Perpetual IT

Here on Naked Security, we’ve regularly asked the question, or at least implied it: “Where do you think all those cybercrime payments go?”

When a ransomware victim hands over a largely anonymous, mostly untraceable quantity of Bitcoin, for example, to pay off a multi-million dollar blackmail demand in the hope of recovering their unusable files…

…what happens to that money?

The question, as posed above, is a rhetorical one, given that we can all hazard our own guesses about what the criminals do with the money.

But we have confronted that question quite literally on various occasions before, as we did when several suspects were arrested in Ukraine, allegedly in connection with ransomware attacks attributed to a gang known as “Clop”.

In that case, it seems as though at least some of the money went on fancy cars.

Police videos of those busts show impressive collections of car keyfobs being gathered up in evidence, and numerous flash-looking cars being loaded onto recovery vehicles and confiscated.

Reinvesting in the business

We’ve also written before about one of the REVil gang’s spending sprees.

That’s the same REvil ransomware operation that oversaw the infamous “Independence Day Weekend 2021” ransomware attack launched simultaneously on more than 1000 networks via software from IT management company Kaseya.

That attack led to the REvil gang’s almost casually provocative “business offer” that, for a one-off ueberpayment of $70 million in Bitcoin, it would “solve” the entire incident at a stroke by releasing a single, unified decryption tool that contained all the unscrambling secrets needed to restore any computer on any network belonging to any victim.

Presumably conscious of the preceding Colonial Pipeline attack in which a $4.4 million blackmail payoff resulted in a decryptor that, though functional in theory, was worthless in practice because it ran far too slowly, the REvil crew even blithely claimed that their so-called universal decryptor would allow everyone to “recover from attack [sic] in less than an hour”.

$1 million paid forward

Last year, REvil made headlines when the gang infamously paid $1,000,000’s worth of Bitcoins into an underground cybercrime forum as advance payment for services rendered.

The REvil crew couldn’t get this money back – it was basically a million-dollar flash-the-cash exercise aimed at proving to members of the forum that the money it was offering was more than just a promise: it was already invested and committed to being spent on successful “job applicants”:

Well, according to cybersecurity investigator Pierluigi Paganini at Security Affairs, another anonymous cybercrime actor has just done something similar.

Due to fluctuations in the dollar value of Bitcoin, this flash-the-cash bundle now has a value somewhere closer to $888,888 than to a cool one million, but it’s still a staggering cash total to pay out up front: BTC 26.994602, according to Paganini.

When REvil stumped up its $1m cash bounty, the gang said it was looking for techies with a wide range of skills, including the programming language C#, commonly used for building Microsoft .NET apps and very popular with malware writers, virtualisation, and backup tools and technologies.

(Ransomware crooks with on-and-offsite backup skills can serve two devious purposes: finding and trashing any backups a victim already has; and quietly making unauthorised off-site backups to keep stolen data that can be used for extortion.)

This crook, apparently, has other ideas, and is looking to purchase one or more of the following, amongst a longer list:

* I will buy the most clean RAT from detections [...], with the prospect of one hand [...] * Buy unusued startup methods in Windows 10 (fileless software, lives in the registry), up to $150k for the original solution [...] * Buy 0day exploits in one hand under Windows 10 (LPE, RCE) budget up to $3m for RCE 0 Click [...]

What does it mean?

To decode the jargon above:

• RAT is short for Remote Access Trojan.

  Also known as bots (short for software robots) or zombies, RATs open up unauthorised access holes that let crooks take remote control of your computer at will.

  Some RATs provide explicit remote accesscommands that turn on keylogging, take screenshots, record audio and video, or copy confidential files.

  But almost all RATs also include functions that automatically update the RAT itself, that automatically download and install additional, arbitrary malware, or that quickly shut down and remove evidence of the original RAT.

  The ability of a RAT to morph into a completely different malware infection on demand means that the risks posed by an undetected RAT are essentially open-ended.

• Fileless software, lives in registry.

  Technically, software that “lives in the registry” isn’t truly fileless, because the registry itself is stored in a file on your hard disk.

