attacks

Be warned, these kinds of attacks are on the rise.

Attacks are seemingly impossible, because the Windows logon system detects serial failed login attempts. After a certain number of failed attempts, the system blocks any further access attempts from the same host IP address for a time. In theory, it could take forever to guess a user and password combination this way.

In reality, clever humans have found a way around this system using a botnet, which is a network of computers working together for evil purposes. The machines share lists of target servers and username-password pairs. They constantly update these shared lists to reflect the results of their individual access attempts. This results in a reducing list of username-passwords pairs, driven by the round robin of infrequent access attempts for each individual server.

Botnet machines can number in the thousands and are usually recruited by malware apps and widgets. For example, your cell phone can conceivably belong to a botnet, spending its nights next to your bedside, hacking into servers as you sleep.

Lessons Learned

Most crucially, ensure that your devices with internet access are protected by individual, difficult-to-guess passwords. Use long phrases for passwords you need to remember like ‘Beam me up Scottie’. Use a password generator service (like LastPass - https://www.lastpass.com/password-generator ) to make up and remember impossible to guess passwords. We use 20-character generated passwords that I hope no one will ever have to type. Here is an example ‘^Wg*K#PbMD^q^8F2CKu*’.

Also, make sure that your remote desktop settings are configured to allow for only a few incorrect login attempts before shutting down access attempts from that IP for at least 30 minutes or more.

Good luck it’s a war zone out there.