  But most software that Windows launches automatically at startup is listed in the registry as filename that contains the program that should be executed, so if that program is malicious or unwanted, a regular scan of the hard disk will find the malicious file and can simply remove it.

  If the reference to the file gets left behind in the registry, no harm is done because the file no longer exists, and therefore cannot be executed in future.

  However, some registry entries can contain the actual script or program that Windows should run, encoded directly into the registry data.

  Threats stored in this way don’t occupy a file of their own on disk, so they are generally harder to find and remediate.

• LPE is short for Local Privilege Escalation.

In Naked Security articles we generally refer to LPE by its synonym EoP, which is the term used by Microsoft in its security bulletins.

Whether you say local privilege escalation or elevation of privilege, the idea is the same: crooks can’t break into your computer with an LPE vulnerability, but if they are in already, then can use an LPE exploit to promote themselves from a regular user account, such as your own, to one that can do much wider and deeper harm to your network.

Account privileges that attackers typically go after include the local SYSTEM account or even Domain Administrator, which puts the attackers on an equal footing with your own sysadmins.

• RCE is short for Remote Code Execution.

  The name RCE means exactly what it says, namely that attackers can get into your computer, and run a program of their own choosing, without needing a username or password to login in the first place.

  Some vulnerabilities, such as the notorious PrintNightmare bug in the Windows Print Spooler that was revealed in late June 2021, combined RCE with LCE/EoP, which makes them even more useful to cybercriminals because it means they can “get in and go up” in one attacking move.

• 0-Day or zero-day exploits are ones with no patch available.

  The term zero-day was borrowed from computer game piracy, where the phrase “a zero-day crack” referred to a copy-protection hack that was found so quickly that it came out on the same day as the game itself, thus giving the software vendor zero days to be ahead in the anti-piracy race.

  Where software vulnerabilities are concerned, a zero-day exploit generally refers to any vulnerability that cybercriminals know how to abuse in advance of the Good Guys having an official update against it, so that there were literally zero days that even a well-informed system administrator could have patched in advance.

• 0-Click attacks work without any user action required.

  Even so-called 1-click or multi-click attacks can be truly dangerous, if those clicks don’t produce any obvious “Are you sure?” warnings that might indicate that an attack was underway.

  For example, a 1-click attack that only required you to open or to preview an email, without further clicking on or opening any attachments in it, would be harmful because merely reading email is considered uncontroversial and is supposed to be safe.

  But a 0-click attack typically works not only without any user action required, but also if the computer is locked, or even if no one is logged in at all, as is often the case on servers.

For what it’s worth, we’re guessing that the original poster used some sort of clumsy machine translation to come up with the full English phrases above.

We’re not quite sure what “the prospects of one hand” or “to buy in one hand” really mean, but we’re assuming they are figures of speech from the author’s native language that mean “sold to me exclusively for my sole use“.

With close to a million dollars committed to the kitty already, the advertiser clearly isn’t short of ready money.

What to do?

We’re not going to say, “Never, ever, pay the ransom,” because for all we know it might be your only chance, no matter how hurtful it might feel, to avoid a business disaster that could put your company and your employees at or even over the edge of economic collapse.

But if you’ve ever wondered where that blackmail money goes, and whether it’s innocent enough to pay the “ransomware fee” just to save the time and effort of activating your backup-and-recovery procedures…

…well, now you know.

---

PS. Even if you do pay up, decrypting your data may not work out anywhere near as well as you hoped. Ask Colonial Pipeline how that process went… or check out our article “Ransomware: don’t expect a full recovery, however much you pay” to find out the problems experienced by the vast majority of victims in our survey who reported back on their experiences after paying the crooks.

---

[00’21”] The “Independence Day Weekend” ransomware drama.  [15’55”] The PrintNightmare nightmare continues.  [24’16”] An email hacker gets his conviction overturned.  [30’35”] In this week’s Oh! No! story, a server room fills with toxic fumes…

With Doug Aamoth and Paul Ducklin.

Download the IBM 3270 retrofont that Duck admired in the podcast.

Intro and outro music by Edith Mudge.

---

WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Here’s the good news: Microsoft has released an emergency patch for the infamous PrintNightmare bug that showed up just over a week ago.

The patch is what Redmond refers to as an OOB Security Update, where OOB is short for out-of-band.

OOB is a jargon term that refers to communications that are kept separate from the usual channel you use, notably for safety reasons in case the main channel should fail or need overriding in an emergency.

In Windows update parlance, OOB refers to patches that are deemed so important that they can’t wait until the next official Patch Tuesday, which is always the second Tuesday in each calendar month. (This month, that’s 2021-07-13, which is still almost a week away.)

ICYMI, PrintNightmare is an aptly named bug that became a public danger for the unfortunate reason that a team of security researchers jumped to an incorrect conclusion:

What happened?

Briefly put, Microsoft published a Windows Print Spooler patch for a bug dubbed CVE-2021-1675, as part of the June 2021 Patch Tuesday update that came out on 2021-06-08.

Originally, the bug was reported as an elevation of privilege (EoP) vulnerability, meaning that altough attackers already on your computer could exploit the bug to promote themselves from a regular user to a system account, they couldn’t use it to break into your computer in the first place.

In the meantime, Chinese researchers preparing a paper for the 2021 Black Hat conference were working on their own bug in the Windows Print Spooler.

Theirs sounded very similar, except that it was an RCE bug, short for remote code execution, meaning that it could be used for breaking in, not merely for elevating privilege.

Given that the Chinese researchers’ bug was apparently different, they hadn’t disclosed it yet.

Later in the month, however, Microsoft admitted that CVE-2021-1675 could also be used for RCE, and updated its public advisory to say so.

Even though that meant the bug was more serious in theory, no one worried too much in practice.

After all, a patch was already available, and anyone who had installed the patch to close the EoP hole was, ipso facto, protected against the newly announced RCE hole as well.

Never assume

The researchers then apparently assumed that their bug was not original, as they had thought.

Because it had already been patched, they assumed that it would therefore not be untimely to publish their existing proof-of-concept exploit code to explain how the vulnerability worked.

“What’s the chance,” we guess they asked themselves, “that two different RCE bugs, working in what sounds like exactly the same way, would be found at exactly the same time in exactly the same Windows component, namely the Print Spooler?”

With hindsight, which is a wonderful thing indeed, we can compute that chance precisely: 100 percent.

Their bug was not CVE-2021-1675 at all; it was CVE-2021-34527, although no one knew that at the time, because that additional bug number was only issued later on.

Even worse, this new RCE hole wasn’t blocked by Microsoft’s Patch Tuesday update, making the published code into a publicly available, fully functional, break-and-enter exploit.

Brand new bug

In the jargon of the cybersecurity industry, the researchers had unwittingly dropped an 0-day.

(“Zero days” is the jargon for a previously unknown and unpatched security hole, because that’s how many days ahead the Good Guys were when the Bad Guys first got to hear about it.)

The researchers removed the zero-day code from the internet pretty quickly, but not quickly enough.

As Pandora found when she opened her proverbial Jar , there’s no point in trying to put secrets back in the box once they’ve escaped.

The PrintNightmare exploit code had already been copied and republished in many places, and almost every known version of Windows was at risk.

Most notably, even Domain Controllers generally have the Print Spooler running by default, so that the PrintNightmare code theoretically gave anyone who already had a foothold inside your network a way to take over the very computer that acts as your network’s “security HQ”.

An easy workaround

Fortunately, there was a 2-minute workaround for any and all Windows systems: turn off the Print Spooler and set it into disabled mode so it can’t start up again, either by accident or by design.

No Print Spooler, no attack surface; no attack surface, no security hole; no security hole, no break-and-enter point.

Unfortunately, without the Print Spooler running, you can’t print, so anyone who needed a working printer somewhere on their network working was on the horns of a dilemma: leave the Spooler running only on carefully selected servers, and watch them really carefully; or continually re-enable/print/disable the Spooler every time output was required.

What to do?

The good news is that there’s a more fundamental fix for the RCE hole available now in the form of Microsoft’s Out-of-Band (OOB) Security Update available for CVE-2021-34527.

Use Settings > Update & Security > Windows Update and install the latest update (KB5004945)

Microsoft has also published some additional precautions that Windows administrators can follow to lock down their printers more thoroughly than before.

For what it’s worth, reports currently circulating on Twitter suggest that this patch only covers the RCE (“breaking in across the network”) part of the bug, not the EoP (“increasing account privilege after you’re in”) part…

…but the patch should be nevertheless be considered critical.

As mentioned above, on an unpatched network, cybercriminals could exploit this hole to take over your entire network, starting from almost any account on almost any computer.

Oh, before we go: don’t make the same mistake as the security researchers who unleashed this zero-day code by mistake.

When it comes to cybersecurity… NEVER ASSUME!

---

CHECKING FOR PRINTNIGHTMARE PATCHES

If you have Sophos Central, you can use the Live Discover feature with a query we’ve published to check your whole network for PrintNightmare patches.

On your own computer, you can view your recent updates using Settings > Update & Security > Windows Update > View update history.

Below, we’re running the latest Enterprise Edition of Windows 10 (21H1), and we’ve highlighted the June 2021 Patch Tuesday update, which covers CVE-2021-1675, and the 06 July 2021 Emergency update described in this article, which covers CVE-2021-34527:

You can also list the official hotfixes on your computer from a command prompt (CMD.EXE) using the SystemInfo or WMIC commands, like this:

C:\Users\duck> systeminfo Host Name: TESTING123
OS Name: Microsoft Windows 10 Enterprise OS Version: 10.0.19043 N/A Build 19043
[. . .]
Hotfix(s): 4 Hotfix(s) Installed. [01]: KB5003254 [02]: KB5000736 [03]: KB5004945 <-- Win10 PrintNightmare fix [04]: KB5003742
[. . .] C:\Users\duck> wmic qfe list brief
Description [..] HotFixID [..] InstalledOn Update KB5003254 6/26/2021
Update KB5000736 4/9/2021
Security Update KB5004945 7/7/2021 <-- Win10 PrintNightmare fix
Security Update KB5003742 6/24/2021

From a PowerShell prompt, you can simply use the Get-HotFix command:

PS C:\Users\duck> Get-HotFix Source Description HotFixID [..] InstalledOn
------ ----------- -------- -----------
TESTING123 Update KB5003254 26/06/2021 TESTING123 Update KB5000736 09/04/2021 TESTING123 Security Update KB5004945 07/07/2021 <-- Win10 PrintNightmare fix
TESTING123 Security Update KB5003742 24/06/2021 

To find out the KB number for your version of Windows, you can consult the list on Microsoft’s CVE-2021-34527 Security Update Guide.

NB. The list has 52 entries and covers 10 different hotfix numbers, from KB5004945 to KB5004959. You can download the complete list in Excel or CSV format from the relevant Security Update page.

---

In this special splintersode, Kimberly Truong talks to Eva Galperin, Director of Security at the Electronic Frontier Foundation.

Join Eva as she discusses growing up with cryptography, the troubling issue of stalkerware, how to get started in cybersecurity… and the sort of hobbies that help infosec professionals to free their minds from work pressure when they want to relax.

Eva’s TED talk mentioned in the podcast: What you need to know about Stalkerware.

Intro and outro music: Edith Mudge.

---

WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

It’s like the movie Independence Day, but with the malware part of the story back-to-front.

In the 1996 Jeff Goldblum classic, the bespectacled, academic antihero finally quashes the alien invaders by connecting to their mothership with his Mac laptop and uploading a computer virus that even the telepathic aliens didn’t see coming.

In the movie, what’s left of the earth is saved.

Fast forward to 2021, and we’re witnessing an Independence Day malware attack of another sort.

In this attack, the REvil ransomware gang broke into the mothership of a popular software management tool from the company Kaseya.

The cybercriminals uploaded a computer virus to the mothership (more precisely, for the pedants amongst us, they uploaded a ransomware Trojan Horse) that Kaseya then automatically delivered via dozens of different service providers onto hundreds of its customers’ networks.

As Sophos CISO Ross McKerchar put it:

This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen. At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organisations. We expect the full scope of victim organisations to be higher than what’s being reported by any individual security company. Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the UK and other regions.

Rattling the chain

As you probably know, this sort of leveraged onslaught is known as a supply chain attack, for obvious reasons.

Instead of attacking thousands or millions computers individually, you attack the company that supplies software to all of those computers, or worse still – as in this case – you attack the company that supplies software to the companies that supply software to all of those computers.

We won’t go into the technical details of the Kaseya attack here – if you would like to know how it worked, SophosLabs has published a full analysis describing the chain of execution all the way from Kaseya’s compromised management servers to the scrambled computers on the victims’ networks.

This article is highly recommended:

We’ve also published IoCs (indicators of compromise) on our GitHub page if you want to use threat-hunting tools to look for evidence of an attack on your own networks, as well as the names Sophos products will report in logfiles when detecting and blocking the various components used in this attack.

What next?

The burning question now, of course, is, “What do the crooks do next?”

The world’s first-ever ransomware attack, the AIDS Information Trojan of 1989, failed for two fortunate reasons.

• There were no cryptocurrencies or anonymous credit cards back then. Getting individual victims to pay $378 each by international banker’s draft was just too difficult.
• The creator of the ransomware made a cryptographic blunder. He hard-coded the same decryption password into every copy of the malware, so that once the malicious code has been reverse-engineered (including by Sophos co-founder Dr Jan Hruska, who published a detailed public analysis of how it worked) and the key extracted, there was no need for anyone to pay up.

It wasn’t until about 2013 that contemporary cybercriminals “solved” these ransomware payment-and-recovery problems.

Cryptocurrency made pseudoanonymous international payments possible, so the crooks could collect their blackmail demands entirely online, without involving traditional financial institutions who could freeze or reverse illegal transactions.

And public-key cryptography, where you use one key (the public key) to lock up data, but need a different key (the private key) to unlock it again, made it possible to have a unique decryption key for each network, or each computer, or even for each file.

This is the same principle that’s used for good when you visit an HTTPS website. Public-key cryptography allows your browser and the web server at the other end to agree on a one-time data scrambling key, used with traditional symmetric encryption (where the same key both locks and unlocks the data) to protect the current session. Even if you intercept all the network traffic at the start of the HTTPS connection, public-key cryptography means that you can’t extract the so-called session key needed to decrypt the rest of the HTTPS connection either.

If you get attacked and pay the extortion money, there’s no point in sharing your unlocking key with anyone else, even if they’ve been hit by exactly the same ransomware, because each decryption key is unique.

Programming blunders by some ransomware cybercrooks have occasionally made it possible to recover without paying in some attacks, but gangs like REvil, the criminal gang behind the Kaseya attack, generally get the coding correct.

If you don’t have a backup then paying the blackmail money for the decryption key is about your only chance of recovering your scrambled data.

Central payment

Even though many modern ransomware Trojans use a different session key for every file they scramble, let alone for every computer, contemporary ransomware is geared towards bulk payments.

The idea is that instead of hitting as many comuters as they can on your network and asking for a few hundred dollars to decrypt each one, the crooks offer to sell each victim a “bulk decryptor” that can unscramble some, many or all of the computers on their network.

This is the same sort of technique that legitimate encryption software uses to provide a controlled way for a organisations to recover data off staff computers if an employee forgets their password, or leaves the company in a huff.

This isn’t the same as an encryption backdoor that could let anyone with insider knowledge decrypt the data. Usually, the data isn’t encrypted directly with the user’s password. Instead, a random “master encryption key” is generated to secure the data, and that key is re-enrcypted multiple times, using different passwords or public keys. This means that there may be multiple decryption keys that can decrypt the master key that in turn decrypts the actual data. These decryption keys may be split up between more than one person, for example so that an individual computer can only be unscrambled either by the user acting alone for day-to-day use, or by the IT manager and HR manager acting together in an emergency. This provides additional privacy control that helps to protect both the user and the company.

Universal decryptors

Early ransomware attacks relied on squeezing hundreds of thousands of people to pay $300 each to buy back the decryption keys for their own (but no one else’s) computer.

Make no mistake, crooks such as the CryptoLocker gang raked in millions of dollars, maybe even hundreds of millions of dollars, this way:

If you had 10 computers on your network all scrambled at the same time, that was just bad luck: to recover them all meant paying 10 separate $300 blackmail demands.

But later attackers took a hybrid approach.

The SamSam crew, for example, notoriously hit one network at a time, and callously offered “deals” on decryption.

The price shot up to $8000 per computer, so if you felt that you could recover your business by decrypting just two or three of your most critical laptops or servers, you didn’t have to pay for all of them, but you couldn’t get away with just $300 each, either.

But for a one-off fee that usually came out at $50,000, the SamSam crooks would give you a universal decryptor (universal to your network, at least) that was pitched as a sort of “all you can eat buffet.”

In fact, in a fit of “goodwill”, they’d even let you try paying the $8000 fee for individual computers, to see if you could recover enough of your business to get away without paying $50,000 in total.

Sadly, many victims found that the one-by-one approach just didn’t work out for them, at which point the SamSam crooks would “graciously” allow them to top up their payments to the $50,000 mark.

Once the crooks had received the all-you-can-eat fee of $50,000, they’d give you a “software upgrade” to the universal decryptor that would work on all of your computers, not just specific ones you had chosen in advance:

More recently, most mainstream ransomware crooks have discontinued the “individual decryptor” option and will only negotiate to sell universal decryptors – and as we all know, they aren’t asking for $50,000 any more.

Extortion demands often reach several million dollars, with recent victims Colonial Pipeline allegedly coughing up $4.4 million (ironically for a decryptor that was so slow as to be worthless), and meat packing company JBS supposedly paying out a mammoth $11 million in blackmail money.

You can see where this is going.

The REvil gang have apparently now decided that they are going to offer what you might call a universal universal decryptor that will not only unscramble all the computers on your network, but also all the computers on the networks of everyone else affected by what we shall probably be calling the Independence Day attack for many years to come.

The catch?

This time, the ueberuniversal decryptor isn’t $50,000, or $4,400,000, or even $11,000,000.

The crooks are calmly demanding $70,000,000:

On Friday (02.07.2021) we launched an attack on [Managed Service Providers]. More than a million systems were infected. If anyone want to negotiate about universal decryptor – our price is [$70 million in Bitcoin] and we will publish publicly decrypto that decrypts all files of all victims, so everyone will be able to recover from attack in less that an hour. If you are interested in such deal – contact is using victims “readme” file instructions.

What to do?

This audacious demand raises many difficult questions.

Many governments and most law enforcement experts vigorously encourage victims not to pay up.

Even though it seems that at least some of the money goes on fancy cars, we we know for sure that at least some of the funds from today’s attacks are directly used to fund tomorrow’s:

Some governments are even seriously considering making ransomware payments illegal as way of breaking the cycle of attacks.

But if someone else were to cough up the $70,000,000, perhaps from a country with a government with more conciliatory attitudes towards negotiating with criminals, would that make it OK to run the decryptor, even in a country where paying up would have been unlawful?

Is this the shape of ransomware attacks to come?

Will regultory intervention to criminalise ransomware payments make matters better, or worse?

Let us know what you think in the comments below! (You may remain anonymous.)

---

PS. Don’t forget that even if you get hold of a ransomware decryptor after an attack, whether by paying yourself or through someone’s else’s largesse, that’s not the end of your worries. Check our recent State of Ransomware survey to find out why paying the crooks is not the end of your troubles, and how much you can expect the incident to cost, whether you end up with a decryptor or not: